aws.ebs

Filters

fault-tolerant

This filter returns any EBS volume that does (tolerant: true) or does not (tolerant: false) have a snapshot taken within the last 7 days. "Fault-tolerant" here means that, in the event of a failure, the volume can be restored from a snapshot with a bounded (reasonable) amount of data loss.

policies:
 - name: ebs-volume-tolerance
   resource: ebs
   filters:
     - type: fault-tolerant
       tolerant: True
properties:
  tolerant:
    type: boolean
  type:
    enum:
    - fault-tolerant
required:
- type
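The check the fault-tolerant filter performs, written out as an added Python example (not Cloud Custodian's own code): every volume is matched against the most recent snapshot that references it, and the volume is selected when the presence of a snapshot inside the window agrees with the tolerant setting. The volume and snapshot records are constructed sample data shaped like the VolumeId, SnapshotId and StartTime fields the EC2 API returns; NOW is fixed so the example runs offline.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real AWS output). Field names follow the
# EC2 describe_volumes / describe_snapshots responses.
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)

VOLUMES = [
    {"VolumeId": "vol-aaaa1111"},
    {"VolumeId": "vol-bbbb2222"},
    {"VolumeId": "vol-cccc3333"},  # never snapshotted
]

SNAPSHOTS = [
    {"SnapshotId": "snap-01", "VolumeId": "vol-aaaa1111", "StartTime": NOW - timedelta(days=2)},
    {"SnapshotId": "snap-02", "VolumeId": "vol-bbbb2222", "StartTime": NOW - timedelta(days=30)},
    {"SnapshotId": "snap-03", "VolumeId": "vol-bbbb2222", "StartTime": NOW - timedelta(days=9)},
]


def latest_snapshot_age(volume_id, snapshots, now):
    """Age of the newest snapshot taken from volume_id, or None if there is none."""
    times = [s["StartTime"] for s in snapshots if s["VolumeId"] == volume_id]
    if not times:
        return None
    return now - max(times)


def fault_tolerant_filter(volumes, snapshots, tolerant=True, now=None, window_days=7):
    """Return the VolumeIds that pass a fault-tolerant filter with the given setting.

    tolerant=True keeps volumes with a snapshot inside the window (restorable);
    tolerant=False keeps volumes without one (the usual notify/remediate target).
    """
    now = now or datetime.now(timezone.utc)
    window = timedelta(days=window_days)
    selected = []
    for volume in volumes:
        age = latest_snapshot_age(volume["VolumeId"], snapshots, now)
        has_recent_snapshot = age is not None and age <= window
        if has_recent_snapshot == tolerant:
            selected.append(volume["VolumeId"])
    return selected


if __name__ == "__main__":
    print("restorable:", fault_tolerant_filter(VOLUMES, SNAPSHOTS, True, NOW))
    print("at risk:   ", fault_tolerant_filter(VOLUMES, SNAPSHOTS, False, NOW))
```

Note that a snapshot only counts when its StartTime falls inside the window; an older snapshot of the same volume (snap-02 above) does not make the volume tolerant, and a volume with no snapshot at all is selected by tolerant: false.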

health-event

Check whether there are AWS Personal Health Dashboard (PHD) operational health events related to the resource.

https://aws.amazon.com/premiumsupport/technology/personal-health-dashboard/

Health events are stored as annotation on a resource.

Custodian also supports responding to phd events via a lambda execution mode.

properties:
  statuses:
    items:
      enum:
      - open
      - upcoming
      - closed
      type: string
    type: array
  type:
    enum:
    - health-event
  types:
    items:
      enum:
      - AWS_EBS_DEGRADED_EBS_VOLUME_PERFORMANCE
      - AWS_EBS_VOLUME_LOST
      type: string
    type: array
required:
- type

instance

Filter volumes based on attributes of the instance they are attached to.

example

policies:
  - name: instance-ebs-volumes
    resource: ebs
    filters:
      - type: instance
        key: tag:Name
        value: OldManBySea
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - instance
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

kms-alias

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - kms-alias
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

modifyable

Check whether an EBS volume is modifiable online.

Considerations:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/limitations.html

Consideration Summary

See modify action for examples.

properties:
  type:
    enum:
    - modifyable
required:
- type

Actions

copy-instance-tags

Copy instance tags to its attached volume.

Useful for cost allocation to EBS volumes and for tracking usage information for volumes.

Mostly useful for volumes not set to delete on termination, which are otherwise candidates for garbage collection: copying the instance tags gives us more semantic information to determine whether they are useful, and also lets us know the last time the volume was actually used.

example

policies:
  - name: ebs-copy-instance-tags
    resource: ebs
    filters:
      - type: value
        key: "Attachments[0].Device"
        value: not-null
    actions:
      - type: copy-instance-tags
        tags:
          - Name
properties:
  tags:
    items:
      type: string
    type: array
  type:
    enum:
    - copy-instance-tags
required:
- type

delete

Delete an EBS volume.

If the force boolean is true, an attached volume will be detached from its instance before deletion. Note that this cannot be done for the root volume of a running instance.

example

policies:
  - name: delete-unattached-volumes
    resource: ebs
    filters:
      - Attachments: []
      - State: available
    actions:
      - delete
properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type

detach

Detach an EBS volume from an Instance.

If the force parameter is true, the volume is detached forcefully. The default value for force is false.

example

policies:
  - name: detach-ebs-volumes
    resource: ebs
    filters:
      - VolumeId: volumeid
    actions:
      - detach
properties:
  force:
    type: boolean
  type:
    enum:
    - detach
required:
- type

encrypt-instance-volumes

Encrypt extant volumes attached to an instance.

  • Requires instance restart

  • Not suitable for autoscale groups.

Multistep process:

  • Stop instance (if running)
  • For each volume
    • Create snapshot
    • Wait on snapshot creation
    • Copy snapshot to create encrypted snapshot
    • Wait on encrypted snapshot creation
    • Create encrypted volume from snapshot
    • Wait on volume creation
    • Delete transient snapshots
    • Detach unencrypted volume
    • Attach encrypted volume
    • Set DeleteOnTermination instance attribute equal to source volume
  • For each volume
    • Delete unencrypted volume
  • Start instance (if originally running)
  • For each newly encrypted volume
    • Delete transient tags

example

policies:
  - name: encrypt-unencrypted-ebs
    resource: ebs
    filters:
      - Encrypted: false
    actions:
      - type: encrypt-instance-volumes
        key: alias/encrypted
properties:
  delay:
    type: number
  key:
    type: string
  type:
    enum:
    - encrypt-instance-volumes
  verbose:
    type: boolean
required:
- key
- type

modify

Modify an EBS volume online.

Note that this action requires use of the modifyable filter.

Intro Blog & Use Cases:

https://aws.amazon.com/blogs/aws/amazon-ebs-update-new-elastic-volumes-change-everything/

Docs:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modify-volume.html

Considerations:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/limitations.html

example

Find underutilized provisioned IOPS volumes older than a week and change their type.

policies:
 - name: ebs-remove-piops
   resource: ebs
   filters:
    - type: value
      key: CreateDate
      value_type: age
      value: 7
      op: greater-than
    - VolumeType: io1
    - type: metrics
      name: VolumeConsumedReadWriteOps
      statistics: Maximum
      value: 100
      op: less-than
      days: 7
    - modifyable
   actions:
    - type: modify
      volume-type: gp2

iops-percent and size-percent can be used to modify, respectively, the IOPS of io1 volumes and the volume size, each expressed as a percentage of the current value.

When converting to io1, iops-percent sets the IOPS allocation of the new volume relative to the extant IOPS value of the old volume.

example

Double storage and quadruple iops for all io1 volumes.

policies:
 - name: ebs-upsize-piops
   resource: ebs
   filters:
     - VolumeType: io1
     - modifyable
   actions:
     - type: modify
       size-percent: 200
       iops-percent: 400

Note that resizing down (shrinking) requires OS and filesystem support and potentially additional preparation; otherwise data loss may occur. To prevent accidents, shrinking must be explicitly enabled by also setting shrink: true on the action.

properties:
  iops-percent:
    type: number
  shrink: false
  size-percent:
    type: number
  type:
    enum:
    - modify
  volume-type:
    enum:
    - io1
    - gp2
    - st1
    - sc1
required:
- type
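How the size-percent, iops-percent and shrink settings of the modify action combine, as an added Python example that is not Cloud Custodian's own implementation: plan_modification takes a volume record (VolumeId, VolumeType, Size, Iops, shaped like the EC2 describe_volumes response) and the action's settings, and returns the set of attributes that would change. Percentages are applied to the extant values, a shrink is refused unless shrink: true is set, and iops-percent is applied only when the resulting volume is io1, matching the paragraphs above. The volume records are constructed sample data; the helper name is this example's own.

```python
class ShrinkNotAllowed(ValueError):
    """Raised when size-percent would reduce the volume without shrink: true."""


def plan_modification(volume, action):
    """Return the attributes to change on `volume` for a `modify` action.

    volume: dict with VolumeId, VolumeType, Size (GiB) and Iops.
    action: dict with optional volume-type, size-percent, iops-percent, shrink.
    """
    changes = {}

    # Volume type: only emitted when it actually differs.
    target_type = action.get("volume-type", volume["VolumeType"])
    if target_type != volume["VolumeType"]:
        changes["VolumeType"] = target_type

    # Size: percentage of the current size, rounded down to whole GiB.
    if "size-percent" in action:
        new_size = volume["Size"] * action["size-percent"] // 100
        if new_size < volume["Size"] and not action.get("shrink", False):
            raise ShrinkNotAllowed(
                f"{volume['VolumeId']}: {volume['Size']} GiB -> {new_size} GiB "
                "would shrink the volume; set shrink: true to allow it")
        if new_size != volume["Size"]:
            changes["Size"] = new_size

    # IOPS: percentage of the extant Iops value, meaningful only for io1.
    if "iops-percent" in action and target_type == "io1":
        new_iops = volume["Iops"] * action["iops-percent"] // 100
        if new_iops != volume["Iops"]:
            changes["Iops"] = new_iops

    return changes


# Constructed sample volumes (not real AWS output).
PIOPS_VOLUME = {"VolumeId": "vol-0123abcd", "VolumeType": "io1", "Size": 100, "Iops": 1000}
GP2_VOLUME = {"VolumeId": "vol-4567efgh", "VolumeType": "gp2", "Size": 50, "Iops": 150}

if __name__ == "__main__":
    # The "double storage and quadruple iops" policy from the text.
    print(plan_modification(PIOPS_VOLUME, {"size-percent": 200, "iops-percent": 400}))
    # The "remove piops" policy: type change only.
    print(plan_modification(PIOPS_VOLUME, {"volume-type": "gp2"}))
    try:
        plan_modification(GP2_VOLUME, {"size-percent": 50})
    except ShrinkNotAllowed as err:
        print("refused:", err)
```

The shrink guard sits in the planning step rather than at the API call on purpose: a policy that accidentally requests size-percent below 100 fails before any ModifyVolume request is issued, which is the behaviour the shrink: true requirement is meant to give.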

snapshot

Snapshot an EBS volume

example

policies:
  - name: snapshot-volumes
    resource: ebs
    filters:
      - Attachments: []
      - State: available
    actions:
      - type: snapshot
        copy-tags:
          - Name
properties:
  copy-tags:
    items:
      type: string
    type: array
  copy-volume-tags:
    type: boolean
  type:
    enum:
    - snapshot
required:
- type