aws.rds-snapshot¶
Resource manager for RDS DB snapshots.
Filters¶
age¶
Filters RDS snapshots based on age (in days)
Example:

policies:
  - name: rds-snapshot-expired
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - age
required:
- type
cross-account¶
Check a resource’s embedded IAM policy for cross-account access.
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type
Permissions - rds:DescribeDBSnapshotAttributes
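The cross-account filter is documented here without an example, so the following policies are an added illustration, not taken from the Custodian documentation. They assume the filter evaluates the snapshot's `restore` attribute returned by `rds:DescribeDBSnapshotAttributes`, where the value `all` marks a snapshot as public; the policy names, account IDs, bucket URL and `expr` are constructed placeholders.

```yaml
policies:
  # Report snapshots that any AWS account can restore (public).
  # everyone_only restricts matches to grants open to everyone, so
  # snapshots shared only with specific accounts are not reported.
  # No actions are listed: the policy only reports matches.
  - name: rds-snapshot-public
    resource: rds-snapshot
    filters:
      - type: cross-account
        everyone_only: true

  # Report snapshots shared with any account outside an allow-list.
  # Account IDs are quoted so YAML keeps them as strings, which is
  # what the schema requires (leading zeros would otherwise be lost).
  - name: rds-snapshot-shared-outside-allowlist
    resource: rds-snapshot
    filters:
      - type: cross-account
        whitelist:
          - "111111111111"   # constructed placeholder
          - "222222222222"   # constructed placeholder
        # Further allowed accounts loaded from a JSON document.
        # url and expr are constructed placeholders; expr selects
        # the account IDs from the loaded document.
        whitelist_from:
          url: s3://example-bucket/allowed-accounts.json
          format: json
          expr: "accounts[].id"
```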
json-diff¶
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).
properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
latest¶
Return the latest snapshot for each database.
properties:
  automatic:
    type: boolean
  type:
    enum:
    - latest
required:
- type
Permissions - rds:DescribeDBSnapshots
Actions¶
delete¶
Deletes an RDS snapshot resource.
Example:

policies:
  - name: rds-snapshot-delete-stale
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

properties:
  type:
    enum:
    - delete
required:
- type
Permissions - rds:DeleteDBSnapshot
region-copy¶
Copy a snapshot across regions.
Note that there is a maximum of 5 in-flight cross-region RDS snapshot copies per region. This action will attempt to retry automatically for an hour.
Example:

policies:
  - name: copy-encrypted-snapshots
    description: |
      copy snapshots under 1 day old to dr region with kms
    resource: rds-snapshot
    region: us-east-1
    filters:
      - Status: available
      - type: value
        key: SnapshotCreateTime
        value_type: age
        value: 1
        op: less-than
    actions:
      - type: region-copy
        target_region: us-east-2
        target_key: arn:aws:kms:us-east-2:0000:key/cb291f53-c9cf61
        copy_tags: true
        tags:
          OriginRegion: us-east-1

properties:
  copy_tags:
    type: boolean
  tags:
    type: object
  target_key:
    type: string
  target_region:
    type: string
  type:
    enum:
    - region-copy
required:
- target_region
Permissions - rds:CopyDBSnapshot
restore¶
Restore an rds instance from a snapshot.
Note that this requires the snapshot or DB deletion to be taken with the copy-restore-info boolean flag set to true, as various instance metadata is stored on the snapshot as tags.
Additional parameters to the restore DB instance API call can be overridden via the restore_options setting. Various modify DB instance parameters can be specified via the modify_options setting.
properties:
  modify_options:
    type: object
  restore_options:
    type: object
  type:
    enum:
    - restore
required:
- type
Permissions - rds:ModifyDBInstance, rds:ModifyDBParameterGroup, rds:ModifyOptionGroup, rds:RebootDBInstance, rds:RestoreDBInstanceFromDBSnapshot