aws.rds
Resource manager for RDS DB instances.
Filters
consecutive-snapshots
Returns instances where the number of consecutive daily snapshots is equal to or greater than n days.
Example:
policies:
  - name: rds-daily-snapshot-count
    resource: rds
    filters:
      - type: consecutive-snapshots
        days: 7
properties:
  days:
    minimum: 1
    type: number
  type:
    enum:
    - consecutive-snapshots
required:
- days
- type
Permissions - rds:DescribeDBSnapshots, rds:DescribeDBInstances
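The rule above, modelled in Python as an added example (this is not Cloud Custodian's own implementation): it assumes the filter walks UTC calendar days backwards from today, counting today as day one, and that any number of snapshots on one day covers that day. The snapshot timestamps are constructed sample data.

```python
from datetime import date, datetime, timedelta, timezone


def consecutive_snapshot_days(snapshot_times, today=None):
    """Count the consecutive UTC calendar days, walking backwards from
    `today` (assumed to be day one), that each have >= 1 snapshot."""
    today = today or datetime.now(timezone.utc).date()
    covered = {t.astimezone(timezone.utc).date() for t in snapshot_times}
    streak = 0
    while (today - timedelta(days=streak)) in covered:
        streak += 1
    return streak


def matches_consecutive_snapshots(snapshot_times, days, today=None):
    """True when a policy with `days: <days>` would select the instance:
    the streak is equal to or greater than n days."""
    if days < 1:  # mirrors the schema's `minimum: 1`
        raise ValueError("days must be >= 1")
    return consecutive_snapshot_days(snapshot_times, today) >= days


# Constructed sample data (not real snapshot records): one automated
# snapshot per day at 03:00 UTC for the last week.
TODAY = date(2024, 3, 10)


def _at(day, hour=3):
    return datetime(day.year, day.month, day.day, hour, tzinfo=timezone.utc)


FULL_WEEK = [_at(TODAY - timedelta(days=i)) for i in range(7)]
# Same week, but the backup job three days ago never ran.
GAP_WEEK = [t for t in FULL_WEEK if t.date() != TODAY - timedelta(days=3)]
# A second manual snapshot today still counts as one covered day.
DOUBLED = FULL_WEEK + [_at(TODAY, hour=15)]

if __name__ == "__main__":
    for label, times in (("full", FULL_WEEK), ("gap", GAP_WEEK), ("doubled", DOUBLED)):
        print(label, consecutive_snapshot_days(times, TODAY),
              matches_consecutive_snapshots(times, 7, TODAY))
```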
db-option-groups
Filters RDS instances by the option groups associated with them.
Example:
policies:
  - name: rds-data-in-transit-encrypted
    resource: aws.rds
    filters:
      - type: db-option-groups
        key: OptionName
        value: NATIVE_NETWORK_ENCRYPTION
        op: eq
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - db-option-groups
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type
Permissions - rds:DescribeDBInstances, rds:DescribeOptionGroups
db-parameter
Applies a value filter to the parameter values set in the instance's DB parameter group.
Example:
policies:
  - name: rds-pg
    resource: rds
    filters:
      - type: db-parameter
        key: someparam
        op: eq
        value: someval
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - db-parameter
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type
Permissions - rds:DescribeDBInstances, rds:DescribeDBParameters
default-vpc
Matches if an RDS database is in the default VPC.
Example:
policies:
  - name: default-vpc-rds
    resource: rds
    filters:
      - type: default-vpc
properties:
  type:
    enum:
    - default-vpc
required:
- type
Permissions - ec2:DescribeVpcs
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).
properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
kms-alias
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - kms-alias
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type
Permissions - kms:ListAliases
upgrade-available
Scan DB instances for available engine upgrades.
This will pull DB instances and check their specific engine for any engine version with a higher release number than the current one.
This will also annotate the RDS instance with 'target_engine', which is the most recent version of the engine available.
Example:
policies:
  - name: rds-upgrade-available
    resource: rds
    filters:
      - type: upgrade-available
        major: False
properties:
  major:
    type: boolean
  type:
    enum:
    - upgrade-available
  value:
    type: boolean
required:
- type
Permissions - rds:DescribeDBEngineVersions
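How the 'target_engine' annotation can be derived from a list of engine versions, as an added example that is not Cloud Custodian's code: it assumes versions compare as dotted integer tuples and that major: False restricts candidates to the instance's current major version. The engine version list and instance record are constructed.

```python
def parse_version(v):
    """'13.4' -> (13, 4). Non-numeric parts are dropped, so an
    Aurora-style '5.7.mysql_aurora.2.11.2' becomes (5, 7, 2, 11, 2)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def find_target_engine(current, available, major=False):
    """Return the newest available version above `current`, or None when
    no upgrade exists. With major=False only versions sharing the current
    major number qualify, matching the `major: False` policy example."""
    cur = parse_version(current)
    candidates = []
    for v in available:
        pv = parse_version(v)
        if pv <= cur:
            continue  # not an upgrade
        if not major and pv[0] != cur[0]:
            continue  # would be a major version jump
        candidates.append((pv, v))
    return max(candidates)[1] if candidates else None


def annotate(instance, available, major=False):
    """Mimic the filter: return the instance annotated with target_engine
    when an upgrade is available, otherwise None (instance not selected)."""
    target = find_target_engine(instance["EngineVersion"], available, major)
    if target is None:
        return None
    return {**instance, "target_engine": target}


# Constructed sample: a PostgreSQL-style version list for one engine.
AVAILABLE = ["12.15", "13.10", "13.11", "14.7", "14.8", "15.3"]
INSTANCE = {"DBInstanceIdentifier": "orders-db", "EngineVersion": "13.10"}

if __name__ == "__main__":
    print(annotate(INSTANCE, AVAILABLE, major=False))  # target_engine 13.11
    print(annotate(INSTANCE, AVAILABLE, major=True))   # target_engine 15.3
```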
Actions
auto-patch
Toggle the AutoMinorVersionUpgrade flag on an RDS instance.
The 'window' parameter needs to be in the format 'ddd:hh:mm-ddd:hh:mm' and have at least 30 minutes between start and end time. If 'window' is not specified, AWS will assign a random maintenance window to each selected instance.
Example:
policies:
  - name: enable-rds-autopatch
    resource: rds
    filters:
      - AutoMinorVersionUpgrade: false
    actions:
      - type: auto-patch
        minor: true
        window: Mon:23:00-Tue:01:00
properties:
  minor:
    type: boolean
  type:
    enum:
    - auto-patch
  window:
    type: string
required:
- type
Permissions - rds:ModifyDBInstance
delete
Deletes selected RDS instances.
This will delete RDS instances. It is recommended to apply a filter to avoid deleting all RDS instances in the account.
Example:
policies:
  - name: rds-delete
    resource: rds
    filters:
      - default-vpc
    actions:
      - type: delete
        skip-snapshot: true
properties:
  copy-restore-info:
    type: boolean
  skip-snapshot:
    type: boolean
  type:
    enum:
    - delete
required:
- type
Permissions - rds:DeleteDBInstance, rds:AddTagsToResource
modify-db
Modifies an RDS instance based on the specified parameters using ModifyDBInstance.
'update' is an array of key/value pairs, each naming the property and the value you wish to set. 'immediate' determines whether the modification is applied immediately or not; if 'immediate' is not specified, the default is false.
Example:
policies:
  - name: disable-rds-deletion-protection
    resource: rds
    filters:
      - DeletionProtection: true
      - PubliclyAccessible: true
    actions:
      - type: modify-db
        update:
          - property: 'DeletionProtection'
            value: false
          - property: 'PubliclyAccessible'
            value: false
        immediate: true
properties:
  immediate:
    type: boolean
  type:
    enum:
    - modify-db
  update:
    items:
      properties:
        property:
          enum:
          - AllocatedStorage
          - DBInstanceClass
          - DBSubnetGroupName
          - DBSecurityGroups
          - VpcSecurityGroupIds
          - MasterUserPassword
          - DBParameterGroupName
          - BackupRetentionPeriod
          - PreferredBackupWindow
          - PreferredMaintenanceWindow
          - MultiAZ
          - EngineVersion
          - AllowMajorVersionUpgrade
          - AutoMinorVersionUpgrade
          - LicenseModel
          - Iops
          - OptionGroupName
          - NewDBInstanceIdentifier
          - StorageType
          - TdeCredentialArn
          - TdeCredentialPassword
          - CACertificateIdentifier
          - Domain
          - CopyTagsToSnapshot
          - MonitoringInterval
          - MonitoringRoleARN
          - DBPortNumber
          - PubliclyAccessible
          - DomainIAMRoleName
          - PromotionTier
          - EnableIAMDatabaseAuthentication
          - EnablePerformanceInsights
          - PerformanceInsightsKMSKeyId
          - PerformanceInsightsRetentionPeriod
          - CloudwatchLogsExportConfiguration
          - ProcessorFeatures
          - UseDefaultProcessorFeatures
          - DeletionProtection
          - MaxAllocatedStorage
          - CertificateRotationRestart
          type: string
        value: {}
      type: object
    type: array
required:
- update
Permissions - rds:ModifyDBInstance
resize
Change the allocated storage of an RDS instance.
Example:
This will find databases using over 85% of their allocated storage and resize them to have an additional 30% storage; the resize here is asynchronous, applied during the next maintenance window.
policies:
  - name: rds-resize-up
    resource: rds
    filters:
      - type: metrics
        name: FreeStorageSpace
        percent-attr: AllocatedStorage
        attr-multiplier: 1073741824
        value: 90
        op: greater-than
    actions:
      - type: resize
        percent: 30
This will find databases using under 20% of their allocated storage and resize them to be 30% smaller; the resize here is configured to be immediate.
policies:
  - name: rds-resize-down
    resource: rds
    filters:
      - type: metrics
        name: FreeStorageSpace
        percent-attr: AllocatedStorage
        attr-multiplier: 1073741824
        value: 90
        op: greater-than
    actions:
      - type: resize
        percent: -30
        immediate: true
properties:
  immediate:
    type: boolean
  percent:
    type: number
  type:
    enum:
    - resize
required:
- type
Permissions - rds:ModifyDBInstance
retention
Sets the 'BackupRetentionPeriod' value for automated snapshots; enforce (min, max, exact) sets the retention days accordingly.
Example:
policies:
  - name: rds-snapshot-retention
    resource: rds
    filters:
      - type: value
        key: BackupRetentionPeriod
        value: 7
        op: lt
    actions:
      - type: retention
        days: 7
        copy-tags: true
        enforce: exact
properties:
  copy-tags:
    type: boolean
  days:
    type: number
  enforce:
    enum:
    - min
    - max
    - exact
    type: string
  type:
    enum:
    - retention
required:
- type
Permissions - rds:ModifyDBInstance
set-public-access
This action toggles an RDS instance's 'PubliclyAccessible' flag to true or false.
Example:
policies:
  - name: disable-rds-public-accessibility
    resource: rds
    filters:
      - PubliclyAccessible: true
    actions:
      - type: set-public-access
        state: false
properties:
  state:
    type: boolean
  type:
    enum:
    - set-public-access
required:
- type
Permissions - rds:ModifyDBInstance
snapshot
Creates a manual snapshot of an RDS instance.
Example:
policies:
  - name: rds-snapshot
    resource: rds
    actions:
      - snapshot
properties:
  type:
    enum:
    - snapshot
required:
- type
Permissions - rds:CreateDBSnapshot
start
Start an RDS instance.
properties:
  type:
    enum:
    - start
required:
- type
Permissions - rds:StartDBInstance
stop
Stop an RDS instance.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_StopInstance.html
properties:
  type:
    enum:
    - stop
required:
- type
Permissions - rds:StopDBInstance
upgrade
Upgrades an RDS instance to the latest major/minor version available.
Use of the 'immediate' flag (default False) will upgrade the RDS engine immediately, disregarding the existing maintenance window.
Example:
policies:
  - name: upgrade-rds-minor
    resource: rds
    actions:
      - type: upgrade
        major: False
        immediate: False
properties:
  immediate:
    type: boolean
  major:
    type: boolean
  type:
    enum:
    - upgrade
required:
- type
Permissions - rds:ModifyDBInstance