aws.elasticsearch
Filters
cross-account
Filter to return all elasticsearch domains with cross account access permissions
- example:
policies:
- name: check-elasticsearch-cross-account
resource: aws.elasticsearch
filters:
- type: cross-account
properties:
actions:
items:
type: string
type: array
everyone_only:
type: boolean
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_conditions:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
whitelist_orgids:
items:
type: string
type: array
whitelist_orgids_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
whitelist_vpc:
items:
type: string
type: array
whitelist_vpc_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
whitelist_vpce:
items:
type: string
type: array
whitelist_vpce_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
required:
- type
Permissions - es:DescribeElasticsearchDomainConfig
cross-cluster
Filter to return all elasticsearch domains with inbound cross-cluster with the given info
- example:
policies:
- name: check-elasticsearch-cross-cluster
resource: aws.elasticsearch
filters:
- type: cross-cluster
inbound:
key: SourceDomainInfo.OwnerId
op: eq
value: '123456789'
outbound:
key: SourceDomainInfo.OwnerId
op: eq
value: '123456789'
properties:
inbound:
additionalProperties: false
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- inbound
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- key
- value
type: object
outbound:
additionalProperties: false
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- outbound
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- key
- value
type: object
type:
enum:
- cross-cluster
required:
- type
Permissions - es:ESCrossClusterGet
has-statement
Find resources with matching access policy statements.
If you want to return resource statements that include the listed Action or NotAction, you can use PartialMatch instead of an exact match.
- example:
policies:
- name: sns-check-statement-id
resource: sns
filters:
- type: has-statement
statement_ids:
- BlockNonSSL
policies:
- name: sns-check-block-non-ssl
resource: sns
filters:
- type: has-statement
statements:
- Effect: Deny
Action: 'SNS:Publish'
Principal: '*'
Condition:
Bool:
"aws:SecureTransport": "false"
PartialMatch: 'Action'
properties:
statement_ids:
items:
type: string
type: array
statements:
items:
properties:
Action:
anyOf:
- type: string
- type: array
Condition:
type: object
Effect:
enum:
- Allow
- Deny
type: string
NotAction:
anyOf:
- type: string
- type: array
NotPrincipal:
anyOf:
- type: object
- type: array
NotResource:
anyOf:
- type: string
- type: array
PartialMatch:
anyOf:
- enum:
- Action
- NotAction
type: string
- items:
- enum:
- Action
- NotAction
type: string
type: array
Principal:
anyOf:
- type: string
- type: object
- type: array
Resource:
anyOf:
- type: string
- type: array
Sid:
type: string
required:
- Effect
type: object
type: array
type:
enum:
- has-statement
required:
- type
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
kms-key
Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’
- example:
Match a specific key alias:
policies: - name: dms-encrypt-key-check resource: dms-instance filters: - type: kms-key key: "c7n:AliasName" value: alias/aws/dms
Or match against native key attributes such as KeyManager, which
more explicitly distinguishes between AWS and CUSTOMER-managed
keys. The above policy can also be written as:
policies: - name: dms-aws-managed-key resource: dms-instance filters: - type: kms-key key: KeyManager value: AWS
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
operator:
enum:
- and
- or
type:
enum:
- kms-key
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey
source-ip
ValueFilter-based filter for verifying allowed source ips in an ElasticSearch domain’s access policy. Useful for checking to see if an ElasticSearch domain allows traffic from non approved IP addresses/CIDRs.
- example:
Find ElasticSearch domains that allow traffic from IP addresses not in the approved list (string matching)
Same as above but using cidr matching instead of string matching
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- source-ip
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - es:DescribeElasticsearchDomainConfig
Actions
delete
Parent base class for filters and actions.
properties:
type:
enum:
- delete
required:
- type
Permissions - es:DeleteElasticsearchDomain
enable-auditlog
Action to enable audit logs on a domain endpoint
- example:
policies:
- name: enable-auditlog
resource: elasticsearch
filters:
- type: value
key: 'LogPublishingOptions.AUDIT_LOGS.Enabled'
op: eq
value: false
actions:
- type: enable-auditlog
state: True
loggroup_prefix: "/aws/es/domains"
properties:
delay:
type: number
loggroup_prefix:
type: string
state:
type: boolean
type:
enum:
- enable-auditlog
required:
- state
- type
Permissions - es:UpdateElasticsearchDomainConfig, es:ListDomainNames, logs:DescribeLogGroups, logs:CreateLogGroup, logs:PutResourcePolicy
remove-matched-source-ips
Action to remove matched source ips from a Access Policy. This action needs to be used in conjunction with the source-ip filter. It can be used for removing non-approved IP addresses from the the access policy of a ElasticSearch domain.
- example:
policies:
- name: es-access-revoke
resource: elasticsearch
filters:
- type: source-ip
value_type: cidr
op: not-in
value_from:
url: s3://my-bucket/allowed_cidrs.csv
actions:
- type: remove-matched-source-ips
properties:
type:
enum:
- remove-matched-source-ips
required:
- type
Permissions - es:UpdateElasticsearchDomainConfig
remove-statements
Action to remove policy statements from elasticsearch
- example:
policies:
- name: elasticsearch-cross-account
resource: aws.elasticsearch
filters:
- type: cross-account
actions:
- type: remove-statements
statement_ids: matched
properties:
statement_ids:
oneOf:
- enum:
- matched
- '*'
- items:
type: string
type: array
type:
enum:
- remove-statements
required:
- statement_ids
- type
Permissions - es:DescribeElasticsearchDomainConfig, es:UpdateElasticsearchDomainConfig
update-tls-config
Action to update tls-config on a domain endpoint
- example:
policies:
- name: update-tls-config
resource: elasticsearch
filters:
- type: value
key: 'DomainEndpointOptions.TLSSecurityPolicy'
op: eq
value: "Policy-Min-TLS-1-0-2019-07"
actions:
- type: update-tls-config
value: "Policy-Min-TLS-1-2-2019-07"
properties:
type:
enum:
- update-tls-config
value:
enum:
- Policy-Min-TLS-1-0-2019-07
- Policy-Min-TLS-1-2-2019-07
- Policy-Min-TLS-1-2-PFS-2023-10
type: string
required:
- value
- type
Permissions - es:UpdateElasticsearchDomainConfig, es:ListDomainNames