GCP Common Filters¶
Filters
access-approval¶
Filter Resources based on access approval configuration
- name: project-access-approval
resource: gcp.project
filters:
- type: access-approval
key: enrolledServices.cloudProduct
value: "all"
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- access-approval
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
alerts¶
GCP Filter to find Alerts for a Log Metric Filter.
- name: log-metric-filter-has-alert
resource: gcp.log-project-metric
filters:
- type: alerts
properties:
type:
enum:
- alerts
required:
- type
bucket¶
Allows filtering on the bucket targeted by the log sink. If the sink does not target a bucket it does not match this filter.
https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.sinks https://cloud.google.com/storage/docs/json_api/v1/buckets#resource
- example:
Find Sinks that target a bucket which is not using Bucket Lock
policies:
- name: sink-target-bucket-not-locked
resource: gcp.log-project-sink
filters:
- type: bucket
key: retentionPolicy.isLocked
op: ne
value: true
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- bucket
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
compute-meta¶
Allows filtering on project-level compute metadata including common instance metadata and quotas.
- example:
Find Projects that have not enabled OS Login for compute instances
policies:
- name: project-compute-os-login-not-enabled
resource: gcp.project
filters:
- type: compute-meta
key: "commonInstanceMetadata.items[?key==`enable-oslogin`].value | [0]"
op: ne
value_type: normalize
value: true
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- compute-meta
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
effective-firewall¶
Filters instances by their effective firewall rules. See getEffectiveFirewalls for valid fields.
- example:
Filter all instances that have a firewall rule that allows public acess
policies:
- name: find-publicly-accessable-instances
resource: gcp.instance
filters:
- type: effective-firewall
key: firewalls[*].sourceRanges[]
op: contains
value: "0.0.0.0/0"
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- effective-firewall
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
essential-contacts¶
Filter Resources based on essential contacts configuration
- name: org-essential-contacts
resource: gcp.organization
filters:
- type: essential-contacts
count: 2
count_op: gte
attrs:
- validationState: VALID
- type: value
key: notificationCategorySubscriptions
value: TECHNICAL
op: contains
properties:
attrs:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
- additional_properties: false
properties:
and:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
or:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
not:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
type: array
count:
type: number
count_op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- essential-contacts
required:
- type
event¶
Filter a resource based on an event.
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- event
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
list-item¶
Perform multi attribute filtering on items within a list, for example looking for security groups that have rules which include 0.0.0.0/0 and port 22 open.
- example:
policies:
- name: security-group-with-22-open-to-world
resource: aws.security-group
filters:
- type: list-item
key: IpPermissions
attrs:
- type: value
key: IpRanges[].CidrIp
value: '0.0.0.0/0'
op: in
value_type: swap
- type: value
key: FromPort
value: 22
- type: value
key: ToPort
value: 22
- name: find-task-def-not-using-registry
resource: aws.ecs-task-definition
filters:
- not:
- type: list-item
key: containerDefinitions
attrs:
- not:
- type: value
key: image
value: "${account_id}.dkr.ecr.us-east-2.amazonaws.com.*"
op: regex
properties:
attrs:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
- additional_properties: false
properties:
and:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
or:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
not:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
type: array
count:
type: number
count_op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
key:
type: string
type:
enum:
- list-item
required:
- type
offhour¶
Schedule offhours for resources see offhours for features and configuration.
properties:
default_tz:
type: string
fallback-schedule:
type: string
fallback_schedule:
type: string
offhour:
maximum: 23
minimum: 0
type: integer
opt-out:
type: boolean
skip-days:
items:
pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
type: string
type: array
skip-days-from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
tag:
type: string
type:
enum:
- offhour
weekends:
type: boolean
weekends-only:
type: boolean
required:
- offhour
- default_tz
- type
onhour¶
Schedule offhours for resources see offhours for features and configuration.
properties:
default_tz:
type: string
fallback-schedule:
type: string
fallback_schedule:
type: string
onhour:
maximum: 23
minimum: 0
type: integer
opt-out:
type: boolean
skip-days:
items:
pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
type: string
type: array
skip-days-from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
tag:
type: string
type:
enum:
- onhour
weekends:
type: boolean
weekends-only:
type: boolean
required:
- onhour
- default_tz
- type
recommend¶
Use GCP Resource Recommendations to filter resources
for a complete list and applicable resource types see https://cloud.google.com/recommender/docs/recommenders
ie. find idle compute disks to snapshot and delete.
- example:
policies:
- name: gcp-unused-disk
resource: gcp.disk
filters:
- type: recommend
id: google.compute.disk.IdleResourceRecommender
actions:
- snapshot
- delete
properties:
id:
type: string
type:
enum:
- recommend
required:
- id
reduce¶
Generic reduce filter to group, sort, and limit your resources.
This example will select the longest running instance from each ASG, then randomly choose 10% of those, maxing at 15 total instances.
- example:
- name: oldest-instance-by-asg
resource: ec2
filters:
- "tag:aws:autoscaling:groupName": present
- type: reduce
group-by: "tag:aws:autoscaling:groupName"
sort-by: "LaunchTime"
order: asc
limit: 1
Or you might want to randomly select a 10 percent of your resources, but no more than 15.
- example:
- name: random-selection
resource: ec2
filters:
- type: reduce
order: randomize
limit: 15
limit-percent: 10
properties:
discard:
minimum: 0
type: number
discard-percent:
maximum: 100
minimum: 0
type: number
group-by:
oneOf:
- type: string
- key:
type: string
type: object
value_regex: string
value_type:
enum:
- string
- number
- date
limit:
minimum: 0
type: number
limit-percent:
maximum: 100
minimum: 0
type: number
null-order:
enum:
- first
- last
order:
enum:
- asc
- desc
- reverse
- randomize
sort-by:
oneOf:
- type: string
- key:
type: string
type: object
value_regex: string
value_type:
enum:
- string
- number
- date
type:
enum:
- reduce
required:
- type
scc-findings¶
Filters resources based on their Security Command Center (SCC) findings.
- name: bucket-contains-high-finding
resource: gcp.bucket
filters:
- type: scc-findings
org: 11111111111111
key: severity
value: HIGH
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
org:
type: integer
type:
enum:
- scc-findings
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- org
- type
value¶
Generic value filter using jmespath
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- value
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type