aws.rds

Resource manager for RDS DB instances.

Filters

consecutive-aws-backups

Returns resources where the number of consecutive backups (based on the periodicity defined in the filter) is equal to or greater than n units. This filter supports resources that use the AWS Backup service for backups.

example:

policies:
  - name: dynamodb-consecutive-aws-backup-count
    resource: dynamodb-table
    filters:
      - type: consecutive-aws-backups
        count: 7
        period: days
        status: 'COMPLETED'
properties:
  count:
    minimum: 1
    type: number
  period:
    enum:
    - hours
    - days
    - weeks
  status:
    enum:
    - COMPLETED
    - PARTIAL
    - DELETING
    - EXPIRED
  type:
    enum:
    - consecutive-aws-backups
required:
- count
- period
- status
- type

Permissions - backup:ListRecoveryPointsByResource

consecutive-snapshots

Returns instances where the number of consecutive daily snapshots is equal to or greater than n days.

example:

policies:
  - name: rds-daily-snapshot-count
    resource: rds
    filters:
      - type: consecutive-snapshots
        days: 7
properties:
  days:
    minimum: 1
    type: number
  type:
    enum:
    - consecutive-snapshots
required:
- days
- type

Permissions - rds:DescribeDBSnapshots, rds:DescribeDBInstances
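The consecutive-aws-backups and consecutive-snapshots filters above both ask the same question: counting back from now, how many periods in a row each contain at least one backup in the wanted status? The following is an added illustration of that semantics, not Cloud Custodian's own implementation; it generalises the daily case of consecutive-snapshots to the hours/days/weeks periods of consecutive-aws-backups, and the backup records, field names (CompletionDate, Status) and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real recovery points). Times are chosen so
# the four most recent daily buckets are covered, day 4 only has a PARTIAL
# backup, and day 5 is covered again; the streak should therefore be 4 days.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_BACKUPS = [
    {"CompletionDate": NOW - timedelta(hours=3), "Status": "COMPLETED"},
    {"CompletionDate": NOW - timedelta(days=1, hours=2), "Status": "COMPLETED"},
    {"CompletionDate": NOW - timedelta(days=2, hours=1), "Status": "COMPLETED"},
    {"CompletionDate": NOW - timedelta(days=3, hours=5), "Status": "COMPLETED"},
    # a PARTIAL backup must not extend a streak of COMPLETED ones
    {"CompletionDate": NOW - timedelta(days=4, hours=2), "Status": "PARTIAL"},
    {"CompletionDate": NOW - timedelta(days=5, hours=2), "Status": "COMPLETED"},
]

# The three periods the consecutive-aws-backups filter accepts.
PERIODS = {
    "hours": timedelta(hours=1),
    "days": timedelta(days=1),
    "weeks": timedelta(weeks=1),
}


def consecutive_backup_count(backups, period, status="COMPLETED", now=NOW):
    """Number of consecutive periods, counting back from `now`, that each
    hold at least one backup with the requested status."""
    unit = PERIODS[period]
    covered = set()
    for backup in backups:
        if backup["Status"] != status:
            continue
        age = now - backup["CompletionDate"]
        if age < timedelta(0):
            continue  # future-dated record (clock skew); ignore it
        covered.add(age // unit)  # bucket index 0 is the current period
    streak = 0
    while streak in covered:  # stop at the first gap
        streak += 1
    return streak


def matches_consecutive_filter(backups, count, period, status="COMPLETED", now=NOW):
    """Mirror of the filter's match condition: streak >= count."""
    return consecutive_backup_count(backups, period, status, now) >= count
```

With the sample data the daily streak is 4, so a policy with count: 7 would not match, while count: 4 would; the same records viewed in weeks give a streak of 1, and in hours a streak of 0 because the current hour has no backup.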

db-option-groups

This filter describes the RDS option groups associated with RDS instances. Use it in conjunction with the jmespath and value filter operators to filter RDS instances based on their option groups.

example:

policies:
  - name: rds-data-in-transit-encrypted
    resource: aws.rds
    filters:
      - type: db-option-groups
        key: Options[].OptionName
        op: intersect
        value:
          - SSL
          - NATIVE_NETWORK_ENCRYPTION

example:

policies:
  - name: rds-oracle-encryption-in-transit
    resource: aws.rds
    filters:
      - Engine: oracle-ee
      - type: db-option-groups
        key: Options[].OptionSettings[?Name == 'SQLNET.ENCRYPTION_SERVER'].Value[]
        value:
          - REQUIRED
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - db-option-groups
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - rds:DescribeDBInstances, rds:DescribeOptionGroups

db-parameter

Applies a value-type filter on DB parameter values that have been set.

example:

policies:
  - name: rds-pg
    resource: rds
    filters:
      - type: db-parameter
        key: someparam
        op: eq
        value: someval
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - db-parameter
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - rds:DescribeDBInstances, rds:DescribeDBParameters

default-vpc

Matches if an RDS database is in the default VPC.

example:

policies:
  - name: default-vpc-rds
    resource: rds
    filters:
      - type: default-vpc
properties:
  type:
    enum:
    - default-vpc
required:
- type

Permissions - ec2:DescribeVpcs

json-diff

Computes the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database.

Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

kms-alias

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - kms-alias
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - kms:ListAliases

pending-maintenance

Scans DB instances for those with pending maintenance.

example:

policies:
  - name: rds-pending-maintenance
    resource: aws.rds
    filters:
      - pending-maintenance
      - type: value
        key: '"c7n:PendingMaintenance"[].PendingMaintenanceActionDetails[].Action'
        op: intersect
        value:
          - system-update
properties:
  type:
    enum:
    - pending-maintenance
required:
- type

Permissions - rds:DescribePendingMaintenanceActions

upgrade-available

Scans DB instances for available engine upgrades.

This will pull DB instances and check their specific engine for any engine version with a higher release number than the current one.

This will also annotate the RDS instance with 'target_engine', which is the most recent version of the engine available.

example:

policies:
  - name: rds-upgrade-available
    resource: rds
    filters:
      - type: upgrade-available
        major: False
properties:
  major:
    type: boolean
  type:
    enum:
    - upgrade-available
  value:
    type: boolean
required:
- type

Permissions - rds:DescribeDBEngineVersions

Actions

auto-patch

Toggles the AutoMinorVersionUpgrade flag on RDS instances.

The 'window' parameter needs to be in the format 'ddd:hh:mm-ddd:hh:mm' and have at least 30 minutes between start and end time. If 'window' is not specified, AWS will assign a random maintenance window to each instance selected.

example:

policies:
  - name: enable-rds-autopatch
    resource: rds
    filters:
      - AutoMinorVersionUpgrade: false
    actions:
      - type: auto-patch
        minor: true
        window: Mon:23:00-Tue:01:00
properties:
  minor:
    type: boolean
  type:
    enum:
    - auto-patch
  window:
    type: string
required:
- type

Permissions - rds:ModifyDBInstance
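A policy author can validate the 'window' value before a run rather than discover a rejected ModifyDBInstance call afterwards. The following is an added example, not part of Cloud Custodian, that parses the 'ddd:hh:mm-ddd:hh:mm' format described above, enforces the 30-minute minimum, and handles a window that wraps from Sunday into Monday; the helper names and the strict Mon..Sun day abbreviations are assumptions of this example.

```python
import re

# Day abbreviations in week order; matched exactly as written (assumption).
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
WINDOW_RE = re.compile(
    r"^(?P<d1>[A-Za-z]{3}):(?P<h1>\d{2}):(?P<m1>\d{2})-"
    r"(?P<d2>[A-Za-z]{3}):(?P<h2>\d{2}):(?P<m2>\d{2})$"
)
MIN_WINDOW_MINUTES = 30
WEEK_MINUTES = 7 * 24 * 60


def _to_minutes(day, hour, minute):
    """Minute offset from Mon:00:00 within the week; rejects bad fields."""
    if day not in DAYS:
        raise ValueError(f"bad day abbreviation: {day!r}")
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"bad time of day: {hour:02d}:{minute:02d}")
    return DAYS.index(day) * 24 * 60 + hour * 60 + minute


def window_duration_minutes(window):
    """Parse a 'ddd:hh:mm-ddd:hh:mm' window and return its length in minutes.

    Raises ValueError when the string is malformed, a field is out of range,
    or the window is shorter than the 30 minutes AWS requires."""
    match = WINDOW_RE.match(window)
    if not match:
        raise ValueError(f"{window!r} is not in ddd:hh:mm-ddd:hh:mm format")
    start = _to_minutes(match["d1"], int(match["h1"]), int(match["m1"]))
    end = _to_minutes(match["d2"], int(match["h2"]), int(match["m2"]))
    # Modulo a week so Sun:23:50-Mon:00:30 is 40 minutes, not negative.
    duration = (end - start) % WEEK_MINUTES
    if duration < MIN_WINDOW_MINUTES:
        raise ValueError(f"window {window!r} is only {duration} minutes long")
    return duration


def is_valid_window(window):
    """Boolean form of the check, for use in a pre-flight lint of policies."""
    try:
        window_duration_minutes(window)
        return True
    except ValueError:
        return False
```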

delete

Deletes selected RDS instances

This will delete RDS instances. It is recommended to apply with a filter to avoid deleting all RDS instances in the account.

example:

policies:
  - name: rds-delete
    resource: rds
    filters:
      - default-vpc
    actions:
      - type: delete
        skip-snapshot: true
properties:
  copy-restore-info:
    type: boolean
  skip-snapshot:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - rds:DeleteDBInstance, rds:AddTagsToResource

modify-db

Modifies an RDS instance based on the specified parameters using ModifyDBInstance.

'update' is an array of key-value pairs, each naming the property and the value you wish to modify. 'immediate' determines whether the modification is applied immediately or not. If 'immediate' is not specified, the default is false.

example:

policies:
  - name: disable-rds-deletion-protection
    resource: rds
    filters:
      - DeletionProtection: true
      - PubliclyAccessible: true
    actions:
      - type: modify-db
        update:
          - property: 'DeletionProtection'
            value: false
          - property: 'PubliclyAccessible'
            value: false
        immediate: true
properties:
  immediate:
    type: boolean
  type:
    enum:
    - modify-db
  update:
    items:
      properties:
        property:
          enum:
          - AllocatedStorage
          - DBInstanceClass
          - DBSubnetGroupName
          - DBSecurityGroups
          - VpcSecurityGroupIds
          - MasterUserPassword
          - DBParameterGroupName
          - BackupRetentionPeriod
          - PreferredBackupWindow
          - PreferredMaintenanceWindow
          - MultiAZ
          - EngineVersion
          - AllowMajorVersionUpgrade
          - AutoMinorVersionUpgrade
          - LicenseModel
          - Iops
          - OptionGroupName
          - NewDBInstanceIdentifier
          - StorageType
          - TdeCredentialArn
          - TdeCredentialPassword
          - CACertificateIdentifier
          - Domain
          - CopyTagsToSnapshot
          - MonitoringInterval
          - MonitoringRoleARN
          - DBPortNumber
          - PubliclyAccessible
          - DomainIAMRoleName
          - PromotionTier
          - EnableIAMDatabaseAuthentication
          - EnablePerformanceInsights
          - PerformanceInsightsKMSKeyId
          - PerformanceInsightsRetentionPeriod
          - CloudwatchLogsExportConfiguration
          - ProcessorFeatures
          - UseDefaultProcessorFeatures
          - DeletionProtection
          - MaxAllocatedStorage
          - CertificateRotationRestart
          type: string
        value: {}
      type: object
    type: array
required:
- update

Permissions - rds:ModifyDBInstance

rename-tag

Rename an existing tag key to a new value.

example:

Rename Application and Bap to App. If a resource has both of the old keys, the value specified by Application is used, based on the order of the values in old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

resize

Change the allocated storage of an RDS instance.

example:

This will find databases using over 85% of their allocated storage and resize them to have an additional 30% storage; the resize here is asynchronous and takes effect during the next maintenance window.

policies:
  - name: rds-resize-up
    resource: rds
    filters:
      - type: metrics
        name: FreeStorageSpace
        percent-attr: AllocatedStorage
        attr-multiplier: 1073741824
        value: 90
        op: greater-than
    actions:
      - type: resize
        percent: 30

This will find databases using under 20% of their allocated storage and resize them to be 30% smaller; the resize here is configured to be immediate.

policies:
  - name: rds-resize-down
    resource: rds
    filters:
      - type: metrics
        name: FreeStorageSpace
        percent-attr: AllocatedStorage
        attr-multiplier: 1073741824
        value: 90
        op: greater-than
    actions:
      - type: resize
        percent: -30
        immediate: true
properties:
  immediate:
    type: boolean
  percent:
    type: number
  type:
    enum:
    - resize
required:
- type

Permissions - rds:ModifyDBInstance

retention

Sets the 'BackupRetentionPeriod' value for automated snapshots; enforce (min, max, exact) sets the retention days accordingly.

example:

policies:
  - name: rds-snapshot-retention
    resource: rds
    filters:
      - type: value
        key: BackupRetentionPeriod
        value: 7
        op: lt
    actions:
      - type: retention
        days: 7
        copy-tags: true
        enforce: exact
properties:
  copy-tags:
    type: boolean
  days:
    type: number
  enforce:
    enum:
    - min
    - max
    - exact
    type: string
  type:
    enum:
    - retention
required:
- type

Permissions - rds:ModifyDBInstance

set-public-access

This action toggles an RDS instance's 'PubliclyAccessible' flag to true or false.

example:

policies:
  - name: disable-rds-public-accessibility
    resource: rds
    filters:
      - PubliclyAccessible: true
    actions:
      - type: set-public-access
        state: false
properties:
  state:
    type: boolean
  type:
    enum:
    - set-public-access
required:
- type

Permissions - rds:ModifyDBInstance

set-snapshot-copy-tags

Enables copying tags from an RDS instance to its snapshots.

DEPRECATED - use modify-db instead with CopyTagsToSnapshot

example:

policies:
  - name: enable-rds-snapshot-tags
    resource: rds
    filters:
      - type: value
        key: Engine
        value: aurora
        op: eq
    actions:
      - type: set-snapshot-copy-tags
        enable: True
properties:
  enable:
    type: boolean
  type:
    enum:
    - set-snapshot-copy-tags
required:
- type

Permissions - rds:ModifyDBInstance

snapshot

Creates a manual snapshot of an RDS instance.

example:

policies:
  - name: rds-snapshot
    resource: rds
    actions:
      - snapshot
properties:
  type:
    enum:
    - snapshot
required:
- type

Permissions - rds:CreateDBSnapshot

start

Start an RDS instance.

properties:
  type:
    enum:
    - start
required:
- type

Permissions - rds:StartDBInstance

stop

Stop an RDS instance.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_StopInstance.html

properties:
  type:
    enum:
    - stop
required:
- type

Permissions - rds:StopDBInstance

upgrade

Upgrades an RDS instance to the latest major/minor version available.

Use of the 'immediate' flag (default False) will upgrade the RDS engine immediately, disregarding the existing maintenance window.

example:

policies:
  - name: upgrade-rds-minor
    resource: rds
    actions:
      - type: upgrade
        major: False
        immediate: False
properties:
  immediate:
    type: boolean
  major:
    type: boolean
  type:
    enum:
    - upgrade
required:
- type

Permissions - rds:ModifyDBInstance