aws.logs resources
aws.log-group
Filters
cross-account
Check a resource's embedded IAM policy for cross-account access.

    properties:
      type:
        enum:
        - cross-account
      whitelist:
        items:
          type: string
        type: array
      whitelist_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
            - type: integer
            - type: string
          format:
            enum:
            - csv
            - json
            - txt
            - csv2dict
          url:
            type: string
        required:
        - url
        type: object
    required:
    - type

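A pair of policies using the cross-account filter, added here as an example and not taken from the Custodian documentation. The policy names, account IDs, bucket URL and JSON layout are constructed placeholders, and treating `expr` as a JMESPath expression when `format` is `json` is an assumption.

```yaml
policies:
  # Report log groups whose cross-account access reaches an account
  # outside a short, inline allow-list.
  - name: log-group-cross-account-inline    # hypothetical policy name
    resource: log-group
    filters:
      - type: cross-account
        # The schema requires strings: quote the IDs so YAML does not
        # parse them as integers, which validation would reject.
        whitelist:
          - "123456789012"   # constructed account ID
          - "210987654321"   # constructed account ID

  # Same check, with the allow-list maintained centrally and fetched
  # when the policy runs.
  - name: log-group-cross-account-central   # hypothetical policy name
    resource: log-group
    filters:
      - type: cross-account
        whitelist_from:
          # Placeholder URL; only `url` is required by the schema.
          url: s3://example-bucket/trusted-accounts.json
          format: json
          # Assumed JMESPath into a constructed document shaped like
          # {"accounts": [{"id": "123456789012"}, {"id": "210987654321"}]}
          expr: "accounts[].id"
```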
last-write
Filters CloudWatch log groups by last write

Example:

    policies:
      - name: cloudwatch-stale-groups
        resource: log-group
        filters:
          - type: last-write
            days: 60

Schema:

    properties:
      days:
        type: number
      type:
        enum:
        - last-write
    required:
    - type

Actions
delete

Example:

    policies:
      - name: cloudwatch-delete-stale-log-group
        resource: log-group
        filters:
          - type: last-write
            days: 182.5
        actions:
          - delete

Schema:

    properties:
      type:
        enum:
        - delete
    required:
    - type

retention
Action to set the retention period (in days) for CloudWatch log groups

Example:

    policies:
      - name: cloudwatch-set-log-group-retention
        resource: log-group
        actions:
          - type: retention
            days: 200

Schema:

    properties:
      days:
        type: integer
      type:
        enum:
        - retention
    required:
    - type

set-encryption
Encrypt/Decrypt a log group

Example:

    policies:
      - name: encrypt-log-group
        resource: log-group
        filters:
          - kmsKeyId: absent
        actions:
          - type: set-encryption
            kms-key: alias/mylogkey
            state: True
      - name: decrypt-log-group
        resource: log-group
        filters:
          - kmsKeyId: kms:key:arn
        actions:
          - type: set-encryption
            state: False

Schema:

    properties:
      kms-key:
        type: string
      state:
        type: boolean
      type:
        enum:
        - set-encryption
    required:
    - type