aws.redshift
Filters
consecutive-aws-backups
Returns resources where the number of consecutive backups (based on the periodicity defined in the filter) is equal to or greater than n units. This filter supports resources that use the AWS Backup service for backups.
- example:
    policies:
      - name: dynamodb-consecutive-aws-backup-count
        resource: dynamodb-table
        filters:
          - type: consecutive-aws-backups
            count: 7
            period: days
            status: 'COMPLETED'
properties:
  count:
    minimum: 1
    type: number
  period:
    enum:
      - hours
      - days
      - weeks
  status:
    enum:
      - COMPLETED
      - PARTIAL
      - DELETING
      - EXPIRED
  type:
    enum:
      - consecutive-aws-backups
required:
  - count
  - period
  - status
  - type
Permissions - backup:ListRecoveryPointsByResource
consecutive-snapshots
Returns clusters where the number of consecutive daily backups is equal to or greater than n days.
- example:
    policies:
      - name: redshift-daily-snapshot-count
        resource: redshift
        filters:
          - type: consecutive-snapshots
            count: 7
            period: days
            status: available
properties:
  count:
    minimum: 1
    type: number
  period:
    enum:
      - hours
      - days
      - weeks
  status:
    enum:
      - available
      - creating
      - final snapshot
      - failed
  type:
    enum:
      - consecutive-snapshots
required:
  - count
  - period
  - status
  - type
Permissions - redshift:DescribeClusterSnapshots, redshift:DescribeClusters
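The "consecutive" semantics behind both consecutive-aws-backups and consecutive-snapshots are easiest to see in code. The following is an added, stand-alone emulation of that check (it is not Cloud Custodian's own implementation): snapshots are bucketed into hour/day/week periods counting back from a reference time, and the streak stops at the first period that has no snapshot in the requested status. The cluster records and snapshot timestamps are constructed sample data; the field names SnapshotCreateTime and Status mirror the DescribeClusterSnapshots response shape.

```python
from datetime import datetime, timedelta, timezone

# Period lengths accepted by the filter's `period` property.
PERIODS = {"hours": timedelta(hours=1), "days": timedelta(days=1), "weeks": timedelta(weeks=1)}


def consecutive_snapshot_periods(snapshots, period, status, now):
    """Number of consecutive periods, counting back from `now`, that each
    contain at least one snapshot in `status`. A single empty period ends
    the streak, which is what makes the filter catch gaps in coverage."""
    unit = PERIODS[period]
    covered = set()
    for snap in snapshots:
        if snap["Status"] != status:
            continue  # a 'failed' snapshot does not count as coverage
        age = now - snap["SnapshotCreateTime"]
        if age < timedelta(0):
            continue  # ignore clock skew / future timestamps
        covered.add(age // unit)  # timedelta // timedelta -> whole periods ago
    streak = 0
    while streak in covered:
        streak += 1
    return streak


def matches_consecutive_snapshots(cluster, count, period, status, now):
    """Filter predicate: True when the cluster has >= `count` consecutive periods."""
    return consecutive_snapshot_periods(cluster["Snapshots"], period, status, now) >= count


# Constructed sample data (hypothetical cluster names, fixed reference time).
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)


def _snap(days_ago, status="available"):
    return {"SnapshotCreateTime": NOW - timedelta(days=days_ago, hours=1), "Status": status}


CLUSTERS = [
    # seven daily snapshots, no gaps
    {"ClusterIdentifier": "analytics-prod", "Snapshots": [_snap(d) for d in range(7)]},
    # the snapshot from three days ago failed, so the streak is only three days
    {"ClusterIdentifier": "analytics-dev",
     "Snapshots": [_snap(d) for d in (0, 1, 2, 4, 5, 6)] + [_snap(3, "failed")]},
]


def filter_clusters(clusters, count=7, period="days", status="available", now=NOW):
    """Return identifiers of clusters the filter would keep (the policy's matches)."""
    return [c["ClusterIdentifier"] for c in clusters
            if matches_consecutive_snapshots(c, count, period, status, now)]
```

With the defaults above only analytics-prod matches; lowering count to 3 keeps both clusters, since the dev cluster's streak ends at the failed snapshot.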
default-vpc
Matches if a redshift cluster is in the default VPC.
- example:
    policies:
      - name: redshift-default-vpc
        resource: redshift
        filters:
          - default-vpc
properties:
  type:
    enum:
      - default-vpc
required:
  - type
Permissions - ec2:DescribeVpcs
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
Permissions - config:GetResourceConfigHistory
kms-key
Filter a resource by its associated KMS key and, optionally, by the alias name of the KMS key using 'c7n:AliasName'.
- example:
    Match a specific key alias:
    policies:
      - name: dms-encrypt-key-check
        resource: dms-instance
        filters:
          - type: kms-key
            key: "c7n:AliasName"
            value: alias/aws/dms
    Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS-managed and CUSTOMER-managed keys. The above policy can also be written as:
    policies:
      - name: dms-aws-managed-key
        resource: dms-instance
        filters:
          - type: kms-key
            key: KeyManager
            value: AWS
properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  operator:
    enum:
      - and
      - or
  type:
    enum:
      - kms-key
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey
param
Filter redshift clusters based on parameter values.
- example:
    policies:
      - name: redshift-param-ssl
        resource: redshift
        filters:
          - type: param
            key: require_ssl
            value: false
            op: eq
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - param
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
Permissions - redshift:DescribeClusterParameters
Actions
delete
Action to delete a redshift cluster.
To prevent unwanted deletion of redshift clusters, it is recommended to apply a filter to the rule.
- example:
    policies:
      - name: redshift-no-ssl
        resource: redshift
        filters:
          - type: param
            key: require_ssl
            value: false
            op: eq
        actions:
          - type: delete
properties:
  skip-snapshot:
    type: boolean
  type:
    enum:
      - delete
required:
  - type
Permissions - redshift:DeleteCluster
enable-vpc-routing
Action to enable enhanced VPC routing on a redshift cluster.
More: https://docs.aws.amazon.com/redshift/latest/mgmt/enhanced-vpc-routing.html
- example:
    policies:
      - name: redshift-enable-enhanced-routing
        resource: redshift
        filters:
          - type: value
            key: EnhancedVpcRouting
            value: false
            op: eq
        actions:
          - type: enable-vpc-routing
            value: true
properties:
  type:
    enum:
      - enable-vpc-routing
  value:
    type: boolean
required:
  - type
Permissions - redshift:ModifyCluster
pause
Action to pause a redshift cluster.
properties:
  type:
    enum:
      - pause
required:
  - type
Permissions - redshift:PauseCluster
resume
Action to resume a paused redshift cluster.
properties:
  type:
    enum:
      - resume
required:
  - type
Permissions - redshift:ResumeCluster
retention
Action to set the automated snapshot retention period (in days).
- example:
    policies:
      - name: redshift-snapshot-retention
        resource: redshift
        filters:
          - type: value
            key: AutomatedSnapshotRetentionPeriod
            value: 21
            op: ne
        actions:
          - type: retention
            days: 21
properties:
  days:
    type: number
  type:
    enum:
      - retention
required:
  - type
Permissions - redshift:ModifyCluster
set-attributes
Action to modify Redshift cluster attributes.
- example:
    policies:
      - name: redshift-modify-cluster
        resource: redshift
        filters:
          - type: value
            key: AllowVersionUpgrade
            value: false
        actions:
          - type: set-attributes
            attributes:
              AllowVersionUpgrade: true
properties:
  attributes:
    type: object
  type:
    enum:
      - set-attributes
required:
  - attributes
Permissions - redshift:ModifyCluster
set-logging
Action to enable or disable audit logging for a Redshift cluster.
- example:
    policies:
      - name: redshift-test
        resource: redshift
        filters:
          - type: logging
            key: LoggingEnabled
            value: false
        actions:
          - type: set-logging
            bucket: redshiftlogtest
            prefix: redshiftlogs
            state: enabled
properties:
  bucket:
    type: string
  prefix:
    type: string
  state:
    enum:
      - enabled
      - disabled
  type:
    enum:
      - set-logging
required:
  - state
Permissions - redshift:EnableLogging
set-public-access
Action to set the 'PubliclyAccessible' setting on a redshift cluster.
- example:
    policies:
      - name: redshift-set-public-access
        resource: redshift
        filters:
          - PubliclyAccessible: true
        actions:
          - type: set-public-access
            state: false
properties:
  state:
    type: boolean
  type:
    enum:
      - set-public-access
required:
  - type
Permissions - redshift:ModifyCluster
snapshot
Action to take a manual snapshot of a redshift cluster.
- example:
    policies:
      - name: redshift-snapshot
        resource: redshift
        filters:
          - type: value
            key: ClusterStatus
            value: available
            op: eq
        actions:
          - snapshot
properties:
  type:
    enum:
      - snapshot
required:
  - type
Permissions - redshift:CreateClusterSnapshot