aws.rds-cluster-snapshot

Resource manager for RDS cluster snapshots.

Filters

age

Filters rds cluster snapshots based on age (in days)

example:

policies:
  - name: rds-cluster-snapshots-expired
    resource: rds-cluster-snapshot
    filters:
      - type: age
        days: 30
        op: gt

properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - age
required:
- type

cross-account

Check a resource’s embedded iam policy for cross account access.

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - rds:DescribeDBClusterSnapshotAttributes

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

Actions

delete

Action to delete rds cluster snapshots

To prevent unwanted deletion of rds cluster snapshots, it is recommended to apply a filter to the rule

example:

policies:
  - name: rds-cluster-snapshots-expired-delete
    resource: rds-cluster-snapshot
    filters:
      - type: age
        days: 30
        op: gt
    actions:
      - delete

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - rds:DeleteDBClusterSnapshot

rename-tag

Rename an existing tag key to a new value.

example:

rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App

properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

set-permissions

Set permissions for copying or restoring an RDS cluster snapshot

Use the ‘add’ and ‘remove’ parameters to control which accounts to add or remove, respectively. The default is to remove any permissions granted to other AWS accounts.

Use remove: matched in combination with the cross-account filter for more flexible removal options such as preserving access for a set of whitelisted accounts:

example:

policies:
  - name: rds-cluster-snapshot-prune-permissions
    resource: rds-cluster-snapshot
    filters:
      - type: cross-account
        whitelist:
          - '112233445566'
    actions:
      - type: set-permissions
        remove: matched

properties:
  add:
    items:
      oneOf:
      - maxLength: 12
        minLength: 12
        type: string
      - enum:
        - all
    type: array
  remove:
    oneOf:
    - enum:
      - matched
    - items:
        oneOf:
        - maxLength: 12
          minLength: 12
          type: string
        - enum:
          - all
      type: array
  type:
    enum:
    - set-permissions
required:
- type

Permissions - rds:ModifyDBClusterSnapshotAttribute