aws.rds-cluster-snapshot

Resource manager for RDS cluster snapshots.

Filters

age

Filters RDS cluster snapshots by age in days, measured from the snapshot's creation time. The comparison is age (op) days, so op: gt with days: 30 matches snapshots older than 30 days.

example

policies:
  - name: rds-cluster-snapshots-expired
    resource: rds-cluster-snapshot
    filters:
      - type: age
        days: 30
        op: gt
properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - age
required:
- type

cross-account

Check which AWS accounts the snapshot is shared with (its restore attribute, read with rds:DescribeDBClusterSnapshotAttributes) and match snapshots that grant copy or restore access to accounts outside the whitelist. The attribute value all means the snapshot is public; everyone_only restricts the match to that public grant. The whitelist_*_from variants load the allowed list from a URL in csv, json, txt or csv2dict format. The flagged accounts are what the set-permissions action revokes with remove: matched.

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - rds:DescribeDBClusterSnapshotAttributes

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database, so Config must be recording this resource type for the filter to find any history.

The revision to compare against is chosen with selector: previous (the immediately preceding revision), date (selector_value gives the date) or locked (the version locked with the is-locked filter, which must also be present in the policy).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

Actions

delete

Action to delete RDS cluster snapshots.

Deletion is irreversible, so always pair this action with a narrowing filter (for example the age filter in the example below) to prevent unwanted deletion.

example

policies:
  - name: rds-cluster-snapshots-expired-delete
    resource: rds-cluster-snapshot
    filters:
      - type: age
        days: 30
        op: gt
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type

Permissions - rds:DeleteDBClusterSnapshot

set-permissions

Set permissions for copying or restoring an RDS cluster snapshot.

Use the add and remove parameters to control which 12-digit account IDs are granted or revoked, respectively; the value all grants or revokes public access. With no parameters the action removes every permission granted to other AWS accounts.

Use remove: matched together with the cross-account filter for more selective removal, such as revoking only the accounts the filter flagged while preserving access for a whitelisted set:

example

policies:
  - name: rds-cluster-snapshot-prune-permissions
    resource: rds-cluster-snapshot
    filters:
      - type: cross-account
        whitelist:
          - '112233445566'
    actions:
      - type: set-permissions
        remove: matched
properties:
  add:
    items:
      oneOf:
      - maxLength: 12
        minLength: 12
        type: string
      - enum:
        - all
    type: array
  remove:
    oneOf:
    - enum:
      - matched
    - items:
        oneOf:
        - maxLength: 12
          minLength: 12
          type: string
        - enum:
          - all
      type: array
  type:
    enum:
    - set-permissions
required:
- type

Permissions - rds:ModifyDBClusterSnapshotAttribute
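The following is an added, stand-alone example and not Cloud Custodian's own code. It works the semantics of the age filter, the cross-account filter (whitelist and everyone_only) and the set-permissions action over a constructed snapshot record whose shape mirrors the DescribeDBClusterSnapshots and DescribeDBClusterSnapshotAttributes responses; the snapshot identifier, creation time and account IDs are made up, and the functions and their names are this example's own, not the project's.

```python
"""Added example, not Cloud Custodian's own code: the logic behind the
age and cross-account filters and the set-permissions action, worked
over a constructed rds:DescribeDBClusterSnapshotAttributes response."""
import operator
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: one shared snapshot. In the restore attribute,
# 'all' means the snapshot is public (any AWS account can copy/restore it).
SAMPLE_SNAPSHOT = {
    "DBClusterSnapshotIdentifier": "prod-aurora-2024-01-01",
    "SnapshotCreateTime": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "DBClusterSnapshotAttributes": [
        {"AttributeName": "restore",
         "AttributeValues": ["112233445566", "998877665544", "all"]},
    ],
}

# The numeric comparison operators the age filter's schema lists.
_OPS = {
    "eq": operator.eq, "equal": operator.eq,
    "ne": operator.ne, "not-equal": operator.ne,
    "gt": operator.gt, "greater-than": operator.gt,
    "ge": operator.ge, "gte": operator.ge,
    "le": operator.le, "lte": operator.le,
    "lt": operator.lt, "less-than": operator.lt,
}


def age_matches(snapshot, days, op="gt", now=None):
    """Age filter: compare the snapshot's age in days against `days` with `op`.
    op: gt, days: 30 therefore matches snapshots older than 30 days."""
    now = now or datetime.now(timezone.utc)
    age_days = (now - snapshot["SnapshotCreateTime"]) / timedelta(days=1)
    return _OPS[op](age_days, days)


def restore_accounts(snapshot):
    """Account IDs (or 'all') currently allowed to copy/restore the snapshot."""
    for attr in snapshot["DBClusterSnapshotAttributes"]:
        if attr["AttributeName"] == "restore":
            return list(attr["AttributeValues"])
    return []


def cross_account_violations(snapshot, whitelist=(), everyone_only=False):
    """Cross-account filter: the grants it would flag (what remove: matched
    later revokes). 'all' is a public grant and is never whitelisted;
    everyone_only reports only that public grant."""
    grants = restore_accounts(snapshot)
    if everyone_only:
        return [g for g in grants if g == "all"]
    allowed = set(whitelist)
    return [g for g in grants if g == "all" or g not in allowed]


def _check_grantee(value):
    # Mirror the action's schema: a 12-digit account ID or the literal 'all'.
    if value != "all" and not re.fullmatch(r"[0-9]{12}", value):
        raise ValueError(f"invalid grantee {value!r}")
    return value


def set_permissions_request(snapshot, add=(), remove=None):
    """set-permissions action: build the ModifyDBClusterSnapshotAttribute
    request that implements it. remove=None is the documented default
    (revoke every grant to another account); pass the cross-account
    violations as `remove` to get the remove: matched behaviour."""
    current = restore_accounts(snapshot)
    to_add = [_check_grantee(a) for a in add if a not in current]
    targets = current if remove is None else [_check_grantee(r) for r in remove]
    to_remove = [r for r in targets if r in current]
    return {
        "DBClusterSnapshotIdentifier": snapshot["DBClusterSnapshotIdentifier"],
        "AttributeName": "restore",
        "ValuesToAdd": to_add,
        "ValuesToRemove": to_remove,
    }


def prune_expired_shared(snapshots, days, whitelist, now=None):
    """The page's two examples combined: for snapshots older than `days`
    that are shared outside `whitelist`, return the pruning request each needs."""
    requests = []
    for snap in snapshots:
        if not age_matches(snap, days, "gt", now):
            continue
        matched = cross_account_violations(snap, whitelist)
        if matched:
            requests.append(set_permissions_request(snap, remove=matched))
    return requests


if __name__ == "__main__":
    fixed_now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    for req in prune_expired_shared([SAMPLE_SNAPSHOT], 30, ["112233445566"], fixed_now):
        print(req)
```

Run as a script, it prints one request that revokes the unlisted account and the public all grant while leaving the whitelisted account in place. The ValuesToAdd and ValuesToRemove keys are the parameters rds:ModifyDBClusterSnapshotAttribute takes, so the dictionary can be passed straight to a boto3 RDS client if you want to execute it; note that 'all' is deliberately never protected by the whitelist, because a public grant is the case the filter exists to catch.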