aws.subnet

Filters

flow-logs

Are flow logs enabled on the resource.

For example, to find all VPCs with flow logs disabled:

example

policies:
  - name: flow-logs-enabled
    resource: vpc
    filters:
      - flow-logs

Or to find all VPCs that have flow logs but whose configuration does not match a particular specification:

example

policies:
  - name: flow-mis-configured
    resource: vpc
    filters:
      - not:
        - type: flow-logs
          enabled: true
          set-op: or
          op: equal
          # equality operator applies to following keys
          traffic-type: all
          status: active
          log-group: vpc-logs

properties:
  deliver-status:
    enum:
    - success
    - failure
  destination:
    type: string
  destination-type:
    enum:
    - s3
    - cloud-watch-logs
  enabled:
    default: false
    type: boolean
  log-group:
    type: string
  op:
    default: equal
    enum:
    - equal
    - not-equal
  set-op:
    default: or
    enum:
    - or
    - and
  status:
    enum:
    - active
  traffic-type:
    enum:
    - accept
    - reject
    - all
  type:
    enum:
    - flow-logs
required:
- type
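The two policies above rely on how the filter's keys combine: `enabled` decides whether a resource with no flow log at all is kept, `op` chooses equality or inequality for every configuration key, and `set-op` decides whether one matching flow log (`or`) or every flow log (`and`) is enough. The following is an added example, not Cloud Custodian's own code: it models those documented semantics over a constructed sample of `DescribeFlowLogs` output, and the assumption that the filter works this way (compare each key, then combine per flow log) is this example's, not a statement about the project's implementation.

```python
import operator

# Constructed sample of what ec2:DescribeFlowLogs returns (not real account data).
SAMPLE_FLOW_LOGS = [
    {"ResourceId": "vpc-0a1", "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs",
     "LogDestination": "arn:aws:logs:us-east-1:111111111111:log-group:vpc-logs",
     "LogGroupName": "vpc-logs"},
    {"ResourceId": "vpc-0b2", "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS",
     "TrafficType": "REJECT", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::example-flow-log-bucket"},
    # vpc-0c3 deliberately has no flow log at all
]
SAMPLE_VPCS = [{"VpcId": "vpc-0a1"}, {"VpcId": "vpc-0b2"}, {"VpcId": "vpc-0c3"}]

# Filter key -> (DescribeFlowLogs field, normaliser). The schema uses lowercase
# enum values while the API returns uppercase status/traffic values, so those
# spec values are upper-cased before comparison.
SPEC_FIELDS = {
    "traffic-type": ("TrafficType", str.upper),
    "status": ("FlowLogStatus", str.upper),
    "deliver-status": ("DeliverLogsStatus", str.upper),
    "destination-type": ("LogDestinationType", str),
    "destination": ("LogDestination", str),
    "log-group": ("LogGroupName", str),
}


def flow_log_matches(flow_log, spec, cmp):
    """True when every configuration key present in the spec compares (via cmp)
    against the corresponding field of one flow log."""
    for key, (field, norm) in SPEC_FIELDS.items():
        if key in spec and not cmp(flow_log.get(field), norm(spec[key])):
            return False
    return True


def filter_flow_logs(resources, flow_logs, spec, id_key="VpcId"):
    """Model of the documented flow-logs filter (assumption: mirrors the docs above,
    not the project's code). Returns the resources the filter would keep."""
    by_resource = {}
    for fl in flow_logs:
        by_resource.setdefault(fl["ResourceId"], []).append(fl)

    enabled = spec.get("enabled", False)
    cmp = operator.eq if spec.get("op", "equal") == "equal" else operator.ne
    combine = any if spec.get("set-op", "or") == "or" else all

    kept = []
    for r in resources:
        logs = by_resource.get(r[id_key], [])
        if not enabled:
            # enabled: false (the default) selects resources with no flow log at all;
            # the configuration keys are irrelevant in that case
            if not logs:
                kept.append(r)
            continue
        if logs and combine(flow_log_matches(fl, spec, cmp) for fl in logs):
            kept.append(r)
    return kept


def vpcs_without_flow_logs():
    # First policy on the page: a bare `flow-logs` filter, enabled defaults to false
    return [r["VpcId"] for r in filter_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS, {})]


def misconfigured_vpcs():
    # Second policy: `not` around a spec requiring an active, all-traffic log to vpc-logs
    spec = {"enabled": True, "set-op": "or", "op": "equal",
            "traffic-type": "all", "status": "active", "log-group": "vpc-logs"}
    ok = {r["VpcId"] for r in filter_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS, spec)}
    return [r["VpcId"] for r in SAMPLE_VPCS if r["VpcId"] not in ok]


if __name__ == "__main__":
    print("no flow logs:", vpcs_without_flow_logs())
    print("not matching spec:", misconfigured_vpcs())
```

Under this model the negated policy also lists vpc-0c3, which has no flow log at all, because a resource without logs fails the inner `enabled: true` filter and `not` then keeps it. That is usually what a compliance check wants (unlogged and mis-logged VPCs both surface), but a policy meant to report only mis-configured logs would need an additional `flow-logs` filter with `enabled: true` outside the `not`.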

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, or against a locked version (the latter requires use of the is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type
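What "a diff exists between the current resource and the selected revision" means in practice is easiest to see on two configuration snapshots. The following is an added example, not the project's code: it walks two constructed Config-style configuration items for a subnet, reports every leaf that changed with a JSON-pointer-like path, and models the three documented selectors over a constructed, newest-first revision list. The `captureTime` and `locked` fields of the revision records are this example's assumptions about how such a revision store might look; the real filter reads AWS Config and the is-locked filter, as the text says.

```python
# Constructed AWS Config-style configuration items for one subnet (not real account data).
CURRENT = {
    "SubnetId": "subnet-0a1",
    "MapPublicIpOnLaunch": True,
    "Tags": [{"Key": "env", "Value": "prod"}],
    "CidrBlock": "10.0.1.0/24",
}
PREVIOUS = {
    "SubnetId": "subnet-0a1",
    "MapPublicIpOnLaunch": False,
    "Tags": [{"Key": "env", "Value": "prod"}],
    "CidrBlock": "10.0.1.0/24",
}
# Newest first: index 0 is the current resource, later entries are older revisions.
# 'locked' is a constructed flag standing in for the is-locked filter's notion.
REVISIONS = [
    {"captureTime": "2023-06-03T00:00:00Z", "configuration": CURRENT},
    {"captureTime": "2023-06-01T00:00:00Z", "configuration": PREVIOUS},
    {"captureTime": "2023-05-01T00:00:00Z", "configuration": PREVIOUS, "locked": True},
]


def json_diff(current, previous, path=""):
    """Return [(path, previous_value, current_value)] for every leaf that differs.
    Dicts are compared key by key, lists index by index; anything else is a leaf."""
    if isinstance(current, dict) and isinstance(previous, dict):
        changes = []
        for key in sorted(set(current) | set(previous)):
            changes.extend(json_diff(current.get(key), previous.get(key), f"{path}/{key}"))
        return changes
    if isinstance(current, list) and isinstance(previous, list):
        changes = []
        for i in range(max(len(current), len(previous))):
            cur = current[i] if i < len(current) else None
            prev = previous[i] if i < len(previous) else None
            changes.extend(json_diff(cur, prev, f"{path}/{i}"))
        return changes
    if current != previous:
        return [(path or "/", previous, current)]
    return []


def select_revision(revisions, selector, selector_value=None):
    """Pick the baseline configuration per the documented selector enum
    (previous / date / locked). Returns None when no such revision exists."""
    if selector == "previous":
        return revisions[1]["configuration"] if len(revisions) > 1 else None
    if selector == "date":
        # the newest revision captured at or before the given ISO-8601 timestamp
        for rev in revisions[1:]:
            if rev["captureTime"] <= selector_value:
                return rev["configuration"]
        return None
    if selector == "locked":
        for rev in revisions:
            if rev.get("locked"):
                return rev["configuration"]
        return None
    raise ValueError(f"unknown selector {selector!r}")


def json_diff_matches(revisions, selector="previous", selector_value=None):
    """The filter's decision: (matched, changes). A resource matches when the
    selected revision exists and at least one leaf differs from the current one."""
    baseline = select_revision(revisions, selector, selector_value)
    if baseline is None:
        return False, []
    changes = json_diff(revisions[0]["configuration"], baseline)
    return bool(changes), changes


if __name__ == "__main__":
    matched, changes = json_diff_matches(REVISIONS)
    print(matched, changes)
```

The path-per-leaf output is what makes the filter useful in a notify action: a change to `/MapPublicIpOnLaunch` on a subnet is a very different event from a tag edit, and the diff tells you which one happened.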

Actions

set-flow-log

Create flow logs for a network resource.

example

policies:
  - name: vpc-enable-flow-logs
    resource: vpc
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        DeliverLogsPermissionArn: arn:iam:role
        LogGroupName: /custodian/vpc/flowlogs/

properties:
  DeliverLogsPermissionArn:
    type: string
  LogDestination:
    type: string
  LogDestinationType:
    enum:
    - s3
    - cloud-watch-logs
  LogGroupName:
    type: string
  TrafficType:
    enum:
    - ACCEPT
    - REJECT
    - ALL
    type: string
  state:
    type: boolean
  type:
    enum:
    - set-flow-log