aws.eni

Filters

flow-logs

Are flow logs enabled on the resource.

i.e. to find all VPCs with flow logs disabled we can do this

example:

policies:
  - name: flow-logs-enabled
    resource: vpc
    filters:
      - flow-logs

or to find all VPCs with flow logs that don't match a particular configuration.

example:

policies:
  - name: flow-mis-configured
    resource: vpc
    filters:
      - not:
        - type: flow-logs
          enabled: true
          set-op: or
          op: equal
          # equality operator applies to following keys
          traffic-type: all
          status: active
          log-group: vpc-logs

properties:
  deliver-status:
    enum:
    - success
    - failure
  destination:
    type: string
  destination-type:
    enum:
    - s3
    - cloud-watch-logs
  enabled:
    default: false
    type: boolean
  log-format:
    type: string
  log-group:
    type: string
  op:
    default: equal
    enum:
    - equal
    - not-equal
  set-op:
    default: or
    enum:
    - or
    - and
  status:
    enum:
    - active
  traffic-type:
    enum:
    - accept
    - reject
    - all
  type:
    enum:
    - flow-logs
required:
- type

Permissions - ec2:DescribeFlowLogs

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes AWS Config as a resource revision database.

Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

Actions

delete

Delete a network interface.

example:

policies:
  - name: mark-orphaned-enis
    comment: Flag abandoned Lambda VPC ENIs for deletion
    resource: eni
    filters:
      - Status: available
      - type: value
        op: glob
        key: Description
        value: "AWS Lambda VPC ENI*"
      - "tag:custodian_status": absent
    actions:
      - type: mark-for-op
        tag: custodian_status
        msg: "Orphaned Lambda VPC ENI: {op}@{action_date}"
        op: delete
        days: 1

  - name: delete-marked-enis
    comment: Delete flagged ENIs that have not been cleaned up naturally
    resource: eni
    filters:
      - type: marked-for-op
        tag: custodian_status
        op: delete
    actions:
      - type: delete

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - ec2:DeleteNetworkInterface

set-flow-log

Create flow logs for a network resource.

example:

policies:
  - name: vpc-enable-flow-logs
    resource: vpc
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        DeliverLogsPermissionArn: arn:iam:role
        LogGroupName: /custodian/vpc/flowlogs/

properties:
  DeliverLogsPermissionArn:
    type: string
  LogDestination:
    type: string
  LogDestinationType:
    enum:
    - s3
    - cloud-watch-logs
  LogFormat:
    type: string
  LogGroupName:
    type: string
  MaxAggregationInterval:
    type: integer
  TrafficType:
    enum:
    - ACCEPT
    - REJECT
    - ALL
    type: string
  state:
    type: boolean
  type:
    enum:
    - set-flow-log

Permissions - ec2:CreateFlowLogs, logs:CreateLogGroup
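An added example, not part of the reference above, that applies the flow-logs filter and the set-flow-log action at the ENI level: the first policy reports interfaces whose existing flow log does not meet a baseline (all traffic, delivered successfully to S3), using set-op: and so that every listed key must match; the second creates a flow log on interfaces that have none. The S3 bucket ARN is a placeholder.

```yaml
policies:
  # Detect: ENIs that have a flow log, but not one matching the baseline.
  # The inner flow-logs filter only matches when all three keys are equal
  # (set-op: and); wrapping it in not: selects the interfaces that fail it.
  - name: eni-flow-logs-below-baseline
    resource: eni
    filters:
      - type: flow-logs
        enabled: true
      - not:
        - type: flow-logs
          enabled: true
          set-op: and
          op: equal
          traffic-type: all
          destination-type: s3
          deliver-status: success

  # Remediate: ENIs with no flow log at all get one that captures all
  # traffic to the central bucket, aggregated every 60 seconds.
  - name: eni-enable-flow-logs
    resource: eni
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        LogDestinationType: s3
        LogDestination: arn:aws:s3:::PLACEHOLDER-flow-log-bucket  # placeholder, not a real bucket
        TrafficType: ALL
        MaxAggregationInterval: 60
```

The first policy has no actions, so a run only records the non-compliant interfaces in the policy output; a flow log with a failing deliver-status usually points at the delivery role or destination rather than the interface itself.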