aws.resource-share-self

Filters

external-share

Check a Resource Share’s associations for non-allowlisted entities

example:

policies:
  - name: ram-external-share
    resource: resource-share-self
    filters:
      - type: external-share
        allowlist_entities:
          - "123456789012"
          - arn:aws:iam::111111111111:role/MyRole
          - o-abcd1234
          - ou-ab12-34cd567890ef
          - arn:aws:iam::222222222222:user/MyUser
          - lambda.amazonaws.com
        allowlist_entities_from:
            expr: keys(not_null(accounts, `[]`))
            url: s3://my-bucket/my-aws-accounts.json
properties:
  allowlist_entities:
    items:
      type: string
    type: array
  allowlist_entities_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  type:
    enum:
    - external-share
required:
- type

Permissions - ram:GetResourceShareAssociations

Actions

delete

Action to delete a Resource Share

example:

policies:
  - name: delete-ram-resource-share
    resource: resource-share-self
    filters:
    - type: external-share
      allowlist_entities:
      - "123456789012"
      - o-abcd1234
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type

Permissions - ram:DeleteResourceShare

disassociate

Action to disassociate principals from a Resource Share.

See https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ram/client/disassociate_resource_share.html

example:

policies:
  - name: disassociate-ram-resource-share
    resource: resource-share-self
    filters:
    - type: external-share
      allowlist_entities:
        - "123456789012"
        - o-abcd1234
    actions:
    - type: disassociate
      principals: matched
properties:
  principals:
    enum:
    - matched
    - all
  type:
    enum:
    - disassociate
required:
- principals
- type

Permissions - ram:DisassociateResourceShare
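The external-share filter above decides which associated entities of a Resource Share are outside the allowlist, and the disassociate action then removes either those matched principals or all of them. The following Python is an added example, not Cloud Custodian's own code, showing one way those two steps compose. The association records, the accounts document that stands in for the S3 file behind allowlist_entities_from, and the matching rule (exact string match, plus the o-/ou- IDs carried in an AWS Organizations ARN path) are assumptions made for the illustration; the jmespath expression keys(not_null(accounts, `[]`)) is evaluated by a small hand-written equivalent rather than the jmespath library.

```python
import re

# Constructed sample: principals associated with one RAM resource share. The
# field names loosely follow ram:GetResourceShareAssociations output, but the
# values are illustrative only.
SAMPLE_ASSOCIATIONS = [
    {"associatedEntity": "123456789012", "status": "ASSOCIATED"},
    {"associatedEntity": "arn:aws:iam::111111111111:role/MyRole", "status": "ASSOCIATED"},
    {"associatedEntity": "arn:aws:organizations::123456789012:ou/o-abcd1234/ou-ab12-34cd567890ef",
     "status": "ASSOCIATED"},
    {"associatedEntity": "999999999999", "status": "ASSOCIATED"},
    {"associatedEntity": "arn:aws:iam::555555555555:user/Contractor", "status": "ASSOCIATED"},
    {"associatedEntity": "lambda.amazonaws.com", "status": "ASSOCIATED"},
    {"associatedEntity": "arn:aws:organizations::123456789012:organization/o-zzzz9999",
     "status": "ASSOCIATED"},
]

# Constructed stand-in for the JSON document that allowlist_entities_from would
# fetch from S3 (s3://my-bucket/my-aws-accounts.json in the policy example).
SAMPLE_ACCOUNTS_DOC = {"accounts": {"999999999999": {"name": "shared-services"}}}

# Allowlist entries as written inline in the policy example (allowlist_entities).
POLICY_ALLOWLIST = [
    "123456789012",
    "arn:aws:iam::111111111111:role/MyRole",
    "o-abcd1234",
    "ou-ab12-34cd567890ef",
    "lambda.amazonaws.com",
]

# Generic ARN shape: arn:partition:service:region:account:resource
ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:(?P<service>[^:]*):[^:]*:(?P<account>[^:]*):(?P<resource>.*)$"
)


def allowlist_from_doc(doc):
    """Hand-written equivalent of the jmespath expression keys(not_null(accounts, `[]`)).

    Assumption for this example: the document's top-level "accounts" object is
    keyed by account ID, so its keys are the allowlisted accounts.
    """
    return list((doc.get("accounts") or {}).keys())


def entity_identifiers(entity):
    """Return every identifier an associated entity may be allowlisted under.

    Assumed matching rule (not the project's documented behaviour): the raw
    string always counts, and for an AWS Organizations ARN the o-/ou- IDs in
    the resource path count too, so allowlisting "o-abcd1234" covers its OUs.
    """
    ids = {entity}
    m = ARN_RE.match(entity)
    if m and m.group("service") == "organizations":
        for segment in m.group("resource").split("/"):
            if segment.startswith(("o-", "ou-")):
                ids.add(segment)
    return ids


def external_entities(associations, allowlist):
    """Entities of the share that match none of the allowlist identifiers."""
    allowed = set(allowlist)
    return [
        a["associatedEntity"]
        for a in associations
        if not (entity_identifiers(a["associatedEntity"]) & allowed)
    ]


def principals_to_disassociate(associations, allowlist, principals="matched"):
    """Mirror the disassociate action's `principals` setting.

    "matched" removes only the non-allowlisted entities the filter flagged;
    "all" removes every associated principal.
    """
    if principals == "matched":
        return external_entities(associations, allowlist)
    if principals == "all":
        return [a["associatedEntity"] for a in associations]
    raise ValueError("principals must be 'matched' or 'all'")


# Effective allowlist: inline entries plus the ones loaded from the document.
EFFECTIVE_ALLOWLIST = POLICY_ALLOWLIST + allowlist_from_doc(SAMPLE_ACCOUNTS_DOC)

if __name__ == "__main__":
    for entity in principals_to_disassociate(SAMPLE_ASSOCIATIONS, EFFECTIVE_ALLOWLIST):
        print("external share association:", entity)
```

With the sample data the contractor IAM user and the unknown organization are the only two external associations; the OU is accepted because its parent organization ID is allowlisted, and the account loaded from the document is accepted even though it is not listed inline. Switching principals to "all" returns every association, which is the difference between cleaning up a share and tearing it down.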

rename-tag

Rename an existing tag key to a new value.

example:

Rename Application and Bap to App. If a resource carries both old keys, the value of Application is used, because precedence follows the order of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources
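The precedence rule described above (the first key in old_keys that is present wins) is easy to get wrong when both keys exist. This Python is an added example, not the project's code, that computes the tag and untag operations a rename-tag action implies for one resource. The sample tags are constructed, and two points are assumptions: every old key that is present is removed, and an existing new_key is overwritten.

```python
# Constructed sample tag set for one resource that has both old keys.
SAMPLE_TAGS = {"Application": "billing", "Bap": "legacy-billing", "Env": "prod"}


def plan_rename_tag(tags, old_keys, new_key):
    """Return (tags_to_set, keys_to_remove) for a rename-tag action.

    Assumed semantics: the first key in old_keys found on the resource
    supplies the value (matching the order-based precedence in the text),
    all old keys present are removed, and new_key is overwritten if it
    already exists. A resource with none of the old keys needs no change.
    """
    present = [k for k in old_keys if k in tags]
    if not present:
        return {}, []
    winner = present[0]  # earliest entry in old_keys takes precedence
    return {new_key: tags[winner]}, present


def apply_rename_tag(tags, old_keys, new_key):
    """Apply the planned untag then tag steps to a copy of the tag set."""
    to_set, to_remove = plan_rename_tag(tags, old_keys, new_key)
    result = {k: v for k, v in tags.items() if k not in to_remove}
    result.update(to_set)
    return result


if __name__ == "__main__":
    print(apply_rename_tag(SAMPLE_TAGS, ["Application", "Bap"], "App"))
```

Reversing old_keys to [Bap, Application] flips which value survives, which is why the order in the policy matters when both keys are present. The two return values map onto the two permissions the action requires: keys_to_remove goes to tag:UntagResources and tags_to_set to tag:TagResources.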