aws.efs

Filters

check-secure-transport

Find EFS that does not enforce secure transport

Example

- name: efs-securetransport-check-policy
  resource: efs
  filters:
    - check-secure-transport

To configure an EFS to enforce secure transport, set up the appropriate Effect and Condition for its policy document. For example:

{
    "Sid": "efs-statement-b3f6b59b-d938-4001-9154-508f67707073",
    "Effect": "Deny",
    "Principal": { "AWS": "*" },
    "Action": "*",
    "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
    }
}
properties:
  type:
    enum:
    - check-secure-transport
required:
- type

Permissions - elasticfilesystem:DescribeFileSystemPolicy

consecutive-aws-backups

Returns resources where number of consective backups (based on the periodicity defined in the filter) is equal to/or greater than n units. This filter supports the resources that use AWS Backup service for backups. :example: .. code-block:: yaml

policies:
  • name: dynamodb-consecutive-aws-backup-count resource: dynamodb-table filters:

    • type: consecutive-aws-backups count: 7 period: days status: ‘COMPLETED’

properties:
  count:
    minimum: 1
    type: number
  period:
    enum:
    - hours
    - days
    - weeks
  status:
    enum:
    - COMPLETED
    - PARTIAL
    - DELETING
    - EXPIRED
  type:
    enum:
    - consecutive-aws-backups
required:
- count
- period
- status
- type

Permissions - backup:ListRecoveryPointsByResource

has-statement

Find resources with matching access policy statements. :example: .. code-block:: yaml

policies:
  • name: sns-check-statement-id resource: sns filters:

    • type: has-statement statement_ids:

      • BlockNonSSL

policies:
  • name: sns-check-block-non-ssl resource: sns filters:

    • type: has-statement statements:

      • Effect: Deny Action: ‘SNS:Publish’ Principal: ‘*’ Condition:

        Bool:

        “aws:SecureTransport”: “false”

properties:
  statement_ids:
    items:
      type: string
    type: array
  statements:
    items:
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Effect
      type: object
    type: array
  type:
    enum:
    - has-statement
required:
- type

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

kms-key

Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

example

Match a specific key alias:

policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS and CUSTOMER-managed keys. The above policy can also be written as:

policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS
properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

Permissions - kms:ListKeys, kms:DescribeKey

lifecycle-policy

Filters efs based on the state of lifecycle policies

example
policies:
  - name: efs-filter-lifecycle
    resource: efs
    filters:
      - type: lifecycle-policy
        state: present
        value: AFTER_7_DAYS
properties:
  state:
    enum:
    - present
    - absent
  type:
    enum:
    - lifecycle-policy
  value:
    type: string
required:
- state
- type

Permissions - elasticfilesystem:DescribeLifecycleConfiguration

Actions

configure-lifecycle-policy

Enable/disable lifecycle policy for efs.

example
policies:
  - name: efs-apply-lifecycle
    resource: efs
    actions:
      - type: configure-lifecycle-policy
        state: enable
        rules:
          - 'TransitionToIA': 'AFTER_7_DAYS'
properties:
  rules:
    items:
      type: object
    type: array
  state:
    enum:
    - enable
    - disable
  type:
    enum:
    - configure-lifecycle-policy
required:
- state
- type

Permissions - elasticfilesystem:PutLifecycleConfiguration

delete

Parent base class for filters and actions.

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - elasticfilesystem:DescribeMountTargets, elasticfilesystem:DeleteMountTarget, elasticfilesystem:DeleteFileSystem