aws.sqs

Filters

• config-compliance

• cross-account

• dead-letter

• event

• finding

• has-statement

• iam-analyzer

• json-diff

• kms-key

• list-item

• marked-for-op

• metrics

• ops-item

• reduce

• value

cross-account

Filter SQS queues which have cross account permissions

example:

policies:
  - name: sqs-cross-account
    resource: sqs
    filters:
      - type: cross-account

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - sqs:GetQueueAttributes

dead-letter

Filter for sqs queues that are dead letter queues

example:

policies:
 - name: find-dead-letter-queues
   resource: aws.sqs
   filters:
     - type: dead-letter

properties:
  type:
    enum:
    - dead-letter
required:
- type

has-statement

Find resources with matching access policy statements.

If you want to return resource statements that include the listed Action or NotAction, you can use PartialMatch instead of an exact match.

example:

policies:
  - name: sns-check-statement-id
    resource: sns
    filters:
      - type: has-statement
        statement_ids:
          - BlockNonSSL
policies:
  - name: sns-check-block-non-ssl
    resource: sns
    filters:
      - type: has-statement
        statements:
          - Effect: Deny
            Action: 'SNS:Publish'
            Principal: '*'
            Condition:
                Bool:
                    "aws:SecureTransport": "false"
            PartialMatch: 'Action'

properties:
  statement_ids:
    items:
      type: string
    type: array
  statements:
    items:
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        PartialMatch:
          anyOf:
          - enum:
            - Action
            - NotAction
            type: string
          - items:
            - enum:
              - Action
              - NotAction
              type: string
            type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Effect
      type: object
    type: array
  type:
    enum:
    - has-statement
required:
- type

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

kms-key

Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

example:

Match a specific key alias:

policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS and CUSTOMER-managed keys. The above policy can also be written as:

policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS

properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey

Actions

• auto-tag-user

• copy-related-tag

• delete

• invoke-lambda

• invoke-sfn

• mark-for-op

• modify-policy

• notify

• post-finding

• post-item

• put-metric

• remove-statements

• remove-tag

• rename-tag

• set-encryption

• set-retention-period

• tag

• webhook

delete

Action to delete a SQS queue

To prevent unwanted deletion of SQS queues, it is recommended to include a filter

example:

policies:
  - name: sqs-delete
    resource: sqs
    filters:
      - KmsMasterKeyId: absent
    actions:
      - type: delete

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - sqs:DeleteQueue

remove-statements

Action to remove policy statements from SQS

example:

policies:
   - name: remove-sqs-cross-account
     resource: sqs
     filters:
       - type: cross-account
     actions:
       - type: remove-statements
         statement_ids: matched

properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
      - '*'
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

Permissions - sqs:GetQueueAttributes, sqs:RemovePermission

rename-tag

Rename an existing tag key to a new value.

example:

rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App

properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

set-encryption

Action to set encryption key on SQS queue

you can also optionally set data key ‘reuse-period’, or use with the service managed encryption by not specifying a key.

example:

policies:
  - name: sqs-set-encrypt
    resource: sqs
    filters:
      - KmsMasterKeyId: absent
    actions:
      - type: set-encryption
        key: "<alias of kms key>"

properties:
  enabled:
    type: boolean
  key:
    type: string
  reuse-period:
    maximum: 86400
    minimum: 60
    type: integer
  type:
    enum:
    - set-encryption
required:
- type

Permissions - sqs:SetQueueAttributes

set-retention-period

Action to set the retention period on an SQS queue (in seconds)

example:

policies:
  - name: sqs-reduce-long-retention-period
    resource: sqs
    filters:
      - type: value
        key: MessageRetentionPeriod
        value_type: integer
        value: 345600
        op: ge
    actions:
      - type: set-retention-period
        period: 86400

properties:
  period:
    maximum: 1209600
    minimum: 60
    type: integer
  type:
    enum:
    - set-retention-period
required:
- type

Permissions - sqs:SetQueueAttributes