aws.rds-cluster¶
Resource manager for RDS clusters.
Filters¶
consecutive-snapshots¶
- Returns RDS clusters where number of consective daily snapshots is equal to/or greater
than n days.
- example
policies:
- name: rdscluster-daily-snapshot-count
resource: rds-cluster
filters:
- type: consecutive-snapshots
days: 7
properties:
days:
minimum: 1
type: number
type:
enum:
- consecutive-snapshots
required:
- days
- type
Permissions - rds:DescribeDBClusterSnapshots, rds:DescribeDBClusters
db-cluster-parameter¶
Applies value type filter on set db cluster parameter values. :example: .. code-block:: yaml
- policies:
name: rdscluster-pg resource: rds-cluster filters:
type: db-cluster-parameter key: someparam op: eq value: someval
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- db-cluster-parameter
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - rds:DescribeDBInstances, rds:DescribeDBParameters
json-diff¶
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
kms-key¶
Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’
- example
Match a specific key alias:
policies: - name: dms-encrypt-key-check resource: dms-instance filters: - type: kms-key key: "c7n:AliasName" value: alias/aws/dms
Or match against native key attributes such as KeyManager, which
more explicitly distinguishes between AWS and CUSTOMER-managed
keys. The above policy can also be written as:
policies: - name: dms-aws-managed-key resource: dms-instance filters: - type: kms-key key: KeyManager value: AWS
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
operator:
enum:
- and
- or
type:
enum:
- kms-key
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - kms:ListKeys, kms:DescribeKey
Actions¶
delete¶
Action to delete a RDS cluster
To prevent unwanted deletion of clusters, it is recommended to apply a filter to the rule
- example
policies:
- name: rds-cluster-delete-unused
resource: rds-cluster
filters:
- type: metrics
name: CPUUtilization
days: 21
value: 1.0
op: le
actions:
- type: delete
skip-snapshot: false
delete-instances: true
properties:
delete-instances:
type: boolean
skip-snapshot:
type: boolean
type:
enum:
- delete
required:
- type
Permissions - rds:DeleteDBCluster
modify-db-cluster¶
Modifies an RDS instance based on specified parameter using ModifyDbInstance.
‘Immediate” determines whether the modification is applied immediately or not. If ‘immediate’ is not specified, default is false.
- example
policies:
- name: disable-db-cluster-deletion-protection
resource: rds-cluster
filters:
- DeletionProtection: true
- PubliclyAccessible: true
actions:
- type: modify-db-cluster
attributes:
CopyTagsToSnapshot: true
DeletionProtection: false
properties:
attributes:
type: object
type:
enum:
- modify-db-cluster
required:
- attributes
Permissions - rds:ModifyDBCluster
retention¶
Action to set the retention period on rds cluster snapshots, enforce (min, max, exact) sets retention days occordingly.
- example
policies:
- name: rds-cluster-backup-retention
resource: rds-cluster
filters:
- type: value
key: BackupRetentionPeriod
value: 21
op: ne
actions:
- type: retention
days: 21
enforce: min
properties:
days:
type: number
enforce:
enum:
- min
- max
- exact
type: string
type:
enum:
- retention
required:
- type
Permissions - rds:ModifyDBCluster
snapshot¶
Action to create a snapshot of a rds cluster
- example
policies:
- name: rds-cluster-snapshot
resource: rds-cluster
actions:
- snapshot
properties:
type:
enum:
- snapshot
required:
- type
Permissions - rds:CreateDBClusterSnapshot
start¶
Start a stopped db cluster
properties:
type:
enum:
- start
required:
- type
Permissions - rds:StartDBCluster
stop¶
Stop a running db cluster
properties:
type:
enum:
- stop
required:
- type
Permissions - rds:StopDBCluster