aws.rds-snapshot

Resource manager for RDS DB snapshots.

Filters

age

Filters RDS snapshots based on age (in days)

example

policies:
  - name: rds-snapshot-expired
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - age
required:
- type

cross-account

Check a resource’s embedded IAM policy for cross-account access.

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type
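
A policy using this filter, as an added example that is not from the original page: the first policy reports only snapshots shared with everyone, the second reports snapshots shared with any account not on the allow-list. The policy names and the account ID are constructed placeholders.

```yaml
policies:
  # Report only snapshots that are shared with everyone (public).
  - name: rds-snapshot-public
    resource: rds-snapshot
    filters:
      - type: cross-account
        everyone_only: true

  # Report snapshots shared with any account outside the allow-list.
  - name: rds-snapshot-shared-outside-allowlist
    resource: rds-snapshot
    filters:
      - type: cross-account
        whitelist:
          - "111111111111"   # constructed placeholder account ID
```

Neither policy defines actions, so both only report the matching snapshots.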

latest

Return the latest snapshot for each database.

properties:
  automatic:
    type: boolean
  type:
    enum:
    - latest
required:
- type

Actions

delete

Deletes an RDS snapshot resource.

example

policies:
  - name: rds-snapshot-delete-stale
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

properties:
  type:
    enum:
    - delete
required:
- type

region-copy

Copy a snapshot across regions.

Note that there is a maximum of 5 in-flight cross-region RDS snapshot copies per region. This action will attempt to retry automatically for an hour.

Example:

policies:
  - name: copy-encrypted-snapshots
    description: |
      copy snapshots under 1 day old to dr region with kms
    resource: rds-snapshot
    region: us-east-1
    filters:
      - Status: available
      - type: value
        key: SnapshotCreateTime
        value_type: age
        value: 1
        op: less-than
    actions:
      - type: region-copy
        target_region: us-east-2
        target_key: arn:aws:kms:us-east-2:0000:key/cb291f53-c9cf61
        copy_tags: true
        # tags is an object (key: value mapping), per the schema
        tags:
          OriginRegion: us-east-1

properties:
  copy_tags:
    type: boolean
  tags:
    type: object
  target_key:
    type: string
  target_region:
    type: string
  type:
    enum:
    - region-copy
required:
- target_region

restore

Restore an RDS instance from a snapshot.

Note that this requires the snapshot or DB deletion to have been taken with the copy-restore-info boolean flag set to true, as various instance metadata is stored on the snapshot as tags.

Additional parameters to the restore DB instance API call can be overridden via restore_options settings. Various modify DB instance parameters can be specified via modify_options settings.

properties:
  modify_options:
    type: object
  restore_options:
    type: object
  type:
    enum:
    - restore
required:
- type