aws.rds
Resource manager for RDS DB instances.
Filters
consecutive-aws-backups
Returns resources where the number of consecutive backups (based on the periodicity defined in the filter) is equal to or greater than n units. This filter supports resources that use the AWS Backup service for backups.
example:
  policies:
    - name: dynamodb-consecutive-aws-backup-count
      resource: dynamodb-table
      filters:
        - type: consecutive-aws-backups
          count: 7
          period: days
          status: 'COMPLETED'
properties:
  count:
    minimum: 1
    type: number
  period:
    enum:
    - hours
    - days
    - weeks
  status:
    enum:
    - COMPLETED
    - PARTIAL
    - DELETING
    - EXPIRED
  type:
    enum:
    - consecutive-aws-backups
required:
- count
- period
- status
- type
Permissions - backup:ListRecoveryPointsByResource
consecutive-snapshots
Returns instances where the number of consecutive daily snapshots is equal to or greater than n days.
example:
  policies:
    - name: rds-daily-snapshot-count
      resource: rds
      filters:
        - type: consecutive-snapshots
          days: 7
properties:
  days:
    minimum: 1
    type: number
  type:
    enum:
    - consecutive-snapshots
required:
- days
- type
Permissions - rds:DescribeDBSnapshots, rds:DescribeDBInstances
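As an added illustration of the check behind consecutive-snapshots (and, with recovery points in place of snapshots, consecutive-aws-backups), the function below counts the unbroken run of calendar days covered by a snapshot. This is example code, not Cloud Custodian's implementation; the sample snapshot records are constructed, and two details are assumptions of this example: only snapshots with Status 'available' cover a day, and the run is counted backwards from yesterday.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real API output): what rds:DescribeDBSnapshots
# might return for one instance. Evaluation time is fixed so the result is
# reproducible. Days 1-2 and 4-7 ago have available snapshots; the snapshot
# from 3 days ago failed, which breaks the run at 2.
NOW = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": f"rds:db-a-{d}", "Status": "available",
     "SnapshotCreateTime": NOW - timedelta(days=d, hours=1)}
    for d in (1, 2, 4, 5, 6, 7)
] + [
    {"DBSnapshotIdentifier": "rds:db-a-3", "Status": "failed",
     "SnapshotCreateTime": NOW - timedelta(days=3, hours=1)},
]


def consecutive_daily_snapshots(snapshots, now=NOW):
    """Length of the unbroken run of UTC calendar days, ending yesterday,
    on which at least one snapshot with Status 'available' was created.
    Today is excluded (assumption) because its automated snapshot may not
    exist yet at evaluation time."""
    covered = {
        s["SnapshotCreateTime"].astimezone(timezone.utc).date()
        for s in snapshots
        if s["Status"] == "available"
    }
    run, day = 0, now.date() - timedelta(days=1)
    while day in covered:
        run += 1
        day -= timedelta(days=1)
    return run


def matches(snapshots, days, now=NOW):
    """Same decision as `type: consecutive-snapshots` with `days: N`."""
    return consecutive_daily_snapshots(snapshots, now) >= days


if __name__ == "__main__":
    print(consecutive_daily_snapshots(SAMPLE_SNAPSHOTS))  # 2
    print(matches(SAMPLE_SNAPSHOTS, 7))  # False
```

A failed snapshot on one day is enough to reset the run, which is why a `days: 7` policy still flags an instance that has seven recent snapshots but one of them failed.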
db-option-groups
This filter describes RDS option groups for associated RDS instances. Use this filter in conjunction with jmespath and value filter operators to filter RDS instances based on their option groups.
example:
  policies:
    - name: rds-data-in-transit-encrypted
      resource: aws.rds
      filters:
        - type: db-option-groups
          key: Options[].OptionName
          op: intersect
          value:
            - SSL
            - NATIVE_NETWORK_ENCRYPTION
example:
  policies:
    - name: rds-oracle-encryption-in-transit
      resource: aws.rds
      filters:
        - Engine: oracle-ee
        - type: db-option-groups
          key: Options[].OptionSettings[?Name == 'SQLNET.ENCRYPTION_SERVER'].Value[]
          value:
            - REQUIRED
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - db-option-groups
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - rds:DescribeDBInstances, rds:DescribeOptionGroups
db-parameter
Applies a value type filter on set DB parameter values.
example:
  policies:
    - name: rds-pg
      resource: rds
      filters:
        - type: db-parameter
          key: someparam
          op: eq
          value: someval
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - db-parameter
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - rds:DescribeDBInstances, rds:DescribeDBParameters
default-vpc
Matches if an RDS database is in the default VPC.
example:
  policies:
    - name: default-vpc-rds
      resource: rds
      filters:
        - type: default-vpc
properties:
  type:
    enum:
    - default-vpc
required:
- type
Permissions - ec2:DescribeVpcs
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).
properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
kms-alias
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - kms-alias
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - kms:ListAliases
pending-maintenance
Scan DB instances for those with pending maintenance.
example:
  policies:
    - name: rds-pending-maintenance
      resource: aws.rds
      filters:
        - pending-maintenance
        - type: value
          key: '"c7n:PendingMaintenance"[].PendingMaintenanceActionDetails[].Action'
          op: intersect
          value:
            - system-update
properties:
  type:
    enum:
    - pending-maintenance
required:
- type
Permissions - rds:DescribePendingMaintenanceActions
upgrade-available
Scan DB instances for available engine upgrades.
This will pull DB instances and check their specific engine for any engine version with a higher release number than the current one.
This will also annotate the RDS instance with 'target_engine', which is the most recent version of the engine available.
example:
  policies:
    - name: rds-upgrade-available
      resource: rds
      filters:
        - type: upgrade-available
          major: False
properties:
  major:
    type: boolean
  type:
    enum:
    - upgrade-available
  value:
    type: boolean
required:
- type
Permissions - rds:DescribeDBEngineVersions
Actions
auto-patch
Toggle the AutoMinorVersionUpgrade flag on RDS instances.
The 'window' parameter needs to be in the format 'ddd:hh:mm-ddd:hh:mm' and have at least 30 minutes between start and end time. If 'window' is not specified, AWS will assign a random maintenance window to each instance selected.
example:
  policies:
    - name: enable-rds-autopatch
      resource: rds
      filters:
        - AutoMinorVersionUpgrade: false
      actions:
        - type: auto-patch
          minor: true
          window: Mon:23:00-Tue:01:00
properties:
  minor:
    type: boolean
  type:
    enum:
    - auto-patch
  window:
    type: string
required:
- type
Permissions - rds:ModifyDBInstance
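Because a malformed or too-short 'window' is only rejected when rds:ModifyDBInstance is called, it helps to validate the value while the policy is being reviewed. The validator below is an added example, not part of Cloud Custodian; it applies the two rules stated above (the ddd:hh:mm-ddd:hh:mm format and the 30-minute minimum) and treats a window whose end weekday comes before its start weekday as wrapping into the following week, which is an assumption of this example.

```python
import re

# Weekday abbreviations accepted in a maintenance window, in week order.
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MINUTES_PER_WEEK = 7 * 24 * 60
WINDOW_RE = re.compile(
    r"^(?P<d1>[A-Za-z]{3}):(?P<h1>\d{2}):(?P<m1>\d{2})-"
    r"(?P<d2>[A-Za-z]{3}):(?P<h2>\d{2}):(?P<m2>\d{2})$"
)


def _minutes_since_monday(day, hour, minute):
    """Offset in minutes from Mon:00:00. Raises ValueError on an unknown
    day name (DAYS.index) or an out-of-range time."""
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"invalid time {hour:02d}:{minute:02d}")
    return DAYS.index(day.capitalize()) * 1440 + hour * 60 + minute


def window_length_minutes(window):
    """Length of a 'ddd:hh:mm-ddd:hh:mm' window in minutes.
    An end earlier in the week than the start is taken to wrap into the
    next week (assumption), so Sun:23:30-Mon:00:30 is 60 minutes."""
    m = WINDOW_RE.match(window)
    if not m:
        raise ValueError(f"{window!r} is not in ddd:hh:mm-ddd:hh:mm form")
    start = _minutes_since_monday(m["d1"], int(m["h1"]), int(m["m1"]))
    end = _minutes_since_monday(m["d2"], int(m["h2"]), int(m["m2"]))
    return (end - start) % MINUTES_PER_WEEK


def valid_window(window, minimum=30):
    """True when `window` parses and spans at least `minimum` minutes.
    Identical start and end yield a length of 0 and are rejected."""
    try:
        return window_length_minutes(window) >= minimum
    except ValueError:
        return False


if __name__ == "__main__":
    print(window_length_minutes("Mon:23:00-Tue:01:00"))  # 120
    print(valid_window("Mon:23:00-Mon:23:15"))  # False
```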
delete
Deletes selected RDS instances.
This will delete RDS instances. It is recommended to apply with a filter to avoid deleting all RDS instances in the account.
example:
  policies:
    - name: rds-delete
      resource: rds
      filters:
        - default-vpc
      actions:
        - type: delete
          skip-snapshot: true
properties:
  copy-restore-info:
    type: boolean
  skip-snapshot:
    type: boolean
  type:
    enum:
    - delete
required:
- type
Permissions - rds:DeleteDBInstance, rds:AddTagsToResource
modify-db
Modifies an RDS instance based on the specified parameters using ModifyDBInstance.
'update' is an array of key/value pairs, each naming the property and the value you wish to set. 'immediate' determines whether the modification is applied immediately or during the next maintenance window. If 'immediate' is not specified, the default is false.
example:
  policies:
    - name: disable-rds-deletion-protection
      resource: rds
      filters:
        - DeletionProtection: true
        - PubliclyAccessible: true
      actions:
        - type: modify-db
          update:
            - property: 'DeletionProtection'
              value: false
            - property: 'PubliclyAccessible'
              value: false
          immediate: true
properties:
  immediate:
    type: boolean
  type:
    enum:
    - modify-db
  update:
    items:
      properties:
        property:
          enum:
          - AllocatedStorage
          - DBInstanceClass
          - DBSubnetGroupName
          - DBSecurityGroups
          - VpcSecurityGroupIds
          - MasterUserPassword
          - DBParameterGroupName
          - BackupRetentionPeriod
          - PreferredBackupWindow
          - PreferredMaintenanceWindow
          - MultiAZ
          - EngineVersion
          - AllowMajorVersionUpgrade
          - AutoMinorVersionUpgrade
          - LicenseModel
          - Iops
          - OptionGroupName
          - NewDBInstanceIdentifier
          - StorageType
          - TdeCredentialArn
          - TdeCredentialPassword
          - CACertificateIdentifier
          - Domain
          - CopyTagsToSnapshot
          - MonitoringInterval
          - MonitoringRoleARN
          - DBPortNumber
          - PubliclyAccessible
          - DomainIAMRoleName
          - PromotionTier
          - EnableIAMDatabaseAuthentication
          - EnablePerformanceInsights
          - PerformanceInsightsKMSKeyId
          - PerformanceInsightsRetentionPeriod
          - CloudwatchLogsExportConfiguration
          - ProcessorFeatures
          - UseDefaultProcessorFeatures
          - DeletionProtection
          - MaxAllocatedStorage
          - CertificateRotationRestart
          type: string
        value: {}
      type: object
    type: array
required:
- update
Permissions - rds:ModifyDBInstance
rename-tag
Rename an existing tag key to a new key.
example:
  Rename Application and Bap to App. If a resource has both of the old keys, we'll use the value specified by Application, because precedence follows the order of the values in old_keys.
  policies:
    - name: rename-tags-example
      resource: aws.log-group
      filters:
        - or:
            - "tag:Bap": present
            - "tag:Application": present
      actions:
        - type: rename-tag
          old_keys: [Application, Bap]
          new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type
Permissions - tag:TagResources, tag:UntagResources
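The precedence rule above, worked through on constructed tags as an added example (not Cloud Custodian's code): the value comes from the first key in old_keys that the resource carries, every present old key is removed, and the result is split into the untag and tag payloads the two permissions correspond to. Overwriting an already-present new_key is an assumption of this example; the page does not specify that case.

```python
def plan_rename(tag_list, old_keys, new_key):
    """Work out the tag changes for one resource.

    tag_list is the AWS-style [{'Key': ..., 'Value': ...}] list. Returns
    (keys_to_untag, tags_to_apply). When several old keys are present the
    value is taken from the first one in old_keys; every present old key is
    removed. Both results are empty when none of old_keys is present, so the
    caller can skip the API calls entirely.
    """
    current = {t["Key"]: t["Value"] for t in tag_list}
    present = [k for k in old_keys if k in current]
    if not present:
        return [], {}
    # Assumption: an existing new_key is overwritten rather than preserved.
    return present, {new_key: current[present[0]]}


def apply_rename(tag_list, old_keys, new_key):
    """Tags as they would look after the untag and tag calls, sorted by key."""
    remove, add = plan_rename(tag_list, old_keys, new_key)
    tags = {t["Key"]: t["Value"] for t in tag_list}
    for key in remove:
        del tags[key]
    tags.update(add)
    return [{"Key": k, "Value": v} for k, v in sorted(tags.items())]


# Constructed sample: a resource carrying both legacy keys plus an unrelated tag.
SAMPLE_TAGS = [
    {"Key": "Bap", "Value": "billing"},
    {"Key": "Application", "Value": "payments"},
    {"Key": "Env", "Value": "prod"},
]

if __name__ == "__main__":
    print(plan_rename(SAMPLE_TAGS, ["Application", "Bap"], "App"))
    # (['Application', 'Bap'], {'App': 'payments'})
```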
resize
Change the allocated storage of an RDS instance.
example:
  This will find databases using over 85% of their allocated storage and resize them to have an additional 30% storage; the resize here is asynchronous and happens during the next maintenance window.
  policies:
    - name: rds-resize-up
      resource: rds
      filters:
        - type: metrics
          name: FreeStorageSpace
          percent-attr: AllocatedStorage
          attr-multiplier: 1073741824
          value: 90
          op: greater-than
      actions:
        - type: resize
          percent: 30
  This will find databases using under 20% of their allocated storage and resize them to be 30% smaller; the resize here is configured to be immediate.
  policies:
    - name: rds-resize-down
      resource: rds
      filters:
        - type: metrics
          name: FreeStorageSpace
          percent-attr: AllocatedStorage
          attr-multiplier: 1073741824
          value: 90
          op: greater-than
      actions:
        - type: resize
          percent: -30
          immediate: true
properties:
  immediate:
    type: boolean
  percent:
    type: number
  type:
    enum:
    - resize
required:
- type
Permissions - rds:ModifyDBInstance
retention
Sets the 'BackupRetentionPeriod' value for automated snapshots; enforce (min, max, exact) sets the retention days accordingly.
example:
  policies:
    - name: rds-snapshot-retention
      resource: rds
      filters:
        - type: value
          key: BackupRetentionPeriod
          value: 7
          op: lt
      actions:
        - type: retention
          days: 7
          copy-tags: true
          enforce: exact
properties:
  copy-tags:
    type: boolean
  days:
    type: number
  enforce:
    enum:
    - min
    - max
    - exact
    type: string
  type:
    enum:
    - retention
required:
- type
Permissions - rds:ModifyDBInstance
set-public-access
This action toggles an RDS instance's 'PubliclyAccessible' flag to true or false.
example:
  policies:
    - name: disable-rds-public-accessibility
      resource: rds
      filters:
        - PubliclyAccessible: true
      actions:
        - type: set-public-access
          state: false
properties:
  state:
    type: boolean
  type:
    enum:
    - set-public-access
required:
- type
Permissions - rds:ModifyDBInstance
snapshot
Creates a manual snapshot of an RDS instance.
example:
  policies:
    - name: rds-snapshot
      resource: rds
      actions:
        - snapshot
properties:
  type:
    enum:
    - snapshot
required:
- type
Permissions - rds:CreateDBSnapshot
start
Start an RDS instance.
properties:
  type:
    enum:
    - start
required:
- type
Permissions - rds:StartDBInstance
stop
Stop an RDS instance.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_StopInstance.html
properties:
  type:
    enum:
    - stop
required:
- type
Permissions - rds:StopDBInstance
upgrade
Upgrades an RDS instance to the latest major/minor version available.
Use of the 'immediate' flag (default False) will upgrade the RDS engine right away, disregarding the existing maintenance window.
example:
  policies:
    - name: upgrade-rds-minor
      resource: rds
      actions:
        - type: upgrade
          major: False
          immediate: False
properties:
  immediate:
    type: boolean
  major:
    type: boolean
  type:
    enum:
    - upgrade
required:
- type
Permissions - rds:ModifyDBInstance