c7n.resources package

Submodules

c7n.resources.account module

AWS Account as a custodian resource.

class c7n.resources.account.Account(ctx, data)

Bases: c7n.manager.ResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_arns(resources)

get_model()

Returns the resource meta-model.

classmethod get_permissions()

get_resources(resource_ids)

Retrieve a set of resources by id.

classmethod has_arn()

class resource_type

Bases: object

filter_name = None

id = 'account_id'

name = 'account_name'

resources()

type = 'account'

class c7n.resources.account.AccountCredentialReport(data, manager=None)

Bases: c7n.resources.iam.CredentialReport

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'credential'

class c7n.resources.account.AccountPasswordPolicy(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Check an account’s password policy.

Note that on top of the default password policy fields, we also add an extra key, PasswordPolicyConfigured which will be set to true or false to signify if the given account has attempted to set a policy at all.

Example

policies:
  - name: password-policy-check
    resource: account
    region: us-east-1
    filters:
      - type: password-policy
        key: MinimumPasswordLength
        value: 10
        op: ge
      - type: password-policy
        key: RequireSymbols
        value: true

permissions = ('iam:GetAccountPasswordPolicy',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['password-policy']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'password-policy'

class c7n.resources.account.CloudTrailEnabled(data, manager=None)

Bases: c7n.filters.core.Filter

Verify cloud trail enabled for this account per specifications.

Returns an annotated account resource if trail is not enabled.

Of particular note, the current-region option will evaluate whether cloudtrail is available in the current region, either as a multi region trail or as a trail with it as the home region.

Example

policies:
  - name: account-cloudtrail-enabled
    resource: account
    region: us-east-1
    filters:
      - type: check-cloudtrail
        global-events: true
        multi-region: true
        running: true

permissions = ('cloudtrail:DescribeTrails', 'cloudtrail:GetTrailStatus')

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'current-region': {'type': 'boolean'}, 'file-digest': {'type': 'boolean'}, 'global-events': {'type': 'boolean'}, 'kms': {'type': 'boolean'}, 'kms-key': {'type': 'string'}, 'multi-region': {'type': 'boolean'}, 'notifies': {'type': 'boolean'}, 'running': {'type': 'boolean'}, 'type': {'enum': ['check-cloudtrail']}}, 'required': ['type'], 'type': 'object'}

type = 'check-cloudtrail'

class c7n.resources.account.ConfigEnabled(data, manager=None)

Bases: c7n.filters.core.Filter

Is config service enabled for this account

Example

policies:
  - name: account-check-config-services
    resource: account
    region: us-east-1
    filters:
      - type: check-config
        all-resources: true
        global-resources: true
        running: true

permissions = ('config:DescribeDeliveryChannels', 'config:DescribeConfigurationRecorders', 'config:DescribeConfigurationRecorderStatus')

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'all-resources': {'type': 'boolean'}, 'global-resources': {'type': 'boolean'}, 'running': {'type': 'boolean'}, 'type': {'enum': ['check-config']}}, 'required': ['type'], 'type': 'object'}

type = 'check-config'

class c7n.resources.account.EnableDataEvents(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Ensure all buckets in account are setup to log data events.

Note this works via a single trail for data events per https://aws.amazon.com/about-aws/whats-new/2017/09/aws-cloudtrail-enables-option-to-add-all-amazon-s3-buckets-to-data-events/

This trail should NOT be used for api management events, the configuration here is soley for data events. If directed to create a trail this will do so without management events.

Example

policies:
  - name: s3-enable-data-events-logging
    resource: account
    actions:
     - type: enable-data-events
       data-trail:
         name: s3-events
         multi-region: us-east-1

add_data_trail(client, trail_cfg)

get_permissions()

process(resources)

schema = {'additionalProperties': False, 'properties': {'data-trail': {'additionalProperties': False, 'properties': {'create': {'title': 'Should we create trail if needed for events?', 'type': 'boolean'}, 'key-id': {'title': 'If creating, Enable kms on the trail', 'type': 'string'}, 'multi-region': {'title': 'If creating, use this region for all data trails', 'type': 'string'}, 'name': {'title': 'The name of the event trail', 'type': 'string'}, 's3-bucket': {'title': 'If creating, the bucket to store trail event data', 'type': 'string'}, 's3-prefix': {'type': 'string'}, 'topic': {'title': 'If creating, the sns topic for the trail to send updates', 'type': 'string'}, 'type': {'enum': ['ReadOnly', 'WriteOnly', 'All']}}, 'required': ['name'], 'type': 'object'}, 'type': {'enum': ['enable-data-events']}}, 'required': ['data-trail', 'type'], 'type': 'object'}

type = 'enable-data-events'

validate()

class c7n.resources.account.EnableTrail(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Enables logging on the trail(s) named in the policy

Example

policies:
  - name: trail-test
    description: Ensure CloudTrail logging is enabled
    resource: account
    actions:
      - type: enable-cloudtrail
        trail: mytrail
        bucket: trails

permissions = ('cloudtrail:CreateTrail', 'cloudtrail:DescribeTrails', 'cloudtrail:GetTrailStatus', 'cloudtrail:StartLogging', 'cloudtrail:UpdateTrail', 's3:CreateBucket', 's3:GetBucketPolicy', 's3:PutBucketPolicy')

process(accounts)

Create or enable CloudTrail

schema = {'additionalProperties': False, 'properties': {'bucket': {'type': 'string'}, 'bucket-region': {'type': 'string'}, 'file-digest': {'type': 'boolean'}, 'global-events': {'type': 'boolean'}, 'kms': {'type': 'boolean'}, 'kms-key': {'type': 'string'}, 'multi-region': {'type': 'boolean'}, 'notify': {'type': 'string'}, 'trail': {'type': 'string'}, 'type': {'enum': ['enable-cloudtrail']}}, 'required': ('bucket',), 'type': 'object'}

type = 'enable-cloudtrail'

class c7n.resources.account.GuardDutyEnabled(data, manager=None)

Bases: c7n.filters.multiattr.MultiAttrFilter

Check if the guard duty service is enabled.

This allows looking at account’s detector and its associated master if any.

Example

Check to ensure guard duty is active on account and associated to a master.

policies:
  - name: guardduty-enabled
    resource: account
    filters:
      - type: guard-duty
        Detector.Status: ENABLED
        Master.AccountId: "00011001"
        Master.RelationshipStatus: ENABLED

annotation = 'c7n:guard-duty'

get_target(resource)

Return the resource, or related resource that should be attribute matched.

permissions = ('guardduty:GetMasterAccount', 'guardduty:ListDetectors', 'guardduty:GetDetector')

schema = {'additionalProperties': False, 'patternProperties': {'^Detector': {'oneOf': [{'type': 'object'}, {'type': 'string'}]}, '^Master': {'oneOf': [{'type': 'object'}, {'type': 'string'}]}}, 'properties': {'match-operator': {'enum': ['or', 'and']}, 'type': {'enum': ['guard-duty']}}, 'type': 'object'}

type = 'guard-duty'

validate()

validate filter config, return validation error or self

class c7n.resources.account.HasVirtualMFA(data, manager=None)

Bases: c7n.filters.core.Filter

Is the account configured with a virtual MFA device?

Example

policies:
    - name: account-with-virtual-mfa
      resource: account
      region: us-east-1
      filters:
        - type: has-virtual-mfa
          value: true

account_has_virtual_mfa(account)

mfa_belongs_to_root_account(mfa)

permissions = ('iam:ListVirtualMFADevices',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['has-virtual-mfa']}, 'value': {'type': 'boolean'}}, 'required': ['type'], 'type': 'object'}

type = 'has-virtual-mfa'

class c7n.resources.account.IAMSummary(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Return annotated account resource if iam summary filter matches.

Some use cases include, detecting root api keys or mfa usage.

Example iam summary wrt to matchable fields:

{
      "AccessKeysPerUserQuota": 2,
      "AccountAccessKeysPresent": 0,
      "AccountMFAEnabled": 1,
      "AccountSigningCertificatesPresent": 0,
      "AssumeRolePolicySizeQuota": 2048,
      "AttachedPoliciesPerGroupQuota": 10,
      "AttachedPoliciesPerRoleQuota": 10,
      "AttachedPoliciesPerUserQuota": 10,
      "GroupPolicySizeQuota": 5120,
      "Groups": 1,
      "GroupsPerUserQuota": 10,
      "GroupsQuota": 100,
      "InstanceProfiles": 0,
      "InstanceProfilesQuota": 100,
      "MFADevices": 3,
      "MFADevicesInUse": 2,
      "Policies": 3,
      "PoliciesQuota": 1000,
      "PolicySizeQuota": 5120,
      "PolicyVersionsInUse": 5,
      "PolicyVersionsInUseQuota": 10000,
      "Providers": 0,
      "RolePolicySizeQuota": 10240,
      "Roles": 4,
      "RolesQuota": 250,
      "ServerCertificates": 0,
      "ServerCertificatesQuota": 20,
      "SigningCertificatesPerUserQuota": 2,
      "UserPolicySizeQuota": 2048,
      "Users": 5,
      "UsersQuota": 5000,
      "VersionsPerPolicyQuota": 5,
  }

For example to determine if an account has either not been enabled with root mfa or has root api keys.

policies:
  - name: root-keys-or-no-mfa
    resource: account
    filters:
      - type: iam-summary
        key: AccountMFAEnabled
        value: true
        op: eq
        value_type: swap

permissions = ('iam:GetAccountSummary',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['iam-summary']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'iam-summary'

class c7n.resources.account.RequestLimitIncrease(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

File support ticket to raise limit.

Example

policies:
  - name: account-service-limits
    resource: account
    filters:
      - type: service-limit
        services:
          - EBS
        limits:
          - Provisioned IOPS (SSD) storage (GiB)
        threshold: 60.5
    actions:
      - type: request-limit-increase
        notify: [email, email2]
        ## You can use one of either percent-increase or an amount-increase.
        percent-increase: 50
        message: "Please raise the below account limit(s); \n {limits}"

default_severity = 'normal'

default_subject = '[Account:{account}]Raise the following limit(s) of {service} in {region}'

default_template = 'Please raise the below account limit(s); \n {limits}'

permissions = ('support:CreateCase',)

process(resources)

schema = {'notify': {'type': 'array'}, 'oneOf': [{'required': ['type', 'percent-increase']}, {'required': ['type', 'amount-increase']}], 'properties': {'amount-increase': {'minimum': 1, 'type': 'number'}, 'message': {'type': 'string'}, 'minimum-increase': {'minimum': 1, 'type': 'number'}, 'percent-increase': {'minimum': 1, 'type': 'number'}, 'severity': {'enum': ['urgent', 'high', 'normal', 'low'], 'type': 'string'}, 'subject': {'type': 'string'}, 'type': {'enum': ['request-limit-increase']}}, 'type': 'object'}

service_code_mapping = {'AutoScaling': 'auto-scaling', 'CloudFormation': 'aws-cloudformation', 'EBS': 'amazon-elastic-block-store', 'EC2': 'amazon-elastic-compute-cloud-linux', 'ELB': 'elastic-load-balancing', 'IAM': 'aws-identity-and-access-management', 'Kinesis': 'amazon-kinesis', 'RDS': 'amazon-relational-database-service-aurora', 'VPC': 'amazon-virtual-private-cloud'}

type = 'request-limit-increase'

class c7n.resources.account.S3PublicBlock(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Check for s3 public blocks on an account.

https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html

annotate = False

annotation_key = 'c7n:s3-public-block'

augment(resources)

permissions = ('s3:GetAccountPublicAccessBlock',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['s3-public-block']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 's3-public-block'

class c7n.resources.account.ServiceLimit(data, manager=None)

Bases: c7n.filters.core.Filter

Check if account’s service limits are past a given threshold.

Supported limits are per trusted advisor, which is variable based on usage in the account and support level enabled on the account.

• service: AutoScaling limit: Auto Scaling groups

• service: AutoScaling limit: Launch configurations

• service: EBS limit: Active snapshots

• service: EBS limit: Active volumes

• service: EBS limit: General Purpose (SSD) volume storage (GiB)

• service: EBS limit: Magnetic volume storage (GiB)

• service: EBS limit: Provisioned IOPS

• service: EBS limit: Provisioned IOPS (SSD) storage (GiB)

• service: EC2 limit: Elastic IP addresses (EIPs)

# Note this is extant for each active instance type in the account # however the total value is against sum of all instance types. # see issue https://github.com/cloud-custodian/cloud-custodian/issues/516

• service: EC2 limit: On-Demand instances - m3.medium

• service: EC2 limit: Reserved Instances - purchase limit (monthly)

• service: ELB limit: Active load balancers

• service: IAM limit: Groups

• service: IAM limit: Instance profiles

• service: IAM limit: Roles

• service: IAM limit: Server certificates

• service: IAM limit: Users

• service: RDS limit: DB instances

• service: RDS limit: DB parameter groups

• service: RDS limit: DB security groups

• service: RDS limit: DB snapshots per user

• service: RDS limit: Storage quota (GB)

• service: RDS limit: Internet gateways

• service: SES limit: Daily sending quota

• service: VPC limit: VPCs

• service: VPC limit: VPC Elastic IP addresses (EIPs)

Example

policies:
  - name: account-service-limits
    resource: account
    filters:
      - type: service-limit
        services:
          - EC2
        threshold: 1.0
  - name: specify-region-for-global-service
    region: us-east-1
    resource: account
    filters:
      - type: service-limit
        services:
          - IAM
        limits:
          - Roles

check_id = 'eW7HH0l7J9'

check_limit = ('region', 'service', 'check', 'limit', 'extant', 'color')

global_services = {'IAM'}

permissions = ('support:DescribeTrustedAdvisorCheckResult',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'limits': {'items': {'type': 'string'}, 'type': 'array'}, 'refresh_period': {'type': 'integer'}, 'services': {'items': {'enum': ['EC2', 'ELB', 'VPC', 'AutoScaling', 'RDS', 'EBS', 'SES', 'IAM']}, 'type': 'array'}, 'threshold': {'type': 'number'}, 'type': {'enum': ['service-limit']}}, 'required': ['type'], 'type': 'object'}

type = 'service-limit'

validate()

validate filter config, return validation error or self

class c7n.resources.account.SetS3PublicBlock(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Configure S3 Public Access Block on an account.

All public access block attributes can be set. If not specified they are merged with the extant configuration.

https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html

Example

permissions = ('s3:PutAccountPublicAccessBlock', 's3:GetAccountPublicAccessBlock')

process(resources)

schema = {'additionalProperties': False, 'properties': {'BlockPublicAcls': {'type': 'boolean'}, 'BlockPublicPolicy': {'type': 'boolean'}, 'IgnorePublicAcls': {'type': 'boolean'}, 'RestrictPublicBuckets': {'type': 'boolean'}, 'state': {'default': True, 'type': 'boolean'}, 'type': {'enum': ['set-s3-public-block']}}, 'required': ['type'], 'type': 'object'}

type = 'set-s3-public-block'

validate()

class c7n.resources.account.SetShieldAdvanced(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Enable/disable Shield Advanced on an account.

permissions = ('shield:CreateSubscription', 'shield:DeleteSubscription')

process(resources)

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['set-shield-advanced']}}, 'required': ['type'], 'type': 'object'}

type = 'set-shield-advanced'

class c7n.resources.account.SetXrayEncryption(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Enable specific xray encryption.

Example

policies:
  - name: xray-default-encrypt
    resource: aws.account
    actions:
      - type: set-xray-encrypt
        key: default
  - name: xray-kms-encrypt
    resource: aws.account
    actions:
      - type: set-xray-encrypt
        key: alias/some/alias/key

permissions = ('xray:PutEncryptionConfig',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'key': {'type': 'string'}, 'type': {'enum': ['set-xray-encrypt']}}, 'required': ['key', 'type'], 'type': 'object'}

type = 'set-xray-encrypt'

class c7n.resources.account.ShieldEnabled(data, manager=None)

Bases: c7n.filters.core.Filter

permissions = ('shield:DescribeSubscription',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['shield-enabled']}}, 'required': ['type'], 'type': 'object'}

type = 'shield-enabled'

class c7n.resources.account.XrayEncrypted(data, manager=None)

Bases: c7n.filters.core.Filter

Determine if xray is encrypted.

Example

policies:
  - name: xray-encrypt-with-default
    resource: aws.account
    filters:
       - type: xray-encrypt-key
         key: default
  - name: xray-encrypt-with-kms
    resource: aws.account
    filters:
       - type: xray-encrypt-key
         key: kms
  - name: xray-encrypt-with-specific-key
    resource: aws.account
    filters:
       - type: xray-encrypt-key
         key: alias/my-alias or arn or keyid

permissions = ('xray:GetEncryptionConfig',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'key': {'type': 'string'}, 'type': {'enum': ['xray-encrypt-key']}}, 'required': ['key', 'type'], 'type': 'object'}

type = 'xray-encrypt-key'

c7n.resources.account.cloudtrail_policy(original, bucket_name, account_id, bucket_region)

add CloudTrail permissions to an S3 policy, preserving existing

c7n.resources.account.get_account(session_factory, config)

c7n.resources.acm module

class c7n.resources.acm.Certificate(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_source(source_type)

class resource_type

Bases: object

config_type = 'AWS::ACM::Certificate'

date = 'CreatedAt'

detail_spec = ('describe_certificate', 'CertificateArn', 'CertificateArn', 'Certificate')

dimension = None

enum_spec = ('list_certificates', 'CertificateSummaryList', None)

filter_name = None

id = 'CertificateArn'

name = 'DomainName'

service = 'acm'

type = 'certificate'

universal_taggable = <object object>

type = 'acm-certificate'

class c7n.resources.acm.CertificateDeleteAction(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete an ACM Certificate To avoid unwanted deletions of certificates, it is recommended to apply a filter to the rule :example:

policies:
  - name: acm-certificate-delete-expired
    resource: acm-certificate
    filters:
      - type: value
        key: NotAfter
        value_type: expiration
        op: lt
        value: 0
    actions:
      - delete

permissions = ('acm:DeleteCertificate',)

process(certificates)

process_cert(client, cert)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.acm.DescribeCertificate(manager)

Bases: c7n.query.DescribeSource

augment(resources)

c7n.resources.ami module

class c7n.resources.ami.AMI(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_source(source_type)

class resource_type

Bases: object

date = 'CreationDate'

detail_spec = None

dimension = None

enum_spec = ('describe_images', 'Images', None)

filter_name = 'ImageIds'

filter_type = 'list'

id = 'ImageId'

name = 'Name'

service = 'ec2'

type = 'image'

resources(query=None)

type = 'ami'

class c7n.resources.ami.AmiCrossAccountFilter(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = ('ec2:DescribeImageAttribute',)

process(resources, event=None)

Bulk process resources and return filtered set.

process_resource_set(client, accounts, resource_set)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['cross-account']}, 'whitelist': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_from': {'additionalProperties': 'False', 'properties': {'expr': {'oneOf': [{'type': 'integer'}, {'type': 'string'}]}, 'format': {'enum': ['csv', 'json', 'txt', 'csv2dict']}, 'url': {'type': 'string'}}, 'required': ['url'], 'type': 'object'}}, 'required': ['type'], 'type': 'object'}

type = 'cross-account'

class c7n.resources.ami.Copy(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to copy AMIs with optional encryption

This action can copy AMIs while optionally encrypting or decrypting the target AMI. It is advised to use in conjunction with a filter.

Note there is a max in flight of 5 per account/region.

Example

policies:
  - name: ami-ensure-encrypted
    resource: ami
    filters:
      - type: value
        key: encrypted
        value: true
    actions:
      - type: copy
        encrypt: true
        key-id: 00000000-0000-0000-0000-000000000000

permissions = ('ec2:CopyImage',)

process(images)

schema = {'additionalProperties': False, 'properties': {'description': {'type': 'string'}, 'encrypt': {'type': 'boolean'}, 'key-id': {'type': 'string'}, 'name': {'type': 'string'}, 'region': {'type': 'string'}, 'type': {'enum': ['copy']}}, 'type': 'object'}

type = 'copy'

class c7n.resources.ami.Deregister(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to deregister AMI

To prevent deregistering all AMI, it is advised to use in conjunction with a filter (such as image-age)

Example

policies:
  - name: ami-deregister-old
    resource: ami
    filters:
      - type: image-age
        days: 90
    actions:
      - deregister

permissions = ('ec2:DeregisterImage',)

process(images)

schema = {'additionalProperties': False, 'properties': {'delete-snapshots': {'type': 'boolean'}, 'type': {'enum': ['deregister']}}, 'required': ['type'], 'type': 'object'}

snap_expr = {'type': 'projection', 'children': [{'type': 'flatten', 'children': [{'type': 'field', 'children': [], 'value': 'BlockDeviceMappings'}]}, {'type': 'subexpression', 'children': [{'type': 'field', 'children': [], 'value': 'Ebs'}, {'type': 'field', 'children': [], 'value': 'SnapshotId'}]}]}

type = 'deregister'

class c7n.resources.ami.DescribeImageSource(manager)

Bases: c7n.query.DescribeSource

get_resources(ids, cache=True)

class c7n.resources.ami.ErrorHandler

Bases: object

static extract_bad_ami(e)

Handle various client side errors when describing images

class c7n.resources.ami.ImageAgeFilter(data, manager=None)

Bases: c7n.filters.core.AgeFilter

Filters images based on the age (in days)

Example

policies:
  - name: ami-remove-launch-permissions
    resource: ami
    filters:
      - type: image-age
        days: 30

date_attribute = 'CreationDate'

schema = {'additionalProperties': False, 'properties': {'days': {'minimum': 0, 'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['image-age']}}, 'required': ['type'], 'type': 'object'}

type = 'image-age'

class c7n.resources.ami.ImageUnusedFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Filters images based on usage

true: image has no instances spawned from it false: image has instances spawned from it

Example

policies:
  - name: ami-unused
    resource: ami
    filters:
      - type: unused
        value: true

get_permissions()

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['unused']}, 'value': {'type': 'boolean'}}, 'required': ['type'], 'type': 'object'}

type = 'unused'

class c7n.resources.ami.RemoveLaunchPermissions(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to remove the ability to launch an instance from an AMI

This action will remove any launch permissions granted to other AWS accounts from the image, leaving only the owner capable of launching it

Example

policies:
  - name: ami-remove-launch-permissions
    resource: ami
    filters:
      - type: image-age
        days: 60
    actions:
      - remove-launch-permissions

permissions = ('ec2:ResetImageAttribute',)

process(images)

process_image(client, image)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['remove-launch-permissions']}}, 'required': ['type'], 'type': 'object'}

type = 'remove-launch-permissions'

c7n.resources.apigw module

class c7n.resources.apigw.DeleteRestIntegration(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete an api integration. Useful if the integration type is a security risk.

Example

permissions = ('apigateway:Delete',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete-integration']}}, 'required': ['type'], 'type': 'object'}

type = 'delete-integration'

class c7n.resources.apigw.DeleteStage(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete an api stage

Example

permissions = ('apigateway:Delete',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.apigw.DescribeRestResource(manager)

Bases: c7n.query.ChildDescribeSource

augment(resources)

get_query()

type = 'describe-rest-resource'

class c7n.resources.apigw.DescribeRestStage(manager)

Bases: c7n.query.ChildDescribeSource

augment(resources)

get_query()

type = 'describe-rest-stage'

class c7n.resources.apigw.FilterRestIntegration(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter rest resources based on a key value for the rest method integration of the api

Example

policies:
  - name: api-method-integrations-with-type-aws
    resource: rest-resource
    filters:
      - type: rest-integration
        key: type
        value: AWS

permissions = ('apigateway:GET',)

process(resources, event=None)

Bulk process resources and return filtered set.

process_task_set(client, task_set)

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'method': {'enum': ['all', 'ANY', 'PUT', 'GET', 'POST', 'DELETE', 'OPTIONS', 'HEAD', 'PATCH'], 'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['rest-integration']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'rest-integration'

class c7n.resources.apigw.FilterRestMethod(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter rest resources based on a key value for the rest method of the api

Example

policies:
  - name: api-without-key-required
    resource: rest-resource
    filters:
      - type: rest-method
        key: apiKeyRequired
        value: false

permissions = ('apigateway:GET',)

process(resources, event=None)

Bulk process resources and return filtered set.

process_task_set(client, task_set)

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'method': {'enum': ['all', 'ANY', 'PUT', 'GET', 'POST', 'DELETE', 'OPTIONS', 'HEAD', 'PATCH'], 'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['rest-method']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'rest-method'

class c7n.resources.apigw.RestAccount(ctx, data)

Bases: c7n.manager.ResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_model()

Returns the resource meta-model.

classmethod get_permissions()

get_resources(resource_ids)

Retrieve a set of resources by id.

classmethod has_arn()

class resource_type

Bases: object

arn = False

dimensions = None

id = 'account_id'

name = 'account_id'

service = 'apigateway'

resources()

type = 'rest-account'

class c7n.resources.apigw.RestApi(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::ApiGateway::RestApi'

date = 'createdDate'

dimension = 'GatewayName'

enum_spec = ('get_rest_apis', 'items', None)

filter_name = None

id = 'id'

name = 'name'

service = 'apigateway'

type = 'restapis'

type = 'rest-api'

class c7n.resources.apigw.RestApiCrossAccount(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = ('apigateway:GET',)

policy_attribute = 'policy'

type = 'cross-account'

class c7n.resources.apigw.RestApiVpcLink(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

dimension = None

enum_spec = ('get_vpc_links', 'items', None)

filter_name = None

id = 'id'

name = 'name'

service = 'apigateway'

type = None

type = 'rest-vpclink'

class c7n.resources.apigw.RestResource(data, options)

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

child_source = 'describe-rest-resource'

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

dimension = None

enum_spec = ('get_resources', 'items', None)

id = 'id'

name = 'path'

parent_spec = ('rest-api', 'restApiId', None)

service = 'apigateway'

type = 'rest-resource'

class c7n.resources.apigw.RestStage(data, options)

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

child_source = 'describe-rest-stage'

filter_registry = <c7n.filters.core.FilterRegistry object>

get_source(source_type)

class resource_type

Bases: object

config_type = 'AWS::ApiGateway::Stage'

date = 'createdDate'

dimension = None

enum_spec = ('get_stages', 'item', None)

id = 'stageName'

name = 'stageName'

parent_spec = ('rest-api', 'restApiId', None)

service = 'apigateway'

type = None

universal_taggable = True

type = 'rest-stage'

class c7n.resources.apigw.UpdateAccount(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Update the cloudwatch role associated to a rest account

Example

policies:
  - name: correct-rest-account-log-role
    resource: rest-account
    filters:
      - cloudwatchRoleArn: arn:aws:iam::000000000000:role/GatewayLogger
    actions:
      - type: update
        patch:
          - op: replace
            path: /cloudwatchRoleArn
            value: arn:aws:iam::000000000000:role/BetterGatewayLogger

permissions = ('apigateway:PATCH',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'patch': {'items': {'additonalProperties': False, 'properties': {'from': {'type': 'string'}, 'op': {'enum': ['add', 'remove', 'update', 'copy', 'replace', 'test']}, 'path': {'type': 'string'}, 'value': {'type': 'string'}}, 'required': ['op', 'path'], 'type': 'object'}, 'type': 'array'}, 'type': {'enum': ['update']}}, 'required': ['patch', 'type'], 'type': 'object'}

type = 'update'

class c7n.resources.apigw.UpdateApi(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Update configuration of a REST API.

Non-exhaustive list of updateable attributes. https://docs.aws.amazon.com/apigateway/api-reference/link-relation/restapi-update/#remarks

Example

contrived example to update description on api gateways

policies:
  - name: apigw-description
    resource: rest-api
    filters:
      - description: empty
    actions:
      - type: update
        patch:
         - op: replace
           path: /description
           value: "not empty :-)"

permissions = ('apigateway:PATCH',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'patch': {'items': {'additonalProperties': False, 'properties': {'from': {'type': 'string'}, 'op': {'enum': ['add', 'remove', 'update', 'copy', 'replace', 'test']}, 'path': {'type': 'string'}, 'value': {'type': 'string'}}, 'required': ['op', 'path'], 'type': 'object'}, 'type': 'array'}, 'type': {'enum': ['update']}}, 'required': ['patch', 'type'], 'type': 'object'}

type = 'update'

class c7n.resources.apigw.UpdateRestIntegration(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Change or remove api integration properties based on key value

Example

permissions = ('apigateway:PATCH',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'patch': {'items': {'additonalProperties': False, 'properties': {'from': {'type': 'string'}, 'op': {'enum': ['add', 'remove', 'update', 'copy', 'replace', 'test']}, 'path': {'type': 'string'}, 'value': {'type': 'string'}}, 'required': ['op', 'path'], 'type': 'object'}, 'type': 'array'}, 'type': {'enum': ['update-integration']}}, 'required': ['patch', 'type'], 'type': 'object'}

type = 'update-integration'

validate()

class c7n.resources.apigw.UpdateRestMethod(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Change or remove api method behaviors based on key value

Example

permissions = ('apigateway:GET',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'patch': {'items': {'additonalProperties': False, 'properties': {'from': {'type': 'string'}, 'op': {'enum': ['add', 'remove', 'update', 'copy', 'replace', 'test']}, 'path': {'type': 'string'}, 'value': {'type': 'string'}}, 'required': ['op', 'path'], 'type': 'object'}, 'type': 'array'}, 'type': {'enum': ['update-method']}}, 'required': ['patch', 'type'], 'type': 'object'}

type = 'update-method'

validate()

class c7n.resources.apigw.UpdateStage(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Update/remove values of an api stage

Example

policies:
  - name: disable-stage-caching
    resource: rest-stage
    filters:
      - methodSettings."*/*".cachingEnabled: true
    actions:
      - type: update
        patch:
          - op: replace
            path: /*/*/caching/enabled
            value: 'false'

permissions = ('apigateway:PATCH',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'patch': {'items': {'additonalProperties': False, 'properties': {'from': {'type': 'string'}, 'op': {'enum': ['add', 'remove', 'update', 'copy', 'replace', 'test']}, 'path': {'type': 'string'}, 'value': {'type': 'string'}}, 'required': ['op', 'path'], 'type': 'object'}, 'type': 'array'}, 'type': {'enum': ['update']}}, 'required': ['patch', 'type'], 'type': 'object'}

type = 'update'

c7n.resources.appelb module

Application Load Balancers

class c7n.resources.appelb.AppELB(data, options)

Bases: c7n.query.QueryResourceManager

Resource manager for v2 ELBs (AKA ALBs).

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_arn(r)

classmethod get_permissions()

get_source(source_type)

class resource_type

Bases: object

config_type = 'AWS::ElasticLoadBalancingV2::LoadBalancer'

date = 'CreatedTime'

dimension = 'LoadBalancer'

enum_spec = ('describe_load_balancers', 'LoadBalancers', None)

filter_name = 'Names'

filter_type = 'list'

id = 'LoadBalancerArn'

name = 'LoadBalancerName'

service = 'elbv2'

type = 'loadbalancer/app'

static retry(func, *args, **kw)

type = 'app-elb'

class c7n.resources.appelb.AppELBAttributeFilterBase

Bases: object

Mixin base class for filters that query LB attributes.

initialize(albs)

class c7n.resources.appelb.AppELBDefaultVpcFilter(data, manager=None)

Bases: c7n.filters.vpc.DefaultVpcBase

Filter all ELB that exist within the default vpc

Example

policies:
  - name: appelb-in-default-vpc
    resource: app-elb
    filters:
      - default-vpc

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['default-vpc']}}, 'required': ['type'], 'type': 'object'}

type = 'default-vpc'

class c7n.resources.appelb.AppELBDeleteAction(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete an ELB

To avoid unwanted deletions of ELB, it is recommended to apply a filter to the rule

Example

policies:
  - name: appelb-delete-failed-elb
    resource: app-elb
    filters:
      - State: failed
    actions:
      - delete

permissions = ('elasticloadbalancing:DeleteLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes')

process(load_balancers)

process_alb(client, alb)

schema = {'additionalProperties': False, 'properties': {'force': {'type': 'boolean'}, 'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.appelb.AppELBHealthCheckProtocolMismatchFilter(data, manager=None)

Bases: c7n.filters.core.Filter, c7n.resources.appelb.AppELBTargetGroupFilterBase

Filter AppELBs with mismatched health check protocols

A mismatched health check protocol is where the protocol on the target group does not match the load balancer health check protocol

Example

policies:
  - name: appelb-healthcheck-mismatch
    resource: app-elb
    filters:
      - healthcheck-protocol-mismatch

permissions = ('elasticloadbalancing:DescribeTargetGroups',)

process(albs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['healthcheck-protocol-mismatch']}}, 'required': ['type'], 'type': 'object'}

type = 'healthcheck-protocol-mismatch'

class c7n.resources.appelb.AppELBListenerFilter(data, manager=None)

Bases: c7n.filters.core.ValueFilter, c7n.resources.appelb.AppELBListenerFilterBase

Filter ALB based on matching listener attributes

Adding the matched flag will filter on previously matched listeners

Example

policies:
  - name: app-elb-invalid-ciphers
    resource: app-elb
    filters:
      - type: listener
        key: Protocol
        value: HTTPS
      - type: listener
        key: SslPolicy
        value: ['ELBSecurityPolicy-TLS-1-1-2017-01','ELBSecurityPolicy-TLS-1-2-2017-01']
        op: ni
        matched: true
    actions:
      - type: modify-listener
        sslpolicy: "ELBSecurityPolicy-TLS-1-2-2017-01"

permissions = ('elasticloadbalancing:DescribeLoadBalancerAttributes',)

process(albs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'matched': {'type': 'boolean'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['listener']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'listener'

validate()

validate filter config, return validation error or self

class c7n.resources.appelb.AppELBListenerFilterBase

Bases: object

Mixin base class for filters that query LB listeners.

initialize(albs)

permissions = ('elasticloadbalancing:DescribeListeners',)

class c7n.resources.appelb.AppELBMarkForOpAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Action to create a delayed action on an ELB to start at a later date

Example

policies:
  - name: appelb-failed-mark-for-op
    resource: app-elb
    filters:
      - "tag:custodian_elb_cleanup": absent
      - State: failed
    actions:
      - type: mark-for-op
        tag: custodian_elb_cleanup
        msg: "AppElb failed: {op}@{action_date}"
        op: delete
        days: 1

batch_size = 1

type = 'mark-for-op'

class c7n.resources.appelb.AppELBModifyListenerPolicy(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to modify the policy for an App ELB

Example

policies:
  - name: appelb-modify-listener
    resource: app-elb
    filters:
      - type: listener
        key: Protocol
        value: HTTP
    actions:
      - type: modify-listener
        protocol: HTTPS
        sslpolicy: "ELBSecurityPolicy-TLS-1-2-2017-01"
        certificate: "arn:aws:acm:region:123456789012:certificate/12345678-                    1234-1234-1234-123456789012"

permissions = ('elasticloadbalancing:ModifyListener',)

process(load_balancers)

schema = {'additionalProperties': False, 'properties': {'certificate': {'type': 'string'}, 'port': {'type': 'integer'}, 'protocol': {'enum': ['HTTP', 'HTTPS']}, 'sslpolicy': {'type': 'string'}, 'type': {'enum': ['modify-listener']}}, 'required': ['type'], 'type': 'object'}

type = 'modify-listener'

validate()

class c7n.resources.appelb.AppELBRemoveTagAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tag/tags from an ELB

Example

policies:
  - name: appelb-delete-expired-tag
    resource: app-elb
    filters:
      - "tag:ExpiredTag": present
    actions:
      - type: remove-tag
        tags: ["ExpiredTag"]

batch_size = 1

permissions = ('elasticloadbalancing:RemoveTags',)

process_resource_set(client, resource_set, tag_keys)

type = 'remove-tag'

class c7n.resources.appelb.AppELBTagAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tag/tags on an ELB

Example

policies:
  - name: appelb-create-required-tag
    resource: app-elb
    filters:
      - "tag:RequiredTag": absent
    actions:
      - type: tag
        key: RequiredTag
        value: RequiredValue

batch_size = 1

permissions = ('elasticloadbalancing:AddTags',)

process_resource_set(client, resource_set, ts)

type = 'tag'

class c7n.resources.appelb.AppELBTargetGroup(data, options)

Bases: c7n.query.QueryResourceManager

Resource manager for v2 ELB target groups.

action_registry = <c7n.actions.core.ActionRegistry object>

augment(target_groups)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

classmethod get_permissions()

class resource_type

Bases: object

date = None

dimension = None

enum_spec = ('describe_target_groups', 'TargetGroups', None)

filter_name = None

filter_type = None

id = 'TargetGroupArn'

name = 'TargetGroupName'

service = 'elbv2'

type = 'app-elb-target-group'

static retry(func, *args, **kw)

type = 'app-elb-target-group'

class c7n.resources.appelb.AppELBTargetGroupDefaultVpcFilter(data, manager=None)

Bases: c7n.filters.vpc.DefaultVpcBase

Filter all application elb target groups within the default vpc

Example

policies:
  - name: appelb-targetgroups-default-vpc
    resource: app-elb-target-group
    filters:
      - default-vpc

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['default-vpc']}}, 'required': ['type'], 'type': 'object'}

type = 'default-vpc'

class c7n.resources.appelb.AppELBTargetGroupDeleteAction(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete ELB target group

It is recommended to apply a filter to the delete policy to avoid unwanted deletion of any app elb target groups.

Example

policies:
  - name: appelb-targetgroups-delete-unused
    resource: app-elb-target-group
    filters:
      - "tag:SomeTag": absent
    actions:
      - delete

permissions = ('elasticloadbalancing:DeleteTargetGroup',)

process(resources)

process_target_group(client, target_group)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.appelb.AppELBTargetGroupFilter(data, manager=None)

Bases: c7n.filters.core.ValueFilter, c7n.resources.appelb.AppELBTargetGroupFilterBase

Filter ALB based on matching target group value

permissions = ('elasticloadbalancing:DescribeTargetGroups',)

process(albs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['target-group']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'target-group'

class c7n.resources.appelb.AppELBTargetGroupFilterBase

Bases: object

Mixin base class for filters that query LB target groups.

initialize(albs)

class c7n.resources.appelb.AppELBTargetGroupMarkForOpAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Action to specify a delayed action on an ELB target group

type = 'mark-for-op'

class c7n.resources.appelb.AppELBTargetGroupRemoveTagAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tag/tags from ELB target group

Example

policies:
  - name: appelb-targetgroup-remove-expired-tag
    resource: app-elb-target-group
    filters:
      - "tag:ExpiredTag": present
    actions:
      - type: remove-tag
        tags: ["ExpiredTag"]

batch_size = 1

permissions = ('elasticloadbalancing:RemoveTags',)

process_resource_set(client, resource_set, tag_keys)

type = 'remove-tag'

class c7n.resources.appelb.AppELBTargetGroupTagAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tag/tags on an ELB target group

Example

policies:
  - name: appelb-targetgroup-add-required-tag
    resource: app-elb-target-group
    filters:
      - "tag:RequiredTag": absent
    actions:
      - type: tag
        key: RequiredTag
        value: RequiredValue

batch_size = 1

permissions = ('elasticloadbalancing:AddTags',)

process_resource_set(client, resource_set, ts)

type = 'tag'

class c7n.resources.appelb.AppElbMetrics(data, manager=None)

Bases: c7n.filters.metrics.MetricsFilter

Filter app load balancer by metric values.

See available metrics here https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html

Custodian defaults to specifying dimensions for the app elb only. Target Group dimension not supported atm.

get_dimensions(resource)

type = 'metrics'

class c7n.resources.appelb.ConfigAppElb(manager)

Bases: c7n.query.ConfigSource

load_resource(item)

class c7n.resources.appelb.DescribeAppElb(manager)

Bases: c7n.query.DescribeSource

augment(albs)

get_resources(ids, cache=True)

Support server side filtering on arns or names

class c7n.resources.appelb.IsLoggingFilter(data, manager=None)

Bases: c7n.filters.core.Filter, c7n.resources.appelb.AppELBAttributeFilterBase

Matches AppELBs that are logging to S3.

bucket and prefix are optional

Example

policies:
    - name: alb-is-logging-test
      resource: app-elb
      filters:
        - type: is-logging

    - name: alb-is-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-logging
          bucket: prodlogs
          prefix: alblogs

permissions = ('elasticloadbalancing:DescribeLoadBalancerAttributes',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'bucket': {'type': 'string'}, 'prefix': {'type': 'string'}, 'type': {'enum': ['is-logging']}}, 'required': ['type'], 'type': 'object'}

type = 'is-logging'

class c7n.resources.appelb.IsNotLoggingFilter(data, manager=None)

Bases: c7n.filters.core.Filter, c7n.resources.appelb.AppELBAttributeFilterBase

Matches AppELBs that are NOT logging to S3.

or do not match the optional bucket and/or prefix.

Example

policies:
    - name: alb-is-not-logging-test
      resource: app-elb
      filters:
        - type: is-not-logging

    - name: alb-is-not-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-not-logging
          bucket: prodlogs
          prefix: alblogs

permissions = ('elasticloadbalancing:DescribeLoadBalancerAttributes',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'bucket': {'type': 'string'}, 'prefix': {'type': 'string'}, 'type': {'enum': ['is-not-logging']}}, 'required': ['type'], 'type': 'object'}

type = 'is-not-logging'

class c7n.resources.appelb.SecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'SecurityGroups[]'

type = 'security-group'

class c7n.resources.appelb.SetS3Logging(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to enable/disable S3 logging for an application loadbalancer.

Example

policies:
  - name: elbv2-test
    resource: app-elb
    filters:
      - type: value
        key: Attributes."access_logs.s3.enabled"
        value: False
    actions:
      - type: set-s3-logging
        bucket: elbv2logtest
        prefix: dahlogs
        state: enabled

permissions = ('elasticloadbalancing:ModifyLoadBalancerAttributes',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'bucket': {'type': 'string'}, 'prefix': {'type': 'string'}, 'state': {'enum': ['enabled', 'disabled']}, 'type': {'enum': ['set-s3-logging']}}, 'required': ('state',), 'type': 'object'}

type = 'set-s3-logging'

validate()

class c7n.resources.appelb.SetWaf(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Enable/Disable waf protection on applicable resource.

permissions = ('waf-regional:AssociateWebACL', 'waf-regional:ListWebACLs')

process(resources)

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['set-waf']}, 'web-acl': {'type': 'string'}}, 'required': ['web-acl', 'type'], 'type': 'object'}

type = 'set-waf'

validate()

class c7n.resources.appelb.SubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'AvailabilityZones[].SubnetId'

type = 'subnet'

class c7n.resources.appelb.VpcFilter(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

RelatedIdsExpression = 'VpcId'

type = 'vpc'

class c7n.resources.appelb.WafEnabled(data, manager=None)

Bases: c7n.filters.core.Filter

permissions = ('waf-regional:ListResourcesForWebACL', 'waf-regional:ListWebACLs')

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['waf-enabled']}, 'web-acl': {'type': 'string'}}, 'required': ['type'], 'type': 'object'}

type = 'waf-enabled'

c7n.resources.appelb.parse_attribute_value(v)

c7n.resources.asg module

class c7n.resources.asg.ASG(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::AutoScaling::AutoScalingGroup'

date = 'CreatedTime'

default_report_fields = ('AutoScalingGroupName', 'CreatedTime', 'LaunchConfigurationName', 'count:Instances', 'DesiredCapacity', 'HealthCheckType', 'list:LoadBalancerNames')

dimension = 'AutoScalingGroupName'

enum_spec = ('describe_auto_scaling_groups', 'AutoScalingGroups', None)

filter_name = 'AutoScalingGroupNames'

filter_type = 'list'

id = 'AutoScalingGroupName'

name = 'AutoScalingGroupName'

service = 'autoscaling'

type = 'autoScalingGroup'

static retry(func, *args, **kw)

type = 'asg'

class c7n.resources.asg.CapacityDelta(data, manager=None)

Bases: c7n.filters.core.Filter

Filter returns ASG that have less instances than desired or required

Example

policies:
  - name: asg-capacity-delta
    resource: asg
    filters:
      - capacity-delta

process(asgs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['capacity-delta']}}, 'required': ['type'], 'type': 'object'}

type = 'capacity-delta'

class c7n.resources.asg.ConfigValidFilter(data, manager=None)

Bases: c7n.filters.core.Filter

get_appelb_target_groups()

get_asg_errors(asg)

get_elbs()

get_images()

get_key_pairs()

get_permissions()

get_security_groups()

get_snapshots()

get_subnets()

initialize(asgs)

process(asgs, event=None)

Bulk process resources and return filtered set.

validate()

validate filter config, return validation error or self

class c7n.resources.asg.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete an ASG

The ‘force’ parameter is needed when deleting an ASG that has instances attached to it.

Example

policies:
  - name: asg-unencrypted
    resource: asg
    filters:
      - type: not-encrypted
        exclude_image: true
    actions:
      - type: delete
        force: true

permissions = ('autoscaling:DeleteAutoScalingGroup',)

process(asgs)

process_asg(client, asg)

schema = {'additionalProperties': False, 'properties': {'force': {'type': 'boolean'}, 'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.asg.GroupTagTrim(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagTrim

Action to trim the number of tags to avoid hitting tag limits

Example

policies:
  - name: asg-tag-trim
    resource: asg
    filters:
      - type: tag-count
        count: 10
    actions:
      - type: tag-trim
        space: 1
        preserve:
          - OwnerName
          - OwnerContact

max_tag_count = 10

permissions = ('autoscaling:DeleteTags',)

process_tag_removal(client, resource, candidates)

type = 'tag-trim'

class c7n.resources.asg.ImageAgeFilter(data, manager=None)

Bases: c7n.filters.core.AgeFilter

Filter asg by image age (in days).

Example

policies:
  - name: asg-older-image
    resource: asg
    filters:
      - type: image-age
        days: 90
        op: ge

date_attribute = 'CreationDate'

get_resource_date(asg)

permissions = ('ec2:DescribeImages', 'autoscaling:DescribeLaunchConfigurations')

process(asgs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['image-age']}}, 'required': ['type'], 'type': 'object'}

type = 'image-age'

class c7n.resources.asg.ImageFilter(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter asg by image

Example

policies:
  - name: non-windows-asg
    resource: asg
    filters:
      - type: image
        key: Platform
        value: Windows
        op: ne

permissions = ('ec2:DescribeImages', 'autoscaling:DescribeLaunchConfigurations')

process(asgs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['image']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'image'

class c7n.resources.asg.InvalidConfigFilter(data, manager=None)

Bases: c7n.resources.asg.ConfigValidFilter

Filter autoscale groups to find those that are structurally invalid.

Structurally invalid means that the auto scale group will not be able to launch an instance succesfully as the configuration has

• invalid subnets

• invalid security groups

• invalid key pair name

• invalid launch config volume snapshots

• invalid amis

• invalid health check elb (slower)

Internally this tries to reuse other resource managers for better cache utilization.

Example

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['invalid']}}, 'required': ['type'], 'type': 'object'}

type = 'invalid'

class c7n.resources.asg.LaunchConfig(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::AutoScaling::LaunchConfiguration'

date = 'CreatedTime'

dimension = None

enum_spec = ('describe_launch_configurations', 'LaunchConfigurations', None)

filter_name = 'LaunchConfigurationNames'

filter_type = 'list'

id = 'LaunchConfigurationName'

name = 'LaunchConfigurationName'

service = 'autoscaling'

type = 'launchConfiguration'

type = 'launch-config'

class c7n.resources.asg.LaunchConfigAge(data, manager=None)

Bases: c7n.filters.core.AgeFilter

Filter ASG launch configuration by age (in days)

Example

policies:
  - name: asg-launch-config-old
    resource: launch-config
    filters:
      - type: age
        days: 90
        op: ge

date_attribute = 'CreatedTime'

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['age']}}, 'required': ['type'], 'type': 'object'}

type = 'age'

class c7n.resources.asg.LaunchConfigDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Filters all unused launch configurations

Example

policies:
  - name: asg-unused-launch-config-delete
    resource: launch-config
    filters:
      - unused
    actions:
      - delete

permissions = ('autoscaling:DeleteLaunchConfiguration',)

process(configs)

process_config(client, config)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.asg.LaunchConfigFilter(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter asg by launch config attributes.

This will also filter to launch template data in addition to launch configurations.

Example

policies:
  - name: launch-configs-with-public-address
    resource: asg
    filters:
      - type: launch-config
        key: AssociatePublicIpAddress
        value: true

permissions = ('autoscaling:DescribeLaunchConfigurations',)

process(asgs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['launch-config']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'launch-config'

class c7n.resources.asg.LaunchInfo(manager)

Bases: object

get(asg)

get_image_ids()

get_image_map()

get_launch_configs(asgs)

Return a mapping of launch configs for the given set of asgs

get_launch_id(asg)

get_launch_templates(asgs)

get_security_group_ids()

initialize(asgs)

items()

permissions = ('ec2:DescribeLaunchTemplateVersions', 'autoscaling:DescribeLaunchConfigurations')

class c7n.resources.asg.MarkForOp(data=None, manager=None, log_dir=None)

Bases: c7n.resources.asg.Tag

Action to create a delayed action for a later date

Example

policies:
  - name: asg-suspend-schedule
    resource: asg
    filters:
      - type: value
        key: MinSize
        value: 2
    actions:
      - type: mark-for-op
        tag: custodian_suspend
        message: "Suspending: {op}@{action_date}"
        op: suspend
        days: 7

default_template = 'AutoScaleGroup does not meet org policy: {op}@{action_date}'

process(asgs)

schema = {'additionalProperties': False, 'properties': {'days': {'minimum': 0, 'type': 'number'}, 'hours': {'minimum': 0, 'type': 'number'}, 'key': {'type': 'string'}, 'message': {'type': 'string'}, 'op': {'type': 'string'}, 'tag': {'type': 'string'}, 'type': {'enum': ['mark-for-op']}}, 'required': ['type'], 'type': 'object'}

type = 'mark-for-op'

validate()

class c7n.resources.asg.NotEncryptedFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Check if an ASG is configured to have unencrypted volumes.

Checks both the ami snapshots and the launch configuration.

Example

policies:
  - name: asg-unencrypted
    resource: asg
    filters:
      - type: not-encrypted
        exclude_image: true

get_snapshots(snap_ids)

get snapshots corresponding to id, but tolerant of invalid id’s.

get_unencrypted_configs()

retrieve configs that have unencrypted ebs voluems referenced.

get_unencrypted_images()

retrieve images which have unencrypted snapshots referenced.

images = None

permissions = ('ec2:DescribeImages', 'ec2:DescribeSnapshots', 'autoscaling:DescribeLaunchConfigurations')

process(asgs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'exclude_image': {'type': 'boolean'}, 'type': {'enum': ['not-encrypted']}}, 'required': ['type'], 'type': 'object'}

type = 'not-encrypted'

unencrypted_configs = None

unencrypted_images = None

class c7n.resources.asg.PropagateTags(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Propagate tags to an asg instances.

In AWS changing an asg tag does not propagate to instances.

This action exists to do that, and can also trim older tags not present on the asg anymore that are present on instances.

Example

policies:
  - name: asg-propagate-required
    resource: asg
    filters:
      - "tag:OwnerName": present
    actions:
      - type: propagate-tags
        tags:
          - OwnerName

get_instance_map(asgs)

permissions = ('ec2:DeleteTags', 'ec2:CreateTags')

process(asgs)

process_asg(asg)

prune_instance_tags(client, asg, tag_set, instances)

Remove tags present on all asg instances which are not present on the asg.

schema = {'additionalProperties': False, 'properties': {'tags': {'items': {'type': 'string'}, 'type': 'array'}, 'trim': {'type': 'boolean'}, 'type': {'enum': ['propagate-tags']}}, 'required': ['type'], 'type': 'object'}

type = 'propagate-tags'

validate()

class c7n.resources.asg.PropagatedTagFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Filter ASG based on propagated tags

This filter is designed to find all autoscaling groups that have a list of tag keys (provided) that are set to propagate to new instances. Using this will allow for easy validation of asg tag sets are in place across an account for compliance.

Example

permissions = ('autoscaling:DescribeLaunchConfigurations', 'autoscaling:DescribeAutoScalingGroups')

process(asgs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'keys': {'items': {'type': 'string'}, 'type': 'array'}, 'match': {'type': 'boolean'}, 'propagate': {'type': 'boolean'}, 'type': {'enum': ['progagated-tags', 'propagated-tags']}}, 'required': ['type'], 'type': 'object'}

type = 'progagated-tags'

class c7n.resources.asg.RemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to remove tag/tags from an ASG

Example

policies:
  - name: asg-remove-unnecessary-tags
    resource: asg
    filters:
      - "tag:UnnecessaryTag": present
    actions:
      - type: remove-tag
        key: UnnecessaryTag

batch_size = 1

permissions = ('autoscaling:DeleteTags',)

process(asgs)

process_resource_set(client, asgs, tags)

schema = {'additionalProperties': False, 'properties': {'key': {'type': 'string'}, 'tags': {'items': {'type': 'string'}, 'type': 'array'}, 'type': {'enum': ['remove-tag', 'untag', 'unmark']}}, 'required': ['type'], 'type': 'object'}

type = 'remove-tag'

class c7n.resources.asg.RenameTag(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Rename a tag on an AutoScaleGroup.

Example

policies:
  - name: asg-rename-owner-tag
    resource: asg
    filters:
      - "tag:OwnerNames": present
    actions:
      - type: rename-tag
        propagate: true
        source: OwnerNames
        dest: OwnerName

get_permissions()

process(asgs)

process_asg(asg)

Move source tag to destination tag.

Check tag count on asg Create new tag tag Delete old tag Check tag count on instance Create new tag Delete old tag

propagate_instance_tag(source, destination_tag, asg)

schema = {'additionalProperties': False, 'properties': {'dest': {'type': 'string'}, 'propagate': {'type': 'boolean'}, 'source': {'type': 'string'}, 'type': {'enum': ['rename-tag']}}, 'required': ['source', 'dest', 'type'], 'type': 'object'}

type = 'rename-tag'

class c7n.resources.asg.Resize(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to resize the min/max/desired instances in an ASG

There are several ways to use this action:

1. set min/desired to current running instances

policies:
  - name: asg-resize
    resource: asg
    filters:
      - capacity-delta
    actions:
      - type: resize
        desired-size: "current"

2. apply a fixed resize of min, max or desired, optionally saving the previous values to a named tag (for restoring later):

policies:
  - name: offhours-asg-off
    resource: asg
    filters:
      - type: offhour
        offhour: 19
        default_tz: bst
    actions:
      - type: resize
        min-size: 0
        desired-size: 0
        save-options-tag: OffHoursPrevious

3. restore previous values for min/max/desired from a tag:

policies:
  - name: offhours-asg-on
    resource: asg
    filters:
      - type: onhour
        onhour: 8
        default_tz: bst
    actions:
      - type: resize
        restore-options-tag: OffHoursPrevious

permissions = ('autoscaling:UpdateAutoScalingGroup', 'autoscaling:CreateOrUpdateTags')

process(asgs)

schema = {'additionalProperties': False, 'properties': {'desired-size': {'anyOf': [{'enum': ['current']}, {'type': 'integer', 'minimum': 0}]}, 'desired_size': {'anyOf': [{'enum': ['current']}, {'type': 'integer', 'minimum': 0}]}, 'max-size': {'minimum': 0, 'type': 'integer'}, 'min-size': {'minimum': 0, 'type': 'integer'}, 'restore-options-tag': {'type': 'string'}, 'save-options-tag': {'type': 'string'}, 'type': {'enum': ['resize']}}, 'required': ['type'], 'type': 'object'}

type = 'resize'

class c7n.resources.asg.Resume(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Resume a suspended autoscale group and its instances

Parameter ‘delay’ is the amount of time (in seconds) to wait between resuming instances in the asg, and restarting the internal asg processed which gives some grace period before health checks turn on within the ASG (default value: 30)

Example

policies:
  - name: asg-resume-processes
    resource: asg
    filters:
      - "tag:Resume": present
    actions:
      - type: resume
        delay: 300

permissions = ('autoscaling:ResumeProcesses', 'ec2:StartInstances')

process(asgs)

resume_asg(asg_client, asg)

Resume asg processes.

resume_asg_instances(ec2_client, asg)

Resume asg instances.

schema = {'additionalProperties': False, 'properties': {'delay': {'type': 'number'}, 'type': {'enum': ['resume']}}, 'required': ['type'], 'type': 'object'}

type = 'resume'

class c7n.resources.asg.SecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = ''

get_related_ids(asgs)

permissions = ('ec2:DescribeSecurityGroups', 'ec2:DescribeLaunchTemplateVersions', 'autoscaling:DescribeLaunchConfigurations')

process(asgs, event=None)

Bulk process resources and return filtered set.

type = 'security-group'

class c7n.resources.asg.SubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = ''

get_related_ids(asgs)

type = 'subnet'

class c7n.resources.asg.Suspend(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to suspend ASG processes and instances

AWS ASG suspend/resume and process docs

https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html

Example

policies:
  - name: asg-suspend-processes
    resource: asg
    filters:
      - "tag:SuspendTag": present
    actions:
      - type: suspend

ASG_PROCESSES = {'AZRebalance', 'AddToLoadBalancer', 'AlarmNotification', 'HealthCheck', 'Launch', 'ReplaceUnhealthy', 'ScheduledActions', 'Terminate'}

permissions = ('autoscaling:SuspendProcesses', 'ec2:StopInstances')

process(asgs)

process_asg(asg)

Multistep process to stop an asg aprori of setup

• suspend processes

• stop instances

schema = {'additionalProperties': False, 'properties': {'exclude': {'items': {'enum': ['Launch', 'Terminate', 'HealthCheck', 'ReplaceUnhealthy', 'AZRebalance', 'AlarmNotification', 'ScheduledActions', 'AddToLoadBalancer']}, 'title': 'ASG Processes to not suspend', 'type': 'array'}, 'type': {'enum': ['suspend']}}, 'required': ['type'], 'type': 'object'}

type = 'suspend'

class c7n.resources.asg.Tag(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to add a tag to an ASG

The propagate parameter can be used to specify that the tag being added will need to be propagated down to each ASG instance associated or simply to the ASG itself.

Example

policies:
  - name: asg-add-owner-tag
    resource: asg
    filters:
      - "tag:OwnerName": absent
    actions:
      - type: tag
        key: OwnerName
        value: OwnerName
        propagate: true

batch_size = 1

get_client()

get_tag_set()

permissions = ('autoscaling:CreateOrUpdateTags',)

process(asgs)

process_resource_set(client, asgs, tags)

schema = {'additionalProperties': False, 'properties': {'key': {'type': 'string'}, 'msg': {'type': 'string'}, 'propagate': {'type': 'boolean'}, 'tag': {'type': 'string'}, 'tags': {'type': 'object'}, 'type': {'enum': ['tag', 'mark']}, 'value': {'type': 'string'}}, 'required': ['type'], 'type': 'object'}

type = 'tag'

class c7n.resources.asg.UnusedLaunchConfig(data, manager=None)

Bases: c7n.filters.core.Filter

Filters all launch configurations that are not in use but exist

Example

policies:
  - name: asg-unused-launch-config
    resource: launch-config
    filters:
      - unused

get_permissions()

process(configs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['unused']}}, 'required': ['type'], 'type': 'object'}

type = 'unused'

class c7n.resources.asg.UserDataFilter(data, manager)

Bases: c7n.filters.core.ValueFilter

Filter on ASG’s whose launch configs have matching userdata. Note: It is highly recommended to use regexes with the ?sm flags, since Custodian uses re.match() and userdata spans multiple lines.

example

policies:
  - name: lc_userdata
    resource: asg
    filters:
      - type: user-data
        op: regex
        value: (?smi).*password=
    actions:
      - delete

annotation = 'c7n:user-data'

batch_size = 50

get_permissions()

process(asgs, event=None)

Get list of autoscaling groups whose launch configs match the user-data filter.

Returns

List of ASG’s with matching launch configs

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['user-data']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'user-data'

class c7n.resources.asg.ValidConfigFilter(data, manager=None)

Bases: c7n.resources.asg.ConfigValidFilter

Filters autoscale groups to find those that are structurally valid.

This operates as the inverse of the invalid filter for multi-step workflows.

See details on the invalid filter for a list of checks made.

Example

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['valid']}}, 'required': ['type'], 'type': 'object'}

type = 'valid'

class c7n.resources.asg.VpcIdFilter(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filters ASG based on the VpcId

This filter is available as a ValueFilter as the vpc-id is not natively associated to the results from describing the autoscaling groups.

Example

policies:
  - name: asg-vpc-xyz
    resource: asg
    filters:
      - type: vpc-id
        value: vpc-12ab34cd

permissions = ('ec2:DescribeSubnets',)

process(asgs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['vpc-id']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'vpc-id'

c7n.resources.aws module

class c7n.resources.aws.AWS

Bases: object

get_session_factory(options)

initialize(options)

initialize_policies(policy_collection, options)

Return a set of policies targetted to the given regions.

Supports symbolic regions like ‘all’. This will automatically filter out policies if their being targetted to a region that does not support the service. Global services will target a single region (us-east-1 if only all specified, else first region in the list).

Note for region partitions (govcloud and china) an explicit region from the partition must be passed in.

resource_prefix = 'aws'

resources = <c7n.registry.PluginRegistry object>

type = 'aws'

class c7n.resources.aws.ApiStats(ctx, config=None)

Bases: c7n.output.DeltaStats

get_metadata()

get_snapshot()

type = 'aws'

class c7n.resources.aws.Arn

Bases: c7n.resources.aws._Arn

classmethod parse(arn)

class c7n.resources.aws.CloudWatchLogOutput(ctx, config=None)

Bases: c7n.output.LogOutput

get_handler()

log_format = '%(asctime)s - %(levelname)s - %(name)s - %(message)s'

type = 'aws'

class c7n.resources.aws.MetricsOutput(ctx, config=None)

Bases: c7n.output.Metrics

Send metrics data to cloudwatch

permissions = ('cloudWatch:PutMetricData',)

static retry(func, *args, **kw)

type = 'aws'

class c7n.resources.aws.S3Output(ctx, config)

Bases: c7n.output.DirectoryOutput

Usage:

with S3Output(session_factory, 's3://bucket/prefix'):
    log.info('xyz')  # -> log messages sent to custodian-run.log.gz

get_output_path(output_url)

static join(*parts)

permissions = ('S3:PutObject',)

type = 's3'

upload()

class c7n.resources.aws.XrayContext(*args, **kw)

Bases: aws_xray_sdk.core.context.Context

handle_context_missing()

Custodian has a few api calls out of band of policy execution.

• Resolving account alias.

• Cloudwatch Log group/stream discovery/creation (when using -l on cli)

Also we want to folks to optionally based on configuration using xray so default to disabling context missing output.

class c7n.resources.aws.XrayEmitter

Bases: object

flush()

send_entity(entity)

class c7n.resources.aws.XrayTracer(ctx, config)

Bases: object

emitter = <c7n.resources.aws.XrayEmitter object>

in_lambda = False

classmethod initialize()

service_name = 'custodian'

subsegment(name)

type = 'xray'

use_daemon = False

c7n.resources.aws.fake_session()

c7n.resources.aws.get_profile_session(options)

c7n.resources.aws.get_service_region_map(regions, resource_types)

c7n.resources.aws.shape_validate(params, shape_name, service)

c7n.resources.awslambda module

class c7n.resources.awslambda.AWSLambda(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

get_source(source_type)

class resource_type

Bases: object

config_type = 'AWS::Lambda::Function'

date = 'LastModified'

dimension = 'FunctionName'

enum_spec = ('list_functions', 'Functions', None)

filter_name = None

id = 'FunctionName'

name = 'FunctionName'

service = 'lambda'

type = 'function'

universal_taggable = <object object>

type = 'lambda'

class c7n.resources.awslambda.ConfigLambda(manager)

Bases: c7n.query.ConfigSource

load_resource(item)

class c7n.resources.awslambda.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete a lambda function (including aliases and older versions).

Example

policies:
  - name: lambda-delete-dotnet-functions
    resource: lambda
    filters:
      - Runtime: dotnetcore1.0
    actions:
      - delete

permissions = ('lambda:DeleteFunction',)

process(functions)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.awslambda.DeleteLayerVersion(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('lambda:DeleteLayerVersion',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.awslambda.DescribeLambda(manager)

Bases: c7n.query.DescribeSource

augment(resources)

class c7n.resources.awslambda.LambdaCrossAccountAccessFilter(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

Filters lambda functions with cross-account permissions

The whitelist parameter can be used to prevent certain accounts from being included in the results (essentially stating that these accounts permissions are allowed to exist)

This can be useful when combining this filter with the delete action.

Example

policies:
  - name: lambda-cross-account
    resource: lambda
    filters:
      - type: cross-account
        whitelist:
          - 'IAM-Policy-Cross-Account-Access'

permissions = ('lambda:GetPolicy',)

policy_attribute = 'c7n:Policy'

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'cross-account'

class c7n.resources.awslambda.LambdaEventSource(data, manager=None)

Bases: c7n.filters.core.ValueFilter

annotation_key = 'c7n:EventSources'

permissions = ('lambda:GetPolicy',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['event-source']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'event-source'

class c7n.resources.awslambda.LambdaLayerVersion(data, options)

Bases: c7n.query.QueryResourceManager

Note custodian models the lambda layer version.

Layers end up being a logical asset, the physical asset for use and management is the layer verison.

To ease that distinction, we support querying just the latest layer version or having a policy against all layer versions.

By default we query all versions, the following is an example to query just the latest.

policies:
  - name: lambda-layer
    resource: lambda
    query:
      - version: latest

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = None

date = 'CreatedDate'

dimension = None

enum_spec = ('list_layers', 'Layers', None)

filter_name = None

id = 'LayerName'

name = 'LayerName'

service = 'lambda'

type = 'function'

type = 'lambda-layer'

class c7n.resources.awslambda.LambdaPermissions(data, manager=None)

Bases: c7n.resources.iam.CheckPermissions

get_iam_arns(resources)

type = 'check-permissions'

class c7n.resources.awslambda.LayerCrossAccount(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

get_resource_policy(r)

permissions = ('lambda:GetLayerVersionPolicy',)

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'cross-account'

class c7n.resources.awslambda.LayerRemovePermissions(data=None, manager=None, log_dir=None)

Bases: c7n.actions.policy.RemovePolicyBase

permissions = ('lambda:GetLayerVersionPolicy', 'lambda:RemoveLayerVersionPermission')

process(resources)

process_resource(client, r)

schema = {'additionalProperties': False, 'properties': {'statement_ids': {'oneOf': [{'enum': ['matched']}, {'type': 'array', 'items': {'type': 'string'}}]}, 'type': {'enum': ['remove-statements']}}, 'required': ['statement_ids', 'type'], 'type': 'object'}

type = 'remove-statements'

class c7n.resources.awslambda.RemovePolicyStatement(data=None, manager=None, log_dir=None)

Bases: c7n.actions.policy.RemovePolicyBase

Action to remove policy/permission statements from lambda functions.

Example

policies:
  - name: lambda-remove-cross-accounts
    resource: lambda
    filters:
      - type: cross-account
    actions:
      - type: remove-statements
        statement_ids: matched

permissions = ('lambda:GetPolicy', 'lambda:RemovePermission')

process(resources)

process_resource(client, resource)

schema = {'additionalProperties': False, 'properties': {'statement_ids': {'oneOf': [{'enum': ['matched']}, {'type': 'array', 'items': {'type': 'string'}}]}, 'type': {'enum': ['remove-statements']}}, 'required': ['statement_ids', 'type'], 'type': 'object'}

type = 'remove-statements'

class c7n.resources.awslambda.ReservedConcurrency(data, manager=None)

Bases: c7n.filters.core.ValueFilter

annotation_key = 'c7n:FunctionInfo'

permissions = ('lambda:GetFunction',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['reserved-concurrency']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'reserved-concurrency'

validate()

validate filter config, return validation error or self

value_key = '"c7n:FunctionInfo".Concurrency.ReservedConcurrentExecutions'

class c7n.resources.awslambda.SecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'VpcConfig.SecurityGroupIds[]'

type = 'security-group'

class c7n.resources.awslambda.SetConcurrency(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Set lambda function concurrency to the desired level.

Can be used to set the reserved function concurrency to an exact value, to delete reserved concurrency, or to set the value to an attribute of the resource.

permissions = ('lambda:DeleteFunctionConcurrency', 'lambda:PutFunctionConcurrency')

process(functions)

schema = {'additionalProperties': False, 'properties': {'expr': {'type': 'boolean'}, 'type': {'enum': ['set-concurrency']}, 'value': {'oneOf': [{'type': 'string'}, {'type': 'integer'}, {'type': 'null'}]}}, 'required': ('value',), 'type': 'object'}

type = 'set-concurrency'

validate()

class c7n.resources.awslambda.SubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'VpcConfig.SubnetIds[]'

type = 'subnet'

class c7n.resources.awslambda.VpcFilter(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

RelatedIdsExpression = 'VpcConfig.VpcId'

type = 'vpc'

c7n.resources.awslambda.get_lambda_policies(client, executor_factory, resources, log)

c7n.resources.awslambda.get_layer_version_paginator(client)

c7n.resources.backup module

class c7n.resources.backup.BackupPlan(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

get_resources(resource_ids, cache=True)

Retrieve a set of resources by id.

class resource_type

Bases: object

arn = 'BackupPlanArn'

detail_spec = ('get_backup_plan', 'BackupPlanId', 'BackupPlanId', 'BackupPlan')

dimension = None

enum_spec = ('list_backup_plans', 'BackupPlansList', None)

filter_name = None

filter_type = None

id = 'BackupPlanName'

name = 'BackupPlanId'

service = 'backup'

type = 'backup-plan'

c7n.resources.batch module

class c7n.resources.batch.ComputeEnvironment(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'computeEnvironmentArn'

dimension = None

enum_spec = ('describe_compute_environments', 'computeEnvironments', None)

filter_name = 'computeEnvironments'

filter_type = 'list'

id = 'computeEnvironmentName'

name = 'computeEnvironmentName'

service = 'batch'

type = 'batch-compute'

class c7n.resources.batch.ComputeSGFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'computeResources.securityGroupIds'

type = 'security-group'

class c7n.resources.batch.ComputeSubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'computeResources.subnets'

type = 'subnet'

class c7n.resources.batch.DefinitionDeregister(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.batch.StateTransitionFilter

Deregisters a batch definition

Example

deregister_definition(r)

permissions = ('batch:DeregisterJobDefinition',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['deregister']}}, 'required': ['type'], 'type': 'object'}

type = 'deregister'

valid_origin_states = ('ACTIVE',)

class c7n.resources.batch.DeleteComputeEnvironment(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.batch.StateTransitionFilter

Delete an AWS batch compute environment

Example

delete_environment(client, r)

permissions = ('batch:DeleteComputeEnvironment',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

valid_origin_states = ('DISABLED',)

valid_origin_status = ('VALID', 'INVALID')

class c7n.resources.batch.JobDefinition(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'jobDefinitionArn'

dimension = None

enum_spec = ('describe_job_definitions', 'jobDefinitions', None)

filter_name = 'jobDefinitions'

filter_type = 'list'

id = 'jobDefinitionName'

name = 'jobDefinitionName'

service = 'batch'

type = 'batch-definition'

class c7n.resources.batch.StateTransitionFilter

Bases: object

Filter resources by state.

Try to simplify construction for policy authors by automatically filtering elements (filters or actions) to the resource states they are valid for.

filter_resource_state(resources, key, states=None)

valid_origin_states = ()

class c7n.resources.batch.UpdateComputeEnvironment(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.batch.StateTransitionFilter

Updates an AWS batch compute environment

Example

permissions = ('batch:UpdateComputeEnvironment',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'computeEnvironment': {'type': 'string'}, 'computeResources': {'additionalProperties': False, 'properties': {'desiredvCpus': {'type': 'integer'}, 'maxvCpus': {'type': 'integer'}, 'minvCpus': {'type': 'integer'}}, 'type': 'object'}, 'serviceRole': {'type': 'string'}, 'state': {'enum': ['ENABLED', 'DISABLED'], 'type': 'string'}, 'type': {'enum': ['update-environment']}}, 'type': 'object'}

type = 'update-environment'

valid_origin_status = ('VALID', 'INVALID')

c7n.resources.cfn module

class c7n.resources.cfn.CloudFormation(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::CloudFormation::Stack'

date = 'CreationTime'

dimension = None

enum_spec = ('describe_stacks', 'Stacks[]', None)

filter_name = 'StackName'

filter_type = 'scalar'

id = 'StackName'

name = 'StackName'

service = 'cloudformation'

type = 'stack'

type = 'cfn'

class c7n.resources.cfn.CloudFormationAddTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to tag a cloudformation stack

Example

permissions = ('cloudformation:UpdateStack',)

process_resource_set(client, stacks, tags)

type = 'tag'

class c7n.resources.cfn.CloudFormationRemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tags from a cloudformation stack

Example

process_resource_set(client, stacks, keys)

type = 'remove-tag'

class c7n.resources.cfn.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete cloudformation stacks

It is recommended to use a filter to avoid unwanted deletion of stacks

Example

policies:
  - name: cloudformation-delete-failed-stacks
    resource: cfn
    filters:
      - StackStatus: ROLLBACK_COMPLETE
    actions:
      - delete

permissions = ('cloudformation:DeleteStack',)

process(stacks)

process_stacks(stack)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.cfn.SetProtection(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to disable termination protection

It is recommended to use a filter to avoid unwanted deletion of stacks

Example

policies:
  - name: cloudformation-disable-protection
    resource: cfn
    filters:
      - StackStatus: CREATE_COMPLETE
    actions:
      - type: set-protection
        state: False

permissions = ('cloudformation:UpdateStack',)

process(stacks)

process_stacks(client, stack)

schema = {'additionalProperties': False, 'properties': {'state': {'default': False, 'type': 'boolean'}, 'type': {'enum': ['set-protection']}}, 'required': ['type'], 'type': 'object'}

type = 'set-protection'

c7n.resources.cloudfront module

class c7n.resources.cloudfront.DescribeDistribution(manager)

Bases: c7n.query.DescribeSource

augment(resources)

class c7n.resources.cloudfront.DescribeStreamingDistribution(manager)

Bases: c7n.query.DescribeSource

augment(resources)

class c7n.resources.cloudfront.Distribution(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

get_arn(r)

get_source(source_type)

class resource_type

Bases: object

config_type = 'AWS::CloudFront::Distribution'

date = 'LastModifiedTime'

dimension = 'DistributionId'

enum_spec = ('list_distributions', 'DistributionList.Items', None)

filter_name = None

global_resource = True

id = 'Id'

name = 'DomainName'

service = 'cloudfront'

type = 'distribution'

universal_taggable = True

type = 'distribution'

class c7n.resources.cloudfront.DistributionDisableAction(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to disable a Distribution

Example

policies:
  - name: distribution-delete
    resource: distribution
    filters:
      - type: value
        key: CacheBehaviors.Items[].ViewerProtocolPolicy
        value: allow-all
        op: contains
    actions:
      - type: disable

permissions = ('distribution:GetDistributionConfig', 'distribution:UpdateDistribution')

process(distributions)

process_distribution(client, distribution)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['disable']}}, 'required': ['type'], 'type': 'object'}

type = 'disable'

class c7n.resources.cloudfront.DistributionMetrics(data, manager=None)

Bases: c7n.filters.metrics.MetricsFilter

Filter cloudfront distributions based on metric values

Example

policies:
  - name: cloudfront-distribution-errors
    resource: distribution
    filters:
      - type: metrics
        name: Requests
        value: 3
        op: ge

get_dimensions(resource)

type = 'metrics'

class c7n.resources.cloudfront.DistributionSSLAction(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to set mandatory https-only on a Distribution

Example

policies:
  - name: distribution-set-ssl
    resource: distribution
    filters:
      - type: value
        key: CacheBehaviors.Items[].ViewerProtocolPolicy
        value: allow-all
        op: contains
    actions:
      - type: set-protocols
        ViewerProtocolPolicy: https-only

permissions = ('distribution:GetDistributionConfig', 'distribution:UpdateDistribution')

process(distributions)

process_distribution(client, distribution)

schema = {'additionalProperties': False, 'properties': {'OriginProtocolPolicy': {'enum': ['http-only', 'match-viewer', 'https-only']}, 'OriginSslProtocols': {'items': {'enum': ['SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2']}, 'type': 'array'}, 'ViewerProtocolPolicy': {'enum': ['allow-all', 'https-only', 'redirect-to-https']}, 'type': {'enum': ['set-protocols']}}, 'type': 'object'}

type = 'set-protocols'

class c7n.resources.cloudfront.IsWafEnabled(data, manager=None)

Bases: c7n.filters.core.Filter

permissions = ('waf:ListWebACLs',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['waf-enabled']}, 'web-acl': {'type': 'string'}}, 'required': ['type'], 'type': 'object'}

type = 'waf-enabled'

class c7n.resources.cloudfront.MismatchS3Origin(data, manager=None)

Bases: c7n.filters.core.Filter

Check for existence of S3 bucket referenced by Cloudfront,

and verify whether owner is different from Cloudfront account owner.

Example

policies:
  - name: mismatch-s3-origin
    resource: distribution
    filters:
      - type: mismatch-s3-origin
        check_custom_origins: true

is_s3_domain(x)

permissions = ('s3:ListBuckets',)

process(resources, event=None)

Bulk process resources and return filtered set.

static retry(func, *args, **kw)

s3_prefix = re.compile('.*(?=\\.s3(-.*)?\\.amazonaws.com)')

s3_suffix = re.compile('^([^.]+\\.)?s3(-.*)?\\.amazonaws.com')

schema = {'additionalProperties': False, 'properties': {'check_custom_origins': {'type': 'boolean'}, 'type': {'enum': ['mismatch-s3-origin']}}, 'required': ['type'], 'type': 'object'}

type = 'mismatch-s3-origin'

class c7n.resources.cloudfront.SetWaf(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('cloudfront:UpdateDistribution', 'waf:ListWebACLs')

process(resources)

static retry(func, *args, **kw)

schema = {'additionalProperties': False, 'properties': {'force': {'type': 'boolean'}, 'state': {'type': 'boolean'}, 'type': {'enum': ['set-waf']}, 'web-acl': {'type': 'string'}}, 'required': ['web-acl', 'type'], 'type': 'object'}

type = 'set-waf'

class c7n.resources.cloudfront.StreamingDistribution(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

get_arn(r)

get_source(source_type)

class resource_type

Bases: object

config_type = 'AWS::CloudFront::StreamingDistribution'

date = 'LastModifiedTime'

dimension = 'DistributionId'

enum_spec = ('list_streaming_distributions', 'StreamingDistributionList.Items', None)

filter_name = None

id = 'Id'

name = 'DomainName'

service = 'cloudfront'

type = 'streaming-distribution'

universal_taggable = True

type = 'streaming-distribution'

class c7n.resources.cloudfront.StreamingDistributionDisableAction(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to disable a Streaming Distribution

Example

policies:
  - name: streaming-distribution-delete
    resource: streaming-distribution
    filters:
      - type: value
        key: S3Origin.OriginAccessIdentity
        value: ''
    actions:
      - type: disable

permissions = ('streaming-distribution:GetStreamingDistributionConfig', 'streaming-distribution:UpdateStreamingDistribution')

process(distributions)

process_distribution(client, distribution)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['disable']}}, 'required': ['type'], 'type': 'object'}

type = 'disable'

c7n.resources.cloudsearch module

class c7n.resources.cloudsearch.CloudSearch(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

dimension = 'DomainName'

enum_spec = ('describe_domains', 'DomainStatusList', None)

filter_name = 'DomainNames'

filter_type = 'list'

id = 'DomainName'

name = 'DomainName'

service = 'cloudsearch'

type = 'domain'

type = 'cloudsearch'

class c7n.resources.cloudsearch.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('cloudsearch:DeleteDomain',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

c7n.resources.cloudtrail module

class c7n.resources.cloudtrail.CloudTrail(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'TrailARN'

config_type = 'AWS::CloudTrail::Trail'

dimension = None

enum_spec = ('describe_trails', 'trailList', None)

filter_name = 'trailNameList'

filter_type = 'list'

id = 'TrailARN'

name = 'Name'

service = 'cloudtrail'

type = 'cloudtrail'

class c7n.resources.cloudtrail.IsShadow(data, manager=None)

Bases: c7n.filters.core.Filter

Identify shadow trails (secondary copies), shadow trails can’t be modified directly, the origin trail needs to be modified.

Shadow trails are created for multi-region trails as well for organizational trails.

embedded = False

is_shadow(t)

permissions = ('cloudtrail:DescribeTrails',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['is-shadow']}}, 'required': ['type'], 'type': 'object'}

type = 'is-shadow'

class c7n.resources.cloudtrail.SetLogging(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Set the logging state of a trail

Example

policies:
  - name: cloudtrail-not-active
    resource: aws.cloudtrail
    filters:
     - type: status
       key: IsLogging
       value: False
    actions:
     - type: set-logging
       enabled: True

get_permissions()

process(resources)

schema = {'additionalProperties': False, 'properties': {'enabled': {'type': 'boolean'}, 'type': {'enum': ['set-logging']}}, 'required': ['type'], 'type': 'object'}

type = 'set-logging'

class c7n.resources.cloudtrail.Status(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter a cloudtrail by its status.

Example

policies:
  - name: cloudtrail-not-active
    resource: aws.cloudtrail
    filters:
    - type: status
      key: IsLogging
      value: False

annotation_key = 'c7n:TrailStatus'

permissions = ('cloudtrail:GetTrailStatus',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['status']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'status'

class c7n.resources.cloudtrail.UpdateTrail(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Update trail attributes.

Example

policies:
  - name: cloudtrail-set-log
    resource: aws.cloudtrail
    filters:
     - or:
       - KmsKeyId: empty
       - LogFileValidationEnabled: false
    actions:
     - type: update-trail
       attributes:
         KmsKeyId: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef
         EnableLogFileValidation: true

permissions = ('cloudtrail:UpdateTrail',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'attributes': {'type': 'object'}, 'type': {'enum': ['update-trail']}}, 'required': ('attributes',), 'type': 'object'}

shape = 'UpdateTrailRequest'

type = 'update-trail'

validate()

c7n.resources.code module

class c7n.resources.code.BuildSecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'vpcConfig.securityGroupIds[]'

type = 'security-group'

class c7n.resources.code.BuildSubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'vpcConfig.subnets[]'

type = 'subnet'

class c7n.resources.code.BuildVpcFilter(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

RelatedIdsExpression = 'vpcConfig.vpcId'

type = 'vpc'

class c7n.resources.code.CodeBuildProject(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_source(source_type)

class resource_type

Bases: object

arn = 'arn'

batch_detail_spec = ('batch_get_projects', 'names', None, 'projects', None)

config_type = 'AWS::CodeBuild::Project'

date = 'created'

dimension = None

enum_spec = ('list_projects', 'projects', None)

filter_name = None

id = 'name'

name = 'name'

service = 'codebuild'

type = 'project'

universal_taggable = <object object>

type = 'codebuild'

class c7n.resources.code.CodeDeployPipeline(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = 'created'

detail_spec = ('get_pipeline', 'name', 'name', 'pipeline')

dimension = None

enum_spec = ('list_pipelines', 'pipelines', None)

filter_name = None

id = 'name'

name = 'name'

service = 'codepipeline'

type = ''

static retry(func, *args, **kw)

type = 'codepipeline'

class c7n.resources.code.CodeRepository(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'Arn'

batch_detail_spec = ('batch_get_repositories', 'repositoryNames', 'repositoryName', 'repositories', None)

date = 'creationDate'

dimension = None

enum_spec = ('list_repositories', 'repositories', None)

filter_name = None

id = 'repositoryId'

name = 'repositoryName'

service = 'codecommit'

static retry(func, *args, **kw)

type = 'codecommit'

class c7n.resources.code.DeleteProject(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete code build

It is recommended to use a filter to avoid unwanted deletion of builds

Example

policies:
  - name: codebuild-delete
    resource: codebuild
    actions:
      - delete

permissions = ('codebuild:DeleteProject',)

process(projects)

process_project(client, project)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.code.DeleteRepository(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete code commit

It is recommended to use a filter to avoid unwanted deletion of repos

Example

policies:
  - name: codecommit-delete
    resource: codecommit
    actions:
      - delete

permissions = ('codecommit:DeleteRepository',)

process(repositories)

process_repository(client, repository)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.code.DescribeBuild(manager)

Bases: c7n.query.DescribeSource

augment(resources)

c7n.resources.cognito module

class c7n.resources.cognito.CognitoIdentityPool(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

detail_spec = ('describe_identity_pool', 'IdentityPoolId', 'IdentityPoolId', None)

dimension = None

enum_spec = ('list_identity_pools', 'IdentityPools', {'MaxResults': 60})

filter_name = None

id = 'IdentityPoolId'

name = 'IdentityPoolName'

service = 'cognito-identity'

type = 'identitypool'

type = 'identity-pool'

class c7n.resources.cognito.CognitoUserPool(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

detail_spec = ('describe_user_pool', 'UserPoolId', 'Id', 'UserPool')

dimension = None

enum_spec = ('list_user_pools', 'UserPools', {'MaxResults': 60})

filter_name = None

id = 'Id'

name = 'Name'

service = 'cognito-idp'

type = 'userpool'

type = 'user-pool'

class c7n.resources.cognito.DeleteIdentityPool(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete cognito identity pool

It is recommended to use a filter to avoid unwanted deletion of pools

Example

policies:
  - name: identity-pool-delete
    resource: identity-pool
    actions:
      - delete

permissions = ('cognito-identity:DeleteIdentityPool',)

process(pools)

process_pool(pool)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.cognito.DeleteUserPool(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete cognito user pool

It is recommended to use a filter to avoid unwanted deletion of pools

Example

policies:
  - name: user-pool-delete
    resource: user-pool
    actions:
      - delete

permissions = ('cognito-idp:DeleteUserPool',)

process(pools)

process_pool(pool)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

c7n.resources.config module

class c7n.resources.config.ConfigRecorder(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = False

dimension = None

enum_spec = ('describe_configuration_recorders', 'ConfigurationRecorders', None)

filter_name = 'ConfigurationRecorderNames'

filter_type = 'list'

id = 'name'

name = 'name'

service = 'config'

type = 'config-recorder'

class c7n.resources.config.ConfigRule(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'ConfigRuleArn'

dimension = None

enum_spec = ('describe_config_rules', 'ConfigRules', None)

filter_name = 'ConfigRuleNames'

filter_type = 'list'

id = 'ConfigRuleName'

name = 'ConfigRuleName'

service = 'config'

type = 'config-rule'

class c7n.resources.config.DeleteRule(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('config:DeleteConfigRule',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.config.RuleStatus(data, manager=None)

Bases: c7n.filters.core.ValueFilter

annotate = False

permissions = ('config:DescribeConfigRuleEvaluationStatus',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['status']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'status'

c7n.resources.cw module

class c7n.resources.cw.Alarm(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::CloudWatch::Alarm'

date = 'AlarmConfigurationUpdatedTimestamp'

dimension = None

enum_spec = ('describe_alarms', 'MetricAlarms', None)

filter_name = 'AlarmNames'

filter_type = 'list'

id = 'AlarmArn'

name = 'AlarmName'

service = 'cloudwatch'

type = 'alarm'

static retry(func, *args, **kw)

type = 'alarm'

class c7n.resources.cw.AlarmDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete a cloudwatch alarm.

Example

policies:
  - name: cloudwatch-delete-stale-alarms
    resource: alarm
    filters:
      - type: value
        value_type: age
        key: StateUpdatedTimestamp
        value: 30
        op: ge
      - StateValue: INSUFFICIENT_DATA
    actions:
      - delete

permissions = ('cloudwatch:DeleteAlarms',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.cw.CrossAccountFilter(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = ('events:ListTargetsByRule',)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['cross-account']}, 'whitelist': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_from': {'additionalProperties': 'False', 'properties': {'expr': {'oneOf': [{'type': 'integer'}, {'type': 'string'}]}, 'format': {'enum': ['csv', 'json', 'txt', 'csv2dict']}, 'url': {'type': 'string'}}, 'required': ['url'], 'type': 'object'}}, 'required': ['type'], 'type': 'object'}

type = 'cross-account'

class c7n.resources.cw.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Example

policies:
  - name: cloudwatch-delete-stale-log-group
    resource: log-group
    filters:
      - type: last-write
        days: 182.5
    actions:
      - delete

permissions = ('logs:DeleteLogGroup',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.cw.DeleteTarget(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('events:RemoveTargets',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.cw.EncryptLogGroup(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Encrypt/Decrypt a log group

Example

permissions = ('logs:AssociateKmsKey', 'logs:DisassociateKmsKey', 'kms:DescribeKey')

process(resources)

resolve_key(key)

schema = {'additionalProperties': False, 'properties': {'kms-key': {'type': 'string'}, 'state': {'type': 'boolean'}, 'type': {'enum': ['set-encryption']}}, 'required': ['type'], 'type': 'object'}

type = 'set-encryption'

validate()

class c7n.resources.cw.EventRule(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

dimension = None

enum_spec = ('list_rules', 'Rules', None)

filter_name = 'NamePrefix'

filter_type = 'scalar'

id = 'Name'

name = 'Name'

service = 'events'

type = 'event-rule'

type = 'event-rule'

class c7n.resources.cw.EventRuleMetrics(data, manager=None)

Bases: c7n.filters.metrics.MetricsFilter

get_dimensions(resource)

type = 'metrics'

class c7n.resources.cw.EventRuleTarget(data, options)

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

dimension = None

enum_spec = ('list_targets_by_rule', 'Targets', None)

filter_name = None

filter_type = None

id = 'Id'

name = 'Id'

parent_spec = ('event-rule', 'Rule', True)

service = 'events'

type = 'event-rule-target'

type = 'event-rule-target'

class c7n.resources.cw.LastWriteDays(data, manager=None)

Bases: c7n.filters.core.Filter

Filters CloudWatch log groups by last write

Example

policies:
  - name: cloudwatch-stale-groups
    resource: log-group
    filters:
      - type: last-write
        days: 60

check_group(client, group)

permissions = ('logs:DescribeLogStreams',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'type': {'enum': ['last-write']}}, 'required': ['type'], 'type': 'object'}

type = 'last-write'

class c7n.resources.cw.LogCrossAccountFilter(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = ('logs:DescribeSubscriptionFilters',)

process(resources, event=None)

Bulk process resources and return filtered set.

process_resource_set(client, accounts, resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['cross-account']}, 'whitelist': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_from': {'additionalProperties': 'False', 'properties': {'expr': {'oneOf': [{'type': 'integer'}, {'type': 'string'}]}, 'format': {'enum': ['csv', 'json', 'txt', 'csv2dict']}, 'url': {'type': 'string'}}, 'required': ['url'], 'type': 'object'}}, 'required': ['type'], 'type': 'object'}

type = 'cross-account'

class c7n.resources.cw.LogGroup(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

filter_registry = <c7n.filters.core.FilterRegistry object>

get_arns(resources)

class resource_type

Bases: object

date = 'creationTime'

dimension = 'LogGroupName'

enum_spec = ('describe_log_groups', 'logGroups', None)

filter_name = 'logGroupNamePrefix'

filter_type = 'scalar'

id = 'arn'

name = 'logGroupName'

service = 'logs'

type = 'log-group'

type = 'log-group'

class c7n.resources.cw.Retention(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to set the retention period (in days) for CloudWatch log groups

Example

policies:
  - name: cloudwatch-set-log-group-retention
    resource: log-group
    actions:
      - type: retention
        days: 200

permissions = ('logs:PutRetentionPolicy',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'integer'}, 'type': {'enum': ['retention']}}, 'required': ['type'], 'type': 'object'}

type = 'retention'

c7n.resources.datapipeline module

Data Pipeline

class c7n.resources.datapipeline.DataPipeline(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

batch_detail_spec = ('describe_pipeline', 'pipelineIds', 'id', 'pipelineDescriptionList', None)

date = None

dimension = 'name'

enum_spec = ('list_pipelines', 'pipelineIdList', None)

filter_name = None

id = 'id'

name = 'name'

service = 'datapipeline'

type = 'dataPipeline'

static retry(func, *args, **kw)

type = 'datapipeline'

class c7n.resources.datapipeline.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete DataPipeline

It is recommended to use a filter to avoid unwanted deletion of DataPipeline

Example

policies:
  - name: datapipeline-delete
    resource: datapipeline
    actions:
      - delete

permissions = ('datapipeline:DeletePipeline',)

process(pipelines)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.datapipeline.MarkForOpPipeline(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Action to specify an action to occur at a later date

Example

policies:
  - name: pipeline-delete-unused
    resource: datapipeline
    filters:
      - "tag:custodian_cleanup": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        msg: "Unused data pipeline: {op}@{action_date}"
        op: delete
        days: 7

type = 'mark-for-op'

class c7n.resources.datapipeline.TagPipeline(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tag(s) on a pipeline

Example

policies:
  - name: tag-pipeline
    resource: datapipeline
    filters:
      - "tag:target-tag": absent
    actions:
      - type: tag
        key: target-tag
        value: target-tag-value

permissions = ('datapipeline:AddTags',)

process_resource_set(client, pipelines, tags)

type = 'tag'

class c7n.resources.datapipeline.UntagPipeline(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tag(s) on a pipeline

Example

policies:
  - name: pipeline-remove-tag
    resource: datapipeline
    filters:
      - "tag:OutdatedTag": present
    actions:
      - type: remove-tag
        tags: ["OutdatedTag"]

permissions = ('datapipeline:RemoveTags',)

process_resource_set(client, pipelines, tags)

type = 'remove-tag'

c7n.resources.directconnect module

class c7n.resources.directconnect.DirectConnect(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

dimension = None

enum_spec = ('describe_connections', 'connections', None)

filter_name = 'connectionId'

id = 'connectionId'

name = 'connectionName'

service = 'directconnect'

type = 'dxcon'

type = 'directconnect'

c7n.resources.directory module

class c7n.resources.directory.CloudDirectory(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'DirectoryArn'

dimension = None

enum_spec = ('list_directories', 'Directories', {'state': 'ENABLED'})

filter_name = None

id = 'DirectoryArn'

name = 'Name'

service = 'clouddirectory'

type = 'directory'

universal_taggable = <object object>

type = 'cloud-directory'

class c7n.resources.directory.Directory(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(directories)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('ds:ListTagsForResource',)

class resource_type

Bases: object

dimension = None

enum_spec = ('describe_directories', 'DirectoryDescriptions', None)

filter_name = 'DirectoryIds'

filter_type = 'list'

id = 'DirectoryId'

name = 'Name'

service = 'ds'

type = 'directory'

type = 'directory'

class c7n.resources.directory.DirectoryRemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Remove tags from a directory

Example

permissions = ('ds:RemoveTagsFromResource',)

process_resource_set(client, directories, tags)

type = 'remove-tag'

class c7n.resources.directory.DirectorySecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'VpcSettings.SecurityGroupId'

type = 'security-group'

class c7n.resources.directory.DirectorySubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'VpcSettings.SubnetIds'

type = 'subnet'

class c7n.resources.directory.DirectoryTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Add tags to a directory

Example

permissions = ('ds:AddTagToResource',)

process_resource_set(client, directories, tags)

type = 'tag'

class c7n.resources.directory.DirectoryVpcFilter(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

RelatedIdsExpression = 'VpcSettings.VpcId'

type = 'vpc'

c7n.resources.dlm module

class c7n.resources.dlm.DLMPolicy(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = False

detail_spec = ('get_lifecycle_policy', 'PolicyId', 'PolicyId', 'Policy')

dimension = None

enum_spec = ('get_lifecycle_policies', 'Policies', None)

filter_name = 'PolicyIds'

filter_type = 'list'

id = 'PolicyId'

name = 'PolicyId'

service = 'dlm'

type = 'dlm-policy'

c7n.resources.dms module

class c7n.resources.dms.DeleteDmsEndpoint(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete a DMS endpoint

Example

permissions = ('dms:DeleteEndpoint',)

process(endpoints)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.dms.DmsEndpoints(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'EndpointArn'

date = None

detail_spec = None

dimension = None

enum_spec = ('describe_endpoints', 'Endpoints', None)

filter_name = None

id = 'EndpointArn'

name = 'EndpointIdentifier'

service = 'dms'

type = 'dms-endpoint'

class c7n.resources.dms.InstanceDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('dms:DeleteReplicationInstance',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.dms.InstanceDescribe(manager)

Bases: c7n.query.DescribeSource

augment(resources)

get_resources(resource_ids)

process_resource_set(client, resources)

class c7n.resources.dms.InstanceMarkForOp(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Tag a replication instance for action at a later time

Example

policies:
    - name: delete-single-az-dms
      resource: dms-instance
      filters:
        - MultiAZ: False
      actions:
        - type: mark-for-op
          tag: custodian_dms_cleanup
          op: delete
          days: 7

type = 'mark-for-op'

class c7n.resources.dms.InstanceRemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Remove tag(s) from a replication instance

Example

policies:
    - name: delete-single-az-dms
      resource: dms-instance
      filters:
        - "tag:InvalidTag": present
      actions:
        - type: remove-tag
          tags: ["InvalidTag"]

permissions = ('dms:RemoveTagsFromResource',)

process_resource_set(client, resources, tags)

type = 'remove-tag'

class c7n.resources.dms.InstanceTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Add tag(s) to a replication instance

Example

policies:
    - name: tag-dms-required
      resource: dms-instance
      filters:
        - "tag:RequireTag": absent
      actions:
        - type: tag
          key: RequiredTag
          value: RequiredTagValue

permissions = ('dms:AddTagsToResource',)

process_resource_set(client, resources, tags)

type = 'tag'

class c7n.resources.dms.KmsFilter(data, manager=None)

Bases: c7n.filters.kms.KmsRelatedFilter

RelatedIdsExpression = 'KmsKeyId'

type = 'kms-key'

class c7n.resources.dms.ModifyDmsEndpoint(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Modify the attributes of a DMS endpoint

Example

AWS ModifyEndpoint Documentation https://docs.aws.amazon.com/dms/latest/APIReference/API_ModifyEndpoint.html

permissions = ('dms:ModifyEndpoint',)

process(endpoints)

schema = {'additionalProperties': False, 'properties': {'CertificateArn': {'type': 'string'}, 'DatabaseName': {'type': 'string'}, 'DynamoDbSettings': {'additionalProperties': False, 'properties': {'ServiceAccessRoleArn': {'type': 'string'}}, 'required': ['ServiceAccessRoleArn'], 'type': 'object'}, 'EndpointIdentifier': {'type': 'string'}, 'EngineName': {'enum': ['mysql', 'oracle', 'postgres', 'mariadb', 'aurora', 'redshift', 'S3', 'sybase', 'dynamodb', 'mongodb', 'sqlserver']}, 'ExtraConnectionAttributes': {'type': 'string'}, 'MongoDbSettings': {'additionalProperties': False, 'properties': {'AuthMechanism': {'enum': ['default', 'mongodb_cr', 'scram_sha_1'], 'type': 'string'}, 'AuthSource': {'type': 'string'}, 'DatabaseName': {'type': 'string'}, 'DocsToInvestigate': {'minimum': 1, 'type': 'integer'}, 'ExtractDocId': {'type': 'string'}, 'NestingLevel': {'enum': ['NONE', 'none', 'ONE', 'one'], 'type': 'string'}, 'Password': {'type': 'string'}, 'Port': {'maximum': 65535, 'minimum': 1, 'type': 'integer'}, 'ServerName': {'type': 'string'}, 'Username': {'type': 'string'}}, 'type': 'object'}, 'Password': {'type': 'string'}, 'Port': {'maximum': 65536, 'minimum': 1, 'type': 'integer'}, 'S3Settings': {'additionalProperties': False, 'properties': {'BucketFolder': {'type': 'string'}, 'BucketName': {'type': 'string'}, 'CompressionType': {'enum': ['none', 'gzip'], 'type': 'string'}, 'CsvDelimiter': {'type': 'string'}, 'CsvRowDelimiter': {'type': 'string'}, 'ExternalTableDefinition': {'type': 'string'}, 'ServiceAccessRoleArn': {'type': 'string'}}, 'type': 'object'}, 'ServerName': {'type': 'string'}, 'SslMode': {'enum': ['none', 'require', 'verify-ca', 'verify-full'], 'type': 'string'}, 'Username': {'type': 'string'}, 'type': {'enum': ['modify-endpoint']}}, 'type': 'object'}

type = 'modify-endpoint'

class c7n.resources.dms.ModifyReplicationInstance(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Modify replication instance(s) to apply new settings

Example

AWS ModifyReplicationInstance Documentation:

https://docs.aws.amazon.com/dms/latest/APIReference/API_ModifyReplicationInstance.html

permissions = ('dms:ModifyReplicationInstance',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'AllocatedStorage': {'type': 'integer'}, 'AllowMajorVersionUpgrade': {'type': 'boolean'}, 'ApplyImmediately': {'type': 'boolean'}, 'AutoMinorVersionUpgrade': {'type': 'boolean'}, 'EngineVersion': {'type': 'string'}, 'MultiAZ': {'type': 'boolean'}, 'PreferredMaintenanceWindow': {'type': 'string'}, 'ReplicationInstanceArn': {'type': 'string'}, 'ReplicationInstanceClass': {'type': 'string'}, 'ReplicationInstanceIdentifier': {'type': 'string'}, 'VpcSecurityGroupIds': {'items': {'type': 'string'}, 'type': 'array'}, 'type': {'enum': ['modify-instance']}}, 'type': 'object'}

type = 'modify-instance'

class c7n.resources.dms.ReplicationInstance(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

filters = <c7n.filters.core.FilterRegistry object>

get_source(source_type)

class resource_type

Bases: object

arn = 'ReplicationInstanceArn'

date = 'InstanceCreateTime'

dimension = None

enum_spec = ('describe_replication_instances', 'ReplicationInstances', None)

filter_name = None

filter_type = None

id = 'ReplicationInstanceIdentifier'

name = 'ReplicationInstanceIdentifier'

service = 'dms'

type = 'rep'

static retry(func, *args, **kw)

type = 'dms-instance'

class c7n.resources.dms.SecurityGroup(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'VpcSecurityGroups[].VpcSecurityGroupId'

type = 'security-group'

class c7n.resources.dms.Subnet(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'ReplicationSubnetGroup.Subnets[].SubnetIdentifier'

type = 'subnet'

class c7n.resources.dms.Vpc(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

RelatedIdsExpression = 'ReplicationSubnetGroup.VpcId'

type = 'vpc'

c7n.resources.dynamodb module

class c7n.resources.dynamodb.Backup(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::DynamoDB::Table'

date = 'BackupCreationDateTime'

detail_spec = None

dimension = 'TableName'

enum_spec = ('list_backups', 'BackupSummaries', None)

filter_name = None

id = 'Table'

name = 'TableName'

service = 'dynamodb'

type = 'table'

type = 'dynamodb-backup'

class c7n.resources.dynamodb.ConfigTable(manager)

Bases: c7n.query.ConfigSource

load_resource(item)

class c7n.resources.dynamodb.CreateBackup(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.dynamodb.StatusFilter

Creates a manual backup of a DynamoDB table. Use of the optional

prefix flag will attach a user specified prefix. Otherwise, the backup prefix will default to ‘Backup’.

Example

policies:
  - name: dynamodb-create-backup
    resource: dynamodb-table
    actions:
      - type: backup
        prefix: custom

permissions = ('dynamodb:CreateBackup',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'prefix': {'type': 'string'}, 'type': {'enum': ['backup']}}, 'required': ['type'], 'type': 'object'}

type = 'backup'

valid_status = ('ACTIVE',)

class c7n.resources.dynamodb.DaxDeleteCluster(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete a DAX cluster

Example

permissions = ('dax:DeleteCluster',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.dynamodb.DaxMarkForOp(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Action to specify an action to occur at a later date

Example

policies:
  - name: dax-mark-tag-compliance
    resource: dax
    filters:
      - "tag:custodian_cleanup": absent
      - "tag:OwnerName": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        msg: "Missing tag 'OwnerName': {op}@{action_date}"
        op: delete
        days: 7

type = 'mark-for-op'

class c7n.resources.dynamodb.DaxModifySecurityGroup(data=None, manager=None, log_dir=None)

Bases: c7n.actions.network.ModifyVpcSecurityGroupsAction

permissions = ('dax:UpdateCluster',)

process(resources)

type = 'modify-security-groups'

class c7n.resources.dynamodb.DaxRemoveTagging(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tag(s) on a resource

Example

policies:
  - name: dax-remove-tag
    resource: dax
    filters:
      - "tag:OutdatedTag": present
    actions:
      - type: remove-tag
        tags: ["OutdatedTag"]

permissions = ('dax:UntagResource',)

process_resource_set(client, resources, tag_keys)

type = 'remove-tag'

class c7n.resources.dynamodb.DaxSecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'SecurityGroups[].SecurityGroupIdentifier'

type = 'security-group'

class c7n.resources.dynamodb.DaxSubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

Filters DAX clusters based on their associated subnet group

Example

policies:
  - name: dax-no-auto-public
    resource: dax
    filters:
      - type: subnet
        key: MapPublicIpOnLaunch
        value: False

RelatedIdsExpression = ''

get_related_ids(resources)

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'subnet'

class c7n.resources.dynamodb.DaxTagging(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tag(s) on a resource

Example

policies:
  - name: dax-cluster-tag
    resource: dax
    filters:
      - "tag:target-tag": absent
    actions:
      - type: tag
        key: target-tag
        value: target-tag-value

permissions = ('dax:TagResource',)

process_resource_set(client, resources, tags)

type = 'tag'

class c7n.resources.dynamodb.DaxUpdateCluster(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Updates a DAX cluster configuration

Example

permissions = ('dax:UpdateCluster',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'Description': {'type': 'string'}, 'NotificationTopicArn': {'type': 'string'}, 'NotificationTopicStatus': {'type': 'string'}, 'ParameterGroupName': {'type': 'string'}, 'PreferredMaintenanceWindow': {'type': 'string'}, 'type': {'enum': ['update-cluster']}}, 'type': 'object'}

type = 'update-cluster'

class c7n.resources.dynamodb.DeleteBackup(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.dynamodb.StatusFilter

Deletes backups of a DynamoDB table

Example

policies:
  - name: dynamodb-delete-backup
    resource: dynamodb-backup
    filters:
      - type: value
        key: BackupCreationDateTime
        op: greater-than
        value_type: age
        value: 28
    actions:
      - type: delete

permissions = ('dynamodb:DeleteBackup',)

process(backups)

process_dynamodb_backups(table_set, c)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

valid_status = ('AVAILABLE',)

class c7n.resources.dynamodb.DeleteTable(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.dynamodb.StatusFilter

Action to delete dynamodb tables

Example

policies:
  - name: delete-empty-tables
    resource: dynamodb-table
    filters:
      - TableSizeBytes: 0
    actions:
      - delete

delete_table(client, table_set)

permissions = ('dynamodb:DeleteTable',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

valid_status = ('ACTIVE',)

class c7n.resources.dynamodb.DescribeDaxCluster(manager)

Bases: c7n.query.DescribeSource

augment(clusters)

get_resources(ids, cache=True)

Retrieve dax resources for serverless policies or related resources

class c7n.resources.dynamodb.DescribeTable(manager)

Bases: c7n.query.DescribeSource

augment(resources)

class c7n.resources.dynamodb.DynamoDbAccelerator(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_resources(ids, cache=True, augment=True)

Override in order to disable the augment for serverless policies. list_tags on dax resources always fail until the cluster is finished creating.

get_source(source_type)

permissions = ('dax:ListTags',)

class resource_type

Bases: object

config_type = 'AWS::DAX::Cluster'

date = None

detail_spec = None

dimension = None

enum_spec = ('describe_clusters', 'Clusters', None)

filter_name = None

id = 'ClusterArn'

name = 'ClusterName'

service = 'dax'

type = 'cluster'

type = 'dax'

class c7n.resources.dynamodb.KmsFilter(data, manager=None)

Bases: c7n.filters.kms.KmsRelatedFilter

Filter a resource by its associcated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

Example

policies:
    - name: dynamodb-kms-key-filters
      resource: dynamodb-table
      filters:
        - type: kms-key
          key: c7n:AliasName
          value: "^(alias/aws/dynamodb)"
          op: regex

RelatedIdsExpression = 'SSEDescription.KMSMasterKeyArn'

type = 'kms-key'

class c7n.resources.dynamodb.SetStream(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.dynamodb.StatusFilter

Action to enable/disable streams on table.

Example

policies:
  - name: stream-update
    resource: dynamodb-table
    filters:
      - TableName: 'test'
      - TableStatus: 'ACTIVE'
    actions:
      - type: set-stream
        state: True
        stream_view_type: 'NEW_IMAGE'

permissions = ('dynamodb:UpdateTable',)

process(tables)

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'stream_view_type': {'type': 'string'}, 'type': {'enum': ['set-stream']}}, 'required': ['type'], 'type': 'object'}

type = 'set-stream'

valid_status = ('ACTIVE',)

class c7n.resources.dynamodb.StatusFilter

Bases: object

Filter tables by status

filter_backup_state(tables, states=None)

filter_table_state(tables, states=None)

valid_states = ()

class c7n.resources.dynamodb.Stream(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'StreamArn'

date = 'CreationDateTime'

detail_spec = ('describe_stream', 'StreamArn', 'StreamArn', 'StreamDescription')

dimension = 'TableName'

enum_spec = ('list_streams', 'Streams', None)

filter_name = None

id = 'StreamArn'

name = 'TableName'

service = 'dynamodbstreams'

type = 'dynamodb-stream'

class c7n.resources.dynamodb.Table(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_source(source_type)

permissions = ('dynamodb:ListTagsOfResource',)

class resource_type

Bases: object

config_type = 'AWS::DynamoDB::Table'

date = 'CreationDateTime'

detail_spec = ('describe_table', 'TableName', None, 'Table')

dimension = 'TableName'

enum_spec = ('list_tables', 'TableNames', None)

filter_name = None

id = 'TableName'

name = 'TableName'

service = 'dynamodb'

type = 'table'

type = 'dynamodb-table'

c7n.resources.ebs module

class c7n.resources.ebs.AttachedInstanceFilter(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter volumes based on filtering on their attached instance

Example

policies:
  - name: instance-ebs-volumes
    resource: ebs
    filters:
      - instance

get_instance_mapping(resources)

get_permissions()

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['instance']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'instance'

class c7n.resources.ebs.CopyInstanceTags(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Copy instance tags to its attached volume.

Useful for cost allocation to ebs volumes and tracking usage info for volumes.

Mostly useful for volumes not set to delete on termination, which are otherwise candidates for garbage collection, copying the instance tags gives us more semantic information to determine if their useful, as well letting us know the last time the volume was actually used.

Example

policies:
  - name: ebs-copy-instance-tags
    resource: ebs
    filters:
      - type: value
        key: "Attachments[0].Device"
        value: not-null
    actions:
      - type: copy-instance-tags
        tags:
          - Name

get_permissions()

get_volume_tags(volume, instance, attachment)

initialize(volumes)

process(volumes)

process_instance_set(client, instance_ids)

process_instance_volumes(client, instance, volumes)

schema = {'additionalProperties': False, 'properties': {'tags': {'items': {'type': 'string'}, 'type': 'array'}, 'type': {'enum': ['copy-instance-tags']}}, 'required': ['type'], 'type': 'object'}

type = 'copy-instance-tags'

class c7n.resources.ebs.CopySnapshot(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Copy a snapshot across regions

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html

Example

policies:
  - name: copy-snapshot-east-west
    resource: ebs-snapshot
    filters:
      - type: age
        days: 7
        op: le
    actions:
      - type: copy
        target_region: us-west-2
        target_key: target_kms_key
        encrypted: true

permissions = ('ec2:CreateTags', 'ec2:CopySnapshot', 'ec2:DescribeSnapshots')

process(resources)

process_resource_set(resource_set)

schema = {'additionalProperties': False, 'properties': {'encrypted': {'type': 'boolean'}, 'target_key': {'type': 'string'}, 'target_region': {'type': 'string'}, 'type': {'enum': ['copy']}}, 'required': ['type'], 'type': 'object'}

type = 'copy'

validate()

class c7n.resources.ebs.CreateSnapshot(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Snapshot an EBS volume

Example

policies:
  - name: snapshot-volumes
    resource: ebs
    filters:
      - Attachments: []
      - State: available
    actions:
      - snapshot

permissions = ('ec2:CreateSnapshot',)

process(volumes)

process_volume(client, volume)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['snapshot']}}, 'required': ['type'], 'type': 'object'}

type = 'snapshot'

class c7n.resources.ebs.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete an ebs volume.

If the force boolean is true, we will detach an attached volume from an instance. Note this cannot be done for running instance root volumes.

Example

policies:
  - name: delete-unattached-volumes
    resource: ebs
    filters:
      - Attachments: []
      - State: available
    actions:
      - delete

permissions = ('ec2:DetachVolume', 'ec2:DeleteVolume', 'ec2:DescribeVolumes')

process(volumes)

process_volume(client, volume)

schema = {'additionalProperties': False, 'properties': {'force': {'type': 'boolean'}, 'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.ebs.EBS(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::EC2::Volume'

date = 'createTime'

default_report_fields = ('VolumeId', 'Attachments[0].InstanceId', 'Size', 'VolumeType', 'KmsKeyId')

dimension = 'VolumeId'

enum_spec = ('describe_volumes', 'Volumes', None)

filter_name = 'VolumeIds'

filter_type = 'list'

id = 'VolumeId'

metrics_namespace = 'AWS/EBS'

name = 'VolumeId'

service = 'ec2'

type = 'volume'

type = 'ebs'

class c7n.resources.ebs.EncryptInstanceVolumes(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Encrypt extant volumes attached to an instance

• Requires instance restart

• Not suitable for autoscale groups.

Multistep process:

• Stop instance (if running)

• For each volume

  • Create snapshot

  • Wait on snapshot creation

  • Copy Snapshot to create encrypted snapshot

  • Wait on snapshot creation

  • Create encrypted volume from snapshot

  • Wait on volume creation

  • Delete transient snapshots

  • Detach Unencrypted Volume

  • Attach Encrypted Volume

  • Set DeleteOnTermination instance attribute equal to source volume

• For each volume

  • Delete unencrypted volume

• Start Instance (if originally running)

• For each newly encrypted volume

  • Delete transient tags

Example

policies:
  - name: encrypt-unencrypted-ebs
    resource: ebs
    filters:
      - Encrypted: false
    actions:
      - type: encrypt-instance-volumes
        key: alias/encrypted

create_encrypted_volume(ec2, v, key_id, instance_id)

get_encryption_key()

permissions = ('ec2:CopySnapshot', 'ec2:CreateSnapshot', 'ec2:CreateVolume', 'ec2:DescribeInstances', 'ec2:DescribeSnapshots', 'ec2:DescribeVolumes', 'ec2:StopInstances', 'ec2:StartInstances', 'ec2:ModifyInstanceAttribute', 'ec2:DeleteTags')

process(volumes)

process_volume(client, instance_id, vol_set)

Encrypt attached unencrypted ebs volumes

vol_set corresponds to all the unencrypted volumes on a given instance.

schema = {'additionalProperties': False, 'properties': {'delay': {'type': 'number'}, 'key': {'type': 'string'}, 'type': {'enum': ['encrypt-instance-volumes']}, 'verbose': {'type': 'boolean'}}, 'required': ['key', 'type'], 'type': 'object'}

stop_instance(client, instance_id)

type = 'encrypt-instance-volumes'

validate()

wait_on_resource(*args, **kw)

class c7n.resources.ebs.ErrorHandler

Bases: object

static extract_bad_snapshot(e)

Handle various client side errors when describing snapshots

static remove_snapshot(rid, resource_set)

class c7n.resources.ebs.FaultTolerantSnapshots(data, manager=None)

Bases: c7n.filters.core.Filter

This filter will return any EBS volume that does/does not have a snapshot within the last 7 days. ‘Fault-Tolerance’ in this instance means that, in the event of a failure, the volume can be restored from a snapshot with (reasonable) data loss

• name: ebs-volume-tolerance

• resource: ebs

• filters: [{

  ‘type’: ‘fault-tolerant’, ‘tolerant’: True}]

check_id = 'H7IgTzjTYb'

permissions = ('support:RefreshTrustedAdvisorCheck', 'support:DescribeTrustedAdvisorCheckResult')

process(resources, event=None)

Bulk process resources and return filtered set.

pull_check_results()

schema = {'additionalProperties': False, 'properties': {'tolerant': {'type': 'boolean'}, 'type': {'enum': ['fault-tolerant']}}, 'required': ['type'], 'type': 'object'}

type = 'fault-tolerant'

class c7n.resources.ebs.HealthFilter(data, manager=None)

Bases: c7n.filters.health.HealthEventFilter

load_resource(config, rid)

permissions = ('health:DescribeEvents', 'health:DescribeAffectedEntities', 'health:DescribeEventDetails', 'config:GetResourceConfigHistory')

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'statuses': {'items': {'enum': ['open', 'upcoming', 'closed'], 'type': 'string'}, 'type': 'array'}, 'type': {'enum': ['health-event']}, 'types': {'items': {'enum': ['AWS_EBS_DEGRADED_EBS_VOLUME_PERFORMANCE', 'AWS_EBS_VOLUME_LOST'], 'type': 'string'}, 'type': 'array'}}, 'required': ['type'], 'type': 'object'}

type = 'health-event'

class c7n.resources.ebs.KmsKeyAlias(data, manager=None)

Bases: c7n.resources.kms.ResourceKmsKeyAlias

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'kms-alias'

class c7n.resources.ebs.ModifyVolume(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Modify an ebs volume online.

Note this action requires use of modifyable filter

Intro Blog & Use Cases:

https://aws.amazon.com/blogs/aws/amazon-ebs-update-new-elastic-volumes-change-everything/

Docs:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modify-volume.html

Considerations:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/limitations.html

Example

Find under utilized provisioned iops volumes older than a week and change their type.

policies:
 - name: ebs-remove-piops
   resource: ebs
   filters:
    - type: value
      key: CreateDate
      value_type: age
      value: 7
      op: greater-than
    - VolumeType: io1
    - type: metrics
      name: VolumeConsumedReadWriteOps
      statistics: Maximum
      value: 100
      op: less-than
      days: 7
    - modifyable
   actions:
    - type: modify
      volume-type: gp2

iops-percent and size-percent can be used to modify respectively iops on io1 volumes and volume size.

When converting to io1, iops-percent is used to set the iops allocation for the new volume against the extant value for the old volume.

Example

Double storage and quadruple iops for all io1 volumes.

policies:
 - name: ebs-remove-piops
   resource: ebs
   filters:
     - VolumeType: io1
     - modifyable
   actions:
     - type: modify
       size-percent: 200
       iops-percent: 400

Note resizing down aka shrinking requires OS and FS support and potentially additional preparation, else data-loss may occur. To prevent accidents, shrinking must be explicitly enabled by also setting shrink: true on the action.

permissions = ('ec2:ModifyVolumeAttribute',)

process(resources)

process_resource_set(client, resource_set)

schema = {'additionalProperties': False, 'properties': {'iops-percent': {'type': 'number'}, 'shrink': False, 'size-percent': {'type': 'number'}, 'type': {'enum': ['modify']}, 'volume-type': {'enum': ['io1', 'gp2', 'st1', 'sc1']}}, 'required': ['type'], 'type': 'object'}

type = 'modify'

validate()

class c7n.resources.ebs.ModifyableVolume(data, manager=None)

Bases: c7n.filters.core.Filter

Check if an ebs volume is modifyable online.

Considerations:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/limitations.html

Consideration Summary

• only current instance types are supported (one exception m3.medium) Current Generation Instances (2017-2) https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#current-gen-instances

• older magnetic volume types are not supported

• shrinking volumes is not supported

• must wait at least 6hrs between modifications to the same volume.

• volumes must have been attached after nov 1st, 2016.

See custodian schema ebs.actions.modify for examples.

older_generation = {'c1.medium', 'c1.xlarge', 'cc2.8xlarge', 'cg1.4xlarge', 'cr1.8xlarge', 'hi1.4xlarge', 'hs1.8xlarge', 'm1.large', 'm1.medium', 'm1.small', 'm1.xlarge', 'm2.2xlarge', 'm2.4xlarge', 'm2.xlarge', 'm3.2xlarge', 'm3.large', 'm3.xlarge', 't1.micro'}

permissions = ('ec2:DescribeInstances',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['modifyable']}}, 'required': ['type'], 'type': 'object'}

type = 'modifyable'

class c7n.resources.ebs.Snapshot(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_resources(ids, cache=True, augment=True)

Retrieve a set of resources by id.

class resource_type

Bases: object

date = 'StartTime'

default_report_fields = ('SnapshotId', 'VolumeId', 'tag:InstanceId', 'VolumeSize', 'StartTime', 'State')

detail_spec = None

dimension = None

enum_spec = ('describe_snapshots', 'Snapshots', None)

filter_name = 'SnapshotIds'

filter_type = 'list'

id = 'SnapshotId'

name = 'SnapshotId'

service = 'ec2'

type = 'snapshot'

resources(query=None)

type = 'ebs-snapshot'

class c7n.resources.ebs.SnapshotAge(data, manager=None)

Bases: c7n.filters.core.AgeFilter

EBS Snapshot Age Filter

Filters an EBS snapshot based on the age of the snapshot (in days)

Example

policies:
  - name: ebs-snapshots-week-old
    resource: ebs-snapshot
    filters:
      - type: age
        days: 7
        op: ge

date_attribute = 'StartTime'

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['age']}}, 'required': ['type'], 'type': 'object'}

type = 'age'

class c7n.resources.ebs.SnapshotCrossAccountAccess(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = ('ec2:DescribeSnapshotAttribute',)

process(resources, event=None)

Bulk process resources and return filtered set.

process_resource_set(client, resource_set)

type = 'cross-account'

class c7n.resources.ebs.SnapshotDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Deletes EBS snapshots

Example

policies:
  - name: delete-stale-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

permissions = ('ec2:DeleteSnapshot',)

process(snapshots)

process_snapshot_set(client, snapshots_set)

schema = {'additionalProperties': False, 'properties': {'skip-ami-snapshots': {'type': 'boolean'}, 'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.ebs.SnapshotQueryParser

Bases: c7n.utils.QueryParser

QuerySchema = {'description': (<class 'str'>,), 'owner-alias': ('amazon', 'amazon-marketplace', 'microsoft'), 'owner-id': (<class 'str'>,), 'progress': (<class 'str'>,), 'snapshot-id': (<class 'str'>,), 'start-time': (<class 'str'>,), 'status': ('pending', 'completed', 'error'), 'tag': (<class 'str'>,), 'tag-key': (<class 'str'>,), 'volume-id': (<class 'str'>,), 'volume-size': (<class 'str'>,)}

type_name = 'EBS'

class c7n.resources.ebs.SnapshotSkipAmiSnapshots(data, manager=None)

Bases: c7n.filters.core.Filter

Filter to remove snapshots of AMIs from results

This filter is ‘true’ by default.

Example

implicit with no parameters, ‘true’ by default

policies:
  - name: delete-stale-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
      - skip-ami-snapshots

Example

explicit with parameter

policies:
  - name: delete-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
      - type: skip-ami-snapshots
        value: false

get_permissions()

process(snapshots, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['skip-ami-snapshots']}, 'value': {'type': 'boolean'}}, 'required': ['type'], 'type': 'object'}

type = 'skip-ami-snapshots'

class c7n.resources.ebs.SnapshotTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

permissions = ('ec2:CreateTags',)

process_resource_set(client, resource_set, tags)

type = 'tag'

class c7n.resources.ebs.SnapshotUnusedFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Filters snapshots based on usage

true: snapshot is not used by launch-template, launch-config, or ami.

false: snapshot is being used by launch-template, launch-config, or ami.

Example

policies:
  - name: snapshot-unused
    resource: ebs-snapshot
    filters:
      - type: unused
        value: true

get_permissions()

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['unused']}, 'value': {'type': 'boolean'}}, 'required': ['type'], 'type': 'object'}

type = 'unused'

class c7n.resources.ebs.VolumeDetach(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Detach an EBS volume from an Instance.

If ‘Force’ Param is True, then we’ll do a forceful detach of the Volume. The default value for ‘Force’ is False.

example

policies:
  - name: instance-ebs-volumes
    resource: ebs
    filters:
      - VolumeId :  volumeid
    actions:
      - detach

permissions = ('ec2:DetachVolume',)

process(volumes, event=None)

schema = {'additionalProperties': False, 'properties': {'force': {'type': 'boolean'}, 'type': {'enum': ['detach']}}, 'required': ['type'], 'type': 'object'}

type = 'detach'

c7n.resources.ec2 module

class c7n.resources.ec2.AttachedVolume(data, manager=None)

Bases: c7n.filters.core.ValueFilter

EC2 instances with EBS backed volume

Filters EC2 instances with EBS backed storage devices (non ephemeral)

Example

policies:
  - name: ec2-encrypted-ebs-volumes
    resource: ec2
    filters:
      - type: ebs
        key: Encrypted
        value: true

get_permissions()

get_volume_mapping(resources)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'operator': {'enum': ['and', 'or']}, 'skip-devices': {'items': {'type': 'string'}, 'type': 'array'}, 'type': {'enum': ['ebs']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'ebs'

class c7n.resources.ec2.AutorecoverAlarm(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.ec2.StateTransitionFilter

Adds a cloudwatch metric alarm to recover an EC2 instance.

This action takes effect on instances that are NOT part of an ASG.

Example

policies:
  - name: ec2-autorecover-alarm
    resource: ec2
    filters:
      - singleton
    actions:
      - autorecover-alarm

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html

filter_asg_membership = <c7n.filters.core.ValueFilter object>

permissions = ('ec2:DescribeInstanceStatus', 'ec2:RecoverInstances', 'ec2:DescribeInstanceRecoveryAttribute')

process(instances)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['autorecover-alarm']}}, 'required': ['type'], 'type': 'object'}

type = 'autorecover-alarm'

valid_origin_states = ('running', 'stopped', 'pending', 'stopping')

class c7n.resources.ec2.ComputePermissions(data, manager=None)

Bases: c7n.resources.iam.CheckPermissions

get_iam_arns(resources)

type = 'check-permissions'

class c7n.resources.ec2.DefaultVpc(data, manager=None)

Bases: c7n.filters.vpc.DefaultVpcBase

Matches if an ec2 database is in the default vpc

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['default-vpc']}}, 'required': ['type'], 'type': 'object'}

type = 'default-vpc'

class c7n.resources.ec2.DescribeEC2(manager)

Bases: c7n.query.DescribeSource

augment(resources)

EC2 API and AWOL Tags

While ec2 api generally returns tags when doing describe_x on for various resources, it may also silently fail to do so unless a tag is used as a filter.

See footnote on for official documentation. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_CLI

Apriori we may be using custodian to ensure tags (including name), so there isn’t a good default to ensure that we will always get tags from describe_x calls.

class c7n.resources.ec2.DisableApiTermination(data, manager=None)

Bases: c7n.filters.core.Filter

EC2 instances with disableApiTermination attribute set

Filters EC2 instances with disableApiTermination attribute set to true.

Example

policies:
  - name: termination-protection-enabled
    resource: ec2
    filters:
      - type: termination-protected

Example

policies:
  - name: termination-protection-NOT-enabled
    resource: ec2
    filters:
      - not:
        - type: termination-protected

get_permissions()

is_termination_protection_enabled(client, inst)

permissions = ('ec2:DescribeInstanceAttribute',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['termination-protected']}}, 'required': ['type'], 'type': 'object'}

type = 'termination-protected'

class c7n.resources.ec2.EC2(ctx, data)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_source(source_type)

permissions = ('ec2:DescribeTags',)

resource_query()

class resource_type

Bases: object

config_type = 'AWS::EC2::Instance'

date = 'LaunchTime'

default_report_fields = ('CustodianDate', 'InstanceId', 'tag:Name', 'InstanceType', 'LaunchTime', 'VpcId', 'PrivateIpAddress')

detail_spec = None

dimension = 'InstanceId'

enum_spec = ('describe_instances', 'Reservations[].Instances[]', None)

filter_name = 'InstanceIds'

filter_type = 'list'

id = 'InstanceId'

name = 'PublicDnsName'

service = 'ec2'

shape = 'Instance'

type = 'instance'

resources(query=None)

type = 'ec2'

class c7n.resources.ec2.EC2ModifyVpcSecurityGroups(data=None, manager=None, log_dir=None)

Bases: c7n.actions.network.ModifyVpcSecurityGroupsAction

Modify security groups on an instance.

permissions = ('ec2:ModifyNetworkInterfaceAttribute',)

process(instances)

sg_expr = {'type': 'projection', 'children': [{'type': 'flatten', 'children': [{'type': 'field', 'children': [], 'value': 'Groups'}]}, {'type': 'field', 'children': [], 'value': 'GroupId'}]}

type = 'modify-security-groups'

class c7n.resources.ec2.EC2NetworkLocation(data, manager=None)

Bases: c7n.filters.vpc.NetworkLocation, c7n.resources.ec2.StateTransitionFilter

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'network-location'

valid_origin_states = ('pending', 'running', 'shutting-down', 'stopping', 'stopped')

class c7n.resources.ec2.EphemeralInstanceFilter(data, manager=None)

Bases: c7n.filters.core.Filter

EC2 instances with ephemeral storage

Filters EC2 instances that have ephemeral storage (an instance-store backed root device)

Example

policies:
  - name: ec2-ephemeral-instances
    resource: ec2
    filters:
      - type: ephemeral

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html

static is_ephemeral(i)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['ephemeral']}}, 'required': ['type'], 'type': 'object'}

type = 'ephemeral'

class c7n.resources.ec2.ImageAge(data, manager=None)

Bases: c7n.filters.core.AgeFilter, c7n.resources.ec2.InstanceImageBase

EC2 AMI age filter

Filters EC2 instances based on the age of their AMI image (in days)

Example

policies:
  - name: ec2-ancient-ami
    resource: ec2
    filters:
      - type: image-age
        op: ge
        days: 90

date_attribute = 'CreationDate'

get_permissions()

get_resource_date(i)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['image-age']}}, 'required': ['type'], 'type': 'object'}

type = 'image-age'

class c7n.resources.ec2.InstanceAgeFilter(data, manager=None)

Bases: c7n.filters.core.AgeFilter

Filters instances based on their age (in days)

Example

policies:
  - name: ec2-30-days-plus
    resource: ec2
    filters:
      - type: instance-age
        op: ge
        days: 30

date_attribute = 'LaunchTime'

ebs_key_func = operator.itemgetter('AttachTime')

get_resource_date(i)

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'hours': {'type': 'number'}, 'minutes': {'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['instance-age']}}, 'required': ['type'], 'type': 'object'}

type = 'instance-age'

class c7n.resources.ec2.InstanceAttribute(data, manager=None)

Bases: c7n.filters.core.ValueFilter

EC2 Instance Value FIlter on a given instance attribute.

Filters EC2 Instances with the given instance attribute

Example

policies:
  - name: ec2-unoptimized-ebs
    resource: ec2
    filters:
      - type: instance-attribute
        attribute: ebsOptimized
        key: "Value"
        value: false

get_instance_attribute(resources, attribute)

get_permissions()

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'attribute': {'enum': ('instanceType', 'kernel', 'ramdisk', 'userData', 'disableApiTermination', 'instanceInitiatedShutdownBehavior', 'rootDeviceName', 'blockDeviceMapping', 'productCodes', 'sourceDestCheck', 'groupSet', 'ebsOptimized', 'sriovNetSupport', 'enaSupport')}, 'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['instance-attribute']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ('attribute',), 'type': 'object'}

type = 'instance-attribute'

valid_attrs = ('instanceType', 'kernel', 'ramdisk', 'userData', 'disableApiTermination', 'instanceInitiatedShutdownBehavior', 'rootDeviceName', 'blockDeviceMapping', 'productCodes', 'sourceDestCheck', 'groupSet', 'ebsOptimized', 'sriovNetSupport', 'enaSupport')

class c7n.resources.ec2.InstanceFinding(data=None, manager=None, log_dir=None)

Bases: c7n.actions.securityhub.PostFinding

format_resource(r)

type = 'post-finding'

class c7n.resources.ec2.InstanceImage(data, manager=None)

Bases: c7n.filters.core.ValueFilter, c7n.resources.ec2.InstanceImageBase

get_permissions()

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['image']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'image'

class c7n.resources.ec2.InstanceImageBase

Bases: object

get_base_image_mapping()

get_instance_image(instance)

get_local_image_mapping(image_ids)

prefetch_instance_images(instances)

class c7n.resources.ec2.InstanceOffHour(data, manager=None)

Bases: c7n.filters.offhours.OffHour, c7n.resources.ec2.StateTransitionFilter

Custodian OffHour filter

Filters running EC2 instances with the intent to stop at a given hour of the day. A list of days to excluded can be included as a list of strings with the format YYYY-MM-DD. Alternatively, the list (using the same syntax) can be taken from a specified url.

Example

policies:
  - name: offhour-evening-stop
    resource: ec2
    filters:
      - type: offhour
        tag: custodian_downtime
        default_tz: et
        offhour: 20
    actions:
      - stop

  - name: offhour-evening-stop-skip-holidays
    resource: ec2
    filters:
      - type: offhour
        tag: custodian_downtime
        default_tz: et
        offhour: 20
        skip-days: ['2017-12-25']
    actions:
      - stop

  - name: offhour-evening-stop-skip-holidays-from
    resource: ec2
    filters:
      - type: offhour
        tag: custodian_downtime
        default_tz: et
        offhour: 20
        skip-days-from:
          expr: 0
          format: csv
          url: 's3://location/holidays.csv'
    actions:
      - stop

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'offhour'

valid_origin_states = ('running',)

class c7n.resources.ec2.InstanceOnHour(data, manager=None)

Bases: c7n.filters.offhours.OnHour, c7n.resources.ec2.StateTransitionFilter

Custodian OnHour filter

Filters stopped EC2 instances with the intent to start at a given hour of the day. A list of days to excluded can be included as a list of strings with the format YYYY-MM-DD. Alternatively, the list (using the same syntax) can be taken from a specified url.

Example

policies:
  - name: onhour-morning-start
    resource: ec2
    filters:
      - type: onhour
        tag: custodian_downtime
        default_tz: et
        onhour: 6
    actions:
      - start

  - name: onhour-morning-start-skip-holidays
    resource: ec2
    filters:
      - type: onhour
        tag: custodian_downtime
        default_tz: et
        onhour: 6
        skip-days: ['2017-12-25']
    actions:
      - start

  - name: onhour-morning-start-skip-holidays-from
    resource: ec2
    filters:
      - type: onhour
        tag: custodian_downtime
        default_tz: et
        onhour: 6
        skip-days-from:
          expr: 0
          format: csv
          url: 's3://location/holidays.csv'
    actions:
      - start

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'onhour'

valid_origin_states = ('stopped',)

class c7n.resources.ec2.LaunchTemplate(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

get_asg_templates(asgs)

get_resources(rids, cache=True)

Retrieve a set of resources by id.

class resource_type

Bases: object

date = 'CreateTime'

dimension = None

enum_spec = ('describe_launch_templates', 'LaunchTemplates', None)

filter_name = 'LaunchTemplateIds'

filter_type = 'list'

id = 'LaunchTemplateId'

name = 'LaunchTemplateName'

service = 'ec2'

type = 'launch-template'

type = 'launch-template-version'

class c7n.resources.ec2.PropagateSpotTags(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Propagate Tags that are set at Spot Request level to EC2 instances.

Example

MAX_TAG_COUNT = 50

permissions = ('ec2:DescribeInstances', 'ec2:DescribeSpotInstanceRequests', 'ec2:DescribeTags', 'ec2:CreateTags')

process(instances)

process_request_instances(client, request, instances)

schema = {'additionalProperties': False, 'properties': {'only_tags': {'items': {'type': 'string'}, 'type': 'array'}, 'type': {'enum': ['propagate-spot-tags']}}, 'required': ['type'], 'type': 'object'}

type = 'propagate-spot-tags'

class c7n.resources.ec2.QueryFilter(data)

Bases: object

classmethod parse(data)

query()

validate()

class c7n.resources.ec2.Reboot(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.ec2.StateTransitionFilter

reboots a previously running EC2 instance.

Example

policies:
  - name: ec2-reboot-instances
    resource: ec2
    query:
      - instance-state-name: running
    actions:
      - reboot

http://docs.aws.amazon.com/cli/latest/reference/ec2/reboot-instances.html

batch_size = 10

exception = None

permissions = ('ec2:RebootInstances',)

process(instances)

process_instance_set(client, instances)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['reboot']}}, 'required': ['type'], 'type': 'object'}

type = 'reboot'

valid_origin_states = ('running',)

class c7n.resources.ec2.ReservedInstance(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = 'Start'

dimension = None

enum_spec = ('describe_reserved_instances', 'ReservedInstances', None)

filter_name = 'ReservedInstancesIds'

filter_type = 'list'

id = 'ReservedInstancesId'

name = 'ReservedInstancesId'

service = 'ec2'

type = 'reserved-instances'

type = 'ec2-reserved'

class c7n.resources.ec2.Resize(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.ec2.StateTransitionFilter

Change an instance’s size.

An instance can only be resized when its stopped, this action can optionally restart an instance if needed to effect the instance type change. Instances are always left in the run state they were found in.

There are a few caveats to be aware of, instance resizing needs to maintain compatibility for architecture, virtualization type hvm/pv, and ebs optimization at minimum.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html

get_permissions()

process(resources)

process_resource_set(instance_set)

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'string'}, 'restart': {'type': 'boolean'}, 'type': {'enum': ['resize']}, 'type-map': {'type': 'object'}}, 'required': ['type'], 'type': 'object'}

type = 'resize'

valid_origin_states = ('running', 'stopped')

class c7n.resources.ec2.SecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'SecurityGroups[].GroupId'

type = 'security-group'

class c7n.resources.ec2.SetInstanceProfile(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.ec2.StateTransitionFilter

Sets (add, modify, remove) the instance profile for a running EC2 instance.

Example

policies:
  - name: set-default-instance-profile
    resource: ec2
    filters:
      - IamInstanceProfile: absent
    actions:
      - type: set-instance-profile
        name: default

https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-iam-instance-profile.html https://docs.aws.amazon.com/cli/latest/reference/ec2/disassociate-iam-instance-profile.html

permissions = ('ec2:AssociateIamInstanceProfile', 'ec2:DisassociateIamInstanceProfile', 'iam:PassRole')

process(instances)

schema = {'additionalProperties': False, 'properties': {'name': {'type': 'string'}, 'type': {'enum': ['set-instance-profile']}}, 'required': ['type'], 'type': 'object'}

type = 'set-instance-profile'

valid_origin_states = ('running', 'pending', 'stopped', 'stopping')

class c7n.resources.ec2.SingletonFilter(data, manager=None)

Bases: c7n.filters.core.Filter, c7n.resources.ec2.StateTransitionFilter

EC2 instances without autoscaling or a recover alarm

Filters EC2 instances that are not members of an autoscaling group and do not have Cloudwatch recover alarms.

Example

policies:
  - name: ec2-recover-instances
    resource: ec2
    filters:
      - singleton
    actions:
      - type: tag
        key: problem
        value: instance is not resilient

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html

has_recover_alarm(i)

in_asg = <c7n.filters.core.ValueFilter object>

permissions = ('cloudwatch:DescribeAlarmsForMetric',)

process(instances, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['singleton']}}, 'required': ['type'], 'type': 'object'}

type = 'singleton'

valid_origin_states = ('running', 'stopped', 'pending', 'stopping')

class c7n.resources.ec2.Snapshot(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Snapshots volumes attached to an EC2 instance

Example

policies:
  - name: ec2-snapshots
    resource: ec2
    actions:
      - type: snapshot
        copy-tags:
          - Name

get_snapshot_tags(resource, block_device)

permissions = ('ec2:CreateSnapshot', 'ec2:CreateTags')

process(resources)

process_volume_set(client, resource)

schema = {'additionalProperties': False, 'properties': {'copy-tags': {'items': {'type': 'string'}, 'type': 'array'}, 'type': {'enum': ['snapshot']}}, 'required': ['type'], 'type': 'object'}

type = 'snapshot'

class c7n.resources.ec2.SsmStatus(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter ec2 instances by their ssm status information.

Example

Find ubuntu 18.04 instances are active with ssm.

policies:
  - name: ec2-recover-instances
    resource: ec2
    filters:
      - type: ssm
        key: PingStatus
        value: Online
      - type: ssm
        key: PlatformName
        value: Ubuntu
      - type: ssm
        key: PlatformVersion
        value: 18.04

annotation = 'c7n:SsmState'

permissions = ('ssm:DescribeInstanceInformation',)

process(resources, event=None)

Bulk process resources and return filtered set.

process_resource_set(client, resources)

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['ssm']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'ssm'

class c7n.resources.ec2.Start(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.ec2.StateTransitionFilter

Starts a previously stopped EC2 instance.

Example

policies:
  - name: ec2-start-stopped-instances
    resource: ec2
    query:
      - instance-state-name: stopped
    actions:
      - start

http://docs.aws.amazon.com/cli/latest/reference/ec2/start-instances.html

batch_size = 10

exception = None

permissions = ('ec2:StartInstances',)

process(instances)

process_instance_set(client, instances, itype, izone)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['start']}}, 'required': ['type'], 'type': 'object'}

type = 'start'

valid_origin_states = ('stopped',)

class c7n.resources.ec2.StateTransitionAge(data, manager=None)

Bases: c7n.filters.core.AgeFilter

Age an instance has been in the given state.

policies:
  - name: ec2-state-running-7-days
    resource: ec2
    filters:
      - type: state-age
        op: ge
        days: 7

RE_PARSE_AGE = re.compile('\\(.*?\\)')

date_attribute = 'dummy'

get_resource_date(i)

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['state-age']}}, 'required': ['type'], 'type': 'object'}

type = 'state-age'

class c7n.resources.ec2.StateTransitionFilter

Bases: object

Filter instances by state.

Try to simplify construction for policy authors by automatically filtering elements (filters or actions) to the instances states they are valid for.

For more details see

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html

filter_instance_state(instances, states=None)

valid_origin_states = ()

class c7n.resources.ec2.Stop(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.ec2.StateTransitionFilter

Stops a running EC2 instances

Example

policies:
  - name: ec2-stop-running-instances
    resource: ec2
    query:
      - instance-state-name: running
    actions:
      - stop

get_permissions()

process(instances)

schema = {'additionalProperties': False, 'properties': {'terminate-ephemeral': {'type': 'boolean'}, 'type': {'enum': ['stop']}}, 'required': ['type'], 'type': 'object'}

split_on_storage(instances)

type = 'stop'

valid_origin_states = ('running',)

class c7n.resources.ec2.SubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'SubnetId'

type = 'subnet'

class c7n.resources.ec2.Terminate(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.ec2.StateTransitionFilter

Terminate a set of instances.

While ec2 offers a bulk delete api, any given instance can be configured with api deletion termination protection, so we can’t use the bulk call reliabily, we need to process the instances individually. Additionally If we’re configured with ‘force’ then we’ll turn off instance termination protection.

Example

policies:
  - name: ec2-process-termination
    resource: ec2
    filters:
      - type: marked-for-op
        op: terminate
    actions:
      - terminate

disable_deletion_protection(client, instances)

get_permissions()

process(instances)

schema = {'additionalProperties': False, 'properties': {'force': {'type': 'boolean'}, 'type': {'enum': ['terminate']}}, 'required': ['type'], 'type': 'object'}

type = 'terminate'

valid_origin_states = ('running', 'stopped', 'pending', 'stopping')

class c7n.resources.ec2.UpTimeFilter(data, manager=None)

Bases: c7n.filters.core.AgeFilter

date_attribute = 'LaunchTime'

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['instance-uptime']}}, 'required': ['type'], 'type': 'object'}

type = 'instance-uptime'

class c7n.resources.ec2.UserData(data, manager)

Bases: c7n.filters.core.ValueFilter

Filter on EC2 instances which have matching userdata. Note: It is highly recommended to use regexes with the ?sm flags, since Custodian uses re.match() and userdata spans multiple lines.

example

policies:
  - name: ec2_userdata_stop
    resource: ec2
    filters:
      - type: user-data
        op: regex
        value: (?smi).*password=
    actions:
      - stop

annotation = 'c7n:user-data'

batch_size = 50

permissions = ('ec2:DescribeInstanceAttribute',)

process(resources, event=None)

Bulk process resources and return filtered set.

process_instance_set(client, resources)

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['user-data']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'user-data'

class c7n.resources.ec2.VpcFilter(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

RelatedIdsExpression = 'VpcId'

type = 'vpc'

c7n.resources.ec2.deserialize_user_data(user_data)

c7n.resources.ec2.extract_instance_id(state_error)

Extract an instance id from an error

c7n.resources.ecr module

class c7n.resources.ecr.ECR(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'repositoryArn'

dimension = None

enum_spec = ('describe_repositories', 'repositories', None)

filter_name = 'repositoryNames'

filter_type = 'list'

id = 'repositoryArn'

name = 'repositoryName'

service = 'ecr'

type = 'ecr'

class c7n.resources.ecr.ECRCrossAccountAccessFilter(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

Filters all EC2 Container Registries (ECR) with cross-account access

Example

policies:
  - name: ecr-cross-account
    resource: ecr
    filters:
      - type: cross-account
        whitelist_from:
          expr: "accounts.*.accountNumber"
          url: accounts_url

permissions = ('ecr:GetRepositoryPolicy',)

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'cross-account'

class c7n.resources.ecr.ECRRemoveTags(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

permissions = ('ecr:UntagResource',)

process_resource_set(client, resources, tags)

type = 'remove-tag'

class c7n.resources.ecr.ECRTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

permissions = ('ecr:TagResource',)

process_resource_set(client, resources, tags)

type = 'tag'

class c7n.resources.ecr.LifecycleRule(data, manager=None)

Bases: c7n.filters.core.Filter

Lifecycle rule filtering

Example

policies:
 - name: ecr-life
   resource: aws.ecr
   filters:
     - type: lifecycle-rule
       state: False
       match:
         - selection.tagStatus: untagged
         - action.type: expire
         - type: value
           key: selection.countNumber
           value: 30
           op: less-than

permissions = ('ecr:GetLifecyclePolicy',)

policy_annotation = 'c7n:lifecycle-policy'

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'match': {'items': {'oneOf': [{'$ref': '#/definitions/filters/value'}, {'type': 'object', 'minProperties': 1, 'maxProperties': 1}]}, 'type': 'array'}, 'state': {'type': 'boolean'}, 'type': {'enum': ['lifecycle-rule']}}, 'required': ['type'], 'type': 'object'}

type = 'lifecycle-rule'

class c7n.resources.ecr.RemovePolicyStatement(data=None, manager=None, log_dir=None)

Bases: c7n.actions.policy.RemovePolicyBase

Action to remove policy statements from ECR

Example

policies:
  - name: ecr-remove-cross-accounts
    resource: ecr
    filters:
      - type: cross-account
    actions:
      - type: remove-statements
        statement_ids: matched

permissions = ('ecr:SetRepositoryPolicy', 'ecr:GetRepositoryPolicy')

process(resources)

process_resource(client, resource)

type = 'remove-statements'

class c7n.resources.ecr.SetLifecycle(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Set the lifecycle policy for ECR repositories.

Note at the moment this is limited to set/delete/replacement of lifecycle policies, not merge.

permissions = ('ecr:PutLifecyclePolicy', 'ecr:DeleteLifecyclePolicy')

process(resources)

schema = {'additionalProperties': False, 'properties': {'rules': {'items': {'additionalProperties': False, 'properties': {'action': {'additionalProperties': False, 'properties': {'type': {'enum': ['expire']}}, 'required': ['type'], 'type': 'object'}, 'description': {'type': 'string'}, 'rulePriority': {'type': 'integer'}, 'selection': {'addtionalProperties': False, 'properties': {'countNumber': {'type': 'integer'}, 'countType': {'enum': ['imageCountMoreThan', 'sinceImagePushed']}, 'countUnit': {'enum': ['hours', 'days']}, 'tagPrefixList': {'items': {'type': 'string'}, 'type': 'array'}, 'tagStatus': {'enum': ['tagged', 'untagged', 'any']}}, 'required': ['countType', 'countUnit'], 'type': 'object'}}, 'required': ['rulePriority', 'action', 'selection'], 'type': 'object'}, 'type': 'array'}, 'state': {'type': 'boolean'}, 'type': {'enum': ['set-lifecycle']}}, 'required': ['type'], 'type': 'object'}

type = 'set-lifecycle'

validate()

c7n.resources.ecr.lifecycle_rule_validate(policy, rule)

c7n.resources.ecs module

class c7n.resources.ecs.ContainerInstance(data, options)

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

chunk_size = 100

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'containerInstanceArn'

dimension = None

enum_spec = ('list_container_instances', 'containerInstanceArns', None)

id = 'containerInstance'

name = 'containerInstance'

parent_spec = ('ecs', 'cluster', None)

service = 'ecs'

source_type

type = 'ecs-container-instance'

class c7n.resources.ecs.DeleteService(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete service(s).

permissions = ('ecs:DeleteService',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.ecs.DeleteTaskDefinition(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete/DeRegister a task definition.

The definition will be marked as InActive. Currently running services and task can still reference, new services & tasks can’t.

permissions = ('ecs:DeregisterTaskDefinition',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.ecs.ECSCluster(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'clusterArn'

batch_detail_spec = ('describe_clusters', 'clusters', None, 'clusters', {'include': ['TAGS']})

dimension = None

enum_spec = ('list_clusters', 'clusterArns', None)

filter_name = None

id = 'clusterArn'

name = 'clusterName'

service = 'ecs'

type = 'ecs'

class c7n.resources.ecs.ECSClusterResourceDescribeSource(manager)

Bases: c7n.query.ChildDescribeSource

augment(resources)

get_resources(ids, cache=True)

Retrieve ecs resources for serverless policies or related resources

Requires arns in new format. https://docs.aws.amazon.com/AmazonECS/latest/userguide/ecs-resource-ids.html

class c7n.resources.ecs.ECSContainerInstanceDescribeSource(manager)

Bases: c7n.resources.ecs.ECSClusterResourceDescribeSource

process_cluster_resources(client, cluster_id, container_instances)

type = 'describe-ecs-container-instance'

class c7n.resources.ecs.ECSMetrics(data, manager=None)

Bases: c7n.filters.metrics.MetricsFilter

get_dimensions(resource)

type = 'metrics'

class c7n.resources.ecs.ECSServiceDescribeSource(manager)

Bases: c7n.resources.ecs.ECSClusterResourceDescribeSource

process_cluster_resources(client, cluster_id, services)

type = 'describe-ecs-service'

class c7n.resources.ecs.ECSTaggable(data, manager=None)

Bases: c7n.filters.core.Filter

Filter ECS resources on arn-format https://docs.aws.amazon.com/AmazonECS/latest/userguide/ecs-resource-ids.html :example:

policies:
    - name: taggable
      resource: ecs-service
      filters:
        - type: taggable
          state: True

get_permissions()

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['taggable']}}, 'required': ['type'], 'type': 'object'}

type = 'taggable'

class c7n.resources.ecs.ECSTaskDescribeSource(manager)

Bases: c7n.resources.ecs.ECSClusterResourceDescribeSource

process_cluster_resources(client, cluster_id, tasks)

type = 'describe-ecs-task'

class c7n.resources.ecs.MarkEcsResourceForOp(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Mark ECS resources for deferred action (ecs, ecs-task-definition, ecs-service, ecs-task, ecs-container-instance)

Requires arns in new format for tasks, services, and container-instances. https://docs.aws.amazon.com/AmazonECS/latest/userguide/ecs-resource-ids.html

Example

policies:
  - name: ecs-service-invalid-tag-stop
    resource: ecs-service
    filters:
      - "tag:InvalidTag": present
      - type: taggable
        state: true
    actions:
      - type: mark-for-op
        op: delete
        days: 1

type = 'mark-for-op'

class c7n.resources.ecs.RelatedTaskDefinitionFilter(data, manager=None)

Bases: c7n.filters.core.ValueFilter

permissions = ('ecs:DescribeTaskDefinition', 'ecs:ListTaskDefinitions')

process(resources, event=None)

Bulk process resources and return filtered set.

related_key = 'taskDefinition'

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['task-definition']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

class c7n.resources.ecs.RemoveTagEcsResource(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Remove tag(s) from ECS resources (ecs, ecs-task-definition, ecs-service, ecs-task, ecs-container-instance)

Example

policies:
  - name: ecs-service-remove-tag
    resource: ecs-service
    filters:
      - type: taggable
        state: true
    actions:
      - type: remove-tag
        tags: ["BadTag"]

batch_size = 1

permissions = ('ecs:UntagResource',)

process_resource_set(client, resources, keys)

type = 'remove-tag'

class c7n.resources.ecs.Service(data, options)

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

chunk_size = 10

filter_registry = <c7n.filters.core.FilterRegistry object>

get_resources(ids, cache=True, augment=True)

Retrieve a set of resources by id.

class resource_type

Bases: object

arn = 'serviceArn'

dimension = None

enum_spec = ('list_services', 'serviceArns', None)

filter_name = None

id = 'serviceArn'

name = 'serviceName'

parent_spec = ('ecs', 'cluster', None)

service = 'ecs'

supports_trailevents = True

source_type

type = 'ecs-service'

class c7n.resources.ecs.ServiceMetrics(data, manager=None)

Bases: c7n.filters.metrics.MetricsFilter

get_dimensions(resource)

type = 'metrics'

class c7n.resources.ecs.ServiceTaskDefinitionFilter(data, manager=None)

Bases: c7n.resources.ecs.RelatedTaskDefinitionFilter

Filter services by their task definitions.

Example

Find any fargate services that are running with a particular image in the task and stop them.

policies:
  - name: fargate-readonly-tasks
    resource: ecs-task
    filters:
      - launchType: FARGATE
      - type: task-definition
        key: "containerDefinitions[].image"
        value: "elasticsearch/elasticsearch:6.4.3"
        value_type: swap
        op: contains
    actions:
      - type: stop

type = 'task-definition'

class c7n.resources.ecs.SetState(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Updates a container instance to either ACTIVE or DRAINING

Example

policies:
    - name: drain-container-instances
      resource: ecs-container-instance
      actions:
        - type: set-state
          state: DRAINING

permissions = ('ecs:UpdateContainerInstancesState',)

process(resources)

process_cluster(cluster, c_instances)

schema = {'additionalProperties': False, 'properties': {'state': {'enum': ['DRAINING', 'ACTIVE'], 'type': 'string'}, 'type': {'enum': ['set-state']}}, 'required': ['type'], 'type': 'object'}

type = 'set-state'

class c7n.resources.ecs.StopTask(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Stop/Delete a currently running task.

permissions = ('ecs:StopTask',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'reason': {'type': 'string'}, 'type': {'enum': ['stop']}}, 'required': ['type'], 'type': 'object'}

type = 'stop'

class c7n.resources.ecs.TagEcsResource(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tag(s) on an ECS resource (ecs, ecs-task-definition, ecs-service, ecs-task, ecs-container-instance)

Requires arns in new format for tasks, services, and container-instances. https://docs.aws.amazon.com/AmazonECS/latest/userguide/ecs-resource-ids.html

Example

policies:
  - name: tag-ecs-service
    resource: ecs-service
    filters:
      - "tag:target-tag": absent
      - type: taggable
        state: true
    actions:
      - type: tag
        key: target-tag
        value: target-value

batch_size = 1

permissions = ('ecs:TagResource',)

process_resource_set(client, resources, tags)

type = 'tag'

class c7n.resources.ecs.Task(data, options)

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

chunk_size = 100

filter_registry = <c7n.filters.core.FilterRegistry object>

get_resources(ids, cache=True, augment=True)

Retrieve a set of resources by id.

class resource_type

Bases: object

arn = 'taskArn'

dimension = None

enum_spec = ('list_tasks', 'taskArns', None)

filter_name = None

id = 'taskArn'

name = 'taskArn'

parent_spec = ('ecs', 'cluster', None)

service = 'ecs'

supports_trailevents = True

source_type

type = 'ecs-task'

class c7n.resources.ecs.TaskDefinition(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

get_resources(ids, cache=True)

Retrieve a set of resources by id.

class resource_type

Bases: object

arn = 'taskDefinitionArn'

dimension = None

enum_spec = ('list_task_definitions', 'taskDefinitionArns', None)

filter_name = None

filter_type = None

id = 'taskDefinitionArn'

name = 'taskDefinitionArn'

service = 'ecs'

type = 'ecs-task-definition'

class c7n.resources.ecs.TaskTaskDefinitionFilter(data, manager=None)

Bases: c7n.resources.ecs.RelatedTaskDefinitionFilter

Filter tasks by their task definition.

Example

Find any fargate tasks that are running without read only root and stop them.

policies:
  - name: fargate-readonly-tasks
    resource: ecs-task
    filters:
      - launchType: FARGATE
      - type: task-definition
        key: "containerDefinitions[].readonlyRootFilesystem"
        value: None
        value_type: swap
        op: contains
    actions:
      - type: stop

related_key = 'taskDefinitionArn'

type = 'task-definition'

class c7n.resources.ecs.UpdateAgent(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Updates the agent on a container instance

permissions = ('ecs:UpdateContainerAgent',)

process(resources)

process_instance(client, cluster, instance)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['update-agent']}}, 'required': ['type'], 'type': 'object'}

type = 'update-agent'

class c7n.resources.ecs.UpdateService(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to update service

Example

policies:
  - name: no-public-ips-services
    resource: ecs-service
    filters:
      - 'networkConfiguration.awsvpcConfiguration.assignPublicIp': 'ENABLED'
    actions:
      - type: modify
        update:
          networkConfiguration:
            awsvpcConfiguration:
              assignPublicIp: DISABLED

permissions = ('ecs:UpdateService',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['modify']}, 'update': {'deploymentConfiguration': {'properties': {'maximumPercent': {'type': 'integer'}, 'minimumHealthyPercent': {'type': 'integer'}}, 'type': 'object'}, 'desiredCount': {'type': 'integer'}, 'forceNewDeployment': {'default': False, 'type': 'boolean'}, 'healthCheckGracePeriodSeconds': {'type': 'integer'}, 'networkConfiguration': {'properties': {'awsvpcConfiguration': {'properties': {'assignPublicIp': {'enum': ['ENABLED', 'DISABLED'], 'type': 'string'}, 'securityGroups': {'items': {'type': 'string'}}, 'subnets': {'items': {'type': 'string'}, 'minItems': 1, 'type': 'array'}}, 'type': 'object'}}, 'type': 'object'}, 'platformVersion': {'type': 'string'}, 'taskDefinition': {'type': 'string'}}}, 'required': ['type'], 'type': 'object'}

type = 'modify'

c7n.resources.ecs.ecs_tag_normalize(resources)

normalize tag format on ecs resources to match common aws format.

c7n.resources.ecs.ecs_taggable(model, r)

c7n.resources.efs module

class c7n.resources.efs.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('efs:DescribeMountTargets', 'efs:DeleteMountTargets', 'efs:DeleteFileSystem')

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

unmount_filesystems(resources)

class c7n.resources.efs.ElasticFileSystem(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

class resource_type

Bases: object

date = 'CreationTime'

detail_spec = None

dimension = 'FileSystemId'

enum_spec = ('describe_file_systems', 'FileSystems', None)

filter_name = 'FileSystemId'

filter_type = 'scalar'

id = 'FileSystemId'

name = 'Name'

resource_type = 'elasticfilesystem:file-system'

service = 'efs'

type = 'file-system'

type = 'efs'

class c7n.resources.efs.ElasticFileSystemMountTarget(data, options)

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = False

date = None

dimension = None

enum_spec = ('describe_mount_targets', 'MountTargets', None)

filter_name = 'MountTargetId'

filter_type = 'scalar'

id = 'MountTargetId'

name = 'MountTargetId'

parent_spec = ('efs', 'FileSystemId', None)

service = 'efs'

type = 'efs-mount-target'

class c7n.resources.efs.KmsFilter(data, manager=None)

Bases: c7n.filters.kms.KmsRelatedFilter

Filter a resource by its associcated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

Example

policies:
    - name: efs-kms-key-filters
      resource: efs
      filters:
        - type: kms-key
          key: c7n:AliasName
          value: "^(alias/aws/)"
          op: regex

RelatedIdsExpression = 'KmsKeyId'

type = 'kms-key'

class c7n.resources.efs.SecurityGroup(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = ''

efs_group_cache = None

get_related_ids(resources)

type = 'security-group'

class c7n.resources.efs.Subnet(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'SubnetId'

type = 'subnet'

c7n.resources.eks module

class c7n.resources.eks.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('eks:DeleteCluster',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.eks.EKS(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'arn'

date = 'createdAt'

detail_spec = ('describe_cluster', 'name', None, 'cluster')

dimension = None

enum_spec = ('list_clusters', 'clusters', None)

filter_name = None

id = 'name'

name = 'name'

service = 'eks'

type = 'eks'

class c7n.resources.eks.EKSSGFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'resourcesVpcConfig.securityGroupIds[]'

type = 'security-group'

class c7n.resources.eks.EKSSubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'resourcesVpcConfig.subnetIds[]'

type = 'subnet'

class c7n.resources.eks.EKSVpcFilter(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

RelatedIdsExpression = 'resourcesVpcConfig.vpcId'

type = 'vpc'

class c7n.resources.eks.UpdateConfig(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('eks:UpdateClusterConfig',)

process(resources)

schema = {'additionalProperties': False, 'oneOf': [{'required': ['type', 'logging']}, {'required': ['type', 'resourcesVpcConfig']}, {'required': ['type', 'logging', 'resourcesVpcConfig']}], 'properties': {'logging': {'type': 'object'}, 'resourcesVpcConfig': {'type': 'object'}, 'type': {'enum': ['update-config']}}, 'type': 'object'}

shape = 'UpdateClusterConfigRequest'

type = 'update-config'

validate()

c7n.resources.elasticache module

class c7n.resources.elasticache.CopyClusterTags(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Copy specified tags from Elasticache cluster to Snapshot :example:

- name: elasticache-test
  resource: cache-snapshot
  filters:
     - type: value
       key: SnapshotName
       op: in
       value:
        - test-tags-backup
  actions:
    - type: copy-cluster-tags
      tags:
        - tag1
        - tag2

get_permissions()

process(snapshots)

schema = {'additionalProperties': False, 'properties': {'tags': {'items': {'type': 'string'}, 'minItems': 1, 'type': 'array'}, 'type': {'enum': ['copy-cluster-tags']}}, 'required': ('tags',), 'type': 'object'}

type = 'copy-cluster-tags'

class c7n.resources.elasticache.DeleteElastiCacheCluster(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete an elasticache cluster

To prevent unwanted deletion of elasticache clusters, it is recommended to include a filter

Example

policies:
  - name: elasticache-delete-stale-clusters
    resource: cache-cluster
    filters:
      - type: value
        value_type: age
        key: CacheClusterCreateTime
        op: ge
        value: 90
    actions:
      - type: delete
        skip-snapshot: false

permissions = ('elasticache:DeleteCacheCluster', 'elasticache:DeleteReplicationGroup')

process(clusters)

schema = {'additionalProperties': False, 'properties': {'skip-snapshot': {'type': 'boolean'}, 'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.elasticache.DeleteElastiCacheSnapshot(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete elasticache snapshots

To prevent unwanted deletion of elasticache snapshots, it is recommended to apply a filter

Example

policies:
  - name: elasticache-stale-snapshots
    resource: cache-snapshot
    filters:
      - type: age
        days: 30
        op: ge
    actions:
      - delete

permissions = ('elasticache:DeleteSnapshot',)

process(snapshots)

process_snapshot_set(client, snapshots_set)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.elasticache.ElastiCacheCluster(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

permissions = ('elasticache:ListTagsForResource',)

class resource_type

Bases: object

date = 'CacheClusterCreateTime'

dimension = 'CacheClusterId'

enum_spec = ('describe_cache_clusters', 'CacheClusters[]', None)

filter_name = 'CacheClusterId'

filter_type = 'scalar'

id = 'CacheClusterId'

name = 'CacheClusterId'

service = 'elasticache'

type = 'cluster'

universal_taggable = True

static retry(func, *args, **kw)

type = 'cache-cluster'

class c7n.resources.elasticache.ElastiCacheSnapshot(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

permissions = ('elasticache:ListTagsForResource',)

class resource_type

Bases: object

date = 'StartTime'

dimension = None

enum_spec = ('describe_snapshots', 'Snapshots', None)

filter_name = 'SnapshotName'

filter_type = 'scalar'

id = 'SnapshotName'

name = 'SnapshotName'

service = 'elasticache'

type = 'snapshot'

universal_taggable = True

static retry(func, *args, **kw)

type = 'cache-snapshot'

class c7n.resources.elasticache.ElastiCacheSnapshotAge(data, manager=None)

Bases: c7n.filters.core.AgeFilter

Filters elasticache snapshots based on their age (in days)

Example

policies:
  - name: elasticache-stale-snapshots
    resource: cache-snapshot
    filters:
      - type: age
        days: 30
        op: ge

date_attribute = 'dummy'

get_resource_date(snapshot)

Override superclass method as there is no single snapshot date attribute.

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['age']}}, 'required': ['type'], 'type': 'object'}

type = 'age'

class c7n.resources.elasticache.ElastiCacheSubnetGroup(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

dimension = None

enum_spec = ('describe_cache_subnet_groups', 'CacheSubnetGroups', None)

filter_name = 'CacheSubnetGroupName'

filter_type = 'scalar'

id = 'CacheSubnetGroupName'

name = 'CacheSubnetGroupName'

service = 'elasticache'

type = 'subnet-group'

type = 'cache-subnet-group'

class c7n.resources.elasticache.ElasticacheClusterModifyVpcSecurityGroups(data=None, manager=None, log_dir=None)

Bases: c7n.actions.network.ModifyVpcSecurityGroupsAction

Modify security groups on an Elasticache cluster.

Looks at the individual clusters and modifies the Replication Group’s configuration for Security groups so all nodes get affected equally

permissions = ('elasticache:ModifyReplicationGroup',)

process(clusters)

type = 'modify-security-groups'

class c7n.resources.elasticache.SecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'SecurityGroups[].SecurityGroupId'

type = 'security-group'

class c7n.resources.elasticache.SnapshotElastiCacheCluster(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to snapshot an elasticache cluster

Example

policies:
  - name: elasticache-cluster-snapshot
    resource: cache-cluster
    filters:
      - type: value
        key: CacheClusterStatus
        op: not-in
        value: ["deleted","deleting","creating"]
    actions:
      - snapshot

permissions = ('elasticache:CreateSnapshot',)

process(clusters)

process_cluster_snapshot(client, cluster)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['snapshot']}}, 'required': ['type'], 'type': 'object'}

type = 'snapshot'

class c7n.resources.elasticache.SubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

Filters elasticache clusters based on their associated subnet

Example

policies:
  - name: elasticache-in-subnet-x
    resource: cache-cluster
    filters:
      - type: subnet
        key: SubnetId
        value: subnet-12ab34cd

RelatedIdsExpression = ''

get_related_ids(resources)

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'subnet'

c7n.resources.elasticbeanstalk module

class c7n.resources.elasticbeanstalk.ElasticBeanstalk(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'ApplicationArn'

default_report_fields = ('ApplicationName', 'DateCreated', 'DateUpdated')

dimension = None

enum_spec = ('describe_applications', 'Applications', None)

filter_name = 'ApplicationNames'

filter_type = 'list'

id = 'ApplicationName'

name = 'ApplicationName'

service = 'elasticbeanstalk'

type = 'elasticbeanstalk'

class c7n.resources.elasticbeanstalk.ElasticBeanstalkEnvironment(data, options)

Bases: c7n.query.QueryResourceManager

Resource manager for Elasticbeanstalk Environments

action_registry = <c7n.actions.core.ActionRegistry object>

augment(envs)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('elasticbeanstalk:ListTagsForResource',)

class resource_type

Bases: object

arn = 'EnvironmentArn'

default_report_fields = ('EnvironmentName', 'DateCreated', 'DateUpdated')

dimension = None

enum_spec = ('describe_environments', 'Environments', None)

filter_name = 'EnvironmentNames'

filter_type = 'list'

id = 'EnvironmentName'

name = 'EnvironmentName'

service = 'elasticbeanstalk'

type = 'elasticbeanstalk-environment'

class c7n.resources.elasticbeanstalk.RemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Removes a tag or set of tags from ElasticBeanstalk Environments

Note that this will cause an update to the environment to deploy the tag changes to all resources.

Example

policies:
  - name: eb-env-unmark
    resource: elasticbeanstalk-environment
    filters:
      - "tag:ExpiredTag": present
    actions:
      - type: remove-tag
        tags: ["ExpiredTag"]

batch_size = 5

permissions = ('elasticbeanstalk:UpdateTagsForResource',)

process_resource_set(client, envs, tag_keys)

type = 'remove-tag'

class c7n.resources.elasticbeanstalk.Tag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Tag an ElasticBeanstalk Environment with a key/value

Note that this will cause an update to the environment to deploy the tag changes to all resources.

Example

policies:
  - name: eb-env-tag-owner-tag
    resource: elasticbeanstalk-environment
    filters:
      - "tag:OwnerName": absent
    actions:
      - type: tag
        key: OwnerName
        value: OwnerName

batch_size = 5

permissions = ('elasticbeanstalk:UpdateTagsForResource',)

process_resource_set(client, envs, ts)

type = 'tag'

class c7n.resources.elasticbeanstalk.TagDelayedAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Mark an ElasticBeanstalk Environment for specific custodian action

Note that this will cause an update to the environment to deploy the tag changes to all resources.

Example

policies:
  - name: mark-for-delete
    resource: elasticbeanstalk-environment
    filters:
      - type: value
        key: CNAME
        op: regex
        value: .*inactive.*
    actions:
      - type: mark-for-op
        op: terminate
        days: 7

type = 'mark-for-op'

class c7n.resources.elasticbeanstalk.Terminate(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Terminate an ElasticBeanstalk Environment.

Example

policies:
  - name: eb-env-termination
    resource: elasticbeanstalk-environment
    filters:
      - type: marked-for-op
        op: terminate
    actions:
      - terminate

permissions = ('elasticbeanstalk:TerminateEnvironment',)

process(envs)

schema = {'additionalProperties': False, 'properties': {'force': {'default': False, 'type': 'boolean'}, 'terminate_resources': {'default': True, 'type': 'boolean'}, 'type': {'enum': ['terminate']}}, 'required': ['type'], 'type': 'object'}

type = 'terminate'

c7n.resources.elasticsearch module

class c7n.resources.elasticsearch.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('es:DeleteElastisearchDomain',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.elasticsearch.ElasticSearchAddTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tag(s) on an existing elasticsearch domain

Example

policies:
  - name: es-add-tag
    resource: elasticsearch
    filters:
      - "tag:DesiredTag": absent
    actions:
      - type: tag
        key: DesiredTag
        value: DesiredValue

permissions = ('es:AddTags',)

process_resource_set(client, domains, tags)

type = 'tag'

class c7n.resources.elasticsearch.ElasticSearchDomain(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(domains)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

get_resources(resource_ids)

Retrieve a set of resources by id.

class resource_type

Bases: object

dimension = 'DomainName'

enum_spec = ('list_domain_names', 'DomainNames[].DomainName', None)

filter_name = None

id = 'DomainName'

name = 'Name'

service = 'es'

type = 'elasticsearch'

static retry(func, *args, **kw)

type = 'elasticsearch'

class c7n.resources.elasticsearch.ElasticSearchMarkForOp(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Tag an elasticsearch domain for action later

Example

policies:
  - name: es-delete-missing
    resource: elasticsearch
    filters:
      - "tag:DesiredTag": absent
    actions:
      - type: mark-for-op
        days: 7
        op: delete
        tag: c7n_es_delete

type = 'mark-for-op'

class c7n.resources.elasticsearch.ElasticSearchModifySG(data=None, manager=None, log_dir=None)

Bases: c7n.actions.network.ModifyVpcSecurityGroupsAction

Modify security groups on an Elasticsearch domain

permissions = ('es:UpdateElasticsearchDomainConfig',)

process(domains)

type = 'modify-security-groups'

class c7n.resources.elasticsearch.ElasticSearchRemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Removes tag(s) on an existing elasticsearch domain

Example

policies:
  - name: es-remove-tag
    resource: elasticsearch
    filters:
      - "tag:ExpiredTag": present
    actions:
      - type: remove-tag
        tags: ['ExpiredTag']

permissions = ('es:RemoveTags',)

process_resource_set(client, domains, tags)

type = 'remove-tag'

class c7n.resources.elasticsearch.Metrics(data, manager=None)

Bases: c7n.filters.metrics.MetricsFilter

get_dimensions(resource)

type = 'metrics'

class c7n.resources.elasticsearch.SecurityGroup(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'VPCOptions.SecurityGroupIds[]'

type = 'security-group'

class c7n.resources.elasticsearch.Subnet(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'VPCOptions.SubnetIds[]'

type = 'subnet'

class c7n.resources.elasticsearch.Vpc(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

RelatedIdsExpression = 'VPCOptions.VPCId'

type = 'vpc'

c7n.resources.elb module

Elastic Load Balancers

class c7n.resources.elb.DefaultVpc(data, manager=None)

Bases: c7n.filters.vpc.DefaultVpcBase

Matches if an elb database is in the default vpc

Example

policies:
  - name: elb-default-vpc
    resource: elb
    filters:
      - type: default-vpc

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['default-vpc']}}, 'required': ['type'], 'type': 'object'}

type = 'default-vpc'

class c7n.resources.elb.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete ELB(s)

It is recommended to apply a filter to the delete policy to avoid unwanted deletion of any load balancers.

Example

policies:
  - name: elb-delete-unused
    resource: elb
    filters:
      - Instances: []
    actions:
      - delete

permissions = ('elasticloadbalancing:DeleteLoadBalancer',)

process(load_balancers)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.elb.DescribeELB(manager)

Bases: c7n.query.DescribeSource

augment(resources)

class c7n.resources.elb.DisableS3Logging(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Disable s3 logging for ElasticLoadBalancers.

Example

policies:
  - name: turn-off-elb-logs
    resource: elb
    filters:
      - type: is-logging
        bucket: prodbucket
    actions:
      - type: disable-s3-logging

permissions = ('elasticloadbalancing:ModifyLoadBalancerAttributes',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['disable-s3-logging']}}, 'required': ['type'], 'type': 'object'}

type = 'disable-s3-logging'

class c7n.resources.elb.ELB(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_arn(r)

get_arns(resources)

classmethod get_permissions()

get_source(source_type)

class resource_type

Bases: object

config_type = 'AWS::ElasticLoadBalancing::LoadBalancer'

date = 'CreatedTime'

default_report_fields = ('LoadBalancerName', 'DNSName', 'VPCId', 'count:Instances', 'list:ListenerDescriptions[].Listener.LoadBalancerPort')

detail_spec = None

dimension = 'LoadBalancerName'

enum_spec = ('describe_load_balancers', 'LoadBalancerDescriptions', None)

filter_name = 'LoadBalancerNames'

filter_type = 'list'

id = 'LoadBalancerName'

name = 'DNSName'

resource_type = 'elasticloadbalancing:loadbalancer'

service = 'elb'

type = 'loadbalancer'

static retry(func, *args, **kw)

type = 'elb'

class c7n.resources.elb.ELBAttributeFilterBase

Bases: object

Mixin base class for filters that query LB attributes.

initialize(elbs)

class c7n.resources.elb.ELBModifyVpcSecurityGroups(data=None, manager=None, log_dir=None)

Bases: c7n.actions.network.ModifyVpcSecurityGroupsAction

Modify VPC security groups on an ELB.

permissions = ('elasticloadbalancing:ApplySecurityGroupsToLoadBalancer',)

process(load_balancers)

type = 'modify-security-groups'

class c7n.resources.elb.EnableS3Logging(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to enable S3 logging for Elastic Load Balancers.

Example

policies:
  - name: elb-test
    resource: elb
    filters:
      - type: is-not-logging
    actions:
      - type: enable-s3-logging
        bucket: elblogtest
        prefix: dahlogs
        emit_interval: 5

permissions = ('elasticloadbalancing:ModifyLoadBalancerAttributes',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'bucket': {'type': 'string'}, 'emit_interval': {'type': 'integer'}, 'prefix': {'type': 'string'}, 'type': {'enum': ['enable-s3-logging']}}, 'required': ['type'], 'type': 'object'}

type = 'enable-s3-logging'

class c7n.resources.elb.HealthCheckProtocolMismatch(data, manager=None)

Bases: c7n.filters.core.Filter

Filters ELB that have a healtch check protocol mismatch

The mismatch occurs if the ELB has a different protocol to check than the associated instances allow to determine health status.

Example

policies:
  - name: elb-healthcheck-mismatch
    resource: elb
    filters:
      - type: healthcheck-protocol-mismatch

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['healthcheck-protocol-mismatch']}}, 'required': ['type'], 'type': 'object'}

type = 'healthcheck-protocol-mismatch'

class c7n.resources.elb.Instance(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter ELB by an associated instance value(s)

Example

policies:
  - name: elb-image-filter
    resource: elb
    filters:
      - type: instance
        key: ImageId
        value: ami-01ab23cd

annotate = False

get_permissions()

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['instance']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'instance'

class c7n.resources.elb.IsLoggingFilter(data, manager=None)

Bases: c7n.filters.core.Filter, c7n.resources.elb.ELBAttributeFilterBase

Matches ELBs that are logging to S3.

bucket and prefix are optional

Example

policies:
- name: elb-is-logging-test
  resource: elb
  filters:
    - type: is-logging

- name: elb-is-logging-bucket-and-prefix-test
  resource: elb
  filters:
    - type: is-logging
      bucket: prodlogs
      prefix: elblogs

permissions = ('elasticloadbalancing:DescribeLoadBalancerAttributes',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'bucket': {'type': 'string'}, 'prefix': {'type': 'string'}, 'type': {'enum': ['is-logging']}}, 'required': ['type'], 'type': 'object'}

type = 'is-logging'

class c7n.resources.elb.IsNotLoggingFilter(data, manager=None)

Bases: c7n.filters.core.Filter, c7n.resources.elb.ELBAttributeFilterBase

Matches ELBs that are NOT logging to S3.

or do not match the optional bucket and/or prefix.

Example

policies:
    - name: elb-is-not-logging-test
      resource: elb
      filters:
        - type: is-not-logging

    - name: is-not-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-not-logging
          bucket: prodlogs
          prefix: alblogs

permissions = ('elasticloadbalancing:DescribeLoadBalancerAttributes',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'bucket': {'type': 'string'}, 'prefix': {'type': 'string'}, 'type': {'enum': ['is-not-logging']}}, 'required': ['type'], 'type': 'object'}

type = 'is-not-logging'

class c7n.resources.elb.IsSSLFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Filters ELB that are using a SSL policy

Example

policies:
  - name: elb-using-ssl
    resource: elb
    filters:
      - type: is-ssl

process(balancers, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['is-ssl']}}, 'required': ['type'], 'type': 'object'}

type = 'is-ssl'

class c7n.resources.elb.RemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tag(s) from ELB(s)

Example

policies:
  - name: elb-remove-old-tag
    resource: elb
    filters:
      - "tag:OldTagKey": present
    actions:
      - type: remove-tag
        tags: [OldTagKey1, OldTagKey2]

batch_size = 1

permissions = ('elasticloadbalancing:RemoveTags',)

process_resource_set(client, resource_set, tag_keys)

type = 'remove-tag'

class c7n.resources.elb.SSLPolicyFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Filter ELBs on the properties of SSLNegotation policies. TODO: Only works on custom policies at the moment.

whitelist: filter all policies containing permitted protocols blacklist: filter all policies containing forbidden protocols

Cannot specify both whitelist & blacklist in the same policy. These must be done seperately (seperate policy statements).

Likewise, if you want to reduce the consideration set such that we only compare certain keys (e.g. you only want to compare the Protocol- keys), you can use the matching option with a regular expression:

Example

policies:
  - name: elb-ssl-policies
    resource: elb
    filters:
      - type: ssl-policy
        blacklist:
            - "Protocol-SSLv2"
            - "Protocol-SSLv3"
  - name: elb-modern-tls
    resource: elb
    filters:
      - type: ssl-policy
        matching: "^Protocol-"
        whitelist:
            - "Protocol-TLSv1.1"
            - "Protocol-TLSv1.2"

create_elb_active_attributes_tuples(elb_policy_tuples)

creates a list of tuples for all attributes that are marked as “true” in the load balancer’s polices, e.g. (myelb,[‘Protocol-SSLv1’,’Protocol-SSLv2’])

create_elb_active_policy_attribute_tuples(elbs)

Returns a list of tuples of active SSL policies attributes for each elb [(elb[‘Protocol-SSLv1’,’Protocol-SSLv2’,…])]

create_elb_custom_policy_tuples(balancers)

creates a list of tuples (elb,[sslpolicy1,sslpolicy2…]) for all custom policies on the ELB

permissions = ('elasticloadbalancing:DescribeLoadBalancerPolicies',)

process(balancers, event=None)

Bulk process resources and return filtered set.

process_elb_policy_set(client, elb_policy_set)

schema = {'additionalProperties': False, 'oneOf': [{'required': ['type', 'whitelist']}, {'required': ['type', 'blacklist']}], 'properties': {'blacklist': {'items': {'type': 'string'}, 'type': 'array'}, 'matching': {'type': 'string'}, 'type': {'enum': ['ssl-policy']}, 'whitelist': {'items': {'type': 'string'}, 'type': 'array'}}, 'type': 'object'}

type = 'ssl-policy'

validate()

validate filter config, return validation error or self

class c7n.resources.elb.SecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

ELB security group filter

RelatedIdsExpression = 'SecurityGroups[]'

type = 'security-group'

class c7n.resources.elb.SetELBShieldProtection(data=None, manager=None, log_dir=None)

Bases: c7n.resources.shield.SetShieldProtection

clear_stale(client, protections)

type = 'set-shield'

class c7n.resources.elb.SetSslListenerPolicy(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to set the ELB SSL listener policy

Example

policies:
  - name: elb-set-listener-policy
    resource: elb
    actions:
      - type: set-ssl-listener-policy
        name: SSLNegotiation-Policy-01
        attributes:
          - Protocol-SSLv3
          - Protocol-TLSv1.1
          - DHE-RSA-AES256-SHA256

permissions = ('elasticloadbalancing:CreateLoadBalancerPolicy', 'elasticloadbalancing:SetLoadBalancerPoliciesOfListener')

process(load_balancers)

process_elb(client, elb)

schema = {'additionalProperties': False, 'properties': {'attributes': {'items': {'type': 'string'}, 'type': 'array'}, 'name': {'type': 'string'}, 'type': {'enum': ['set-ssl-listener-policy']}}, 'required': ['name', 'attributes', 'type'], 'type': 'object'}

type = 'set-ssl-listener-policy'

class c7n.resources.elb.SubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

ELB subnet filter

RelatedIdsExpression = 'Subnets[]'

type = 'subnet'

class c7n.resources.elb.Tag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to add tag(s) to ELB(s)

Example

policies:
  - name: elb-add-owner-tag
    resource: elb
    filters:
      - "tag:OwnerName": missing
    actions:
      - type: tag
        key: OwnerName
        value: OwnerName

batch_size = 1

permissions = ('elasticloadbalancing:AddTags',)

process_resource_set(client, resource_set, tags)

type = 'tag'

class c7n.resources.elb.TagDelayedAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Action to specify an action to occur at a later date

Example

policies:
  - name: elb-delete-unused
    resource: elb
    filters:
      - "tag:custodian_cleanup": absent
      - Instances: []
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        msg: "Unused ELB - No Instances: {op}@{action_date}"
        op: delete
        days: 7

type = 'mark-for-op'

class c7n.resources.elb.VpcFilter(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

ELB vpc filter

RelatedIdsExpression = 'VPCId'

type = 'vpc'

c7n.resources.elb.is_ssl(b)

c7n.resources.emr module

class c7n.resources.emr.EMRCluster(ctx, data)

Bases: c7n.query.QueryResourceManager

Resource manager for Elastic MapReduce clusters

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

consolidate_query_filter()

filter_registry = <c7n.filters.core.FilterRegistry object>

classmethod get_permissions()

get_resources(ids)

Retrieve a set of resources by id.

class resource_type

Bases: object

cluster_states = ['WAITING', 'BOOTSTRAPPING', 'RUNNING', 'STARTING']

date = 'Status.Timeline.CreationDateTime'

dimension = None

enum_spec = ('list_clusters', 'Clusters', {'ClusterStates': ['WAITING', 'BOOTSTRAPPING', 'RUNNING', 'STARTING']})

filter_name = None

id = 'Id'

name = 'Name'

service = 'emr'

type = 'emr'

resources(query=None)

static retry(func, *args, **kw)

type = 'emr'

class c7n.resources.emr.EMRMetrics(data, manager=None)

Bases: c7n.filters.metrics.MetricsFilter

get_dimensions(resource)

type = 'metrics'

class c7n.resources.emr.QueryFilter(data)

Bases: object

classmethod parse(data)

query()

validate()

class c7n.resources.emr.TagDelayedAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Action to specify an action to occur at a later date

Example

policies:
  - name: emr-mark-for-op
    resource: emr
    filters:
      - "tag:Name": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        op: terminate
        days: 4
        msg: "Cluster does not have required tags"

type = 'mark-for-op'

class c7n.resources.emr.TagTable(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tag(s) on a resource

Example

policies:
  - name: emr-tag-table
    resource: emr
    filters:
      - "tag:target-tag": absent
    actions:
      - type: tag
        key: target-tag
        value: target-tag-value

batch_size = 1

permissions = ('elasticmapreduce:AddTags',)

process_resource_set(client, resources, tags)

static retry(func, *args, **kw)

type = 'tag'

class c7n.resources.emr.Terminate(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to terminate EMR cluster(s)

It is recommended to apply a filter to the terminate action to avoid termination of all EMR clusters

Example

policies:
  - name: emr-terminate
    resource: emr
    query:
      - ClusterStates: [STARTING, BOOTSTRAPPING, RUNNING, WAITING]
    actions:
      - terminate

delay = 5

permissions = ('elasticmapreduce:TerminateJobFlows',)

process(emrs)

schema = {'additionalProperties': False, 'properties': {'force': {'type': 'boolean'}, 'type': {'enum': ['terminate']}}, 'required': ['type'], 'type': 'object'}

type = 'terminate'

class c7n.resources.emr.UntagTable(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tag(s) on a resource

Example

policies:
  - name: emr-remove-tag
    resource: emr
    filters:
      - "tag:target-tag": present
    actions:
      - type: remove-tag
        tags: ["target-tag"]

batch_size = 5

concurrency = 2

permissions = ('elasticmapreduce:RemoveTags',)

process_resource_set(client, resources, tag_keys)

type = 'remove-tag'

c7n.resources.fsx module

class c7n.resources.fsx.BackupFileSystem(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Create Backups of File Systems

Tags are specified in key value pairs, e.g.: BackupSource: CloudCustodian

Example

permissions = ('fsx:CreateBackup',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'copy-tags': {'oneOf': [{'type': 'boolean'}, {'type': 'array', 'items': {'type': 'string'}}]}, 'tags': {'type': 'object'}, 'type': {'enum': ['backup']}}, 'required': ['type'], 'type': 'object'}

type = 'backup'

class c7n.resources.fsx.DeleteBackup(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete backups

Example

permissions = ('fsx:DeleteBackup',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.fsx.DeleteFileSystem(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete Filesystems

Example

permissions = ('fsx:DeleteFileSystem',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'copy-tags': {'oneOf': [{'type': 'array', 'items': {'type': 'string'}}, {'type': 'boolean'}]}, 'skip-snapshot': {'type': 'boolean'}, 'tags': {'type': 'object'}, 'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.fsx.FSx(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'ResourceARN'

date = 'CreationTime'

dimension = None

enum_spec = ('describe_file_systems', 'FileSystems', None)

filter_name = None

id = 'FileSystemId'

name = 'FileSystemId'

service = 'fsx'

type = 'fsx'

class c7n.resources.fsx.FSxBackup(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'ResourceARN'

date = 'CreationTime'

dimension = None

enum_spec = ('describe_backups', 'Backups', None)

filter_name = None

id = 'BackupId'

name = 'BackupId'

service = 'fsx'

type = 'fsx-backup'

class c7n.resources.fsx.KmsFilter(data, manager=None)

Bases: c7n.filters.kms.KmsRelatedFilter

Filter a resource by its associcated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

Example

policies:
    - name: fsx-kms-key-filters
      resource: fsx
      filters:
        - type: kms-key
          key: c7n:AliasName
          value: "^(alias/aws/fsx)"
          op: regex

RelatedIdsExpression = 'KmsKeyId'

type = 'kms-key'

class c7n.resources.fsx.KmsFilterFsxBackup(data, manager=None)

Bases: c7n.filters.kms.KmsRelatedFilter

Filter a resource by its associcated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

Example

policies:
    - name: fsx-backup-kms-key-filters
      resource: fsx-backup
      filters:
        - type: kms-key
          key: c7n:AliasName
          value: "^(alias/aws/fsx)"
          op: regex

RelatedIdsExpression = 'KmsKeyId'

type = 'kms-key'

class c7n.resources.fsx.MarkForOpFileSystem(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

permissions = ('fsx:TagResource',)

type = 'mark-for-op'

class c7n.resources.fsx.TagFileSystem(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

batch_size = 5

concurrency = 2

permissions = ('fsx:TagResource',)

process_resource_set(client, resources, tags)

type = 'tag'

class c7n.resources.fsx.UnTagFileSystem(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

batch_size = 5

concurrency = 2

permissions = ('fsx:UntagResource',)

process_resource_set(client, resources, tag_keys)

type = 'remove-tag'

class c7n.resources.fsx.UpdateFileSystem(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Update FSx resource configurations

Example

Reference: https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html

permissions = ('fsx:UpdateFileSystem',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'LustreConfiguration': {'type': 'object'}, 'WindowsConfiguration': {'type': 'object'}, 'type': {'enum': ['update']}}, 'required': ['type'], 'type': 'object'}

type = 'update'

c7n.resources.gamelift module

class c7n.resources.gamelift.GameLiftBuild(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = False

date = 'CreationTime'

dimension = None

enum_spec = ('list_builds', 'Builds', None)

filter_name = None

id = 'BuildId'

name = 'Name'

service = 'gamelift'

type = 'gamelift-build'

class c7n.resources.gamelift.GameLiftFleet(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'FleetArn'

batch_detail_spec = ('describe_fleet_attributes', 'FleetIds', None, 'FleetAttributes', None)

date = 'CreationTime'

dimension = None

enum_spec = ('list_fleets', 'FleetIds', None)

filter_name = None

id = 'FleetId'

name = 'Name'

service = 'gamelift'

type = 'gamelift-fleet'

c7n.resources.glacier module

class c7n.resources.glacier.Glacier(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('glacier:ListTagsForVault',)

class resource_type

Bases: object

arn = 'VaultARN'

dimension = None

enum_spec = ('list_vaults', 'VaultList', None)

filter_name = None

id = 'VaultARN'

name = 'VaultName'

service = 'glacier'

universal_taggable = True

static retry(func, *args, **kw)

type = 'glacier'

class c7n.resources.glacier.GlacierCrossAccountAccessFilter(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

Filter to return all glacier vaults with cross account access permissions

The whitelist parameter will omit the accounts that match from the return

Example

permissions = ('glacier:GetVaultAccessPolicy',)

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'cross-account'

class c7n.resources.glacier.RemovePolicyStatement(data=None, manager=None, log_dir=None)

Bases: c7n.actions.policy.RemovePolicyBase

Action to remove policy statements from Glacier

Example

policies:
  - name: glacier-cross-account
    resource: glacier
    filters:
      - type: cross-account
    actions:
      - type: remove-statements
        statement_ids: matched

permissions = ('glacier:SetVaultAccessPolicy', 'glacier:GetVaultAccessPolicy')

process(resources)

process_resource(client, resource)

type = 'remove-statements'

c7n.resources.glue module

class c7n.resources.glue.ConnectionSecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'PhysicalConnectionRequirements.SecurityGroupIdList[]'

type = 'security-group'

class c7n.resources.glue.ConnectionSubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'PhysicalConnectionRequirements.SubnetId'

type = 'subnet'

class c7n.resources.glue.DeleteConnection(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete a connection from the data catalog

Example

delete_connection(r)

permissions = ('glue:DeleteConnection',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.glue.DeleteDevEndpoint(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Deletes public Glue Dev Endpoints

Example

delete_dev_endpoint(client, endpoint_set)

permissions = ('glue:DeleteDevEndpoint',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.glue.GlueConnection(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('glue:GetConnections',)

class resource_type

Bases: object

arn = False

date = 'CreationTime'

detail_spec = None

dimension = None

enum_spec = ('get_connections', 'ConnectionList', None)

filter_name = None

id = 'Name'

name = 'Name'

service = 'glue'

type = 'glue-connection'

class c7n.resources.glue.GlueDevEndpoint(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('glue:GetDevEndpoints',)

class resource_type

Bases: object

arn = False

date = 'CreatedTimestamp'

detail_spec = None

dimension = None

enum_spec = ('get_dev_endpoints', 'DevEndpoints', None)

filter_name = None

id = 'EndpointName'

name = 'EndpointName'

service = 'glue'

type = 'glue-dev-endpoint'

c7n.resources.health module

class c7n.resources.health.HealthEvents(ctx, data)

Bases: c7n.query.QueryResourceManager

Query resource manager for AWS health events

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('health:DescribeEvents', 'health:DescribeEventDetails', 'health:DescribeAffectedEntities')

resource_query()

class resource_type

Bases: object

date = 'startTime'

dimension = None

enum_spec = ('describe_events', 'events', None)

filter_name = None

filter_type = None

id = 'arn'

name = 'eventTypeCode'

service = 'health'

type = 'event'

resources(query=None)

type = 'health-event'

class c7n.resources.health.QueryFilter(data)

Bases: object

classmethod parse(data)

query()

validate()

c7n.resources.hsm module

class c7n.resources.hsm.CloudHSM(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'HsmArn'

date = None

detail_spec = ('describe_hsm', 'HsmArn', None, None)

dimension = None

enum_spec = ('list_hsms', 'HsmList', None)

filter_name = None

id = 'HsmArn'

name = 'Name'

service = 'cloudhsm'

type = 'hsm'

class c7n.resources.hsm.CloudHSMCluster(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

class resource_type

Bases: object

dimension = None

enum_spec = ('describe_clusters', 'Clusters', None)

filter_name = 'Filters'

filter_type = 'scalar'

id = 'ClusterId'

name = 'ClusterId'

resource_type = 'cloudhsm'

service = 'cloudhsmv2'

type = 'cluster'

type = 'cloudhsm-cluster'

class c7n.resources.hsm.HSMClient(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'ClientArn'

date = None

detail_spec = ('describe_luna_client', 'ClientArn', None, None)

dimension = None

enum_spec = ('list_luna_clients', 'ClientList', None)

filter_name = None

id = 'ClientArn'

name = 'Label'

service = 'cloudhsm'

type = 'hsm-client'

class c7n.resources.hsm.PartitionGroup(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'HapgArn'

date = 'LastModifiedTimestamp'

detail_spec = ('describe_hapg', 'HapgArn', None, None)

dimension = None

enum_spec = ('list_hapgs', 'HapgList', None)

filter_name = None

id = 'HapgArn'

name = 'HapgSerial'

service = 'cloudhsm'

type = 'hsm-hapg'

class c7n.resources.hsm.RemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tag(s) from CloudHSM Cluster(s)

Example

policies:
  - name: cloudhsm
    resource: aws.cloudhsm-cluster
    filters:
      - "tag:OldTagKey": present
    actions:
      - type: remove-tag
        tags: [OldTagKey1, OldTagKey2]

permissions = ('cloudhsmv2:UntagResource',)

process_resource_set(client, clusters, tag_keys)

type = 'remove-tag'

class c7n.resources.hsm.Tag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to add tag(s) to CloudHSM Cluster(s)

Example

policies:
  - name: cloudhsm
    resource: aws.cloudhsm-cluster
    filters:
      - "tag:OwnerName": missing
    actions:
      - type: tag
        key: OwnerName
        value: OwnerName

permissions = ('cloudhsmv2:TagResource',)

process_resource_set(client, clusters, tags)

type = 'tag'

c7n.resources.iam module

class c7n.resources.iam.AllowAllIamPolicies(data, manager=None)

Bases: c7n.filters.core.Filter

Check if IAM policy resource(s) have allow-all IAM policy statement block.

This allows users to implement CIS AWS check 1.24 which states that no policy must exist with the following requirements.

Policy must have ‘Action’ and Resource = ‘*’ with ‘Effect’ = ‘Allow’

The policy will trigger on the following IAM policy (statement). For example:

Additionally, the policy checks if the statement has no ‘Condition’ or ‘NotAction’

For example, if the user wants to check all used policies and filter on allow all:

- name: iam-no-used-all-all-policy
  resource: iam-policy
  filters:
    - type: used
    - type: has-allow-all

Note that scanning and getting all policies and all statements can take a while. Use it sparingly or combine it with filters such as ‘used’ as above.

has_allow_all_policy(client, resource)

permissions = ('iam:ListPolicies', 'iam:ListPolicyVersions')

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['has-allow-all']}}, 'required': ['type'], 'type': 'object'}

type = 'has-allow-all'

class c7n.resources.iam.CheckPermissions(data, manager=None)

Bases: c7n.filters.core.Filter

Check IAM permissions associated with a resource.

Example

Find users that can create other users

policies:
  - name: super-users
    resource: iam-user
    filters:
      - type: check-permissions
        match: allowed
        actions:
         - iam:CreateUser

eval_annotation = 'c7n:perm-matches'

get_eval_matcher()

get_evaluations(client, arn, r, actions)

get_iam_arns(resources)

get_permissions()

policy_annotation = 'c7n:policy'

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'actions': {'items': {'type': 'string'}, 'type': 'array'}, 'match': {'oneOf': [{'enum': ['allowed', 'denied']}, {'$ref': '#/definitions/filters/valuekv'}, {'$ref': '#/definitions/filters/value'}]}, 'match-operator': {'enum': ['and', 'or']}, 'type': {'enum': ['check-permissions']}}, 'required': ('actions', 'match'), 'type': 'object'}

schema_alias = True

type = 'check-permissions'

class c7n.resources.iam.CredentialReport(data, manager=None)

Bases: c7n.filters.core.Filter

Use IAM Credential report to filter users.

The IAM Credential report aggregates multiple pieces of information on iam users. This makes it highly efficient for querying multiple aspects of a user that would otherwise require per user api calls.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

For example if we wanted to retrieve all users with mfa who have never used their password but have active access keys from the last month

- name: iam-mfa-active-keys-no-login
  resource: iam-user
  filters:
    - type: credential
      key: mfa_active
      value: true
    - type: credential
      key: password_last_used
      value: absent
    - type: credential
      key: access_keys.last_used
      value_type: age
      value: 30
      op: less-than

Credential Report Transforms

We perform some default transformations from the raw credential report. Sub-objects (access_key_1, cert_2) are turned into array of dictionaries for matching purposes with their common prefixes stripped. N/A values are turned into None, TRUE/FALSE are turned into boolean values.

fetch_credential_report()

get_credential_report()

get_value_or_schema_default(k)

list_sub_objects = (('access_key_1_', 'access_keys'), ('access_key_2_', 'access_keys'), ('cert_1_', 'certs'), ('cert_2_', 'certs'))

match(resource, info)

matched_annotation_key = 'c7n:matched-keys'

permissions = ('iam:GenerateCredentialReport', 'iam:GetCredentialReport')

process(resources, event=None)

Bulk process resources and return filtered set.

classmethod process_user_record(info)

Type convert the csv record, modifies in place.

schema = {'additionalProperties': False, 'properties': {'key': {'enum': ['user', 'arn', 'user_creation_time', 'password_enabled', 'password_last_used', 'password_last_changed', 'password_next_rotation', 'mfa_active', 'access_keys', 'access_keys.active', 'access_keys.last_used_date', 'access_keys.last_used_region', 'access_keys.last_used_service', 'access_keys.last_rotated', 'certs', 'certs.active', 'certs.last_rotated'], 'title': 'report key to search', 'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'report_delay': {'default': 10, 'title': 'Number of seconds to wait for report generation.', 'type': 'number'}, 'report_generate': {'default': True, 'title': 'Generate a report if none is present.', 'type': 'boolean'}, 'report_max_age': {'default': 86400, 'title': 'Number of seconds to consider a report valid.', 'type': 'number'}, 'type': {'enum': ['credential']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_type': {'ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

class c7n.resources.iam.DescribePolicy(manager)

Bases: c7n.query.DescribeSource

get_resources(resource_ids, cache=True)

resources(query=None)

class c7n.resources.iam.DescribeUser(manager)

Bases: c7n.query.DescribeSource

get_resources(resource_ids, cache=True)

class c7n.resources.iam.Group(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_resources(resource_ids, cache=True)

For IAM Groups on events, resource ids are Group Names.

class resource_type

Bases: object

arn = 'Arn'

config_type = 'AWS::IAM::Group'

date = 'CreateDate'

detail_spec = None

dimension = None

enum_spec = ('list_groups', 'Groups', None)

filter_name = None

global_resource = True

id = 'GroupName'

name = 'GroupName'

service = 'iam'

type = 'group'

type = 'iam-group'

class c7n.resources.iam.GroupMembership(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter IAM users based on attached group values

Example

policies:
  - name: iam-users-in-admin-group
    resource: iam-user
    filters:
      - type: group
        key: GroupName
        value: Admins

get_user_groups(client, user_set)

permissions = ('iam:ListGroupsForUser',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['group']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'group'

class c7n.resources.iam.IamGroupInlinePolicy(data, manager=None)

Bases: c7n.filters.core.Filter

Filter IAM groups that have an inline-policy based on boolean value: True: Filter all groups that have an inline-policy attached False: Filter all groups that do not have an inline-policy attached

Example

- name: iam-groups-with-inline-policy
  resource: iam-group
  filters:
    - type: has-inline-policy
      value: True

permissions = ('iam:ListGroupPolicies',)

process(resources, events=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['has-inline-policy']}, 'value': {'type': 'boolean'}}, 'required': ['type'], 'type': 'object'}

type = 'has-inline-policy'

class c7n.resources.iam.IamGroupUsers(data, manager=None)

Bases: c7n.filters.core.Filter

Filter IAM groups that have users attached based on True/False value: True: Filter all IAM groups with users assigned to it False: Filter all IAM groups without any users assigned to it

Example

- name: empty-iam-group
  resource: iam-group
  filters:
    - type: has-users
      value: False

permissions = ('iam:GetGroup',)

process(resources, events=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['has-users']}, 'value': {'type': 'boolean'}}, 'required': ['type'], 'type': 'object'}

type = 'has-users'

class c7n.resources.iam.IamRoleInlinePolicy(data, manager=None)

Bases: c7n.filters.core.Filter

Filter IAM roles that have an inline-policy attached True: Filter roles that have an inline-policy False: Filter roles that do not have an inline-policy

Example

policies:
  - name: iam-roles-with-inline-policies
    resource: iam-role
    filters:
      - type: has-inline-policy
        value: True

permissions = ('iam:ListRolePolicies',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['has-inline-policy']}, 'value': {'type': 'boolean'}}, 'required': ['type'], 'type': 'object'}

type = 'has-inline-policy'

class c7n.resources.iam.IamRoleUsage(data, manager=None)

Bases: c7n.filters.core.Filter

collect_profile_roles()

get_permissions()

instance_profile_usage()

scan_asg_roles()

scan_ec2_roles()

scan_ecs_roles()

scan_lambda_roles()

service_role_usage()

class c7n.resources.iam.IamUserInlinePolicy(data, manager=None)

Bases: c7n.filters.core.Filter

Filter IAM users that have an inline-policy attached

True: Filter users that have an inline-policy False: Filter users that do not have an inline-policy

permissions = ('iam:ListUserPolicies',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['has-inline-policy']}, 'value': {'type': 'boolean'}}, 'required': ['type'], 'type': 'object'}

type = 'has-inline-policy'

class c7n.resources.iam.InstanceProfile(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'Arn'

date = 'CreateDate'

dimension = None

enum_spec = ('list_instance_profiles', 'InstanceProfiles', None)

filter_name = None

global_resource = True

id = 'InstanceProfileId'

name = 'InstanceProfileId'

service = 'iam'

type = 'instance-profile'

type = 'iam-profile'

class c7n.resources.iam.NoSpecificIamRoleManagedPolicy(data, manager=None)

Bases: c7n.filters.core.Filter

Filter IAM roles that do not have a specific policy attached

For example, if the user wants to check all roles without ‘ip-restriction’:

Example

policies:
  - name: iam-roles-no-ip-restriction
    resource: iam-role
    filters:
      - type: no-specific-managed-policy
        value: ip-restriction

permissions = ('iam:ListAttachedRolePolicies',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['no-specific-managed-policy']}, 'value': {'type': 'string'}}, 'required': ['type'], 'type': 'object'}

type = 'no-specific-managed-policy'

class c7n.resources.iam.Policy(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_source(source_type)

class resource_type

Bases: object

arn = 'Arn'

config_type = 'AWS::IAM::Policy'

date = 'CreateDate'

dimension = None

enum_spec = ('list_policies', 'Policies', None)

filter_name = None

global_resource = True

id = 'PolicyId'

name = 'PolicyName'

service = 'iam'

type = 'policy'

type = 'iam-policy'

class c7n.resources.iam.PolicyDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete an IAM Policy.

For example, if you want to automatically delete all unused IAM policies.

Example

- name: iam-delete-unused-policies
  resource: iam-policy
  filters:
    - type: unused
  actions:
    - delete

permissions = ('iam:DeletePolicy',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.iam.PolicyQueryParser

Bases: c7n.utils.QueryParser

QuerySchema = {'OnlyAttached': <class 'bool'>, 'PathPrefix': (<class 'str'>,), 'PolicyUsageFilter': ('PermissionsPolicy', 'PermissionsBoundary'), 'Scope': ('All', 'AWS', 'Local')}

multi_value = False

value_key = 'Value'

class c7n.resources.iam.Role(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'Arn'

config_type = 'AWS::IAM::Role'

date = 'CreateDate'

detail_spec = ('get_role', 'RoleName', 'RoleName', 'Role')

dimension = None

enum_spec = ('list_roles', 'Roles', None)

filter_name = None

global_resource = True

id = 'RoleName'

name = 'RoleName'

service = 'iam'

type = 'role'

type = 'iam-role'

class c7n.resources.iam.RoleCrossAccountAccess(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = ('iam:ListRoles',)

policy_attribute = 'AssumeRolePolicyDocument'

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['cross-account']}, 'whitelist': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_from': {'additionalProperties': 'False', 'properties': {'expr': {'oneOf': [{'type': 'integer'}, {'type': 'string'}]}, 'format': {'enum': ['csv', 'json', 'txt', 'csv2dict']}, 'url': {'type': 'string'}}, 'required': ['url'], 'type': 'object'}}, 'required': ['type'], 'type': 'object'}

type = 'cross-account'

class c7n.resources.iam.RoleDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete an IAM Role.

For example, if you want to automatically delete an unused IAM role.

Example

- name: iam-delete-unused-role
  resource: iam-role
  filters:
    - type: usage
      match-operator: all
      LastAuthenticated: null
  actions:
    - delete

permissions = ('iam:DeleteRole',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.iam.RoleRemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Remove tags from an iam role.

permissions = ('iam:UntagRole',)

process_resource_set(client, roles, tags)

type = 'remove-tag'

class c7n.resources.iam.RoleTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Tag an iam role.

permissions = ('iam:TagRole',)

process_resource_set(client, roles, tags)

type = 'tag'

class c7n.resources.iam.ServerCertificate(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = 'Expiration'

dimension = None

enum_spec = ('list_server_certificates', 'ServerCertificateMetadataList', None)

filter_name = None

global_resource = True

id = 'ServerCertificateId'

name = 'ServerCertificateName'

service = 'iam'

type = 'server-certificate'

type = 'iam-certificate'

class c7n.resources.iam.ServiceUsage(data, manager=None)

Bases: c7n.filters.core.Filter

Filter iam resources by their api/service usage.

Note recent activity (last 4hrs) may not be shown, evaluation is against the last 365 days of data.

Each service access record is evaluated against all specified attributes. Attribute filters can be specified in short form k:v pairs or in long form as a value type filter.

match-operator allows to specify how a resource is treated across service access record matches. ‘any’ means a single matching service record will return the policy resource as matching. ‘all’ means all service access records have to match.

Find iam users that have not used any services in the last year

Example

- name: unused-users
  resource: iam-user
  filters:
    - type: usage
      match-operator: all
      LastAuthenticated: null

Find iam users that have used dynamodb in last 30 days

Example

- name: unused-users
  resource: iam-user
  filters:
    - type: usage
      ServiceNamespace: dynamodb
      TotalAuthenticatedEntities: 1
      LastAuthenticated:
        type: value
        value_type: age
        op: less-than
        value: 30
      match-operator: any

https://aws.amazon.com/blogs/security/automate-analyzing-permissions-using-iam-access-advisor/

JOB_COMPLETE = 'COMPLETED'

SERVICE_ATTR = {'LastAuthenticated', 'LastAuthenticatedEntity', 'ServiceName', 'ServiceNamespace', 'TotalAuthenticatedEntities'}

permissions = ('iam:GenerateServiceLastAccessedDetails', 'iam:GetServiceLastAccessedDetails')

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'LastAuthenticated': {'oneOf': [{'type': 'string'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'null'}, {'$ref': '#/definitions/filters/value'}]}, 'LastAuthenticatedEntity': {'oneOf': [{'type': 'string'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'null'}, {'$ref': '#/definitions/filters/value'}]}, 'ServiceName': {'oneOf': [{'type': 'string'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'null'}, {'$ref': '#/definitions/filters/value'}]}, 'ServiceNamespace': {'oneOf': [{'type': 'string'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'null'}, {'$ref': '#/definitions/filters/value'}]}, 'TotalAuthenticatedEntities': {'oneOf': [{'type': 'string'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'null'}, {'$ref': '#/definitions/filters/value'}]}, 'match-operator': {'enum': ['all', 'any']}, 'poll-delay': {'type': 'number'}, 'type': {'enum': ['usage']}}, 'required': ('match-operator',), 'type': 'object'}

schema_alias = True

schema_attr = {'LastAuthenticated': {'oneOf': [{'type': 'string'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'null'}, {'$ref': '#/definitions/filters/value'}]}, 'LastAuthenticatedEntity': {'oneOf': [{'type': 'string'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'null'}, {'$ref': '#/definitions/filters/value'}]}, 'ServiceName': {'oneOf': [{'type': 'string'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'null'}, {'$ref': '#/definitions/filters/value'}]}, 'ServiceNamespace': {'oneOf': [{'type': 'string'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'null'}, {'$ref': '#/definitions/filters/value'}]}, 'TotalAuthenticatedEntities': {'oneOf': [{'type': 'string'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'null'}, {'$ref': '#/definitions/filters/value'}]}, 'match-operator': {'enum': ['all', 'any']}, 'poll-delay': {'type': 'number'}}

type = 'usage'

class c7n.resources.iam.SetPolicy(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Set a specific IAM policy as attached or detached on a role.

You will identify the policy by its arn.

Returns a list of roles modified by the action.

For example, if you want to automatically attach a policy to all roles which don’t have it…

Example

- name: iam-attach-role-policy
  resource: iam-role
  filters:
    - type: no-specific-managed-policy
      value: my-iam-policy
  actions:
    - type: set-policy
      state: attached
      arn: arn:aws:iam::123456789012:policy/my-iam-policy

permissions = ('iam:AttachRolePolicy', 'iam:DetachRolePolicy')

process(resources)

schema = {'additionalProperties': False, 'properties': {'arn': {'type': 'string'}, 'state': {'enum': ['attached', 'detached']}, 'type': {'enum': ['set-policy']}}, 'required': ['state', 'arn', 'type'], 'type': 'object'}

type = 'set-policy'

class c7n.resources.iam.SpecificIamRoleManagedPolicy(data, manager=None)

Bases: c7n.filters.core.Filter

Filter IAM roles that has a specific policy attached

For example, if the user wants to check all roles with ‘admin-policy’:

Example

policies:
  - name: iam-roles-have-admin
    resource: iam-role
    filters:
      - type: has-specific-managed-policy
        value: admin-policy

permissions = ('iam:ListAttachedRolePolicies',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['has-specific-managed-policy']}, 'value': {'type': 'string'}}, 'required': ['type'], 'type': 'object'}

type = 'has-specific-managed-policy'

class c7n.resources.iam.UnusedIamPolicies(data, manager=None)

Bases: c7n.filters.core.Filter

Filter IAM policies that are not being used

Example

policies:
  - name: iam-policy-unused
    resource: iam-policy
    filters:
      - type: unused

permissions = ('iam:ListPolicies',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['unused']}}, 'required': ['type'], 'type': 'object'}

type = 'unused'

class c7n.resources.iam.UnusedIamRole(data, manager=None)

Bases: c7n.resources.iam.IamRoleUsage

Filter IAM roles that are either being used or not

This filter has been deprecated. Please use the ‘used’ filter with the ‘state’ attribute to get unused iam roles

Checks for usage on EC2, Lambda, ECS only

Example

policies:
  - name: iam-roles-not-in-use
    resource: iam-role
    filters:
      - type: used
        state: false

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['unused']}}, 'required': ['type'], 'type': 'object'}

type = 'unused'

class c7n.resources.iam.UnusedInstanceProfiles(data, manager=None)

Bases: c7n.resources.iam.IamRoleUsage

Filter IAM profiles that are not being used

Example

policies:
  - name: iam-instance-profiles-not-in-use
    resource: iam-profile
    filters:
      - type: unused

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['unused']}}, 'required': ['type'], 'type': 'object'}

type = 'unused'

class c7n.resources.iam.UsedIamPolicies(data, manager=None)

Bases: c7n.filters.core.Filter

Filter IAM policies that are being used

Example

policies:
  - name: iam-policy-used
    resource: iam-policy
    filters:
      - type: used

permissions = ('iam:ListPolicies',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['used']}}, 'required': ['type'], 'type': 'object'}

type = 'used'

class c7n.resources.iam.UsedIamRole(data, manager=None)

Bases: c7n.resources.iam.IamRoleUsage

Filter IAM roles that are either being used or not

Checks for usage on EC2, Lambda, ECS only

Example

policies:
  - name: iam-role-in-use
    resource: iam-role
    filters:
      - type: used
        state: true

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['used']}}, 'required': ['type'], 'type': 'object'}

type = 'used'

class c7n.resources.iam.UsedInstanceProfiles(data, manager=None)

Bases: c7n.resources.iam.IamRoleUsage

Filter IAM profiles that are being used

Example

policies:
  - name: iam-instance-profiles-in-use
    resource: iam-profile
    filters:
      - type: used

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['used']}}, 'required': ['type'], 'type': 'object'}

type = 'used'

class c7n.resources.iam.User(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_source(source_type)

class resource_type

Bases: object

arn = 'Arn'

config_type = 'AWS::IAM::User'

date = 'CreateDate'

detail_spec = ('get_user', 'UserName', 'UserName', 'User')

dimension = None

enum_spec = ('list_users', 'Users', None)

filter_name = None

global_resource = True

id = 'UserName'

name = 'UserName'

service = 'iam'

type = 'user'

type = 'iam-user'

class c7n.resources.iam.UserAccessKey(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter IAM users based on access-key values

Example

policies:
  - name: iam-users-with-active-keys
    resource: iam-user
    filters:
      - type: access-key
        key: Status
        value: Active

annotate = False

annotation_key = 'c7n:AccessKeys'

get_user_keys(client, user_set)

matched_annotation_key = 'c7n:matched-keys'

permissions = ('iam:ListAccessKeys',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['access-key']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'access-key'

class c7n.resources.iam.UserCredentialReport(data, manager=None)

Bases: c7n.resources.iam.CredentialReport

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'credential'

class c7n.resources.iam.UserDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete a user or properties of a user.

For example if you want to have a whitelist of valid (machine-)users and want to ensure that no users have been clicked without documentation.

You can use both the ‘credential’ or the ‘username’ filter. ‘credential’ will have an SLA of 4h, (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html), but the added benefit of performing less API calls, whereas ‘username’ will make more API calls, but have a SLA of your cache.

Example

# using a 'credential' filter'
- name: iam-only-whitelisted-users
  resource: iam-user
  filters:
    - type: credential
      key: user
      op: not-in
      value:
        - valid-user-1
        - valid-user-2
  actions:
    - delete

# using a 'username' filter with 'UserName'
- name: iam-only-whitelisted-users
  resource: iam-user
  filters:
    - type: value
      key: UserName
      op: not-in
      value:
        - valid-user-1
        - valid-user-2
  actions:
    - delete

 # using a 'username' filter with 'Arn'
- name: iam-only-whitelisted-users
  resource: iam-user
  filters:
    - type: value
      key: Arn
      op: not-in
      value:
        - arn:aws:iam:123456789012:user/valid-user-1
        - arn:aws:iam:123456789012:user/valid-user-2
  actions:
    - delete

Additionally, you can specify the options to delete properties of an iam-user, including console-access, access-keys, attached-user-policies, inline-user-policies, mfa-devices, groups, ssh-keys, signing-certificates, and service-specific-credentials.

Note: using options will _not_ delete the user itself, only the items specified by options that are attached to the respective iam-user. To delete a user completely, use the delete action without specifying options.

Example

- name: delete-console-access-unless-valid
  comment: |
    finds iam-users with console access and deletes console access unless
    the username is included in whitelist
  resource: iam-user
  filters:
    - type: username
      key: UserName
      op: not-in
      value:
        - valid-user-1
        - valid-user-2
    - type: credential
      key: Status
      value: Active
  actions:
    - type: delete
      options:
        - console-access

- name: delete-misc-access-for-iam-user
  comment: |
    deletes multiple options from test_user
  resource: iam-user
  filters:
    - UserName: test_user
  actions:
    - type: delete
      options:
        - mfa-devices
        - access-keys
        - ssh-keys

COMPOUND_OPTIONS = {'user-policies': ['attached-user-policies', 'inline-user-policies']}

ORDERED_OPTIONS = {'access-keys': 'delete_access_keys', 'attached-user-policies': 'delete_attached_user_policies', 'console-access': 'delete_console_access', 'groups': 'delete_groups', 'inline-user-policies': 'delete_inline_user_policies', 'mfa-devices': 'delete_hw_mfa_devices', 'service-specific-credentials': 'delete_service_specific_credentials', 'signing-certificates': 'delete_signing_certificates', 'ssh-keys': 'delete_ssh_keys'}

static delete_access_keys(client, r)

static delete_attached_user_policies(client, r)

static delete_console_access(client, r)

static delete_groups(client, r)

static delete_hw_mfa_devices(client, r)

static delete_inline_user_policies(client, r)

static delete_service_specific_credentials(client, r)

static delete_signing_certificates(client, r)

static delete_ssh_keys(client, r)

static delete_user(client, r)

permissions = ('iam:ListAttachedUserPolicies', 'iam:ListAccessKeys', 'iam:ListGroupsForUser', 'iam:ListMFADevices', 'iam:ListServiceSpecificCredentials', 'iam:ListSigningCertificates', 'iam:ListSSHPublicKeys', 'iam:DeactivateMFADevice', 'iam:DeleteAccessKey', 'iam:DeleteLoginProfile', 'iam:DeleteSigningCertificate', 'iam:DeleteSSHPublicKey', 'iam:DeleteUser', 'iam:DeleteUserPolicy', 'iam:DetachUserPolicy', 'iam:RemoveUserFromGroup')

process(resources)

process_user(client, r)

schema = {'additionalProperties': False, 'properties': {'options': {'items': {'enum': ['console-access', 'access-keys', 'attached-user-policies', 'inline-user-policies', 'mfa-devices', 'groups', 'ssh-keys', 'signing-certificates', 'service-specific-credentials', 'user-policies'], 'type': 'string'}, 'type': 'array'}, 'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.iam.UserFinding(data=None, manager=None, log_dir=None)

Bases: c7n.actions.securityhub.OtherResourcePostFinding

format_resource(r)

type = 'post-finding'

class c7n.resources.iam.UserMfaDevice(*args, **kw)

Bases: c7n.filters.core.ValueFilter

Filter iam-users based on mfa-device status

Example

policies:
  - name: mfa-enabled-users
    resource: iam-user
    filters:
      - type: mfa-device
        key: UserName
        value: not-null

permissions = ('iam:ListMfaDevices',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['mfa-device']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'mfa-device'

class c7n.resources.iam.UserPolicy(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter IAM users based on attached policy values

Example

policies:
  - name: iam-users-with-admin-access
    resource: iam-user
    filters:
      - type: policy
        key: PolicyName
        value: AdministratorAccess

permissions = ('iam:ListAttachedUserPolicies',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['policy']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'policy'

user_policies(user_set)

class c7n.resources.iam.UserRemoveAccessKey(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete or disable user’s access keys.

For example if we wanted to disable keys after 90 days of non-use and delete them after 180 days of nonuse:

Example

- name: iam-mfa-active-key-no-login
  resource: iam-user
  actions:
    - type: remove-keys
      disable: true
      age: 90
    - type: remove-keys
      age: 180

permissions = ('iam:ListAccessKeys', 'iam:UpdateAccessKey', 'iam:DeleteAccessKey')

process(resources)

schema = {'additionalProperties': False, 'properties': {'age': {'type': 'number'}, 'disable': {'type': 'boolean'}, 'matched': {'type': 'boolean'}, 'type': {'enum': ['remove-keys']}}, 'required': ['type'], 'type': 'object'}

type = 'remove-keys'

validate()

class c7n.resources.iam.UserRemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Remove tags from an iam user.

permissions = ('iam:UntagUser',)

process_resource_set(client, users, tags)

type = 'remove-tag'

class c7n.resources.iam.UserTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Tag an iam user.

permissions = ('iam:TagUser',)

process_resource_set(client, users, tags)

type = 'tag'

c7n.resources.iam.resolve_credential_keys(m_keys, keys)

c7n.resources.iot module

class c7n.resources.iot.IoT(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'thingArn'

default_report_fields = ('thingName', 'thingTypeName')

dimension = None

enum_spec = ('list_things', 'things', None)

id = 'thingName'

name = 'thingName'

service = 'iot'

type = 'iot'

c7n.resources.kafka module

class c7n.resources.kafka.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('kafka:DeleteCluster',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.kafka.Kafka(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'ClusterArn'

date = 'CreationTime'

dimension = None

enum_spec = ('list_clusters', 'ClusterInfoList', None)

filter_name = 'ClusterNameFilter'

filter_type = 'scalar'

id = 'ClusterArn'

name = 'ClusterName'

service = 'kafka'

type = 'kafka'

class c7n.resources.kafka.KafkaSGFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'BrokerNodeGroupInfo.SecurityGroups[]'

type = 'security-group'

class c7n.resources.kafka.KafkaSubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'BrokerNodeGroupInfo.ClientSubnets[]'

type = 'subnet'

c7n.resources.kinesis module

class c7n.resources.kinesis.AnalyticsApp(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'ApplicationARN'

detail_spec = ('describe_application', 'ApplicationName', 'ApplicationName', 'ApplicationDetail')

dimension = None

enum_spec = ('list_applications', 'ApplicationSummaries', None)

filter_name = None

filter_type = None

id = 'ApplicationARN'

name = 'ApplicationName'

service = 'kinesisanalytics'

type = 'kinesis-analytics'

class c7n.resources.kinesis.AppDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('kinesisanalytics:DeleteApplication',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.kinesis.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('kinesis:DeleteStream',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.kinesis.DeliveryStream(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = 'CreateTimestamp'

detail_spec = ('describe_delivery_stream', 'DeliveryStreamName', None, 'DeliveryStreamDescription')

dimension = 'DeliveryStreamName'

enum_spec = ('list_delivery_streams', 'DeliveryStreamNames', None)

filter_name = None

filter_type = None

id = 'DeliveryStreamName'

name = 'DeliveryStreamName'

service = 'firehose'

type = 'deliverystream'

type = 'firehose'

class c7n.resources.kinesis.Encrypt(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('kinesis:UpdateStream',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'key': {'type': 'string'}, 'type': {'enum': ['encrypt']}}, 'required': ('key',), 'type': 'object'}

type = 'encrypt'

class c7n.resources.kinesis.FirehoseDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('firehose:DeleteDeliveryStream',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.kinesis.FirehoseEncryptS3Destination(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to set encryption key a Firehose S3 destination

Example

policies:
  - name: encrypt-s3-destination
    resource: firehose
    filters:
      - KmsMasterKeyId: absent
    actions:
      - type: encrypt-s3-destination
        key_arn: <arn of KMS key/alias>

DEST_MD = {'ElasticsearchDestinationDescription': {'clear': ['S3BackupMode'], 'encrypt_path': 'S3DestinationDescription.EncryptionConfiguration', 'remap': [('S3DestinationDescription', 'S3Update')], 'update': 'ElasticsearchDestinationUpdate'}, 'ExtendedS3DestinationDescription': {'clear': ['S3BackupMode'], 'encrypt_path': 'EncryptionConfiguration', 'remap': [], 'update': 'ExtendedS3DestinationUpdate'}, 'RedshiftDestinationDescription': {'clear': ['S3BackupMode', 'ClusterJDBCURL', 'CopyCommand', 'Username'], 'encrypt_path': 'S3DestinationDescription.EncryptionConfiguration', 'remap': [('S3DestinationDescription', 'S3Update')], 'update': 'RedshiftDestinationUpdate'}, 'SplunkDestinationDescription': {'clear': ['S3BackupMode'], 'encrypt_path': 'S3DestinationDescription.EncryptionConfiguration', 'remap': [('S3DestinationDescription', 'S3Update')], 'update': 'SplunkDestinationUpdate'}}

permissions = ('firehose:UpdateDestination',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'key_arn': {'type': 'string'}, 'type': {'enum': ['encrypt-s3-destination']}}, 'required': ('key_arn',), 'type': 'object'}

type = 'encrypt-s3-destination'

class c7n.resources.kinesis.KinesisStream(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

detail_spec = ('describe_stream', 'StreamName', None, 'StreamDescription')

dimension = 'StreamName'

enum_spec = ('list_streams', 'StreamNames', None)

filter_name = None

filter_type = None

id = 'StreamName'

name = 'StreamName'

service = 'kinesis'

type = 'stream'

universal_taggable = True

static retry(func, *args, **kw)

type = 'kinesis'

c7n.resources.kms module

class c7n.resources.kms.GrantCount(data, manager=None)

Bases: c7n.filters.core.Filter

Filters KMS key grants

This can be used to ensure issues around grant limits are monitored

Example

policies:
  - name: kms-grants
    resource: kms
    filters:
      - type: grant-count
        min: 100

permissions = ('kms:ListGrants',)

process(keys, event=None)

Bulk process resources and return filtered set.

process_key(client, key)

schema = {'additionalProperties': False, 'properties': {'min': {'minimum': 0, 'type': 'integer'}, 'type': {'enum': ['grant-count']}}, 'required': ['type'], 'type': 'object'}

type = 'grant-count'

class c7n.resources.kms.KMSCrossAccountAccessFilter(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

Filter KMS keys which have cross account permissions

Example

policies:
  - name: kms-key-cross-account
    resource: kms-key
    filters:
      - type: cross-account

permissions = ('kms:GetKeyPolicy',)

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'cross-account'

class c7n.resources.kms.Key(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

dimension = None

enum_spec = ('list_keys', 'Keys', None)

filter_name = None

id = 'KeyArn'

name = 'KeyId'

service = 'kms'

type = 'key'

universal_taggable = True

type = 'kms-key'

class c7n.resources.kms.KeyAlias(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

dimension = None

enum_spec = ('list_aliases', 'Aliases', None)

filter_name = None

id = 'AliasArn'

name = 'AliasName'

service = 'kms'

type = 'key-alias'

type = 'kms'

class c7n.resources.kms.KeyRotationStatus(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filters KMS keys by the rotation status

Example

policies:
  - name: kms-key-disabled-rotation
    resource: kms-key
    filters:
      - type: key-rotation-status
        key: KeyRotationEnabled
        value: false

permissions = ('kms:GetKeyRotationStatus',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['key-rotation-status']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'key-rotation-status'

class c7n.resources.kms.KmsKeyRotation(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Toggle KMS key rotation

Example

permissions = ('kms:EnableKeyRotation',)

process(keys)

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['set-rotation']}}, 'required': ['type'], 'type': 'object'}

type = 'set-rotation'

class c7n.resources.kms.RemovePolicyStatement(data=None, manager=None, log_dir=None)

Bases: c7n.actions.policy.RemovePolicyBase

Action to remove policy statements from KMS

Example

policies:
   - name: kms-key-cross-account
     resource: kms-key
     filters:
       - type: cross-account
     actions:
       - type: remove-statements
         statement_ids: matched

permissions = ('kms:GetKeyPolicy', 'kms:PutKeyPolicy')

process(resources)

process_resource(client, resource, key_id)

type = 'remove-statements'

class c7n.resources.kms.ResourceKmsKeyAlias(data, manager=None)

Bases: c7n.filters.core.ValueFilter

get_matching_aliases(resources, event=None)

get_permissions()

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['kms-alias']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

c7n.resources.lightsail module

class c7n.resources.lightsail.Database(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'arn'

date = 'createdAt'

dimension = None

enum_spec = ('get_relational_databases', 'relationDatabases', None)

filter_name = None

id = 'arn'

name = 'name'

service = 'lightsail'

type = 'lightsail-db'

class c7n.resources.lightsail.Instance(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'arn'

date = 'createdAt'

dimension = None

enum_spec = ('get_instances', 'instances', None)

filter_name = None

id = 'arn'

name = 'name'

service = 'lightsail'

type = 'lightsail-instance'

class c7n.resources.lightsail.LoadBalancer(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'arn'

date = 'createdAt'

dimension = None

enum_spec = ('get_load_balancers', 'loadBalancers', None)

filter_name = None

id = 'arn'

name = 'name'

service = 'lightsail'

type = 'lightsail-elb'

c7n.resources.ml module

class c7n.resources.ml.DeleteMLModel(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete machine learning model

It is recommended to use a filter to avoid unwanted deletion of models

Example

policies:
  - name: ml-model-delete
    resource: ml-model
    actions:
      - delete

permissions = ('machinelearning:DeleteMLModel',)

process(models)

process_model(model)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.ml.MLModel(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = 'CreatedAt'

dimension = None

enum_spec = ('describe_ml_models', 'Results', None)

id = 'MLModelId'

name = 'Name'

service = 'machinelearning'

type = 'mlmodel'

type = 'ml-model'

c7n.resources.mq module

class c7n.resources.mq.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete a set of message brokers

permissions = ('mq:DeleteBroker',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.mq.MQMetrics(data, manager=None)

Bases: c7n.filters.metrics.MetricsFilter

get_dimensions(resource)

type = 'metrics'

class c7n.resources.mq.MQSGFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'SecurityGroups[]'

type = 'security-group'

class c7n.resources.mq.MQSubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'SubnetIds[]'

type = 'subnet'

class c7n.resources.mq.MarkForOpMessageBroker(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Action to specify an action to occur at a later date

Example

policies:
  - name: mq-delete-unused
    resource: message-broker
    filters:
      - "tag:custodian_cleanup": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        msg: "Unused mq"
        op: delete
        days: 7

type = 'mark-for-op'

class c7n.resources.mq.MarkedForOp(data, manager=None)

Bases: c7n.tags.TagActionFilter

permissions = ('mq:ListBrokers',)

type = 'marked-for-op'

class c7n.resources.mq.MessageBroker(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'BrokerArn'

date = None

detail_spec = ('describe_broker', 'BrokerId', 'BrokerId', None)

dimension = 'Broker'

enum_spec = ('list_brokers', 'BrokerSummaries', None)

filter_name = None

id = 'BrokerId'

metrics_namespace = 'AWS/AmazonMQ'

name = 'BrokerName'

service = 'mq'

type = 'message-broker'

class c7n.resources.mq.TagMessageBroker(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tag(s) on a mq

Example

policies:
  - name: tag-mq
    resource: message-broker
    filters:
      - "tag:target-tag": absent
    actions:
      - type: tag
        key: target-tag
        value: target-tag-value

permissions = ('mq:TagMessageBroker',)

process_resource_set(client, mq, new_tags)

type = 'tag'

class c7n.resources.mq.UntagMessageBroker(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tag(s) on mq

Example

policies:
  - name: mq-remove-tag
    resource: message-broker
    filters:
      - "tag:OutdatedTag": present
    actions:
      - type: remove-tag
        tags: ["OutdatedTag"]

permissions = ('mq:UntagMessageBroker',)

process_resource_set(client, mq, tags)

type = 'remove-tag'

c7n.resources.opsworks module

class c7n.resources.opsworks.CMDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete Opswork for Chef Automate server

It is recommended to use a filter to avoid unwanted deletion of servers

Example

policies:
  - name: opsworks-cm-delete
    resource: opswork-cm
    actions:
      - delete

permissions = ('opsworks-cm:DeleteServer',)

process(servers)

process_server(server)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.opsworks.DeleteStack(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.opsworks.StateTransitionFilter

Action to delete Opswork Stack

It is recommended to use a filter to avoid unwanted deletion of stacks

Example

policies:
  - name: opswork-delete
    resource: opswork-stack
    actions:
      - delete

permissions = ('opsworks:DescribeApps', 'opsworks:DescribeLayers', 'opsworks:DescribeInstances', 'opsworks:DeleteStack', 'opsworks:DeleteApp', 'opsworks:DeleteLayer', 'opsworks:DeleteInstance')

process(stacks)

process_stack(stack)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

valid_origin_states = ('terminating', 'stopping', 'shutting_down', 'terminated', 'stopped')

class c7n.resources.opsworks.OpsworkStack(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'Arn'

date = 'CreatedAt'

dimension = 'StackId'

enum_spec = ('describe_stacks', 'Stacks', None)

filter_name = 'StackIds'

filter_type = 'list'

id = 'StackId'

name = 'Name'

service = 'opsworks'

type = 'opswork-stack'

class c7n.resources.opsworks.OpsworksCM(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'ServerArn'

date = 'CreatedAt'

dimension = None

enum_spec = ('describe_servers', 'Servers', None)

filter_name = 'ServerName'

filter_type = 'scalar'

id = 'ServerName'

name = 'ServerName'

service = 'opsworkscm'

type = 'opswork-cm'

class c7n.resources.opsworks.StateTransitionFilter

Bases: object

Filter instances by state.

Try to simplify construction for policy authors by automatically filtering elements (filters or actions) to the instances states they are valid for. Separate from ec2 class as uses [‘status’] instead of [‘State’][‘Name’].

For more details see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html

filter_instance_state(instances, states=None)

valid_origin_states = ()

class c7n.resources.opsworks.StopStack(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to stop Opswork Stack (Stops all instances under stack)

It is recommended to use a filter to avoid unwanted stopping of stacks

Example

policies:
  - name: opswork-stop
    resource: opswork-stack
    actions:
      - stop

permissions = ('opsworks:StopStack',)

process(stacks)

process_stack(stack)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['stop']}}, 'required': ['type'], 'type': 'object'}

type = 'stop'

c7n.resources.rds module

RDS Resource Manager

Example Policies

Find rds instances that are publicly available

policies:
   - name: rds-public
     resource: rds
     filters:
      - PubliclyAccessible: true

Find rds instances that are not encrypted

policies:
   - name: rds-non-encrypted
     resource: rds
     filters:
      - type: value
        key: StorageEncrypted
        value: true
        op: ne

class c7n.resources.rds.AutoPatch(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Toggle AutoMinorUpgrade flag on RDS instance

‘window’ parameter needs to be in the format ‘ddd:hh:mm-ddd:hh:mm’ and have at least 30 minutes between start & end time. If ‘window’ is not specified, AWS will assign a random maintenance window to each instance selected.

Example

policies:
  - name: enable-rds-autopatch
    resource: rds
    filters:
      - AutoMinorVersionUpgrade: false
    actions:
      - type: auto-patch
        minor: true
        window: Mon:23:00-Tue:01:00

permissions = ('rds:ModifyDBInstance',)

process(dbs)

schema = {'additionalProperties': False, 'properties': {'minor': {'type': 'boolean'}, 'type': {'enum': ['auto-patch']}, 'window': {'type': 'string'}}, 'required': ['type'], 'type': 'object'}

type = 'auto-patch'

class c7n.resources.rds.ConfigRDS(manager)

Bases: c7n.query.ConfigSource

load_resource(item)

class c7n.resources.rds.ConfigRDSSnapshot(manager)

Bases: c7n.query.ConfigSource

load_resource(item)

class c7n.resources.rds.CopySnapshotTags(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Enables copying tags from rds instance to snapshot

DEPRECATED - use modify-db instead with CopyTagsToSnapshot

permissions = ('rds:ModifyDBInstances',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'enable': {'type': 'boolean'}, 'type': {'enum': ['set-snapshot-copy-tags']}}, 'required': ['type'], 'type': 'object'}

set_snapshot_tags(client, r)

type = 'set-snapshot-copy-tags'

class c7n.resources.rds.CrossAccountAccess(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = ('rds:DescribeDBSnapshotAttributes',)

process(resources, event=None)

Bulk process resources and return filtered set.

process_resource_set(resource_set)

type = 'cross-account'

class c7n.resources.rds.DbInstanceFinding(data=None, manager=None, log_dir=None)

Bases: c7n.actions.securityhub.OtherResourcePostFinding

fields = [{'key': 'DBSubnetGroupName', 'expr': 'DBSubnetGroup.DBSubnetGroupName'}, {'key': 'VpcId', 'expr': 'DBSubnetGroup.VpcId'}]

type = 'post-finding'

class c7n.resources.rds.DefaultVpc(data, manager=None)

Bases: c7n.filters.vpc.DefaultVpcBase

Matches if an rds database is in the default vpc

Example

policies:
  - name: default-vpc-rds
    resource: rds
    filters:
      - type: default-vpc

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['default-vpc']}}, 'required': ['type'], 'type': 'object'}

type = 'default-vpc'

class c7n.resources.rds.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Deletes selected RDS instances

This will delete RDS instances. It is recommended to apply with a filter to avoid deleting all RDS instances in the account.

Example

policies:
  - name: rds-delete
    resource: rds
    filters:
      - default-vpc
    actions:
      - type: delete
        skip-snapshot: true

copy_restore_info(client, instance)

permissions = ('rds:DeleteDBInstance', 'rds:AddTagsToResource')

process(dbs)

schema = {'additionalProperties': False, 'properties': {'copy-restore-info': {'type': 'boolean'}, 'skip-snapshot': {'type': 'boolean'}, 'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

validate()

class c7n.resources.rds.DescribeRDS(manager)

Bases: c7n.query.DescribeSource

augment(dbs)

class c7n.resources.rds.DescribeRDSSnapshot(manager)

Bases: c7n.query.DescribeSource

augment(snaps)

class c7n.resources.rds.KmsKeyAlias(data, manager=None)

Bases: c7n.resources.kms.ResourceKmsKeyAlias

process(dbs, event=None)

Bulk process resources and return filtered set.

type = 'kms-alias'

class c7n.resources.rds.LatestSnapshot(data, manager=None)

Bases: c7n.filters.core.Filter

Return the latest snapshot for each database.

permissions = ('rds:DescribeDBSnapshots',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'automatic': {'type': 'boolean'}, 'type': {'enum': ['latest']}}, 'required': ['type'], 'type': 'object'}

type = 'latest'

class c7n.resources.rds.ModifyDb(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Modifies an RDS instance based on specified parameter using ModifyDbInstance.

‘Update’ is an array with with key value pairs that should be set to the property and value you wish to modify. ‘Immediate” determines whether the modification is applied immediately or not. If ‘immediate’ is not specified, default is false.

Example

policies:
  - name: disable-rds-deletion-protection
    resource: rds
    filters:
      - DeletionProtection: true
      - PubliclyAccessible: true
    actions:
      - type: modify-db
        update:
          - property: 'DeletionProtection'
            value: false
          - property: 'PubliclyAccessible'
            value: false
        immediate: true

permissions = ('rds:ModifyDBInstance',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'immediate': {'type': 'boolean'}, 'type': {'enum': ['modify-db']}, 'update': {'items': {'properties': {'property': {'enum': ['AllocatedStorage', 'DBInstanceClass', 'DBSubnetGroupName', 'DBSecurityGroups', 'VpcSecurityGroupIds', 'MasterUserPassword', 'DBParameterGroupName', 'BackupRetentionPeriod', 'PreferredBackupWindow', 'PreferredMaintenanceWindow', 'MultiAZ', 'EngineVersion', 'AllowMajorVersionUpgrade', 'AutoMinorVersionUpgrade', 'LicenseModel', 'Iops', 'OptionGroupName', 'NewDBInstanceIdentifier', 'StorageType', 'TdeCredentialArn', 'TdeCredentialPassword', 'CACertificateIdentifier', 'Domain', 'CopyTagsToSnapshot', 'MonitoringInterval', 'DBPortNumber', 'PubliclyAccessible', 'DomainIAMRoleName', 'PromotionTier', 'EnableIAMDatabaseAuthentication', 'EnablePerformanceInsights', 'PerformanceInsightsKMSKeyId', 'PerformanceInsightsRetentionPeriod', 'CloudwatchLogsExportConfiguration', 'UseDefaultProcessorFeatures', 'DeletionProtection'], 'type': 'string'}, 'value': {}}, 'type': 'object'}, 'type': 'array'}}, 'required': ('update',), 'type': 'object'}

type = 'modify-db'

class c7n.resources.rds.ParameterFilter(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Applies value type filter on set db parameter values. :example:

policies:
  - name: rds-pg
    resource: rds
    filters:
      - type: db-parameter
        key: someparam
        op: eq
        value: someval

permissions = ('rds:DescribeDBInstances', 'rds:DescribeDBParameters')

process(resources, event=None)

Bulk process resources and return filtered set.

static recast(val, datatype)

Re-cast the value based upon an AWS supplied datatype and treat nulls sensibly.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['db-parameter']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'db-parameter'

class c7n.resources.rds.RDS(data, options)

Bases: c7n.query.QueryResourceManager

Resource manager for RDS DB instances.

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

get_source(source_type)

class resource_type

Bases: object

arn = 'DBInstanceArn'

config_type = 'AWS::RDS::DBInstance'

date = 'InstanceCreateTime'

default_report_fields = ('DBInstanceIdentifier', 'DBName', 'Engine', 'EngineVersion', 'MultiAZ', 'AllocatedStorage', 'StorageEncrypted', 'PubliclyAccessible', 'InstanceCreateTime')

dimension = 'DBInstanceIdentifier'

enum_spec = ('describe_db_instances', 'DBInstances', None)

filter_name = 'DBInstanceIdentifier'

filter_type = 'scalar'

id = 'DBInstanceIdentifier'

name = 'Endpoint.Address'

service = 'rds'

type = 'db'

type = 'rds'

class c7n.resources.rds.RDSModifyVpcSecurityGroups(data=None, manager=None, log_dir=None)

Bases: c7n.actions.network.ModifyVpcSecurityGroupsAction

permissions = ('rds:ModifyDBInstance', 'rds:ModifyDBCluster')

process(rds_instances)

type = 'modify-security-groups'

class c7n.resources.rds.RDSOffHour(data, manager=None)

Bases: c7n.filters.offhours.OffHour

Scheduled action on rds instance.

type = 'offhour'

class c7n.resources.rds.RDSOnHour(data, manager=None)

Bases: c7n.filters.offhours.OnHour

Scheduled action on rds instance.

type = 'onhour'

class c7n.resources.rds.RDSSetPublicAvailability(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

This action allows for toggling an RDS instance ‘PubliclyAccessible’ flag to true or false

Example

policies:
  - name: disable-rds-public-accessibility
    resource: rds
    filters:
      - PubliclyAccessible: true
    actions:
      - type: set-public-access
        state: false

permissions = ('rds:ModifyDBInstance',)

process(rds)

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['set-public-access']}}, 'required': ['type'], 'type': 'object'}

set_accessibility(r)

type = 'set-public-access'

class c7n.resources.rds.RDSSnapshot(data, options)

Bases: c7n.query.QueryResourceManager

Resource manager for RDS DB snapshots.

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

get_source(source_type)

class resource_type

Bases: object

config_type = 'AWS::RDS::DBSnapshot'

date = 'SnapshotCreateTime'

dimension = None

enum_spec = ('describe_db_snapshots', 'DBSnapshots', None)

filter_name = None

filter_type = None

id = 'DBSnapshotIdentifier'

name = 'DBSnapshotIdentifier'

resource_type = 'rds:snapshot'

service = 'rds'

type = 'rds-snapshot'

static retry(func, *args, **kw)

type = 'rds-snapshot'

class c7n.resources.rds.RDSSnapshotAge(data, manager=None)

Bases: c7n.filters.core.AgeFilter

Filters RDS snapshots based on age (in days)

Example

policies:
  - name: rds-snapshot-expired
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

date_attribute = 'SnapshotCreateTime'

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['age']}}, 'required': ['type'], 'type': 'object'}

type = 'age'

class c7n.resources.rds.RDSSnapshotDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Deletes a RDS snapshot resource

Example

policies:
  - name: rds-snapshot-delete-stale
    resource: rds-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

permissions = ('rds:DeleteDBSnapshot',)

process(snapshots)

process_snapshot_set(snapshots_set)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.rds.RDSSnapshotOnHour(data, manager=None)

Bases: c7n.filters.offhours.OnHour

Scheduled action on rds snapshot.

type = 'onhour'

class c7n.resources.rds.RDSSubnetGroup(data, options)

Bases: c7n.query.QueryResourceManager

RDS subnet group.

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

dimension = None

enum_spec = ('describe_db_subnet_groups', 'DBSubnetGroups', None)

filter_name = 'DBSubnetGroupName'

filter_type = 'scalar'

id = 'DBSubnetGroupName'

name = 'DBSubnetGroupName'

service = 'rds'

type = 'rds-subnet-group'

type = 'rds-subnet-group'

class c7n.resources.rds.RDSSubnetGroupDeleteAction(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete RDS Subnet Group

It is recommended to apply a filter to the delete policy to avoid unwanted deletion of any rds subnet groups.

Example

policies:
  - name: rds-subnet-group-delete-unused
    resource: rds-subnet-group
    filters:
      - Instances: []
    actions:
      - delete

permissions = ('rds:DeleteDBSubnetGroup',)

process(subnet_group)

process_subnetgroup(subnet_group)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.rds.RDSSubscription(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::DB::EventSubscription'

date = 'SubscriptionCreateTime'

dimension = None

enum_spec = ('describe_event_subscriptions', 'EventSubscriptionsList', None)

filter_name = None

filter_type = None

id = 'EventSubscriptionArn'

name = 'EventSubscriptionArn'

service = 'rds'

type = 'rds-subscription'

type = 'rds-subscription'

class c7n.resources.rds.RegionCopySnapshot(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Copy a snapshot across regions.

Note there is a max in flight for cross region rds snapshots of 5 per region. This action will attempt to retry automatically for an hr.

Example:

- name: copy-encrypted-snapshots
  description: |
    copy snapshots under 1 day old to dr region with kms
  resource: rdb-snapshot
  region: us-east-1
  filters:
   - Status: available
   - type: value
     key: SnapshotCreateTime
     value_type: age
     value: 1
     op: less-than
  actions:
    - type: region-copy
      target_region: us-east-2
      target_key: arn:aws:kms:us-east-2:0000:key/cb291f53-c9cf61
      copy_tags: true
      tags:
        - OriginRegion: us-east-1

max_attempts = 30

min_delay = 120

permissions = ('rds:CopyDBSnapshot',)

process(resources)

process_resource(target, key, tags, snapshot)

process_resource_set(resource_set)

schema = {'additionalProperties': False, 'properties': {'copy_tags': {'type': 'boolean'}, 'tags': {'type': 'object'}, 'target_key': {'type': 'string'}, 'target_region': {'type': 'string'}, 'type': {'enum': ['region-copy']}}, 'required': ('target_region',), 'type': 'object'}

type = 'region-copy'

validate()

class c7n.resources.rds.ReservedRDS(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = 'StartTime'

dimension = None

enum_spec = ('describe_reserved_db_instances', 'ReservedDBInstances', None)

filter_name = 'ReservedDBInstances'

filter_type = 'list'

id = 'ReservedDBInstanceId'

name = 'ReservedDBInstanceId'

service = 'rds'

type = 'reserved-db'

type = 'rds-reserved'

class c7n.resources.rds.ResizeInstance(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Change the allocated storage of an rds instance.

Example

This will find databases using over 85% of their allocated storage, and resize them to have an additional 30% storage the resize here is async during the next maintenance.

policies:
  - name: rds-snapshot-retention
    resource: rds
    filters:
      - type: metrics
        name: FreeStorageSpace
        percent-attr: AllocatedStorage
        attr-multiplier: 1073741824
        value: 90
        op: greater-than
    actions:
      - type: resize
        percent: 30

This will find databases using under 20% of their allocated storage, and resize them to be 30% smaller, the resize here is configured to be immediate.

policies:
  - name: rds-snapshot-retention
    resource: rds
    filters:
      - type: metrics
        name: FreeStorageSpace
        percent-attr: AllocatedStorage
        attr-multiplier: 1073741824
        value: 90
        op: greater-than
    actions:
      - type: resize
        percent: -30
        immediate: true

permissions = ('rds:ModifyDBInstance',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'immediate': {'type': 'boolean'}, 'percent': {'type': 'number'}, 'type': {'enum': ['resize']}}, 'required': ['type'], 'type': 'object'}

type = 'resize'

class c7n.resources.rds.RestoreInstance(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Restore an rds instance from a snapshot.

Note this requires the snapshot or db deletion be taken with the copy-restore-info boolean flag set to true, as various instance metadata is stored on the snapshot as tags.

additional parameters to restore db instance api call be overriden via restore_options settings. various modify db instance parameters can be specified via modify_options settings.

get_restore_from_tags(snapshot)

permissions = ('rds:ModifyDBInstance', 'rds:ModifyDBParameterGroup', 'rds:ModifyOptionGroup', 'rds:RebootDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot')

poll_period = 60

process(resources)

process_instance(client, r)

restore_keys = {'DBSubnetGroupName', 'InstanceClass', 'MultiAZ', 'OptionGroupName', 'ParameterGroupName', 'StorageType', 'VPCSecurityGroups'}

schema = {'additionalProperties': False, 'properties': {'modify_options': {'type': 'object'}, 'restore_options': {'type': 'object'}, 'type': {'enum': ['restore']}}, 'required': ['type'], 'type': 'object'}

type = 'restore'

validate()

class c7n.resources.rds.RetentionWindow(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Sets the ‘BackupRetentionPeriod’ value for automated snapshots, enforce (min, max, exact) sets retention days occordingly. :example:

policies:
  - name: rds-snapshot-retention
    resource: rds
    filters:
      - type: value
        key: BackupRetentionPeriod
        value: 7
        op: lt
    actions:
      - type: retention
        days: 7
        copy-tags: true
        enforce: exact

date_attribute = 'BackupRetentionPeriod'

permissions = ('rds:ModifyDBInstance',)

process(dbs)

process_snapshot_retention(resource)

schema = {'additionalProperties': False, 'properties': {'copy-tags': {'type': 'boolean'}, 'days': {'type': 'number'}, 'enforce': {'enum': ['min', 'max', 'exact'], 'type': 'string'}, 'type': {'enum': ['retention']}}, 'required': ['type'], 'type': 'object'}

set_retention_window(resource, retention, copy_tags)

type = 'retention'

class c7n.resources.rds.SecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'VpcSecurityGroups[].VpcSecurityGroupId'

type = 'security-group'

class c7n.resources.rds.Snapshot(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Creates a manual snapshot of a RDS instance

Example

policies:
  - name: rds-snapshot
    resource: rds
    actions:
      - snapshot

permissions = ('rds:CreateDBSnapshot',)

process(dbs)

process_rds_snapshot(resource)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['snapshot']}}, 'required': ['type'], 'type': 'object'}

type = 'snapshot'

class c7n.resources.rds.Start(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Start an rds instance.

permissions = ('rds:StartDBInstance',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['start']}}, 'required': ['type'], 'type': 'object'}

type = 'start'

class c7n.resources.rds.Stop(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Stop an rds instance.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_StopInstance.html

permissions = ('rds:StopDBInstance',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['stop']}}, 'required': ['type'], 'type': 'object'}

type = 'stop'

class c7n.resources.rds.SubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'DBSubnetGroup.Subnets[].SubnetIdentifier'

type = 'subnet'

class c7n.resources.rds.TagTrim(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagTrim

permissions = ('rds:RemoveTagsFromResource',)

process_tag_removal(client, resource, candidates)

type = 'tag-trim'

class c7n.resources.rds.UnusedRDSSubnetGroup(data, manager=None)

Bases: c7n.filters.core.Filter

Filters all launch rds subnet groups that are not in use but exist

Example

policies:
  - name: rds-subnet-group-delete-unused
    resource: rds-subnet-group
    filters:
      - unused

get_permissions()

process(configs, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['unused']}}, 'required': ['type'], 'type': 'object'}

type = 'unused'

class c7n.resources.rds.UpgradeAvailable(data, manager=None)

Bases: c7n.filters.core.Filter

Scan DB instances for available engine upgrades

This will pull DB instances & check their specific engine for any engine version with higher release numbers than the current one

This will also annotate the rds instance with ‘target_engine’ which is the most recent version of the engine available

Example

policies:
  - name: rds-upgrade-available
    resource: rds
    filters:
      - type: upgrade-available
        major: False

permissions = ('rds:DescribeDBEngineVersions',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'major': {'type': 'boolean'}, 'type': {'enum': ['upgrade-available']}, 'value': {'type': 'boolean'}}, 'required': ['type'], 'type': 'object'}

type = 'upgrade-available'

class c7n.resources.rds.UpgradeMinor(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Upgrades a RDS instance to the latest major/minor version available

Use of the ‘immediate’ flag (default False) will automatically upgrade the RDS engine disregarding the existing maintenance window.

Example

policies:
  - name: upgrade-rds-minor
    resource: rds
    actions:
      - type: upgrade
        major: False
        immediate: False

permissions = ('rds:ModifyDBInstance',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'immediate': {'type': 'boolean'}, 'major': {'type': 'boolean'}, 'type': {'enum': ['upgrade']}}, 'required': ['type'], 'type': 'object'}

type = 'upgrade'

class c7n.resources.rds.VpcFilter(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

RelatedIdsExpression = 'DBSubnetGroup.Subnets[].VpcId'

type = 'vpc'

c7n.resources.rdscluster module

class c7n.resources.rdscluster.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete a RDS cluster

To prevent unwanted deletion of clusters, it is recommended to apply a filter to the rule

Example

policies:
  - name: rds-cluster-delete-unused
    resource: rds-cluster
    filters:
      - type: metrics
        name: CPUUtilization
        days: 21
        value: 1.0
        op: le
    actions:
      - type: delete
        skip-snapshot: false
        delete-instances: true

permissions = ('rds:DeleteDBCluster',)

process(clusters)

schema = {'additionalProperties': False, 'properties': {'delete-instances': {'type': 'boolean'}, 'skip-snapshot': {'type': 'boolean'}, 'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.rdscluster.ModifyDbCluster(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Modifies an RDS instance based on specified parameter using ModifyDbInstance.

‘Immediate” determines whether the modification is applied immediately or not. If ‘immediate’ is not specified, default is false.

Example

policies:
  - name: disable-db-cluster-deletion-protection
    resource: rds-cluster
    filters:
      - DeletionProtection: true
      - PubliclyAccessible: true
    actions:
      - type: modify-db-cluster
        attributes:
            CopyTagsToSnapshot: true
            DeletionProtection: false

permissions = ('rds:ModifyDBCluster',)

process(clusters)

schema = {'additionalProperties': False, 'properties': {'attributes': {'type': 'object'}, 'type': {'enum': ['modify-db-cluster']}}, 'required': ('attributes',), 'type': 'object'}

shape = 'ModifyDBClusterMessage'

type = 'modify-db-cluster'

validate()

class c7n.resources.rdscluster.RDSCluster(data, options)

Bases: c7n.query.QueryResourceManager

Resource manager for RDS clusters.

action_registry = <c7n.actions.core.ActionRegistry object>

augment(dbs)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

class resource_type

Bases: object

date = None

dimension = 'DBClusterIdentifier'

enum_spec = ('describe_db_clusters', 'DBClusters', None)

filter_name = None

filter_type = None

id = 'DBClusterIdentifier'

name = 'DBClusterIdentifier'

service = 'rds'

type = 'cluster'

static retry(func, *args, **kw)

type = 'rds-cluster'

class c7n.resources.rdscluster.RDSClusterSnapshot(data, options)

Bases: c7n.query.QueryResourceManager

Resource manager for RDS cluster snapshots.

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = 'SnapshotCreateTime'

dimension = None

enum_spec = ('describe_db_cluster_snapshots', 'DBClusterSnapshots', None)

filter_name = None

filter_type = None

id = 'DBClusterSnapshotIdentifier'

name = 'DBClusterSnapshotIdentifier'

service = 'rds'

type = 'rds-cluster-snapshot'

type = 'rds-cluster-snapshot'

class c7n.resources.rdscluster.RDSClusterSnapshotDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete rds cluster snapshots

To prevent unwanted deletion of rds cluster snapshots, it is recommended to apply a filter to the rule

Example

policies:
  - name: rds-cluster-snapshots-expired-delete
    resource: rds-cluster-snapshot
    filters:
      - type: age
        days: 30
        op: gt
    actions:
      - delete

permissions = ('rds:DeleteDBClusterSnapshot',)

process(snapshots)

process_snapshot_set(client, snapshots_set)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.rdscluster.RDSSnapshotAge(data, manager=None)

Bases: c7n.filters.core.AgeFilter

Filters rds cluster snapshots based on age (in days)

Example

policies:
  - name: rds-cluster-snapshots-expired
    resource: rds-cluster-snapshot
    filters:
      - type: age
        days: 30
        op: gt

date_attribute = 'SnapshotCreateTime'

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['age']}}, 'required': ['type'], 'type': 'object'}

type = 'age'

class c7n.resources.rdscluster.RemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Removes a tag or set of tags from RDS clusters

Example

policies:
  - name: rds-unmark-cluster
    resource: rds-cluster
    filters:
      - "tag:ExpiredTag": present
    actions:
      - type: unmark
        tags: ["ExpiredTag"]

batch_size = 5

concurrency = 2

permissions = ('rds:RemoveTagsFromResource',)

process_resource_set(client, dbs, tag_keys)

type = 'remove-tag'

class c7n.resources.rdscluster.RetentionWindow(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to set the retention period on rds cluster snapshots, enforce (min, max, exact) sets retention days occordingly.

Example

policies:
  - name: rds-cluster-backup-retention
    resource: rds-cluster
    filters:
      - type: value
        key: BackupRetentionPeriod
        value: 21
        op: ne
    actions:
      - type: retention
        days: 21
        enforce: min

date_attribute = 'BackupRetentionPeriod'

permissions = ('rds:ModifyDBCluster',)

process(clusters)

process_snapshot_retention(client, cluster)

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'enforce': {'enum': ['min', 'max', 'exact'], 'type': 'string'}, 'type': {'enum': ['retention']}}, 'required': ['type'], 'type': 'object'}

set_retention_window(client, cluster, retention)

type = 'retention'

class c7n.resources.rdscluster.SecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'VpcSecurityGroups[].VpcSecurityGroupId'

type = 'security-group'

class c7n.resources.rdscluster.Snapshot(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to create a snapshot of a rds cluster

Example

policies:
  - name: rds-cluster-snapshot
    resource: rds-cluster
    actions:
      - snapshot

permissions = ('rds:CreateDBClusterSnapshot',)

process(clusters)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['snapshot']}}, 'required': ['type'], 'type': 'object'}

type = 'snapshot'

class c7n.resources.rdscluster.Start(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Start a stopped db cluster

permissions = ('rds:StartDBCluster',)

process(clusters)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['start']}}, 'required': ['type'], 'type': 'object'}

type = 'start'

class c7n.resources.rdscluster.Stop(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Stop a running db cluster

permissions = ('rds:StopDBCluster',)

process(clusters)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['stop']}}, 'required': ['type'], 'type': 'object'}

type = 'stop'

class c7n.resources.rdscluster.SubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = ''

get_permissions()

get_related_ids(resources)

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'subnet'

class c7n.resources.rdscluster.Tag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Mark/tag a RDS cluster with a key/value

Example

policies:
  - name: rds-cluster-owner-tag
    resource: rds-cluster
    filters:
      - "tag:OwnerName": absent
    actions:
      - type: tag
        key: OwnerName
        value: OwnerName

batch_size = 5

concurrency = 2

permissions = ('rds:AddTagsToResource',)

process_resource_set(client, dbs, ts)

type = 'tag'

class c7n.resources.rdscluster.TagDelayedAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Mark a RDS cluster for specific custodian action

Example

policies:
  - name: mark-for-delete
    resource: rds-cluster
    filters:
      - type: value
        key: default-vpc
        value: True
    actions:
      - type: mark-for-op
        op: delete
        days: 7

type = 'mark-for-op'

c7n.resources.rdsparamgroup module

class c7n.resources.rdsparamgroup.Copy(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

process(param_groups)

schema = {'additionalProperties': False, 'properties': {'description': {'type': 'string'}, 'name': {'type': 'string'}, 'type': {'enum': ['copy']}}, 'required': ['name', 'type'], 'type': 'object'}

class c7n.resources.rdsparamgroup.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

process(param_groups)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

class c7n.resources.rdsparamgroup.Modify(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

process(param_groups)

schema = {'additionalProperties': False, 'properties': {'params': {'items': {'apply-method': {'enum': ['immediate', 'pending-reboot'], 'type': 'string'}, 'name': {'type': 'string'}, 'required': ['name', 'value'], 'type': 'object', 'value': {'type': 'string'}}, 'type': 'array'}, 'type': {'enum': ['modify']}}, 'required': ['params', 'type'], 'type': 'object'}

class c7n.resources.rdsparamgroup.PGClusterCopy(data=None, manager=None, log_dir=None)

Bases: c7n.resources.rdsparamgroup.PGClusterMixin, c7n.resources.rdsparamgroup.Copy

Action to copy an RDS cluster parameter group.

Example

policies:
  - name: rds-cluster-param-group-copy
    resource: rds-cluster-param-group
    filters:
      - DBClusterParameterGroupName: original_cluster_pg_name
    actions:
      - type: copy
        name: copy_name

do_copy(client, name, copy_name, desc)

permissions = ('rds:CopyDBClusterParameterGroup',)

type = 'copy'

class c7n.resources.rdsparamgroup.PGClusterDelete(data=None, manager=None, log_dir=None)

Bases: c7n.resources.rdsparamgroup.PGClusterMixin, c7n.resources.rdsparamgroup.Delete

Action to delete an RDS cluster parameter group

Example

policies:
  - name: rds-cluster-param-group-delete
    resource: rds-cluster-param-group
    filters:
      - DBClusterParameterGroupName: cluster_pg_name
    actions:
      - type: delete

do_delete(client, name)

permissions = ('rds:DeleteDBClusterParameterGroup',)

type = 'delete'

class c7n.resources.rdsparamgroup.PGClusterMixin

Bases: object

get_pg_name(pg)

class c7n.resources.rdsparamgroup.PGClusterModify(data=None, manager=None, log_dir=None)

Bases: c7n.resources.rdsparamgroup.PGClusterMixin, c7n.resources.rdsparamgroup.Modify

Action to modify an RDS cluster parameter group

Example

policies:
  - name: rds-cluster-param-group-modify
    resource: rds-cluster-param-group
    filters:
      - DBClusterParameterGroupName: cluster_pg_name
    actions:
      - type: modify
        params:
        - name: lower_case_table_names
          value: "1"
        - name: master_verify_checksum
          value: "1"

do_modify(client, name, params)

get_current_params(client, name)

permissions = ('rds:DescribeDBClusterParameters', 'rds:ModifyDBClusterParameterGroup')

type = 'modify'

class c7n.resources.rdsparamgroup.PGCopy(data=None, manager=None, log_dir=None)

Bases: c7n.resources.rdsparamgroup.PGMixin, c7n.resources.rdsparamgroup.Copy

Action to copy an RDS parameter group.

Example

policies:
  - name: rds-param-group-copy
    resource: rds-param-group
    filters:
      - DBParameterGroupName: original_pg_name
    actions:
      - type: copy
        name: copy_name

do_copy(client, name, copy_name, desc)

permissions = ('rds:CopyDBParameterGroup',)

type = 'copy'

class c7n.resources.rdsparamgroup.PGDelete(data=None, manager=None, log_dir=None)

Bases: c7n.resources.rdsparamgroup.PGMixin, c7n.resources.rdsparamgroup.Delete

Action to delete an RDS parameter group

Example

policies:
  - name: rds-param-group-delete
    resource: rds-param-group
    filters:
      - DBParameterGroupName: pg_name
    actions:
      - type: delete

do_delete(client, name)

permissions = ('rds:DeleteDBParameterGroup',)

type = 'delete'

class c7n.resources.rdsparamgroup.PGMixin

Bases: object

get_pg_name(pg)

class c7n.resources.rdsparamgroup.PGModify(data=None, manager=None, log_dir=None)

Bases: c7n.resources.rdsparamgroup.PGMixin, c7n.resources.rdsparamgroup.Modify

Action to modify an RDS parameter group

Example

policies:
  - name: rds-param-group-modify
    resource: rds-param-group
    filters:
      - DBParameterGroupName: pg_name
    actions:
      - type: modify
        params:
        - name: autocommit
          value: "1"
        - name: max_connections
          value: "100"

do_modify(client, name, params)

get_current_params(client, name)

permissions = ('rds:DescribeDBParameters', 'rds:ModifyDBParameterGroup')

type = 'modify'

class c7n.resources.rdsparamgroup.RDSClusterParamGroup(data, options)

Bases: c7n.query.QueryResourceManager

Resource manager for RDS cluster parameter groups.

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

dimension = 'DBClusterParameterGroupName'

enum_spec = ('describe_db_cluster_parameter_groups', 'DBClusterParameterGroups', None)

filter_name = None

filter_type = None

id = 'DBClusterParameterGroupName'

name = 'DBClusterParameterGroupName'

service = 'rds'

type = 'cluster-pg'

type = 'rds-cluster-param-group'

class c7n.resources.rdsparamgroup.RDSParamGroup(data, options)

Bases: c7n.query.QueryResourceManager

Resource manager for RDS parameter groups.

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

dimension = 'DBParameterGroupName'

enum_spec = ('describe_db_parameter_groups', 'DBParameterGroups', None)

filter_name = None

filter_type = None

id = 'DBParameterGroupName'

name = 'DBParameterGroupName'

service = 'rds'

type = 'pg'

type = 'rds-param-group'

c7n.resources.redshift module

class c7n.resources.redshift.DefaultVpc(data, manager=None)

Bases: c7n.filters.vpc.DefaultVpcBase

Matches if an redshift database is in the default vpc

Example

policies:
  - name: redshift-default-vpc
    resource: redshift
    filters:
      - default-vpc

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['default-vpc']}}, 'required': ['type'], 'type': 'object'}

type = 'default-vpc'

class c7n.resources.redshift.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete a redshift cluster

To prevent unwanted deletion of redshift clusters, it is recommended to apply a filter to the rule

Example

policies:
  - name: redshift-no-ssl
    resource: redshift
    filters:
      - type: param
        key: require_ssl
        value: false
        op: eq
    actions:
      - type: delete

permissions = ('redshift:DeleteCluster',)

process(clusters)

process_db_set(db_set)

schema = {'additionalProperties': False, 'properties': {'skip-snapshot': {'type': 'boolean'}, 'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.redshift.EnhancedVpcRoutine(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to enable enhanced vpc routing on a redshift cluster

More: https://docs.aws.amazon.com/redshift/latest/mgmt/enhanced-vpc-routing.html

Example

policies:
  - name: redshift-enable-enhanced-routing
    resource: redshift
    filters:
      - type: value
        key: EnhancedVpcRouting
        value: false
        op: eq
    actions:
      - type: enable-vpc-routing
        value: true

permissions = ('redshift:ModifyCluster',)

process(clusters)

process_vpc_routing(cluster)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['enable-vpc-routing']}, 'value': {'type': 'boolean'}}, 'required': ['type'], 'type': 'object'}

type = 'enable-vpc-routing'

class c7n.resources.redshift.KmsFilter(data, manager=None)

Bases: c7n.filters.kms.KmsRelatedFilter

Filter a resource by its associcated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

Example

policies:
    - name: redshift-kms-key-filters
      resource: redshift
      filters:
        - type: kms-key
          key: c7n:AliasName
          value: "^(alias/aws/)"
          op: regex

RelatedIdsExpression = 'KmsKeyId'

type = 'kms-key'

class c7n.resources.redshift.Parameter(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter redshift clusters based on parameter values

Example

policies:
  - name: redshift-no-ssl
    resource: redshift
    filters:
      - type: param
        key: require_ssl
        value: false
        op: eq

group_params = ()

permissions = ('redshift:DescribeClusterParameters',)

process(clusters, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['param']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'param'

class c7n.resources.redshift.Redshift(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

permissions = ('iam:ListRoles',)

class resource_type

Bases: object

config_type = 'AWS::Redshift::Cluster'

date = 'ClusterCreateTime'

detail_spec = None

dimension = 'ClusterIdentifier'

enum_spec = ('describe_clusters', 'Clusters', None)

filter_name = 'ClusterIdentifier'

filter_type = 'scalar'

id = 'ClusterIdentifier'

name = 'ClusterIdentifier'

service = 'redshift'

type = 'cluster'

static retry(func, *args, **kw)

type = 'redshift'

class c7n.resources.redshift.RedshiftModifyVpcSecurityGroups(data=None, manager=None, log_dir=None)

Bases: c7n.actions.network.ModifyVpcSecurityGroupsAction

Modify security groups on a Redshift cluster

permissions = ('redshift:ModifyCluster',)

process(clusters)

type = 'modify-security-groups'

class c7n.resources.redshift.RedshiftSetPublicAccess(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to set the ‘PubliclyAccessible’ setting on a redshift cluster

Example

policies:
    - name: redshift-set-public-access
      resource: redshift
      filters:
        - PubliclyAccessible: true
      actions:
        - type: set-public-access
          state: false

permissions = ('redshift:ModifyCluster',)

process(clusters)

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['set-public-access']}}, 'required': ['type'], 'type': 'object'}

set_access(c)

type = 'set-public-access'

class c7n.resources.redshift.RedshiftSnapshot(data, options)

Bases: c7n.query.QueryResourceManager

Resource manager for Redshift snapshots.

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

class resource_type

Bases: object

config_type = 'AWS::Redshift::ClusterSnapshot'

date = 'SnapshotCreateTime'

dimension = None

enum_spec = ('describe_cluster_snapshots', 'Snapshots', None)

filter_name = None

filter_type = None

id = 'SnapshotIdentifier'

name = 'SnapshotIdentifier'

service = 'redshift'

type = 'redshift-snapshot'

type = 'redshift-snapshot'

class c7n.resources.redshift.RedshiftSnapshotAge(data, manager=None)

Bases: c7n.filters.core.AgeFilter

Filters redshift snapshots based on age (in days)

Example

policies:
  - name: redshift-old-snapshots
    resource: redshift-snapshot
    filters:
      - type: age
        days: 21
        op: gt

date_attribute = 'SnapshotCreateTime'

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['age']}}, 'required': ['type'], 'type': 'object'}

type = 'age'

class c7n.resources.redshift.RedshiftSnapshotCrossAccount(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

Filter all accounts that allow access to non-whitelisted accounts

permissions = ('redshift:DescribeClusterSnapshots',)

process(snapshots, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['cross-account']}, 'whitelist': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_from': {'additionalProperties': 'False', 'properties': {'expr': {'oneOf': [{'type': 'integer'}, {'type': 'string'}]}, 'format': {'enum': ['csv', 'json', 'txt', 'csv2dict']}, 'url': {'type': 'string'}}, 'required': ['url'], 'type': 'object'}}, 'required': ['type'], 'type': 'object'}

type = 'cross-account'

class c7n.resources.redshift.RedshiftSnapshotDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Filters redshift snapshots based on age (in days)

Example

policies:
  - name: redshift-delete-old-snapshots
    resource: redshift-snapshot
    filters:
      - type: age
        days: 21
        op: gt
    actions:
      - delete

permissions = ('redshift:DeleteClusterSnapshot',)

process(snapshots)

process_snapshot_set(snapshots_set)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.redshift.RedshiftSnapshotRemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tag/tags from a redshift snapshot

Example

policies:
  - name: redshift-remove-tags
    resource: redshift-snapshot
    filters:
      - "tag:UnusedTag1": present
    actions:
      - type: remove-tag
        tags: ["UnusedTag1"]

batch_size = 5

concurrency = 2

permissions = ('redshift:DeleteTags',)

process_resource_set(client, resources, tag_keys)

type = 'unmark'

class c7n.resources.redshift.RedshiftSnapshotRevokeAccess(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Revokes ability of accounts to restore a snapshot

Example

permissions = ('redshift:RevokeSnapshotAccess',)

process(snapshots)

process_snapshot_set(client, snapshot_set)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['revoke-access']}}, 'required': ['type'], 'type': 'object'}

type = 'revoke-access'

validate()

class c7n.resources.redshift.RedshiftSnapshotTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to add tag/tags to a redshift snapshot

Example

policies:
  - name: redshift-required-tags
    resource: redshift-snapshot
    filters:
      - "tag:RequiredTag1": absent
    actions:
      - type: tag
        key: RequiredTag1
        value: RequiredValue1

batch_size = 5

concurrency = 2

permissions = ('redshift:CreateTags',)

process_resource_set(client, resources, tags)

type = 'tag'

class c7n.resources.redshift.RedshiftSnapshotTagDelayedAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Action to create a delayed actions to be performed on a redshift snapshot

Example

policies:
  - name: redshift-snapshot-expiring
    resource: redshift-snapshot
    filters:
      - "tag:custodian_cleanup": absent
      - type: age
        days: 14
        op: eq
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        msg: "Snapshot expiring: {op}@{action_date}"
        op: delete
        days: 7

type = 'mark-for-op'

class c7n.resources.redshift.RedshiftSubnetGroup(data, options)

Bases: c7n.query.QueryResourceManager

Redshift subnet group.

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::Redshift::ClusterSubnetGroup'

date = None

dimension = None

enum_spec = ('describe_cluster_subnet_groups', 'ClusterSubnetGroups', None)

filter_name = 'ClusterSubnetGroupName'

filter_type = 'scalar'

id = 'ClusterSubnetGroupName'

name = 'ClusterSubnetGroupName'

service = 'redshift'

type = 'redshift-subnet-group'

type = 'redshift-subnet-group'

class c7n.resources.redshift.RemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tag/tags from a redshift cluster

Example

policies:
  - name: redshift-remove-tag
    resource: redshift
    filters:
      - "tag:RedshiftTag": present
    actions:
      - type: remove-tag
        tags: ["RedshiftTags"]

batch_size = 5

concurrency = 2

permissions = ('redshift:DeleteTags',)

process_resource_set(client, resources, tag_keys)

type = 'unmark'

class c7n.resources.redshift.RetentionWindow(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to set the snapshot retention period (in days)

Example

policies:
  - name: redshift-snapshot-retention
    resource: redshift
    filters:
      - type: value
        key: AutomatedSnapshotRetentionPeriod
        value: 21
        op: ne
    actions:
      - type: retention
        days: 21

date_attribute = 'AutomatedSnapshotRetentionPeriod'

permissions = ('redshift:ModifyCluster',)

process(clusters)

process_snapshot_retention(cluster)

schema = {'additionalProperties': False, 'properties': {'days': {'type': 'number'}, 'type': {'enum': ['retention']}}, 'required': ['type'], 'type': 'object'}

set_retention_window(cluster, retention)

type = 'retention'

class c7n.resources.redshift.SecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'VpcSecurityGroups[].VpcSecurityGroupId'

type = 'security-group'

class c7n.resources.redshift.Snapshot(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to take a snapshot of a redshift cluster

Example

policies:
  - name: redshift-snapshot
    resource: redshift
    filters:
      - type: value
        key: ClusterStatus
        value: available
        op: eq
    actions:
      - snapshot

permissions = ('redshift:CreateClusterSnapshot',)

process(clusters)

process_cluster_snapshot(client, cluster)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['snapshot']}}, 'required': ['type'], 'type': 'object'}

type = 'snapshot'

class c7n.resources.redshift.SubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = ''

get_permissions()

get_related_ids(resources)

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'subnet'

class c7n.resources.redshift.Tag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to add tag/tags to a redshift cluster

Example

policies:
  - name: redshift-tag
    resource: redshift
    filters:
      - "tag:RedshiftTag": absent
    actions:
      - type: tag
        key: RedshiftTag
        value: "Redshift Tag Value"

batch_size = 5

concurrency = 2

permissions = ('redshift:CreateTags',)

process_resource_set(client, resources, tags)

type = 'tag'

class c7n.resources.redshift.TagDelayedAction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Action to create an action to be performed at a later time

Example

policies:
  - name: redshift-terminate-unencrypted
    resource: redshift
    filters:
      - "tag:custodian_cleanup": absent
      - type: value
        key: Encrypted
        value: false
        op: eq
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        op: delete
        days: 5
        msg: "Unencrypted Redshift cluster: {op}@{action_date}"

type = 'mark-for-op'

class c7n.resources.redshift.TagTrim(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagTrim

Action to remove tags from a redshift cluster

This can be used to prevent reaching the ceiling limit of tags on a resource

Example

policies:
  - name: redshift-tag-trim
    resource: redshift
    filters:
      - type: value
        key: "length(Tags)"
        op: ge
        value: 10
    actions:
      - type: tag-trim
        space: 1
        preserve:
          - RequiredTag1
          - RequiredTag2

max_tag_count = 10

permissions = ('redshift:DeleteTags',)

process_tag_removal(client, resource, candidates)

type = 'tag-trim'

c7n.resources.route53 module

class c7n.resources.route53.HealthCheck(data, options)

Bases: c7n.resources.route53.Route53Base, c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

dimension = None

enum_spec = ('list_health_checks', 'HealthChecks', None)

filter_name = None

id = 'Id'

name = 'Id'

service = 'route53'

type = 'healthcheck'

universal_taggable = True

type = 'healthcheck'

class c7n.resources.route53.HostedZone(data, options)

Bases: c7n.resources.route53.Route53Base, c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_arns(resource_set)

class resource_type

Bases: object

date = None

dimension = None

enum_spec = ('list_hosted_zones', 'HostedZones', None)

filter_name = None

global_resource = True

id = 'Id'

name = 'Name'

service = 'route53'

type = 'hostedzone'

universal_taggable = True

type = 'hostedzone'

class c7n.resources.route53.IsQueryLoggingEnabled(data, manager=None)

Bases: c7n.filters.core.Filter

permissions = ('route53:GetQueryLoggingConfig', 'route53:GetHostedZone')

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['query-logging-enabled']}}, 'required': ['type'], 'type': 'object'}

type = 'query-logging-enabled'

class c7n.resources.route53.ResourceRecordSet(data, options)

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

dimension = None

enum_spec = ('list_resource_record_sets', 'ResourceRecordSets', None)

filter_name = None

id = 'Name'

name = 'Name'

parent_spec = ('hostedzone', 'HostedZoneId', None)

service = 'route53'

type = 'rrset'

type = 'rrset'

class c7n.resources.route53.Route53Base

Bases: object

augment(resources)

generate_arn

get_arn(r)

permissions = ('route53:ListTagsForResources',)

static retry(func, *args, **kw)

class c7n.resources.route53.Route53Domain(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(domains)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('route53domains:ListTagsForDomain',)

class resource_type

Bases: object

date = None

dimension = None

enum_spec = ('list_domains', 'Domains', None)

filter_name = None

id = 'DomainName'

name = 'DomainName'

service = 'route53domains'

type = 'r53domain'

type = 'r53domain'

class c7n.resources.route53.Route53DomainAddTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Adds tags to a route53 domain

Example

permissions = ('route53domains:UpdateTagsForDomain',)

process_resource_set(client, domains, tags)

type = 'tag'

class c7n.resources.route53.Route53DomainRemoveTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Remove tags from a route53 domain

Example

permissions = ('route53domains:DeleteTagsForDomain',)

process_resource_set(client, domains, keys)

type = 'remove-tag'

class c7n.resources.route53.SetQueryLogging(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Enables query logging on a hosted zone.

By default this enables a log group per route53 domain, alternatively a log group name can be specified for a unified log across domains.

Note this only applicable to public route53 domains, and log groups must be created in us-east-1 region.

This action can optionally setup the resource permissions needed for route53 to log to cloud watch logs via set-permissions: true, else the cloud watch logs resource policy would need to be set separately.

Its recommended to use a separate custodian policy on the log groups to set the log retention period for the zone logs. See custodian schema aws.log-group.actions.set-retention

Example

check_route53_permissions(client, group_names)

ensure_log_groups(group_names)

ensure_route53_permissions(client, group_names)

get_permissions()

get_zone_log_name(zone)

permissions = ('route53:GetQueryLoggingConfig', 'route53:CreateQueryLoggingConfig', 'route53:DeleteQueryLoggingConfig', 'logs:DescribeLogGroups', 'logs:CreateLogGroups', 'logs:GetResourcePolicy', 'logs:PutResourcePolicy')

process(resources)

schema = {'additionalProperties': False, 'properties': {'log-group': {'default': 'auto', 'type': 'string'}, 'log-group-prefix': {'default': '/aws/route53', 'type': 'string'}, 'set-permissions': {'type': 'boolean'}, 'state': {'type': 'boolean'}, 'type': {'enum': ['set-query-logging']}}, 'required': ['type'], 'type': 'object'}

statement = {'Action': ['logs:PutLogEvents', 'logs:CreateLogStream'], 'Effect': 'Allow', 'Principal': {'Service': ['route53.amazonaws.com']}, 'Resource': None, 'Sid': 'Route53LogsToCloudWatchLogs'}

type = 'set-query-logging'

validate()

c7n.resources.route53.get_logging_config_paginator(client)

c7n.resources.s3 module

S3 Resource Manager

Filters:

The generic Values filters (jmespath) expression and Or filter are available with all resources, including buckets, we include several additonal bucket data (Tags, Replication, Acl, Policy) as keys within a bucket representation.

Actions:

encrypt-keys

Scan all keys in a bucket and optionally encrypt them in place.

global-grants

Check bucket acls for global grants

encryption-policy

Attach an encryption required policy to a bucket, this will break applications that are not using encryption, including aws log delivery.

class c7n.resources.s3.AttachLambdaEncrypt(data=None, manager=None)

Bases: c7n.resources.s3.BucketActionBase

Action attaches lambda encryption policy to S3 bucket

supports attachment via lambda bucket notification or sns notification to invoke lambda. a special topic value of default will utilize an extant notification or create one matching the bucket name.

example

policies:
  - name: attach-lambda-encrypt
    resource: s3
    filters:
      - type: missing-policy-statement
    actions:
      - type: attach-encrypt
        role: arn:aws:iam::123456789012:role/my-role

permissions = ('s3:PutBucketNotification', 's3:GetBucketNotification', 'lambda:*')

process(buckets)

process_bucket(func, bucket, topic, account_id, session_factory)

schema = {'additionalProperties': False, 'properties': {'role': {'type': 'string'}, 'tags': {'type': 'object'}, 'topic': {'type': 'string'}, 'type': {'enum': ['attach-encrypt']}}, 'required': ['type'], 'type': 'object'}

type = 'attach-encrypt'

validate()

class c7n.resources.s3.BucketActionBase(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

get_permissions()

get_std_format_args(bucket)

process(buckets)

class c7n.resources.s3.BucketEncryption(data, manager=None)

Bases: c7n.resources.s3.KMSKeyResolverMixin, c7n.filters.core.Filter

Filters for S3 buckets that have bucket-encryption

:example

policies:
  - name: s3-bucket-encryption-AES256
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: True
        crypto: AES256
  - name: s3-bucket-encryption-KMS
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: True
        crypto: aws:kms
        key: alias/some/alias/key
  - name: s3-bucket-encryption-off
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: False

filter_bucket(b, sse)

permissions = ('s3:GetBucketEncryption', 's3:DescribeKey')

process(buckets, event=None)

Bulk process resources and return filtered set.

process_bucket(b)

schema = {'additionalProperties': False, 'properties': {'crypto': {'enum': ['AES256', 'aws:kms'], 'type': 'string'}, 'key': {'type': 'string'}, 'state': {'type': 'boolean'}, 'type': {'enum': ['bucket-encryption']}}, 'required': ['type'], 'type': 'object'}

type = 'bucket-encryption'

class c7n.resources.s3.BucketFilterBase(data, manager=None)

Bases: c7n.filters.core.Filter

get_std_format_args(bucket)

class c7n.resources.s3.BucketFinding(data=None, manager=None, log_dir=None)

Bases: c7n.actions.securityhub.PostFinding

format_resource(r)

type = 'post-finding'

class c7n.resources.s3.BucketNotificationFilter(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter based on bucket notification configuration.

Example

policies:
  - name: delete-incorrect-notification
    resource: s3
    filters:
      - type: bucket-notification
        kind: lambda
        key: Id
        value: "IncorrectLambda"
        op: eq
    actions:
      - type: delete-bucket-notification
        statement_ids: matched

FIELDS = {'lambda': 'LambdaFunctionConfigurations', 'sns': 'TopicConfigurations', 'sqs': 'QueueConfigurations'}

annotation_key = 'c7n:MatchedNotificationConfigurationIds'

permissions = ('s3:GetBucketNotification',)

process(buckets, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'kind': {'enum': ['lambda', 'sns', 'sqs'], 'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['bucket-notification']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['kind', 'type'], 'type': 'object'}

type = 'bucket-notification'

class c7n.resources.s3.BucketScanLog(log_dir, name)

Bases: object

Offload remediated key ids to a disk file in batches

A bucket keyspace is effectively infinite, we need to store partial results out of memory, this class provides for a json log on disk with partial write support.

json output format:

• [list_of_serialized_keys],

• [] # Empty list of keys at end when we close the buffer

add(keys)

path

class c7n.resources.s3.BucketTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tags on a S3 bucket

Example

policies:
  - name: s3-tag-region
    resource: s3
    region: us-east-1
    filters:
      - "tag:RegionName": absent
    actions:
      - type: tag
        key: RegionName
        value: us-east-1

process_resource_set(client, resource_set, tags)

type = 'tag'

class c7n.resources.s3.ConfigS3(manager)

Bases: c7n.query.ConfigSource

GRANTEE_MAP = {'AllUsers': 'http://acs.amazonaws.com/groups/global/AllUsers', 'AuthenticatedUsers': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers', 'LogDelivery': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}

NotifyTypeMap = {'CloudFunctionConfiguration': 'LambdaFunctionConfigurations', 'LambdaConfiguration': 'LambdaFunctionConfigurations', 'QueueConfiguration': 'QueueConfigurations', 'TopicConfiguration': 'TopicConfigurations'}

PERMISSION_MAP = {'FullControl': 'FULL_CONTROL', 'Read': 'READ', 'ReadAcp': 'READ_ACP', 'Write': 'WRITE', 'WriteAcp': 'WRITE_ACP'}

convertLifePredicate(p)

handle_AccessControlList(resource, item_value)

handle_BucketAccelerateConfiguration(resource, item_value)

handle_BucketLifecycleConfiguration(resource, item_value)

handle_BucketLoggingConfiguration(resource, item_value)

handle_BucketNotificationConfiguration(resource, item_value)

handle_BucketPolicy(resource, item_value)

handle_BucketReplicationConfiguration(resource, item_value)

handle_BucketTaggingConfiguration(resource, item_value)

handle_BucketVersioningConfiguration(resource, item_value)

handle_BucketWebsiteConfiguration(resource, item_value)

load_resource(item)

class c7n.resources.s3.DataEvents(data, manager=None)

Bases: c7n.filters.core.Filter

get_event_buckets(session, trails)

Return a mapping of bucket name to cloudtrail.

For wildcard trails the bucket name is ‘’.

permissions = ('cloudtrail:DescribeTrails', 'cloudtrail:GetEventSelectors')

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'state': {'enum': ['present', 'absent']}, 'type': {'enum': ['data-events']}}, 'required': ['type'], 'type': 'object'}

type = 'data-events'

class c7n.resources.s3.DeleteBucket(data, manager=None)

Bases: c7n.resources.s3.ScanBucket

Action deletes a S3 bucket

Example

policies:
  - name: delete-unencrypted-buckets
    resource: s3
    filters:
      - type: missing-statement
        statement_ids:
          - RequiredEncryptedPutObject
    actions:
      - type: delete
        remove-contents: true

bucket_ops = {'standard': {'contents_key': ['Contents'], 'iterator': 'list_objects', 'key_processor': 'process_key'}, 'versioned': {'contents_key': ['Versions', 'DeleteMarkers'], 'iterator': 'list_object_versions', 'key_processor': 'process_version'}}

delete_bucket(b)

empty_buckets(buckets)

permissions = ('s3:*',)

process(buckets)

process_chunk(batch, bucket)

process_delete_enablement(b)

Prep a bucket for deletion.

Clear out any pending multi-part uploads.

Disable versioning on the bucket, so deletes don’t generate fresh deletion markers.

schema = {'additionalProperties': False, 'properties': {'remove-contents': {'type': 'boolean'}, 'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.s3.DeleteBucketNotification(data=None, manager=None, log_dir=None)

Bases: c7n.resources.s3.BucketActionBase

Action to delete S3 bucket notification configurations

permissions = ('s3:PutBucketNotification',)

process_bucket(bucket)

schema = {'additionalProperties': False, 'properties': {'statement_ids': {'oneOf': [{'enum': ['matched']}, {'type': 'array', 'items': {'type': 'string'}}]}, 'type': {'enum': ['delete-bucket-notification']}}, 'required': ['statement_ids', 'type'], 'type': 'object'}

type = 'delete-bucket-notification'

class c7n.resources.s3.DeleteGlobalGrants(data=None, manager=None, log_dir=None)

Bases: c7n.resources.s3.BucketActionBase

Deletes global grants associated to a S3 bucket

Example

policies:
  - name: s3-delete-global-grants
    resource: s3
    filters:
      - type: global-grants
    actions:
      - delete-global-grants

permissions = ('s3:PutBucketAcl',)

process(buckets)

process_bucket(b)

schema = {'additionalProperties': False, 'properties': {'grantees': {'items': {'type': 'string'}, 'type': 'array'}, 'type': {'enum': ['delete-global-grants']}}, 'required': ['type'], 'type': 'object'}

type = 'delete-global-grants'

class c7n.resources.s3.DescribeS3(manager)

Bases: c7n.query.DescribeSource

augment(buckets)

get_resources(bucket_names)

class c7n.resources.s3.EncryptExtantKeys(data, manager=None)

Bases: c7n.resources.s3.ScanBucket

Action to encrypt unencrypted S3 objects

Example

policies:
  - name: s3-encrypt-objects
    resource: s3
    actions:
      - type: encrypt-keys
        crypto: aws:kms
        key-id: 9c3983be-c6cf-11e6-9d9d-cec0c932ce01

get_permissions()

metrics = [('Total Keys', {'Scope': 'Account'}), ('Unencrypted', {'Scope': 'Account'})]

permissions = ('s3:GetObject', 's3:PutObject', 's3:DeleteObjectVersion', 's3:RestoreObject', 's3:ListBucket')

process(buckets)

process_chunk(batch, bucket)

process_key(s3, key, bucket_name, info=None)

process_large_file(s3, bucket_name, key, info, params)

For objects over 5gb, use multipart upload to copy

process_version(s3, key, bucket_name)

schema = {'additionalProperties': False, 'dependencies': {'key-id': {'properties': {'crypto': {'pattern': 'aws:kms'}}, 'required': ['crypto']}}, 'properties': {'crypto': {'enum': ['AES256', 'aws:kms']}, 'glacier': {'type': 'boolean'}, 'key-id': {'type': 'string'}, 'large': {'type': 'boolean'}, 'report-only': {'type': 'boolean'}, 'type': {'enum': ['encrypt-keys']}}, 'type': 'object'}

type = 'encrypt-keys'

class c7n.resources.s3.EncryptionEnabledFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Find buckets with missing encryption policy statements.

Example

policies:
  - name: s3-bucket-not-encrypted
    resource: s3
    filters:
      - type: no-encryption-statement

get_permissions()

process(buckets, event=None)

Bulk process resources and return filtered set.

process_bucket(b)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['no-encryption-statement']}}, 'required': ['type'], 'type': 'object'}

type = 'no-encryption-statement'

class c7n.resources.s3.EncryptionRequiredPolicy(data=None, manager=None)

Bases: c7n.resources.s3.BucketActionBase

Action to apply an encryption policy to S3 buckets

Example

policies:
  - name: s3-enforce-encryption
    resource: s3
    mode:
      type: cloudtrail
      events:
        - CreateBucket
    actions:
      - encryption-policy

permissions = ('s3:GetBucketPolicy', 's3:PutBucketPolicy')

process(buckets)

process_bucket(b)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['encryption-policy']}}, 'required': ['type'], 'type': 'object'}

type = 'encryption-policy'

class c7n.resources.s3.GlobalGrantsFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Filters for all S3 buckets that have global-grants

Example

policies:
  - name: s3-delete-global-grants
    resource: s3
    filters:
      - type: global-grants
    actions:
      - delete-global-grants

AUTH_ALL = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'

GLOBAL_ALL = 'http://acs.amazonaws.com/groups/global/AllUsers'

process(buckets, event=None)

Bulk process resources and return filtered set.

process_bucket(b)

schema = {'additionalProperties': False, 'properties': {'allow_website': {'type': 'boolean'}, 'operator': {'enum': ['or', 'and'], 'type': 'string'}, 'permissions': {'items': {'enum': ['READ', 'WRITE', 'WRITE_ACP', 'READ_ACP', 'FULL_CONTROL'], 'type': 'string'}, 'type': 'array'}, 'type': {'enum': ['global-grants']}}, 'required': ['type'], 'type': 'object'}

type = 'global-grants'

class c7n.resources.s3.HasStatementFilter(data, manager=None)

Bases: c7n.resources.s3.BucketFilterBase

Find buckets with set of policy statements.

Example

policies:
  - name: s3-bucket-has-statement
    resource: s3
    filters:
      - type: has-statement
        statement_ids:
          - RequiredEncryptedPutObject


policies:
  - name: s3-public-policy
    resource: s3
    filters:
      - type: has-statement
        statements:
          - Effect: Allow
            Action: 's3:*'
            Principal: '*'

process(buckets, event=None)

Bulk process resources and return filtered set.

process_bucket(b)

schema = {'additionalProperties': False, 'properties': {'statement_ids': {'items': {'type': 'string'}, 'type': 'array'}, 'statements': {'items': {'properties': {'Action': {'anyOf': [{'type': 'string'}, {'type': 'array'}]}, 'Condition': {'type': 'object'}, 'Effect': {'enum': ['Allow', 'Deny'], 'type': 'string'}, 'NotAction': {'anyOf': [{'type': 'string'}, {'type': 'array'}]}, 'NotPrincipal': {'anyOf': [{'type': 'object'}, {'type': 'array'}]}, 'NotResource': {'anyOf': [{'type': 'string'}, {'type': 'array'}]}, 'Principal': {'anyOf': [{'type': 'string'}, {'type': 'object'}, {'type': 'array'}]}, 'Resource': {'anyOf': [{'type': 'string'}, {'type': 'array'}]}, 'Sid': {'type': 'string'}}, 'required': ['Effect'], 'type': 'object'}, 'type': 'array'}, 'type': {'enum': ['has-statement']}}, 'required': ['type'], 'type': 'object'}

type = 'has-statement'

class c7n.resources.s3.Inventory(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter inventories for a bucket

permissions = ('s3:GetInventoryConfiguration',)

process(buckets, event=None)

Bulk process resources and return filtered set.

process_bucket(b)

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['inventory']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'inventory'

class c7n.resources.s3.KMSKeyResolverMixin(data, manager=None)

Bases: object

Builds a dictionary of region specific ARNs

get_key(bucket)

resolve_keys(buckets)

class c7n.resources.s3.Lifecycle(data=None, manager=None, log_dir=None)

Bases: c7n.resources.s3.BucketActionBase

Action applies a lifecycle policy to versioned S3 buckets

The schema to supply to the rule follows the schema here:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.put_bucket_lifecycle_configuration

To delete a lifecycle rule, supply Status=absent

Example

policies:
  - name: s3-apply-lifecycle
    resource: s3
    actions:
      - type: configure-lifecycle
        rules:
          - ID: my-lifecycle-id
            Status: Enabled
            Prefix: foo/
            Transitions:
              - Days: 60
                StorageClass: GLACIER

permissions = ('s3:GetLifecycleConfiguration', 's3:PutLifecycleConfiguration')

process(buckets)

process_bucket(bucket)

schema = {'additionalProperties': False, 'properties': {'rules': {'items': {'additionalProperties': False, 'properties': {'AbortIncompleteMultipartUpload': {'additionalProperties': False, 'properties': {'DaysAfterInitiation': {'type': 'integer'}}, 'type': 'object'}, 'Expiration': {'additionalProperties': False, 'properties': {'Date': {'type': 'string'}, 'Days': {'type': 'integer'}, 'ExpiredObjectDeleteMarker': {'type': 'boolean'}}, 'type': 'object'}, 'Filter': {'additionalProperties': False, 'maxProperties': 1, 'minProperties': 1, 'properties': {'And': {'additionalProperties': False, 'properties': {'Prefix': {'type': 'string'}, 'Tags': {'items': {'additionalProperties': False, 'properties': {'Key': {'type': 'string'}, 'Value': {'type': 'string'}}, 'required': ['Key', 'Value'], 'type': 'object'}, 'type': 'array'}}, 'type': 'object'}, 'Prefix': {'type': 'string'}, 'Tag': {'additionalProperties': False, 'properties': {'Key': {'type': 'string'}, 'Value': {'type': 'string'}}, 'required': ['Key', 'Value'], 'type': 'object'}}, 'type': 'object'}, 'ID': {'type': 'string'}, 'NoncurrentVersionExpiration': {'additionalProperties': False, 'properties': {'NoncurrentDays': {'type': 'integer'}}, 'type': 'object'}, 'NoncurrentVersionTransitions': {'items': {'additionalProperties': False, 'properties': {'NoncurrentDays': {'type': 'integer'}, 'StorageClass': {'type': 'string'}}, 'type': 'object'}, 'type': 'array'}, 'Prefix': {'type': 'string'}, 'Status': {'enum': ['Enabled', 'Disabled', 'absent']}, 'Transitions': {'items': {'additionalProperties': False, 'properties': {'Date': {'type': 'string'}, 'Days': {'type': 'integer'}, 'StorageClass': {'type': 'string'}}, 'type': 'object'}, 'type': 'array'}}, 'required': ['ID', 'Status'], 'type': 'object'}, 'type': 'array'}, 'type': {'enum': ['configure-lifecycle']}}, 'required': ['type'], 'type': 'object'}

type = 'configure-lifecycle'

class c7n.resources.s3.LogTarget(data, manager=None)

Bases: c7n.filters.core.Filter

Filter and return buckets are log destinations.

Not suitable for use in lambda on large accounts, This is a api heavy process to detect scan all possible log sources.

Sources:

• elb (Access Log)

• s3 (Access Log)

• cfn (Template writes)

• cloudtrail

Example

policies:
  - name: s3-log-bucket
    resource: s3
    filters:
      - type: is-log-target

get_cloud_trail_locations(buckets)

get_elb_bucket_locations()

get_permissions()

static get_s3_bucket_locations(buckets, self_log=False)

return (bucket_name, prefix) for all s3 logging targets

process(buckets, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'self': {'type': 'boolean'}, 'services': {'items': {'enum': ['s3', 'elb', 'cloudtrail']}, 'type': 'array'}, 'type': {'enum': ['is-log-target']}, 'value': {'type': 'boolean'}}, 'required': ['type'], 'type': 'object'}

type = 'is-log-target'

class c7n.resources.s3.MarkBucketForOp(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Action schedules custodian to perform an action at a certain date

Example

policies:
  - name: s3-encrypt
    resource: s3
    filters:
      - type: missing-statement
        statement_ids:
          - RequiredEncryptedPutObject
    actions:
      - type: mark-for-op
        op: attach-encrypt
        days: 7

schema = {'additionalProperties': False, 'properties': {'days': {'exclusiveMinimum': False, 'minimum': 0, 'type': 'integer'}, 'hours': {'exclusiveMinimum': False, 'minimum': 0, 'type': 'integer'}, 'msg': {'type': 'string'}, 'op': {'type': 'string'}, 'tag': {'type': 'string'}, 'type': {'enum': ['mark-for-op']}, 'tz': {'type': 'string'}}, 'required': ['type'], 'type': 'object'}

type = 'mark-for-op'

class c7n.resources.s3.MissingPolicyStatementFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Find buckets missing a set of named policy statements.

Example

policies:
  - name: s3-bucket-missing-statement
    resource: s3
    filters:
      - type: missing-statement
        statement_ids:
          - RequiredEncryptedPutObject

schema = {'additionalProperties': False, 'properties': {'statement_ids': {'items': {'type': 'string'}, 'type': 'array'}, 'type': {'enum': ['missing-policy-statement', 'missing-statement']}}, 'required': ['type'], 'type': 'object'}

type = 'missing-statement'

class c7n.resources.s3.NoOp(data=None, manager=None, log_dir=None)

Bases: c7n.resources.s3.BucketActionBase

permissions = ('s3:ListAllMyBuckets',)

process(buckets)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['no-op']}}, 'required': ['type'], 'type': 'object'}

type = 'no-op'

class c7n.resources.s3.RemoveBucketTag(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Removes tag/tags from a S3 object

Example

policies:
  - name: s3-remove-owner-tag
    resource: s3
    filters:
      - "tag:BucketOwner": present
    actions:
      - type: remove-tag
        tags: ['BucketOwner']

process_resource_set(client, resource_set, tags)

type = 'unmark'

class c7n.resources.s3.RemovePolicyStatement(data=None, manager=None, log_dir=None)

Bases: c7n.actions.policy.RemovePolicyBase

Action to remove policy statements from S3 buckets

Example

policies:
  - name: s3-remove-encrypt-put
    resource: s3
    filters:
      - type: has-statement
        statement_ids:
          - RequireEncryptedPutObject
    actions:
      - type: remove-statements
        statement_ids:
          - RequiredEncryptedPutObject

permissions = ('s3:PutBucketPolicy', 's3:DeleteBucketPolicy')

process(buckets)

process_bucket(bucket)

type = 'remove-statements'

class c7n.resources.s3.RemoveWebsiteHosting(data=None, manager=None, log_dir=None)

Bases: c7n.resources.s3.BucketActionBase

Action that removes website hosting configuration.

permissions = ('s3:DeleteBucketWebsite',)

process(buckets)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['remove-website-hosting']}}, 'required': ['type'], 'type': 'object'}

type = 'remove-website-hosting'

class c7n.resources.s3.S3(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

classmethod get_permissions()

get_source(source_type)

class resource_type

Bases: object

config_type = 'AWS::S3::Bucket'

date = 'CreationDate'

detail_spec = ('list_objects', 'Bucket', 'Contents[]')

dimension = 'BucketName'

enum_spec = ('list_buckets', 'Buckets[]', None)

filter_name = None

id = 'Name'

name = 'Name'

service = 's3'

type = 'bucket'

type = 's3'

class c7n.resources.s3.S3CrossAccountFilter(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

Filters cross-account access to S3 buckets

Example

policies:
  - name: s3-acl
    resource: s3
    region: us-east-1
    filters:
      - type: cross-account

get_accounts()

add in elb access by default

ELB Accounts by region

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html

Redshift Accounts by region

https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#rs-db-auditing-cloud-trail-rs-acct-ids

Cloudtrail Accounts by region

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-regions.html

permissions = ('s3:GetBucketPolicy',)

type = 'cross-account'

class c7n.resources.s3.S3Metrics(data, manager=None)

Bases: c7n.filters.metrics.MetricsFilter

S3 CW Metrics need special handling for attribute/dimension mismatch, and additional required dimension.

get_dimensions(resource)

type = 'metrics'

class c7n.resources.s3.ScanBucket(data, manager=None)

Bases: c7n.resources.s3.BucketActionBase

bucket_ops = {'standard': {'contents_key': ['Contents'], 'iterator': 'list_objects', 'key_processor': 'process_key'}, 'versioned': {'contents_key': ['Versions'], 'iterator': 'list_object_versions', 'key_processor': 'process_version'}}

get_bucket_op(b, op_name)

get_bucket_style(b)

get_keys(b, key_set)

permissions = ('s3:ListBucket',)

process(buckets)

process_bucket(b)

process_chunk(batch, bucket)

process_key(s3, key, bucket_name, info=None)

process_version(s3, bucket, key)

write_denied_buckets_file()

class c7n.resources.s3.SetBucketEncryption(data, manager=None)

Bases: c7n.resources.s3.KMSKeyResolverMixin, c7n.resources.s3.BucketActionBase

Action enables default encryption on S3 buckets

enabled: boolean Optional: Defaults to True crypto: aws:kms | AES256` Optional: Defaults to AES256 key: arn, alias, or kms id key

Example

policies:
  - name: s3-enable-default-encryption-kms
    resource: s3
    actions:
      - type: set-bucket-encryption
      # enabled: true <------ optional (true by default)
        crypto: aws:kms
        key: 1234abcd-12ab-34cd-56ef-1234567890ab

  - name: s3-enable-default-encryption-kms-alias
    resource: s3
    actions:
      - type: set-bucket-encryption
      # enabled: true <------ optional (true by default)
        crypto: aws:kms
        key: alias/some/alias/key

  - name: s3-enable-default-encryption-aes256
    resource: s3
    actions:
      - type: set-bucket-encryption
      # crypto: AES256 <----- optional (AES256 by default)
      # enabled: true <------ optional (true by default)

  - name: s3-disable-default-encryption
    resource: s3
    actions:
      - type: set-bucket-encryption
        enabled: false

permissions = ('s3:PutEncryptionConfiguration', 's3:GetEncryptionConfiguration', 'kms:ListAliases', 's3:DescribeKey')

process(buckets)

process_bucket(bucket)

schema = {'additionalProperties': False, 'dependencies': {'key': {'properties': {'crypto': {'pattern': 'aws:kms'}}, 'required': ['crypto']}}, 'properties': {'crypto': {'enum': ['aws:kms', 'AES256']}, 'enabled': {'type': 'boolean'}, 'key': {'type': 'string'}, 'type': {'enum': ['set-bucket-encryption']}}, 'type': 'object'}

type = 'set-bucket-encryption'

class c7n.resources.s3.SetInventory(data=None, manager=None, log_dir=None)

Bases: c7n.resources.s3.BucketActionBase

Configure bucket inventories for an s3 bucket.

get_inventory_delta(client, inventory, b)

permissions = ('s3:PutInventoryConfiguration', 's3:GetInventoryConfiguration')

process(buckets)

process_bucket(b)

schema = {'additionalProperties': False, 'properties': {'destination': {'description': 'Name of destination bucket', 'type': 'string'}, 'encryption': {'enum': ['SSES3', 'SSEKMS']}, 'fields': {'items': {'enum': ['Size', 'LastModifiedDate', 'StorageClass', 'ETag', 'IsMultipartUploaded', 'ReplicationStatus', 'EncryptionStatus']}, 'type': 'array'}, 'key_id': {'description': 'Optional Customer KMS KeyId for SSE-KMS', 'type': 'string'}, 'name': {'description': 'Name of inventory', 'type': 'string'}, 'prefix': {'description': 'Destination prefix', 'type': 'string'}, 'schedule': {'enum': ['Daily', 'Weekly']}, 'state': {'enum': ['enabled', 'disabled', 'absent']}, 'type': {'enum': ['set-inventory']}, 'versions': {'enum': ['All', 'Current']}}, 'required': ['name', 'destination', 'type'], 'type': 'object'}

type = 'set-inventory'

class c7n.resources.s3.SetPolicyStatement(data=None, manager=None, log_dir=None)

Bases: c7n.resources.s3.BucketActionBase

Action to add or update policy statements to S3 buckets

Example

policies:
  - name: force-s3-https
    resource: s3
    actions:
      - type: set-statements
        statements:
          - Sid: "DenyHttp"
            Effect: "Deny"
            Action: "s3:GetObject"
            Principal:
              AWS: "*"
            Resource: "arn:aws:s3:::{bucket_name}/*"
            Condition:
              Bool:
                "aws:SecureTransport": false

permissions = ('s3:PutBucketPolicy',)

process_bucket(bucket)

schema = {'additionalProperties': False, 'properties': {'statements': {'items': {'oneOf': [{'required': ['Principal', 'Action', 'Resource']}, {'required': ['NotPrincipal', 'Action', 'Resource']}, {'required': ['Principal', 'NotAction', 'Resource']}, {'required': ['NotPrincipal', 'NotAction', 'Resource']}, {'required': ['Principal', 'Action', 'NotResource']}, {'required': ['NotPrincipal', 'Action', 'NotResource']}, {'required': ['Principal', 'NotAction', 'NotResource']}, {'required': ['NotPrincipal', 'NotAction', 'NotResource']}], 'properties': {'Action': {'anyOf': [{'type': 'string'}, {'type': 'array'}]}, 'Condition': {'type': 'object'}, 'Effect': {'enum': ['Allow', 'Deny'], 'type': 'string'}, 'NotAction': {'anyOf': [{'type': 'string'}, {'type': 'array'}]}, 'NotPrincipal': {'anyOf': [{'type': 'object'}, {'type': 'array'}]}, 'NotResource': {'anyOf': [{'type': 'string'}, {'type': 'array'}]}, 'Principal': {'anyOf': [{'type': 'string'}, {'type': 'object'}, {'type': 'array'}]}, 'Resource': {'anyOf': [{'type': 'string'}, {'type': 'array'}]}, 'Sid': {'type': 'string'}}, 'required': ['Sid', 'Effect'], 'type': 'object'}, 'type': 'array'}, 'type': {'enum': ['set-statements']}}, 'required': ['type'], 'type': 'object'}

type = 'set-statements'

class c7n.resources.s3.ToggleLogging(data=None, manager=None, log_dir=None)

Bases: c7n.resources.s3.BucketActionBase

Action to enable/disable logging on a S3 bucket.

Target bucket ACL must allow for WRITE and READ_ACP Permissions Not specifying a target_prefix will default to the current bucket name. https://docs.aws.amazon.com/AmazonS3/latest/dev/enable-logging-programming.html

Example

policies:
  - name: s3-enable-logging
    resource: s3
    filters:
      - "tag:Testing": present
    actions:
      - type: toggle-logging
        target_bucket: log-bucket
        target_prefix: logs123

permissions = ('s3:PutBucketLogging', 'iam:ListAccountAliases')

process(resources)

schema = {'additionalProperties': False, 'properties': {'enabled': {'type': 'boolean'}, 'target_bucket': {'type': 'string'}, 'target_prefix': {'type': 'string'}, 'type': {'enum': ['toggle-logging']}}, 'required': ['type'], 'type': 'object'}

type = 'toggle-logging'

validate()

class c7n.resources.s3.ToggleVersioning(data=None, manager=None, log_dir=None)

Bases: c7n.resources.s3.BucketActionBase

Action to enable/suspend versioning on a S3 bucket

Note versioning can never be disabled only suspended.

Example

policies:
  - name: s3-enable-versioning
    resource: s3
    filters:
      - or:
        - type: value
          key: Versioning.Status
          value: Suspended
        - type: value
          key: Versioning.Status
          value: absent
    actions:
      - type: toggle-versioning
        enabled: true

permissions = ('s3:PutBucketVersioning',)

process(resources)

process_versioning(resource, state)

schema = {'additionalProperties': False, 'properties': {'enabled': {'type': 'boolean'}, 'type': {'enum': ['toggle-versioning']}}, 'required': ['type'], 'type': 'object'}

type = 'toggle-versioning'

c7n.resources.s3.assemble_bucket(item)

Assemble a document representing all the config state around a bucket.

TODO: Refactor this, the logic here feels quite muddled.

c7n.resources.s3.bucket_client(session, b, kms=False)

c7n.resources.s3.get_region(b)

Tries to get the bucket region from Location.LocationConstraint

Special cases:

LocationConstraint EU defaults to eu-west-1 LocationConstraint null defaults to us-east-1

Args:

b (object): A bucket object

Returns:

string: an aws region string

c7n.resources.s3.modify_bucket_tags(session_factory, buckets, add_tags=(), remove_tags=())

c7n.resources.s3.restore_complete(restore)

c7n.resources.sagemaker module

class c7n.resources.sagemaker.DeleteModel(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.sagemaker.StateTransitionFilter

Deletes sagemaker-model(s)

Example

permissions = ('sagemaker:DeleteModel',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.sagemaker.DeleteNotebookInstance(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.sagemaker.StateTransitionFilter

Deletes sagemaker-notebook(s)

Example

permissions = ('sagemaker:DeleteNotebookInstance',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

valid_origin_states = ('Stopped', 'Failed')

class c7n.resources.sagemaker.MarkNotebookInstanceForOp(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Mark SageMaker resources for deferred action (notebook-instance, endpoint, endpoint-config)

Example

policies:
  - name: sagemaker-notebook-invalid-tag-stop
    resource: sagemaker-notebook
    filters:
      - "tag:InvalidTag": present
    actions:
      - type: mark-for-op
        op: stop
        days: 1

  - name: sagemaker-endpoint-failure-delete
    resource: sagemaker-endpoint
    filters:
      - 'EndpointStatus': 'Failed'
    actions:
      - type: mark-for-op
        op: delete
        days: 1

  - name: sagemaker-endpoint-config-invalid-size-delete
    resource: sagemaker-notebook
    filters:
      - type: value
      - key: ProductionVariants[].InstanceType
      - value: 'ml.m4.10xlarge'
      - op: contains
    actions:
      - type: mark-for-op
        op: delete
        days: 1

type = 'mark-for-op'

class c7n.resources.sagemaker.Model(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('sagemaker:ListTags',)

class resource_type

Bases: object

arn = 'ModelArn'

date = 'CreationTime'

detail_spec = ('describe_model', 'ModelName', 'ModelName', None)

dimension = None

enum_spec = ('list_models', 'Models', None)

filter_name = None

id = 'ModelArn'

name = 'ModelName'

service = 'sagemaker'

type = 'sagemaker-model'

class c7n.resources.sagemaker.NotebookInstance(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('sagemaker:ListTags',)

class resource_type

Bases: object

arn = 'NotebookInstanceArn'

date = 'CreationTime'

detail_spec = ('describe_notebook_instance', 'NotebookInstanceName', 'NotebookInstanceName', None)

dimension = None

enum_spec = ('list_notebook_instances', 'NotebookInstances', None)

filter_name = None

id = 'NotebookInstanceArn'

name = 'NotebookInstanceName'

service = 'sagemaker'

type = 'sagemaker-notebook'

class c7n.resources.sagemaker.NotebookSecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'SecurityGroups[]'

type = 'security-group'

class c7n.resources.sagemaker.NotebookSubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'SubnetId'

type = 'subnet'

class c7n.resources.sagemaker.QueryFilter(data)

Bases: object

JOB_FILTERS = ('StatusEquals', 'NameContains')

classmethod parse(data)

query()

validate()

class c7n.resources.sagemaker.RemoveTagNotebookInstance(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Remove tag(s) from SageMaker resources (notebook-instance, endpoint, endpoint-config)

Example

policies:
  - name: sagemaker-notebook-remove-tag
    resource: sagemaker-notebook
    filters:
      - "tag:BadTag": present
    actions:
      - type: remove-tag
        tags: ["BadTag"]

  - name: sagemaker-endpoint-remove-tag
    resource: sagemaker-endpoint
    filters:
      - "tag:expired-tag": present
    actions:
      - type: remove-tag
        tags: ["expired-tag"]

  - name: sagemaker-endpoint-config-remove-tag
    resource: sagemaker-endpoint-config
    filters:
      - "tag:expired-tag": present
    actions:
      - type: remove-tag
        tags: ["expired-tag"]

  - name: sagemaker-job-remove-tag
    resource: sagemaker-job
    filters:
      - "tag:expired-tag": present
    actions:
      - type: remove-tag
        tags: ["expired-tag"]

permissions = ('sagemaker:DeleteTags',)

process_resource_set(client, resources, keys)

type = 'remove-tag'

class c7n.resources.sagemaker.SagemakerEndpoint(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(endpoints)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('sagemaker:ListTags',)

class resource_type

Bases: object

arn = 'EndpointArn'

date = 'CreationTime'

detail_spec = ('describe_endpoint', 'EndpointName', 'EndpointName', None)

dimension = None

enum_spec = ('list_endpoints', 'Endpoints', None)

filter_name = None

id = 'EndpointArn'

name = 'EndpointName'

service = 'sagemaker'

type = 'sagemaker-endpoint'

class c7n.resources.sagemaker.SagemakerEndpointConfig(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(endpoints)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('sagemaker:ListTags',)

class resource_type

Bases: object

arn = 'EndpointConfigArn'

date = 'CreationTime'

detail_spec = ('describe_endpoint_config', 'EndpointConfigName', 'EndpointConfigName', None)

dimension = None

enum_spec = ('list_endpoint_configs', 'EndpointConfigs', None)

filter_name = None

id = 'EndpointConfigArn'

name = 'EndpointConfigName'

service = 'sagemaker'

type = 'sagemaker-endpoint-config'

class c7n.resources.sagemaker.SagemakerEndpointConfigDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete a SageMaker endpoint

Example

permissions = ('sagemaker:DeleteEndpointConfig',)

process(endpoints)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.sagemaker.SagemakerEndpointDelete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Delete a SageMaker endpoint

Example

permissions = ('sagemaker:DeleteEndpoint', 'sagemaker:DeleteEndpointConfig')

process(endpoints)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.sagemaker.SagemakerJob(ctx, data)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(jobs)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('sagemaker:ListTrainingJobs', 'sagemaker:DescribeTrainingJobs', 'sagemaker:ListTags')

class resource_type

Bases: object

arn = 'TrainingJobArn'

date = 'CreationTime'

detail_spec = ('describe_training_job', 'TrainingJobName', 'TrainingJobName', None)

dimension = None

enum_spec = ('list_training_jobs', 'TrainingJobSummaries', None)

filter_name = None

id = 'TrainingJobArn'

name = 'TrainingJobName'

service = 'sagemaker'

resources(query=None)

type = 'sagemaker-job'

class c7n.resources.sagemaker.SagemakerJobStop(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Stops a SageMaker job

Example

policies:
  - name: stop-ml-job
    resource: sagemaker-job
    filters:
      - TrainingJobName: ml-job-10
    actions:
      - stop

permissions = ('sagemaker:StopTrainingJob',)

process(jobs)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['stop']}}, 'required': ['type'], 'type': 'object'}

type = 'stop'

class c7n.resources.sagemaker.SagemakerTransformJob(ctx, data)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(jobs)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('sagemaker:ListTransformJobs', 'sagemaker:DescribeTransformJobs', 'sagemaker:ListTags')

class resource_type

Bases: object

arn = 'TransformJobArn'

date = 'CreationTime'

detail_spec = ('describe_transform_job', 'TransformJobName', 'TransformJobName', None)

dimension = None

enum_spec = ('list_transform_jobs', 'TransformJobSummaries', None)

filter_name = 'TransformJobArn'

id = 'TransformJobArn'

name = 'TransformJobName'

service = 'sagemaker'

type = 'None'

resources(query=None)

type = 'sagemaker-transform-job'

class c7n.resources.sagemaker.SagemakerTransformJobStop(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Stops a SageMaker Transform job

Example

policies:
  - name: stop-ml-job
    resource: sagemaker-transform-job
    filters:
      - TransformJobName: ml-job-10
    actions:
      - stop

permissions = ('sagemaker:StopTransformJob',)

process(jobs)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['stop']}}, 'required': ['type'], 'type': 'object'}

type = 'stop'

class c7n.resources.sagemaker.StartNotebookInstance(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.sagemaker.StateTransitionFilter

Start sagemaker-notebook(s)

Example

permissions = ('sagemaker:StartNotebookInstance',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['start']}}, 'required': ['type'], 'type': 'object'}

type = 'start'

valid_origin_states = ('Stopped',)

class c7n.resources.sagemaker.StateTransitionFilter

Bases: object

Filter instances by state.

Try to simplify construction for policy authors by automatically filtering elements (filters or actions) to the instances states they are valid for.

filter_instance_state(instances, states=None)

valid_origin_states = ()

class c7n.resources.sagemaker.StopNotebookInstance(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action, c7n.resources.sagemaker.StateTransitionFilter

Stop sagemaker-notebook(s)

Example

permissions = ('sagemaker:StopNotebookInstance',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['stop']}}, 'required': ['type'], 'type': 'object'}

type = 'stop'

valid_origin_states = ('InService',)

class c7n.resources.sagemaker.TagNotebookInstance(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tag(s) on a SageMaker resource (notebook-instance, endpoint, endpoint-config)

Example

policies:
  - name: tag-sagemaker-notebook
    resource: sagemaker-notebook
    filters:
      - "tag:target-tag": absent
    actions:
      - type: tag
        key: target-tag
        value: target-value

  - name: tag-sagemaker-endpoint
    resource: sagemaker-endpoint
    filters:
        - "tag:required-tag": absent
    actions:
      - type: tag
        key: required-tag
        value: required-value

  - name: tag-sagemaker-endpoint-config
    resource: sagemaker-endpoint-config
    filters:
        - "tag:required-tag": absent
    actions:
      - type: tag
        key: required-tag
        value: required-value

  - name: tag-sagemaker-job
    resource: sagemaker-job
    filters:
        - "tag:required-tag": absent
    actions:
      - type: tag
        key: required-tag
        value: required-value

permissions = ('sagemaker:AddTags',)

process_resource_set(client, resources, tags)

type = 'tag'

c7n.resources.secretsmanager module

class c7n.resources.secretsmanager.CrossAccountAccessFilter(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

get_resource_policy(r)

permissions = ('secretsmanager:GetResourcePolicy',)

policy_annotation = 'c7n:AccessPolicy'

process(resources, event=None)

Bulk process resources and return filtered set.

type = 'cross-account'

class c7n.resources.secretsmanager.MarkSecretForOp(data=None, manager=None, log_dir=None)

Bases: c7n.tags.TagDelayedAction

Action to mark a Secret resource for deferred action :example:

policies:
    - name: mark-secret-for-delete
      resource: secrets-manager
      actions:
        - type: mark-for-op
          op: tag
          days: 1

type = 'mark-for-op'

class c7n.resources.secretsmanager.RemoveTagSecretsManagerResource(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to remove tag(s) on a Secret resource

Example

policies:
    - name: untag-secret
      resource: secrets-manager
      actions:
        - type: remove-tag
          tags: ['tag-to-be-removed']

permissions = ('secretsmanager:UntagResource',)

process_resource_set(client, resources, keys)

type = 'remove-tag'

class c7n.resources.secretsmanager.SecretsManager(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('secretsmanager:ListSecretVersionIds',)

class resource_type

Bases: object

arn = 'ARN'

detail_spec = ('describe_secret', 'SecretId', 'ARN', None)

dimension = None

enum_spec = ('list_secrets', 'SecretList', None)

filter_name = None

id = 'ARN'

name = 'Name'

service = 'secretsmanager'

type = 'secrets-manager'

class c7n.resources.secretsmanager.TagSecretsManagerResource(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tag(s) on a Secret resource

Example

policies:
    - name: tag-secret
      resource: secrets-manager
      actions:
        - type: tag
          key: tag-key
          value: tag-value

permissions = ('secretsmanager:TagResource',)

process_resource_set(client, resources, new_tags)

type = 'tag'

c7n.resources.sfn module

class c7n.resources.sfn.StepFunction(data, options)

Bases: c7n.query.QueryResourceManager

AWS Step Functions State Machine

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'stateMachineArn'

date = 'creationDate'

detail_spec = ('describe_state_machine', 'stateMachineArn', 'stateMachineArn', None)

dimension = None

enum_spec = ('list_state_machines', 'stateMachines', None)

filter_name = None

id = 'stateMachineArn'

name = 'name'

service = 'stepfunctions'

type = 'step-machine'

class c7n.resources.sfn.TagStepFunction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.Tag

Action to create tag(s) on a step function

Example

policies:
  - name: tag-step-function
    resource: step-machine
    actions:
      - type: tag
        key: target-tag
        value: target-tag-value

permissions = ('stepfunctions:TagResource',)

process_resource_set(client, resources, tags)

type = 'tag'

class c7n.resources.sfn.UnTagStepFunction(data=None, manager=None, log_dir=None)

Bases: c7n.tags.RemoveTag

Action to create tag(s) on a step function

Example

policies:
  - name: step-function-remove-tag
    resource: step-machine
    actions:
      - type: remove-tag
        tags: ["test"]

permissions = ('stepfunctions:UntagResource',)

process_resource_set(client, resources, tag_keys)

type = 'remove-tag'

c7n.resources.shield module

class c7n.resources.shield.IsShieldProtected(data, manager=None)

Bases: c7n.filters.core.Filter

permissions = ('shield:ListProtections',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'type': {'enum': ['shield-enabled']}}, 'required': ['type'], 'type': 'object'}

type = 'shield-enabled'

class c7n.resources.shield.SetShieldProtection(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Enable shield protection on applicable resource.

setting sync parameter will also clear out stale shield protections for resources that no longer exist.

clear_stale(client, protections)

permissions = ('shield:CreateProtection', 'shield:ListProtections')

process(resources)

schema = {'additionalProperties': False, 'properties': {'state': {'type': 'boolean'}, 'sync': {'type': 'boolean'}, 'type': {'enum': ['set-shield']}}, 'required': ['type'], 'type': 'object'}

type = 'set-shield'

class c7n.resources.shield.ShieldAttack(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = False

date = 'StartTime'

detail_spec = ('describe_attack', 'AttackId', 'AttackId', 'Attack')

dimension = None

enum_spec = ('list_attacks', 'Attacks', None)

filter_name = 'ResourceArns'

filter_type = 'list'

id = 'AttackId'

name = 'AttackId'

service = 'shield'

type = 'shield-attack'

class c7n.resources.shield.ShieldProtection(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = False

dimension = None

enum_spec = ('list_protections', 'Protections', None)

filter_name = None

id = 'Id'

name = 'Name'

service = 'shield'

type = 'shield-protection'

c7n.resources.shield.get_protections_paginator(client)

c7n.resources.shield.get_type_protections(client, model)

c7n.resources.simpledb module

class c7n.resources.simpledb.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('sdb:DeleteDomain',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.simpledb.SimpleDB(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('sdb:DomainMetadata',)

class resource_type

Bases: object

dimension = None

enum_spec = ('list_domains', 'DomainNames', None)

filter_name = None

id = 'DomainName'

name = 'DomainName'

service = 'sdb'

type = 'domain'

type = 'simpledb'

c7n.resources.snowball module

class c7n.resources.snowball.Snowball(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = False

date = 'CreationDate'

detail_spec = ('describe_job', 'JobId', 'JobId', 'JobMetadata')

dimension = None

enum_spec = ('list_jobs', 'JobListEntries', None)

filter_name = None

id = 'JobId'

name = 'Description'

service = 'snowball'

type = 'snowball'

class c7n.resources.snowball.SnowballCluster(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = False

date = 'CreationDate'

detail_spec = ('describe_cluster', 'ClusterId', 'ClusterId', 'ClusterMetadata')

dimension = None

enum_spec = ('list_clusters', 'ClusterListEntries', None)

filter_name = None

id = 'ClusterId'

name = 'Description'

service = 'snowball'

type = 'snowball-cluster'

c7n.resources.sns module

class c7n.resources.sns.KmsFilter(data, manager=None)

Bases: c7n.filters.kms.KmsRelatedFilter

RelatedIdsExpression = 'KmsMasterKeyId'

type = 'kms-key'

class c7n.resources.sns.ModifyPolicyStatement(data=None, manager=None)

Bases: c7n.actions.policy.ModifyPolicyBase

Action to modify policy statements from SNS

Example

policies:
   - name: sns-cross-account
     resource: sns
     filters:
       - type: cross-account
     actions:
       - type: modify-policy
         add-statements: [{
             "Sid": "ReplaceWithMe",
             "Effect": "Allow",
             "Principal": "*",
             "Action": ["SNS:GetTopicAttributes"],
             "Resource": topic_arn,
                 }]
         remove-statements: '*'

permissions = ('sns:SetTopicAttributes', 'sns:GetTopicAttributes')

process(resources)

type = 'modify-policy'

class c7n.resources.sns.RemovePolicyStatement(data=None, manager=None, log_dir=None)

Bases: c7n.actions.policy.RemovePolicyBase

Action to remove policy statements from SNS

Example

policies:
   - name: sns-cross-account
     resource: sns
     filters:
       - type: cross-account
     actions:
       - type: remove-statements
         statement_ids: matched

permissions = ('sns:SetTopicAttributes', 'sns:GetTopicAttributes')

process(resources)

process_resource(client, resource)

type = 'remove-statements'

class c7n.resources.sns.SNS(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

default_report_fields = ('TopicArn', 'DisplayName', 'SubscriptionsConfirmed', 'SubscriptionsPending', 'SubscriptionsDeleted')

detail_spec = ('get_topic_attributes', 'TopicArn', 'TopicArn', 'Attributes')

dimension = 'TopicName'

enum_spec = ('list_topics', 'Topics', None)

filter_name = None

filter_type = None

id = 'TopicArn'

name = 'DisplayName'

service = 'sns'

type = 'topic'

type = 'sns'

class c7n.resources.sns.SNSCrossAccount(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

Filter to return all SNS topics with cross account access permissions

The whitelist parameter will omit the accounts that match from the return

Example

checker_factory

alias of SNSPolicyChecker

get_endpoints()

get_protocols()

permissions = ('sns:GetTopicAttributes',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'actions': {'items': {'type': 'string'}, 'type': 'array'}, 'everyone_only': {'type': 'boolean'}, 'type': {'enum': ['cross-account']}, 'whitelist': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_conditions': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_endpoints': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_endpoints_from': {'additionalProperties': 'False', 'properties': {'expr': {'oneOf': [{'type': 'integer'}, {'type': 'string'}]}, 'format': {'enum': ['csv', 'json', 'txt', 'csv2dict']}, 'url': {'type': 'string'}}, 'required': ['url'], 'type': 'object'}, 'whitelist_from': {'ref': '#/definitions/filters_common/value_from'}, 'whitelist_orgids': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_orgids_from': {'ref': '#/definitions/filters_common/value_from'}, 'whitelist_protocols': {'items': {'enum': ('http', 'https', 'email', 'email-json', 'sms', 'sqs', 'application', 'lambda'), 'type': 'string'}, 'type': 'array'}, 'whitelist_protocols_from': {'additionalProperties': 'False', 'properties': {'expr': {'oneOf': [{'type': 'integer'}, {'type': 'string'}]}, 'format': {'enum': ['csv', 'json', 'txt', 'csv2dict']}, 'url': {'type': 'string'}}, 'required': ['url'], 'type': 'object'}, 'whitelist_vpc': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_vpc_from': {'ref': '#/definitions/filters_common/value_from'}, 'whitelist_vpce': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_vpce_from': {'ref': '#/definitions/filters_common/value_from'}}, 'required': ['type'], 'type': 'object'}

type = 'cross-account'

valid_protocols = ('http', 'https', 'email', 'email-json', 'sms', 'sqs', 'application', 'lambda')

class c7n.resources.sns.SNSPolicyChecker(checker_config)

Bases: c7n.filters.iamaccess.PolicyChecker

allowed_endpoints

allowed_protocols

handle_sns_endpoint(s, c)

handle_sns_protocol(s, c)

class c7n.resources.sns.SetEncryption(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Set Encryption on SNS Topics

By default if no key is specified, alias/aws/sns is used

key can either be a KMS key ARN, key id, or an alias

Example

policies:
    - name: set-sns-topic-encryption
      resource: sns
      actions:
        - type: set-encryption
          key: alias/cmk/key
          enabled: True

    - name: set-sns-topic-encryption-with-id
      resource: sns
      actions:
        - type: set-encryption
          key: abcdefgh-1234-1234-1234-123456789012
          enabled: True

    - name: set-sns-topic-encryption-with-arn
      resource: sns
      actions:
        - type: set-encryption
          key: arn:aws:kms:us-west-1:123456789012:key/abcdefgh-1234-1234-1234-123456789012
          enabled: True

permissions = ('sns:SetTopicAttributes', 'kms:DescribeKey')

process(resources)

schema = {'additionalProperties': False, 'properties': {'enabled': {'type': 'boolean'}, 'key': {'type': 'string'}, 'type': {'enum': ['set-encryption']}}, 'required': ['type'], 'type': 'object'}

type = 'set-encryption'

c7n.resources.sqs module

class c7n.resources.sqs.DeleteSqsQueue(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete a SQS queue

To prevent unwanted deletion of SQS queues, it is recommended to include a filter

Example

policies:
  - name: sqs-delete
    resource: sqs
    filters:
      - KmsMasterKeyId: absent
    actions:
      - type: delete

permissions = ('sqs:DeleteQueue',)

process(queues)

process_queue(client, queue)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.sqs.KmsFilter(data, manager=None)

Bases: c7n.filters.kms.KmsRelatedFilter

Filter a resource by its associcated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’ The KmsMasterId returned for SQS sometimes has the alias name directly in the value.

Example

policies:
    - name: efs-kms-key-filters
      resource: efs
      filters:
        - or:
          - type: value
            key: KmsMasterKeyId
            value: "^(alias/aws/)"
            op: regex
          - type: kms-key
            key: c7n:AliasName
            value: "^(alias/aws/)"
            op: regex

RelatedIdsExpression = 'KmsMasterKeyId'

type = 'kms-key'

class c7n.resources.sqs.MetricsFilter(data, manager=None)

Bases: c7n.filters.metrics.MetricsFilter

get_dimensions(resource)

type = 'metrics'

class c7n.resources.sqs.RemovePolicyStatement(data=None, manager=None, log_dir=None)

Bases: c7n.actions.policy.RemovePolicyBase

Action to remove policy statements from SQS

Example

policies:
   - name: sqs-cross-account
     resource: sqs
     filters:
       - type: cross-account
     actions:
       - type: remove-statements
         statement_ids: matched

permissions = ('sqs:GetQueueAttributes', 'sqs:RemovePermission')

process(resources)

process_resource(client, resource)

type = 'remove-statements'

class c7n.resources.sqs.SQS(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

subclasses may want to augment resources with additional information.

ie. we want tags by default (rds, elb), and policy, location, acl for s3 buckets.

filter_registry = <c7n.filters.core.FilterRegistry object>

get_permissions()

get_resources(ids, cache=True)

Retrieve a set of resources by id.

class resource_type

Bases: object

arn = 'QueueArn'

date = 'CreatedTimestamp'

default_report_fields = ('QueueArn', 'CreatedTimestamp', 'ApproximateNumberOfMessages')

detail_spec = ('get_queue_attributes', 'QueueUrl', None, 'Attributes')

dimension = 'QueueName'

enum_spec = ('list_queues', 'QueueUrls', None)

filter_name = 'QueueNamePrefix'

filter_type = 'scalar'

id = 'QueueUrl'

name = 'QueueUrl'

service = 'sqs'

type = None

type = 'sqs'

class c7n.resources.sqs.SQSCrossAccount(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

Filter SQS queues which have cross account permissions

Example

policies:
  - name: sqs-cross-account
    resource: sqs
    filters:
      - type: cross-account

permissions = ('sqs:GetQueueAttributes',)

type = 'cross-account'

class c7n.resources.sqs.SetEncryption(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to set encryption key on SQS queue

Example

policies:
  - name: sqs-set-encrypt
    resource: sqs
    filters:
      - KmsMasterKeyId: absent
    actions:
      - type: set-encryption
        key: "<alias of kms key>"

permissions = ('sqs:SetQueueAttributes',)

process(queues)

process_queue(client, queue, key_id)

schema = {'additionalProperties': False, 'properties': {'key': {'type': 'string'}, 'type': {'enum': ['set-encryption']}}, 'required': ('key',), 'type': 'object'}

type = 'set-encryption'

class c7n.resources.sqs.SetRetentionPeriod(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to set the retention period on an SQS queue (in seconds)

Example

policies:
  - name: sqs-reduce-long-retention-period
    resource: sqs
    filters:
      - type: value
        key: MessageRetentionPeriod
        value_type: integer
        value: 345600
        op: ge
    actions:
      - type: set-retention-period
        period: 86400

permissions = ('sqs:SetQueueAttributes',)

process(queues)

schema = {'additionalProperties': False, 'properties': {'period': {'maximum': 1209600, 'minimum': 60, 'type': 'integer'}, 'type': {'enum': ['set-retention-period']}}, 'required': ['type'], 'type': 'object'}

type = 'set-retention-period'

c7n.resources.ssm module

class c7n.resources.ssm.DeleteSSMActivation(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('ssm:DeleteActivation',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.ssm.ManagedInstance(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('ssm:DescribeInstanceInformation',)

class resource_type

Bases: object

date = 'RegistrationDate'

dimension = None

enum_spec = ('describe_instance_information', 'InstanceInformationList', None)

filter_name = None

id = 'InstanceId'

name = 'Name'

service = 'ssm'

type = 'managed-instance'

type = 'ssm-managed-instance'

class c7n.resources.ssm.SSMActivation(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('ssm:DescribeActivations',)

class resource_type

Bases: object

arn = False

date = 'CreatedDate'

dimension = None

enum_spec = ('describe_activations', 'ActivationList', None)

filter_name = None

id = 'ActivationId'

name = 'Description'

service = 'ssm'

type = 'ssm-activation'

class c7n.resources.ssm.SSMParameter(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

permissions = ('ssm:GetParameters', 'ssm:DescribeParameters')

class resource_type

Bases: object

dimension = None

enum_spec = ('describe_parameters', 'Parameters', None)

filter_name = None

id = 'Name'

name = 'Name'

service = 'ssm'

type = 'parameter'

universal_taggable = True

static retry(func, *args, **kw)

type = 'ssm-parameter'

class c7n.resources.ssm.SendCommand(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Run an SSM Automation Document on an instance.

Example

Find ubuntu 18.04 instances are active with ssm.

policies:
  - name: ec2-osquery-install
    resource: ec2
    filters:
      - type: ssm
        key: PingStatus
        value: Online
      - type: ssm
        key: PlatformName
        value: Ubuntu
      - type: ssm
        key: PlatformVersion
        value: 18.04
    actions:
      - type: send-command
        command:
          DocumentName: AWS-RunShellScript
          Parameters:
            commands:
              - wget https://pkg.osquery.io/deb/osquery_3.3.0_1.linux.amd64.deb
              - dpkg -i osquery_3.3.0_1.linux.amd64.deb

annotation = 'c7n:SendCommand'

permissions = ('ssm:SendCommand',)

process(resources)

process_resource_set(client, resources)

schema = {'additionalProperties': False, 'properties': {'command': {'type': 'object'}, 'type': {'enum': ['send-command']}}, 'required': ('command',), 'type': 'object'}

shape = 'SendCommandRequest'

type = 'send-command'

validate()

c7n.resources.storagegw module

class c7n.resources.storagegw.StorageGateway(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'GatewayARN'

dimension = None

enum_spec = ('list_gateways', 'Gateways', None)

filter_name = None

id = 'GatewayARN'

name = 'GatewayName'

service = 'storagegateway'

type = 'storage-gateway'

c7n.resources.support module

class c7n.resources.support.SupportCase(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = False

date = 'timeCreated'

dimension = None

enum_spec = ('describe_cases', 'cases', None)

filter_name = 'caseIdList'

filter_type = 'list'

id = 'caseId'

name = 'displayId'

service = 'support'

type = 'support-case'

c7n.resources.vpc module

class c7n.resources.vpc.AclAwsS3Cidrs(data, manager=None)

Bases: c7n.filters.core.Filter

Filter network acls by those that allow access to s3 cidrs.

Defaults to filtering those nacls that do not allow s3 communication.

Example

Find all nacls that do not allow communication with s3.

policies:
  - name: s3-not-allowed-nacl
    resource: network-acl
    filters:
      - s3-cidr

permissions = ('ec2:DescribePrefixLists',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'egress': {'default': True, 'type': 'boolean'}, 'ingress': {'default': True, 'type': 'boolean'}, 'present': {'default': False, 'type': 'boolean'}, 'type': {'enum': ['s3-cidr']}}, 'required': ['type'], 'type': 'object'}

type = 's3-cidr'

class c7n.resources.vpc.AclSubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

Filter network acls by the attributes of their attached subnets.

Example

policies:
  - name: subnet-acl
    resource: network-acl
    filters:
      - type: subnet
        key: "tag:Location"
        value: Public

RelatedIdsExpression = 'Associations[].SubnetId'

type = 'subnet'

class c7n.resources.vpc.AddressRelease(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to release elastic IP address(es)

Use the force option to cause any attached elastic IPs to also be released. Otherwise, only unattached elastic IPs will be released.

Example

policies:
  - name: release-network-addr
    resource: network-addr
    filters:
      - AllocationId: ...
    actions:
      - type: release
        force: True

permissions = ('ec2:ReleaseAddress', 'ec2:DisassociateAddress')

process(network_addrs)

process_attached(client, associated_addrs)

schema = {'additionalProperties': False, 'properties': {'force': {'type': 'boolean'}, 'type': {'enum': ['release']}}, 'required': ['type'], 'type': 'object'}

type = 'release'

class c7n.resources.vpc.AttributesFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Filters VPCs based on their DNS attributes

Example

policies:
  - name: dns-hostname-enabled
    resource: vpc
    filters:
      - type: vpc-attributes
        dnshostnames: True

permissions = ('ec2:DescribeVpcAttributes',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'dnshostnames': {'type': 'boolean'}, 'dnssupport': {'type': 'boolean'}, 'type': {'enum': ['vpc-attributes']}}, 'required': ['type'], 'type': 'object'}

type = 'vpc-attributes'

class c7n.resources.vpc.ConfigSG(manager)

Bases: c7n.query.ConfigSource

load_resource(item)

class c7n.resources.vpc.CreateFlowLogs(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Create flow logs for a network resource

Example

RESOURCE_ALIAS = {'eni': 'NetworkInterface', 'subnet': 'Subnet', 'vpc': 'VPC'}

delete_flow_logs(client, rids)

permissions = ('ec2:CreateFlowLogs',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'DeliverLogsPermissionArn': {'type': 'string'}, 'LogDestination': {'type': 'string'}, 'LogDestinationType': {'enum': ['s3', 'cloud-watch-logs']}, 'LogGroupName': {'type': 'string'}, 'TrafficType': {'enum': ['ACCEPT', 'REJECT', 'ALL'], 'type': 'string'}, 'state': {'type': 'boolean'}, 'type': {'enum': ['set-flow-log']}}, 'type': 'object'}

type = 'set-flow-log'

validate()

class c7n.resources.vpc.CrossAccountPeer(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = ('ec2:DescribeVpcPeeringConnections',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['cross-account']}, 'whitelist': {'items': {'type': 'string'}, 'type': 'array'}, 'whitelist_from': {'additionalProperties': 'False', 'properties': {'expr': {'oneOf': [{'type': 'integer'}, {'type': 'string'}]}, 'format': {'enum': ['csv', 'json', 'txt', 'csv2dict']}, 'url': {'type': 'string'}}, 'required': ['url'], 'type': 'object'}}, 'required': ['type'], 'type': 'object'}

type = 'cross-account'

class c7n.resources.vpc.CustomerGateway(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

detail_spec = None

dimension = None

enum_spec = ('describe_customer_gateways', 'CustomerGateways', None)

filter_name = 'CustomerGatewayIds'

filter_type = 'list'

id = 'CustomerGatewayId'

id_prefix = 'cgw-'

name = 'CustomerGatewayId'

service = 'ec2'

type = 'customer-gateway'

type = 'customer-gateway'

class c7n.resources.vpc.Delete(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to delete security group(s)

It is recommended to apply a filter to the delete policy to avoid the deletion of all security groups returned.

Example

policies:
  - name: security-groups-unused-delete
    resource: security-group
    filters:
      - type: unused
    actions:
      - delete

permissions = ('ec2:DeleteSecurityGroup',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.vpc.DeleteNATGateway(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

permissions = ('ec2:DeleteNatGateway',)

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['delete']}}, 'required': ['type'], 'type': 'object'}

type = 'delete'

class c7n.resources.vpc.DescribeENI(manager)

Bases: c7n.query.DescribeSource

augment(resources)

class c7n.resources.vpc.DhcpOptionsFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Filter VPCs based on their dhcp options

example

if an option value is specified as a list, then all elements must be present. if an option value is specified as a string, then that string must be present.

vpcs not matching a given option value can be found via specifying a present: false parameter.

option_keys = ('domain-name', 'domain-name-servers', 'ntp-servers')

permissions = ('ec2:DescribeDhcpOptions',)

process(resources, event=None)

Bulk process resources and return filtered set.

process_vpc(vpc, dhcp)

schema = {'additionalProperties': False, 'properties': {'domain-name': {'oneOf': [{'type': 'array', 'items': {'type': 'string'}}, {'type': 'string'}]}, 'domain-name-servers': {'oneOf': [{'type': 'array', 'items': {'type': 'string'}}, {'type': 'string'}]}, 'ntp-servers': {'oneOf': [{'type': 'array', 'items': {'type': 'string'}}, {'type': 'string'}]}, 'present': {'type': 'boolean'}, 'type': {'enum': ['dhcp-options']}}, 'required': ['type'], 'type': 'object'}

type = 'dhcp-options'

validate()

validate filter config, return validation error or self

class c7n.resources.vpc.EndpointCrossAccountFilter(data, manager=None)

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

annotation_key = 'c7n:CrossAccountViolations'

permissions = ('ec2:DescribeVpcEndpoints',)

policy_attribute = 'PolicyDocument'

type = 'cross-account'

class c7n.resources.vpc.EndpointSecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'Groups[].GroupId'

type = 'security-group'

class c7n.resources.vpc.EndpointSubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'SubnetIds[]'

type = 'subnet'

class c7n.resources.vpc.EndpointVpcFilter(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

RelatedIdsExpression = 'VpcId'

type = 'vpc'

class c7n.resources.vpc.FlowLogFilter(data, manager=None)

Bases: c7n.filters.core.Filter

Are flow logs enabled on the resource.

ie to find all vpcs with flows logs disabled we can do this

Example

policies:
  - name: flow-logs-enabled
    resource: vpc
    filters:
      - flow-logs

or to find all vpcs with flow logs but that don’t match a particular configuration.

Example

policies:
  - name: flow-mis-configured
    resource: vpc
    filters:
      - not:
        - type: flow-logs
          enabled: true
          set-op: or
          op: equal
          # equality operator applies to following keys
          traffic-type: all
          status: active
          log-group: vpc-logs

permissions = ('ec2:DescribeFlowLogs',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'deliver-status': {'enum': ['success', 'failure']}, 'destination': {'type': 'string'}, 'destination-type': {'enum': ['s3', 'cloud-watch-logs']}, 'enabled': {'default': False, 'type': 'boolean'}, 'log-group': {'type': 'string'}, 'op': {'default': 'equal', 'enum': ['equal', 'not-equal']}, 'set-op': {'default': 'or', 'enum': ['or', 'and']}, 'status': {'enum': ['active']}, 'traffic-type': {'enum': ['accept', 'reject', 'all']}, 'type': {'enum': ['flow-logs']}}, 'required': ['type'], 'type': 'object'}

type = 'flow-logs'

class c7n.resources.vpc.IPPermission(data, manager=None)

Bases: c7n.resources.vpc.SGPermission

ip_permissions_key = 'IpPermissions'

schema = {'properties': {'Ports': {'items': {'type': 'integer'}, 'type': 'array'}, 'SelfReference': {'type': 'boolean'}, 'match-operator': {'enum': ['or', 'and'], 'type': 'string'}, 'type': {'enum': ['ingress']}}, 'required': ['type'], 'type': 'object'}

type = 'ingress'

class c7n.resources.vpc.IPPermissionEgress(data, manager=None)

Bases: c7n.resources.vpc.SGPermission

ip_permissions_key = 'IpPermissionsEgress'

schema = {'properties': {'SelfReference': {'type': 'boolean'}, 'match-operator': {'enum': ['or', 'and'], 'type': 'string'}, 'type': {'enum': ['egress']}}, 'required': ['type'], 'type': 'object'}

type = 'egress'

class c7n.resources.vpc.InterfaceModifyVpcSecurityGroups(data=None, manager=None, log_dir=None)

Bases: c7n.actions.network.ModifyVpcSecurityGroupsAction

Remove security groups from an interface.

Can target either physical groups as a list of group ids or symbolic groups like ‘matched’ or ‘all’. ‘matched’ uses the annotations of the ‘group’ interface filter.

Note an interface always gets at least one security group, so we also allow specification of an isolation/quarantine group that can be specified if there would otherwise be no groups.

Example

policies:
  - name: network-interface-remove-group
    resource: eni
    filters:
      - type: security-group
        match-resource: true
        key: FromPort
        value: 22
    actions:
      - type: modify-security-groups
        isolation-group: sg-01ab23c4
        add: []

permissions = ('ec2:ModifyNetworkInterfaceAttribute',)

process(resources)

type = 'modify-security-groups'

class c7n.resources.vpc.InterfaceSecurityGroupFilter(data, manager=None)

Bases: c7n.filters.vpc.SecurityGroupFilter

Network interface security group filter

Example

policies:
  - name: network-interface-ssh
    resource: eni
    filters:
      - type: security-group
        match-resource: true
        key: FromPort
        value: 22

RelatedIdsExpression = 'Groups[].GroupId'

type = 'security-group'

class c7n.resources.vpc.InterfaceSubnetFilter(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

Network interface subnet filter

Example

policies:
  - name: network-interface-in-subnet
    resource: eni
    filters:
      - type: subnet
        key: CidrBlock
        value: 10.0.2.0/24

RelatedIdsExpression = 'SubnetId'

type = 'subnet'

class c7n.resources.vpc.InterfaceVpcFilter(data, manager=None)

Bases: c7n.filters.vpc.VpcFilter

RelatedIdsExpress = 'VpcId'

type = 'vpc'

class c7n.resources.vpc.InternetGateway(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::EC2::InternetGateway'

date = None

dimension = None

enum_spec = ('describe_internet_gateways', 'InternetGateways', None)

filter_name = 'InternetGatewayIds'

filter_type = 'list'

id = 'InternetGatewayId'

id_prefix = 'igw-'

name = 'InternetGatewayId'

service = 'ec2'

type = 'internet-gateway'

type = 'internet-gateway'

class c7n.resources.vpc.KeyPair(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

detail_spec = None

dimension = None

enum_spec = ('describe_key_pairs', 'KeyPairs', None)

filter_name = 'KeyNames'

id = 'KeyName'

name = 'KeyName'

service = 'ec2'

taggable = False

type = 'key-pair'

type = 'key-pair'

class c7n.resources.vpc.MissingRoute(data, manager=None)

Bases: c7n.filters.core.Filter

Return peers which are missing a route in route tables.

If the peering connection is between two vpcs in the same account, the connection is returned unless it is in present route tables in each vpc.

If the peering connection is between accounts, then the local vpc’s route table is checked.

permissions = ('ec2:DescribeRouteTables',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['missing-route']}}, 'required': ['type'], 'type': 'object'}

type = 'missing-route'

class c7n.resources.vpc.NATGateway(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = 'CreateTime'

dimension = None

enum_spec = ('describe_nat_gateways', 'NatGateways', None)

filter_name = 'NatGatewayIds'

filter_type = 'list'

id = 'NatGatewayId'

id_prefix = 'nat-'

name = 'NatGatewayId'

service = 'ec2'

type = 'nat-gateway'

type = 'nat-gateway'

class c7n.resources.vpc.NetworkAcl(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::EC2::NetworkAcl'

date = None

dimension = None

enum_spec = ('describe_network_acls', 'NetworkAcls', None)

filter_name = 'NetworkAclIds'

filter_type = 'list'

id = 'NetworkAclId'

id_prefix = 'acl-'

name = 'NetworkAclId'

service = 'ec2'

type = 'network-acl'

type = 'network-acl'

class c7n.resources.vpc.NetworkAddress(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::EC2::EIP'

date = None

dimension = None

enum_spec = ('describe_addresses', 'Addresses', None)

filter_name = 'PublicIps'

filter_type = 'list'

id = 'AllocationId'

name = 'PublicIp'

service = 'ec2'

type = 'eip-allocation'

type = 'network-addr'

class c7n.resources.vpc.NetworkInterface(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_source(source_type)

class resource_type

Bases: object

config_type = 'AWS::EC2::NetworkInterface'

date = None

dimension = None

enum_spec = ('describe_network_interfaces', 'NetworkInterfaces', None)

filter_name = 'NetworkInterfaceIds'

filter_type = 'list'

id = 'NetworkInterfaceId'

id_prefix = 'eni-'

name = 'NetworkInterfaceId'

service = 'ec2'

type = 'eni'

type = 'eni'

class c7n.resources.vpc.PeeringConnection(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

dimension = None

enum_spec = ('describe_vpc_peering_connections', 'VpcPeeringConnections', None)

filter_name = 'VpcPeeringConnectionIds'

filter_type = 'list'

id = 'VpcPeeringConnectionId'

id_prefix = 'pcx-'

name = 'VpcPeeringConnectionId'

service = 'ec2'

type = 'vpc-peering-connection'

type = 'peering-connection'

class c7n.resources.vpc.RemovePermissions(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Action to remove ingress/egress rule(s) from a security group

Example

policies:
  - name: security-group-revoke-8080
    resource: security-group
    filters:
      - type: ingress
        IpProtocol: tcp
        Ports: [8080]
    actions:
      - type: remove-permissions
        ingress: matched

permissions = ('ec2:RevokeSecurityGroupIngress', 'ec2:RevokeSecurityGroupEgress')

process(resources)

schema = {'additionalProperties': False, 'properties': {'egress': {'enum': ['matched', 'all'], 'type': 'string'}, 'ingress': {'enum': ['matched', 'all'], 'type': 'string'}, 'type': {'enum': ['remove-permissions']}}, 'required': ['type'], 'type': 'object'}

type = 'remove-permissions'

class c7n.resources.vpc.Route(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter a route table by its routes’ attributes.

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['route']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'route'

class c7n.resources.vpc.RouteTable(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = None

dimension = None

enum_spec = ('describe_route_tables', 'RouteTables', None)

filter_name = 'RouteTableIds'

filter_type = 'list'

id = 'RouteTableId'

id_prefix = 'rtb-'

name = 'RouteTableId'

service = 'ec2'

type = 'route-table'

type = 'route-table'

class c7n.resources.vpc.SGDefaultVpc(data, manager=None)

Bases: c7n.filters.vpc.DefaultVpcBase

Filter that returns any security group that exists within the default vpc

Example

policies:
  - name: security-group-default-vpc
    resource: security-group
    filters:
      - default-vpc

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['default-vpc']}}, 'required': ['type'], 'type': 'object'}

type = 'default-vpc'

class c7n.resources.vpc.SGPermission(data, manager=None)

Bases: c7n.filters.core.Filter

Filter for verifying security group ingress and egress permissions

All attributes of a security group permission are available as value filters.

If multiple attributes are specified the permission must satisfy all of them. Note that within an attribute match against a list value of a permission we default to or.

If a group has any permissions that match all conditions, then it matches the filter.

Permissions that match on the group are annotated onto the group and can subsequently be used by the remove-permission action.

We have specialized handling for matching Ports in ingress/egress permission From/To range. The following example matches on ingress rules which allow for a range that includes all of the given ports.

- type: ingress
  Ports: [22, 443, 80]

As well for verifying that a rule only allows for a specific set of ports as in the following example. The delta between this and the previous example is that if the permission allows for any ports not specified here, then the rule will match. ie. OnlyPorts is a negative assertion match, it matches when a permission includes ports outside of the specified set.

- type: ingress
  OnlyPorts: [22]

For simplifying ipranges handling which is specified as a list on a rule we provide a Cidr key which can be used as a value type filter evaluated against each of the rules. If any iprange cidr match then the permission matches.

- type: ingress
  IpProtocol: -1
  FromPort: 445

We also have specialized handling for matching self-references in ingress/egress permissions. The following example matches on ingress rules which allow traffic its own same security group.

- type: ingress
  SelfReference: True

As well for assertions that a ingress/egress permission only matches a given set of ports, note OnlyPorts is an inverse match.

- type: egress
  OnlyPorts: [22, 443, 80]

- type: egress
  Cidr:
    value_type: cidr
    op: in
    value: x.y.z

Cidr can match ipv4 rules and CidrV6 can match ipv6 rules. In this example we are blocking global inbound connections to SSH or RDP.

- type: ingress
  Ports: [22, 3389]
  Cidr:
    value:
      - "0.0.0.0/0"
      - "::/0"
    op: in

attrs = {'Cidr', 'CidrV6', 'Description', 'FromPort', 'IpProtocol', 'IpRanges', 'OnlyPorts', 'Ports', 'PrefixListIds', 'SelfReference', 'ToPort', 'UserIdGroupPairs', 'match-operator'}

expand_permissions(permissions)

Expand each list of cidr, prefix list, user id group pair by port/protocol as an individual rule.

The console ux automatically expands them out as addition/removal is per this expansion, the describe calls automatically group them.

filter_attrs = {'Cidr', 'CidrV6', 'Description', 'OnlyPorts', 'Ports', 'SelfReference'}

perm_attrs = {'FromPort', 'IpProtocol', 'IpRanges', 'PrefixListIds', 'ToPort', 'UserIdGroupPairs'}

process(resources, event=None)

Bulk process resources and return filtered set.

process_cidrs(perm)

process_description(perm)

process_ports(perm)

process_self_reference(perm, sg_id)

validate()

validate filter config, return validation error or self

class c7n.resources.vpc.SGUsage(data, manager=None)

Bases: c7n.filters.core.Filter

filter_peered_refs(resources)

get_eni_sgs()

get_lambda_sgs()

get_launch_config_sgs()

get_permissions()

get_sg_refs()

scan_groups()

class c7n.resources.vpc.SecurityGroup(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

get_source(source_type)

class resource_type

Bases: object

config_type = 'AWS::EC2::SecurityGroup'

date = None

detail_spec = None

dimension = None

enum_spec = ('describe_security_groups', 'SecurityGroups', None)

filter_name = 'GroupIds'

filter_type = 'list'

id = 'GroupId'

id_prefix = 'sg-'

name = 'GroupId'

service = 'ec2'

type = 'security-group'

type = 'security-group'

class c7n.resources.vpc.SecurityGroupApplyPatch(data=None, manager=None, log_dir=None)

Bases: c7n.actions.core.Action

Modify a resource via application of a reverse delta.

permissions = ('ec2:AuthorizeSecurityGroupIngress', 'ec2:AuthorizeSecurityGroupEgress', 'ec2:RevokeSecurityGroupIngress', 'ec2:RevokeSecurityGroupEgress', 'ec2:CreateTags', 'ec2:DeleteTags')

process(resources)

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['patch']}}, 'required': ['type'], 'type': 'object'}

type = 'patch'

validate()

class c7n.resources.vpc.SecurityGroupDiff

Bases: object

Diff two versions of a security group

Immutable: GroupId, GroupName, Description, VpcId, OwnerId Mutable: Tags, Rules

RULE_ATTRS = (('PrefixListIds', 'PrefixListId'), ('UserIdGroupPairs', 'GroupId'), ('IpRanges', 'CidrIp'), ('Ipv6Ranges', 'CidrIpv6'))

compute_rule_hash(rule)

diff(source, target)

get_rule_delta(key, source, target)

get_tag_delta(source, target)

class c7n.resources.vpc.SecurityGroupDiffFilter(data, manager=None)

Bases: c7n.filters.revisions.Diff

diff(source, target)

type = 'diff'

class c7n.resources.vpc.SecurityGroupLockedFilter(data, manager=None)

Bases: c7n.filters.locked.Locked

get_parent_id(resource, account_id)

type = 'locked'

class c7n.resources.vpc.SecurityGroupPatch

Bases: object

RULE_TYPE_MAP = {'egress': ('IpPermissionsEgress', 'revoke_security_group_egress', 'authorize_security_group_egress'), 'ingress': ('IpPermissions', 'revoke_security_group_ingress', 'authorize_security_group_ingress')}

apply_delta(client, target, change_set)

process_rules(client, rule_type, group, delta)

process_tags(client, group, tag_delta)

static retry(func, *args, **kw)

class c7n.resources.vpc.Stale(data, manager=None)

Bases: c7n.filters.core.Filter

Filter to find security groups that contain stale references to other groups that are either no longer present or traverse a broken vpc peering connection. Note this applies to VPC Security groups only and will implicitly filter security groups.

AWS Docs:

https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

Example

policies:
  - name: stale-security-groups
    resource: security-group
    filters:
      - stale

permissions = ('ec2:DescribeStaleSecurityGroups',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['stale']}}, 'required': ['type'], 'type': 'object'}

type = 'stale'

class c7n.resources.vpc.Subnet(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::EC2::Subnet'

date = None

dimension = None

enum_spec = ('describe_subnets', 'Subnets', None)

filter_name = 'SubnetIds'

filter_type = 'list'

id = 'SubnetId'

id_prefix = 'subnet-'

name = 'SubnetId'

service = 'ec2'

type = 'subnet'

type = 'subnet'

class c7n.resources.vpc.SubnetRoute(data, manager=None)

Bases: c7n.filters.vpc.SubnetFilter

Filter a route table by its associated subnet attributes.

RelatedIdsExpression = 'Associations[].SubnetId'

RelatedMapping = None

get_related(resources)

get_related_ids(resources)

type = 'subnet'

class c7n.resources.vpc.TransitAttachmentSource(manager)

Bases: c7n.query.ChildDescribeSource

resource_query_factory

alias of TransitGatewayAttachmentQuery

type = 'transit-attachment'

class c7n.resources.vpc.TransitGateway(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = 'TransitGatewayArn'

dimension = None

enum_spec = ('describe_transit_gateways', 'TransitGateways', None)

filter_name = 'TransitGatewayIds'

filter_type = 'list'

id = 'TransitGatewayId'

name = 'TransitGatewayId'

service = 'ec2'

type = 'transit-gateway'

class c7n.resources.vpc.TransitGatewayAttachment(data, options)

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

child_source = 'transit-attachment'

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

arn = False

dimension = None

enum_spec = ('describe_transit_gateway_attachments', 'TransitGatewayAttachments', None)

filter_name = None

filter_type = None

id = 'TransitGatewayAttachmentId'

name = 'TransitGatewayAttachmentId'

parent_spec = ('transit-gateway', 'transit-gateway-id', None)

service = 'ec2'

type = 'transit-attachment'

class c7n.resources.vpc.TransitGatewayAttachmentQuery(session_factory, manager)

Bases: c7n.query.ChildResourceQuery

get_parent_parameters(params, parent_id, parent_key)

class c7n.resources.vpc.UnusedSecurityGroup(data, manager=None)

Bases: c7n.resources.vpc.SGUsage

Filter to just vpc security groups that are not used.

We scan all extant enis in the vpc to get a baseline set of groups in use. Then augment with those referenced by launch configs, and lambdas as they may not have extant resources in the vpc at a given moment. We also find any security group with references from other security group either within the vpc or across peered connections.

Note this filter does not support classic security groups atm.

Example

policies:
  - name: security-groups-unused
    resource: security-group
    filters:
      - unused

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['unused']}}, 'required': ['type'], 'type': 'object'}

type = 'unused'

class c7n.resources.vpc.UsedSecurityGroup(data, manager=None)

Bases: c7n.resources.vpc.SGUsage

Filter to security groups that are used.

This operates as a complement to the unused filter for multi-step workflows.

Example

policies:
  - name: security-groups-in-use
    resource: security-group
    filters:
      - used

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['used']}}, 'required': ['type'], 'type': 'object'}

type = 'used'

class c7n.resources.vpc.VPNConnection(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::EC2::VPNConnection'

date = None

dimension = None

enum_spec = ('describe_vpn_connections', 'VpnConnections', None)

filter_name = 'VpnConnectionIds'

filter_type = 'list'

id = 'VpnConnectionId'

id_prefix = 'vpn-'

name = 'VpnConnectionId'

service = 'ec2'

type = 'vpc-connection'

type = 'vpn-connection'

class c7n.resources.vpc.VPNGateway(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::EC2::VPNGateway'

date = None

dimension = None

enum_spec = ('describe_vpn_gateways', 'VpnGateways', None)

filter_name = 'VpnGatewayIds'

filter_type = 'list'

id = 'VpnGatewayId'

id_prefix = 'vgw-'

name = 'VpnGatewayId'

service = 'ec2'

type = 'vpc-gateway'

type = 'vpn-gateway'

class c7n.resources.vpc.Vpc(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::EC2::VPC'

date = None

dimension = None

enum_spec = ('describe_vpcs', 'Vpcs', None)

filter_name = 'VpcIds'

filter_type = 'list'

id = 'VpcId'

id_prefix = 'vpc-'

name = 'VpcId'

service = 'ec2'

type = 'vpc'

type = 'vpc'

class c7n.resources.vpc.VpcEndpoint(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

date = 'CreationTimestamp'

dimension = None

enum_spec = ('describe_vpc_endpoints', 'VpcEndpoints', None)

filter_name = 'VpcEndpointIds'

filter_type = 'list'

id = 'VpcEndpointId'

id_prefix = 'vpce-'

name = 'VpcEndpointId'

service = 'ec2'

taggable = False

type = 'vpc-endpoint'

type = 'vpc-endpoint'

class c7n.resources.vpc.VpcInternetGatewayFilter(data, manager=None)

Bases: c7n.filters.related.RelatedResourceFilter

Filter VPCs based on Internet Gateway attributes

Example

policies:
  - name: gray-vpcs
    resource: vpc
    filters:
      - type: internet-gateway
        key: tag:Color
        value: Gray

AnnotationKey = 'MatchedVpcsIgws'

RelatedIdsExpression = '[InternetGateways][].InternetGatewayId'

RelatedResource = 'c7n.resources.vpc.InternetGateway'

get_related_ids(resources)

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'match-resource': {'type': 'boolean'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'operator': {'enum': ['and', 'or']}, 'type': {'enum': ['internet-gateway']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'internet-gateway'

class c7n.resources.vpc.VpcNatGatewayFilter(data, manager=None)

Bases: c7n.filters.related.RelatedResourceFilter

Filter VPCs based on NAT Gateway attributes

Example

policies:
  - name: gray-vpcs
    resource: vpc
    filters:
      - type: nat-gateway
        key: tag:Color
        value: Gray

AnnotationKey = 'MatchedVpcsNatGateways'

RelatedIdsExpression = '[NatGateways][].NatGatewayId'

RelatedResource = 'c7n.resources.vpc.NATGateway'

get_related_ids(resources)

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'match-resource': {'type': 'boolean'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'operator': {'enum': ['and', 'or']}, 'type': {'enum': ['nat-gateway']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'nat-gateway'

class c7n.resources.vpc.VpcSecurityGroupFilter(data, manager=None)

Bases: c7n.filters.related.RelatedResourceFilter

Filter VPCs based on Security Group attributes

Example

policies:
  - name: gray-vpcs
    resource: vpc
    filters:
      - type: security-group
        key: tag:Color
        value: Gray

AnnotationKey = 'matched-vpcs'

RelatedIdsExpression = '[SecurityGroups][].GroupId'

RelatedResource = 'c7n.resources.vpc.SecurityGroup'

get_related_ids(resources)

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'match-resource': {'type': 'boolean'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'operator': {'enum': ['and', 'or']}, 'type': {'enum': ['security-group']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'security-group'

class c7n.resources.vpc.VpcSubnetFilter(data, manager=None)

Bases: c7n.filters.related.RelatedResourceFilter

Filter VPCs based on Subnet attributes

Example

policies:
  - name: gray-vpcs
    resource: vpc
    filters:
      - type: subnet
        key: tag:Color
        value: Gray

AnnotationKey = 'MatchedVpcsSubnets'

RelatedIdsExpression = '[Subnets][].SubnetId'

RelatedResource = 'c7n.resources.vpc.Subnet'

get_related_ids(resources)

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'match-resource': {'type': 'boolean'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'operator': {'enum': ['and', 'or']}, 'type': {'enum': ['subnet']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'subnet'

c7n.resources.waf module

class c7n.resources.waf.RegionalWAF(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::WAFRegional::WebACL'

detail_spec = ('get_web_acl', 'WebACLId', 'WebACLId', 'WebACL')

dimension = 'WebACL'

enum_spec = ('list_web_acls', 'WebACLs', None)

filter_name = None

id = 'WebACLId'

name = 'Name'

service = 'waf-regional'

type = 'webacl'

type = 'waf-regional'

class c7n.resources.waf.WAF(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

filter_registry = <c7n.filters.core.FilterRegistry object>

class resource_type

Bases: object

config_type = 'AWS::WAF::WebACL'

detail_spec = ('get_web_acl', 'WebACLId', 'WebACLId', 'WebACL')

dimension = 'WebACL'

enum_spec = ('list_web_acls', 'WebACLs', None)

filter_name = None

id = 'WebACLId'

name = 'Name'

service = 'waf'

type = 'webacl'

type = 'waf'

c7n.resources.workspaces module

class c7n.resources.workspaces.Workspace(data, options)

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>

augment(resources)

filter_registry = <c7n.filters.core.FilterRegistry object>

generate_arn

Generates generic arn if ID is not already arn format.

class resource_type

Bases: object

dimension = 'WorkspaceId'

enum_spec = ('describe_workspaces', 'Workspaces', None)

filter_name = None

id = 'WorkspaceId'

name = 'WorkspaceId'

service = 'workspaces'

type = 'workspace'

type = 'workspaces'

class c7n.resources.workspaces.WorkspaceConnectionStatusFilter(data, manager=None)

Bases: c7n.filters.core.ValueFilter

Filter Workspaces based on user connection information

Example

policies:

  - name: workspaces-abandoned
    resource: workspaces
    filters:
      - type: connection-status
        value_type: age
        key: LastKnownUserConnectionTimestamp
        op: ge
        value: 90

  - name: workspaces-expensive-zombies
    resource: workspaces
    filters:
      - "WorkspaceProperties.RunningMode": ALWAYS_ON
      - type: connection-status
        value_type: age
        key: LastKnownUserConnectionTimestamp
        op: ge
        value: 30

annotation_key = 'c7n:ConnectionStatus'

get_connection_status(client, workspace_ids)

get_resource_value(k, i)

permissions = ('workspaces:DescribeConnectionStatus',)

process(resources, event=None)

Bulk process resources and return filtered set.

schema = {'additionalProperties': False, 'properties': {'default': {'type': 'object'}, 'key': {'type': 'string'}, 'op': {'$ref': '#/definitions/filters_common/comparison_operators'}, 'type': {'enum': ['connection-status']}, 'value': {'$ref': '#/definitions/filters_common/value'}, 'value_from': {'$ref': '#/definitions/filters_common/value_from'}, 'value_type': {'$ref': '#/definitions/filters_common/value_types'}}, 'required': ['type'], 'type': 'object'}

type = 'connection-status'

Module contents

c7n.resources.load_resources()