aws.vpc
Filters
dhcp-options
Filter VPCs based on their dhcp options
- example:
if an option value is specified as a list, then all elements must be present. if an option value is specified as a string, then that string must be present.
vpcs not matching a given option value can be found via specifying a present: false parameter.
properties:
domain-name:
oneOf:
- items:
type: string
type: array
- type: string
domain-name-servers:
oneOf:
- items:
type: string
type: array
- type: string
ntp-servers:
oneOf:
- items:
type: string
type: array
- type: string
present:
type: boolean
type:
enum:
- dhcp-options
required:
- type
Permissions - ec2:DescribeDhcpOptions
internet-gateway
Filter VPCs based on Internet Gateway attributes
- example:
policies:
- name: vpc-by-igw
resource: vpc
filters:
- type: internet-gateway
key: tag:Color
value: Gray
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
operator:
enum:
- and
- or
type:
enum:
- internet-gateway
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - ec2:DescribeInternetGateways
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
nat-gateway
Filter VPCs based on NAT Gateway attributes
- example:
policies:
- name: vpc-by-nat
resource: vpc
filters:
- type: nat-gateway
key: tag:Color
value: Gray
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
operator:
enum:
- and
- or
type:
enum:
- nat-gateway
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - ec2:DescribeNatGateways
security-group
Filter VPCs based on Security Group attributes
- example:
policies:
- name: vpc-by-sg
resource: vpc
filters:
- type: security-group
key: tag:Color
value: Gray
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
operator:
enum:
- and
- or
type:
enum:
- security-group
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - ec2:DescribeSecurityGroups
subnet
Filter VPCs based on Subnet attributes
- example:
policies:
- name: vpc-by-subnet
resource: vpc
filters:
- type: subnet
key: tag:Color
value: Gray
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
operator:
enum:
- and
- or
type:
enum:
- subnet
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - ec2:DescribeSubnets
vpc-attributes
Filters VPCs based on their DNS attributes
- example:
policies:
- name: dns-hostname-enabled
resource: vpc
filters:
- type: vpc-attributes
dnshostnames: True
properties:
addressusage:
type: boolean
dnshostnames:
type: boolean
dnssupport:
type: boolean
type:
enum:
- vpc-attributes
required:
- type
Permissions - ec2:DescribeVpcAttribute
vpc-endpoint
Filters vpcs based on their vpc-endpoints
- example:
policies:
- name: s3-vpc-endpoint-enabled
resource: vpc
filters:
- type: vpc-endpoint
key: ServiceName
value: com.amazonaws.us-east-1.s3
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- vpc-endpoint
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - ec2:DescribeVpcEndpoints, tag:GetResources
Actions
delete-empty
Delete an empty VPC
For example, if you want to delete an empty VPC
- example:
- name: aws-ec2-vpc-delete resource: vpc actions: - type: delete-empty
properties:
type:
enum:
- delete-empty
required:
- type
Permissions - ec2:DeleteVpc
modify
Modify vpc settings
properties:
addressusage:
type: boolean
dnshostnames:
type: boolean
dnssupport:
type: boolean
type:
enum:
- modify
required:
- type
Permissions - ec2:ModifyVpcAttribute
set-flow-log
Set flow logs for a network resource
- example:
policies:
- name: vpc-enable-flow-logs
resource: vpc
filters:
- type: flow-logs
enabled: false
actions:
- type: set-flow-log
attrs:
DeliverLogsPermissionArn: arn:iam:role
LogGroupName: /custodian/vpc/flowlogs/
attrs are passed through to create_flow_log and are per the api documentation
properties:
DeliverLogsPermissionArn:
type: string
LogDestination:
type: string
LogDestinationType:
enum:
- s3
- cloud-watch-logs
LogFormat:
type: string
LogGroupName:
type: string
MaxAggregationInterval:
type: integer
TrafficType:
enum:
- ACCEPT
- REJECT
- ALL
type: string
attrs:
type: object
state:
type: boolean
type:
enum:
- set-flow-log
required:
- type
Permissions - ec2:CreateFlowLogs, logs:CreateLogGroup