aws.vpc-endpoint¶
Filters¶
cross-account¶
Check a resource’s embedded iam policy for cross account access.
properties:
actions:
items:
type: string
type: array
everyone_only:
type: boolean
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_conditions:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
whitelist_orgids:
items:
type: string
type: array
whitelist_orgids_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
whitelist_vpc:
items:
type: string
type: array
whitelist_vpc_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
whitelist_vpce:
items:
type: string
type: array
whitelist_vpce_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
required:
- type
Permissions - ec2:DescribeVpcEndpoints
has-statement¶
Find resources with matching endpoint policy statements.
- example:
policies:
- name: vpc-endpoint-policy
resource: aws.vpc-endpoint
filters:
- type: has-statement
statements:
- Action: "*"
Effect: "Allow"
properties:
statement_ids:
items:
type: string
type: array
statements:
items:
properties:
Action:
anyOf:
- type: string
- type: array
Condition:
type: object
Effect:
enum:
- Allow
- Deny
type: string
NotAction:
anyOf:
- type: string
- type: array
NotPrincipal:
anyOf:
- type: object
- type: array
NotResource:
anyOf:
- type: string
- type: array
Principal:
anyOf:
- type: string
- type: object
- type: array
Resource:
anyOf:
- type: string
- type: array
Sid:
type: string
required:
- Effect
type: object
type: array
type:
enum:
- has-statement
required:
- type
Permissions - ec2:DescribeVpcEndpoints
json-diff¶
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory