aws.sqs

Filters

cross-account

Filter SQS queues which have cross account permissions

example:

policies:
  - name: sqs-cross-account
    resource: sqs
    filters:
      - type: cross-account
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - sqs:GetQueueAttributes

dead-letter

Filter for sqs queues that are dead letter queues

example:

policies:
 - name: find-dead-letter-queues
   resource: aws.sqs
   filters:
     - type: dead-letter
properties:
  type:
    enum:
    - dead-letter
required:
- type

has-statement

Find resources with matching access policy statements. :Example:

policies:
  - name: sns-check-statement-id
    resource: sns
    filters:
      - type: has-statement
        statement_ids:
          - BlockNonSSL
policies:
  - name: sns-check-block-non-ssl
    resource: sns
    filters:
      - type: has-statement
        statements:
          - Effect: Deny
            Action: 'SNS:Publish'
            Principal: '*'
            Condition:
                Bool:
                    "aws:SecureTransport": "false"
properties:
  statement_ids:
    items:
      type: string
    type: array
  statements:
    items:
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Effect
      type: object
    type: array
  type:
    enum:
    - has-statement
required:
- type

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

kms-key

Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

example:

Match a specific key alias:

policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS and CUSTOMER-managed keys. The above policy can also be written as:

policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS
properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey

Actions

delete

Action to delete a SQS queue

To prevent unwanted deletion of SQS queues, it is recommended to include a filter

example:

policies:
  - name: sqs-delete
    resource: sqs
    filters:
      - KmsMasterKeyId: absent
    actions:
      - type: delete
properties:
  type:
    enum:
    - delete
required:
- type

Permissions - sqs:DeleteQueue

remove-statements

Action to remove policy statements from SQS

example:

policies:
   - name: remove-sqs-cross-account
     resource: sqs
     filters:
       - type: cross-account
     actions:
       - type: remove-statements
         statement_ids: matched
properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
      - '*'
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

Permissions - sqs:GetQueueAttributes, sqs:RemovePermission

rename-tag

Rename an existing tag key to a new value.

example:

rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

set-encryption

Action to set encryption key on SQS queue

you can also optionally set data key ‘reuse-period’, or use with the service managed encryption by not specifying a key.

example:

policies:
  - name: sqs-set-encrypt
    resource: sqs
    filters:
      - KmsMasterKeyId: absent
    actions:
      - type: set-encryption
        key: "<alias of kms key>"
properties:
  enabled:
    type: boolean
  key:
    type: string
  reuse-period:
    maximum: 86400
    minimum: 60
    type: integer
  type:
    enum:
    - set-encryption
required:
- type

Permissions - sqs:SetQueueAttributes

set-retention-period

Action to set the retention period on an SQS queue (in seconds)

example:

policies:
  - name: sqs-reduce-long-retention-period
    resource: sqs
    filters:
      - type: value
        key: MessageRetentionPeriod
        value_type: integer
        value: 345600
        op: ge
    actions:
      - type: set-retention-period
        period: 86400
properties:
  period:
    maximum: 1209600
    minimum: 60
    type: integer
  type:
    enum:
    - set-retention-period
required:
- type

Permissions - sqs:SetQueueAttributes