aws.redshift¶
Filters¶
consecutive-aws-backups¶
Returns resources where number of consective backups (based on the periodicity defined in the filter) is equal to/or greater than n units. This filter supports the resources that use AWS Backup service for backups.
- example:
policies:
- name: dynamodb-consecutive-aws-backup-count
resource: dynamodb-table
filters:
- type: consecutive-aws-backups
count: 7
period: days
status: 'COMPLETED'
properties:
count:
minimum: 1
type: number
period:
enum:
- hours
- days
- weeks
status:
enum:
- COMPLETED
- PARTIAL
- DELETING
- EXPIRED
type:
enum:
- consecutive-aws-backups
required:
- count
- period
- status
- type
Permissions - backup:ListRecoveryPointsByResource
consecutive-snapshots¶
Returns Clusters where number of consective daily backups is equal to/or greater than n days.
- example:
policies:
- name: redshift-daily-snapshot-count
resource: redshift
filters:
- type: consecutive-snapshots
count: 7
period: days
status: available
properties:
count:
minimum: 1
type: number
period:
enum:
- hours
- days
- weeks
status:
enum:
- available
- creating
- final snapshot
- failed
type:
enum:
- consecutive-snapshots
required:
- count
- period
- status
- type
Permissions - redshift:DescribeClusterSnapshots, redshift:DescribeClusters
default-vpc¶
Matches if an redshift database is in the default vpc
- example:
policies:
- name: redshift-default-vpc
resource: redshift
filters:
- default-vpc
properties:
type:
enum:
- default-vpc
required:
- type
Permissions - ec2:DescribeVpcs
json-diff¶
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
kms-key¶
Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’
- example:
Match a specific key alias:
policies: - name: dms-encrypt-key-check resource: dms-instance filters: - type: kms-key key: "c7n:AliasName" value: alias/aws/dms
Or match against native key attributes such as KeyManager, which
more explicitly distinguishes between AWS and CUSTOMER-managed
keys. The above policy can also be written as:
policies: - name: dms-aws-managed-key resource: dms-instance filters: - type: kms-key key: KeyManager value: AWS
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
operator:
enum:
- and
- or
type:
enum:
- kms-key
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey
param¶
Filter redshift clusters based on parameter values
- example:
policies:
- name: redshift-param-ssl
resource: redshift
filters:
- type: param
key: require_ssl
value: false
op: eq
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- param
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - redshift:DescribeClusterParameters
Actions¶
delete¶
Action to delete a redshift cluster
To prevent unwanted deletion of redshift clusters, it is recommended to apply a filter to the rule
- example:
policies:
- name: redshift-no-ssl
resource: redshift
filters:
- type: param
key: require_ssl
value: false
op: eq
actions:
- type: delete
properties:
skip-snapshot:
type: boolean
type:
enum:
- delete
required:
- type
Permissions - redshift:DeleteCluster
enable-vpc-routing¶
Action to enable enhanced vpc routing on a redshift cluster
More: https://docs.aws.amazon.com/redshift/latest/mgmt/enhanced-vpc-routing.html
- example:
policies:
- name: redshift-enable-enhanced-routing
resource: redshift
filters:
- type: value
key: EnhancedVpcRouting
value: false
op: eq
actions:
- type: enable-vpc-routing
value: true
properties:
type:
enum:
- enable-vpc-routing
value:
type: boolean
required:
- type
Permissions - redshift:ModifyCluster
pause¶
Parent base class for filters and actions.
properties:
type:
enum:
- pause
required:
- type
Permissions - redshift:PauseCluster
resume¶
Parent base class for filters and actions.
properties:
type:
enum:
- resume
required:
- type
Permissions - redshift:ResumeCluster
retention¶
Action to set the snapshot retention period (in days)
- example:
policies:
- name: redshift-snapshot-retention
resource: redshift
filters:
- type: value
key: AutomatedSnapshotRetentionPeriod
value: 21
op: ne
actions:
- type: retention
days: 21
properties:
days:
type: number
type:
enum:
- retention
required:
- type
Permissions - redshift:ModifyCluster
set-attributes¶
Action to modify Redshift clusters
- example:
policies:
- name: redshift-modify-cluster
resource: redshift
filters:
- type: value
key: AllowVersionUpgrade
value: false
actions:
- type: set-attributes
attributes:
AllowVersionUpgrade: true
properties:
attributes:
type: object
type:
enum:
- set-attributes
required:
- attributes
Permissions - redshift:ModifyCluster
set-logging¶
Action to enable/disable Redshift logging for a Redshift Cluster.
- example:
policies:
- name: redshift-test
resource: redshift
filters:
- type: logging
key: LoggingEnabled
value: false
actions:
- type: set-logging
bucket: redshiftlogtest
prefix: redshiftlogs
state: enabled
properties:
bucket:
type: string
prefix:
type: string
state:
enum:
- enabled
- disabled
type:
enum:
- set-logging
required:
- state
Permissions - redshift:EnableLogging
set-public-access¶
Action to set the ‘PubliclyAccessible’ setting on a redshift cluster
- example:
policies:
- name: redshift-set-public-access
resource: redshift
filters:
- PubliclyAccessible: true
actions:
- type: set-public-access
state: false
properties:
state:
type: boolean
type:
enum:
- set-public-access
required:
- type
Permissions - redshift:ModifyCluster
snapshot¶
Action to take a snapshot of a redshift cluster
- example:
policies:
- name: redshift-snapshot
resource: redshift
filters:
- type: value
key: ClusterStatus
value: available
op: eq
actions:
- snapshot
properties:
type:
enum:
- snapshot
required:
- type
Permissions - redshift:CreateClusterSnapshot