aws.redshift-snapshot
Resource manager for Redshift snapshots.
Filters
age
Filters redshift snapshots based on age (in days)
- example:
policies:
  - name: redshift-old-snapshots
    resource: redshift-snapshot
    filters:
      - type: age
        days: 21
        op: gt
properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - age
required:
- type
cross-account
Filters snapshots that allow access to accounts not on the whitelist.
properties:
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type
Permissions - redshift:DescribeClusterSnapshots
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes AWS Config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
Actions
delete
Deletes the redshift snapshots matched by the policy's filters; the example selects snapshots based on age (in days).
- example:
policies:
  - name: redshift-delete-old-snapshots
    resource: redshift-snapshot
    filters:
      - type: age
        days: 21
        op: gt
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type
Permissions - redshift:DeleteClusterSnapshot
rename-tag
Rename an existing tag key to a new value.
- example:
Rename Application and Bap to App. If a resource has both of the old keys, the value specified by Application is used, which is based on the order of values in old_keys.
policies:
  - name: rename-tags-example
    resource: aws.log-group
    filters:
      - or:
        - "tag:Bap": present
        - "tag:Application": present
    actions:
      - type: rename-tag
        old_keys: [Application, Bap]
        new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type
Permissions - tag:TagResources, tag:UntagResources
revoke-access
Revokes ability of accounts to restore a snapshot
- example:
policies:
  - name: redshift-snapshot-revoke-access
    resource: redshift-snapshot
    filters:
      - type: cross-account
        whitelist:
          - 012345678910
    actions:
      - type: revoke-access
properties:
  type:
    enum:
    - revoke-access
required:
- type
Permissions - redshift:RevokeSnapshotAccess
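An added example, not Cloud Custodian's own code: it applies the cross-account whitelist comparison to constructed snapshot records and returns, per snapshot, the account IDs that fall outside the whitelist, which is the list to review before pairing the filter with revoke-access. It assumes the AccountsWithRestoreAccess and AccountId fields of the DescribeClusterSnapshots response; the function names and sample data are hypothetical.

```python
import re

ACCOUNT_ID = re.compile(r"[0-9]{12}")

# Constructed sample records shaped like DescribeClusterSnapshots output
# (assumed fields: SnapshotIdentifier, AccountsWithRestoreAccess[].AccountId).
SNAPSHOTS = [
    {"SnapshotIdentifier": "snap-internal", "AccountsWithRestoreAccess": []},
    {"SnapshotIdentifier": "snap-partner",
     "AccountsWithRestoreAccess": [{"AccountId": "012345678910"}]},
    {"SnapshotIdentifier": "snap-leaky",
     "AccountsWithRestoreAccess": [{"AccountId": "012345678910"},
                                   {"AccountId": "999999999999"}]},
    {"SnapshotIdentifier": "snap-manual"},  # constructed case: key absent
]


def normalize_whitelist(entries):
    """Return the whitelist as a set of 12-digit account id strings.

    The schema types whitelist items as strings; an unquoted YAML account id
    can load as an integer, so anything that is not a 12-digit string is
    rejected instead of being compared silently.
    """
    allowed = set()
    for entry in entries:
        if not isinstance(entry, str) or not ACCOUNT_ID.fullmatch(entry):
            raise ValueError(f"not a 12-digit account id string: {entry!r}")
        allowed.add(entry)
    return allowed


def unapproved_access(snapshots, whitelist):
    """Map snapshot id -> sorted account ids with access outside the whitelist."""
    allowed = normalize_whitelist(whitelist)
    findings = {}
    for snap in snapshots:
        shared = {a["AccountId"] for a in snap.get("AccountsWithRestoreAccess", [])}
        extra = sorted(shared - allowed)
        if extra:
            findings[snap["SnapshotIdentifier"]] = extra
    return findings


if __name__ == "__main__":
    for snap_id, accounts in unapproved_access(SNAPSHOTS, ["012345678910"]).items():
        print(f"{snap_id}: restore access held by {', '.join(accounts)}")
```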