aws.ec2

Filters

default-vpc

Matches if an EC2 instance is in the default VPC.

properties:
  type:
    enum:
    - default-vpc
required:
- type

ebs

EC2 instances with EBS-backed volumes

Filters EC2 instances with EBS-backed (non-ephemeral) storage devices.

Example

policies:
  - name: ec2-encrypted-ebs-volumes
    resource: ec2
    filters:
      - type: ebs
        key: Encrypted
        value: true

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  operator:
    enum:
    - and
    - or
  skip-devices:
    items:
      type: string
    type: array
  type:
    enum:
    - ebs
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

ephemeral

EC2 instances with ephemeral storage

Filters EC2 instances that have ephemeral storage (an instance-store backed root device)

Example

policies:
  - name: ec2-ephemeral-instances
    resource: ec2
    filters:
      - type: ephemeral

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html

properties:
  type:
    enum:
    - ephemeral
required:
- type

image

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - image
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

image-age

EC2 AMI age filter

Filters EC2 instances based on the age of their AMI image (in days)

Example

policies:
  - name: ec2-ancient-ami
    resource: ec2
    filters:
      - type: image-age
        op: ge
        days: 90

properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - image-age
required:
- type

instance-age

Filters instances based on their age (in days)

Example

policies:
  - name: ec2-30-days-plus
    resource: ec2
    filters:
      - type: instance-age
        op: ge
        days: 30

properties:
  days:
    type: number
  hours:
    type: number
  minutes:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - instance-age
required:
- type

instance-attribute

EC2 instance value filter on a given instance attribute.

Filters EC2 instances on the value of the given instance attribute.

Example

policies:
  - name: ec2-unoptimized-ebs
    resource: ec2
    filters:
      - type: instance-attribute
        attribute: ebsOptimized
        key: "Value"
        value: false

properties:
  attribute:
    enum:
    - instanceType
    - kernel
    - ramdisk
    - userData
    - disableApiTermination
    - instanceInitiatedShutdownBehavior
    - rootDeviceName
    - blockDeviceMapping
    - productCodes
    - sourceDestCheck
    - groupSet
    - ebsOptimized
    - sriovNetSupport
    - enaSupport
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - instance-attribute
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- attribute

instance-uptime

Automatically filter resources older than a given date.

Deprecated: use a value filter with value_type: age, which can be applied to any attribute.

properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - instance-uptime
required:
- type

singleton

EC2 instances without autoscaling or a recover alarm

Filters EC2 instances that are not members of an autoscaling group and do not have CloudWatch recover alarms.

Example

policies:
  - name: ec2-recover-instances
    resource: ec2
    filters:
      - singleton
    actions:
      - type: tag
        key: problem
        value: instance is not resilient

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html

properties:
  type:
    enum:
    - singleton
required:
- type

ssm

Filter ec2 instances by their ssm status information.

Example

Find Ubuntu 18.04 instances that are active with SSM.

policies:
  - name: ec2-ssm-check
    resource: ec2
    filters:
      - type: ssm
        key: PingStatus
        value: Online
      - type: ssm
        key: PlatformName
        value: Ubuntu
      - type: ssm
        key: PlatformVersion
        value: 18.04

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - ssm
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

state-age

Filters instances by how long (in days) they have been in the given state.

policies:
  - name: ec2-state-running-7-days
    resource: ec2
    filters:
      - type: state-age
        op: ge
        days: 7

properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - state-age
required:
- type

termination-protected

EC2 instances with disableApiTermination attribute set

Filters EC2 instances with disableApiTermination attribute set to true.

Example

policies:
  - name: termination-protection-enabled
    resource: ec2
    filters:
      - type: termination-protected

Example

policies:
  - name: termination-protection-NOT-enabled
    resource: ec2
    filters:
      - not:
        - type: termination-protected

properties:
  type:
    enum:
    - termination-protected
required:
- type

user-data

Filters EC2 instances whose userdata matches the given value. Note: it is highly recommended to use regexes with the ?sm flags, since Custodian uses re.match() and userdata spans multiple lines.

Example

policies:
  - name: ec2_userdata_stop
    resource: ec2
    filters:
      - type: user-data
        op: regex
        value: (?smi).*password=
    actions:
      - stop

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - user-data
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type
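The re.match() note above, worked through on a constructed userdata blob as an added example (this is not Custodian's code). The base64 helper assumes the blob arrives in the encoded form that the EC2 userData attribute uses; the page itself does not describe that decoding step.

```python
import base64
import re

# Constructed sample userdata (a cloud-init shell script): the credential is
# not on the first line, which is exactly the case the (?sm) advice covers.
SAMPLE_USERDATA = (
    "#!/bin/bash\n"
    "apt-get update -y\n"
    "echo 'password=hunter2' > /etc/app.conf\n"
)

# The EC2 userData attribute is returned base64-encoded; this encoded form is
# constructed from the sample so the example runs offline.
SAMPLE_USERDATA_B64 = base64.b64encode(SAMPLE_USERDATA.encode()).decode()


def userdata_matches(pattern: str, userdata: str) -> bool:
    """Apply a user-data filter regex the way the page says Custodian does:
    re.match(), i.e. anchored at offset 0 of the whole (decoded) blob."""
    return re.match(pattern, userdata) is not None


def encoded_userdata_matches(pattern: str, userdata_b64: str) -> bool:
    """Decode a base64 userData value, then match exactly as above."""
    decoded = base64.b64decode(userdata_b64).decode("utf-8", errors="replace")
    return userdata_matches(pattern, decoded)


def matching_lines(pattern: str, userdata: str) -> list:
    """For triage: 1-based line numbers where a plain re.search() of the
    pattern hits, so a finding can be reported without echoing the secret."""
    return [i for i, line in enumerate(userdata.splitlines(), 1)
            if re.search(pattern, line)]


if __name__ == "__main__":
    # Without (?s), '.' stops at the first newline and re.match() never gets
    # past line 1, so the credential on line 3 is missed.
    print(userdata_matches(r".*password=", SAMPLE_USERDATA))          # False
    # (?m) alone does not help: re.match() still only tries offset 0.
    print(userdata_matches(r"(?m)^.*password=", SAMPLE_USERDATA))     # False
    # The pattern from the policy above, with the recommended flags.
    print(userdata_matches(r"(?smi).*password=", SAMPLE_USERDATA))    # True
    print(encoded_userdata_matches(r"(?smi).*password=", SAMPLE_USERDATA_B64))
    print(matching_lines(r"(?i)password=", SAMPLE_USERDATA))          # [3]
```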

Actions

autorecover-alarm

Adds a CloudWatch metric alarm to recover an EC2 instance.

This action takes effect on instances that are NOT part of an ASG.

Example

policies:
  - name: ec2-autorecover-alarm
    resource: ec2
    filters:
      - singleton
    actions:
      - autorecover-alarm

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html

properties:
  type:
    enum:
    - autorecover-alarm
required:
- type

propagate-spot-tags

Propagate Tags that are set at Spot Request level to EC2 instances.

Example

policies:
  - name: ec2-spot-instances
    resource: ec2
    filters:
      - State.Name: pending
      - instanceLifecycle: spot
    actions:
      - type: propagate-spot-tags
        only_tags:
          - Name
          - BillingTag

properties:
  only_tags:
    items:
      type: string
    type: array
  type:
    enum:
    - propagate-spot-tags
required:
- type

reboot

Reboots a running EC2 instance.

Example

policies:
  - name: ec2-reboot-instances
    resource: ec2
    query:
      - instance-state-name: running
    actions:
      - reboot

http://docs.aws.amazon.com/cli/latest/reference/ec2/reboot-instances.html

properties:
  type:
    enum:
    - reboot
required:
- type

resize

Change an instance’s size.

An instance can only be resized when it is stopped; this action can optionally stop and restart an instance if needed to effect the instance type change. Instances are always left in the run state they were found in.

There are a few caveats to be aware of: at minimum, the target instance type must remain compatible with the instance's architecture, virtualization type (HVM/PV), and EBS optimization setting.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html

properties:
  default:
    type: string
  restart:
    type: boolean
  type:
    enum:
    - resize
  type-map:
    type: object
required:
- type

send-command

Run an SSM Automation Document on an instance.

Example

Find Ubuntu 18.04 instances that are active with SSM and install osquery on them.

policies:
  - name: ec2-osquery-install
    resource: ec2
    filters:
      - type: ssm
        key: PingStatus
        value: Online
      - type: ssm
        key: PlatformName
        value: Ubuntu
      - type: ssm
        key: PlatformVersion
        value: 18.04
    actions:
      - type: send-command
        command:
          DocumentName: AWS-RunShellScript
          Parameters:
            commands:
              - wget https://pkg.osquery.io/deb/osquery_3.3.0_1.linux.amd64.deb
              - dpkg -i osquery_3.3.0_1.linux.amd64.deb

properties:
  command:
    type: object
  type:
    enum:
    - send-command
required:
- command

set-instance-profile

Sets (add, modify, remove) the instance profile for a running EC2 instance.

Example

policies:
  - name: set-default-instance-profile
    resource: ec2
    filters:
      - IamInstanceProfile: absent
    actions:
      - type: set-instance-profile
        name: default

https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-iam-instance-profile.html
https://docs.aws.amazon.com/cli/latest/reference/ec2/disassociate-iam-instance-profile.html

properties:
  name:
    type: string
  type:
    enum:
    - set-instance-profile
required:
- type

snapshot

Snapshots volumes attached to an EC2 instance

Example

policies:
  - name: ec2-snapshots
    resource: ec2
    actions:
      - type: snapshot
        copy-tags:
          - Name

properties:
  copy-tags:
    items:
      type: string
    type: array
  copy-volume-tags:
    type: boolean
  exclude-boot:
    default: false
    type: boolean
  type:
    enum:
    - snapshot
required:
- type

start

Starts a previously stopped EC2 instance.

Example

policies:
  - name: ec2-start-stopped-instances
    resource: ec2
    query:
      - instance-state-name: stopped
    actions:
      - start

http://docs.aws.amazon.com/cli/latest/reference/ec2/start-instances.html

properties:
  type:
    enum:
    - start
required:
- type

stop

Stops running EC2 instances.

Example

policies:
  - name: ec2-stop-running-instances
    resource: ec2
    query:
      - instance-state-name: running
    actions:
      - stop

properties:
  terminate-ephemeral:
    type: boolean
  type:
    enum:
    - stop
required:
- type

terminate

Terminate a set of instances.

While EC2 offers a bulk terminate API, any given instance can be configured with API termination protection, so the bulk call can't be used reliably; the instances must be processed individually. Additionally, if the action is configured with 'force', instance termination protection is turned off first.

Example

policies:
  - name: ec2-process-termination
    resource: ec2
    filters:
      - type: marked-for-op
        op: terminate
    actions:
      - terminate

properties:
  force:
    type: boolean
  type:
    enum:
    - terminate
required:
- type