aws.ec2
Filters
default-vpc
Matches if an EC2 instance is in the default VPC.
properties:
  type:
    enum:
    - default-vpc
required:
- type
Permissions - ec2:DescribeVpcs
ebs
EC2 instances with EBS backed volume
Filters EC2 instances with EBS backed storage devices (non ephemeral)
- Example:
  policies:
  - name: ec2-encrypted-ebs-volumes
    resource: ec2
    filters:
    - type: ebs
      key: Encrypted
      value: true
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  skip-devices:
    items:
      type: string
    type: array
  type:
    enum:
    - ebs
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - ec2:DescribeVolumes
ephemeral
EC2 instances with ephemeral storage
Filters EC2 instances that have ephemeral storage (an instance-store backed root device)
- Example:
  policies:
  - name: ec2-ephemeral-instances
    resource: ec2
    filters:
    - type: ephemeral
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html
properties:
  type:
    enum:
    - ephemeral
required:
- type
has-specific-managed-policy
Filter an EC2 instance that has an IAM instance profile that contains an IAM role that has a specific managed IAM policy. If an EC2 instance does not have a profile, or the profile does not contain an IAM role, then it is treated as not having the policy.
- example:
  policies:
  - name: ec2-instance-has-admin-policy
    resource: aws.ec2
    filters:
    - type: has-specific-managed-policy
      value: admin-policy
- example:
  Check for EC2 instances with instance profile roles that have an attached policy matching a given list:
  policies:
  - name: ec2-instance-with-selected-policies
    resource: aws.ec2
    filters:
    - type: has-specific-managed-policy
      op: in
      value:
      - AmazonS3FullAccess
      - AWSOrganizationsFullAccess
- example:
  Check for EC2 instances with instance profile roles that have attached policy names matching a pattern:
  policies:
  - name: ec2-instance-with-full-access-policies
    resource: aws.ec2
    filters:
    - type: has-specific-managed-policy
      op: glob
      value: "*FullAccess"
- example:
  Check for EC2 instances with instance profile roles that have attached policy ARNs matching a pattern:
  policies:
  - name: ec2-instance-with-aws-full-access-policies
    resource: aws.ec2
    filters:
    - type: has-specific-managed-policy
      key: PolicyArn
      op: regex
      value: "arn:aws:iam::aws:policy/.*FullAccess"
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - has-specific-managed-policy
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - iam:GetInstanceProfile, iam:ListInstanceProfiles, iam:ListAttachedRolePolicies
image
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - image
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - ec2:DescribeImages
image-age
EC2 AMI age filter
Filters EC2 instances based on the age of their AMI image (in days)
- Example:
  policies:
  - name: ec2-ancient-ami
    resource: ec2
    filters:
    - type: image-age
      op: ge
      days: 90
properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - image-age
required:
- type
Permissions - ec2:DescribeImages
instance-age
Filters instances based on their age (in days)
- Example:
  policies:
  - name: ec2-30-days-plus
    resource: ec2
    filters:
    - type: instance-age
      op: ge
      days: 30
properties:
  days:
    type: number
  hours:
    type: number
  minutes:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - instance-age
required:
- type
instance-attribute
EC2 Instance Value Filter on a given instance attribute.
Filters EC2 Instances with the given instance attribute
- Example:
  policies:
  - name: ec2-unoptimized-ebs
    resource: ec2
    filters:
    - type: instance-attribute
      attribute: ebsOptimized
      key: "Value"
      value: false
properties:
  attribute:
    enum:
    - instanceType
    - kernel
    - ramdisk
    - userData
    - disableApiTermination
    - instanceInitiatedShutdownBehavior
    - rootDeviceName
    - blockDeviceMapping
    - productCodes
    - sourceDestCheck
    - groupSet
    - ebsOptimized
    - sriovNetSupport
    - enaSupport
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - instance-attribute
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- attribute
Permissions - ec2:DescribeInstanceAttribute
instance-uptime
Automatically filter resources older than a given date.
Deprecated: use a value filter with value_type: age instead, which can be applied to any attribute.
properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - instance-uptime
required:
- type
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).
properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
offhour
Custodian OffHour filter
Filters running EC2 instances with the intent to stop them at a given hour of the day. A list of days to exclude can be given as a list of strings in the format YYYY-MM-DD. Alternatively, the list (using the same syntax) can be loaded from a specified url.
Note: You can disable filtering of only running instances by setting state-filter: false
- Example:
  policies:
  - name: offhour-evening-stop
    resource: ec2
    filters:
    - type: offhour
      tag: custodian_downtime
      default_tz: et
      offhour: 20
    actions:
    - stop
  - name: offhour-evening-stop-skip-holidays
    resource: ec2
    filters:
    - type: offhour
      tag: custodian_downtime
      default_tz: et
      offhour: 20
      skip-days: ['2017-12-25']
    actions:
    - stop
  - name: offhour-evening-stop-skip-holidays-from
    resource: ec2
    filters:
    - type: offhour
      tag: custodian_downtime
      default_tz: et
      offhour: 20
      skip-days-from:
        expr: 0
        format: csv
        url: 's3://location/holidays.csv'
    actions:
    - stop
properties:
  default_tz:
    type: string
  fallback-schedule:
    type: string
  fallback_schedule:
    type: string
  offhour:
    maximum: 23
    minimum: 0
    type: integer
  opt-out:
    type: boolean
  skip-days:
    items:
      pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
      type: string
    type: array
  skip-days-from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  state-filter:
    type: boolean
  tag:
    type: string
  type:
    enum:
    - offhour
  weekends:
    type: boolean
  weekends-only:
    type: boolean
required:
- type
onhour
Custodian OnHour filter
Filters stopped EC2 instances with the intent to start them at a given hour of the day. A list of days to exclude can be given as a list of strings in the format YYYY-MM-DD. Alternatively, the list (using the same syntax) can be loaded from a specified url.
Note: You can disable filtering of only stopped instances by setting state-filter: false
- Example:
  policies:
  - name: onhour-morning-start
    resource: ec2
    filters:
    - type: onhour
      tag: custodian_downtime
      default_tz: et
      onhour: 6
    actions:
    - start
  - name: onhour-morning-start-skip-holidays
    resource: ec2
    filters:
    - type: onhour
      tag: custodian_downtime
      default_tz: et
      onhour: 6
      skip-days: ['2017-12-25']
    actions:
    - start
  - name: onhour-morning-start-skip-holidays-from
    resource: ec2
    filters:
    - type: onhour
      tag: custodian_downtime
      default_tz: et
      onhour: 6
      skip-days-from:
        expr: 0
        format: csv
        url: 's3://location/holidays.csv'
    actions:
    - start
properties:
  default_tz:
    type: string
  fallback-schedule:
    type: string
  fallback_schedule:
    type: string
  onhour:
    maximum: 23
    minimum: 0
    type: integer
  opt-out:
    type: boolean
  skip-days:
    items:
      pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
      type: string
    type: array
  skip-days-from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  state-filter:
    type: boolean
  tag:
    type: string
  type:
    enum:
    - onhour
  weekends:
    type: boolean
  weekends-only:
    type: boolean
required:
- type
singleton
EC2 instances without autoscaling or a recover alarm
Filters EC2 instances that are not members of an autoscaling group and do not have CloudWatch recover alarms.
- Example:
  policies:
  - name: ec2-recover-instances
    resource: ec2
    filters:
    - singleton
    actions:
    - type: tag
      key: problem
      value: instance is not resilient
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html
properties:
  type:
    enum:
    - singleton
required:
- type
Permissions - cloudwatch:DescribeAlarmsForMetric
ssm
Filter EC2 instances by their SSM status information.
- Example:
  Find Ubuntu 18.04 instances that are active with SSM.
  policies:
  - name: ec2-ssm-check
    resource: ec2
    filters:
    - type: ssm
      key: PingStatus
      value: Online
    - type: ssm
      key: PlatformName
      value: Ubuntu
    - type: ssm
      key: PlatformVersion
      value: 18.04
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - ssm
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - ssm:DescribeInstanceInformation
ssm-compliance
Filter EC2 instances by their SSM compliance status.
- Example:
  Find non-compliant EC2 instances.
  policies:
  - name: ec2-ssm-compliance
    resource: ec2
    filters:
    - type: ssm-compliance
      compliance_types:
      - Association
      - Patch
      severity:
      - CRITICAL
      - HIGH
      - MEDIUM
      - LOW
      - UNSPECIFIED
      states:
      - NON_COMPLIANT
      eval_filters:
      - type: value
        key: ExecutionSummary.ExecutionTime
        value_type: age
        value: 30
        op: less-than
properties:
  compliance_types:
    items:
      type: string
    type: array
  eval_filters:
    items:
      oneOf:
      - $ref: '#/definitions/filters/valuekv'
      - $ref: '#/definitions/filters/value'
    type: array
  op:
    enum:
    - or
    - and
  severity:
    items:
      type: string
    type: array
  states:
    default:
    - NON_COMPLIANT
    items:
      enum:
      - COMPLIANT
      - NON_COMPLIANT
    type: array
  type:
    enum:
    - ssm-compliance
required:
- compliance_types
- type
Permissions - ssm:ListResourceComplianceSummaries
ssm-inventory
Filter EC2 instances by their SSM software inventory.
- Example:
  Find instances that have a specific package installed.
  policies:
  - name: ec2-find-specific-package
    resource: ec2
    filters:
    - type: ssm-inventory
      query:
      - Key: Name
        Values:
        - "docker"
        Type: Equal
  - name: ec2-get-all-packages
    resource: ec2
    filters:
    - type: ssm-inventory
properties:
  query:
    items:
      properties:
        Key:
          type: string
        Type:
          enum:
          - Equal
          - NotEqual
          - BeginWith
          - LessThan
          - GreaterThan
          - Exists
        Values:
          items:
            type: string
          type: array
      required:
      - Key
      - Values
      type: object
    type: array
  type:
    enum:
    - ssm-inventory
required:
- type
Permissions - ssm:ListInventoryEntries
state-age
Age an instance has been in the given state.
- Example:
  policies:
  - name: ec2-state-running-7-days
    resource: ec2
    filters:
    - type: state-age
      op: ge
      days: 7
properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - state-age
required:
- type
stop-protected
EC2 instances with disableApiStop attribute set
Filters EC2 instances with the disableApiStop attribute set to true.
- Example:
  policies:
  - name: stop-protection-enabled
    resource: ec2
    filters:
    - type: stop-protected
- Example:
  policies:
  - name: stop-protection-NOT-enabled
    resource: ec2
    filters:
    - not:
      - type: stop-protected
properties:
  type:
    enum:
    - stop-protected
required:
- type
Permissions - ec2:DescribeInstanceAttribute
termination-protected
EC2 instances with disableApiTermination attribute set
Filters EC2 instances with the disableApiTermination attribute set to true.
- Example:
  policies:
  - name: termination-protection-enabled
    resource: ec2
    filters:
    - type: termination-protected
- Example:
  policies:
  - name: termination-protection-NOT-enabled
    resource: ec2
    filters:
    - not:
      - type: termination-protected
properties:
  type:
    enum:
    - termination-protected
required:
- type
Permissions - ec2:DescribeInstanceAttribute
user-data
Filter on EC2 instances which have matching userdata. Note: It is highly recommended to use regexes with the ?sm flags, since Custodian uses re.match() and userdata spans multiple lines.
- example:
  policies:
  - name: ec2_userdata_stop
    resource: ec2
    filters:
    - type: user-data
      op: regex
      value: (?smi).*password=
    actions:
    - stop
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - user-data
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - ec2:DescribeInstanceAttribute
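As an added example (not from the Cloud Custodian docs), a policy that uses the re.match() caveat above: every pattern starts with (?sm) and a leading .* so that a secret on any line of a multi-line user-data script is matched. It combines two user-data filters in an or: block and tags the match; the tag key and the secret patterns are assumptions of this example.

```yaml
policies:
- name: ec2-userdata-embedded-credentials
  resource: ec2
  filters:
  - or:
    # AWS access key ids are the literal prefix AKIA followed by 16 upper-case
    # alphanumerics; (?sm) lets .* cross line breaks since re.match() anchors
    # at the start of the user-data blob
    - type: user-data
      op: regex
      value: '(?sm).*AKIA[0-9A-Z]{16}'
    # generic secret assignments, case-insensitive via the i flag
    - type: user-data
      op: regex
      value: '(?smi).*(aws_secret_access_key|password)\s*='
  actions:
  # record the finding on the instance (assumed tag convention), then stop it
  # as the page's own user-data example does
  - type: tag
    key: custodian_userdata
    value: credential-material-found
  - stop
```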
Actions
autorecover-alarm
Adds a CloudWatch metric alarm to recover an EC2 instance.
This action takes effect on instances that are NOT part of an ASG.
- Example:
  policies:
  - name: ec2-autorecover-alarm
    resource: ec2
    filters:
    - singleton
    actions:
    - autorecover-alarm
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html
properties:
  type:
    enum:
    - autorecover-alarm
required:
- type
Permissions - cloudwatch:PutMetricAlarm
reboot
Reboots a previously running EC2 instance.
- Example:
  policies:
  - name: ec2-reboot-instances
    resource: ec2
    query:
    - instance-state-name: running
    actions:
    - reboot
http://docs.aws.amazon.com/cli/latest/reference/ec2/reboot-instances.html
properties:
  type:
    enum:
    - reboot
required:
- type
Permissions - ec2:RebootInstances
resize
Change an instance's size.
An instance can only be resized when it is stopped; this action can optionally stop and start an instance if needed to effect the instance type change. Instances are always left in the run state they were found in.
There are a few caveats to be aware of: instance resizing needs to maintain compatibility for architecture, virtualization type (hvm/pv), and EBS optimization at minimum.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html
This action also has specific support for enacting recommendations from the AWS Cost Optimization Hub for resizing.
- example:
  policies:
  - name: ec2-rightsize
    resource: aws.ec2
    filters:
    - type: cost-optimization
      attrs:
      - actionType: Rightsize
    actions:
    - resize
properties:
  default:
    type: string
  restart:
    type: boolean
  type:
    enum:
    - resize
  type-map:
    type: object
required:
- type
Permissions - ec2:DescribeInstances, ec2:ModifyInstanceAttribute
send-command
Run an SSM Automation Document on an instance.
- Example:
  Find Ubuntu 18.04 instances that are active with SSM and install osquery on them.
  policies:
  - name: ec2-osquery-install
    resource: ec2
    filters:
    - type: ssm
      key: PingStatus
      value: Online
    - type: ssm
      key: PlatformName
      value: Ubuntu
    - type: ssm
      key: PlatformVersion
      value: 18.04
    actions:
    - type: send-command
      command:
        DocumentName: AWS-RunShellScript
        Parameters:
          commands:
          - wget https://pkg.osquery.io/deb/osquery_3.3.0_1.linux.amd64.deb
          - dpkg -i osquery_3.3.0_1.linux.amd64.deb
properties:
  command:
    type: object
  type:
    enum:
    - send-command
required:
- command
Permissions - ssm:SendCommand
set-instance-profile
Sets (add, modify, remove) the instance profile for a running EC2 instance.
- Example:
  policies:
  - name: set-default-instance-profile
    resource: ec2
    filters:
    - IamInstanceProfile: absent
    actions:
    - type: set-instance-profile
      name: default
https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-iam-instance-profile.html
https://docs.aws.amazon.com/cli/latest/reference/ec2/disassociate-iam-instance-profile.html
properties:
  name:
    type: string
  type:
    enum:
    - set-instance-profile
required:
- type
Permissions - ec2:AssociateIamInstanceProfile, ec2:DisassociateIamInstanceProfile, iam:PassRole
set-metadata-access
Set instance metadata server access for an instance.
- example:
  Require instances to use IMDSv2
  policies:
  - name: ec2-require-imdsv2
    resource: ec2
    filters:
    - MetadataOptions.HttpTokens: optional
    actions:
    - type: set-metadata-access
      tokens: required
- example:
  Disable metadata server access
  Reference: https://amzn.to/2XOuxpQ
properties:
  anyOf:
  - required:
    - endpoint
  - required:
    - tokens
  - required:
    - metadatatags
  - required:
    - hop-limit
  endpoint:
    enum:
    - enabled
    - disabled
  hop-limit:
    maximum: 64
    minimum: 1
    type: integer
  metadata-tags:
    enum:
    - enabled
    - disabled
  tokens:
    enum:
    - required
    - optional
  type:
    enum:
    - set-metadata-access
required:
- type
Permissions - ec2:ModifyInstanceMetadataOptions
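As an added example (not from the Cloud Custodian docs), a policy that narrows the IMDSv2 remediation above to the instances where IMDSv1 matters most: those whose instance profile role carries an AWS managed *FullAccess policy, found with the has-specific-managed-policy filter documented earlier on this page. The tag key is an assumed convention of this example.

```yaml
policies:
- name: ec2-imdsv1-with-broad-role
  resource: aws.ec2
  filters:
  # metadata service still answers IMDSv1 requests (same key as the page's example)
  - MetadataOptions.HttpTokens: optional
  # the role behind the instance profile has an AWS managed *FullAccess policy
  # attached; credentials for that role are what IMDSv1 would hand out
  - type: has-specific-managed-policy
    key: PolicyArn
    op: regex
    value: "arn:aws:iam::aws:policy/.*FullAccess"
  actions:
  # leave an audit trail on the instance (assumed tag convention)
  - type: tag
    key: custodian_imds
    value: imdsv2-enforced
  # require session tokens (IMDSv2) while keeping the endpoint reachable,
  # so workloads that already use IMDSv2 keep working
  - type: set-metadata-access
    tokens: required
    endpoint: enabled
```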
set-monitoring
Action on EC2 Instances to enable/disable detailed monitoring
The different states of detailed monitoring status are: 'disabled' | 'disabling' | 'enabled' | 'pending' (https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2.html#EC2.Client.describe_instances)
- Example:
  policies:
  - name: ec2-detailed-monitoring-activation
    resource: ec2
    filters:
    - Monitoring.State: disabled
    actions:
    - type: set-monitoring
      state: enable
properties:
  state:
    enum:
    - enable
    - disable
  type:
    enum:
    - set-monitoring
required:
- type
Permissions - ec2:MonitorInstances, ec2:UnmonitorInstances
snapshot
Snapshot the volumes attached to an EC2 instance.
Tags may optionally be added to the snapshot during creation.
copy-volume-tags copies all the tags from the specified volume to the corresponding snapshot.
copy-tags copies the listed tags from each volume to the snapshot. This is mutually exclusive with copy-volume-tags.
tags allows new tags to be added to each snapshot when using copy-tags. If no tags are specified, then the tag custodian_snapshot is added.
The default behavior is copy-volume-tags: true.
- Example:
  policies:
  - name: ec2-snapshots
    resource: ec2
    actions:
    - type: snapshot
      copy-tags:
      - Name
      tags:
        custodian_snapshot: True
properties:
  copy-tags:
    items:
      type: string
    type: array
  copy-volume-tags:
    type: boolean
  exclude-boot:
    default: false
    type: boolean
  tags:
    type: object
  type:
    enum:
    - snapshot
required:
- type
Permissions - ec2:CreateSnapshot, ec2:CreateTags
start
Starts a previously stopped EC2 instance.
- Example:
  policies:
  - name: ec2-start-stopped-instances
    resource: ec2
    query:
    - instance-state-name: stopped
    actions:
    - start
http://docs.aws.amazon.com/cli/latest/reference/ec2/start-instances.html
properties:
  type:
    enum:
    - start
required:
- type
Permissions - ec2:StartInstances
stop
Stops or hibernates a running EC2 instance.
- Example:
  policies:
  - name: ec2-stop-running-instances
    resource: ec2
    query:
    - instance-state-name: running
    actions:
    - stop
  - name: ec2-hibernate-instances
    resource: ec2
    query:
    - instance-state-name: running
    actions:
    - type: stop
      hibernate: true
Note: when using hibernate, instances not configured for hibernation will just be stopped.
properties:
  force:
    type: boolean
  hibernate:
    type: boolean
  terminate-ephemeral:
    type: boolean
  type:
    enum:
    - stop
required:
- type
Permissions - ec2:StopInstances
terminate
Terminate a set of instances.
While EC2 offers a bulk delete API, any given instance can be configured with API termination protection, so we can't use the bulk call reliably; we need to process the instances individually. Additionally, if we're configured with 'force', then we'll turn off instance termination and stop protection.
- Example:
  policies:
  - name: ec2-process-termination
    resource: ec2
    filters:
    - type: marked-for-op
      op: terminate
    actions:
    - terminate
properties:
  force:
    type: boolean
  type:
    enum:
    - terminate
required:
- type
Permissions - ec2:TerminateInstances