aws.rds-snapshot

Resource manager for RDS DB snapshots.

Filters

age

Filters RDS snapshots based on their age in days.

example:

policies:
  - name: rds-snapshot-expired
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - age
required:
- type

cross-account

Check a resource's embedded IAM policy for cross-account access.

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - rds:DescribeDBSnapshotAttributes

instance

Filter snapshots by their database attributes.

example:

Find snapshots without an extant database.

policies:
  - name: rds-snapshot-orphan
    resource: aws.rds-snapshot
    filters:
     - type: instance
       value: 0
       value_type: resource_count

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - instance
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - rds:DescribeDBInstances, tag:GetResources

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database.

Revisions can be selected by date, against the previous version, or against a locked version (the latter requires use of the is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

latest

Return the latest snapshot for each database.

properties:
  automatic:
    type: boolean
  type:
    enum:
    - latest
required:
- type

Permissions - rds:DescribeDBSnapshots
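The age filter above compares a snapshot's age in days against `days` using one of the `op` comparison operators, and the latest filter keeps only the newest snapshot per database. The following is an added example, not Cloud Custodian's own code: it reimplements both rules over constructed snapshot records shaped like the RDS DescribeDBSnapshots output, and combines them into a retention check that never selects a database's newest manual snapshot for deletion. The `automatic` handling (default considers all snapshots, `automatic: false` restricts to manual ones) and the record field values are assumptions made for this example.

```python
"""Added example (not Cloud Custodian's own code): evaluate the `age`
filter's day/op semantics and the `latest` filter's newest-per-DB rule
over constructed snapshot records shaped like rds:DescribeDBSnapshots output."""
import operator
from datetime import datetime, timedelta, timezone

# Comparison operators accepted by `op`, mapped to functions. The alias
# pairs (eq/equal, ne/not-equal, ...) mirror the enum on this page.
OPS = {
    "eq": operator.eq, "equal": operator.eq,
    "ne": operator.ne, "not-equal": operator.ne,
    "gt": operator.gt, "greater-than": operator.gt,
    "ge": operator.ge, "gte": operator.ge,
    "le": operator.le, "lte": operator.le,
    "lt": operator.lt, "less-than": operator.lt,
}

# Constructed sample snapshots (field names follow the RDS API).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SNAPSHOTS = [
    {"DBSnapshotIdentifier": "db-a-manual-1", "DBInstanceIdentifier": "db-a",
     "SnapshotType": "manual", "SnapshotCreateTime": NOW - timedelta(days=40)},
    {"DBSnapshotIdentifier": "db-a-manual-2", "DBInstanceIdentifier": "db-a",
     "SnapshotType": "manual", "SnapshotCreateTime": NOW - timedelta(days=30)},
    {"DBSnapshotIdentifier": "rds:db-a-auto", "DBInstanceIdentifier": "db-a",
     "SnapshotType": "automated", "SnapshotCreateTime": NOW - timedelta(days=1)},
    {"DBSnapshotIdentifier": "db-b-manual-1", "DBInstanceIdentifier": "db-b",
     "SnapshotType": "manual", "SnapshotCreateTime": NOW - timedelta(days=60)},
]


def snapshot_age_days(snapshot, now=NOW):
    """Age of a snapshot in (fractional) days relative to `now`."""
    return (now - snapshot["SnapshotCreateTime"]).total_seconds() / 86400


def age_filter(snapshots, days, op="ge", now=NOW):
    """Mirror of `type: age`: keep snapshots whose age satisfies `age <op> days`."""
    cmp = OPS[op]
    return [s for s in snapshots if cmp(snapshot_age_days(s, now), days)]


def latest_filter(snapshots, automatic=True):
    """Mirror of `type: latest`: newest snapshot per DB instance.
    Assumption for this example: automatic=False restricts to manual snapshots."""
    if not automatic:
        snapshots = [s for s in snapshots if s["SnapshotType"] == "manual"]
    newest = {}
    for s in snapshots:
        db = s["DBInstanceIdentifier"]
        if db not in newest or s["SnapshotCreateTime"] > newest[db]["SnapshotCreateTime"]:
            newest[db] = s
    return list(newest.values())


def expired_but_not_last(snapshots, days, now=NOW):
    """Retention triage: snapshots at least `days` old, excluding the newest
    manual snapshot of each DB, so a delete policy never removes the last manual backup."""
    keep = {s["DBSnapshotIdentifier"] for s in latest_filter(snapshots, automatic=False)}
    return [s["DBSnapshotIdentifier"]
            for s in age_filter(snapshots, days, "ge", now)
            if s["DBSnapshotIdentifier"] not in keep]


if __name__ == "__main__":
    print("expired (>= 28 days):", [s["DBSnapshotIdentifier"] for s in age_filter(SNAPSHOTS, 28)])
    print("safe to delete:", expired_but_not_last(SNAPSHOTS, 28))
```

With the sample data, the plain age filter at 28 days selects three snapshots, but `expired_but_not_last` returns only `db-a-manual-1`, because `db-a-manual-2` and `db-b-manual-1` are each the newest manual snapshot of their database.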

Actions

delete

Deletes an RDS snapshot resource.

example:

policies:
  - name: rds-snapshot-delete-stale
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - rds:DeleteDBSnapshot

region-copy

Copy a snapshot across regions.

Note that AWS allows at most 5 in-flight cross-region RDS snapshot copies per region. This action will retry automatically for up to an hour.

Example:

- name: copy-encrypted-snapshots
  description: |
    copy snapshots under 1 day old to dr region with kms
  resource: rds-snapshot
  region: us-east-1
  filters:
   - Status: available
   - type: value
     key: SnapshotCreateTime
     value_type: age
     value: 1
     op: less-than
  actions:
    - type: region-copy
      target_region: us-east-2
      target_key: arn:aws:kms:us-east-2:0000:key/cb291f53-c9cf61
      copy_tags: true
      tags:
        OriginRegion: us-east-1

properties:
  copy_tags:
    type: boolean
  tags:
    type: object
  target_key:
    type: string
  target_region:
    type: string
  type:
    enum:
    - region-copy
required:
- target_region

Permissions - rds:CopyDBSnapshot

rename-tag

Rename an existing tag key to a new value.

example:

Rename Application and Bap to App. If a resource has both of the old keys, the value of Application is used, because it comes first in old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App

properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources
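The rename-tag action needs two requests, a tag (new key) and an untag (every old key present), and the ordering rule above decides which value survives when several old keys are present. The following is an added example, not Cloud Custodian's own code: it computes those two change sets for a resource's tag dictionary and applies them, with constructed tag sets as input.

```python
"""Added example (not Cloud Custodian's own code): compute the tag changes the
`rename-tag` action implies. When several old keys are present, the value of
the first key listed in old_keys wins, as the example text states."""


def rename_tag_changes(tags, old_keys, new_key):
    """Return (tags_to_set, keys_to_remove) for one resource, or None when
    no old key is present (the resource would not be modified)."""
    present = [k for k in old_keys if k in tags]
    if not present:
        return None
    # The surviving value comes from the first old key in old_keys order;
    # every old key that exists is removed (tag:UntagResources).
    return {new_key: tags[present[0]]}, present


def apply_rename(tags, old_keys, new_key):
    """Apply the rename to a tag dict and return the resulting tags."""
    change = rename_tag_changes(tags, old_keys, new_key)
    if change is None:
        return dict(tags)
    to_set, to_remove = change
    kept = {k: v for k, v in tags.items() if k not in to_remove}
    return {**kept, **to_set}


# Constructed sample tag sets
BOTH_KEYS = {"Application": "billing", "Bap": "legacy-billing", "Env": "prod"}
ONLY_BAP = {"Bap": "legacy-billing", "Env": "prod"}
NEITHER = {"Env": "prod"}

if __name__ == "__main__":
    for tags in (BOTH_KEYS, ONLY_BAP, NEITHER):
        print(tags, "->", apply_rename(tags, ["Application", "Bap"], "App"))
```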

restore

Restore an RDS instance from a snapshot.

Note that this requires the snapshot (or the DB deletion that produced it) to have been taken with the copy-restore-info flag set to true, as the instance metadata needed for the restore is stored on the snapshot as tags.

Additional parameters to the RestoreDBInstanceFromDBSnapshot API call can be overridden via the restore_options setting; ModifyDBInstance parameters can be specified via the modify_options setting.

properties:
  modify_options:
    type: object
  restore_options:
    type: object
  type:
    enum:
    - restore
required:
- type

Permissions - rds:ModifyDBInstance, rds:ModifyDBParameterGroup, rds:ModifyOptionGroup, rds:RebootDBInstance, rds:RestoreDBInstanceFromDBSnapshot

set-permissions

Set permissions for copying or restoring an RDS snapshot.

Use the ‘add’ and ‘remove’ parameters to control which accounts to add or remove, respectively. The default is to remove any permissions granted to other AWS accounts.

Use remove: matched in combination with the cross-account filter for more flexible removal options such as preserving access for a set of whitelisted accounts:

example:

policies:
  - name: rds-snapshot-remove-cross-account
    resource: rds-snapshot
    filters:
      - type: cross-account
        whitelist:
          - '112233445566'
    actions:
      - type: set-permissions
        remove: matched

properties:
  add:
    items:
      oneOf:
      - maxLength: 12
        minLength: 12
        type: string
      - enum:
        - all
    type: array
  remove:
    oneOf:
    - enum:
      - matched
    - items:
        oneOf:
        - maxLength: 12
          minLength: 12
          type: string
        - enum:
          - all
      type: array
  type:
    enum:
    - set-permissions
required:
- type

Permissions - rds:ModifyDBSnapshotAttribute
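The cross-account filter and the set-permissions action with `remove: matched` work together: the filter flags the accounts in the snapshot's restore attribute that are neither the owner nor whitelisted, and the action removes exactly those. The following is an added example, not Cloud Custodian's own code: it evaluates a constructed rds:DescribeDBSnapshotAttributes response against a whitelist and builds the rds:ModifyDBSnapshotAttribute request that would revoke the matched grants (the request is only constructed, not sent). The owner account, snapshot identifier and grant values are constructed sample data.

```python
"""Added example (not Cloud Custodian's own code): decide which accounts in an
RDS snapshot's `restore` attribute are cross-account, apply a whitelist the way
the `cross-account` filter does, and build the ModifyDBSnapshotAttribute request
that `set-permissions` with `remove: matched` would issue."""

OWNER_ACCOUNT = "111111111111"  # constructed: the account that owns the snapshot

# Constructed response in the shape of rds:DescribeDBSnapshotAttributes.
# The literal value "all" in the restore attribute means the snapshot is public.
DESCRIBE_ATTRIBUTES_RESPONSE = {
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "prod-db-2024-06-01",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore",
             "AttributeValues": ["112233445566", "999988887777", "all"]},
        ],
    }
}


def restore_grants(response):
    """Account IDs (or 'all' for public) allowed to copy/restore the snapshot."""
    for attr in response["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]:
        if attr["AttributeName"] == "restore":
            return list(attr["AttributeValues"])
    return []


def cross_account_violations(grants, owner, whitelist=(), everyone_only=False):
    """Mirror of the `cross-account` filter: grants that are neither the owner
    nor whitelisted. With everyone_only=True, only the public 'all' grant counts."""
    if everyone_only:
        return [g for g in grants if g == "all"]
    allowed = {owner, *whitelist}
    return [g for g in grants if g not in allowed]


def set_permissions_request(snapshot_id, violations):
    """Request parameters for rds:ModifyDBSnapshotAttribute implementing
    `remove: matched`; None when nothing needs to be revoked."""
    if not violations:
        return None
    return {
        "DBSnapshotIdentifier": snapshot_id,
        "AttributeName": "restore",
        "ValuesToRemove": sorted(violations),
    }


def plan(response=DESCRIBE_ATTRIBUTES_RESPONSE, owner=OWNER_ACCOUNT,
         whitelist=("112233445566",), everyone_only=False):
    """Run filter and action planning over one snapshot's attribute response."""
    snapshot_id = response["DBSnapshotAttributesResult"]["DBSnapshotIdentifier"]
    violations = cross_account_violations(restore_grants(response), owner,
                                          whitelist, everyone_only)
    return set_permissions_request(snapshot_id, violations)


if __name__ == "__main__":
    print(plan())
```

With the sample data, the whitelisted account 112233445566 keeps its grant while 999988887777 and the public `all` grant end up in `ValuesToRemove`; a sweep with `everyone_only` revokes only the public grant.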