aws.ses-email-identity¶
Filters¶
has-statement¶
Find resources with matching access policy statements. :Example:
policies:
- name: sns-check-statement-id
resource: sns
filters:
- type: has-statement
statement_ids:
- BlockNonSSL
policies:
- name: sns-check-block-non-ssl
resource: sns
filters:
- type: has-statement
statements:
- Effect: Deny
Action: 'SNS:Publish'
Principal: '*'
Condition:
Bool:
"aws:SecureTransport": "false"
properties:
statement_ids:
items:
type: string
type: array
statements:
items:
properties:
Action:
anyOf:
- type: string
- type: array
Condition:
type: object
Effect:
enum:
- Allow
- Deny
type: string
NotAction:
anyOf:
- type: string
- type: array
NotPrincipal:
anyOf:
- type: object
- type: array
NotResource:
anyOf:
- type: string
- type: array
Principal:
anyOf:
- type: string
- type: object
- type: array
Resource:
anyOf:
- type: string
- type: array
Sid:
type: string
required:
- Effect
type: object
type: array
type:
enum:
- has-statement
required:
- type
Actions¶
rename-tag¶
Rename an existing tag key to a new value.
- example:
rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.
policies: - name: rename-tags-example resource: aws.log-group filters: - or: - "tag:Bap": present - "tag:Application": present actions: - type: rename-tag old_keys: [Application, Bap] new_key: App
properties:
new_key:
type: string
old_key:
type: string
old_keys:
items:
type: string
type: array
type:
enum:
- rename-tag
required:
- type
Permissions - tag:TagResources, tag:UntagResources