aws.lambda¶
Filters¶
cross-account¶
Filters lambda functions with cross-account permissions
The whitelist parameter can be used to prevent certain accounts from being included in the results (essentially stating that these accounts permissions are allowed to exist)
This can be useful when combining this filter with the delete action.
- example
policies:
- name: lambda-cross-account
resource: lambda
filters:
- type: cross-account
whitelist:
- 'IAM-Policy-Cross-Account-Access'
properties:
actions:
items:
type: string
type: array
everyone_only:
type: boolean
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_conditions:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_orgids:
items:
type: string
type: array
whitelist_orgids_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_vpc:
items:
type: string
type: array
whitelist_vpc_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_vpce:
items:
type: string
type: array
whitelist_vpce_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
required:
- type
Permissions - lambda:GetPolicy
event-source¶
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- event-source
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - lambda:GetPolicy
json-diff¶
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
kms-key¶
Filter a resource by its associcated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’
- example
policies: - name: lambda-kms-key-filters resource: aws.lambda filters: - type: kms-key key: c7n:AliasName value: "^(alias/aws/lambda)" op: regex
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
operator:
enum:
- and
- or
type:
enum:
- kms-key
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - kms:ListKeys, kms:DescribeKey
reserved-concurrency¶
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- reserved-concurrency
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - lambda:GetFunction
Actions¶
delete¶
Delete a lambda function (including aliases and older versions).
- example
policies:
- name: lambda-delete-dotnet-functions
resource: lambda
filters:
- Runtime: dotnetcore1.0
actions:
- delete
properties:
type:
enum:
- delete
required:
- type
Permissions - lambda:DeleteFunction
remove-statements¶
Action to remove policy/permission statements from lambda functions.
- example
policies:
- name: lambda-remove-cross-accounts
resource: lambda
filters:
- type: cross-account
actions:
- type: remove-statements
statement_ids: matched
properties:
statement_ids:
oneOf:
- enum:
- matched
- items:
type: string
type: array
type:
enum:
- remove-statements
required:
- statement_ids
- type
Permissions - lambda:GetPolicy, lambda:RemovePermission
set-concurrency¶
Set lambda function concurrency to the desired level.
Can be used to set the reserved function concurrency to an exact value, to delete reserved concurrency, or to set the value to an attribute of the resource.
properties:
expr:
type: boolean
type:
enum:
- set-concurrency
value:
oneOf:
- type: string
- type: integer
- type: 'null'
required:
- value
Permissions - lambda:DeleteFunctionConcurrency, lambda:PutFunctionConcurrency