aws.log-group
Filters
cross-account
Check a resource’s embedded iam policy for cross account access.
properties:
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
required:
- type
Permissions - logs:DescribeSubscriptionFilters
kms-key
Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’
- example:
Match a specific key alias:
policies: - name: dms-encrypt-key-check resource: dms-instance filters: - type: kms-key key: "c7n:AliasName" value: alias/aws/dms
Or match against native key attributes such as KeyManager, which
more explicitly distinguishes between AWS and CUSTOMER-managed
keys. The above policy can also be written as:
policies: - name: dms-aws-managed-key resource: dms-instance filters: - type: kms-key key: KeyManager value: AWS
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
operator:
enum:
- and
- or
type:
enum:
- kms-key
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey
last-write
Filters CloudWatch log groups by last write
- example:
policies:
- name: cloudwatch-stale-groups
resource: log-group
filters:
- type: last-write
days: 60
properties:
days:
type: number
type:
enum:
- last-write
required:
- type
Permissions - logs:DescribeLogStreams
Actions
delete
- example:
policies:
- name: cloudwatch-delete-stale-log-group
resource: log-group
filters:
- type: last-write
days: 182.5
actions:
- delete
properties:
type:
enum:
- delete
required:
- type
Permissions - logs:DeleteLogGroup
put-subscription-filter
Create/Update a subscription filter and associate with a log group
- example:
policies:
- name: cloudwatch-put-subscription-filter
resource: log-group
actions:
- type: put-subscription-filter
filter_name: AllLambda
filter_pattern: ip
destination_arn: arn:aws:logs:us-east-1:1234567890:destination:lambda
distribution: Random
role_arn: "arn:aws:iam::{account_id}:role/testCrossAccountRole"
properties:
destination_arn:
type: string
distribution:
enum:
- Random
- ByLogStream
filter_name:
type: string
filter_pattern:
type: string
role_arn:
type: string
type:
enum:
- put-subscription-filter
required:
- filter_name
- destination_arn
- type
Permissions - logs:PutSubscriptionFilter
rename-tag
Rename an existing tag key to a new value.
- example:
rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.
policies: - name: rename-tags-example resource: aws.log-group filters: - or: - "tag:Bap": present - "tag:Application": present actions: - type: rename-tag old_keys: [Application, Bap] new_key: App
properties:
new_key:
type: string
old_key:
type: string
old_keys:
items:
type: string
type: array
type:
enum:
- rename-tag
required:
- type
Permissions - tag:TagResources, tag:UntagResources
retention
Action to set the retention period (in days) for CloudWatch log groups
- example:
policies:
- name: cloudwatch-set-log-group-retention
resource: log-group
actions:
- type: retention
days: 200
properties:
days:
type: integer
type:
enum:
- retention
required:
- type
Permissions - logs:PutRetentionPolicy
set-encryption
Encrypt/Decrypt a log group
- example:
policies:
- name: encrypt-log-group
resource: log-group
filters:
- kmsKeyId: absent
actions:
- type: set-encryption
kms-key: alias/mylogkey
state: True
- name: decrypt-log-group
resource: log-group
filters:
- kmsKeyId: kms:key:arn
actions:
- type: set-encryption
state: False
properties:
kms-key:
type: string
state:
type: boolean
type:
enum:
- set-encryption
required:
- type
Permissions - logs:AssociateKmsKey, logs:DisassociateKmsKey, kms:DescribeKey