aws.event-rule

Filters

event-rule-target

Filter event rules by their targets

example:

policies:
    - name: find-event-rules-with-no-targets
      resource: aws.event-rule
      filters:
        - type: event-rule-target
          key: Arn
          value: absent
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - event-rule-target
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - events:ListTargetsByRule

invalid-targets

Filter event rules for invalid targets, Use the all option to find any event rules that have all invalid targets, otherwise defaults to filtering any event rule with at least one invalid target.

example:

policies:
    - name: find-event-rules-with-invalid-targets
      resource: aws.event-rule
      filters:
        - type: invalid-targets
          all: true # defaults to false
properties:
  all:
    default: false
    type: boolean
  type:
    enum:
    - invalid-targets
required:
- type

Permissions - events:ListTargetsByRule

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

Actions

delete

Delete an event rule, force target removal with the force option

example:

policies:
    - name: force-delete-rules
      resource: aws.event-rule
      filters:
        - Name: my-event-rule
      actions:
        - type: delete
          force: true
properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - events:DeleteRule, events:RemoveTargets, events:ListTargetsByRule

rename-tag

Rename an existing tag key to a new value.

example:

rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

set-rule-state

This action allows to enable/disable a rule

example:

policies:
    - name: test-rule
      resource: aws.event-rule
      filters:
        - Name: my-event-rule
      actions:
        - type: set-rule-state
          enabled: true
properties:
  enabled:
    default: true
    type: boolean
  type:
    enum:
    - set-rule-state
required:
- type

Permissions - events:EnableRule, events:DisableRule