aws.ebs-snapshot
Filters
age
EBS Snapshot Age Filter
Filters an EBS snapshot based on the age of the snapshot (in days).
Example:
  policies:
    - name: ebs-snapshots-week-old
      resource: ebs-snapshot
      filters:
        - type: age
          days: 7
          op: ge
cross-account
Check a resource's embedded IAM policy for cross-account access.
Permissions - ec2:DescribeSnapshotAttribute
skip-ami-snapshots
Filter to remove snapshots of AMIs from results.
This filter is 'true' by default.
Example (implicit, with no parameters; 'true' by default):
  policies:
    - name: delete-ebs-stale-snapshots
      resource: ebs-snapshot
      filters:
        - type: age
          days: 28
          op: ge
        - skip-ami-snapshots
Example (explicit, with parameter):
  policies:
    - name: delete-snapshots
      resource: ebs-snapshot
      filters:
        - type: age
          days: 28
          op: ge
        - type: skip-ami-snapshots
          value: false
Permissions - ec2:DescribeImages
unused
Filters snapshots based on usage.
true: the snapshot is not used by any launch template, launch configuration, or AMI.
false: the snapshot is in use by a launch template, launch configuration, or AMI.
Example:
  policies:
    - name: snapshot-unused
      resource: ebs-snapshot
      filters:
        - type: unused
          value: true
Permissions - autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeTags, autoscaling:DescribeLaunchConfigurations, ec2:DescribeImages
volume
Filter EBS snapshots by their volume attributes.
Example:
  policies:
    - name: snapshot-with-no-volume
      description: Find any snapshots that do not have a corresponding volume.
      resource: aws.ebs-snapshot
      filters:
        - type: volume
          key: VolumeId
          value: absent
    - name: find-snapshots-from-volume
      resource: aws.ebs-snapshot
      filters:
        - type: volume
          key: VolumeId
          value: vol-foobarbaz
Permissions - ec2:DescribeVolumes
Actions
copy
Copy a snapshot across regions.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html
Example:
  policies:
    - name: copy-snapshot-east-west
      resource: ebs-snapshot
      filters:
        - type: age
          days: 7
          op: le
      actions:
        - type: copy
          target_region: us-west-2
          target_key: target_kms_key
          encrypted: true
Permissions - ec2:CreateTags, ec2:CopySnapshot, ec2:DescribeSnapshots
delete
Deletes EBS snapshots.
Example:
  policies:
    - name: delete-stale-snapshots
      resource: ebs-snapshot
      filters:
        - type: age
          days: 28
          op: ge
      actions:
        - delete
Permissions - ec2:DeleteSnapshot
set-permissions
Action to set the permissions for creating volumes from a snapshot.
Use the 'add' and 'remove' parameters to control which accounts to add or remove, respectively. The default is to remove any create-volume permissions granted to other AWS accounts.
Combining this action with the 'cross-account' filter gives you greater control over which accounts will be removed, e.g. using a whitelist:
Example:
  policies:
    - name: ebs-dont-share-cross-account
      resource: ebs-snapshot
      filters:
        - type: cross-account
          whitelist:
            - '112233445566'
      actions:
        - type: set-permissions
          remove: matched
Permissions - ec2:ModifySnapshotAttribute
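As an added illustration of what the cross-account filter and the set-permissions action above evaluate (example code, not Cloud Custodian's own implementation): the snapshot's createVolumePermission attribute is checked against a whitelist, and only the grants that match are turned into a remove request. The response shape is that of ec2:DescribeSnapshotAttribute; the snapshot ID and account IDs are constructed sample values.

```python
# Added example (not Cloud Custodian's own code): evaluate a snapshot's
# createVolumePermission attribute the way the cross-account filter's
# whitelist and the set-permissions action's "remove: matched" combine.
# The response shape is what ec2:DescribeSnapshotAttribute returns; the
# snapshot ID and account IDs below are constructed sample values.

PUBLIC_GROUP = "all"  # the only group EC2 accepts for createVolumePermission


def cross_account_grants(attribute, whitelist=(), own_account=None):
    """Return the create-volume grants that point outside the allowed accounts.
    attribute:   DescribeSnapshotAttribute response (createVolumePermission).
    whitelist:   account IDs allowed to keep access (the filter's 'whitelist').
    own_account: the owning account, never treated as cross-account.
    Each returned grant is a dict usable directly in a Remove list.
    """
    allowed = set(whitelist)
    if own_account:
        allowed.add(own_account)
    matched = []
    for perm in attribute.get("CreateVolumePermissions", []):
        if perm.get("Group") == PUBLIC_GROUP:
            matched.append({"Group": PUBLIC_GROUP})  # public: always a match
        elif "UserId" in perm and perm["UserId"] not in allowed:
            matched.append({"UserId": perm["UserId"]})
    return matched


def remove_matched_request(snapshot_id, matched):
    """ec2:ModifySnapshotAttribute parameters that revoke exactly the matched
    grants (what set-permissions does with 'remove: matched'); None if none."""
    if not matched:
        return None
    return {
        "SnapshotId": snapshot_id,
        "Attribute": "createVolumePermission",
        "CreateVolumePermission": {"Remove": matched},
    }


# Constructed sample: one whitelisted account, one foreign account, one public grant.
SAMPLE_ATTRIBUTE = {
    "SnapshotId": "snap-0123456789abcdef0",
    "CreateVolumePermissions": [
        {"UserId": "112233445566"},
        {"UserId": "998877665544"},
        {"Group": "all"},
    ],
}
```

Running cross_account_grants on SAMPLE_ATTRIBUTE with the whitelist from the policy above leaves 112233445566 alone and flags the foreign account and the public grant; the resulting dict is the parameter set for a single ModifySnapshotAttribute call.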