aws.vpc¶
Filters¶
dhcp-options¶
Filter VPCs based on their dhcp options
- example
policies: - name: vpcs-in-domain resource: vpc filters: - type: dhcp-options domain-name: ec2.internal
if an option value is specified as a list, then all elements must be present. if an option value is specified as a string, then that string must be present.
vpcs not matching a given option value can be found via specifying a present: false parameter.
properties:
domain-name:
oneOf:
- items:
type: string
type: array
- type: string
domain-name-servers:
oneOf:
- items:
type: string
type: array
- type: string
ntp-servers:
oneOf:
- items:
type: string
type: array
- type: string
present:
type: boolean
type:
enum:
- dhcp-options
required:
- type
Permissions - ec2:DescribeDhcpOptions
flow-logs¶
Are flow logs enabled on the resource.
ie to find all vpcs with flows logs disabled we can do this
- example
policies:
- name: flow-logs-enabled
resource: vpc
filters:
- flow-logs
or to find all vpcs with flow logs but that don’t match a particular configuration.
- example
policies:
- name: flow-mis-configured
resource: vpc
filters:
- not:
- type: flow-logs
enabled: true
set-op: or
op: equal
# equality operator applies to following keys
traffic-type: all
status: active
log-group: vpc-logs
properties:
deliver-status:
enum:
- success
- failure
destination:
type: string
destination-type:
enum:
- s3
- cloud-watch-logs
enabled:
default: false
type: boolean
log-format:
type: string
log-group:
type: string
op:
default: equal
enum:
- equal
- not-equal
set-op:
default: or
enum:
- or
- and
status:
enum:
- active
traffic-type:
enum:
- accept
- reject
- all
type:
enum:
- flow-logs
required:
- type
Permissions - ec2:DescribeFlowLogs
internet-gateway¶
Filter VPCs based on Internet Gateway attributes
- example
policies:
- name: vpc-by-igw
resource: vpc
filters:
- type: internet-gateway
key: tag:Color
value: Gray
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
operator:
enum:
- and
- or
type:
enum:
- internet-gateway
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - ec2:DescribeInternetGateways
json-diff¶
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
nat-gateway¶
Filter VPCs based on NAT Gateway attributes
- example
policies:
- name: vpc-by-nat
resource: vpc
filters:
- type: nat-gateway
key: tag:Color
value: Gray
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
operator:
enum:
- and
- or
type:
enum:
- nat-gateway
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - ec2:DescribeNatGateways
security-group¶
Filter VPCs based on Security Group attributes
- example
policies:
- name: vpc-by-sg
resource: vpc
filters:
- type: security-group
key: tag:Color
value: Gray
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
operator:
enum:
- and
- or
type:
enum:
- security-group
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - ec2:DescribeSecurityGroups
subnet¶
Filter VPCs based on Subnet attributes
- example
policies:
- name: vpc-by-subnet
resource: vpc
filters:
- type: subnet
key: tag:Color
value: Gray
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
operator:
enum:
- and
- or
type:
enum:
- subnet
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - ec2:DescribeSubnets
vpc-attributes¶
Filters VPCs based on their DNS attributes
- example
policies:
- name: dns-hostname-enabled
resource: vpc
filters:
- type: vpc-attributes
dnshostnames: True
properties:
dnshostnames:
type: boolean
dnssupport:
type: boolean
type:
enum:
- vpc-attributes
required:
- type
Permissions - ec2:DescribeVpcAttribute
vpc-endpoint¶
Filters vpcs based on their vpc-endpoints
- example
policies:
- name: s3-vpc-endpoint-enabled
resource: vpc
filters:
- type: vpc-endpoint
key: ServiceName
value: com.amazonaws.us-east-1.s3
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- vpc-endpoint
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - ec2:DescribeVpcEndpoints
Actions¶
set-flow-log¶
Create flow logs for a network resource
- example
policies:
- name: vpc-enable-flow-logs
resource: vpc
filters:
- type: flow-logs
enabled: false
actions:
- type: set-flow-log
DeliverLogsPermissionArn: arn:iam:role
LogGroupName: /custodian/vpc/flowlogs/
properties:
DeliverLogsPermissionArn:
type: string
LogDestination:
type: string
LogDestinationType:
enum:
- s3
- cloud-watch-logs
LogFormat:
type: string
LogGroupName:
type: string
MaxAggregationInterval:
type: integer
TrafficType:
enum:
- ACCEPT
- REJECT
- ALL
type: string
state:
type: boolean
type:
enum:
- set-flow-log
Permissions - ec2:CreateFlowLogs, logs:CreateLogGroup