aws.elasticsearch

Filters

cross-account

Filter to return all elasticsearch domains with cross account access permissions

example

policies:
  - name: check-elasticsearch-cross-account
    resource: aws.elasticsearch
    filters:
      - type: cross-account
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - es:DescribeElasticsearchDomainConfig

cross-cluster

Filter to return all elasticsearch domains with inbound cross-cluster with the given info

example

policies:
  - name: check-elasticsearch-cross-cluster
    resource: aws.elasticsearch
    filters:
      - type: cross-cluster
        inbound:
            key: SourceDomainInfo.OwnerId
            op: eq
            value: '123456789'
        outbound:
            key: SourceDomainInfo.OwnerId
            op: eq
            value: '123456789'
properties:
  inbound:
    additionalProperties: false
    properties:
      default:
        type: object
      key:
        type: string
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
        - glob
        - regex
        - regex-case
        - in
        - ni
        - not-in
        - contains
        - difference
        - intersect
      type:
        enum:
        - inbound
      value:
        oneOf:
        - type: array
        - type: string
        - type: boolean
        - type: number
        - type: 'null'
      value_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
            - type: integer
            - type: string
          format:
            enum:
            - csv
            - json
            - txt
            - csv2dict
          url:
            type: string
        required:
        - url
        type: object
      value_regex:
        type: string
      value_type:
        enum:
        - age
        - integer
        - expiration
        - normalize
        - size
        - cidr
        - cidr_size
        - swap
        - resource_count
        - expr
        - unique_size
        - date
        - version
    required:
    - key
    - value
    type: object
  outbound:
    additionalProperties: false
    properties:
      default:
        type: object
      key:
        type: string
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
        - glob
        - regex
        - regex-case
        - in
        - ni
        - not-in
        - contains
        - difference
        - intersect
      type:
        enum:
        - outbound
      value:
        oneOf:
        - type: array
        - type: string
        - type: boolean
        - type: number
        - type: 'null'
      value_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
            - type: integer
            - type: string
          format:
            enum:
            - csv
            - json
            - txt
            - csv2dict
          url:
            type: string
        required:
        - url
        type: object
      value_regex:
        type: string
      value_type:
        enum:
        - age
        - integer
        - expiration
        - normalize
        - size
        - cidr
        - cidr_size
        - swap
        - resource_count
        - expr
        - unique_size
        - date
        - version
    required:
    - key
    - value
    type: object
  type:
    enum:
    - cross-cluster
required:
- type

Permissions - es:ESCrossClusterGet

has-statement

Find resources with matching access policy statements. :example: .. code-block:: yaml

policies:
  • name: sns-check-statement-id resource: sns filters:

    • type: has-statement statement_ids:

      • BlockNonSSL

policies:
  • name: sns-check-block-non-ssl resource: sns filters:

    • type: has-statement statements:

      • Effect: Deny Action: ‘SNS:Publish’ Principal: ‘*’ Condition:

        Bool:

        “aws:SecureTransport”: “false”

properties:
  statement_ids:
    items:
      type: string
    type: array
  statements:
    items:
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Effect
      type: object
    type: array
  type:
    enum:
    - has-statement
required:
- type

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

kms-key

Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

example

Match a specific key alias:

policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS and CUSTOMER-managed keys. The above policy can also be written as:

policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS
properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

Permissions - kms:ListKeys, kms:DescribeKey

source-ip

ValueFilter-based filter for verifying allowed source ips in an ElasticSearch domain’s access policy. Useful for checking to see if an ElasticSearch domain allows traffic from non approved IP addresses/CIDRs.

example

Find ElasticSearch domains that allow traffic from IP addresses not in the approved list (string matching) .. code-block: yaml

  • type: source-ip op: not-in value: [“103.15.250.0/24”, “173.240.160.0/21”, “206.108.40.0/21”]

Same as above but using cidr matching instead of string matching .. code-block: yaml

  • type: source-ip op: not-in value_type: cidr value: [“103.15.250.0/24”, “173.240.160.0/21”, “206.108.40.0/21”]

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - source-ip
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

Permissions - es:DescribeElasticsearchDomainConfig

Actions

delete

Parent base class for filters and actions.

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - es:DeleteElasticsearchDomain

remove-matched-source-ips

Action to remove matched source ips from a Access Policy. This action needs to be used in conjunction with the source-ip filter. It can be used for removing non-approved IP addresses from the the access policy of a ElasticSearch domain.

example

properties:
  type:
    enum:
    - remove-matched-source-ips
required:
- type

Permissions - es:UpdateElasticsearchDomainConfig

remove-statements

Action to remove policy statements from elasticsearch

example

policies:
  - name: elasticsearch-cross-account
    resource: aws.elasticsearch
    filters:
      - type: cross-account
    actions:
      - type: remove-statements
        statement_ids: matched
properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
      - '*'
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

Permissions - es:DescribeElasticsearchDomainConfig, es:UpdateElasticsearchDomainConfig

update-tls-config

Action to update tls-config on a domain endpoint

example

policies:
  - name: update-tls-config
    resource: elasticsearch
    filters:
      - type: value
        key: 'DomainEndpointOptions.TLSSecurityPolicy'
        op: eq
        value: "Policy-Min-TLS-1-0-2019-07"
    actions:
      - type: update-tls-config
        value: "Policy-Min-TLS-1-2-2019-07"
properties:
  type:
    enum:
    - update-tls-config
  value:
    enum:
    - Policy-Min-TLS-1-0-2019-07
    - Policy-Min-TLS-1-2-2019-07
    type: string
required:
- value
- type

Permissions - es:UpdateElasticsearchDomainConfig, es:ListDomainNames