aws.readiness-check
Filters
cross-account
Check a resource's embedded IAM policy for cross-account access.
Supports a whitelist_patterns option to skip principals whose identifier
matches any of the provided fnmatch patterns. This is
useful for ignoring the unique identifiers left behind by deleted IAM principals
(e.g. AIDA* for deleted IAM users, AROA* for deleted IAM roles),
which AWS substitutes into resource policies when the original principal is
removed; such an identifier no longer resolves to any account, so without a
matching pattern the filter reports it as an unknown cross-account principal.
See IAM unique identifiers for the full list of prefixes.
Note that the schema rendered below for this resource declares only whitelist
and whitelist_from; confirm with custodian schema
aws.readiness-check.filters.cross-account that your version accepts
whitelist_patterns before relying on it.
- type: cross-account
  whitelist_patterns:
    - "AIDA*"
    - "AROA*"
properties:
  type:
    enum:
      - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
required:
  - type
Permissions - route53-recovery-readiness:ListCrossAccountAuthorizations
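The following is an added example and not Cloud Custodian's own implementation. It evaluates the principals of a resource-based policy the way the description above implies: principals outside the resource's own account and the whitelist are flagged, and any identifier matching a whitelist_patterns fnmatch pattern (such as the AIDA*/AROA* residue of deleted principals) is skipped. The function names, the sample policy and the decision to leave Service and Federated principals out of scope are all assumptions of this example.

```python
# Added example; not Cloud Custodian's own code. Models the cross-account
# check described above with a whitelist of accounts and fnmatch-style
# whitelist_patterns. All names here are hypothetical.
import fnmatch
import re

# ARNs whose account segment names a 12-digit account: IAM users, roles and
# account roots, plus STS assumed-role session ARNs.
_ACCOUNT_ARN = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")


def principal_account(identifier):
    """Return the 12-digit account ID an AWS principal identifier belongs to.

    Bare account IDs and account-scoped ARNs resolve to an account; anything
    else (e.g. an AIDA.../AROA... unique ID left by a deleted principal) resolves
    to None because it cannot be attributed to a known account.
    """
    if re.fullmatch(r"\d{12}", identifier):
        return identifier
    match = _ACCOUNT_ARN.match(identifier)
    return match.group(1) if match else None


def cross_account_principals(policy, own_account, whitelist=(), whitelist_patterns=()):
    """List Allow-statement principals that grant access from outside own_account.

    whitelist:          account IDs permitted to have cross-account access
    whitelist_patterns: fnmatch patterns; matching identifiers are ignored
    """
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing
        principal = stmt.get("Principal")
        if principal is None:
            continue  # identity-policy style statement, no principal to check
        if principal == "*":
            flagged.append("*")  # anonymous access for everyone
            continue
        if not isinstance(principal, dict):
            continue  # only "*" is valid as a bare string; anything else is malformed
        # Only the AWS principal type names accounts, users and roles. Service
        # and Federated principals are left out of this example (assumption).
        aws = principal.get("AWS", [])
        for ident in ([aws] if isinstance(aws, str) else aws):
            if any(fnmatch.fnmatch(ident, pat) for pat in whitelist_patterns):
                continue  # e.g. "AIDA*" / "AROA*": deleted principals grant nothing
            if ident == "*":
                flagged.append(ident)
                continue
            account = principal_account(ident)
            # An unattributable identifier is treated as untrusted, which is
            # exactly why deleted-principal residue needs whitelist_patterns.
            if account is None or (account != own_account and account not in whitelist):
                flagged.append(ident)
    return flagged


# Constructed sample policy: own account 111111111111, a whitelisted partner
# account 222222222222, two deleted-principal unique IDs and a third account.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
        {"Effect": "Allow", "Action": "*", "Resource": "*",
         "Principal": {"AWS": [
             "arn:aws:iam::222222222222:role/Auditor",
             "AIDAEXAMPLEDELETEDUSER",
             "AROAEXAMPLEDELETEDROLE",
             "arn:aws:iam::333333333333:user/partner"]}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::444444444444:root"}},
    ],
}

if __name__ == "__main__":
    print(cross_account_principals(SAMPLE_POLICY, "111111111111",
                                   whitelist=["222222222222"]))
    print(cross_account_principals(SAMPLE_POLICY, "111111111111",
                                   whitelist=["222222222222"],
                                   whitelist_patterns=["AIDA*", "AROA*"]))
```

Without patterns the two deleted-principal IDs are reported alongside the genuinely foreign account; with AIDA*/AROA* whitelisted only the partner user in account 333333333333 remains, which is the signal the filter is meant to surface.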
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes AWS Config as the resource revision database, so the resource type must be recorded by Config for the filter to find any history.
Revisions can be selected by date (selector: date, with the date supplied in selector_value), against the previous version (selector: previous), or against a locked version (selector: locked, which requires use of the is-locked filter).
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
Permissions - config:GetResourceConfigHistory
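The following is an added example and not Cloud Custodian's own code. It models what the json-diff description above states: pick a prior revision of the resource from its Config history, either the one before the newest (previous) or the newest captured at or before a cut-off date (date, taken from selector_value), diff it against the live resource, and match when any difference exists. The locked selector is not modelled. The revision records only mimic the shape of AWS Config's GetResourceConfigHistory items, the history and live resource are constructed, and all function names are hypothetical.

```python
# Added example; not Cloud Custodian's own code. Models the json-diff filter's
# "previous" and "date" selectors over a constructed Config history. All names
# are hypothetical; the record shape is an assumption about Config output.
import json
from datetime import datetime, timezone


def json_diff(old, new, path=""):
    """Return (json_pointer, old_value, new_value) triples where old and new differ.

    Dicts are compared key by key; every other value (scalars, lists) is compared
    as a whole, which keeps the example short.
    """
    if isinstance(old, dict) and isinstance(new, dict):
        changes = []
        for key in sorted(set(old) | set(new)):
            sub = f"{path}/{key}"
            if key not in old:
                changes.append((sub, None, new[key]))
            elif key not in new:
                changes.append((sub, old[key], None))
            else:
                changes.extend(json_diff(old[key], new[key], sub))
        return changes
    return [] if old == new else [(path or "/", old, new)]


def select_revision(history, selector, selector_value=None):
    """Pick the revision to compare against, mirroring the filter's selectors.

    previous: the revision captured just before the newest one.
    date:     the newest revision captured at or before selector_value (UTC assumed).
    """
    ordered = sorted(history, key=lambda r: r["configurationItemCaptureTime"],
                     reverse=True)
    if selector == "previous":
        return ordered[1] if len(ordered) > 1 else None
    if selector == "date":
        if not selector_value:
            raise ValueError("date selector requires selector_value")
        cutoff = datetime.fromisoformat(selector_value)
        if cutoff.tzinfo is None:
            cutoff = cutoff.replace(tzinfo=timezone.utc)
        for rev in ordered:
            if rev["configurationItemCaptureTime"] <= cutoff:
                return rev
        return None  # no revision that old
    raise ValueError(f"unsupported selector: {selector!r}")


def json_diff_matches(current, history, selector, selector_value=None):
    """Return (matched, changes); matched is True when any diff exists."""
    rev = select_revision(history, selector, selector_value)
    if rev is None:
        return False, []  # nothing to compare against: no diff, no match
    changes = json_diff(json.loads(rev["configuration"]), current)
    return bool(changes), changes


# Constructed Config history (newest first) and the live resource it describes.
# Config returns "configuration" as a JSON string, hence the json.dumps.
def _rev(year, month, day, config):
    return {"configurationItemCaptureTime": datetime(year, month, day, tzinfo=timezone.utc),
            "configuration": json.dumps(config)}


HISTORY = [
    _rev(2024, 3, 10, {"ReadinessCheckName": "db-check", "ResourceSetName": "db-set",
                       "Tags": {"env": "prod"}}),
    _rev(2024, 2, 1, {"ReadinessCheckName": "db-check", "ResourceSetName": "db-set-old",
                      "Tags": {"env": "prod"}}),
    _rev(2024, 1, 5, {"ReadinessCheckName": "db-check", "ResourceSetName": "db-set-old",
                      "Tags": {}}),
]
CURRENT_RESOURCE = json.loads(HISTORY[0]["configuration"])

if __name__ == "__main__":
    print(json_diff_matches(CURRENT_RESOURCE, HISTORY, "previous"))
    print(json_diff_matches(CURRENT_RESOURCE, HISTORY, "date", "2024-01-31"))
```

Note that a cut-off after the newest revision compares the resource against itself and never matches, and a cut-off older than all history yields no revision and therefore no match either; when tuning selector_value, check that the chosen date actually lands inside the recorded history.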