aws.glue-catalog

Filters

cross-account
Filter the Glue Data Catalog when its resource policy grants cross-account permissions.
- example:

  policies:
    - name: catalog-cross-account
      resource: aws.glue-catalog
      filters:
        - type: cross-account

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - glue:GetResourcePolicy
glue-security-config

Filter the Glue Data Catalog by its catalog encryption status and KMS key.

- example:

  policies:
    - name: glue-catalog-security-config
      resource: aws.glue-catalog
      filters:
        - type: glue-security-config
          SseAwsKmsKeyId: alias/aws/glue

properties:
  AwsKmsKeyId:
    type: string
  CatalogEncryptionMode:
    enum:
    - DISABLED
    - SSE-KMS
  ReturnConnectionPasswordEncrypted:
    type: boolean
  SseAwsKmsKeyId:
    type: string
  type:
    enum:
    - glue-security-config

Permissions - glue:GetDataCatalogEncryptionSettings
kms-key

Filter a resource by its associated KMS key and, optionally, by the alias name of the KMS key using 'c7n:AliasName'.

- example:

  Match a specific key alias:

  policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

  Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS-managed and CUSTOMER-managed keys. The above policy can also be written as:

  policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS

  For aws.glue-catalog the filter additionally requires key-type (EncryptionAtRest or ConnectionPasswordEncryption), as listed under required in the schema.

properties:
  default:
    type: object
  key:
    type: string
  key-type:
    enum:
    - EncryptionAtRest
    - ConnectionPasswordEncryption
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- key-type
- type

Permissions - glue:GetDataCatalogEncryptionSettings
Actions

remove-statements

Action to remove policy statements from the Glue Data Catalog resource policy.

- example:

  policies:
    - name: remove-glue-catalog-cross-account
      resource: aws.glue-catalog
      filters:
        - type: cross-account
      actions:
        - type: remove-statements
          statement_ids: matched

properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
      - '*'
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

Permissions - glue:PutResourcePolicy
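As an added illustration (not Cloud Custodian's own implementation), the following Python models what the cross-account filter and the remove-statements action above do to a Glue Data Catalog resource policy: it flags Allow statements whose principal falls outside the catalog's own account, the whitelist, or a whitelisted aws:PrincipalOrgID condition, and then drops the matched Sids. The policy document, account IDs and org ID are constructed placeholders.

```python
import json
import re

# Constructed sample Glue Data Catalog resource policy; the account IDs and
# org ID are placeholders, not real identifiers.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "SameAccount", "Effect": "Allow", "Action": "glue:GetDatabase",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Resource": "*"},
    {"Sid": "TrustedPartner", "Effect": "Allow", "Action": ["glue:GetTable"],
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]}, "Resource": "*"},
    {"Sid": "OrgScoped", "Effect": "Allow", "Action": "glue:GetDatabases",
     "Principal": {"AWS": "*"}, "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "Public", "Effect": "Allow", "Action": "glue:*",
     "Principal": "*", "Resource": "*"},
]})

# Extracts the 12-digit account ID from a bare ID or an IAM principal ARN.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")

def cross_account_sids(policy_json, own_account, whitelist=(),
                       whitelist_orgids=(), everyone_only=False):
    """Sids of Allow statements granting access outside own_account and the
    whitelist. Simplified model of the filter: a whitelisted aws:PrincipalOrgID
    condition makes a statement trusted; everyone_only flags only '*'."""
    trusted = {own_account, *whitelist}
    matched = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:PrincipalOrgID") in whitelist_orgids:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            m = ACCOUNT_RE.match(p)
            account = m.group(1) if m else p
            if everyone_only and account != "*":
                continue
            if account not in trusted:
                matched.append(stmt["Sid"])
                break
    return matched

def remove_statements(policy_json, sids):
    """Equivalent of the remove-statements action with statement_ids: matched."""
    doc = json.loads(policy_json)
    doc["Statement"] = [s for s in doc["Statement"] if s.get("Sid") not in set(sids)]
    return json.dumps(doc)
```

Running `cross_account_sids` on the output of `remove_statements` with the same whitelists returns an empty list, which is the state the policy above leaves the catalog in.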
set-encryption

Modifies Glue Data Catalog encryption based on the specified parameters. As per the docs, we can enable catalog encryption or only password encryption, not both.

- example:

  policies:
    - name: data-catalog-encryption
      resource: glue-catalog
      filters:
        - type: value
          key: DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode
          value: DISABLED
          op: eq
      actions:
        - type: set-encryption
          attributes:
            EncryptionAtRest:
              CatalogEncryptionMode: SSE-KMS
              SseAwsKmsKeyId: alias/aws/glue

properties:
  attributes:
    additionalProperties: false
    properties:
      ConnectionPasswordEncryption:
        additionalProperties: false
        properties:
          AwsKmsKeyId:
            type: string
          ReturnConnectionPasswordEncrypted:
            type: boolean
        required:
        - ReturnConnectionPasswordEncrypted
        type: object
      EncryptionAtRest:
        additionalProperties: false
        properties:
          CatalogEncryptionMode:
            enum:
            - DISABLED
            - SSE-KMS
          SseAwsKmsKeyId:
            type: string
        required:
        - CatalogEncryptionMode
        type: object
    type: object
  type:
    enum:
    - set-encryption
required:
- attributes
- type

Permissions - glue:PutDataCatalogEncryptionSettings