aws.rds-snapshot

Resource manager for RDS DB snapshots.

Filters

age

Filters RDS snapshots based on age (in days)

example:

policies:
  - name: rds-snapshot-expired
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

cross-account

Check a resource’s embedded iam policy for cross account access.

Permissions - rds:DescribeDBSnapshotAttributes

instance

Filter snapshots by their database attributes.

example:

Find snapshots without an extant database

policies:
  - name: rds-snapshot-orphan
    resource: aws.rds-snapshot
    filters:
     - type: instance
       value: 0
       value_type: resource_count

Permissions - rds:DescribeDBInstances, tag:GetResources

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

Permissions - config:GetResourceConfigHistory

latest

Return the latest snapshot for each database.

Permissions - rds:DescribeDBSnapshots

Actions

delete

Deletes a RDS snapshot resource

example:

policies:
  - name: rds-snapshot-delete-stale
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

Permissions - rds:DeleteDBSnapshot

region-copy

Copy a snapshot across regions.

Note there is a max in flight for cross region rds snapshots of 5 per region. This action will attempt to retry automatically for an hr.

Example:

- name: copy-encrypted-snapshots
  description: |
    copy snapshots under 1 day old to dr region with kms
  resource: rds-snapshot
  region: us-east-1
  filters:
   - Status: available
   - type: value
     key: SnapshotCreateTime
     value_type: age
     value: 1
     op: less-than
  actions:
    - type: region-copy
      target_region: us-east-2
      target_key: arn:aws:kms:us-east-2:0000:key/cb291f53-c9cf61
      copy_tags: true
      tags:
        OriginRegion: us-east-1

Permissions - rds:CopyDBSnapshot

rename-tag

Rename an existing tag key to a new value.

example:

rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App

Permissions - tag:TagResources, tag:UntagResources

restore

Restore an rds instance from a snapshot.

Note this requires the snapshot or db deletion be taken with the copy-restore-info boolean flag set to true, as various instance metadata is stored on the snapshot as tags.

additional parameters to restore db instance api call be overriden via restore_options settings. various modify db instance parameters can be specified via modify_options settings.

Permissions - rds:ModifyDBInstance, rds:ModifyDBParameterGroup, rds:ModifyOptionGroup, rds:RebootDBInstance, rds:RestoreDBInstanceFromDBSnapshot

set-permissions

Set permissions for copying or restoring an RDS snapshot

Use the ‘add’ and ‘remove’ parameters to control which accounts to add or remove, respectively. The default is to remove any permissions granted to other AWS accounts.

Use remove: matched in combination with the cross-account filter for more flexible removal options such as preserving access for a set of whitelisted accounts:

example:

policies:
  - name: rds-snapshot-remove-cross-account
    resource: rds-snapshot
    filters:
      - type: cross-account
        whitelist:
          - '112233445566'
    actions:
      - type: set-permissions
        remove: matched

Permissions - rds:ModifyDBSnapshotAttribute