aws.rds-cluster

Resource manager for RDS clusters.

Filters

consecutive-snapshots

Returns RDS clusters where the number of consecutive daily snapshots is equal to or greater than n days.

example

policies:
  - name: rdscluster-daily-snapshot-count
    resource: rds-cluster
    filters:
      - type: consecutive-snapshots
        days: 7
properties:
  days:
    minimum: 1
    type: number
  type:
    enum:
    - consecutive-snapshots
required:
- days
- type

Permissions - rds:DescribeDBClusterSnapshots, rds:DescribeDBClusters
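The following is an added illustration, not Cloud Custodian's own filter code, of how a consecutive-snapshots check can be evaluated against the list that rds:DescribeDBClusterSnapshots returns. The snapshot records, cluster names and dates are constructed; the window is modelled as the n calendar days before the evaluation date (today excluded, since today's automated snapshot may not have run yet), which is a modelling choice of this example.

```python
# Added example (not part of Cloud Custodian): evaluate a consecutive-snapshots
# style filter over DescribeDBClusterSnapshots-shaped records.
from datetime import date, datetime, timedelta


def _snap(cluster, day, hour=1):
    """Build one constructed snapshot record (only the two fields the check needs)."""
    return {"DBClusterIdentifier": cluster,
            "SnapshotCreateTime": f"2024-03-{day:02d}T{hour:02d}:00:00Z"}


# Constructed sample data: cluster-a has a snapshot every day from 03-03 to 03-09
# (two on 03-09); cluster-b is missing 03-06.
SAMPLE_SNAPSHOTS = (
    [_snap("cluster-a", d) for d in range(3, 10)]
    + [_snap("cluster-a", 9, hour=14)]
    + [_snap("cluster-b", d) for d in range(3, 10) if d != 6]
)
TODAY = date(2024, 3, 10)  # constructed evaluation date


def snapshot_days(snapshots, cluster_id):
    """Return the set of UTC calendar days on which `cluster_id` has a snapshot.

    Several snapshots on the same day count once, so a manual snapshot
    cannot stand in for a missed day elsewhere in the window.
    """
    days = set()
    for snap in snapshots:
        if snap["DBClusterIdentifier"] != cluster_id:
            continue
        created = datetime.strptime(snap["SnapshotCreateTime"], "%Y-%m-%dT%H:%M:%SZ")
        days.add(created.date())
    return days


def has_consecutive_snapshots(snapshots, cluster_id, days, today=TODAY):
    """True when each of the `days` calendar days before `today` has a snapshot."""
    if days < 1:
        raise ValueError("days must be at least 1 (the schema minimum)")
    covered = snapshot_days(snapshots, cluster_id)
    expected = {today - timedelta(days=i) for i in range(1, days + 1)}
    return expected.issubset(covered)


def matching_clusters(snapshots, cluster_ids, days, today=TODAY):
    """Clusters the filter would return for `days: <days>`."""
    return [c for c in cluster_ids
            if has_consecutive_snapshots(snapshots, c, days, today)]


if __name__ == "__main__":
    print(matching_clusters(SAMPLE_SNAPSHOTS, ["cluster-a", "cluster-b"], 7))
```

Pairing this filter with a notify action gives a simple backup-coverage alarm: a cluster that drops out of the result set has a gap in its daily snapshot history.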

db-cluster-parameter

Applies a value type filter to the values of the cluster's DB cluster parameter group.

example

policies:
  - name: rdscluster-pg
    resource: rds-cluster
    filters:
      - type: db-cluster-parameter
        key: someparam
        op: eq
        value: someval

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - db-cluster-parameter
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

Permissions - rds:DescribeDBInstances, rds:DescribeDBParameters
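As an added illustration (not Cloud Custodian's value filter implementation), the block below shows how the key, op, value and value_type properties of a db-cluster-parameter filter combine when evaluated against parameter sets. The cluster names and parameter values are constructed; value_type is limited here to integer and normalize, and an unset parameter is treated as matching only the negative operators, both of which are choices of this example.

```python
# Added example (not part of Cloud Custodian): evaluate db-cluster-parameter
# filter specs against constructed DescribeDBClusterParameters-style data.
import fnmatch
import operator
import re

# Constructed sample data: each cluster's parameter group, flattened to
# {ParameterName: ParameterValue}. API values are strings, hence value_type.
SAMPLE_CLUSTERS = {
    "prod-a":   {"require_secure_transport": "ON",  "max_connections": "500"},
    "dev-b":    {"require_secure_transport": "OFF", "max_connections": "50"},
    "legacy-c": {"max_connections": "200"},  # require_secure_transport not set
}

NEGATIVE_OPS = {"ne", "not-equal", "ni", "not-in"}

OPS = {
    "eq": operator.eq, "equal": operator.eq,
    "ne": operator.ne, "not-equal": operator.ne,
    "gt": operator.gt, "greater-than": operator.gt,
    "ge": operator.ge, "gte": operator.ge,
    "lt": operator.lt, "less-than": operator.lt,
    "le": operator.le, "lte": operator.le,
    "in": lambda actual, allowed: actual in allowed,
    "ni": lambda actual, denied: actual not in denied,
    "not-in": lambda actual, denied: actual not in denied,
    "contains": lambda actual, needle: needle in actual,
    "glob": lambda actual, pattern: fnmatch.fnmatchcase(str(actual), pattern),
    "regex": lambda actual, pattern: re.match(pattern, str(actual)) is not None,
    "regex-case": lambda actual, pattern: re.match(pattern, str(actual), re.IGNORECASE) is not None,
}


def coerce(value, value_type):
    """Apply the subset of value_type handled by this example."""
    if value_type is None:
        return value
    if value_type == "integer":
        return int(str(value).strip())
    if value_type == "normalize":
        return str(value).strip().lower()
    raise ValueError(f"value_type {value_type!r} not modelled in this example")


def parameter_matches(params, spec):
    """Return True if one cluster's parameter set satisfies the filter spec.

    op defaults to eq. In this example an unset parameter satisfies only the
    negative operators, so "ne ON" flags clusters that never set the parameter.
    """
    op_name = spec.get("op", "eq")
    actual = params.get(spec["key"])
    if actual is None:
        return op_name in NEGATIVE_OPS
    value_type = spec.get("value_type")
    actual = coerce(actual, value_type)
    expected = spec["value"]
    if value_type == "integer" and not isinstance(expected, list):
        expected = coerce(expected, value_type)
    return OPS[op_name](actual, expected)


def select_clusters(clusters, spec):
    """Cluster ids the filter would pass through, in sorted order."""
    return sorted(c for c, params in clusters.items() if parameter_matches(params, spec))


if __name__ == "__main__":
    tls_spec = {"type": "db-cluster-parameter", "key": "require_secure_transport",
                "op": "ne", "value": "ON"}
    print(select_clusters(SAMPLE_CLUSTERS, tls_spec))
```

The integer coercion matters in practice: the API returns every ParameterValue as a string, so an ordering comparison such as "op: lt, value: 100" needs "value_type: integer" to compare numbers rather than strings.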

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

kms-key

Filter a resource by its associated KMS key and, optionally, by the alias name of the KMS key using the 'c7n:AliasName' key.

example

Match a specific key alias:

policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS and CUSTOMER-managed keys. The above policy can also be written as:

policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS
properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

Permissions - kms:ListKeys, kms:DescribeKey

Actions

delete

Action to delete an RDS cluster.

To prevent unwanted deletion of clusters, it is recommended to apply a filter to the rule.

example

policies:
  - name: rds-cluster-delete-unused
    resource: rds-cluster
    filters:
      - type: metrics
        name: CPUUtilization
        days: 21
        value: 1.0
        op: le
    actions:
      - type: delete
        skip-snapshot: false
        delete-instances: true
properties:
  delete-instances:
    type: boolean
  skip-snapshot:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - rds:DeleteDBCluster

modify-db-cluster

Modifies an RDS cluster based on the specified attributes using ModifyDBCluster.

'immediate' determines whether the modification is applied immediately or not. If 'immediate' is not specified, the default is false.

example

policies:
  - name: disable-db-cluster-deletion-protection
    resource: rds-cluster
    filters:
      - DeletionProtection: true
      - PubliclyAccessible: true
    actions:
      - type: modify-db-cluster
        attributes:
            CopyTagsToSnapshot: true
            DeletionProtection: false
properties:
  attributes:
    type: object
  type:
    enum:
    - modify-db-cluster
required:
- attributes

Permissions - rds:ModifyDBCluster

retention

Action to set the retention period on RDS cluster snapshots; enforce (min, max, exact) sets the retention days accordingly.

example

policies:
  - name: rds-cluster-backup-retention
    resource: rds-cluster
    filters:
      - type: value
        key: BackupRetentionPeriod
        value: 21
        op: ne
    actions:
      - type: retention
        days: 21
        enforce: min
properties:
  days:
    type: number
  enforce:
    enum:
    - min
    - max
    - exact
    type: string
  type:
    enum:
    - retention
required:
- type

Permissions - rds:ModifyDBCluster
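The following is an added illustration, not the action's own implementation, of what the three enforce modes do to a cluster's BackupRetentionPeriod, run against constructed clusters alongside the page's example policy (filter BackupRetentionPeriod ne 21, then retention days 21 enforce min). The interpretation of min as "raise to at least n", max as "lower to at most n" and exact as "set to n" is this example's reading of the description above.

```python
# Added example (not part of Cloud Custodian): the effect of enforce on
# BackupRetentionPeriod, and how it interacts with the example policy's filter.

# Constructed sample data: {DBClusterIdentifier: current BackupRetentionPeriod}.
SAMPLE_RETENTION = {"short-a": 7, "ok-b": 21, "long-c": 35}


def target_retention(current_days, days, enforce):
    """Retention period a cluster should end up with under the given enforce mode."""
    if not 1 <= days <= 35:
        # AWS accepts 1 to 35 days for cluster backup retention.
        raise ValueError("days must be between 1 and 35")
    if enforce == "min":
        return max(current_days, days)
    if enforce == "max":
        return min(current_days, days)
    if enforce == "exact":
        return days
    raise ValueError(f"unknown enforce mode {enforce!r}")


def plan_retention_changes(clusters, days, enforce, only=None):
    """Return {cluster_id: new_days} for clusters whose retention must change.

    `only` restricts the plan to the clusters an upstream filter passed through;
    clusters already at their target value are omitted, as no API call is needed.
    """
    plan = {}
    for cluster_id, current in clusters.items():
        if only is not None and cluster_id not in only:
            continue
        target = target_retention(current, days, enforce)
        if target != current:
            plan[cluster_id] = target
    return plan


def value_filter_ne(clusters, key_value):
    """Model the page's filter: BackupRetentionPeriod ne <key_value>."""
    return {c for c, current in clusters.items() if current != key_value}


if __name__ == "__main__":
    selected = value_filter_ne(SAMPLE_RETENTION, 21)
    print(plan_retention_changes(SAMPLE_RETENTION, 21, "min", only=selected))
```

With enforce: min, a cluster already above 21 days passes the "ne 21" filter but is left alone, so the policy only ever raises retention; switch to exact if the intent is to pin every cluster to exactly 21 days.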

snapshot

Action to create a snapshot of an RDS cluster.

example

policies:
  - name: rds-cluster-snapshot
    resource: rds-cluster
    actions:
      - snapshot
properties:
  type:
    enum:
    - snapshot
required:
- type

Permissions - rds:CreateDBClusterSnapshot

start

Start a stopped DB cluster.

properties:
  type:
    enum:
    - start
required:
- type

Permissions - rds:StartDBCluster

stop

Stop a running DB cluster.

properties:
  type:
    enum:
    - stop
required:
- type

Permissions - rds:StopDBCluster