aws.eni

Filters

• config-compliance

• event

• finding

• flow-logs

• json-diff

• list-item

• marked-for-op

• network-location

• ops-item

• reduce

• security-group

• subnet

• tag-count

• value

• vpc

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

Actions

• auto-tag-user

• copy-related-tag

• delete

• detach

• invoke-lambda

• invoke-sfn

• mark-for-op

• modify-security-groups

• normalize-tag

• notify

• post-finding

• post-item

• put-metric

• remove-tag

• rename-tag

• set-flow-log

• tag

• tag-trim

• webhook

delete

Delete a network interface.

example:

policies:
  - name: mark-orphaned-enis
    comment: Flag abandoned Lambda VPC ENIs for deletion
    resource: eni
    filters:
      - Status: available
      - type: value
        op: glob
        key: Description
        value: "AWS Lambda VPC ENI*"
      - "tag:custodian_status": absent
    actions:
      - type: mark-for-op
        tag: custodian_status
        msg: "Orphaned Lambda VPC ENI: {op}@{action_date}"
        op: delete
        days: 1

  - name: delete-marked-enis
    comment: Delete flagged ENIs that have not been cleaned up naturally
    resource: eni
    filters:
      - type: marked-for-op
        tag: custodian_status
        op: delete
    actions:
      - type: delete

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - ec2:DeleteNetworkInterface

detach

Detach a network interface from an EC2 instance.

example:

policies:
  - name: detach-enis
    comment: Detach ENIs attached to EC2 with public IP addresses
    resource: eni
    filters:
      - type: value
        key: Attachment.InstanceId
        value: present
      - type: value
        key: Association.PublicIp
        value: present
    actions:
      - type: detach

properties:
  type:
    enum:
    - detach
required:
- type

Permissions - ec2:DetachNetworkInterface

set-flow-log

Set flow logs for a network resource

example:

policies:
  - name: vpc-enable-flow-logs
    resource: vpc
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        attrs:
          DeliverLogsPermissionArn: arn:iam:role
          LogGroupName: /custodian/vpc/flowlogs/

attrs are passed through to create_flow_log and are per the api documentation

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2/client/create_flow_logs.html

properties:
  DeliverLogsPermissionArn:
    type: string
  LogDestination:
    type: string
  LogDestinationType:
    enum:
    - s3
    - cloud-watch-logs
  LogFormat:
    type: string
  LogGroupName:
    type: string
  MaxAggregationInterval:
    type: integer
  TrafficType:
    enum:
    - ACCEPT
    - REJECT
    - ALL
    type: string
  attrs:
    type: object
  state:
    type: boolean
  type:
    enum:
    - set-flow-log
required:
- type

Permissions - ec2:CreateFlowLogs, logs:CreateLogGroup