aws.rds-cluster-snapshot
Resource manager for RDS cluster snapshots.
Filters
age
Filters rds cluster snapshots based on age (in days)
- example:
policies:
- name: rds-cluster-snapshots-expired
resource: rds-cluster-snapshot
filters:
- type: age
days: 30
op: gt
properties:
days:
type: number
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- age
required:
- type
cross-account
Check a resource’s embedded iam policy for cross account access.
properties:
actions:
items:
type: string
type: array
everyone_only:
type: boolean
return_allowed:
type: boolean
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_conditions:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
whitelist_orgids:
items:
type: string
type: array
whitelist_orgids_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
whitelist_vpc:
items:
type: string
type: array
whitelist_vpc_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
whitelist_vpce:
items:
type: string
type: array
whitelist_vpce_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
required:
- type
Permissions - rds:DescribeDBClusterSnapshotAttributes
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
Actions
delete
Action to delete rds cluster snapshots
To prevent unwanted deletion of rds cluster snapshots, it is recommended to apply a filter to the rule
- example:
policies:
- name: rds-cluster-snapshots-expired-delete
resource: rds-cluster-snapshot
filters:
- type: age
days: 30
op: gt
actions:
- delete
properties:
type:
enum:
- delete
required:
- type
Permissions - rds:DeleteDBClusterSnapshot
region-copy
Copy an cluster snapshot across regions
Example:
- name: copy-encrypted-cluster-snapshots
description: |
copy cluster snapshots under 1 day old to dr region with kms
resource: rds-cluster-snapshot
region: us-east-1
filters:
- Status: available
- type: value
key: SnapshotCreateTime
value_type: age
value: 1
op: less-than
actions:
- type: region-copy
target_region: us-east-2
target_key: arn:aws:kms:us-east-2:644160558196:key/b10f842a-feb7-4318-92d5-0640a75b7688
copy_tags: true
tags:
OriginRegion: us-east-1
properties:
copy_tags:
type: boolean
tags:
type: object
target_key:
type: string
target_region:
type: string
type:
enum:
- region-copy
required:
- target_region
Permissions - rds:CopyDBClusterSnapshot
rename-tag
Rename an existing tag key to a new value.
- example:
rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.
policies: - name: rename-tags-example resource: aws.log-group filters: - or: - "tag:Bap": present - "tag:Application": present actions: - type: rename-tag old_keys: [Application, Bap] new_key: App
properties:
new_key:
type: string
old_key:
type: string
old_keys:
items:
type: string
type: array
type:
enum:
- rename-tag
required:
- type
Permissions - tag:TagResources, tag:UntagResources
set-permissions
Set permissions for copying or restoring an RDS cluster snapshot
Use the ‘add’ and ‘remove’ parameters to control which accounts to add or remove, respectively. The default is to remove any permissions granted to other AWS accounts.
Use remove: matched in combination with the cross-account filter for more flexible removal options such as preserving access for a set of whitelisted accounts:
- example:
policies:
- name: rds-cluster-snapshot-prune-permissions
resource: rds-cluster-snapshot
filters:
- type: cross-account
whitelist:
- '112233445566'
actions:
- type: set-permissions
remove: matched
properties:
add:
items:
oneOf:
- maxLength: 12
minLength: 12
type: string
- enum:
- all
type: array
remove:
oneOf:
- enum:
- matched
- items:
oneOf:
- maxLength: 12
minLength: 12
type: string
- enum:
- all
type: array
type:
enum:
- set-permissions
required:
- type
Permissions - rds:ModifyDBClusterSnapshotAttribute