aws.lambda

Filters

cross-account

Filters lambda functions with cross-account permissions

The whitelist parameter can be used to prevent certain accounts from being included in the results (essentially stating that these accounts' permissions are allowed to exist).

This can be useful when combining this filter with the delete action.

example:

policies:
  - name: lambda-cross-account
    resource: lambda
    filters:
      - type: cross-account
        whitelist:
          - 'IAM-Policy-Cross-Account-Access'

Permissions - lambda:GetPolicy

event-source

Permissions - lambda:GetPolicy

has-specific-managed-policy

Filter a lambda function whose IAM execution role has a specific managed IAM policy attached.

example:

policies:
  - name: lambda-has-admin-policy
    resource: aws.lambda
    filters:
      - type: has-specific-managed-policy
        value: admin-policy

Permissions - iam:ListAttachedRolePolicies

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

Permissions - config:GetResourceConfigHistory

kms-key

Filter a resource by its associated KMS key and, optionally, by the alias name of the KMS key using the ‘c7n:AliasName’ key.

example:

Match a specific key alias:

policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS and CUSTOMER-managed keys. The above policy can also be written as:

policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS

Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey

lambda-edge

Filter for Lambda@Edge functions. Lambda@Edge only exists in us-east-1.

example:

policies:
    - name: lambda-edge-filter
      resource: lambda
      region: us-east-1
      filters:
        - type: lambda-edge
          state: True

Permissions - cloudfront:ListDistributions

reserved-concurrency

Permissions - lambda:GetFunction

url-config

Permissions - lambda:GetFunctionUrlConfig

Actions

delete

Delete a lambda function (including aliases and older versions).

example:

policies:
  - name: lambda-delete-dotnet-functions
    resource: lambda
    filters:
      - Runtime: dotnetcore1.0
    actions:
      - delete

Permissions - lambda:DeleteFunction

remove-statements

Action to remove policy/permission statements from lambda functions.

example:

policies:
  - name: lambda-remove-cross-accounts
    resource: lambda
    filters:
      - type: cross-account
    actions:
      - type: remove-statements
        statement_ids: matched

Permissions - lambda:GetPolicy, lambda:RemovePermission
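The cross-account filter (with its whitelist) and the remove-statements action with `statement_ids: matched` operate on the same Lambda resource-based policy document, so one added example covers both. This is example code written for this page, not Cloud Custodian's own implementation: it assumes whitelist entries are account ids (as the filter description states), treats service principals as not cross-account, and uses constructed account ids, ARNs, Sids and policy document as sample data.

```python
# Added example (not Cloud Custodian's own code): model the cross-account
# filter with a whitelist and the remove-statements action with
# `statement_ids: matched`, applied to a Lambda resource-based policy.
# Account ids, ARNs, Sids and the policy document are constructed sample
# values; whitelist entries are account ids, as in the filter description.
import json

OWN_ACCOUNT = "111111111111"  # constructed: account that owns the function
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111111111111:function:demo"


def _stmt(sid, principal):
    """Build one Allow statement for lambda:InvokeFunction (sample data)."""
    return {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}


# Constructed sample of what lambda:GetPolicy returns for the function.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    _stmt("SameAccountInvoke", {"AWS": "arn:aws:iam::111111111111:root"}),
    _stmt("TrustedPartnerInvoke", {"AWS": "arn:aws:iam::222222222222:root"}),
    _stmt("UnknownRoleInvoke", {"AWS": "arn:aws:iam::333333333333:role/partner"}),
    _stmt("PublicInvoke", "*"),
    _stmt("ApiGatewayInvoke", {"Service": "apigateway.amazonaws.com"}),
]})


def principal_accounts(principal):
    """Return the account ids (or '*') named by a statement Principal.
    Service principals carry no account id and are not treated as
    cross-account in this example (a simplification)."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    accounts = set()
    for value in values:
        if value == "*":
            accounts.add("*")
        elif value.isdigit():           # bare account id
            accounts.add(value)
        elif value.startswith("arn:"):  # arn:partition:iam::ACCOUNT:...
            accounts.add(value.split(":")[4])
    return accounts


def cross_account_statements(policy_json, own_account, whitelist=()):
    """Allow statements whose principals include an account other than
    own_account, skipping statements whose foreign accounts are all
    whitelisted. A wildcard principal is never whitelisted."""
    matched = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        foreign = principal_accounts(stmt.get("Principal", {})) - {own_account}
        if foreign and not foreign <= set(whitelist):
            matched.append(stmt)
    return matched


def statement_ids(policy_json):
    """Sids of all statements in a policy document, in order."""
    return [s.get("Sid") for s in json.loads(policy_json).get("Statement", [])]


def remove_statements(policy_json, sids):
    """Return the policy with the named statements removed; this is what
    `statement_ids: matched` does with the filter's matches."""
    policy = json.loads(policy_json)
    policy["Statement"] = [s for s in policy["Statement"] if s.get("Sid") not in sids]
    return json.dumps(policy)


def remediate(policy_json, own_account, whitelist=()):
    """Filter, then act: drop every cross-account statement not whitelisted."""
    matched = [s["Sid"] for s in cross_account_statements(policy_json, own_account, whitelist)]
    return remove_statements(policy_json, matched)


if __name__ == "__main__":
    for s in cross_account_statements(SAMPLE_POLICY, OWN_ACCOUNT, ["222222222222"]):
        print("cross-account:", s["Sid"], s["Principal"])
    print("remaining:", statement_ids(remediate(SAMPLE_POLICY, OWN_ACCOUNT, ["222222222222"])))
```

Run as-is it reports the two non-whitelisted grants (the foreign role and the wildcard principal) and shows the policy that would remain after remediation; the whitelisted partner account's statement and the same-account and service-principal statements survive.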

rename-tag

Rename an existing tag key to a new value.

example:

Rename Application and Bap to App. If a resource has both of the old keys, the value specified by Application is used, because old_keys are consulted in the order given.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App

Permissions - tag:TagResources, tag:UntagResources
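The precedence rule above (first old key in `old_keys` order wins when several are present) is easy to get wrong, so here is an added example, not Cloud Custodian's own code, that computes the resulting tag set for a resource. The tag values are constructed sample data.

```python
# Added example (not Cloud Custodian's own code): compute the tags that the
# rename-tag action described above would leave on a resource, including
# the precedence rule when more than one old key is present. Tag values
# below are constructed sample data.


def rename_tag(tags, old_keys, new_key):
    """Return (new_tags, removed_keys).

    The first key in `old_keys` order that exists on the resource supplies
    the value written under `new_key`; every old key that exists is
    removed. If none of the old keys is present the tags are unchanged.
    """
    tags = dict(tags)  # do not mutate the caller's mapping
    removed = [k for k in old_keys if k in tags]
    if not removed:
        return tags, removed
    chosen = tags[removed[0]]  # removed preserves old_keys order
    for key in removed:
        del tags[key]
    tags[new_key] = chosen
    return tags, removed


if __name__ == "__main__":
    sample = {"Application": "billing", "Bap": "legacy-billing", "Env": "prod"}
    print(rename_tag(sample, ["Application", "Bap"], "App"))
```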

set-concurrency

Set lambda function concurrency to the desired level.

Can be used to set the reserved function concurrency to an exact value, to delete reserved concurrency, or to set the value to an attribute of the resource.

Permissions - lambda:DeleteFunctionConcurrency, lambda:PutFunctionConcurrency

set-xray-tracing

This action enables X-Ray tracing by setting the function's tracing mode to Active.

example:

actions:
  - type: set-xray-tracing

Permissions - lambda:UpdateFunctionConfiguration

trim-versions

Delete old versions of a function.

By default this will only remove non-$LATEST versions of a function that are not referenced by an alias. Optionally it can delete only versions older than a given age.

example:

policies:
  - name: lambda-gc
    resource: aws.lambda
    actions:
      - type: trim-versions
        exclude-aliases: true  # default true
        older-than: 60 # default not-set
        retain-latest: true # default false

retain-latest controls whether the latest numeric version is retained. The $LATEST alias still points to the last revision even without this set, so the option is safe with respect to function availability; it is about retaining an explicit version of the current code rather than only the $LATEST alias pointer, which is updated automatically.

Permissions - lambda:ListAliases, lambda:ListVersionsByFunction, lambda:DeleteFunction
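To make the interaction of exclude-aliases, older-than and retain-latest concrete, here is an added example (not Cloud Custodian's own code) that selects the numbered versions to delete from constructed samples of lambda:ListVersionsByFunction and lambda:ListAliases output. The version numbers, dates, alias names and the fixed "now" are constructed sample data.

```python
# Added example (not Cloud Custodian's own code): choose which numbered
# versions the trim-versions action described above would delete, given
# the function's versions and aliases. Versions, timestamps and alias
# names are constructed sample values; NOW is pinned for reproducibility.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today"
_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # LastModified format used by the sample


def _days_ago(days):
    return (NOW - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S.000+0000")


# Constructed sample of lambda:ListVersionsByFunction output.
SAMPLE_VERSIONS = [
    {"Version": "$LATEST", "LastModified": _days_ago(0)},
    {"Version": "1", "LastModified": _days_ago(200)},
    {"Version": "2", "LastModified": _days_ago(120)},
    {"Version": "3", "LastModified": _days_ago(30)},
    {"Version": "4", "LastModified": _days_ago(10)},
]

# Constructed sample of lambda:ListAliases output.
SAMPLE_ALIASES = [
    {"Name": "prod", "FunctionVersion": "2"},
    {"Name": "staging", "FunctionVersion": "4"},
]


def versions_to_trim(versions, aliases, exclude_aliases=True,
                     older_than=None, retain_latest=False, now=NOW):
    """Return the numbered versions to delete, in the order listed.

    $LATEST is never a candidate. exclude_aliases keeps any version an
    alias points at; older_than (days) keeps versions modified more
    recently than that; retain_latest keeps the highest numbered version.
    """
    referenced = {a["FunctionVersion"] for a in aliases} if exclude_aliases else set()
    numbered = [v for v in versions if v["Version"] != "$LATEST"]
    newest = max((int(v["Version"]) for v in numbered), default=None)
    doomed = []
    for v in numbered:
        if v["Version"] in referenced:
            continue
        if retain_latest and int(v["Version"]) == newest:
            continue
        if older_than is not None:
            modified = datetime.strptime(v["LastModified"], _TS)
            if now - modified < timedelta(days=older_than):
                continue
        doomed.append(v["Version"])
    return doomed


if __name__ == "__main__":
    print("defaults:", versions_to_trim(SAMPLE_VERSIONS, SAMPLE_ALIASES))
    print("older-than 60:", versions_to_trim(SAMPLE_VERSIONS, SAMPLE_ALIASES, older_than=60))
    print("no alias protection, retain-latest:",
          versions_to_trim(SAMPLE_VERSIONS, SAMPLE_ALIASES,
                           exclude_aliases=False, retain_latest=True))
```

With the defaults, versions 1 and 3 go while the aliased 2 and 4 stay; adding older-than: 60 spares the 30-day-old version 3; turning alias protection off but setting retain-latest keeps only version 4, which shows why the default exclude-aliases matters for anything an alias still serves.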

update

Update a lambda’s configuration.

This action also has specific support for enacting recommendations from the AWS Cost Optimization Hub for resizing.

example:

policies:
  - name: lambda-rightsize
    resource: aws.lambda
    filters:
      - type: cost-optimization
        attrs:
          - actionType: Rightsize
    actions:
      - update

Permissions - lambda:UpdateFunctionConfiguration