aws.efs

Filters

check-secure-transport

Find EFS file systems that do not enforce secure transport (in-transit encryption) through their file system policy.

Example:

- name: efs-securetransport-check-policy
  resource: efs
  filters:
    - check-secure-transport

To make an EFS file system enforce secure transport, add a statement with the appropriate Effect and Condition to its file system policy. For example:

{
    "Sid": "efs-statement-b3f6b59b-d938-4001-9154-508f67707073",
    "Effect": "Deny",
    "Principal": { "AWS": "*" },
    "Action": "*",
    "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
    }
}
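
As an added illustration (my own code, not Cloud Custodian's implementation of this filter), the following Python checks a file system policy document for the statement shape shown above. It treats a policy as enforcing secure transport only when a Deny statement covers every principal and every action under aws:SecureTransport false; the two policy documents and the account id inside them are constructed samples.

```python
import json

# Constructed sample: the Deny statement shown above, wrapped in a complete
# EFS file-system policy document.
ENFORCING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "efs-statement-b3f6b59b-d938-4001-9154-508f67707073",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
})

# Constructed sample: a policy that only grants access and never denies
# unencrypted clients, so it does not enforce secure transport.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": ["elasticfilesystem:ClientMount",
                       "elasticfilesystem:ClientWrite"],
        }
    ],
})


def _as_list(value):
    """IAM allows a scalar wherever a list is accepted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _applies_to_everyone(principal):
    """True for Principal "*" and for Principal {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _denies_when_insecure(statement):
    """True if the statement's Bool condition fires on aws:SecureTransport false."""
    flags = statement.get("Condition", {}).get("Bool", {})
    values = _as_list(flags.get("aws:SecureTransport"))
    return any(str(v).lower() == "false" for v in values)


def enforces_secure_transport(policy_json):
    """Return True if the policy has a Deny statement that rejects every
    principal and every action when aws:SecureTransport is false.
    A missing or empty policy (the default for a new file system) cannot
    enforce anything, so it yields False."""
    if not policy_json:
        return False
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _applies_to_everyone(stmt.get("Principal")):
            continue
        if "*" not in _as_list(stmt.get("Action")):
            continue
        if _denies_when_insecure(stmt):
            return True
    return False


if __name__ == "__main__":
    print("enforcing:", enforces_secure_transport(ENFORCING_POLICY))    # True
    print("permissive:", enforces_secure_transport(PERMISSIVE_POLICY))  # False
```

The check is deliberately conservative: a Deny that names only a specific principal or action leaves other access paths open to unencrypted clients, so it is not counted as enforcing, and a file system with no policy at all is reported the same way as one with a permissive policy.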
properties:
  type:
    enum:
    - check-secure-transport
required:
- type

Permissions - elasticfilesystem:DescribeFileSystemPolicy

consecutive-aws-backups

Returns resources whose number of consecutive backups (counted in the period defined in the filter) is equal to or greater than n units. This filter supports resources that use the AWS Backup service for backups.

example:

policies:
  - name: dynamodb-consecutive-aws-backup-count
    resource: dynamodb-table
    filters:
      - type: consecutive-aws-backups
        count: 7
        period: days
        status: 'COMPLETED'
properties:
  count:
    minimum: 1
    type: number
  period:
    enum:
    - hours
    - days
    - weeks
  status:
    enum:
    - COMPLETED
    - PARTIAL
    - DELETING
    - EXPIRED
  type:
    enum:
    - consecutive-aws-backups
required:
- count
- period
- status
- type

Permissions - backup:ListRecoveryPointsByResource
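
As an added example (my own code, not the filter's implementation), this Python reproduces the counting rule on constructed recovery points: each of the `count` most recent windows of one `period`, measured back from an assumed evaluation time NOW, must contain a recovery point in the requested status. The recovery point records and timestamps are constructed; the real filter reads them through backup:ListRecoveryPointsByResource, and since the page does not say how windows are aligned, the rolling-window alignment here is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Window width for each period value the filter accepts.
PERIOD_WIDTH = {
    "hours": timedelta(hours=1),
    "days": timedelta(days=1),
    "weeks": timedelta(weeks=1),
}

# Assumed evaluation time, fixed so the sample data is deterministic.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)

# Constructed recovery points in the shape of backup:ListRecoveryPointsByResource
# output, keeping only the two fields the check needs: one completed backup
# per day for the last seven days.
DAILY_RECOVERY_POINTS = [
    {"CompletionDate": NOW - timedelta(days=d, hours=2), "Status": "COMPLETED"}
    for d in range(7)
]

# Same schedule, but the backup from three days ago only partially completed.
PATCHY_RECOVERY_POINTS = [
    {"CompletionDate": NOW - timedelta(days=d, hours=2),
     "Status": "PARTIAL" if d == 3 else "COMPLETED"}
    for d in range(7)
]


def has_consecutive_backups(recovery_points, count, period, status, now=NOW):
    """Return True if every one of the `count` most recent `period`-sized
    windows ending at `now` contains at least one recovery point whose
    Status equals `status`. A gap in any single window fails the check."""
    if count < 1:
        raise ValueError("count must be at least 1")
    if period not in PERIOD_WIDTH:
        raise ValueError("period must be one of hours, days, weeks")
    width = PERIOD_WIDTH[period]

    # Window i covers the interval (now - (i+1)*width, now - i*width].
    covered = set()
    for point in recovery_points:
        if point.get("Status") != status:
            continue  # e.g. PARTIAL or EXPIRED points do not count as COMPLETED
        age = now - point["CompletionDate"]
        if age < timedelta(0):
            continue  # completed after `now`; ignore
        covered.add(age // width)  # timedelta // timedelta gives the window index

    return all(i in covered for i in range(count))


if __name__ == "__main__":
    print(has_consecutive_backups(DAILY_RECOVERY_POINTS, 7, "days", "COMPLETED"))   # True
    print(has_consecutive_backups(PATCHY_RECOVERY_POINTS, 7, "days", "COMPLETED"))  # False
```

Note that the period sets the granularity: the same daily schedule satisfies `count: 7, period: days` but not `count: 1, period: hours`, because the most recent one-hour window contains no backup.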

cross-account

Filter EFS file systems whose file system policy grants cross-account permissions.

example:

policies:
  - name: efs-cross-account
    resource: aws.efs
    filters:
      - type: cross-account
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: false
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: false
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: false
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: false
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - elasticfilesystem:DescribeFileSystemPolicy
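
As an added example (my own code, not the filter's implementation), the Python below walks a constructed EFS file system policy and reports the Allow statements that grant access to an account other than the owner, honouring a whitelist of trusted account ids and the everyone_only switch. It looks only at AWS principals; the condition-based whitelists the filter also offers (whitelist_conditions, whitelist_orgids, whitelist_vpc, whitelist_vpce) are not modelled here, and all account ids and ARNs are constructed.

```python
import json

# Constructed: the account that owns the file system.
OWN_ACCOUNT = "111122223333"

# Constructed EFS file-system policy: one in-account grant, one grant to a
# partner account, one grant open to everyone, and a Deny that grants nothing.
POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SameAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "elasticfilesystem:ClientMount"},
        {"Sid": "Partner", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:root"]},
         "Action": "elasticfilesystem:ClientMount"},
        {"Sid": "Everyone", "Effect": "Allow",
         "Principal": "*",
         "Action": "elasticfilesystem:ClientMount"},
        {"Sid": "DenyInsecure", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """IAM allows a scalar wherever a list is accepted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(entry):
    """Map one AWS principal entry to an account id; "*" means everyone."""
    if entry == "*":
        return "*"
    parts = entry.split(":")
    if len(parts) >= 5 and parts[0] == "arn":  # arn:aws:iam::ACCOUNT:...
        return parts[4]
    return entry  # a bare 12-digit account id is also a valid principal


def cross_account_statements(policy_json, own_account, whitelist=(), everyone_only=False):
    """Return the Sids of Allow statements that grant access to an account
    other than `own_account` and not listed in `whitelist`. With
    everyone_only set, only statements open to any principal are reported."""
    doc = json.loads(policy_json)
    trusted = set(whitelist) | {own_account}
    matched = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny never grants access, so it cannot be cross-account
        principal = stmt.get("Principal")
        if principal == "*":
            entries = ["*"]
        elif isinstance(principal, dict):
            entries = _as_list(principal.get("AWS"))  # Service/Federated not handled
        else:
            entries = []
        accounts = {_account_of(e) for e in entries}
        foreign = accounts & {"*"} if everyone_only else accounts - trusted
        if foreign:
            matched.append(stmt.get("Sid"))
    return matched


if __name__ == "__main__":
    print(cross_account_statements(POLICY, OWN_ACCOUNT))               # ['Partner', 'Everyone']
    print(cross_account_statements(POLICY, OWN_ACCOUNT, ["444455556666"]))  # ['Everyone']
```

The Deny statement is skipped on purpose: the filter is looking for grants, and a wildcard-principal Deny is the secure-transport guard from the check-secure-transport filter above, not an exposure. In the real filter the matched statement ids are what the remove-statements action consumes with `statement_ids: matched`.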

has-statement

Find resources with matching access policy statements.

If you want to match statements that include the listed Action or NotAction values (possibly alongside others), name those fields in PartialMatch instead of requiring an exact match.

example:

policies:
  - name: sns-check-statement-id
    resource: sns
    filters:
      - type: has-statement
        statement_ids:
          - BlockNonSSL

policies:
  - name: sns-check-block-non-ssl
    resource: sns
    filters:
      - type: has-statement
        statements:
          - Effect: Deny
            Action: 'SNS:Publish'
            Principal: '*'
            Condition:
              Bool:
                "aws:SecureTransport": "false"
            PartialMatch: 'Action'
properties:
  statement_ids:
    items:
      type: string
    type: array
  statements:
    items:
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        PartialMatch:
          anyOf:
          - enum:
            - Action
            - NotAction
            type: string
          - items:
            - enum:
              - Action
              - NotAction
              type: string
            type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Effect
      type: object
    type: array
  type:
    enum:
    - has-statement
required:
- type
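
As an added example (my own code, not the filter's implementation), this Python applies the two matching modes to a constructed SNS topic policy: Sid lookup via statement_ids, and field-by-field matching via statements, where PartialMatch on Action accepts a statement whose Action list contains the wanted entries. The topic policy, its ARN and account id are constructed; the statement spec is the one from the second policy above.

```python
import json

# Constructed SNS topic access policy with a single statement whose Action
# list is broader than the one the spec asks for.
TOPIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BlockNonSSL",
         "Effect": "Deny",
         "Principal": "*",
         "Action": ["SNS:Publish", "SNS:Subscribe"],
         "Resource": "arn:aws:sns:us-east-1:111122223333:alerts",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# The statement spec from the second policy above, with PartialMatch on Action.
BLOCK_NON_SSL_SPEC = {
    "Effect": "Deny",
    "Action": "SNS:Publish",
    "Principal": "*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    "PartialMatch": "Action",
}

# The same spec without PartialMatch: Action must then match exactly.
BLOCK_NON_SSL_EXACT_SPEC = {k: v for k, v in BLOCK_NON_SSL_SPEC.items()
                            if k != "PartialMatch"}


def _as_list(value):
    """IAM allows a scalar wherever a list is accepted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _field_matches(wanted, actual, partial):
    """Partial: every wanted entry is present in the actual field.
    Exact: the two values must be identical."""
    if partial:
        return set(_as_list(wanted)) <= set(_as_list(actual))
    return wanted == actual


def statement_matches(spec, stmt):
    """True if every field named in `spec` (other than PartialMatch)
    matches the corresponding field of `stmt`."""
    partial_fields = set(_as_list(spec.get("PartialMatch")))
    for field, wanted in spec.items():
        if field == "PartialMatch":
            continue
        if field not in stmt:
            return False
        if not _field_matches(wanted, stmt[field], field in partial_fields):
            return False
    return True


def has_statement(policy_json, statement_ids=(), statements=()):
    """True only if every listed Sid and every statement spec is found
    somewhere in the policy document."""
    actual = _as_list(json.loads(policy_json).get("Statement"))
    present_sids = {s.get("Sid") for s in actual}
    if not all(sid in present_sids for sid in statement_ids):
        return False
    return all(any(statement_matches(spec, s) for s in actual)
               for spec in statements)


if __name__ == "__main__":
    print(has_statement(TOPIC_POLICY, statements=[BLOCK_NON_SSL_SPEC]))        # True
    print(has_statement(TOPIC_POLICY, statements=[BLOCK_NON_SSL_EXACT_SPEC]))  # False
```

The exact-match spec fails because 'SNS:Publish' is not identical to the list ['SNS:Publish', 'SNS:Subscribe']; that is the case PartialMatch exists for. The schema only permits Action and NotAction in PartialMatch, and this helper relies on that, since it builds sets from the field values.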

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database.

Revisions can be selected by date, as the previous version, or as a locked version (selecting a locked version requires the is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

kms-key

Filter a resource by its associated KMS key, and optionally by the key's alias name using the 'c7n:AliasName' key.

example:

Match a specific key alias:

policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS and CUSTOMER-managed keys. The above policy can also be written as:

policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS
properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: false
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey

lifecycle-policy

Filters EFS file systems based on the state of their lifecycle policies.

example:

policies:
  - name: efs-filter-lifecycle
    resource: efs
    filters:
      - type: lifecycle-policy
        state: present
        value: AFTER_7_DAYS
properties:
  state:
    enum:
    - present
    - absent
  type:
    enum:
    - lifecycle-policy
  value:
    type: string
required:
- state
- type

Permissions - elasticfilesystem:DescribeLifecycleConfiguration

Actions

configure-lifecycle-policy

Enable or disable the lifecycle policy for an EFS file system.

example:

policies:
  - name: efs-apply-lifecycle
    resource: efs
    actions:
      - type: configure-lifecycle-policy
        state: enable
        rules:
          - 'TransitionToIA': 'AFTER_7_DAYS'
properties:
  rules:
    items:
      type: object
    type: array
  state:
    enum:
    - enable
    - disable
  type:
    enum:
    - configure-lifecycle-policy
required:
- state
- type

Permissions - elasticfilesystem:PutLifecycleConfiguration

delete

Parent base class for filters and actions.

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - elasticfilesystem:DescribeMountTargets, elasticfilesystem:DeleteMountTarget, elasticfilesystem:DeleteFileSystem

remove-statements

Action to remove statements from an EFS file system policy.

example:

policies:
   - name: remove-efs-cross-account
     resource: efs
     filters:
       - type: cross-account
     actions:
       - type: remove-statements
         statement_ids: matched
properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

Permissions - elasticfilesystem:DescribeFileSystems, elasticfilesystem:DeleteFileSystemPolicy

rename-tag

Rename an existing tag key to a new value.

example:

Rename Application and Bap to App. If a resource has both of the old keys, the value of Application is used, because old_keys are applied in order.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources