aws.rds-cluster-snapshot
Resource manager for RDS cluster snapshots.
Filters

age

Filters RDS cluster snapshots based on age (in days).

example:

policies:
  - name: rds-cluster-snapshots-expired
    resource: rds-cluster-snapshot
    filters:
      - type: age
        days: 30
        op: gt

properties:
  days:
    type: number
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
  type:
    enum:
      - age
required:
  - type
cross-account

Check a resource's embedded IAM policy for cross-account access.

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
      - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      url:
        type: string
    required:
      - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      url:
        type: string
    required:
      - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      url:
        type: string
    required:
      - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      url:
        type: string
    required:
      - url
    type: object
required:
  - type
Permissions - rds:DescribeDBClusterSnapshotAttributes
json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database.

Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).

properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
Permissions - config:GetResourceConfigHistory
Actions

delete

Action to delete RDS cluster snapshots.

To prevent unwanted deletion of RDS cluster snapshots, it is recommended to apply a filter to the policy.

example:

policies:
  - name: rds-cluster-snapshots-expired-delete
    resource: rds-cluster-snapshot
    filters:
      - type: age
        days: 30
        op: gt
    actions:
      - delete

properties:
  type:
    enum:
      - delete
required:
  - type
Permissions - rds:DeleteDBClusterSnapshot
set-permissions

Set permissions for copying or restoring an RDS cluster snapshot.

Use the 'add' and 'remove' parameters to control which accounts to add or remove, respectively. The default is to remove any permissions granted to other AWS accounts.

Use 'remove: matched' in combination with the cross-account filter for more flexible removal options, such as preserving access for a set of whitelisted accounts:

example:

policies:
  - name: rds-cluster-snapshot-prune-permissions
    resource: rds-cluster-snapshot
    filters:
      - type: cross-account
        whitelist:
          - '112233445566'
    actions:
      - type: set-permissions
        remove: matched

properties:
  add:
    items:
      oneOf:
        - maxLength: 12
          minLength: 12
          type: string
        - enum:
            - all
    type: array
  remove:
    oneOf:
      - enum:
          - matched
      - items:
          oneOf:
            - maxLength: 12
              minLength: 12
              type: string
            - enum:
                - all
        type: array
  type:
    enum:
      - set-permissions
required:
  - type
Permissions - rds:ModifyDBClusterSnapshotAttribute
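How the cross-account filter and 'remove: matched' fit together, as an added Python illustration that is not Cloud Custodian's own code: it assumes the check is made against the snapshot's 'restore' share attribute as returned by rds:DescribeDBClusterSnapshotAttributes, applies the whitelist from the policy example above, and builds the rds:ModifyDBClusterSnapshotAttribute call. The owner account, the non-whitelisted account ID and the snapshot identifier are constructed values.

```python
from typing import Dict, Iterable, List

OWNER_ACCOUNT = "111111111111"  # constructed: the account that owns the snapshot

# Constructed sample in the shape returned by rds:DescribeDBClusterSnapshotAttributes.
# 112233445566 is the whitelisted account from the policy example above; the other
# account ID and the snapshot identifier are made up.
SAMPLE_ATTRIBUTES = {
    "DBClusterSnapshotAttributesResult": {
        "DBClusterSnapshotIdentifier": "example-cluster-snap",
        "DBClusterSnapshotAttributes": [
            {"AttributeName": "restore",
             "AttributeValues": ["112233445566", "999988887777", "all"]},
        ],
    }
}

def restore_grants(attrs: Dict) -> List[str]:
    """Account IDs (or the public marker 'all') allowed to copy/restore the snapshot."""
    for attr in attrs["DBClusterSnapshotAttributesResult"]["DBClusterSnapshotAttributes"]:
        if attr["AttributeName"] == "restore":
            return list(attr["AttributeValues"])
    return []

def cross_account_grants(grants: Iterable[str], owner: str, whitelist: Iterable[str],
                         everyone_only: bool = False) -> List[str]:
    """What the cross-account filter matches: the public grant 'all' always, plus any
    account other than the owner that is not whitelisted (unless everyone_only)."""
    allowed = set(whitelist) | {owner}
    return [g for g in grants
            if g == "all" or (not everyone_only and g not in allowed)]

def set_permissions_params(snapshot_id: str, matched: List[str],
                           add: Iterable[str] = ()) -> Dict:
    """Parameters for rds:ModifyDBClusterSnapshotAttribute that implement
    'remove: matched' (plus an optional 'add' list) on the 'restore' attribute."""
    params = {"DBClusterSnapshotIdentifier": snapshot_id, "AttributeName": "restore"}
    if matched:
        params["ValuesToRemove"] = matched
    to_add = list(add)
    if to_add:
        params["ValuesToAdd"] = to_add
    return params

if __name__ == "__main__":
    matched = cross_account_grants(restore_grants(SAMPLE_ATTRIBUTES),
                                   OWNER_ACCOUNT, ["112233445566"])
    # ValuesToRemove is ['999988887777', 'all']; the whitelisted account keeps access
    print(set_permissions_params("example-cluster-snap", matched))
```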