aws.eni
Filters
flow-logs
Are flow logs enabled on the resource.
For example, to find all VPCs with flow logs disabled:
```yaml
policies:
  - name: flow-logs-enabled
    resource: vpc
    filters:
      - flow-logs
```
Or, to find all VPCs that have flow logs but do not match a particular configuration:
```yaml
policies:
  - name: flow-mis-configured
    resource: vpc
    filters:
      - not:
        - type: flow-logs
          enabled: true
          set-op: or
          op: equal
          # equality operator applies to following keys
          traffic-type: all
          status: active
          log-group: vpc-logs
```
```yaml
properties:
  deliver-status:
    enum:
      - success
      - failure
  destination:
    type: string
  destination-type:
    enum:
      - s3
      - cloud-watch-logs
  enabled:
    default: false
    type: boolean
  log-format:
    type: string
  log-group:
    type: string
  op:
    default: equal
    enum:
      - equal
      - not-equal
  set-op:
    default: or
    enum:
      - or
      - and
  status:
    enum:
      - active
  traffic-type:
    enum:
      - accept
      - reject
      - all
  type:
    enum:
      - flow-logs
required:
  - type
```
Permissions - ec2:DescribeFlowLogs
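To make the interaction of `enabled`, `op` and `set-op` concrete, here is an added Python sketch (not Cloud Custodian's own implementation) that evaluates the second example's filter over constructed DescribeFlowLogs-style records. The FLOW_LOGS data, the KEY_MAP attribute mapping and the case-insensitive comparison are assumptions made for the illustration.

```python
# Added illustration of the flow-logs filter's enabled / op / set-op semantics.
# Not Cloud Custodian's own code: an approximation of how the filter combines
# per-flow-log checks, run over constructed ec2:DescribeFlowLogs-style records.

# Constructed sample records; vpc-cccc3333 deliberately has no flow log at all.
FLOW_LOGS = [
    {"ResourceId": "vpc-aaaa1111", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE", "LogGroupName": "vpc-logs"},
    {"ResourceId": "vpc-bbbb2222", "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE", "LogGroupName": "vpc-logs"},
    {"ResourceId": "vpc-bbbb2222", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE", "LogGroupName": "other-logs"},
]

# Filter key -> attribute in the flow-log record (assumed mapping).
KEY_MAP = {"traffic-type": "TrafficType", "status": "FlowLogStatus", "log-group": "LogGroupName"}

# The filter from the page's second example, minus the surrounding `not:`.
MISCONFIGURED = {"enabled": True, "set-op": "or", "op": "equal",
                 "traffic-type": "all", "status": "active", "log-group": "vpc-logs"}


def flow_logs_match(vpc_id, flt, flow_logs=FLOW_LOGS):
    """True if the VPC satisfies the flow-logs filter dict `flt`."""
    enabled = flt.get("enabled", False)
    op = flt.get("op", "equal")
    set_op = flt.get("set-op", "or")
    logs = [fl for fl in flow_logs if fl["ResourceId"] == vpc_id]
    if not logs:
        return not enabled  # no flow logs at all: only `enabled: false` matches
    if not enabled:
        return False  # flow logs exist, so `enabled: false` cannot match
    per_log = []
    for fl in logs:
        checks = []
        for key, attr in KEY_MAP.items():
            if key in flt:  # compare case-insensitively (filter says all, AWS says ALL)
                same = str(fl.get(attr, "")).lower() == str(flt[key]).lower()
                checks.append(same if op == "equal" else not same)
        per_log.append(all(checks))  # one flow log passes only if every given key passes
    # set-op decides whether one passing flow log is enough or all must pass.
    return any(per_log) if set_op == "or" else all(per_log)


def misconfigured_vpcs(vpc_ids, flt=MISCONFIGURED):
    """Emulate the page's `not:` wrapper: VPCs that fail the configuration check."""
    return [v for v in vpc_ids if not flow_logs_match(v, flt)]
```

With `set-op: or`, a VPC with several flow logs passes as soon as one of them satisfies every listed key; with `set-op: and`, every flow log on the VPC must.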
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, as the previous version, or as a locked version (the latter requires the is-locked filter).
```yaml
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
```
Permissions - config:GetResourceConfigHistory
Actions
delete
Delete a network interface.
```yaml
policies:
  - name: mark-orphaned-enis
    comment: Flag abandoned Lambda VPC ENIs for deletion
    resource: eni
    filters:
      - Status: available
      - type: value
        op: glob
        key: Description
        value: "AWS Lambda VPC ENI*"
      - "tag:custodian_status": absent
    actions:
      - type: mark-for-op
        tag: custodian_status
        msg: "Orphaned Lambda VPC ENI: {op}@{action_date}"
        op: delete
        days: 1
  - name: delete-marked-enis
    comment: Delete flagged ENIs that have not been cleaned up naturally
    resource: eni
    filters:
      - type: marked-for-op
        tag: custodian_status
        op: delete
    actions:
      - type: delete
```
```yaml
properties:
  type:
    enum:
      - delete
required:
  - type
```
Permissions - ec2:DeleteNetworkInterface
set-flow-log
Create flow logs for a network resource.
```yaml
policies:
  - name: vpc-enable-flow-logs
    resource: vpc
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        DeliverLogsPermissionArn: arn:iam:role
        LogGroupName: /custodian/vpc/flowlogs/
```
```yaml
properties:
  DeliverLogsPermissionArn:
    type: string
  LogDestination:
    type: string
  LogDestinationType:
    enum:
      - s3
      - cloud-watch-logs
  LogFormat:
    type: string
  LogGroupName:
    type: string
  MaxAggregationInterval:
    type: integer
  TrafficType:
    enum:
      - ACCEPT
      - REJECT
      - ALL
    type: string
  state:
    type: boolean
  type:
    enum:
      - set-flow-log
```
Permissions - ec2:CreateFlowLogs, logs:CreateLogGroup