aws.subnet

Filters

flow-logs

Are flow logs enabled on the resource.

ie to find all vpcs with flows logs disabled we can do this

example:

policies:
  - name: flow-logs-enabled
    resource: vpc
    filters:
      - flow-logs

or to find all vpcs with flow logs but that don’t match a particular configuration.

example:

policies:
  - name: flow-mis-configured
    resource: vpc
    filters:
      - not:
        - type: flow-logs
          enabled: true
          set-op: or
          op: equal
          # equality operator applies to following keys
          traffic-type: all
          status: active
          log-group: vpc-logs
properties:
  deliver-status:
    enum:
    - success
    - failure
  destination:
    type: string
  destination-type:
    enum:
    - s3
    - cloud-watch-logs
  enabled:
    default: false
    type: boolean
  log-format:
    type: string
  log-group:
    type: string
  op:
    default: equal
    enum:
    - equal
    - not-equal
  set-op:
    default: or
    enum:
    - or
    - and
  status:
    enum:
    - active
  traffic-type:
    enum:
    - accept
    - reject
    - all
  type:
    enum:
    - flow-logs
required:
- type

Permissions - ec2:DescribeFlowLogs

ip-address-usage

Filter subnets based on available IP addresses.

example:

Show subnets with no addresses in use.

policies:
  - name: empty-subnets
    resource: aws.subnet
    filters:
      - type: ip-address-usage
        key: NumberUsed
        value: 0
example:

Show subnets where 90% or more addresses are in use.

policies:
  - name: almost-full-subnets
    resource: aws.subnet
    filters:
      - type: ip-address-usage
        key: PercentUsed
        op: greater-than
        value: 90

This filter allows key to be:

  • MaxAvailable: the number of addresses available based on a subnet’s CIDR block size (minus the 5 addresses reserved by AWS)

  • NumberUsed: MaxAvailable minus the subnet’s AvailableIpAddressCount value

  • PercentUsed: NumberUsed divided by MaxAvailable

properties:
  default:
    type: object
  key:
    enum:
    - MaxAvailable
    - NumberUsed
    - PercentUsed
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - ip-address-usage
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

vpc-endpoint

Filters subnets based on their vpc-endpoints

example:

policies:
  - name: athena-endpoint-enabled
    resource: subnet
    filters:
      - type: vpc-endpoint
        key: ServiceName
        value: com.amazonaws.us-east-1.athena
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - vpc-endpoint
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

Permissions - ec2:DescribeVpcEndpoints

Actions

modify

Modify subnet attributes.

example:

policies:
  - name: turn-on-public-ip-protection
    resource: aws.subnet
    filters:
      - type: value
        key: "MapPublicIpOnLaunch.enabled"
        value: false
    actions:
      - type: modify
        MapPublicIpOnLaunch: false
properties:
  AssignIpv6AddressOnCreation:
    type: boolean
  CustomerOwnedIpv4Pool:
    type: string
  DisableLniAtDeviceIndex:
    type: boolean
  EnableDns64:
    type: boolean
  EnableLniAtDeviceIndex:
    type: integer
  EnableResourceNameDnsAAAARecordOnLaunch:
    type: boolean
  EnableResourceNameDnsARecordOnLaunch:
    type: boolean
  MapCustomerOwnedIpOnLaunch:
    type: boolean
  MapPublicIpOnLaunch:
    type: boolean
  PrivateDnsHostnameTypeOnLaunch:
    enum:
    - ip-name
    - resource-name
    type: string
  type:
    enum:
    - modify
required:
- type

Permissions - ec2:ModifySubnetAttribute

set-flow-log

Create flow logs for a network resource

example:

policies:
  - name: vpc-enable-flow-logs
    resource: vpc
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        DeliverLogsPermissionArn: arn:iam:role
        LogGroupName: /custodian/vpc/flowlogs/
properties:
  DeliverLogsPermissionArn:
    type: string
  LogDestination:
    type: string
  LogDestinationType:
    enum:
    - s3
    - cloud-watch-logs
  LogFormat:
    type: string
  LogGroupName:
    type: string
  MaxAggregationInterval:
    type: integer
  TrafficType:
    enum:
    - ACCEPT
    - REJECT
    - ALL
    type: string
  state:
    type: boolean
  type:
    enum:
    - set-flow-log

Permissions - ec2:CreateFlowLogs, logs:CreateLogGroup