aws.rds-snapshot
Resource manager for RDS DB snapshots.
Filters
age
Filters RDS snapshots based on age (in days)
- example:

  policies:
    - name: rds-snapshot-expired
      resource: rds-snapshot
      filters:
        - type: age
          days: 28
          op: ge
      actions:
        - delete
properties:
  days:
    type: number
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - age
required:
  - type
cross-account
Check a resource's embedded access policy for cross-account access. For RDS snapshots the policy is the snapshot's restore attribute: the list of account IDs, or all (public), that are allowed to copy or restore it.
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
      - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
required:
  - type
Permissions - rds:DescribeDBSnapshotAttributes
instance
Filter snapshots by their database attributes.
- example:

  Find snapshots without an extant database

  policies:
    - name: rds-snapshot-orphan
      resource: aws.rds-snapshot
      filters:
        - type: instance
          value: 0
          value_type: resource_count
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - instance
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
Permissions - rds:DescribeDBInstances, tag:GetResources
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (the latter requires the is-locked filter).
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
Permissions - config:GetResourceConfigHistory
latest
Return the latest snapshot for each database.
properties:
  automatic:
    type: boolean
  type:
    enum:
      - latest
required:
  - type
Permissions - rds:DescribeDBSnapshots
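The instance filter with value_type: resource_count and the latest filter are both joins over DescribeDBSnapshots output. The following added example (not Cloud Custodian's own code) reproduces both selections in plain Python on constructed records, so the logic can be checked without an AWS account: orphan snapshots are those whose DBInstanceIdentifier matches no existing instance, and latest keeps the newest snapshot per database. The reading of automatic: false as "manual snapshots only" is an assumption; the page only gives the flag's type.

```python
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Constructed sample records shaped like rds.describe_db_snapshots()["DBSnapshots"]
# and rds.describe_db_instances()["DBInstances"] (only the keys used here).
SNAPSHOTS: List[Dict] = [
    {"DBSnapshotIdentifier": "rds:orders-2024-05-04-03-10",
     "DBInstanceIdentifier": "orders", "SnapshotType": "automated",
     "SnapshotCreateTime": datetime(2024, 5, 4, 3, 10, tzinfo=timezone.utc)},
    {"DBSnapshotIdentifier": "orders-pre-migration",
     "DBInstanceIdentifier": "orders", "SnapshotType": "manual",
     "SnapshotCreateTime": datetime(2024, 5, 3, 9, 0, tzinfo=timezone.utc)},
    {"DBSnapshotIdentifier": "legacy-crm-final",
     "DBInstanceIdentifier": "legacy-crm", "SnapshotType": "manual",
     "SnapshotCreateTime": datetime(2023, 1, 15, 0, 0, tzinfo=timezone.utc)},
]
# Only "orders" still exists; "legacy-crm" was deleted and left its final snapshot behind.
INSTANCES: List[Dict] = [{"DBInstanceIdentifier": "orders"}]


def orphan_snapshots(snapshots: Iterable[Dict], instances: Iterable[Dict]) -> List[Dict]:
    """Equivalent of the instance filter with value_type: resource_count, value: 0:
    snapshots whose DBInstanceIdentifier matches no existing instance. These are the
    snapshots nobody owns any more but that still hold the database's data."""
    live = {i["DBInstanceIdentifier"] for i in instances}
    return [s for s in snapshots if s["DBInstanceIdentifier"] not in live]


def latest_snapshots(snapshots: Iterable[Dict], automatic: bool = True) -> List[Dict]:
    """Equivalent of the latest filter: the newest snapshot per database.
    automatic=False restricts the candidates to manual snapshots (assumed reading)."""
    newest: Dict[str, Dict] = {}
    for s in snapshots:
        if not automatic and s["SnapshotType"] != "manual":
            continue
        db = s["DBInstanceIdentifier"]
        if db not in newest or s["SnapshotCreateTime"] > newest[db]["SnapshotCreateTime"]:
            newest[db] = s
    return sorted(newest.values(), key=lambda s: s["DBInstanceIdentifier"])


def snapshot_ids(snapshots: Iterable[Dict]) -> List[str]:
    """Identifiers only, for readable output and assertions."""
    return [s["DBSnapshotIdentifier"] for s in snapshots]


if __name__ == "__main__":
    print("orphans:", snapshot_ids(orphan_snapshots(SNAPSHOTS, INSTANCES)))
    print("latest (all):", snapshot_ids(latest_snapshots(SNAPSHOTS)))
    print("latest (manual only):", snapshot_ids(latest_snapshots(SNAPSHOTS, automatic=False)))
```

A retention policy that deletes everything except what latest_snapshots returns will still keep the orphan legacy-crm-final forever, since it is the latest snapshot of its database; combine the orphan check with an age threshold before deleting.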
Actions
delete
Deletes an RDS snapshot.
- example:

  policies:
    - name: rds-snapshot-delete-stale
      resource: rds-snapshot
      filters:
        - type: age
          days: 28
          op: ge
      actions:
        - delete
properties:
  type:
    enum:
      - delete
required:
  - type
Permissions - rds:DeleteDBSnapshot
region-copy
Copy a snapshot across regions.
Note that AWS limits in-flight cross-region RDS snapshot copies to 5 per region. When that limit is hit this action retries automatically for up to an hour.
Example:

  - name: copy-encrypted-snapshots
    description: |
      copy snapshots under 1 day old to dr region with kms
    resource: rds-snapshot
    region: us-east-1
    filters:
      - Status: available
      - type: value
        key: SnapshotCreateTime
        value_type: age
        value: 1
        op: less-than
    actions:
      - type: region-copy
        target_region: us-east-2
        target_key: arn:aws:kms:us-east-2:0000:key/cb291f53-c9cf61
        copy_tags: true
        tags:
          OriginRegion: us-east-1
properties:
  copy_tags:
    type: boolean
  tags:
    type: object
  target_key:
    type: string
  target_region:
    type: string
  type:
    enum:
      - region-copy
required:
  - target_region
Permissions - rds:CopyDBSnapshot
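The points that bite in practice when copying snapshots across regions are the ones the example above glosses over: only available snapshots can be copied, an encrypted source needs a KMS key that lives in the target region (the source key cannot be used there), the source must be named by ARN, and automated snapshot identifiers (rds:...) are not valid target identifiers. The following added example (not Cloud Custodian's own code) turns DescribeDBSnapshots records into CopyDBSnapshot argument sets that respect those rules and splits them into batches of 5 for the in-flight limit. The key ARN, account ID and the colon-to-hyphen identifier rewrite are assumptions made for the sample.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOW = datetime(2024, 5, 5, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
SOURCE_REGION = "us-east-1"
TARGET_REGION = "us-east-2"
# Placeholder key ARN; it must live in the target region.
TARGET_KEY = "arn:aws:kms:us-east-2:123456789012:key/00000000-0000-0000-0000-000000000000"

# Constructed records shaped like rds.describe_db_snapshots()["DBSnapshots"].
SNAPSHOTS: List[Dict] = [
    {"DBSnapshotIdentifier": "rds:orders-2024-05-05-03-10",
     "DBSnapshotArn": "arn:aws:rds:us-east-1:123456789012:snapshot:rds:orders-2024-05-05-03-10",
     "Status": "available", "Encrypted": True,
     "SnapshotCreateTime": datetime(2024, 5, 5, 3, 10, tzinfo=timezone.utc)},
    {"DBSnapshotIdentifier": "orders-pre-migration",  # outside the 1-day window
     "DBSnapshotArn": "arn:aws:rds:us-east-1:123456789012:snapshot:orders-pre-migration",
     "Status": "available", "Encrypted": False,
     "SnapshotCreateTime": datetime(2024, 5, 3, 9, 0, tzinfo=timezone.utc)},
    {"DBSnapshotIdentifier": "orders-hotfix",  # still being created; not copyable yet
     "DBSnapshotArn": "arn:aws:rds:us-east-1:123456789012:snapshot:orders-hotfix",
     "Status": "creating", "Encrypted": True,
     "SnapshotCreateTime": datetime(2024, 5, 5, 11, 0, tzinfo=timezone.utc)},
]


def plan_region_copies(snapshots: List[Dict], now: datetime, source_region: str,
                       target_region: str, target_key: Optional[str],
                       max_age_days: int = 1, copy_tags: bool = True,
                       extra_tags: Optional[Dict[str, str]] = None) -> List[Dict]:
    """One rds.copy_db_snapshot(**kwargs) argument set per eligible snapshot.
    The call itself must be made on a client created for target_region."""
    if target_key and target_key.split(":")[3] != target_region:
        # arn:aws:kms:<region>:... ; a key from another region is rejected by the API
        raise ValueError(f"target_key is not in {target_region}: {target_key}")
    plans = []
    for s in snapshots:
        if s["Status"] != "available":
            continue
        if now - s["SnapshotCreateTime"] >= timedelta(days=max_age_days):
            continue
        if s.get("Encrypted") and not target_key:
            raise ValueError(f"{s['DBSnapshotIdentifier']} is encrypted; a target_key is required")
        kwargs = {
            # Cross-region copies must name the source by ARN, not bare identifier.
            "SourceDBSnapshotIdentifier": s["DBSnapshotArn"],
            # "rds:..." automated IDs contain a colon, which target IDs may not
            # (assumed rewrite, not taken from the page).
            "TargetDBSnapshotIdentifier": s["DBSnapshotIdentifier"].replace(":", "-"),
            "SourceRegion": source_region,
            "CopyTags": copy_tags,
        }
        if target_key:
            # For an unencrypted source this also encrypts the copy with the target key.
            kwargs["KmsKeyId"] = target_key
        if extra_tags:
            kwargs["Tags"] = [{"Key": k, "Value": v} for k, v in extra_tags.items()]
        plans.append(kwargs)
    return plans


def in_flight_batches(plans: List[Dict], limit: int = 5) -> List[List[Dict]]:
    """Split the work so at most `limit` copies are submitted per round,
    matching the per-region in-flight limit noted above."""
    return [plans[i:i + limit] for i in range(0, len(plans), limit)]


def submit_copies(plans: List[Dict], client) -> List[Dict]:
    """Submit one batch to a boto3 RDS client for the target region.
    Callers should wait for the batch to leave the 'copying' state before sending the next."""
    return [client.copy_db_snapshot(**p) for p in plans]
```

Calling submit_copies on more than one batch at a time reintroduces exactly the throttling the page warns about; the retry window described above exists because the planner cannot know what other copies are already in flight in the target region.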
rename-tag
Rename an existing tag key to a new key, keeping the tag's value.
- example:

  Rename Application and Bap to App. If a resource has both of the old keys, the value of Application is used, because old_keys is evaluated in order.

  policies:
    - name: rename-tags-example
      resource: aws.log-group
      filters:
        - or:
          - "tag:Bap": present
          - "tag:Application": present
      actions:
        - type: rename-tag
          old_keys: [Application, Bap]
          new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
      - rename-tag
required:
  - type
Permissions - tag:TagResources, tag:UntagResources
restore
Restore an RDS instance from a snapshot.
Note this requires that the snapshot, or the DB deletion that produced it, was taken with the copy-restore-info flag set to true, because the instance metadata needed for the restore is stored on the snapshot as tags.
Additional parameters for the RestoreDBInstanceFromDBSnapshot API call can be overridden via restore_options; ModifyDBInstance parameters can be specified via modify_options.
properties:
  modify_options:
    type: object
  restore_options:
    type: object
  type:
    enum:
      - restore
required:
  - type
Permissions - rds:ModifyDBInstance, rds:ModifyDBParameterGroup, rds:ModifyOptionGroup, rds:RebootDBInstance, rds:RestoreDBInstanceFromDBSnapshot
set-permissions
Set permissions for copying or restoring an RDS snapshot.
Use the add and remove parameters to control which accounts to add or remove, respectively. Entries are 12-digit account IDs or all, which is the public grant. If neither parameter is given, every permission granted to other AWS accounts is removed.
Use remove: matched in combination with the cross-account filter for more flexible removal options, such as preserving access for a set of whitelisted accounts:
- example:

  policies:
    - name: rds-snapshot-remove-cross-account
      resource: rds-snapshot
      filters:
        - type: cross-account
          whitelist:
            - '112233445566'
      actions:
        - type: set-permissions
          remove: matched
properties:
  add:
    items:
      oneOf:
        - maxLength: 12
          minLength: 12
          type: string
        - enum:
            - all
    type: array
  remove:
    oneOf:
      - enum:
          - matched
      - items:
          oneOf:
            - maxLength: 12
              minLength: 12
              type: string
            - enum:
                - all
        type: array
  type:
    enum:
      - set-permissions
required:
  - type
Permissions - rds:ModifyDBSnapshotAttribute
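The cross-account filter earlier on this page and the set-permissions action both operate on the snapshot's restore attribute, which DescribeDBSnapshotAttributes returns and ModifyDBSnapshotAttribute changes. The following added example (not Cloud Custodian's own code) shows the two halves side by side on constructed attribute output: which grants the filter would match against a whitelist, and the exact ModifyDBSnapshotAttribute arguments that remove: matched, an explicit remove list, or the no-parameter default would produce. The snapshot name and account IDs are placeholders.

```python
import re
from typing import Dict, Iterable, List, Optional, Sequence

ACCOUNT_ID = re.compile(r"^\d{12}$")

# Constructed sample shaped like
# rds.describe_db_snapshot_attributes(...)["DBSnapshotAttributesResult"].
# "all" in the restore attribute means the snapshot is public.
SAMPLE_ATTRIBUTES: Dict = {
    "DBSnapshotIdentifier": "orders-pre-migration",
    "DBSnapshotAttributes": [
        {"AttributeName": "restore",
         "AttributeValues": ["112233445566", "998877665544", "all"]},
    ],
}


def restore_grants(attrs: Dict) -> List[str]:
    """Account IDs (or 'all') currently allowed to copy or restore the snapshot."""
    for a in attrs.get("DBSnapshotAttributes", []):
        if a.get("AttributeName") == "restore":
            return list(a.get("AttributeValues", []))
    return []


def cross_account_grants(attrs: Dict, whitelist: Sequence[str],
                         everyone_only: bool = False) -> List[str]:
    """What the cross-account filter matches: grants to accounts outside the
    whitelist. The public grant is always flagged; everyone_only flags nothing else."""
    allowed = set(whitelist)
    matched = []
    for g in restore_grants(attrs):
        if g == "all":
            matched.append(g)
        elif not everyone_only and g not in allowed:
            matched.append(g)
    return matched


def _validate(values: Iterable[str]) -> List[str]:
    """Reject anything that is not a 12-digit account ID or 'all' before it
    reaches the API (mirrors the schema's minLength/maxLength 12 constraint)."""
    out = []
    for v in values:
        if v != "all" and not ACCOUNT_ID.match(v):
            raise ValueError(f"not a 12-digit account ID or 'all': {v!r}")
        out.append(v)
    return out


def plan_set_permissions(attrs: Dict, whitelist: Sequence[str] = (),
                         remove: Optional[object] = None,
                         add: Sequence[str] = ()) -> Dict:
    """Build the rds.modify_db_snapshot_attribute(**kwargs) call that set-permissions
    would make. remove='matched' drops what cross_account_grants flagged; a list drops
    exactly those values (if currently granted); no add and no remove drops every grant."""
    current = restore_grants(attrs)
    if remove == "matched":
        to_remove = cross_account_grants(attrs, whitelist)
    elif remove:
        to_remove = [v for v in _validate(remove) if v in current]
    elif not add:
        to_remove = list(current)  # page default: strip all grants to other accounts
    else:
        to_remove = []
    to_add = [v for v in _validate(add) if v not in current]
    return {
        "DBSnapshotIdentifier": attrs["DBSnapshotIdentifier"],
        "AttributeName": "restore",
        "ValuesToAdd": to_add,
        "ValuesToRemove": to_remove,
    }


def apply_plan(plan: Dict, client) -> Dict:
    """Send the planned change with a boto3 RDS client (needs rds:ModifyDBSnapshotAttribute)."""
    return client.modify_db_snapshot_attribute(**plan)
```

Flagging the public grant regardless of everyone_only is deliberate: a snapshot shared with all can be copied by any AWS account, and that is the finding most worth acting on. With whitelist: ['112233445566'] and remove: matched, only the unknown account and the public grant are removed, which is how the example policy above keeps access for the approved account while closing the exposure.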