aws.lambda-layer

Note that custodian models the lambda layer version.

Layers end up being a logical asset; the physical asset for use and management is the layer version.

To ease that distinction, we support querying just the latest layer version or having a policy against all layer versions.

By default we query all versions; the following is an example that queries just the latest.

policies:
  - name: lambda-layer
    resource: aws.lambda-layer
    query:
      - version: latest

Filters

cross-account

Check a resource's embedded IAM policy for cross-account access.

Supports a whitelist_patterns option to skip principals whose identifier matches any of the provided fnmatch patterns. This is useful for ignoring unique identifiers left behind by deleted IAM principals (e.g. AIDA* for deleted IAM users, AROA* for deleted IAM roles) which AWS substitutes into resource policies when the original principal is removed. See IAM unique identifiers for the full list of prefixes.

- type: cross-account
  whitelist_patterns:
    - "AIDA*"
    - "AROA*"
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  return_allowed:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_patterns:
    items:
      type: string
    type: array
  whitelist_patterns_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - lambda:GetLayerVersionPolicy
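To make the whitelist_patterns behaviour described above concrete, here is an added, simplified re-implementation of the filter's principal check (illustrative code written for this page, not Cloud Custodian's own implementation). It runs over a constructed layer-version policy of the shape lambda:GetLayerVersionPolicy returns; all account ids, Sids and the AIDA identifier are made up, and the whitelist is assumed to hold bare 12-digit account ids.

```python
import json
from fnmatch import fnmatch

# Constructed sample of the JSON found in GetLayerVersionPolicy's "Policy" field
# for one layer version owned by 111111111111 (every id below is made up).
OWN_ACCOUNT = "111111111111"
LAYER_ARN = "arn:aws:lambda:us-east-1:111111111111:layer:shared:3"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "same-account", "Effect": "Allow", "Action": "lambda:GetLayerVersion",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Resource": LAYER_ARN},
    {"Sid": "partner", "Effect": "Allow", "Action": "lambda:GetLayerVersion",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Resource": LAYER_ARN},
    # A deleted IAM user: AWS replaced its ARN with the bare unique id.
    {"Sid": "stale-user", "Effect": "Allow", "Action": "lambda:GetLayerVersion",
     "Principal": {"AWS": "AIDAEXAMPLEDELETEDUSER"}, "Resource": LAYER_ARN},
    {"Sid": "public", "Effect": "Allow", "Action": "lambda:GetLayerVersion",
     "Principal": "*", "Resource": LAYER_ARN},
]})


def principals(stmt):
    """Flatten a statement's Principal element into a list of identifier strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def _is_foreign(ident, own_account, whitelist, whitelist_patterns, everyone_only):
    """True if one principal identifier grants access outside own_account."""
    if ident == "*":
        return True
    if everyone_only:          # only the anonymous principal counts
        return False
    # "arn:aws:iam::<account>:root" -> account id; a bare AIDA*/AROA* id stays as-is
    account = ident.split(":")[4] if ident.startswith("arn:") else ident
    if account == own_account or account in whitelist:
        return False
    return not any(fnmatch(ident, pat) for pat in whitelist_patterns)


def cross_account_statements(policy_json, own_account, whitelist=(),
                             whitelist_patterns=(), everyone_only=False):
    """Sids of Allow statements that grant access outside own_account (simplified)."""
    return [s["Sid"] for s in json.loads(policy_json).get("Statement", [])
            if s.get("Effect") == "Allow"
            and any(_is_foreign(p, own_account, whitelist, whitelist_patterns, everyone_only)
                    for p in principals(s))]
```

Without patterns the stale AIDA principal is reported alongside the real cross-account grants; with whitelist_patterns of AIDA* and AROA* only the partner account and the public statement remain.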

Actions

delete

Delete the lambda layer version.

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - lambda:DeleteLayerVersion

remove-statements

Remove statements from the layer version's resource policy. Use statement_ids: matched to remove the statements flagged by a preceding cross-account filter, or give an explicit list of statement ids.

properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

Permissions - lambda:GetLayerVersionPolicy, lambda:RemoveLayerVersionPermission