aws.rds-cluster

Resource manager for RDS clusters.

Filters

• config-compliance

• event

• finding

• json-diff

• marked-for-op

• metrics

• network-location

• offhour

• onhour

• ops-item

• security-group

• subnet

• tag-count

• value

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Actions

• auto-tag-user

• copy-related-tag

• delete

• invoke-lambda

• invoke-sfn

• mark-for-op

• modify-db-cluster

• notify

• post-finding

• post-item

• put-metric

• remove-tag

• retention

• snapshot

• start

• stop

• tag

• webhook

delete

Action to delete a RDS cluster

To prevent unwanted deletion of clusters, it is recommended to apply a filter to the rule

example

policies:
  - name: rds-cluster-delete-unused
    resource: rds-cluster
    filters:
      - type: metrics
        name: CPUUtilization
        days: 21
        value: 1.0
        op: le
    actions:
      - type: delete
        skip-snapshot: false
        delete-instances: true

properties:
  delete-instances:
    type: boolean
  skip-snapshot:
    type: boolean
  type:
    enum:
    - delete
required:
- type

modify-db-cluster

Modifies an RDS instance based on specified parameter using ModifyDbInstance.

‘Immediate” determines whether the modification is applied immediately or not. If ‘immediate’ is not specified, default is false.

example

policies:
  - name: disable-db-cluster-deletion-protection
    resource: rds-cluster
    filters:
      - DeletionProtection: true
      - PubliclyAccessible: true
    actions:
      - type: modify-db-cluster
        attributes:
            CopyTagsToSnapshot: true
            DeletionProtection: false

properties:
  attributes:
    type: object
  type:
    enum:
    - modify-db-cluster
required:
- attributes

retention

Action to set the retention period on rds cluster snapshots, enforce (min, max, exact) sets retention days occordingly.

example

policies:
  - name: rds-cluster-backup-retention
    resource: rds-cluster
    filters:
      - type: value
        key: BackupRetentionPeriod
        value: 21
        op: ne
    actions:
      - type: retention
        days: 21
        enforce: min

properties:
  days:
    type: number
  enforce:
    enum:
    - min
    - max
    - exact
    type: string
  type:
    enum:
    - retention
required:
- type

snapshot

Action to create a snapshot of a rds cluster

example

policies:
  - name: rds-cluster-snapshot
    resource: rds-cluster
    actions:
      - snapshot

properties:
  type:
    enum:
    - snapshot
required:
- type

start

Start a stopped db cluster

properties:
  type:
    enum:
    - start
required:
- type

stop

Stop a running db cluster

properties:
  type:
    enum:
    - stop
required:
- type