aws.glue-catalog

Filters

cross-account

Filter glue catalog if it has cross account permissions

example:

policies:
  - name: catalog-cross-account
    resource: aws.glue-catalog
    filters:
      - type: cross-account
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - glue:GetResourcePolicy

glue-security-config

Filter glue catalog by its glue encryption status and KMS key

example:

policies:
  - name: glue-catalog-security-config
    resource: aws.glue-catalog
    filters:
      - type: glue-security-config
        SseAwsKmsKeyId: alias/aws/glue
properties:
  AwsKmsKeyId:
    type: string
  CatalogEncryptionMode:
    enum:
    - DISABLED
    - SSE-KMS
  ReturnConnectionPasswordEncrypted:
    type: boolean
  SseAwsKmsKeyId:
    type: string
  type:
    enum:
    - glue-security-config

Permissions - glue:GetDataCatalogEncryptionSettings

kms-key

Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

example:

Match a specific key alias:

policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS and CUSTOMER-managed keys. The above policy can also be written as:

policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS
properties:
  default:
    type: object
  key:
    type: string
  key-type:
    enum:
    - EncryptionAtRest
    - ConnectionPasswordEncryption
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- key-type
- type

Permissions - glue:GetDataCatalogEncryptionSettings

Actions

remove-statements

Action to remove policy statements from Glue Data Catalog

example:

policies:
   - name: remove-glue-catalog-cross-account
     resource: aws.glue-catalog
     filters:
       - type: cross-account
     actions:
       - type: remove-statements
         statement_ids: matched
properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
      - '*'
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

Permissions - glue:PutResourcePolicy

set-encryption

Modifies glue data catalog encryption based on specified parameter As per docs, we can enable catalog encryption or only password encryption, not both

example:

policies:
  - name: data-catalog-encryption
    resource: glue-catalog
    filters:
      - type: value
        key: DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode
        value: DISABLED
        op: eq
    actions:
      - type: set-encryption
        attributes:
          EncryptionAtRest:
            CatalogEncryptionMode: SSE-KMS
            SseAwsKmsKeyId: alias/aws/glue
properties:
  attributes:
    additionalProperties: false
    properties:
      ConnectionPasswordEncryption:
        additionalProperties: false
        properties:
          AwsKmsKeyId:
            type: string
          ReturnConnectionPasswordEncrypted:
            type: boolean
        required:
        - ReturnConnectionPasswordEncrypted
        type: object
      EncryptionAtRest:
        additionalProperties: false
        properties:
          CatalogEncryptionMode:
            enum:
            - DISABLED
            - SSE-KMS
          SseAwsKmsKeyId:
            type: string
        required:
        - CatalogEncryptionMode
        type: object
    type: object
  type:
    enum:
    - set-encryption
required:
- attributes
- type

Permissions - glue:PutDataCatalogEncryptionSettings