aws.peering-connection

Filters

cross-account

Check a resource’s embedded IAM policy for cross-account access.

Supports a whitelist_patterns option to skip principals whose identifier matches any of the provided fnmatch patterns. This is useful for ignoring unique identifiers left behind by deleted IAM principals (e.g. AIDA* for deleted IAM users, AROA* for deleted IAM roles) which AWS substitutes into resource policies when the original principal is removed. See IAM unique identifiers for the full list of prefixes.

- type: cross-account
  whitelist_patterns:
    - "AIDA*"
    - "AROA*"

properties:
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - ec2:DescribeVpcPeeringConnections

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

missing-route

Return peers which are missing a route in route tables.

If the peering connection is between two VPCs in the same account, the connection is returned unless a route to it is present in the route tables of each VPC.

If the peering connection is between accounts, only the local VPC’s route tables are checked.

properties:
  type:
    enum:
    - missing-route
required:
- type

Permissions - ec2:DescribeRouteTables
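As an added illustration (not Cloud Custodian's own implementation), the following Python applies the missing-route rule described above to constructed records shaped like the output of ec2:DescribeVpcPeeringConnections and ec2:DescribeRouteTables; ACCOUNT_ID and the VPC, route table and pcx identifiers are hypothetical sample values.

```python
from typing import Dict, List

# Hypothetical local account id plus constructed sample data mirroring the
# shapes returned by DescribeRouteTables / DescribeVpcPeeringConnections.
ACCOUNT_ID = "111111111111"

ROUTE_TABLES: List[Dict] = [
    {"RouteTableId": "rtb-a", "VpcId": "vpc-a",
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-1"}]},
    {"RouteTableId": "rtb-b", "VpcId": "vpc-b",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-1"}]},
    {"RouteTableId": "rtb-c", "VpcId": "vpc-c",
     "Routes": [{"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"}]},
]

PEERS: List[Dict] = [
    # same-account peer, routed on both sides: not matched by the filter
    {"VpcPeeringConnectionId": "pcx-1",
     "RequesterVpcInfo": {"VpcId": "vpc-a", "OwnerId": ACCOUNT_ID},
     "AccepterVpcInfo": {"VpcId": "vpc-b", "OwnerId": ACCOUNT_ID}},
    # cross-account peer, local vpc-c has no route to it: matched
    {"VpcPeeringConnectionId": "pcx-2",
     "RequesterVpcInfo": {"VpcId": "vpc-c", "OwnerId": ACCOUNT_ID},
     "AccepterVpcInfo": {"VpcId": "vpc-x", "OwnerId": "222222222222"}},
    # same-account peer, vpc-a routes only to pcx-1, not pcx-3: matched
    {"VpcPeeringConnectionId": "pcx-3",
     "RequesterVpcInfo": {"VpcId": "vpc-a", "OwnerId": ACCOUNT_ID},
     "AccepterVpcInfo": {"VpcId": "vpc-c", "OwnerId": ACCOUNT_ID}},
]


def vpc_routes_to_peer(route_tables: List[Dict], vpc_id: str, pcx_id: str) -> bool:
    """True if any route table of vpc_id carries a route targeting pcx_id."""
    return any(
        route.get("VpcPeeringConnectionId") == pcx_id
        for table in route_tables if table["VpcId"] == vpc_id
        for route in table["Routes"]
    )


def missing_route(peer: Dict, route_tables: List[Dict], account_id: str) -> bool:
    """Same-account peers need a route in each VPC; cross-account peers are
    checked only on the VPC owned by this account (the local side)."""
    pcx_id = peer["VpcPeeringConnectionId"]
    sides = [peer["RequesterVpcInfo"], peer["AccepterVpcInfo"]]
    local = [s for s in sides if s["OwnerId"] == account_id]
    return any(not vpc_routes_to_peer(route_tables, s["VpcId"], pcx_id) for s in local)


def filter_missing_route(peers: List[Dict], route_tables: List[Dict], account_id: str) -> List[str]:
    """Ids of the peering connections the missing-route filter would return."""
    return [p["VpcPeeringConnectionId"] for p in peers
            if missing_route(p, route_tables, account_id)]
```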

Actions