aws.rds-snapshot¶
Resource manager for RDS DB snapshots.
Filters¶
age¶
Filters RDS snapshots based on age (in days)
- example
policies:
- name: rds-snapshot-expired
resource: rds-snapshot
filters:
- type: age
days: 28
op: ge
actions:
- delete
properties:
days:
type: number
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- age
required:
- type
cross-account¶
Check a resource’s embedded iam policy for cross account access.
properties:
actions:
items:
type: string
type: array
everyone_only:
type: boolean
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_conditions:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_orgids:
items:
type: string
type: array
whitelist_orgids_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_vpc:
items:
type: string
type: array
whitelist_vpc_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_vpce:
items:
type: string
type: array
whitelist_vpce_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
required:
- type
Permissions - rds:DescribeDBSnapshotAttributes
json-diff¶
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
latest¶
Return the latest snapshot for each database.
properties:
automatic:
type: boolean
type:
enum:
- latest
required:
- type
Permissions - rds:DescribeDBSnapshots
Actions¶
delete¶
Deletes a RDS snapshot resource
- example
policies:
- name: rds-snapshot-delete-stale
resource: rds-snapshot
filters:
- type: age
days: 28
op: ge
actions:
- delete
properties:
type:
enum:
- delete
required:
- type
Permissions - rds:DeleteDBSnapshot
region-copy¶
Copy a snapshot across regions.
Note there is a max in flight for cross region rds snapshots of 5 per region. This action will attempt to retry automatically for an hr.
Example:
- name: copy-encrypted-snapshots
description: |
copy snapshots under 1 day old to dr region with kms
resource: rds-snapshot
region: us-east-1
filters:
- Status: available
- type: value
key: SnapshotCreateTime
value_type: age
value: 1
op: less-than
actions:
- type: region-copy
target_region: us-east-2
target_key: arn:aws:kms:us-east-2:0000:key/cb291f53-c9cf61
copy_tags: true
tags:
OriginRegion: us-east-1
properties:
copy_tags:
type: boolean
tags:
type: object
target_key:
type: string
target_region:
type: string
type:
enum:
- region-copy
required:
- target_region
Permissions - rds:CopyDBSnapshot
restore¶
Restore an rds instance from a snapshot.
Note this requires the snapshot or db deletion be taken with the copy-restore-info boolean flag set to true, as various instance metadata is stored on the snapshot as tags.
additional parameters to restore db instance api call be overriden via restore_options settings. various modify db instance parameters can be specified via modify_options settings.
properties:
modify_options:
type: object
restore_options:
type: object
type:
enum:
- restore
required:
- type
Permissions - rds:ModifyDBInstance, rds:ModifyDBParameterGroup, rds:ModifyOptionGroup, rds:RebootDBInstance, rds:RestoreDBInstanceFromDBSnapshot
set-permissions¶
Set permissions for copying or restoring an RDS snapshot
Use the ‘add’ and ‘remove’ parameters to control which accounts to add or remove, respectively. The default is to remove any permissions granted to other AWS accounts.
Use remove: matched in combination with the cross-account filter for more flexible removal options such as preserving access for a set of whitelisted accounts:
- example
policies:
- name: rds-snapshot-remove-cross-account
resource: rds-snapshot
filters:
- type: cross-account
whitelist:
- '112233445566'
actions:
- type: set-permissions
remove: matched
properties:
add:
items:
oneOf:
- maxLength: 12
minLength: 12
type: string
- enum:
- all
type: array
remove:
oneOf:
- enum:
- matched
- items:
oneOf:
- maxLength: 12
minLength: 12
type: string
- enum:
- all
type: array
type:
enum:
- set-permissions
required:
- type
Permissions - rds:ModifyDBSnapshotAttribute