aws.lambda

Filters

cross-account

Filters lambda functions with cross-account permissions

The whitelist parameter can be used to prevent certain accounts from being included in the results (essentially stating that these accounts permissions are allowed to exist)

This can be useful when combining this filter with the delete action.

example

policies:
  - name: lambda-cross-account
    resource: lambda
    filters:
      - type: cross-account
        whitelist:
          - 'IAM-Policy-Cross-Account-Access'
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from: &id001
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from: *id001
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from: *id001
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from: *id001
required:
- type

event-source

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - event-source
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type

reserved-concurrency

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - reserved-concurrency
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type

Actions

delete

Delete a lambda function (including aliases and older versions).

example

policies:
  - name: lambda-delete-dotnet-functions
    resource: lambda
    filters:
      - Runtime: dotnetcore1.0
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type

remove-statements

Action to remove policy/permission statements from lambda functions.

example

policies:
  - name: lambda-remove-cross-accounts
    resource: lambda
    filters:
      - type: cross-account
    actions:
      - type: remove-statements
        statement_ids: matched
properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

set-concurrency

Set lambda function concurrency to the desired level.

Can be used to set the reserved function concurrency to an exact value, to delete reserved concurrency, or to set the value to an attribute of the resource.

properties:
  expr:
    type: boolean
  type:
    enum:
    - set-concurrency
  value:
    oneOf:
    - type: string
    - type: integer
    - type: 'null'
required:
- value