aws.elastic-ip
Filters
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (which requires the is-locked filter).
    properties:
      selector:
        enum:
        - previous
        - date
        - locked
      selector_value:
        type: string
      type:
        enum:
        - json-diff
    required:
    - type
Permissions - config:GetResourceConfigHistory
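The following policy file is an added example, not taken from the Cloud Custodian documentation, showing json-diff with the previous and date selectors. The policy names and the date value are constructed, and it assumes AWS Config is recording Elastic IPs in the target account and region and that selector_value accepts a date string.

```yaml
policies:
  # Report Elastic IPs whose current configuration differs from the
  # immediately preceding revision recorded by AWS Config.
  - name: eip-changed-since-previous    # constructed name
    resource: aws.elastic-ip
    filters:
      - type: json-diff
        selector: previous

  # Report Elastic IPs whose current configuration differs from the
  # revision that was current at a chosen point in time.
  - name: eip-changed-since-date        # constructed name
    resource: aws.elastic-ip
    filters:
      - type: json-diff
        selector: date
        selector_value: "2024-01-01"    # constructed date, format assumed
```

Neither policy defines actions, so a run only records the matching Elastic IPs for review.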
shield-enabled
Base class with helper methods for dealing with ARNs of resources protected by Shield
    properties:
      state:
        type: boolean
      type:
        enum:
        - shield-enabled
    required:
    - type
Permissions - shield:ListProtections
used-by
Filter Elastic IPs by the type of resource to which the Elastic IP's associated network interface is attached.
This filter is useful for limiting the types of resources on which AWS Shield Advanced protection is enabled.
- Example:
    policies:
      - name: eip-shield-advanced-enable
        resource: aws.elastic-ip
        filters:
          - type: used-by
            resource-type: elb-net
          - type: shield-enabled
            state: false
        actions:
          - type: set-shield
            state: true

    properties:
      resource-type:
        type: string
      type:
        enum:
        - used-by
    required:
    - resource-type
    - type
Permissions - ec2:DescribeNetworkInterfaces
Actions
disassociate
Disassociate elastic IP addresses from resources without releasing them.
- example:
    policies:
      - name: disassociate-network-addr
        resource: network-addr
        filters:
          - AllocationId: ...
        actions:
          - type: disassociate

    properties:
      type:
        enum:
        - disassociate
    required:
    - type
Permissions - ec2:DisassociateAddress
release
Action to release Elastic IP address(es).
Use the force option to cause any attached elastic IPs to also be released. Otherwise, only unattached elastic IPs will be released.
- example:
    policies:
      - name: release-network-addr
        resource: network-addr
        filters:
          - AllocationId: ...
        actions:
          - type: release
            force: True

    properties:
      force:
        type: boolean
      type:
        enum:
        - release
    required:
    - type
Permissions - ec2:ReleaseAddress, ec2:DisassociateAddress
set-shield
Enable Shield protection on applicable resources.
Setting the sync parameter will also clear out stale Shield protections for resources that no longer exist.
    properties:
      state:
        type: boolean
      sync:
        type: boolean
      type:
        enum:
        - set-shield
    required:
    - type
Permissions - shield:CreateProtection, shield:ListProtections