aws.vpc

Filters

dhcp-options

Filter VPCs based on their DHCP options

example:

policies:
  - name: vpcs-in-domain
    resource: vpc
    filters:
      - type: dhcp-options
        domain-name: ec2.internal

If an option value is specified as a list, then all elements must be present. If an option value is specified as a string, then that string must be present.

VPCs that do not match a given option value can be found by specifying present: false.
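The string form, the list form and present: false, shown together in an added example that is not part of the Cloud Custodian documentation. The policy names and the NTP addresses are constructed; AmazonProvidedDNS is the value AWS uses for its own resolver in a DHCP option set.

```yaml
policies:
  # String form with present: false: VPCs whose DHCP option set
  # does not list the Amazon-provided resolver.
  - name: vpcs-without-amazon-dns
    resource: vpc
    filters:
      - type: dhcp-options
        domain-name-servers: AmazonProvidedDNS
        present: false

  # List form: every listed element must be present in the option set.
  # Addresses are constructed sample values.
  - name: vpcs-with-approved-ntp
    resource: vpc
    filters:
      - type: dhcp-options
        ntp-servers:
          - 10.0.0.10
          - 10.0.0.11
```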

properties:
  domain-name:
    oneOf:
    - items:
        type: string
      type: array
    - type: string
  domain-name-servers:
    oneOf:
    - items:
        type: string
      type: array
    - type: string
  ntp-servers:
    oneOf:
    - items:
        type: string
      type: array
    - type: string
  present:
    type: boolean
  type:
    enum:
    - dhcp-options
required:
- type

Permissions - ec2:DescribeDhcpOptions

internet-gateway

Filter VPCs based on Internet Gateway attributes

example:

policies:
  - name: vpc-by-igw
    resource: vpc
    filters:
      - type: internet-gateway
        key: tag:Color
        value: Gray

properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - internet-gateway
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - ec2:DescribeInternetGateways

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

nat-gateway

Filter VPCs based on NAT Gateway attributes

example:

policies:
  - name: vpc-by-nat
    resource: vpc
    filters:
      - type: nat-gateway
        key: tag:Color
        value: Gray

properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - nat-gateway
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - ec2:DescribeNatGateways

security-group

Filter VPCs based on Security Group attributes

example:

policies:
  - name: vpc-by-sg
    resource: vpc
    filters:
      - type: security-group
        key: tag:Color
        value: Gray

properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - security-group
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - ec2:DescribeSecurityGroups

subnet

Filter VPCs based on Subnet attributes

example:

policies:
  - name: vpc-by-subnet
    resource: vpc
    filters:
      - type: subnet
        key: tag:Color
        value: Gray

properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - subnet
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - ec2:DescribeSubnets

vpc-attributes

Filter VPCs based on their DNS attributes

example:

policies:
  - name: dns-hostname-enabled
    resource: vpc
    filters:
      - type: vpc-attributes
        dnshostnames: True

properties:
  addressusage:
    type: boolean
  dnshostnames:
    type: boolean
  dnssupport:
    type: boolean
  type:
    enum:
    - vpc-attributes
required:
- type

Permissions - ec2:DescribeVpcAttribute

vpc-endpoint

Filter VPCs based on their VPC endpoints

example:

policies:
  - name: s3-vpc-endpoint-enabled
    resource: vpc
    filters:
      - type: vpc-endpoint
        key: ServiceName
        value: com.amazonaws.us-east-1.s3

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - vpc-endpoint
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - ec2:DescribeVpcEndpoints, tag:GetResources

Actions

delete-empty

Delete an empty VPC

For example, to delete an empty VPC:

example:

policies:
  - name: aws-ec2-vpc-delete
    resource: vpc
    actions:
      - type: delete-empty

properties:
  type:
    enum:
    - delete-empty
required:
- type

Permissions - ec2:DeleteVpc

modify

Modify VPC settings

properties:
  addressusage:
    type: boolean
  dnshostnames:
    type: boolean
  dnssupport:
    type: boolean
  type:
    enum:
    - modify
required:
- type

Permissions - ec2:ModifyVpcAttribute
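
The modify action has no example above. The following added example, which is not from the Cloud Custodian documentation, pairs it with the vpc-attributes filter. The policy name is constructed, and the two filter entries rely on Custodian's default of AND-ing the entries in a filters list.

```yaml
policies:
  # Select VPCs that already resolve DNS but do not assign DNS hostnames,
  # then enable DNS hostnames on them.
  - name: vpc-enable-dns-hostnames
    resource: vpc
    filters:
      - type: vpc-attributes
        dnssupport: true
      - type: vpc-attributes
        dnshostnames: false
    actions:
      - type: modify
        dnshostnames: true
```

Running this policy needs both ec2:DescribeVpcAttribute for the filter and ec2:ModifyVpcAttribute for the action.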

set-flow-log

Set flow logs for a network resource

example:

policies:
  - name: vpc-enable-flow-logs
    resource: vpc
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        attrs:
          DeliverLogsPermissionArn: arn:iam:role
          LogGroupName: /custodian/vpc/flowlogs/

attrs are passed through to create_flow_logs and follow the API documentation:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2/client/create_flow_logs.html

properties:
  DeliverLogsPermissionArn:
    type: string
  LogDestination:
    type: string
  LogDestinationType:
    enum:
    - s3
    - cloud-watch-logs
  LogFormat:
    type: string
  LogGroupName:
    type: string
  MaxAggregationInterval:
    type: integer
  TrafficType:
    enum:
    - ACCEPT
    - REJECT
    - ALL
    type: string
  attrs:
    type: object
  state:
    type: boolean
  type:
    enum:
    - set-flow-log
required:
- type

Permissions - ec2:CreateFlowLogs, logs:CreateLogGroup
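
The example above delivers to CloudWatch Logs. This is an added variant, not part of the Cloud Custodian documentation, that delivers to S3 using the LogDestinationType, LogDestination, TrafficType and MaxAggregationInterval attributes from the schema. The policy name and bucket ARN are placeholders.

```yaml
policies:
  - name: vpc-flow-logs-to-s3
    resource: vpc
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        attrs:
          LogDestinationType: s3
          # Placeholder ARN: substitute the bucket that archives your logs.
          LogDestination: arn:aws:s3:::example-flow-log-bucket
          # Record accepted and rejected traffic so that denied
          # connection attempts are visible alongside allowed flows.
          TrafficType: ALL
          # Aggregation window in seconds; the API accepts 60 or 600.
          MaxAggregationInterval: 60
```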