aws.lambda¶
Filters¶
cross-account¶
Filters lambda functions with cross-account permissions
The whitelist parameter can be used to prevent certain accounts from being included in the results (essentially stating that these accounts permissions are allowed to exist)
This can be useful when combining this filter with the delete action.
- example
policies:
- name: lambda-cross-account
resource: lambda
filters:
- type: cross-account
whitelist:
- 'IAM-Policy-Cross-Account-Access'
properties:
actions:
items:
type: string
type: array
everyone_only:
type: boolean
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_conditions:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_orgids:
items:
type: string
type: array
whitelist_orgids_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_vpc:
items:
type: string
type: array
whitelist_vpc_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_vpce:
items:
type: string
type: array
whitelist_vpce_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
required:
- type
event-source¶
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- event-source
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
reserved-concurrency¶
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- reserved-concurrency
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Actions¶
delete¶
Delete a lambda function (including aliases and older versions).
- example
policies:
- name: lambda-delete-dotnet-functions
resource: lambda
filters:
- Runtime: dotnetcore1.0
actions:
- delete
properties:
type:
enum:
- delete
required:
- type
remove-statements¶
Action to remove policy/permission statements from lambda functions.
- example
policies:
- name: lambda-remove-cross-accounts
resource: lambda
filters:
- type: cross-account
actions:
- type: remove-statements
statement_ids: matched
properties:
statement_ids:
oneOf:
- enum:
- matched
- items:
type: string
type: array
type:
enum:
- remove-statements
required:
- statement_ids
- type
set-concurrency¶
Set lambda function concurrency to the desired level.
Can be used to set the reserved function concurrency to an exact value, to delete reserved concurrency, or to set the value to an attribute of the resource.
properties:
expr:
type: boolean
type:
enum:
- set-concurrency
value:
oneOf:
- type: string
- type: integer
- type: 'null'
required:
- value