aws.rds-snapshot

Resource manager for RDS DB snapshots.

Filters

• age

• config-compliance

• cross-account

• event

• finding

• json-diff

• latest

• list-item

• marked-for-op

• onhour

• ops-item

• reduce

• tag-count

• value

age

Filters RDS snapshots based on age (in days)

example:

policies:
  - name: rds-snapshot-expired
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - age
required:
- type

cross-account

Check a resource’s embedded iam policy for cross account access.

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - rds:DescribeDBSnapshotAttributes

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

latest

Return the latest snapshot for each database.

properties:
  automatic:
    type: boolean
  type:
    enum:
    - latest
required:
- type

Permissions - rds:DescribeDBSnapshots

Actions

• auto-tag-user

• copy-related-tag

• delete

• invoke-lambda

• invoke-sfn

• mark-for-op

• notify

• post-finding

• post-item

• put-metric

• region-copy

• remove-tag

• restore

• set-permissions

• tag

• webhook

delete

Deletes a RDS snapshot resource

example:

policies:
  - name: rds-snapshot-delete-stale
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - rds:DeleteDBSnapshot

region-copy

Copy a snapshot across regions.

Note there is a max in flight for cross region rds snapshots of 5 per region. This action will attempt to retry automatically for an hr.

Example:

- name: copy-encrypted-snapshots
  description: |
    copy snapshots under 1 day old to dr region with kms
  resource: rds-snapshot
  region: us-east-1
  filters:
   - Status: available
   - type: value
     key: SnapshotCreateTime
     value_type: age
     value: 1
     op: less-than
  actions:
    - type: region-copy
      target_region: us-east-2
      target_key: arn:aws:kms:us-east-2:0000:key/cb291f53-c9cf61
      copy_tags: true
      tags:
        OriginRegion: us-east-1

properties:
  copy_tags:
    type: boolean
  tags:
    type: object
  target_key:
    type: string
  target_region:
    type: string
  type:
    enum:
    - region-copy
required:
- target_region

Permissions - rds:CopyDBSnapshot

restore

Restore an rds instance from a snapshot.

Note this requires the snapshot or db deletion be taken with the copy-restore-info boolean flag set to true, as various instance metadata is stored on the snapshot as tags.

additional parameters to restore db instance api call be overriden via restore_options settings. various modify db instance parameters can be specified via modify_options settings.

properties:
  modify_options:
    type: object
  restore_options:
    type: object
  type:
    enum:
    - restore
required:
- type

Permissions - rds:ModifyDBInstance, rds:ModifyDBParameterGroup, rds:ModifyOptionGroup, rds:RebootDBInstance, rds:RestoreDBInstanceFromDBSnapshot

set-permissions

Set permissions for copying or restoring an RDS snapshot

Use the ‘add’ and ‘remove’ parameters to control which accounts to add or remove, respectively. The default is to remove any permissions granted to other AWS accounts.

Use remove: matched in combination with the cross-account filter for more flexible removal options such as preserving access for a set of whitelisted accounts:

example:

policies:
  - name: rds-snapshot-remove-cross-account
    resource: rds-snapshot
    filters:
      - type: cross-account
        whitelist:
          - '112233445566'
    actions:
      - type: set-permissions
        remove: matched

properties:
  add:
    items:
      oneOf:
      - maxLength: 12
        minLength: 12
        type: string
      - enum:
        - all
    type: array
  remove:
    oneOf:
    - enum:
      - matched
    - items:
        oneOf:
        - maxLength: 12
          minLength: 12
          type: string
        - enum:
          - all
      type: array
  type:
    enum:
    - set-permissions
required:
- type

Permissions - rds:ModifyDBSnapshotAttribute