Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
    properties:
      selector:
        enum:
        - previous
        - date
        - locked
      selector_value:
        type: string
      type:
        enum:
        - json-diff
    required:
    - type
Permissions - config:GetResourceConfigHistory
Filter a resource by its associated KMS key and, optionally, by the alias name of that key using ‘c7n:AliasName’.
Match a specific key alias:
    policies:
      - name: dms-encrypt-key-check
        resource: dms-instance
        filters:
          - type: kms-key
            key: "c7n:AliasName"
            value: alias/aws/dms
Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS-managed and customer-managed keys. The above policy can also be written as:
    policies:
      - name: dms-aws-managed-key
        resource: dms-instance
        filters:
          - type: kms-key
            key: KeyManager
            value: AWS

    properties:
      default:
        type: object
      key:
        type: string
      match-resource:
        type: boolean
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
        - glob
        - regex
        - regex-case
        - in
        - ni
        - not-in
        - contains
        - difference
        - intersect
      operator:
        enum:
        - and
        - or
      type:
        enum:
        - kms-key
      value:
        oneOf:
        - type: array
        - type: string
        - type: boolean
        - type: number
        - type: 'null'
      value_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
            - type: integer
            - type: string
          format:
            enum:
            - csv
            - json
            - txt
            - csv2dict
          headers:
            patternProperties:
              ? ''
              : type: string
            type: object
          url:
            type: string
        required:
        - url
        type: object
      value_path:
        type: string
      value_regex:
        type: string
      value_type:
        enum:
        - age
        - integer
        - expiration
        - normalize
        - size
        - cidr
        - cidr_size
        - swap
        - resource_count
        - expr
        - unique_size
        - date
        - version
    required:
    - type
Permissions - kms:ListKeys, kms:DescribeKey
Delete a set of kinesis streams.
Additionally, if we’re configured with ‘force’, we will remove all existing consumers before deleting the stream itself. For ‘force’ to work, we would require the kinesis:DeregisterStreamConsumer permission as well.
    policies:
      - name: kinesis-stream-deletion
        resource: kinesis
        filters:
          - type: marked-for-op
            op: delete
        actions:
          - type: delete
            force: true

    properties:
      force:
        type: boolean
      type:
        enum:
        - delete
    required:
    - type
Permissions - kinesis:DeleteStream
Parent base class for filters and actions.
    properties:
      key:
        type: string
      type:
        enum:
        - encrypt
    required:
    - key
Permissions - kinesis:UpdateShardCount