aws.subnet
Filters
ip-address-usage
Filter subnets based on available IP addresses.
- example:
Show subnets with no addresses in use.
policies:
- name: empty-subnets
resource: aws.subnet
filters:
- type: ip-address-usage
key: NumberUsed
value: 0
- example:
Show subnets where 90% or more addresses are in use.
policies:
- name: almost-full-subnets
resource: aws.subnet
filters:
- type: ip-address-usage
key: PercentUsed
op: greater-than
value: 90
This filter allows key to be:
MaxAvailable: the number of addresses available based on a subnet’s CIDR block size (minus the 5 addresses reserved by AWS)NumberUsed:MaxAvailableminus the subnet’sAvailableIpAddressCountvaluePercentUsed:NumberUseddivided byMaxAvailable
properties:
default:
type: object
key:
enum:
- MaxAvailable
- NumberUsed
- PercentUsed
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- ip-address-usage
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
vpc-endpoint
Filters subnets based on their vpc-endpoints
- example:
policies:
- name: athena-endpoint-enabled
resource: subnet
filters:
- type: vpc-endpoint
key: ServiceName
value: com.amazonaws.us-east-1.athena
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- vpc-endpoint
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - ec2:DescribeVpcEndpoints, tag:GetResources
Actions
delete
Action to delete a Subnet.
- example:
Delete empty development subnets
policies:
- name: delete-subnet
resource: aws.subnet
filters:
- tag:Environment: dev
- type: ip-address-usage
key: NumberUsed
value: 0
actions:
- type: delete
properties:
type:
enum:
- delete
required:
- type
Permissions - ec2:DeleteSubnet
modify
Modify subnet attributes.
- example:
policies:
- name: turn-on-public-ip-protection
resource: aws.subnet
filters:
- type: value
key: "MapPublicIpOnLaunch.enabled"
value: false
actions:
- type: modify
MapPublicIpOnLaunch: false
properties:
AssignIpv6AddressOnCreation:
type: boolean
CustomerOwnedIpv4Pool:
type: string
DisableLniAtDeviceIndex:
type: boolean
EnableDns64:
type: boolean
EnableLniAtDeviceIndex:
type: integer
EnableResourceNameDnsAAAARecordOnLaunch:
type: boolean
EnableResourceNameDnsARecordOnLaunch:
type: boolean
MapCustomerOwnedIpOnLaunch:
type: boolean
MapPublicIpOnLaunch:
type: boolean
PrivateDnsHostnameTypeOnLaunch:
enum:
- ip-name
- resource-name
type: string
type:
enum:
- modify
required:
- type
Permissions - ec2:ModifySubnetAttribute
set-flow-log
Set flow logs for a network resource
- example:
policies:
- name: vpc-enable-flow-logs
resource: vpc
filters:
- type: flow-logs
enabled: false
actions:
- type: set-flow-log
attrs:
DeliverLogsPermissionArn: arn:iam:role
LogGroupName: /custodian/vpc/flowlogs/
attrs are passed through to create_flow_log and are per the api documentation
properties:
DeliverLogsPermissionArn:
type: string
LogDestination:
type: string
LogDestinationType:
enum:
- s3
- cloud-watch-logs
LogFormat:
type: string
LogGroupName:
type: string
MaxAggregationInterval:
type: integer
TrafficType:
enum:
- ACCEPT
- REJECT
- ALL
type: string
attrs:
type: object
state:
type: boolean
type:
enum:
- set-flow-log
required:
- type
Permissions - ec2:CreateFlowLogs, logs:CreateLogGroup