aws.efs¶
Filters¶
check-secure-transport¶
Find EFS that does not enforce secure transport
- Example
- name: efs-securetransport-check-policy
resource: efs
filters:
- check-secure-transport
To configure an EFS to enforce secure transport, set up the appropriate Effect and Condition for its policy document. For example:
{
"Sid": "efs-statement-b3f6b59b-d938-4001-9154-508f67707073",
"Effect": "Deny",
"Principal": { "AWS": "*" },
"Action": "*",
"Condition": {
"Bool": { "aws:SecureTransport": "false" }
}
}
properties:
type:
enum:
- check-secure-transport
required:
- type
Permissions - elasticfilesystem:DescribeFileSystemPolicy
consecutive-aws-backups¶
Returns resources where number of consective backups (based on the periodicity defined in the filter) is equal to/or greater than n units. This filter supports the resources that use AWS Backup service for backups. :example: .. code-block:: yaml
- policies:
name: dynamodb-consecutive-aws-backup-count resource: dynamodb-table filters:
type: consecutive-aws-backups count: 7 period: days status: ‘COMPLETED’
properties:
count:
minimum: 1
type: number
period:
enum:
- hours
- days
- weeks
status:
enum:
- COMPLETED
- PARTIAL
- DELETING
- EXPIRED
type:
enum:
- consecutive-aws-backups
required:
- count
- period
- status
- type
Permissions - backup:ListRecoveryPointsByResource
has-statement¶
Find resources with matching access policy statements. :example: .. code-block:: yaml
- policies:
name: sns-check-statement-id resource: sns filters:
type: has-statement statement_ids:
BlockNonSSL
- policies:
name: sns-check-block-non-ssl resource: sns filters:
type: has-statement statements:
Effect: Deny Action: ‘SNS:Publish’ Principal: ‘*’ Condition:
- Bool:
“aws:SecureTransport”: “false”
properties:
statement_ids:
items:
type: string
type: array
statements:
items:
properties:
Action:
anyOf:
- type: string
- type: array
Condition:
type: object
Effect:
enum:
- Allow
- Deny
type: string
NotAction:
anyOf:
- type: string
- type: array
NotPrincipal:
anyOf:
- type: object
- type: array
NotResource:
anyOf:
- type: string
- type: array
Principal:
anyOf:
- type: string
- type: object
- type: array
Resource:
anyOf:
- type: string
- type: array
Sid:
type: string
required:
- Effect
type: object
type: array
type:
enum:
- has-statement
required:
- type
json-diff¶
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
kms-key¶
Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’
- example
Match a specific key alias:
policies: - name: dms-encrypt-key-check resource: dms-instance filters: - type: kms-key key: "c7n:AliasName" value: alias/aws/dms
Or match against native key attributes such as KeyManager, which
more explicitly distinguishes between AWS and CUSTOMER-managed
keys. The above policy can also be written as:
policies: - name: dms-aws-managed-key resource: dms-instance filters: - type: kms-key key: KeyManager value: AWS
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
operator:
enum:
- and
- or
type:
enum:
- kms-key
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - kms:ListKeys, kms:DescribeKey
lifecycle-policy¶
Filters efs based on the state of lifecycle policies
- example
policies: - name: efs-filter-lifecycle resource: efs filters: - type: lifecycle-policy state: present value: AFTER_7_DAYS
properties:
state:
enum:
- present
- absent
type:
enum:
- lifecycle-policy
value:
type: string
required:
- state
- type
Permissions - elasticfilesystem:DescribeLifecycleConfiguration
Actions¶
configure-lifecycle-policy¶
Enable/disable lifecycle policy for efs.
- example
policies: - name: efs-apply-lifecycle resource: efs actions: - type: configure-lifecycle-policy state: enable rules: - 'TransitionToIA': 'AFTER_7_DAYS'
properties:
rules:
items:
type: object
type: array
state:
enum:
- enable
- disable
type:
enum:
- configure-lifecycle-policy
required:
- state
- type
Permissions - elasticfilesystem:PutLifecycleConfiguration
delete¶
Parent base class for filters and actions.
properties:
type:
enum:
- delete
required:
- type
Permissions - elasticfilesystem:DescribeMountTargets, elasticfilesystem:DeleteMountTarget, elasticfilesystem:DeleteFileSystem