aws.resource-share-self
Filters
external-share
Check a Resource Share’s associations for non-allowlisted entities
Example:
policies:
  - name: ram-external-share
    resource: resource-share-self
    filters:
      - type: external-share
        allowlist_entities:
          - "123456789012"
          - arn:aws:iam::111111111111:role/MyRole
          - o-abcd1234
          - ou-ab12-34cd567890ef
          - arn:aws:iam::222222222222:user/MyUser
          - lambda.amazonaws.com
        allowlist_entities_from:
          expr: keys(not_null(accounts, `[]`))
          url: s3://my-bucket/my-aws-accounts.json
properties:
  allowlist_entities:
    items:
      type: string
    type: array
  allowlist_entities_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  type:
    enum:
    - external-share
required:
- type
Permissions - ram:GetResourceShareAssociations
Actions
delete
Action to delete a Resource Share
Example:
policies:
  - name: delete-ram-resource-share
    resource: resource-share-self
    filters:
      - type: external-share
        allowlist_entities:
          - "123456789012"
          - o-abcd1234
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type
Permissions - ram:DeleteResourceShare
disassociate
Action to disassociate principals from a Resource Share. See https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ram/client/disassociate_resource_share.html
Example:
policies:
  - name: disassociate-ram-resource-share
    resource: resource-share-self
    filters:
      - type: external-share
        allowlist_entities:
          - "123456789012"
          - o-abcd1234
    actions:
      - type: disassociate
        principals: matched
properties:
  principals:
    enum:
    - matched
    - all
  type:
    enum:
    - disassociate
required:
- principals
- type
Permissions - ram:DisassociateResourceShare
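A dry-run preview of the external-share filter and the two disassociate modes above, as an added example that is not Cloud Custodian's own code. It assumes exact string comparison against the allowlist, reads `matched` as the principals the filter flagged and `all` as every associated principal, and uses constructed sample data and entity-shape patterns of its own.

```python
import json
import re

# Entity shapes seen in the page's allowlist example (patterns are this example's own).
SHAPES = [
    r"\d{12}",                                     # account ID
    r"arn:aws[a-z-]*:iam::\d{12}:(role|user)/.+",  # IAM role/user ARN
    r"o-[a-z0-9]+",                                # organization ID
    r"ou-[a-z0-9]+-[a-z0-9]+",                     # organizational unit ID
    r"[a-z0-9.-]+\.amazonaws\.com",                # service principal
]

# Constructed sample of the JSON that allowlist_entities_from would fetch.
ACCOUNTS_JSON = '{"accounts": {"111111111111": {"name": "dev"}, "333333333333": {"name": "prod"}}}'

# Constructed sample shaped like GetResourceShareAssociations output (PRINCIPAL type).
SHARE = "arn:aws:ram:us-east-1:123456789012:resource-share/EXAMPLE"
ASSOCIATIONS = [
    {"resourceShareArn": SHARE, "associatedEntity": e, "status": "ASSOCIATED"}
    for e in ("111111111111", "o-abcd1234", "444444444444",
              "arn:aws:iam::555555555555:role/Vendor")
]

def build_allowlist(inline, accounts_json):
    """Union of inline entries and the keys of the fetched "accounts" mapping."""
    accounts = json.loads(accounts_json).get("accounts") or {}
    return set(inline) | set(accounts)

def lint_allowlist(entries):
    """Entries that fit none of the shapes above are likely typos that never match."""
    return sorted(e for e in entries
                  if not any(re.fullmatch(p, e) for p in SHAPES))

def preview_disassociate(associations, allowlist):
    """Principals each disassociate mode would remove (exact-match assumption)."""
    principals = sorted(a["associatedEntity"] for a in associations
                        if a["status"] == "ASSOCIATED")
    return {"matched": [p for p in principals if p not in allowlist],
            "all": principals}

if __name__ == "__main__":
    inline = ["123456789012", "o-abcd1234", "aws:aws:iam::666666666666:user/Typo"]
    allow = build_allowlist(inline, ACCOUNTS_JSON)
    print("suspect allowlist entries:", lint_allowlist(allow))
    print(preview_disassociate(ASSOCIATIONS, allow))
```

Running the lint before enabling `disassociate` or `delete` catches a malformed allowlist entry that would otherwise leave a trusted principal flagged as external.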
rename-tag
Rename an existing tag key to a new value.
Example:
Rename Application and Bap to App. If a resource has both of the old keys, the value specified by Application is used, which is based on the order of values in old_keys.
policies:
  - name: rename-tags-example
    resource: aws.log-group
    filters:
      - or:
        - "tag:Bap": present
        - "tag:Application": present
    actions:
      - type: rename-tag
        old_keys: [Application, Bap]
        new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type
Permissions - tag:TagResources, tag:UntagResources