aws.log-group

Filters

cross-account

Check a resource’s embedded iam policy for cross account access.

properties:
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - logs:DescribeSubscriptionFilters

kms-key

Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

example:

Match a specific key alias:

policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS and CUSTOMER-managed keys. The above policy can also be written as:

policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS
properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - kms:ListKeys, kms:DescribeKey

last-write

Filters CloudWatch log groups by last write

example:

policies:
  - name: cloudwatch-stale-groups
    resource: log-group
    filters:
      - type: last-write
        days: 60
properties:
  days:
    type: number
  type:
    enum:
    - last-write
required:
- type

Permissions - logs:DescribeLogStreams

Actions

delete

example:

policies:
  - name: cloudwatch-delete-stale-log-group
    resource: log-group
    filters:
      - type: last-write
        days: 182.5
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type

Permissions - logs:DeleteLogGroup

put-subscription-filter

Create/Update a subscription filter and associate with a log group

example:

policies:
  - name: cloudwatch-put-subscription-filter
    resource: log-group
    actions:
      - type: put-subscription-filter
        filter_name: AllLambda
        filter_pattern: ip
        destination_arn: arn:aws:logs:us-east-1:1234567890:destination:lambda
        distribution: Random
        role_arn: "arn:aws:iam::{account_id}:role/testCrossAccountRole"
properties:
  destination_arn:
    type: string
  distribution:
    enum:
    - Random
    - ByLogStream
  filter_name:
    type: string
  filter_pattern:
    type: string
  role_arn:
    type: string
  type:
    enum:
    - put-subscription-filter
required:
- filter_name
- destination_arn
- type

Permissions - logs:PutSubscriptionFilter

rename-tag

Rename an existing tag key to a new value.

example:

rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

retention

Action to set the retention period (in days) for CloudWatch log groups

example:

policies:
  - name: cloudwatch-set-log-group-retention
    resource: log-group
    actions:
      - type: retention
        days: 200
properties:
  days:
    type: integer
  type:
    enum:
    - retention
required:
- type

Permissions - logs:PutRetentionPolicy

set-encryption

Encrypt/Decrypt a log group

example:

policies:
  - name: encrypt-log-group
    resource: log-group
    filters:
      - kmsKeyId: absent
    actions:
      - type: set-encryption
        kms-key: alias/mylogkey
        state: True

  - name: decrypt-log-group
    resource: log-group
    filters:
      - kmsKeyId: kms:key:arn
    actions:
      - type: set-encryption
        state: False
properties:
  kms-key:
    type: string
  state:
    type: boolean
  type:
    enum:
    - set-encryption
required:
- type

Permissions - logs:AssociateKmsKey, logs:DisassociateKmsKey, kms:DescribeKey