c7n.resources package

Submodules

c7n.resources.account module

AWS Account as a custodian resource.

class c7n.resources.account.Account(ctx, data)[source]

Bases: c7n.manager.ResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
get_model()[source]
classmethod get_permissions()[source]
get_resources(resource_ids)[source]
class resource_type[source]

Bases: object

filter_name = None
id = u'account_id'
name = u'account_name'
resources()[source]
type = u'account'
class c7n.resources.account.AccountCredentialReport(data, manager=None)[source]

Bases: c7n.resources.iam.CredentialReport

process(resources, event=None)[source]
type = u'credential'
class c7n.resources.account.AccountPasswordPolicy(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

Check an account’s password policy.

Note that on top of the default password policy fields, we also add an extra key, PasswordPolicyConfigured which will be set to true or false to signify if the given account has attempted to set a policy at all.

Example:
policies:
  - name: password-policy-check
    resource: account
    region: us-east-1
    filters:
      - type: password-policy
        key: MinimumPasswordLength
        value: 10
        op: ge
      - type: password-policy
        key: RequireSymbols
        value: true
permissions = (u'iam:GetAccountPasswordPolicy',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'password-policy']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'password-policy'
class c7n.resources.account.CloudTrailEnabled(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Verify cloud trail enabled for this account per specifications.

Returns an annotated account resource if trail is not enabled.

Of particular note, the current-region option will evaluate whether cloudtrail is available in the current region, either as a multi region trail or as a trail with it as the home region.

Example:
policies:
  - name: account-cloudtrail-enabled
    resource: account
    region: us-east-1
    filters:
      - type: check-cloudtrail
        global-events: true
        multi-region: true
        running: true
permissions = (u'cloudtrail:DescribeTrails', u'cloudtrail:GetTrailStatus')
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'kms': {u'type': u'boolean'}, u'current-region': {u'type': u'boolean'}, u'kms-key': {u'type': u'string'}, u'file-digest': {u'type': u'boolean'}, u'multi-region': {u'type': u'boolean'}, u'type': {u'enum': [u'check-cloudtrail']}, u'notifies': {u'type': u'boolean'}, u'global-events': {u'type': u'boolean'}, u'running': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'check-cloudtrail'
class c7n.resources.account.ConfigEnabled(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Is config service enabled for this account

Example:
policies:
  - name: account-check-config-services
    resource: account
    region: us-east-1
    filters:
      - type: check-config
        all-resources: true
        global-resources: true
        running: true
permissions = (u'config:DescribeDeliveryChannels', u'config:DescribeConfigurationRecorders', u'config:DescribeConfigurationRecorderStatus')
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'check-config']}, u'running': {u'type': u'boolean'}, u'all-resources': {u'type': u'boolean'}, u'global-resources': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'check-config'
class c7n.resources.account.EnableDataEvents(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Ensure all buckets in account are setup to log data events.

Note this works via a single trail for data events per (https://goo.gl/1ux7RG).

This trail should NOT be used for api management events, the configuration here is soley for data events. If directed to create a trail this will do so without management events.

Example:
policies:
  - name: s3-enable-data-events-logging
    resource: account
    actions:
     - type: enable-data-events
       data-trail:
         name: s3-events
         multi-region: us-east-1
add_data_trail(client, trail_cfg)[source]
get_permissions()[source]
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'enable-data-events']}, u'data-trail': {u'required': [u'name'], u'type': u'object', u'additionalProperties': False, u'properties': {u's3-prefix': {u'type': u'string'}, u'type': {u'enum': [u'ReadOnly', u'WriteOnly', u'All']}, u'create': {u'title': u'Should we create trail if needed for events?', u'type': u'boolean'}, u'multi-region': {u'title': u'If creating, use this region for all data trails', u'type': u'string'}, u'name': {u'title': u'The name of the event trail', u'type': u'string'}, u'topic': {u'title': u'If creating, the sns topic for the trail to send updates', u'type': u'string'}, u's3-bucket': {u'title': u'If creating, the bucket to store trail event data', u'type': u'string'}, u'key-id': {u'title': u'If creating, Enable kms on the trail', u'type': u'string'}}}}, u'required': [u'data-trail', u'type'], u'type': u'object'}
type = u'enable-data-events'
validate()[source]
class c7n.resources.account.EnableTrail(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Enables logging on the trail(s) named in the policy

Example:
policies:
  - name: trail-test
    description: Ensure CloudTrail logging is enabled
    resource: account
    actions:
      - type: enable-cloudtrail
        trail: mytrail
        bucket: trails
permissions = (u'cloudtrail:CreateTrail', u'cloudtrail:DescribeTrails', u'cloudtrail:GetTrailStatus', u'cloudtrail:StartLogging', u'cloudtrail:UpdateTrail', u's3:CreateBucket', u's3:GetBucketPolicy', u's3:PutBucketPolicy')
process(accounts)[source]

Create or enable CloudTrail

schema = {u'additionalProperties': False, u'properties': {u'file-digest': {u'type': u'boolean'}, u'notify': {u'type': u'string'}, u'bucket': {u'type': u'string'}, u'kms-key': {u'type': u'string'}, u'kms': {u'type': u'boolean'}, u'multi-region': {u'type': u'boolean'}, u'type': {u'enum': [u'enable-cloudtrail']}, u'global-events': {u'type': u'boolean'}, u'trail': {u'type': u'string'}, u'bucket-region': {u'type': u'string'}}, u'required': (u'bucket',), u'type': u'object'}
type = u'enable-cloudtrail'
class c7n.resources.account.HasVirtualMFA(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Is the account configured with a virtual MFA device?

Example:
policies:
    - name: account-with-virtual-mfa
      resource: account
      region: us-east-1
      filters:
        - type: has-virtual-mfa
          value: true
account_has_virtual_mfa(account)[source]
mfa_belongs_to_root_account(mfa)[source]
permissions = (u'iam:ListVirtualMFADevices',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'has-virtual-mfa']}, u'value': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'has-virtual-mfa'
class c7n.resources.account.IAMSummary(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

Return annotated account resource if iam summary filter matches.

Some use cases include, detecting root api keys or mfa usage.

Example iam summary wrt to matchable fields:

{
      "AccessKeysPerUserQuota": 2,
      "AccountAccessKeysPresent": 0,
      "AccountMFAEnabled": 1,
      "AccountSigningCertificatesPresent": 0,
      "AssumeRolePolicySizeQuota": 2048,
      "AttachedPoliciesPerGroupQuota": 10,
      "AttachedPoliciesPerRoleQuota": 10,
      "AttachedPoliciesPerUserQuota": 10,
      "GroupPolicySizeQuota": 5120,
      "Groups": 1,
      "GroupsPerUserQuota": 10,
      "GroupsQuota": 100,
      "InstanceProfiles": 0,
      "InstanceProfilesQuota": 100,
      "MFADevices": 3,
      "MFADevicesInUse": 2,
      "Policies": 3,
      "PoliciesQuota": 1000,
      "PolicySizeQuota": 5120,
      "PolicyVersionsInUse": 5,
      "PolicyVersionsInUseQuota": 10000,
      "Providers": 0,
      "RolePolicySizeQuota": 10240,
      "Roles": 4,
      "RolesQuota": 250,
      "ServerCertificates": 0,
      "ServerCertificatesQuota": 20,
      "SigningCertificatesPerUserQuota": 2,
      "UserPolicySizeQuota": 2048,
      "Users": 5,
      "UsersQuota": 5000,
      "VersionsPerPolicyQuota": 5,
  }

For example to determine if an account has either not been enabled with root mfa or has root api keys.

policies:
  - name: root-keys-or-no-mfa
    resource: account
    filters:
      - type: iam-summary
        key: AccountMFAEnabled
        value: true
        op: eq
        value_type: swap
permissions = (u'iam:GetAccountSummary',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'iam-summary']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'iam-summary'
class c7n.resources.account.RequestLimitIncrease(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

File support ticket to raise limit.

Example:
policies:
  - name: account-service-limits
    resource: account
    filters:
      - type: service-limit
        services:
          - EBS
        limits:
          - Provisioned IOPS (SSD) storage (GiB)
        threshold: 60.5
    actions:
      - type: request-limit-increase
        notify: [email, email2]
        ## You can use one of either percent-increase or an amount-increase.
        percent-increase: 50
        message: "Please raise the below account limit(s); \n {limits}"
default_severity = u'normal'
default_subject = u'[Account:{account}]Raise the following limit(s) of {service} in {region}'
default_template = u'Please raise the below account limit(s); \n {limits}'
permissions = (u'support:CreateCase',)
process(resources)[source]
schema = {u'notify': {u'type': u'array'}, u'oneOf': [{u'required': [u'type', u'percent-increase']}, {u'required': [u'type', u'amount-increase']}], u'properties': {u'subject': {u'type': u'string'}, u'type': {u'enum': [u'request-limit-increase']}, u'message': {u'type': u'string'}, u'severity': {u'type': u'string', u'enum': [u'urgent', u'high', u'normal', u'low']}, u'amount-increase': {u'type': u'number', u'minimum': 1}, u'percent-increase': {u'type': u'number', u'minimum': 1}}, u'type': u'object'}
service_code_mapping = {u'AutoScaling': u'auto-scaling', u'CloudFormation': u'aws-cloudformation', u'EBS': u'amazon-elastic-block-store', u'EC2': u'amazon-elastic-compute-cloud-linux', u'ELB': u'elastic-load-balancing', u'IAM': u'aws-identity-and-access-management', u'RDS': u'amazon-relational-database-service-aurora', u'VPC': u'amazon-virtual-private-cloud'}
type = u'request-limit-increase'
class c7n.resources.account.ServiceLimit(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Check if account’s service limits are past a given threshold.

Supported limits are per trusted advisor, which is variable based on usage in the account and support level enabled on the account.

  • service: AutoScaling limit: Auto Scaling groups
  • service: AutoScaling limit: Launch configurations
  • service: EBS limit: Active snapshots
  • service: EBS limit: Active volumes
  • service: EBS limit: General Purpose (SSD) volume storage (GiB)
  • service: EBS limit: Magnetic volume storage (GiB)
  • service: EBS limit: Provisioned IOPS
  • service: EBS limit: Provisioned IOPS (SSD) storage (GiB)
  • service: EC2 limit: Elastic IP addresses (EIPs)

# Note this is extant for each active instance type in the account # however the total value is against sum of all instance types. # see issue https://github.com/capitalone/cloud-custodian/issues/516

  • service: EC2 limit: On-Demand instances - m3.medium
  • service: EC2 limit: Reserved Instances - purchase limit (monthly)
  • service: ELB limit: Active load balancers
  • service: IAM limit: Groups
  • service: IAM limit: Instance profiles
  • service: IAM limit: Roles
  • service: IAM limit: Server certificates
  • service: IAM limit: Users
  • service: RDS limit: DB instances
  • service: RDS limit: DB parameter groups
  • service: RDS limit: DB security groups
  • service: RDS limit: DB snapshots per user
  • service: RDS limit: Storage quota (GB)
  • service: RDS limit: Internet gateways
  • service: SES limit: Daily sending quota
  • service: VPC limit: VPCs
  • service: VPC limit: VPC Elastic IP addresses (EIPs)
Example:
policies:
  - name: account-service-limits
    resource: account
    filters:
      - type: service-limit
        services:
          - EC2
        threshold: 1.0
  - name: specify-region-for-global-service
    region: us-east-1
    resource: account
    filters:
      - type: service-limit
        services:
          - IAM
        limits:
          - Roles
check_id = u'eW7HH0l7J9'
check_limit = (u'region', u'service', u'check', u'limit', u'extant', u'color')
global_services = set([u'IAM'])
permissions = (u'support:DescribeTrustedAdvisorCheckResult',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'service-limit']}, 'limits': {u'type': u'array', u'items': {u'type': u'string'}}, 'services': {u'type': u'array', u'items': {u'enum': [u'EC2', u'ELB', u'VPC', u'AutoScaling', u'RDS', u'EBS', u'SES', u'IAM']}}, 'threshold': {u'type': u'number'}, 'refresh_period': {u'type': u'integer'}}, u'required': [u'type'], u'type': u'object'}
type = u'service-limit'
validate()[source]
class c7n.resources.account.SetShieldAdvanced(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Enable/disable Shield Advanced on an account.

permissions = (u'shield:CreateSubscription', u'shield:DeleteSubscription')
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {'state': {u'type': u'boolean'}, u'type': {u'enum': [u'set-shield-advanced']}}, u'required': [u'type'], u'type': u'object'}
type = u'set-shield-advanced'
class c7n.resources.account.ShieldEnabled(data, manager=None)[source]

Bases: c7n.filters.core.Filter

permissions = (u'shield:DescribeSubscription',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {'state': {u'type': u'boolean'}, u'type': {u'enum': [u'shield-enabled']}}, u'required': [u'type'], u'type': u'object'}
type = u'shield-enabled'
c7n.resources.account.cloudtrail_policy(original, bucket_name, account_id)[source]

add CloudTrail permissions to an S3 policy, preserving existing

c7n.resources.account.get_account(session_factory, config)[source]

c7n.resources.acm module

class c7n.resources.acm.Certificate(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

config_type = u'AWS::ACM::Certificate'
date = u'CreatedAt'
detail_spec = (u'describe_certificate', u'CertificateArn', u'CertificateArn', u'Certificate')
dimension = None
enum_spec = (u'list_certificates', u'CertificateSummaryList', None)
filter_name = None
id = u'CertificateArn'
name = u'DomainName'
service = u'acm'
type = u'acm-certificate'

c7n.resources.ami module

class c7n.resources.ami.AMI(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

date = u'CreationDate'
detail_spec = None
dimension = None
enum_spec = (u'describe_images', u'Images', None)
filter_name = u'ImageIds'
filter_type = u'list'
id = u'ImageId'
name = u'Name'
service = u'ec2'
type = u'image'
resources(query=None)[source]
type = u'ami'
class c7n.resources.ami.AmiCrossAccountFilter(data, manager=None)[source]

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = (u'ec2:DescribeImageAttribute',)
process(resources, event=None)[source]
process_resource_set(client, accounts, resource_set)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'cross-account']}, 'whitelist': {u'type': u'array', u'items': {u'type': u'string'}}, 'whitelist_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}}, u'required': [u'type'], u'type': u'object'}
type = u'cross-account'
class c7n.resources.ami.Copy(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to copy AMIs with optional encryption

This action can copy AMIs while optionally encrypting or decrypting the target AMI. It is advised to use in conjunction with a filter.

Example:
policies:
  - name: ami-ensure-encrypted
    resource: ami
    filters:
      - not:
        - type: encrypted
    actions:
      - type: copy
        encrypt: true
        key-id: 00000000-0000-0000-0000-000000000000
permissions = (u'ec2:CopyImage',)
process(images)[source]
schema = {u'additionalProperties': False, u'properties': {u'description': {u'type': u'string'}, u'encrypt': {u'type': u'boolean'}, u'type': {u'enum': [u'copy']}, u'name': {u'type': u'string'}, u'region': {u'type': u'string'}, u'key-id': {u'type': u'string'}}, u'type': u'object'}
type = u'copy'
class c7n.resources.ami.Deregister(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to deregister AMI

To prevent deregistering all AMI, it is advised to use in conjunction with a filter (such as image-age)

Example:
policies:
  - name: ami-deregister-old
    resource: ami
    filters:
      - type: image-age
        days: 90
    actions:
      - deregister
permissions = (u'ec2:DeregisterImage',)
process(images)[source]
process_image(image)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'deregister']}}, u'required': [u'type'], u'type': u'object'}
type = u'deregister'
class c7n.resources.ami.ImageAgeFilter(data, manager=None)[source]

Bases: c7n.filters.core.AgeFilter

Filters images based on the age (in days)

Example:
policies:
  - name: ami-remove-launch-permissions
    resource: ami
    filters:
      - type: image-age
        days: 30
date_attribute = u'CreationDate'
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'image-age']}, 'op': {u'type': u'string', u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}, 'days': {u'type': u'number', u'minimum': 0}}, u'required': [u'type'], u'type': u'object'}
type = u'image-age'
class c7n.resources.ami.ImageUnusedFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Filters images based on usage

true: image has no instances spawned from it false: image has instances spawned from it

Example:
policies:
  - name: ami-unused
    resource: ami
    filters:
      - type: unused
        value: true
get_permissions()[source]
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'unused']}, 'value': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'unused'
class c7n.resources.ami.RemoveLaunchPermissions(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to remove the ability to launch an instance from an AMI

This action will remove any launch permissions granted to other AWS accounts from the image, leaving only the owner capable of launching it

Example:
policies:
  - name: ami-remove-launch-permissions
    resource: ami
    filters:
      - type: image-age
        days: 60
    actions:
      - remove-launch-permissions
permissions = (u'ec2:ResetImageAttribute',)
process(images)[source]
process_image(image)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'remove-launch-permissions']}}, u'required': [u'type'], u'type': u'object'}
type = u'remove-launch-permissions'

c7n.resources.apigw module

class c7n.resources.apigw.DescribeRestResource(manager)[source]

Bases: c7n.query.ChildDescribeSource

augment(resources)[source]
get_query()[source]
type = u'describe-rest-resource'
class c7n.resources.apigw.DescribeRestStage(manager)[source]

Bases: c7n.query.ChildDescribeSource

augment(resources)[source]
get_query()[source]
type = u'describe-rest-stage'
class c7n.resources.apigw.FilterRestMethod(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

Filter rest resources based on a key value for the rest method of the api

Example:
policies:
  - name: api-without-key-required
    resource: rest-resource
    filters:
      - type: rest-method
        key: apiKeyRequired
        value: false
permissions = (u'apigateway:GET',)
process(resources, event=None)[source]
process_task_set(client, task_set)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'rest-method']}, 'method': {u'type': u'string', u'enum': [u'all', u'ANY', u'PUT', u'GET', u'POST', u'DELETE', u'OPTIONS', u'HEAD', u'PATCH']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'rest-method'
class c7n.resources.apigw.RestAPI(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

date = u'createdDate'
dimension = u'GatewayName'
enum_spec = (u'get_rest_apis', u'items', None)
filter_name = None
id = u'id'
name = u'name'
service = u'apigateway'
type = u'restapis'
type = u'rest-api'
class c7n.resources.apigw.RestAccount(ctx, data)[source]

Bases: c7n.manager.ResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
get_model()[source]
classmethod get_permissions()[source]
get_resources(resource_ids)[source]
class resource_type[source]

Bases: object

dimensions = None
id = u'account_id'
name = u'account_id'
service = u'apigateway'
resources()[source]
type = u'rest-account'
class c7n.resources.apigw.RestResource(data, options)[source]

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.ActionRegistry object>
child_source = u'describe-rest-resource'
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'get_resources', u'items', None)
id = u'id'
name = u'path'
parent_spec = (u'rest-api', u'restApiId', None)
service = u'apigateway'
type = u'rest-resource'
class c7n.resources.apigw.RestStage(data, options)[source]

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.ActionRegistry object>
child_source = u'describe-rest-stage'
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

date = u'createdDate'
dimension = None
enum_spec = (u'get_stages', u'item', None)
id = u'stageName'
name = u'stageName'
parent_spec = (u'rest-api', u'restApiId', None)
service = u'apigateway'
type = u'rest-stage'
class c7n.resources.apigw.UpdateAccount(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Update the cloudwatch role associated to a rest account

Example:
policies:
  - name: correct-rest-account-log-role
    resource: rest-account
    filters:
      - cloudwatchRoleArn: arn:aws:iam::000000000000:role/GatewayLogger
    actions:
      - type: update
        patch:
          - op: replace
            path: /cloudwatchRoleArn
            value: arn:aws:iam::000000000000:role/BetterGatewayLogger
permissions = (u'apigateway:PATCH',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'update']}, 'patch': {u'type': u'array', u'items': {u'required': [u'op', u'path'], u'type': u'object', u'additonalProperties': False, u'properties': {u'value': {u'type': u'string'}, u'op': {u'enum': [u'add', u'remove', u'update', u'copy', u'replace', u'test']}, u'from': {u'type': u'string'}, u'path': {u'type': u'string'}}}}}, u'required': [u'patch', u'type'], u'type': u'object'}
type = u'update'
class c7n.resources.apigw.UpdateRestMethod(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Change or remove api method behaviors based on key value

Example:
permissions = (u'apigateway:GET',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'update-method']}, 'patch': {u'type': u'array', u'items': {u'required': [u'op', u'path'], u'type': u'object', u'additonalProperties': False, u'properties': {u'value': {u'type': u'string'}, u'op': {u'enum': [u'add', u'remove', u'update', u'copy', u'replace', u'test']}, u'from': {u'type': u'string'}, u'path': {u'type': u'string'}}}}}, u'required': [u'patch', u'type'], u'type': u'object'}
type = u'update-method'
validate()[source]
class c7n.resources.apigw.UpdateStage(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Update/remove values of an api stage

Example:
policies:
  - name: disable-stage-caching
    resource: rest-stage
    filters:
      - methodSettings."*/*".cachingEnabled: true
    actions:
      - type: update
        patch:
          - op: replace
            path: /*/*/caching/enabled
            value: 'false'
permissions = (u'apigateway:PATCH',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'update']}, 'patch': {u'type': u'array', u'items': {u'required': [u'op', u'path'], u'type': u'object', u'additonalProperties': False, u'properties': {u'value': {u'type': u'string'}, u'op': {u'enum': [u'add', u'remove', u'update', u'copy', u'replace', u'test']}, u'from': {u'type': u'string'}, u'path': {u'type': u'string'}}}}}, u'required': [u'patch', u'type'], u'type': u'object'}
type = u'update'

c7n.resources.appelb module

Application Load Balancers

class c7n.resources.appelb.AppELB(data, options)[source]

Bases: c7n.query.QueryResourceManager

Resource manager for v2 ELBs (AKA ALBs).

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
get_arn(r)[source]
classmethod get_permissions()[source]
get_source(source_type)[source]
class resource_type[source]

Bases: object

config_type = u'AWS::ElasticLoadBalancingV2::LoadBalancer'
date = u'CreatedTime'
dimension = None
enum_spec = (u'describe_load_balancers', u'LoadBalancers', None)
filter_name = None
filter_type = None
id = u'LoadBalancerArn'
name = u'LoadBalancerName'
service = u'elbv2'
type = u'loadbalancer/app'
static retry(func, *args, **kw)
type = u'app-elb'
class c7n.resources.appelb.AppELBAttributeFilterBase[source]

Bases: object

Mixin base class for filters that query LB attributes.

initialize(albs)[source]
class c7n.resources.appelb.AppELBDefaultVpcFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.DefaultVpcBase

Filter all ELB that exist within the default vpc

Example:
policies:
  - name: appelb-in-default-vpc
    resource: app-elb
    filters:
      - default-vpc
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'default-vpc']}}, u'required': [u'type'], u'type': u'object'}
type = u'default-vpc'
class c7n.resources.appelb.AppELBDeleteAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to delete an ELB

To avoid unwanted deletions of ELB, it is recommended to apply a filter to the rule

Example:
policies:
  - name: appelb-delete-failed-elb
    resource: app-elb
    filters:
      - State: failed
    actions:
      - delete
permissions = (u'elasticloadbalancing:DeleteLoadBalancer', u'elasticloadbalancing:ModifyLoadBalancerAttributes')
process(load_balancers)[source]
process_alb(alb)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}, 'force': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.appelb.AppELBHealthCheckProtocolMismatchFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter, c7n.resources.appelb.AppELBTargetGroupFilterBase

Filter AppELBs with mismatched health check protocols

A mismatched health check protocol is where the protocol on the target group does not match the load balancer health check protocol

Example:
policies:
  - name: appelb-healthcheck-mismatch
    resource: app-elb
    filters:
      - healthcheck-protocol-mismatch
permissions = (u'elasticloadbalancing:DescribeTargetGroups',)
process(albs, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'healthcheck-protocol-mismatch']}}, u'required': [u'type'], u'type': u'object'}
type = u'healthcheck-protocol-mismatch'
class c7n.resources.appelb.AppELBListenerFilter(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter, c7n.resources.appelb.AppELBListenerFilterBase

Filter ALB based on matching listener attributes

Adding the matched flag will filter on previously matched listeners

Example:
policies:
  - name: app-elb-invalid-ciphers
    resource: app-elb
    filters:
      - type: listener
        key: Protocol
        value: HTTPS
      - type: listener
        key: SslPolicy
        value: ['ELBSecurityPolicy-TLS-1-1-2017-01','ELBSecurityPolicy-TLS-1-2-2017-01']
        op: ni
        matched: true
    actions:
      - type: modify-listener
        sslpolicy: "ELBSecurityPolicy-TLS-1-2-2017-01"
permissions = (u'elasticloadbalancing:DescribeLoadBalancerAttributes',)
process(albs, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, 'matched': {u'type': u'boolean'}, u'type': {u'enum': [u'listener']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'listener'
validate()[source]
class c7n.resources.appelb.AppELBListenerFilterBase[source]

Bases: object

Mixin base class for filters that query LB listeners.

initialize(albs)[source]
permissions = (u'elasticloadbalancing:DescribeListeners',)
class c7n.resources.appelb.AppELBMarkForOpAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.TagDelayedAction

Action to create a delayed action on an ELB to start at a later date

Example:
policies:
  - name: appelb-failed-mark-for-op
    resource: app-elb
    filters:
      - "tag:custodian_elb_cleanup": absent
      - State: failed
    actions:
      - type: mark-for-op
        tag: custodian_elb_cleanup
        msg: "AppElb failed: {op}@{action_date}"
        op: delete
        days: 1
batch_size = 1
permissions = (u'elasticloadbalancing:AddTags',)
process_resource_set(resource_set, ts)[source]
type = u'mark-for-op'
class c7n.resources.appelb.AppELBModifyListenerPolicy(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to modify the policy for an App ELB

Example:
policies:
  - name: appelb-modify-listener
    resource: app-elb
    filters:
      - type: listener
        key: Protocol
        value: HTTP
    actions:
      - type: modify-listener
        protocol: HTTPS
        sslpolicy: "ELBSecurityPolicy-TLS-1-2-2017-01"
        certificate: "arn:aws:acm:region:123456789012:certificate/12345678-                    1234-1234-1234-123456789012"
permissions = (u'elasticloadbalancing:ModifyListener',)
process(load_balancers)[source]
process_alb(alb, args)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'modify-listener']}, 'sslpolicy': {u'type': u'string'}, 'certificate': {u'type': u'string'}, 'port': {u'type': u'integer'}, 'protocol': {u'enum': [u'HTTP', u'HTTPS']}}, u'required': [u'type'], u'type': u'object'}
type = u'modify-listener'
validate()[source]
class c7n.resources.appelb.AppELBRemoveTagAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.RemoveTag

Action to remove tag/tags from an ELB

Example:
policies:
  - name: appelb-delete-expired-tag
    resource: app-elb
    filters:
      - "tag:ExpiredTag": present
    actions:
      - type: remove-tag
        tags: ["ExpiredTag"]
batch_size = 1
permissions = (u'elasticloadbalancing:RemoveTags',)
process_resource_set(resource_set, tag_keys)[source]
type = u'remove-tag'
class c7n.resources.appelb.AppELBTagAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.Tag

Action to create tag/tags on an ELB

Example:
policies:
  - name: appelb-create-required-tag
    resource: app-elb
    filters:
      - "tag:RequiredTag": absent
    actions:
      - type: tag
        key: RequiredTag
        value: RequiredValue
batch_size = 1
permissions = (u'elasticloadbalancing:AddTags',)
process_resource_set(resource_set, ts)[source]
type = u'tag'
class c7n.resources.appelb.AppELBTargetGroup(data, options)[source]

Bases: c7n.query.QueryResourceManager

Resource manager for v2 ELB target groups.

action_registry = <c7n.actions.ActionRegistry object>
augment(target_groups)[source]
filter_registry = <c7n.filters.core.FilterRegistry object>
classmethod get_permissions()[source]
class resource_type[source]

Bases: object

date = None
dimension = None
enum_spec = (u'describe_target_groups', u'TargetGroups', None)
filter_name = None
filter_type = None
id = u'TargetGroupArn'
name = u'TargetGroupName'
service = u'elbv2'
type = u'app-elb-target-group'
static retry(func, *args, **kw)
type = u'app-elb-target-group'
class c7n.resources.appelb.AppELBTargetGroupDefaultVpcFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.DefaultVpcBase

Filter all application elb target groups within the default vpc

Example:
policies:
  - name: appelb-targetgroups-default-vpc
    resource: app-elb-target-group
    filters:
      - default-vpc
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'default-vpc']}}, u'required': [u'type'], u'type': u'object'}
type = u'default-vpc'
class c7n.resources.appelb.AppELBTargetGroupDeleteAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to delete ELB target group

It is recommended to apply a filter to the delete policy to avoid unwanted deletion of any app elb target groups.

Example:
policies:
  - name: appelb-targetgroups-delete-unused
    resource: app-elb-target-group
    filters:
      - "tag:SomeTag": absent
    actions:
      - delete
permissions = (u'elasticloadbalancing:DeleteTargetGroup',)
process(target_group)[source]
process_targetgroup(target_group)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.appelb.AppELBTargetGroupFilter(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter, c7n.resources.appelb.AppELBTargetGroupFilterBase

Filter ALB based on matching target group value

permissions = (u'elasticloadbalancing:DescribeTargetGroups',)
process(albs, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'target-group']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'target-group'
class c7n.resources.appelb.AppELBTargetGroupFilterBase[source]

Bases: object

Mixin base class for filters that query LB target groups.

initialize(albs)[source]
class c7n.resources.appelb.AppELBTargetGroupMarkForOpAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.TagDelayedAction

Action to specify a delayed action on an ELB target group

batch_size = 1
permissions = (u'elasticloadbalancing:AddTags',)
process_resource_set(resource_set, ts)[source]
type = u'mark-for-op'
class c7n.resources.appelb.AppELBTargetGroupRemoveTagAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.RemoveTag

Action to remove tag/tags from ELB target group

Example:
policies:
  - name: appelb-targetgroup-remove-expired-tag
    resource: app-elb-target-group
    filters:
      - "tag:ExpiredTag": present
    actions:
      - type: remove-tag
        tags: ["ExpiredTag"]
batch_size = 1
permissions = (u'elasticloadbalancing:RemoveTags',)
process_resource_set(resource_set, tag_keys)[source]
type = u'remove-tag'
class c7n.resources.appelb.AppELBTargetGroupTagAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.Tag

Action to create tag/tags on an ELB target group

Example:
policies:
  - name: appelb-targetgroup-add-required-tag
    resource: app-elb-target-group
    filters:
      - "tag:RequiredTag": absent
    actions:
      - type: tag
        key: RequiredTag
        value: RequiredValue
batch_size = 1
permissions = (u'elasticloadbalancing:AddTags',)
process_resource_set(resource_set, ts)[source]
type = u'tag'
class c7n.resources.appelb.AppElbMetrics(data, manager=None)[source]

Bases: c7n.filters.metrics.MetricsFilter

Filter app load balancer by metric values.

See available metrics here: https://goo.gl/TLQ9Fr Custodian defaults to specifying dimensions for the app elb only. Target Group dimension not supported atm.

get_dimensions(resource)[source]
type = u'metrics'
class c7n.resources.appelb.ConfigAppElb(manager)[source]

Bases: c7n.query.ConfigSource

load_resource(item)[source]
class c7n.resources.appelb.DescribeAppElb(manager)[source]

Bases: c7n.query.DescribeSource

augment(albs)[source]
class c7n.resources.appelb.IsLoggingFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter, c7n.resources.appelb.AppELBAttributeFilterBase

Matches AppELBs that are logging to S3.
bucket and prefix are optional
Example:
policies:
    - name: alb-is-logging-test
      resource: app-elb
      filters:
        - type: is-logging

    - name: alb-is-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-logging
          bucket: prodlogs
          prefix: alblogs
permissions = (u'elasticloadbalancing:DescribeLoadBalancerAttributes',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'is-logging']}, 'prefix': {u'type': u'string'}, 'bucket': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
type = u'is-logging'
class c7n.resources.appelb.IsNotLoggingFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter, c7n.resources.appelb.AppELBAttributeFilterBase

Matches AppELBs that are NOT logging to S3.
or do not match the optional bucket and/or prefix.
Example:
policies:
    - name: alb-is-not-logging-test
      resource: app-elb
      filters:
        - type: is-not-logging

    - name: alb-is-not-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-not-logging
          bucket: prodlogs
          prefix: alblogs
permissions = (u'elasticloadbalancing:DescribeLoadBalancerAttributes',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'is-not-logging']}, 'prefix': {u'type': u'string'}, 'bucket': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
type = u'is-not-logging'
class c7n.resources.appelb.SecurityGroupFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = u'SecurityGroups[]'
type = u'security-group'
class c7n.resources.appelb.SetS3Logging(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to enable/disable S3 logging for an application loadbalancer.

Example:
policies:
  - name: elbv2-test
    resource: app-elb
    filters:
      - type: value
        key: Attributes."access_logs.s3.enabled"
        value: False
    actions:
      - type: enable-s3-logging
        bucket: elbv2logtest
        prefix: dahlogs
permissions = (u'elasticloadbalancing:ModifyLoadBalancerAttributes',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {'state': {u'enum': [u'enabled', u'disabled']}, u'type': {u'enum': [u'set-s3-logging']}, 'prefix': {u'type': u'string'}, 'bucket': {u'type': u'string'}}, u'required': (u'state',), u'type': u'object'}
type = u'set-s3-logging'
validate()[source]
class c7n.resources.appelb.SetWaf(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Enable/Disable waf protection on applicable resource.

permissions = (u'waf-regional:AssociateWebACL', u'waf-regional:ListWebACLs')
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'state': {u'type': u'boolean'}, u'type': {u'enum': [u'set-waf']}, u'web-acl': {u'type': u'string'}}, u'required': [u'web-acl', u'type'], u'type': u'object'}
type = u'set-waf'
validate()[source]
class c7n.resources.appelb.SubnetFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = u'AvailabilityZones[].SubnetId'
type = u'subnet'
class c7n.resources.appelb.WafEnabled(data, manager=None)[source]

Bases: c7n.filters.core.Filter

permissions = (u'waf-regional:ListResourcesForWebACL', u'waf-regional:ListWebACLs')
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'state': {u'type': u'boolean'}, u'type': {u'enum': [u'waf-enabled']}, u'web-acl': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
type = u'waf-enabled'

c7n.resources.asg module

class c7n.resources.asg.ASG(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

config_type = u'AWS::AutoScaling::AutoScalingGroup'
date = u'CreatedTime'
default_report_fields = (u'AutoScalingGroupName', u'CreatedTime', u'LaunchConfigurationName', u'count:Instances', u'DesiredCapacity', u'HealthCheckType', u'list:LoadBalancerNames')
dimension = u'AutoScalingGroupName'
enum_spec = (u'describe_auto_scaling_groups', u'AutoScalingGroups', None)
filter_name = u'AutoScalingGroupNames'
filter_type = u'list'
id = u'AutoScalingGroupName'
name = u'AutoScalingGroupName'
service = u'autoscaling'
type = u'autoScalingGroup'
static retry(func, *args, **kw)
type = u'asg'
class c7n.resources.asg.CapacityDelta(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Filter returns ASG that have less instances than desired or required

Example:
policies:
  - name: asg-capacity-delta
    resource: asg
    filters:
      - capacity-delta
process(asgs, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'capacity-delta']}}, u'required': [u'type'], u'type': u'object'}
type = u'capacity-delta'
class c7n.resources.asg.ConfigValidFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter, c7n.resources.asg.LaunchConfigFilterBase

get_appelb_target_groups()[source]
get_asg_errors(asg)[source]
get_elbs()[source]
get_images()[source]
get_key_pairs()[source]
get_permissions()[source]
get_security_groups()[source]
get_snapshots()[source]
get_subnets()[source]
initialize(asgs)[source]
process(asgs, event=None)[source]
validate()[source]
class c7n.resources.asg.Delete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to delete an ASG

The ‘force’ parameter is needed when deleting an ASG that has instances attached to it.

Example:
policies:
  - name: asg-unencrypted
    resource: asg
    filters:
      - type: not-encrypted
        exclude_image: true
    actions:
      - type: delete
        force: true
permissions = (u'autoscaling:DeleteAutoScalingGroup',)
process(asgs)[source]
process_asg(*args, **kw)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}, 'force': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.asg.DescribeLaunchConfig(manager)[source]

Bases: c7n.query.DescribeSource

augment(resources)[source]
class c7n.resources.asg.GroupTagTrim(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.TagTrim

Action to trim the number of tags to avoid hitting tag limits

Example:
policies:
  - name: asg-tag-trim
    resource: asg
    filters:
      - type: tag-count
        count: 10
    actions:
      - type: tag-trim
        space: 1
        preserve:
          - OwnerName
          - OwnerContact
max_tag_count = 10
permissions = (u'autoscaling:DeleteTags',)
process_tag_removal(resource, candidates)[source]
type = u'tag-trim'
class c7n.resources.asg.ImageAgeFilter(data, manager=None)[source]

Bases: c7n.filters.core.AgeFilter, c7n.resources.asg.LaunchConfigFilterBase

Filter asg by image age (in days).

Example:
policies:
  - name: asg-older-image
    resource: asg
    filters:
      - type: image-age
        days: 90
        op: ge
date_attribute = u'CreationDate'
get_resource_date(i)[source]
initialize(asgs)[source]
permissions = (u'ec2:DescribeImages', u'autoscaling:DescribeLaunchConfigurations')
process(asgs, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'image-age']}, 'op': {u'type': u'string', u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}, 'days': {u'type': u'number'}}, u'required': [u'type'], u'type': u'object'}
type = u'image-age'
class c7n.resources.asg.ImageFilter(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter, c7n.resources.asg.LaunchConfigFilterBase

Filter asg by image

Example:
policies:
  - name: non-windows-asg
    resource: asg
    filters:
      - type: image
        key: Platform
        value: Windows
        op: ne
initialize(asgs)[source]
permissions = (u'ec2:DescribeImages', u'autoscaling:DescribeLaunchConfigurations')
process(asgs, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'image']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'image'
class c7n.resources.asg.InvalidConfigFilter(data, manager=None)[source]

Bases: c7n.resources.asg.ConfigValidFilter

Filter autoscale groups to find those that are structurally invalid.

Structurally invalid means that the auto scale group will not be able to launch an instance succesfully as the configuration has

  • invalid subnets
  • invalid security groups
  • invalid key pair name
  • invalid launch config volume snapshots
  • invalid amis
  • invalid health check elb (slower)

Internally this tries to reuse other resource managers for better cache utilization.

Example:
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'invalid']}}, u'required': [u'type'], u'type': u'object'}
type = u'invalid'
class c7n.resources.asg.LaunchConfig(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
get_source(source_type)[source]
class resource_type[source]

Bases: object

config_type = u'AWS::AutoScaling::LaunchConfiguration'
date = u'CreatedTime'
dimension = None
enum_spec = (u'describe_launch_configurations', u'LaunchConfigurations', None)
filter_name = u'LaunchConfigurationNames'
filter_type = u'list'
id = u'LaunchConfigurationName'
name = u'LaunchConfigurationName'
service = u'autoscaling'
type = u'launchConfiguration'
static retry(func, *args, **kw)
type = u'launch-config'
class c7n.resources.asg.LaunchConfigAge(data, manager=None)[source]

Bases: c7n.filters.core.AgeFilter

Filter ASG launch configuration by age (in days)

Example:
policies:
  - name: asg-launch-config-old
    resource: launch-config
    filters:
      - type: age
        days: 90
        op: ge
date_attribute = u'CreatedTime'
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'age']}, 'op': {u'type': u'string', u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}, 'days': {u'type': u'number'}}, u'required': [u'type'], u'type': u'object'}
type = u'age'
class c7n.resources.asg.LaunchConfigDelete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Filters all unused launch configurations

Example:
policies:
  - name: asg-unused-launch-config-delete
    resource: launch-config
    filters:
      - unused
    actions:
      - delete
permissions = (u'autoscaling:DeleteLaunchConfiguration',)
process(configs)[source]
process_config(*args, **kw)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.asg.LaunchConfigFilter(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter, c7n.resources.asg.LaunchConfigFilterBase

Filter asg by launch config attributes.

Example:
policies:
  - name: launch-configs-with-public-address
    resource: asg
    filters:
      - type: launch-config
        key: AssociatePublicIpAddress
        value: true
permissions = (u'autoscaling:DescribeLaunchConfigurations',)
process(asgs, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'launch-config']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'launch-config'
class c7n.resources.asg.LaunchConfigFilterBase[source]

Bases: object

Mixin base class for querying asg launch configs.

configs = None
initialize(asgs)[source]

Get launch configs for the set of asgs

permissions = (u'autoscaling:DescribeLaunchConfigurations',)
class c7n.resources.asg.MarkForOp(data=None, manager=None, log_dir=None)[source]

Bases: c7n.resources.asg.Tag

Action to create a delayed action for a later date

Example:
policies:
  - name: asg-suspend-schedule
    resource: asg
    filters:
      - type: value
        key: MinSize
        value: 2
    actions:
      - type: mark-for-op
        tag: custodian_suspend
        message: "Suspending: {op}@{action_date}"
        op: suspend
        days: 7
default_template = u'AutoScaleGroup does not meet org policy: {op}@{action_date}'
process(asgs)[source]
schema = {u'additionalProperties': False, u'properties': {'key': {u'type': u'string'}, u'type': {u'enum': [u'mark-for-op']}, 'message': {u'type': u'string'}, 'op': {u'enum': [u'suspend', u'resume', u'delete']}, 'days': {u'type': u'number', u'minimum': 0}, 'tag': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
type = u'mark-for-op'
class c7n.resources.asg.NotEncryptedFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter, c7n.resources.asg.LaunchConfigFilterBase

Check if an ASG is configured to have unencrypted volumes.

Checks both the ami snapshots and the launch configuration.

Example:
policies:
  - name: asg-unencrypted
    resource: asg
    filters:
      - type: not-encrypted
        exclude_image: true
static get_bad_snapshot(e)[source]

Handle various client side errors when describing snapshots

get_snapshots(ec2, snap_ids)[source]

get snapshots corresponding to id, but tolerant of invalid id’s.

get_unencrypted_configs(ec2)[source]

retrieve configs that have unencrypted ebs voluems referenced.

get_unencrypted_images(ec2)[source]

retrieve images which have unencrypted snapshots referenced.

images = None
initialize(asgs)[source]
permissions = (u'ec2:DescribeImages', u'ec2:DescribeSnapshots', u'autoscaling:DescribeLaunchConfigurations')
process(asgs, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'not-encrypted']}, 'exclude_image': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'not-encrypted'
unencrypted_configs = None
unencrypted_images = None
class c7n.resources.asg.PropagateTags(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Propagate tags to an asg instances.

In AWS changing an asg tag does not propagate to instances.

This action exists to do that, and can also trim older tags not present on the asg anymore that are present on instances.

Example:
policies:
  - name: asg-propagate-required
    resource: asg
    filters:
      - "tag:OwnerName": present
    actions:
      - type: propagate-tags
        tags:
          - OwnerName
get_instance_map(asgs)[source]
permissions = (u'ec2:DeleteTags', u'ec2:CreateTags')
process(asgs)[source]
process_asg(asg)[source]
prune_instance_tags(client, asg, tag_set, instances)[source]

Remove tags present on all asg instances which are not present on the asg.

schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'propagate-tags']}, 'trim': {u'type': u'boolean'}, 'tags': {u'type': u'array', u'items': {u'type': u'string'}}}, u'required': [u'type'], u'type': u'object'}
type = u'propagate-tags'
validate()[source]
class c7n.resources.asg.PropagatedTagFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Filter ASG based on propagated tags

This filter is designed to find all autoscaling groups that have a list of tag keys (provided) that are set to propagate to new instances. Using this will allow for easy validation of asg tag sets are in place across an account for compliance.

Example:
permissions = (u'autoscaling:DescribeLaunchConfigurations', u'autoscaling:DescribeAutoScalingGroups')
process(asgs, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'progagated-tags']}, 'match': {u'type': u'boolean'}, 'propagate': {u'type': u'boolean'}, 'keys': {u'type': u'array', u'items': {u'type': u'string'}}}, u'required': [u'type'], u'type': u'object'}
type = u'progagated-tags'
class c7n.resources.asg.RemoveTag(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to remove tag/tags from an ASG

Example:
policies:
  - name: asg-remove-unnecessary-tags
    resource: asg
    filters:
      - "tag:UnnecessaryTag": present
    actions:
      - type: remove-tag
        key: UnnecessaryTag
batch_size = 1
permissions = (u'autoscaling:DeleteTags',)
process(asgs)[source]
process_asg_set(asgs, key)[source]
schema = {u'additionalProperties': False, u'properties': {'key': {u'type': u'string'}, u'type': {u'enum': [u'remove-tag', u'untag', u'unmark']}}, u'required': [u'type'], u'type': u'object'}
type = u'remove-tag'
class c7n.resources.asg.RenameTag(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Rename a tag on an AutoScaleGroup.

Example:
policies:
  - name: asg-rename-owner-tag
    resource: asg
    filters:
      - "tag:OwnerNames": present
    actions:
      - type: rename-tag
        propagate: true
        source: OwnerNames
        dest: OwnerName
get_permissions()[source]
process(asgs)[source]
process_asg(asg)[source]

Move source tag to destination tag.

Check tag count on asg Create new tag tag Delete old tag Check tag count on instance Create new tag Delete old tag

propagate_instance_tag(source, destination_tag, asg)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'rename-tag']}, 'source': {u'type': u'string'}, 'propagate': {u'type': u'boolean'}, 'dest': {u'type': u'string'}}, u'required': [u'source', u'dest', u'type'], u'type': u'object'}
type = u'rename-tag'
class c7n.resources.asg.Resize(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to resize the min/max/desired instances in an ASG

There are several ways to use this action:

  1. set min/desired to current running instances
policies:
  - name: asg-resize
    resource: asg
    filters:
      - capacity-delta
    actions:
      - type: resize
        desired-size: "current"
  1. apply a fixed resize of min, max or desired, optionally saving the previous values to a named tag (for restoring later):
policies:
  - name: offhours-asg-off
    resource: asg
    filters:
      - type: offhour
        offhour: 19
        default_tz: bst
    actions:
      - type: resize
        min-size: 0
        desired-size: 0
        save-options-tag: OffHoursPrevious
  1. restore previous values for min/max/desired from a tag:
policies:
  - name: offhours-asg-on
    resource: asg
    filters:
      - type: onhour
        onhour: 8
        default_tz: bst
    actions:
      - type: resize
        restore-options-tag: OffHoursPrevious
permissions = (u'autoscaling:UpdateAutoScalingGroup', u'autoscaling:CreateOrUpdateTags')
process(asgs)[source]
schema = {u'additionalProperties': False, u'properties': {u'desired_size': {u'anyOf': [{u'enum': [u'current']}, {u'type': u'integer', u'minimum': 0}]}, u'type': {u'enum': [u'resize']}, u'max-size': {u'type': u'integer', u'minimum': 0}, u'desired-size': {u'anyOf': [{u'enum': [u'current']}, {u'type': u'integer', u'minimum': 0}]}, u'save-options-tag': {u'type': u'string'}, u'min-size': {u'type': u'integer', u'minimum': 0}, u'restore-options-tag': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
type = u'resize'
validate()[source]
class c7n.resources.asg.Resume(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Resume a suspended autoscale group and its instances

Parameter ‘delay’ is the amount of time (in seconds) to wait between resuming each instance within the ASG (default value: 30)

Example:
policies:
  - name: asg-resume-processes
    resource: asg
    filters:
      - "tag:Resume": present
    actions:
      - type: resume
        delay: 300
permissions = (u'autoscaling:ResumeProcesses', u'ec2:StartInstances')
process(asgs)[source]
resume_asg(asg)[source]

Resume asg processes.

resume_asg_instances(asg)[source]

Resume asg instances.

schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'resume']}, 'delay': {u'type': u'number'}}, u'required': [u'type'], u'type': u'object'}
type = u'resume'
class c7n.resources.asg.SecurityGroupFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SecurityGroupFilter, c7n.resources.asg.LaunchConfigFilterBase

RelatedIdsExpression = u''
get_permissions()[source]
process(asgs, event=None)[source]
type = u'security-group'
class c7n.resources.asg.SubnetFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = u''
type = u'subnet'
class c7n.resources.asg.Suspend(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to suspend ASG processes and instances

AWS ASG suspend/resume and process docs https://goo.gl/XYtKQ8

Example:
policies:
  - name: asg-suspend-processes
    resource: asg
    filters:
      - "tag:SuspendTag": present
    actions:
      - type: suspend
ASG_PROCESSES = set([u'Launch', u'AddToLoadBalancer', u'AlarmNotification', u'HealthCheck', u'ReplaceUnhealthy', u'Terminate', u'ScheduledActions', u'AZRebalance'])
permissions = (u'autoscaling:SuspendProcesses', u'ec2:StopInstances')
process(asgs)[source]
process_asg(asg)[source]

Multistep process to stop an asg aprori of setup

  • suspend processes
  • stop instances
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'suspend']}, 'exclude': {u'title': u'ASG Processes to not suspend', u'type': u'array', u'items': {u'enum': [u'Launch', u'Terminate', u'HealthCheck', u'ReplaceUnhealthy', u'AZRebalance', u'AlarmNotification', u'ScheduledActions', u'AddToLoadBalancer']}}}, u'required': [u'type'], u'type': u'object'}
type = u'suspend'
class c7n.resources.asg.Tag(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to add a tag to an ASG

The propagate parameter can be used to specify that the tag being added will need to be propagated down to each ASG instance associated or simply to the ASG itself.

Example:
policies:
  - name: asg-add-owner-tag
    resource: asg
    filters:
      - "tag:OwnerName": absent
    actions:
      - type: tag
        key: OwnerName
        value: OwnerName
        propagate: true
batch_size = 1
permissions = (u'autoscaling:CreateOrUpdateTags',)
process(asgs)[source]
process_asg_set(asgs, key, value)[source]
schema = {u'additionalProperties': False, u'properties': {'key': {u'type': u'string'}, u'type': {u'enum': [u'tag', u'mark']}, 'value': {u'type': u'string'}, 'propagate': {u'type': u'boolean'}, 'msg': {u'type': u'string'}, 'tag': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
tag(asgs, key, value)[source]
type = u'tag'
class c7n.resources.asg.UnusedLaunchConfig(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Filters all launch configurations that are not in use but exist

Example:
policies:
  - name: asg-unused-launch-config
    resource: launch-config
    filters:
      - unused
get_permissions()[source]
process(configs, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'unused']}}, u'required': [u'type'], u'type': u'object'}
type = u'unused'
class c7n.resources.asg.ValidConfigFilter(data, manager=None)[source]

Bases: c7n.resources.asg.ConfigValidFilter

Filters autoscale groups to find those that are structurally valid.

This operates as the inverse of the invalid filter for multi-step workflows.

See details on the invalid filter for a list of checks made.

Example:
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'valid']}}, u'required': [u'type'], u'type': u'object'}
type = u'valid'
class c7n.resources.asg.VpcIdFilter(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

Filters ASG based on the VpcId

This filter is available as a ValueFilter as the vpc-id is not natively associated to the results from describing the autoscaling groups.

Example:
policies:
  - name: asg-vpc-xyz
    resource: asg
    filters:
      - type: vpc-id
        value: vpc-12ab34cd
permissions = (u'ec2:DescribeSubnets',)
process(asgs, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'type': {u'enum': [u'vpc-id']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'vpc-id'

c7n.resources.aws module

class c7n.resources.aws.AWS[source]

Bases: object

get_session_factory(options)[source]
initialize(options)[source]
initialize_policies(policy_collection, options)[source]

Return a set of policies targetted to the given regions.

Supports symbolic regions like ‘all’. This will automatically filter out policies if their being targetted to a region that does not support the service. Global services will target a single region (us-east-1 if only all specified, else first region in the list).

Note for region partitions (govcloud and china) an explicit region from the partition must be passed in.

resource_prefix = 'aws'
resources = <c7n.registry.PluginRegistry object>
type = 'aws'
c7n.resources.aws.get_service_region_map(regions, resource_types)[source]

c7n.resources.awslambda module

class c7n.resources.awslambda.AWSLambda(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
generate_arn

Generates generic arn if ID is not already arn format.

get_source(source_type)[source]
class resource_type[source]

Bases: object

config_type = u'AWS::Lambda::Function'
date = u'LastModified'
dimension = u'FunctionName'
enum_spec = (u'list_functions', u'Functions', None)
filter_name = None
id = u'FunctionName'
name = u'FunctionName'
service = u'lambda'
type = u'function'
static retry(func, *args, **kw)
type = u'lambda'
class c7n.resources.awslambda.ConfigLambda(manager)[source]

Bases: c7n.query.ConfigSource

load_resource(item)[source]
class c7n.resources.awslambda.Delete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Delete a lambda function (including aliases and older versions).

Example:
policies:
  - name: lambda-delete-dotnet-functions
    resource: lambda
    filters:
      - Runtime: dotnetcore1.0
    actions:
      - delete
permissions = (u'lambda:DeleteFunction',)
process(functions)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.awslambda.DescribeLambda(manager)[source]

Bases: c7n.query.DescribeSource

augment(resources)[source]
class c7n.resources.awslambda.LambdaCrossAccountAccessFilter(data, manager=None)[source]

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

Filters lambda functions with cross-account permissions

The whitelist parameter can be used to prevent certain accounts from being included in the results (essentially stating that these accounts permissions are allowed to exist)

This can be useful when combining this filter with the delete action.

Example:
policies:
  - name: lambda-cross-account
    resource: lambda
    filters:
      - type: cross-account
        whitelist:
          - 'IAM-Policy-Cross-Account-Access'
permissions = (u'lambda:GetPolicy',)
policy_attribute = u'c7n:Policy'
process(resources, event=None)[source]
type = u'cross-account'
class c7n.resources.awslambda.LambdaEventSource(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

annotation_key = u'c7n:EventSources'
permissions = (u'lambda:GetPolicy',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'event-source']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'event-source'
class c7n.resources.awslambda.RemovePolicyStatement(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.RemovePolicyBase

Action to remove policy/permission statements from lambda functions.

Example:
policies:
  - name: lambda-remove-cross-accounts
    resource: lambda
    filters:
      - type: cross-account
    actions:
      - type: remove-statements
        statement_ids: matched
permissions = (u'lambda:GetPolicy', u'lambda:RemovePermission')
process(resources)[source]
process_resource(client, resource)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'remove-statements']}, 'statement_ids': {u'oneOf': [{u'enum': [u'matched']}, {u'type': u'array', u'items': {u'type': u'string'}}]}}, u'required': [u'statement_ids', u'type'], u'type': u'object'}
type = u'remove-statements'
class c7n.resources.awslambda.RemoveTag(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.RemoveTag

Action to remove tag(s) from Lambda Function(s)

Example:
policies:
  - name: lambda-remove-old-tag
    resource: lambda
    filters:
      - "tag:OldTagKey": present
    actions:
      - type: remove-tag
        tags: [OldTagKey1, OldTagKey2]
permissions = (u'lambda:UntagResource',)
process_resource_set(functions, tag_keys)[source]
type = u'remove-tag'
class c7n.resources.awslambda.ReservedConcurrency(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

annotation_key = u'c7n:FunctionInfo'
permissions = (u'lambda:GetFunction',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'reserved-concurrency']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'reserved-concurrency'
validate()[source]
value_key = u'"c7n:FunctionInfo".Concurrency.ReservedConcurrentExecutions'
class c7n.resources.awslambda.SecurityGroupFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = u'VpcConfig.SecurityGroupIds[]'
type = u'security-group'
class c7n.resources.awslambda.SetConcurrency(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Set lambda function concurrency to the desired level.

Can be used to set the reserved function concurrency to an exact value, to delete reserved concurrency, or to set the value to an attribute of the resource.

permissions = (u'lambda:DeleteFunctionConcurrency', u'lambda:PutFunctionConcurrency')
process(functions)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'set-concurrency']}, u'expr': {u'type': u'boolean'}, u'value': {u'oneOf': [{u'type': u'string'}, {u'type': u'integer'}, {u'type': u'null'}]}}, u'required': (u'value',), u'type': u'object'}
type = u'set-concurrency'
validate()[source]
class c7n.resources.awslambda.SubnetFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = u'VpcConfig.SubnetIds[]'
type = u'subnet'
class c7n.resources.awslambda.Tag(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.Tag

Action to add tag(s) to Lambda Function(s)

Example:
policies:
  - name: lambda-add-owner-tag
    resource: lambda
    filters:
      - "tag:OwnerName": missing
    actions:
      - type: tag
        key: OwnerName
        value: OwnerName
permissions = (u'lambda:TagResource',)
process_resource_set(functions, tags)[source]
type = u'tag'
class c7n.resources.awslambda.TagDelayedAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.TagDelayedAction

Action to specify an action to occur at a later date

Example:
policies:
  - name: lambda-delete-unused
    resource: lambda
    filters:
      - "tag:custodian_cleanup": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        msg: "Unused lambda"
        op: delete
        days: 7
permissions = (u'lambda:TagResource',)
process_resource_set(functions, tags)[source]
type = u'mark-for-op'
c7n.resources.awslambda.tag_function(session_factory, functions, tags, log)[source]

c7n.resources.batch module

class c7n.resources.batch.ComputeEnvironment(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'describe_compute_environments', u'computeEnvironments', None)
filter_name = u'computeEnvironments'
filter_type = u'list'
id = u'computeEnvironmentName'
name = u'computeEnvironmentName'
service = u'batch'
type = u'batch-compute'
class c7n.resources.batch.DeleteComputeEnvironment(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.batch.StateTransitionFilter

Delete an AWS batch compute environment

Example:
delete_environment(r)[source]
permissions = (u'batch:DeleteComputeEnvironment',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
valid_origin_states = (u'DISABLED',)
valid_origin_status = (u'VALID', u'INVALID')
class c7n.resources.batch.JobDefinition(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'describe_job_definitions', u'jobDefinitions', None)
filter_name = u'jobDefinitions'
filter_type = u'list'
id = u'jobDefinitionName'
name = u'jobDefinitionName'
service = u'batch'
type = u'batch-definition'
class c7n.resources.batch.StateTransitionFilter[source]

Bases: object

Filter resources by state.

Try to simplify construction for policy authors by automatically filtering elements (filters or actions) to the resource states they are valid for.

filter_resource_state(resources, key, states=None)[source]
valid_origin_states = ()
class c7n.resources.batch.UpdateComputeEnvironment(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.batch.StateTransitionFilter

Updates an AWS batch compute environment

Example:
permissions = (u'batch:UpdateComputeEnvironment',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'state': {u'type': u'string', u'enum': [u'ENABLED', u'DISABLED']}, u'computeResources': {u'type': u'object', u'additionalProperties': False, u'properties': {u'minvCpus': {u'type': u'integer'}, u'maxvCpus': {u'type': u'integer'}, u'desiredvCpus': {u'type': u'integer'}}}, u'type': {u'enum': [u'update-environment']}, u'serviceRole': {u'type': u'string'}, u'computeEnvironment': {u'type': u'string'}}, u'type': u'object'}
type = u'update-environment'
valid_origin_status = (u'VALID', u'INVALID')

c7n.resources.cfn module

class c7n.resources.cfn.CloudFormation(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

config_type = u'AWS::CloudFormation::Stack'
date = u'CreationTime'
dimension = None
enum_spec = (u'describe_stacks', u'Stacks[]', None)
filter_name = u'StackName'
filter_type = u'scalar'
id = u'StackName'
name = u'StackName'
service = u'cloudformation'
type = u'stack'
type = u'cfn'
class c7n.resources.cfn.CloudFormationAddTag(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.Tag

Action to tag a cloudformation stack

Example:
permissions = (u'cloudformation:UpdateStack',)
process_resource_set(stacks, tags)[source]
type = u'tag'
class c7n.resources.cfn.CloudFormationRemoveTag(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.RemoveTag

Action to remove tags from a cloudformation stack

Example:
process_resource_set(stacks, keys)[source]
type = u'remove-tag'
class c7n.resources.cfn.Delete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to delete cloudformation stacks

It is recommended to use a filter to avoid unwanted deletion of stacks

Example:
policies:
  - name: cloudformation-delete-failed-stacks
    resource: cfn
    filters:
      - StackStatus: ROLLBACK_COMPLETE
    actions:
      - delete
permissions = (u'cloudformation:DeleteStack',)
process(stacks)[source]
process_stacks(stack)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.cfn.SetProtection(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to disable termination protection

It is recommended to use a filter to avoid unwanted deletion of stacks

Example:
policies:
  - name: cloudformation-disable-protection
    resource: cfn
    filters:
      - StackStatus: CREATE_COMPLETE
    actions:
      - type: set-protection
        state: False
permissions = (u'cloudformation:UpdateStack',)
process(stacks)[source]
process_stacks(client, stack)[source]
schema = {u'additionalProperties': False, u'properties': {'state': {u'type': u'boolean', u'default': False}, u'type': {u'enum': [u'set-protection']}}, u'required': [u'type'], u'type': u'object'}
type = u'set-protection'

c7n.resources.cloudfront module

class c7n.resources.cloudfront.DescribeDistribution(manager)[source]

Bases: c7n.query.DescribeSource

augment(resources)[source]
class c7n.resources.cloudfront.DescribeStreamingDistribution(manager)[source]

Bases: c7n.query.DescribeSource

augment(resources)[source]
class c7n.resources.cloudfront.Distribution(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
generate_arn

Generates generic arn if ID is not already arn format.

get_arn(r)[source]
get_source(source_type)[source]
class resource_type[source]

Bases: object

config_type = u'AWS::CloudFront::Distribution'
date = u'LastModifiedTime'
dimension = u'DistributionId'
enum_spec = (u'list_distributions', u'DistributionList.Items', None)
filter_name = None
id = u'Id'
name = u'DomainName'
service = u'cloudfront'
type = u'distribution'
universal_taggable = True
type = u'distribution'
class c7n.resources.cloudfront.DistributionDisableAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to disable a Distribution

Example:
policies:
  - name: distribution-delete
    resource: distribution
    filters:
      - type: value
        key: CacheBehaviors.Items[].ViewerProtocolPolicy
        value: allow-all
        op: contains
    actions:
      - type: disable
permissions = (u'distribution:GetDistributionConfig', u'distribution:UpdateDistribution')
process(distributions)[source]
process_distribution(distribution)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'disable']}}, u'required': [u'type'], u'type': u'object'}
type = u'disable'
class c7n.resources.cloudfront.DistributionMetrics(data, manager=None)[source]

Bases: c7n.filters.metrics.MetricsFilter

Filter cloudfront distributions based on metric values

Example:
policies:
  - name: cloudfront-distribution-errors
    resource: distribution
    filters:
      - type: metrics
        name: Requests
        value: 3
        op: ge
get_dimensions(resource)[source]
type = u'metrics'
class c7n.resources.cloudfront.DistributionSSLAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to set mandatory https-only on a Distribution

Example:
policies:
  - name: distribution-set-ssl
    resource: distribution
    filters:
      - type: value
        key: CacheBehaviors.Items[].ViewerProtocolPolicy
        value: allow-all
        op: contains
    actions:
      - type: set-ssl
        ViewerProtocolPolicy: https-only
permissions = (u'distribution:GetDistributionConfig', u'distribution:UpdateDistribution')
process(distributions)[source]
process_distribution(distribution)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'set-protocols']}, u'OriginSslProtocols': {u'type': u'array', u'items': {u'enum': [u'SSLv3', u'TLSv1', u'TLSv1.1', u'TLSv1.2']}}, u'OriginProtocolPolicy': {u'enum': [u'http-only', u'match-viewer', u'https-only']}, u'ViewerProtocolPolicy': {u'enum': [u'allow-all', u'https-only', u'redirect-to-https']}}, u'type': u'object'}
type = u'set-protocols'
class c7n.resources.cloudfront.IsWafEnabled(data, manager=None)[source]

Bases: c7n.filters.core.Filter

permissions = (u'waf:ListWebACLs',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'state': {u'type': u'boolean'}, u'type': {u'enum': [u'waf-enabled']}, u'web-acl': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
type = u'waf-enabled'
class c7n.resources.cloudfront.SetWaf(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

permissions = (u'cloudfront:UpdateDistribution', u'waf:ListWebACLs')
process(resources)[source]
static retry(func, *args, **kw)
schema = {u'additionalProperties': False, u'properties': {u'state': {u'type': u'boolean'}, u'type': {u'enum': [u'set-waf']}, u'web-acl': {u'type': u'string'}, u'force': {u'type': u'boolean'}}, u'required': [u'web-acl', u'type'], u'type': u'object'}
type = u'set-waf'
class c7n.resources.cloudfront.StreamingDistribution(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
generate_arn

Generates generic arn if ID is not already arn format.

get_arn(r)[source]
get_source(source_type)[source]
class resource_type[source]

Bases: object

config_type = u'AWS::CloudFront::StreamingDistribution'
date = u'LastModifiedTime'
dimension = u'DistributionId'
enum_spec = (u'list_streaming_distributions', u'StreamingDistributionList.Items', None)
filter_name = None
id = u'Id'
name = u'DomainName'
service = u'cloudfront'
type = u'streaming-distribution'
universal_taggable = True
type = u'streaming-distribution'
class c7n.resources.cloudfront.StreamingDistributionDisableAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to disable a Streaming Distribution

Example:
policies:
  - name: streaming-distribution-delete
    resource: streaming-distribution
    filters:
      - type: value
        key: S3Origin.OriginAccessIdentity
        value: ''
    actions:
      - type: disable
permissions = (u'streaming-distribution:GetStreamingDistributionConfig', u'streaming-distribution:UpdateStreamingDistribution')
process(distributions)[source]
process_distribution(distribution)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'disable']}}, u'required': [u'type'], u'type': u'object'}
type = u'disable'

c7n.resources.cloudsearch module

class c7n.resources.cloudsearch.CloudSearch(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = u'DomainName'
enum_spec = (u'describe_domains', u'DomainStatusList', None)
filter_name = u'DomainNames'
filter_type = u'list'
id = u'DomainName'
name = u'DomainName'
service = u'cloudsearch'
type = u'cloudsearch'
class c7n.resources.cloudsearch.Delete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

permissions = (u'cloudsearch:DeleteDomain',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'

c7n.resources.cloudtrail module

class c7n.resources.cloudtrail.CloudTrail(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

config_type = u'AWS::CloudTrail::Trail'
dimension = None
enum_spec = (u'describe_trails', u'trailList', None)
filter_name = u'trailNameList'
filter_type = u'list'
id = u'TrailArn'
name = u'Name'
service = u'cloudtrail'
type = u'cloudtrail'

c7n.resources.code module

class c7n.resources.code.BuildSecurityGroupFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = u'vpcConfig.securityGroupIds[]'
class c7n.resources.code.BuildSubnetFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = u'vpcConfig.subnets[]'
class c7n.resources.code.CodeBuildProject(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

batch_detail_spec = (u'batch_get_projects', u'names', None, u'projects')
config_type = u'AWS::CodeBuild::Project'
date = u'created'
dimension = None
enum_spec = (u'list_projects', u'projects', None)
filter_name = None
id = u'project'
name = u'project'
service = u'codebuild'
type = u'codebuild'
class c7n.resources.code.CodeDeployPipeline(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

date = u'created'
detail_spec = (u'get_pipeline', u'name', u'name', u'pipeline')
dimension = None
enum_spec = (u'list_pipelines', u'pipelines', None)
filter_name = None
id = u'name'
name = u'name'
service = u'codepipeline'
static retry(func, *args, **kw)
type = u'codepipeline'
class c7n.resources.code.CodeRepository(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

batch_detail_spec = (u'batch_get_repositories', u'repositoryNames', u'repositoryName', u'repositories')
date = u'creationDate'
dimension = None
enum_spec = (u'list_repositories', u'repositories', None)
filter_name = None
id = u'repositoryId'
name = u'repositoryName'
service = u'codecommit'
static retry(func, *args, **kw)
type = u'codecommit'
class c7n.resources.code.DeleteProject(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to delete code build

It is recommended to use a filter to avoid unwanted deletion of builds

Example:
policies:
  - name: codebuild-delete
    resource: codebuild
    actions:
      - delete
permissions = (u'codebuild:DeleteProject',)
process(projects)[source]
process_project(project)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.code.DeleteRepository(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to delete code commit

It is recommended to use a filter to avoid unwanted deletion of repos

Example:
policies:
  - name: codecommit-delete
    resource: codecommit
    actions:
      - delete
permissions = (u'codecommit:DeleteRepository',)
process(repositories)[source]
process_repository(repository)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'

c7n.resources.cognito module

class c7n.resources.cognito.CognitoIdentityPool(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

detail_spec = (u'describe_identity_pool', u'IdentityPoolId', u'IdentityPoolId', None)
dimension = None
enum_spec = (u'list_identity_pools', u'IdentityPools', {u'MaxResults': 60})
filter_name = None
id = u'IdentityPoolId'
name = u'IdentityPoolName'
service = u'cognito-identity'
type = u'identity-pool'
class c7n.resources.cognito.CognitoUserPool(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

detail_spec = (u'describe_user_pool', u'UserPoolId', u'Id', u'UserPool')
dimension = None
enum_spec = (u'list_user_pools', u'UserPools', {u'MaxResults': 60})
filter_name = None
id = u'Id'
name = u'Name'
service = u'cognito-idp'
type = u'user-pool'
class c7n.resources.cognito.DeleteIdentityPool(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to delete cognito identity pool

It is recommended to use a filter to avoid unwanted deletion of pools

Example:
policies:
  - name: identity-pool-delete
    resource: identity-pool
    actions:
      - delete
permissions = (u'cognito-identity:DeleteIdentityPool',)
process(pools)[source]
process_pool(pool)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.cognito.DeleteUserPool(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to delete cognito user pool

It is recommended to use a filter to avoid unwanted deletion of pools

Example:
policies:
  - name: user-pool-delete
    resource: user-pool
    actions:
      - delete
permissions = (u'cognito-idp:DeleteUserPool',)
process(pools)[source]
process_pool(pool)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'

c7n.resources.config module

class c7n.resources.config.ConfigRule(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'describe_config_rules', u'ConfigRules', None)
filter_name = u'ConfigRuleNames'
filter_type = u'list'
id = u'ConfigRuleName'
name = u'ConfigRuleName'
service = u'config'
type = u'config-rule'
class c7n.resources.config.DeleteRule(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

permissions = (u'config:DeleteConfigRule',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.config.RuleStatus(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

annotate = False
permissions = (u'config:DescribeConfigRuleEvaluationStatus',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'status']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'status'

c7n.resources.cw module

class c7n.resources.cw.Alarm(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

config_type = u'AWS::CloudWatch::Alarm'
date = u'AlarmConfigurationUpdatedTimestamp'
dimension = None
enum_spec = (u'describe_alarms', u'MetricAlarms', None)
filter_name = u'AlarmNames'
filter_type = u'list'
id = u'AlarmArn'
name = u'AlarmName'
service = u'cloudwatch'
type = u'alarm'
static retry(func, *args, **kw)
type = u'alarm'
class c7n.resources.cw.AlarmDelete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Delete a cloudwatch alarm.

Example:
policies:
  - name: cloudwatch-delete-stale-alarms
    resource: alarm
    filters:
      - type: value
        value_type: age
        key: StateUpdatedTimestamp
        value: 30
        op: ge
      - StateValue: INSUFFICIENT_DATA
    actions:
      - delete
permissions = (u'cloudwatch:DeleteAlarms',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.cw.CrossAccountFilter(data, manager=None)[source]

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = (u'events:ListTargetsByRule',)
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'cross-account']}, 'whitelist': {u'type': u'array', u'items': {u'type': u'string'}}, 'whitelist_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}}, u'required': [u'type'], u'type': u'object'}
type = u'cross-account'
class c7n.resources.cw.Delete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Example:
policies:
  - name: cloudwatch-delete-stale-log-group
    resource: log-group
    filters:
      - type: last-write
        days: 182.5
    actions:
      - delete
permissions = (u'logs:DeleteLogGroup',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.cw.DeleteTarget(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

permissions = (u'events:RemoveTargets',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.cw.EventRule(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = u'RuleName'
enum_spec = (u'list_rules', u'Rules', None)
filer_type = u'scalar'
filter_name = u'NamePrefix'
id = u'Name'
name = u'Name'
service = u'events'
type = u'event-rule'
type = u'event-rule'
class c7n.resources.cw.EventRuleTarget(data, options)[source]

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'list_targets_by_rule', u'Targets', None)
filter_name = None
filter_type = None
id = u'Id'
name = u'Id'
parent_spec = (u'event-rule', u'Rule', True)
service = u'events'
type = u'event-rule-target'
type = u'event-rule-target'
class c7n.resources.cw.LastWriteDays(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Filters CloudWatch log groups by last write

Example:
policies:
  - name: cloudwatch-stale-groups
    resource: log-group
    filters:
      - type: last-write
        days: 60
permissions = (u'logs:DescribeLogStreams',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'last-write']}, 'days': {u'type': u'number'}}, u'required': [u'type'], u'type': u'object'}
type = u'last-write'
class c7n.resources.cw.LogCrossAccountFilter(data, manager=None)[source]

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = (u'logs:DescribeSubscriptionFilters',)
process(resources, event=None)[source]
process_resource_set(client, accounts, resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'cross-account']}, 'whitelist': {u'type': u'array', u'items': {u'type': u'string'}}, 'whitelist_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}}, u'required': [u'type'], u'type': u'object'}
type = u'cross-account'
class c7n.resources.cw.LogGroup(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

date = u'creationTime'
dimension = u'LogGroupName'
enum_spec = (u'describe_log_groups', u'logGroups', None)
filter_name = u'logGroupNamePrefix'
filter_type = u'scalar'
id = u'arn'
name = u'logGroupName'
service = u'logs'
type = u'log-group'
type = u'log-group'
class c7n.resources.cw.Retention(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to set the retention period (in days) for CloudWatch log groups

Example:
policies:
  - name: cloudwatch-set-log-group-retention
    resource: log-group
    actions:
      - type: retention
        days: 200
permissions = (u'logs:PutRetentionPolicy',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'retention']}, 'days': {u'type': u'integer'}}, u'required': [u'type'], u'type': u'object'}
type = u'retention'

c7n.resources.datapipeline module

Data Pipeline

class c7n.resources.datapipeline.DataPipeline(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
augment(resources)[source]
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

batch_detail_spec = (u'describe_pipeline', u'pipelineIds', u'id', u'pipelineDescriptionList')
date = None
dimension = u'name'
enum_spec = (u'list_pipelines', u'pipelineIdList', None)
filter_name = None
id = u'id'
name = u'name'
service = u'datapipeline'
type = u'dataPipeline'
static retry(func, *args, **kw)
type = u'datapipeline'
class c7n.resources.datapipeline.Delete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Action to delete DataPipeline

It is recommended to use a filter to avoid unwanted deletion of DataPipeline

Example:
policies:
  - name: datapipeline-delete
    resource: datapipeline
    actions:
      - delete
permissions = (u'datapipeline:DeletePipeline',)
process(pipelines)[source]
process_pipeline(pipeline)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.datapipeline.MarkForOpPipeline(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.TagDelayedAction

Action to specify an action to occur at a later date

Example:
policies:
  - name: pipeline-delete-unused
    resource: datapipeline
    filters:
      - "tag:custodian_cleanup": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        msg: "Unused data pipeline: {op}@{action_date}"
        op: delete
        days: 7
permissions = (u'datapipeline:AddTags',)
process_resource_set(pipelines, tags)[source]
type = u'mark-for-op'
class c7n.resources.datapipeline.TagPipeline(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.Tag

Action to create tag(s) on a pipeline

Example:
policies:
  - name: tag-pipeline
    resource: datapipeline
    filters:
      - "tag:target-tag": absent
    actions:
      - type: tag
        key: target-tag
        value: target-tag-value
permissions = (u'datapipeline:AddTags',)
process_resource_set(pipelines, tags)[source]
type = u'tag'
class c7n.resources.datapipeline.UntagPipeline(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.RemoveTag

Action to remove tag(s) on a pipeline

Example:
policies:
  - name: pipeline-remove-tag
    resource: datapipeline
    filters:
      - "tag:OutdatedTag": present
    actions:
      - type: remove-tag
        tags: ["OutdatedTag"]
permissions = (u'datapipeline:RemoveTags',)
process_resource_set(pipelines, tags)[source]
type = u'remove-tag'

c7n.resources.directconnect module

class c7n.resources.directconnect.DirectConnect(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'describe_connections', u'connections', None)
filter_name = u'connectionId'
id = u'connectionId'
name = u'connectionName'
service = u'directconnect'
type = u'directconnect'

c7n.resources.directory module

class c7n.resources.directory.CloudDirectory(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'list_directories', u'Directories', None)
filter_name = None
id = u'DirectoryArn'
name = u'Name'
service = u'clouddirectory'
type = u'cloud-directory'
class c7n.resources.directory.Directory(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
augment(directories)[source]
filter_registry = <c7n.filters.core.FilterRegistry object>
permissions = (u'ds:ListTagsForResource',)
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'describe_directories', u'DirectoryDescriptions', None)
filter_name = u'DirectoryIds'
filter_type = u'list'
id = u'DirectoryId'
name = u'Name'
service = u'ds'
type = u'directory'
class c7n.resources.directory.DirectoryRemoveTag(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.RemoveTag

Remove tags from a directory

Example:
permissions = (u'ds:RemoveTagsFromResource',)
process_resource_set(directories, tags)[source]
type = u'remove-tag'
class c7n.resources.directory.DirectorySecurityGroupFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = u'VpcSettings.SecurityGroupId'
type = u'security-group'
class c7n.resources.directory.DirectorySubnetFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = u'VpcSettings.SubnetIds'
type = u'subnet'
class c7n.resources.directory.DirectoryTag(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.Tag

Add tags to a directory

Example:
permissions = (u'ds:AddTagToResource',)
process_resource_set(directories, tags)[source]
type = u'tag'

c7n.resources.dms module

class c7n.resources.dms.DeleteDmsEndpoint(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Delete a DMS endpoint

Example:
permissions = ('dms:DeleteEndpoint',)
process(endpoints)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': ['delete']}}, u'required': [u'type'], u'type': u'object'}
type = 'delete'
class c7n.resources.dms.DmsEndpoints(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

date = None
detail_spec = None
dimension = None
enum_spec = ('describe_endpoints', 'Endpoints', None)
filter_name = None
id = 'EndpointArn'
name = 'EndpointIdentifier'
service = 'dms'
type = 'dms-endpoint'
class c7n.resources.dms.InstanceDelete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

permissions = ('dms:DeleteReplicationInstance',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': ['delete']}}, u'required': [u'type'], u'type': u'object'}
type = 'delete'
class c7n.resources.dms.InstanceDescribe(manager)[source]

Bases: c7n.query.DescribeSource

augment(resources)[source]
get_resources(resource_ids)[source]
process_resource_set(client, resources)[source]
class c7n.resources.dms.InstanceMarkForOp(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.TagDelayedAction

Tag a replication instance for action at a later time

Example:
policies:
    - name: delete-single-az-dms
      resource: dms-instance
      filters:
        - MultiAZ: False
      actions:
        - type: mark-for-op
          tag: custodian_dms_cleanup
          op: delete
          days: 7
permissions = ('dms:AddTagsToResource',)
process_resource_set(resources, tags)[source]
type = 'mark-for-op'
class c7n.resources.dms.InstanceRemoveTag(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.RemoveTag

Remove tag(s) from a replication instance

Example:
policies:
    - name: delete-single-az-dms
      resource: dms-instance
      filters:
        - "tag:InvalidTag": present
      actions:
        - type: remove-tag
          tags: ["InvalidTag"]
permissions = ('dms:RemoveTagsFromResource',)
process_resource_set(resources, tags)[source]
type = 'remove-tag'
class c7n.resources.dms.InstanceTag(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.Tag

Add tag(s) to a replication instance

Example:
policies:
    - name: tag-dms-required
      resource: dms-instance
      filters:
        - "tag:RequireTag": absent
      actions:
        - type: tag
          key: RequiredTag
          value: RequiredTagValue
permissions = ('dms:AddTagsToResource',)
process_resource_set(resources, tags)[source]
type = 'tag'
class c7n.resources.dms.ModifyDmsEndpoint(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Modify the attributes of a DMS endpoint

Example:

AWS ModifyEndpoint Documentation: https://goo.gl/eDFfuf

permissions = ('dms:ModifyEndpoint',)
process(endpoints)[source]
schema = {'additionalProperties': False, 'properties': {'CertificateArn': {'type': 'string'}, 'Username': {'type': 'string'}, 'Port': {'type': 'integer', 'maximum': 65536, 'minimum': 1}, 'Password': {'type': 'string'}, 'EngineName': {'enum': ['mysql', 'oracle', 'postgres', 'mariadb', 'aurora', 'redshift', 'S3', 'sybase', 'dynamodb', 'mongodb', 'sqlserver']}, 'MongoDbSettings': {'type': 'object', 'additionalProperties': False, 'properties': {'ServerName': {'type': 'string'}, 'AuthMechanism': {'type': 'string', 'enum': ['default', 'mongodb_cr', 'scram_sha_1']}, 'Port': {'type': 'integer', 'maximum': 65535, 'minimum': 1}, 'AuthSource': {'type': 'string'}, 'ExtractDocId': {'type': 'string'}, 'DatabaseName': {'type': 'string'}, 'Username': {'type': 'string'}, 'NestingLevel': {'type': 'string', 'enum': ['NONE', 'none', 'ONE', 'one']}, 'DocsToInvestigate': {'type': 'integer', 'minimum': 1}, 'Password': {'type': 'string'}}}, 'S3Settings': {'type': 'object', 'additionalProperties': False, 'properties': {'CompressionType': {'type': 'string', 'enum': ['none', 'gzip']}, 'BucketFolder': {'type': 'string'}, 'CsvDelimiter': {'type': 'string'}, 'CsvRowDelimiter': {'type': 'string'}, 'ServiceAccessRoleArn': {'type': 'string'}, 'ExternalTableDefinition': {'type': 'string'}, 'BucketName': {'type': 'string'}}}, 'ServerName': {'type': 'string'}, 'ExtraConnectionAttributes': {'type': 'string'}, 'type': {'enum': ['modify-endpoint']}, 'EndpointIdentifier': {'type': 'string'}, 'DatabaseName': {'type': 'string'}, 'DynamoDbSettings': {'required': ['ServiceAccessRoleArn'], 'type': 'object', 'additionalProperties': False, 'properties': {'ServiceAccessRoleArn': {'type': 'string'}}}, 'SslMode': {'type': 'string', 'enum': ['none', 'require', 'verify-ca', 'verify-full']}}, 'type': 'object'}
type = 'modify-endpoint'
class c7n.resources.dms.ModifyReplicationInstance(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Modify replication instance(s) to apply new settings

Example:

AWS ModifyReplicationInstance Documentation: https://goo.gl/ePye9N

permissions = ('dms:ModifyReplicationInstance',)
process(resources)[source]
schema = {'additionalProperties': False, 'properties': {'ReplicationInstanceIdentifier': {'type': 'string'}, 'MultiAZ': {'type': 'boolean'}, 'ApplyImmediately': {'type': 'boolean'}, 'AutoMinorVersionUpgrade': {'type': 'boolean'}, 'AllowMajorVersionUpgrade': {'type': 'boolean'}, 'PreferredMaintenanceWindow': {'type': 'string'}, 'EngineVersion': {'type': 'string'}, 'AllocatedStorage': {'type': 'integer'}, 'ReplicationInstanceArn': {'type': 'string'}, 'ReplicationInstanceClass': {'type': 'string'}, 'VpcSecurityGroupIds': {'type': 'array', 'items': {'type': 'string'}}, 'type': {'enum': ['modify-instance']}}, 'type': 'object'}
type = 'modify-instance'
class c7n.resources.dms.ReplicationInstance(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
filters = <c7n.filters.core.FilterRegistry object>
get_arns(resources)[source]
get_source(source_type)[source]
get_tags(resources)[source]
class resource_type[source]

Bases: object

date = 'InstanceCreateTime'
dimension = None
enum_spec = ('describe_replication_instances', 'ReplicationInstances', None)
filter_name = None
filter_type = None
id = 'ReplicationInstanceIdentifier'
name = 'ReplicationInstanceIdentifier'
service = 'dms'
type = 'rep'
static retry(func, *args, **kw)
type = 'dms-instance'
class c7n.resources.dms.SecurityGroup(data, manager=None)[source]

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = 'VpcSecurityGroups[].VpcSecurityGroupId'
type = 'security-group'
class c7n.resources.dms.Subnet(data, manager=None)[source]

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = 'ReplicationSubnetGroup.Subnets[].SubnetIdentifier'
type = 'subnet'

c7n.resources.dynamodb module

class c7n.resources.dynamodb.Backup(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

config_type = u'AWS::DynamoDB::Table'
date = u'BackupCreationDateTime'
detail_spec = None
dimension = u'TableName'
enum_spec = (u'list_backups', u'BackupSummaries', None)
filter_name = None
id = u'Table'
name = u'TableName'
service = u'dynamodb'
type = u'table'
type = u'dynamodb-backup'
class c7n.resources.dynamodb.CreateBackup(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.dynamodb.StatusFilter

Creates a manual backup of a DynamoDB table. Use of the optional
prefix flag will attach a user specified prefix. Otherwise, the backup prefix will default to ‘Backup’.
Example:
policies:
  - name: dynamodb-create-backup
    resource: dynamodb-table
    actions:
      - type: backup
        prefix: custom
permissions = (u'dynamodb:CreateBackup',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'backup']}, 'prefix': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
type = u'backup'
valid_status = (u'ACTIVE',)
class c7n.resources.dynamodb.DeleteBackup(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.dynamodb.StatusFilter

Deletes backups of a DynamoDB table

Example:
policies:
  - name: dynamodb-delete-backup
    resource: dynamodb-backup
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - type: delete
permissions = (u'dynamodb:DeleteBackup',)
process(backups)[source]
process_dynamodb_backups(table_set, c)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
valid_status = (u'AVAILABLE',)
class c7n.resources.dynamodb.DeleteTable(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.dynamodb.StatusFilter

Action to delete dynamodb tables

Example:
policies:
  - name: delete-empty-tables
    resource: dynamodb-table
    filters:
      - TableSizeBytes: 0
    actions:
      - delete
delete_table(table_set)[source]
permissions = (u'dynamodb:DeleteTable',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
valid_status = (u'ACTIVE',)
class c7n.resources.dynamodb.DescribeTable(manager)[source]

Bases: c7n.query.DescribeSource

augment(tables)[source]
class c7n.resources.dynamodb.SetStream(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.dynamodb.StatusFilter

Action to enable/disable streams on table.

Example:
policies:
  - name: stream-update
    resource: dynamodb-table
    filters:
      - TableName: 'test'
      - TableStatus: 'ACTIVE'
    actions:
      - type: set-stream
        state: True
        stream_view_type: 'NEW_IMAGE'
permissions = (u'dynamodb:UpdateTable',)
process(tables)[source]
schema = {u'additionalProperties': False, u'properties': {'state': {u'type': u'boolean'}, u'type': {u'enum': [u'set-stream']}, 'stream_view_type': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
type = u'set-stream'
valid_status = (u'ACTIVE',)
class c7n.resources.dynamodb.StatusFilter[source]

Bases: object

Filter tables by status

filter_backup_state(tables, states=None)[source]
filter_table_state(tables, states=None)[source]
valid_states = ()
class c7n.resources.dynamodb.Stream(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

date = u'CreationDateTime'
detail_spec = (u'describe_stream', u'StreamArn', u'StreamArn', u'StreamDescription')
dimension = u'TableName'
enum_spec = (u'list_streams', u'Streams', None)
filter_name = None
id = u'StreamArn'
name = u'TableName'
service = u'dynamodbstreams'
type = u'dynamodb-stream'
class c7n.resources.dynamodb.Table(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
get_source(source_type)[source]
permissions = u'dynamodb:ListTagsOfResource'
class resource_type[source]

Bases: object

config_type = u'AWS::DynamoDB::Table'
date = u'CreationDateTime'
detail_spec = (u'describe_table', u'TableName', None, u'Table')
dimension = u'TableName'
enum_spec = (u'list_tables', u'TableNames', None)
filter_name = None
id = u'TableName'
name = u'TableName'
service = u'dynamodb'
type = u'table'
static retry(func, *args, **kw)
type = u'dynamodb-table'
class c7n.resources.dynamodb.TagDelayedAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.TagDelayedAction

Action to specify an action to occur at a later date

Example:
policies:
  - name: dynamo-mark-tag-compliance
    resource: dynamodb-table
    filters:
      - "tag:custodian_cleanup": absent
      - "tag:OwnerName": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        msg: "Cluster does not have valid OwnerName tag: {op}@{action_date}"
        op: delete
        days: 7
batch_size = 1
permission = (u'dynamodb:TagResource',)
process_resource_set(tables, tags)[source]
type = u'mark-for-op'
class c7n.resources.dynamodb.TagTable(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.Tag

Action to create tag(s) on a resource

Example:
policies:
  - name: dynamodb-tag-table
    resource: dynamodb-table
    filters:
      - "tag:target-tag": absent
    actions:
      - type: tag
        key: target-tag
        value: target-tag-value
batch_size = 1
permissions = (u'dynamodb:TagResource',)
process_resource_set(tables, tags)[source]
type = u'tag'
class c7n.resources.dynamodb.UntagTable(data=None, manager=None, log_dir=None)[source]

Bases: c7n.tags.RemoveTag

Action to remove tag(s) on a resource

Example:
policies:
  - name: dynamodb-remove-tag
    resource: dynamodb-table
    filters:
      - "tag:OutdatedTag": present
    actions:
      - type: remove-tag
        tags: ["OutdatedTag"]
batch_size = 5
concurrency = 2
permissions = (u'dynamodb:UntagResource',)
process_resource_set(tables, tag_keys)[source]
type = u'remove-tag'

c7n.resources.ebs module

class c7n.resources.ebs.AttachedInstanceFilter(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

Filter volumes based on filtering on their attached instance

Example:
policies:
  - name: instance-ebs-volumes
    resource: ebs
    filters:
      - instance
get_instance_mapping(resources)[source]
get_permissions()[source]
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'instance']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'instance'
class c7n.resources.ebs.CopyInstanceTags(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Copy instance tags to its attached volume.

Useful for cost allocation to ebs volumes and tracking usage info for volumes.

Mostly useful for volumes not set to delete on termination, which are otherwise candidates for garbage collection, copying the instance tags gives us more semantic information to determine if their useful, as well letting us know the last time the volume was actually used.

Example:
policies:
  - name: ebs-copy-instance-tags
    resource: ebs
    filters:
      - type: value
        key: "Attachments[0].Device"
        value: not-null
    actions:
      - type: copy-instance-tags
        tags:
          - Name
get_permissions()[source]
get_volume_tags(volume, instance, attachment)[source]
initialize(volumes)[source]
process(volumes)[source]
process_instance_set(client, instance_ids)[source]
process_instance_volumes(client, instance, volumes)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'copy-instance-tags']}, 'tags': {u'type': u'array', u'items': {u'type': u'string'}}}, u'required': [u'type'], u'type': u'object'}
type = u'copy-instance-tags'
class c7n.resources.ebs.CopySnapshot(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Copy a snapshot across regions

http://goo.gl/CP3dq

Example:
policies:
  - name: copy-snapshot-east-west
    resource: ebs-snapshot
    filters:
      - type: age
        days: 7
        op: le
    actions:
      - type: copy
        target_region: us-west-2
        target_key: target_kms_key
        encrypted: true
permissions = (u'ec2:CreateTags', u'ec2:CopySnapshot', u'ec2:DescribeSnapshots')
process(resources)[source]
process_resource_set(*args, **kw)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'copy']}, 'target_key': {u'type': u'string'}, 'target_region': {u'type': u'string'}, 'encrypted': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'copy'
validate()[source]
class c7n.resources.ebs.CreateSnapshot(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Snapshot an EBS volume

Example:
policies:
  - name: snapshot-volumes
    resource: ebs
    filters:
      - Attachments: []
      - State: available
    actions:
      - snapshot
permissions = (u'ec2:CreateSnapshot',)
process(volumes)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'snapshot']}}, u'required': [u'type'], u'type': u'object'}
type = u'snapshot'
class c7n.resources.ebs.Delete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Delete an ebs volume.

If the force boolean is true, we will detach an attached volume from an instance. Note this cannot be done for running instance root volumes.

Example:
policies:
  - name: delete-unattached-volumes
    resource: ebs
    filters:
      - Attachments: []
      - State: available
    actions:
      - delete
permissions = (u'ec2:DetachVolume', u'ec2:DeleteVolume', u'ec2:DescribeVolumes')
process(volumes)[source]
process_volume(client, volume)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}, 'force': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.ebs.EBS(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

config_type = u'AWS::EC2::Volume'
date = u'createTime'
default_report_fields = (u'VolumeId', u'Attachments[0].InstanceId', u'Size', u'VolumeType', u'KmsKeyId')
dimension = u'VolumeId'
enum_spec = (u'describe_volumes', u'Volumes', None)
filter_name = u'VolumeIds'
filter_type = u'list'
id = u'VolumeId'
metrics_namespace = u'AWS/EBS'
name = u'VolumeId'
service = u'ec2'
type = u'volume'
type = u'ebs'
class c7n.resources.ebs.EncryptInstanceVolumes(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Encrypt extant volumes attached to an instance

  • Requires instance restart
  • Not suitable for autoscale groups.

Multistep process:

  • Stop instance (if running)
  • For each volume
    • Create snapshot
    • Wait on snapshot creation
    • Copy Snapshot to create encrypted snapshot
    • Wait on snapshot creation
    • Create encrypted volume from snapshot
    • Wait on volume creation
    • Delete transient snapshots
    • Detach Unencrypted Volume
    • Attach Encrypted Volume
    • Set DeleteOnTermination instance attribute equal to source volume
  • For each volume
    • Delete unencrypted volume
  • Start Instance (if originally running)
  • For each newly encrypted volume
    • Delete transient tags
Example:
policies:
  - name: encrypt-unencrypted-ebs
    resource: ebs
    filters:
      - Encrypted: false
    actions:
      - type: encrypt-instance-volumes
        key: alias/encrypted
create_encrypted_volume(ec2, v, key_id, instance_id)[source]
get_encryption_key()[source]
permissions = (u'ec2:CopySnapshot', u'ec2:CreateSnapshot', u'ec2:CreateVolume', u'ec2:DescribeInstances', u'ec2:DescribeSnapshots', u'ec2:DescribeVolumes', u'ec2:StopInstances', u'ec2:StartInstances', u'ec2:ModifyInstanceAttribute', u'ec2:DeleteTags')
process(volumes)[source]
process_volume(client, instance_id, vol_set)[source]

Encrypt attached unencrypted ebs volumes

vol_set corresponds to all the unencrypted volumes on a given instance.

schema = {u'additionalProperties': False, u'properties': {'key': {u'type': u'string'}, u'type': {u'enum': [u'encrypt-instance-volumes']}, 'delay': {u'type': u'number'}, 'verbose': {u'type': u'boolean'}}, u'required': [u'key', u'type'], u'type': u'object'}
stop_instance(client, instance_id)[source]
type = u'encrypt-instance-volumes'
validate()[source]
wait_on_resource(*args, **kw)[source]
class c7n.resources.ebs.FaultTolerantSnapshots(data, manager=None)[source]

Bases: c7n.filters.core.Filter

This filter will return any EBS volume that does/does not have a snapshot within the last 7 days. ‘Fault-Tolerance’ in this instance means that, in the event of a failure, the volume can be restored from a snapshot with (reasonable) data loss

  • name: ebs-volume-tolerance
  • resource: ebs
  • filters: [{
    ‘type’: ‘fault-tolerant’, ‘tolerant’: True}]
check_id = u'H7IgTzjTYb'
permissions = (u'support:RefreshTrustedAdvisorCheck', u'support:DescribeTrustedAdvisorCheckResult')
process(resources, event=None)[source]
pull_check_results()[source]
schema = {u'additionalProperties': False, u'properties': {'tolerant': {u'type': u'boolean'}, u'type': {u'enum': [u'fault-tolerant']}}, u'required': [u'type'], u'type': u'object'}
type = u'fault-tolerant'
class c7n.resources.ebs.HealthFilter(data, manager=None)[source]

Bases: c7n.filters.health.HealthEventFilter

load_resource(config, rid)[source]
permissions = (u'health:DescribeEvents', u'health:DescribeAffectedEntities', u'health:DescribeEventDetails', u'config:GetResourceConfigHistory')
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {'statuses': {u'type': u'array', u'items': {u'type': u'string', u'enum': [u'open', u'upcoming', u'closed']}}, u'type': {u'enum': [u'health-event']}, 'types': {u'type': u'array', u'items': {u'type': u'string', u'enum': [u'AWS_EBS_DEGRADED_EBS_VOLUME_PERFORMANCE', u'AWS_EBS_VOLUME_LOST']}}}, u'required': [u'type'], u'type': u'object'}
type = u'health-event'
class c7n.resources.ebs.KmsKeyAlias(data, manager=None)[source]

Bases: c7n.resources.kms.ResourceKmsKeyAlias

process(resources, event=None)[source]
type = u'kms-alias'
class c7n.resources.ebs.ModifyVolume(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Modify an ebs volume online.

Note this action requires use of modifyable filter

Intro Blog & Use Cases - https://goo.gl/E3u4Ue Docs - https://goo.gl/DJM4T0 Considerations - https://goo.gl/CBhfqV

Example:Find under utilized provisioned iops volumes older than a week and change their type.
policies:
 - name: ebs-remove-piops
   resource: ebs
   filters:
    - type: value
      key: CreateDate
      value_type: age
      value: 7
      op: greater-than
    - VolumeType: io1
    - type: metrics
      name: VolumeConsumedReadWriteOps
      statistics: Maximum
      value: 100
      op: less-than
      days: 7
    - modifyable
   actions:
    - type: modify
      volume-type: gp1

iops-percent and size-percent can be used to modify respectively iops on io1 volumes and volume size.

When converting to io1, iops-percent is used to set the iops allocation for the new volume against the extant value for the old volume.

Example:Double storage and quadruple iops for all io1 volumes.
policies:
 - name: ebs-remove-piops
   resource: ebs
   filters:
     - VolumeType: io1
     - modifyable
   actions:
     - type: modify
       size-percent: 200
       iops-percent: 400

Note resizing down aka shrinking requires OS and FS support and potentially additional preparation, else data-loss may occur. To prevent accidents, shrinking must be explicitly enabled by also setting shrink: true on the action.

permissions = (u'ec2:ModifyVolumeAttribute',)
process(resources)[source]
process_resource_set(client, resource_set)[source]
schema = {u'additionalProperties': False, u'properties': {u'iops-percent': {u'type': u'number'}, u'type': {u'enum': [u'modify']}, u'shrink': False, u'volume-type': {u'enum': [u'io1', u'gp2', u'st1', u'sc1']}, u'size-percent': {u'type': u'number'}}, u'required': [u'type'], u'type': u'object'}
type = u'modify'
validate()[source]
class c7n.resources.ebs.ModifyableVolume(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Check if an ebs volume is modifyable online.

Considerations - https://goo.gl/CBhfqV

Consideration Summary
  • only current instance types are supported (one exception m3.medium) Current Generation Instances (2017-2) https://goo.gl/iuNjPZ
  • older magnetic volume types are not supported
  • shrinking volumes is not supported
  • must wait at least 6hrs between modifications to the same volume.
  • volumes must have been attached after nov 1st, 2016.

See custodian schema ebs.actions.modify for examples.

older_generation = set([u'm3.xlarge', u'cc2.8xlarge', u'm1.xlarge', u'm3.large', u'hi1.4xlarge', u'm1.large', u'm3.2xlarge', u't1.micro', u'm2.xlarge', u'c1.medium', u'm2.4xlarge', u'cr1.8xlarge', u'm1.small', u'm2.2xlarge', u'hs1.8xlarge', u'c1.xlarge', u'm1.medium', u'cg1.4xlarge'])
permissions = (u'ec2:DescribeInstances',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'modifyable']}}, u'required': [u'type'], u'type': u'object'}
type = u'modifyable'
class c7n.resources.ebs.Snapshot(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

date = u'StartTime'
default_report_fields = (u'SnapshotId', u'VolumeId', u'tag:InstanceId', u'VolumeSize', u'StartTime', u'State')
detail_spec = None
dimension = None
enum_spec = (u'describe_snapshots', u'Snapshots', None)
filter_name = u'SnapshotIds'
filter_type = u'list'
id = u'SnapshotId'
name = u'SnapshotId'
service = u'ec2'
type = u'snapshot'
resources(query=None)[source]
type = u'ebs-snapshot'
class c7n.resources.ebs.SnapshotAge(data, manager=None)[source]

Bases: c7n.filters.core.AgeFilter

EBS Snapshot Age Filter

Filters an EBS snapshot based on the age of the snapshot (in days)

Example:
policies:
  - name: ebs-snapshots-week-old
    resource: ebs-snapshot
    filters:
      - type: age
        days: 7
        op: ge
date_attribute = u'StartTime'
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'age']}, 'op': {u'type': u'string', u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}, 'days': {u'type': u'number'}}, u'required': [u'type'], u'type': u'object'}
type = u'age'
class c7n.resources.ebs.SnapshotCrossAccountAccess(data, manager=None)[source]

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

permissions = (u'ec2:DescribeSnapshotAttribute',)
process(resources, event=None)[source]
process_resource_set(client, resource_set)[source]
type = u'cross-account'
class c7n.resources.ebs.SnapshotDelete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Deletes EBS snapshots

Example:
policies:
  - name: delete-stale-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete
permissions = (u'ec2:DeleteSnapshot',)
process(snapshots)[source]
process_snapshot_set(*args, **kw)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}, u'skip-ami-snapshots': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.ebs.SnapshotSkipAmiSnapshots(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Filter to remove snapshots of AMIs from results

This filter is ‘true’ by default.

Example:

implicit with no parameters, ‘true’ by default

policies:
  - name: delete-stale-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
      - skip-ami-snapshots
Example:

explicit with parameter

policies:
  - name: delete-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
      - type: skip-ami-snapshots
        value: false
get_permissions()[source]
process(snapshots, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'skip-ami-snapshots']}, 'value': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'skip-ami-snapshots'
validate()[source]

c7n.resources.ec2 module

class c7n.resources.ec2.AttachedVolume(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

EC2 instances with EBS backed volume

Filters EC2 instances with EBS backed storage devices (non ephemeral)

Example:
policies:
  - name: ec2-encrypted-ebs-volumes
    resource: ec2
    filters:
      - type: ebs
        key: Encrypted
        value: true
get_permissions()[source]
get_volume_mapping(resources)[source]
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'skip-devices': {u'type': u'array', u'items': {u'type': u'string'}}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'ebs']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'operator': {u'enum': [u'and', u'or']}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'ebs'
class c7n.resources.ec2.AutorecoverAlarm(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.ec2.StateTransitionFilter

Adds a cloudwatch metric alarm to recover an EC2 instance.

This action takes effect on instances that are NOT part of an ASG.

Example:
policies:
  - name: ec2-autorecover-alarm
    resource: ec2
    filters:
      - singleton
  actions:
    - autorecover-alarm

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html

filter_asg_membership = <c7n.filters.core.ValueFilter object>
permissions = (u'ec2:DescribeInstanceStatus', u'ec2:RecoverInstances', u'ec2:DescribeInstanceRecoveryAttribute')
process(instances)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'autorecover-alarm']}}, u'required': [u'type'], u'type': u'object'}
type = u'autorecover-alarm'
valid_origin_states = (u'running', u'stopped', u'pending', u'stopping')
class c7n.resources.ec2.DefaultVpc(data, manager=None)[source]

Bases: c7n.filters.vpc.DefaultVpcBase

Matches if an ec2 database is in the default vpc

schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'default-vpc']}}, u'required': [u'type'], u'type': u'object'}
type = u'default-vpc'
class c7n.resources.ec2.DescribeEC2(manager)[source]

Bases: c7n.query.DescribeSource

augment(resources)[source]

EC2 API and AWOL Tags

While ec2 api generally returns tags when doing describe_x on for various resources, it may also silently fail to do so unless a tag is used as a filter.

See footnote on http://goo.gl/YozD9Q for official documentation.

Apriori we may be using custodian to ensure tags (including name), so there isn’t a good default to ensure that we will always get tags from describe_x calls.

class c7n.resources.ec2.DisableApiTermination(data, manager=None)[source]

Bases: c7n.filters.core.Filter

EC2 instances with disableApiTermination attribute set

Filters EC2 instances with disableApiTermination attribute set to true.

Example:
policies:
  - name: termination-protection-enabled
    resource: ec2
    filters:
      - type: termination-protected
Example:
policies:
  - name: termination-protection-NOT-enabled
    resource: ec2
    filters:
      - not:
        - type: termination-protected
get_permissions()[source]
is_termination_protection_enabled(client, inst)[source]
permissions = (u'ec2:DescribeInstanceAttribute',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'termination-protected']}}, u'required': [u'type'], u'type': u'object'}
type = u'termination-protected'
class c7n.resources.ec2.EC2(ctx, data)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
get_source(source_type)[source]
permissions = (u'ec2:DescribeTags',)
resource_query()[source]
class resource_type[source]

Bases: object

config_type = u'AWS::EC2::Instance'
date = u'LaunchTime'
default_report_fields = (u'CustodianDate', u'InstanceId', u'tag:Name', u'InstanceType', u'LaunchTime', u'VpcId', u'PrivateIpAddress')
detail_spec = None
dimension = u'InstanceId'
enum_spec = (u'describe_instances', u'Reservations[].Instances[]', None)
filter_name = u'InstanceIds'
filter_type = u'list'
id = u'InstanceId'
name = u'PublicDnsName'
service = u'ec2'
shape = u'Instance'
type = u'instance'
resources(query=None)[source]
type = u'ec2'
class c7n.resources.ec2.EC2ModifyVpcSecurityGroups(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.ModifyVpcSecurityGroupsAction

Modify security groups on an instance.

permissions = (u'ec2:ModifyNetworkInterfaceAttribute',)
process(instances)[source]
type = u'modify-security-groups'
class c7n.resources.ec2.EphemeralInstanceFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter

EC2 instances with ephemeral storage

Filters EC2 instances that have ephemeral storage (an instance-store backed root device)

Example:
policies:
  - name: ec2-ephemeral-instances
    resource: ec2
    filters:
      - type: ephemeral

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html

static is_ephemeral(i)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'ephemeral']}}, u'required': [u'type'], u'type': u'object'}
type = u'ephemeral'
class c7n.resources.ec2.ImageAge(data, manager=None)[source]

Bases: c7n.filters.core.AgeFilter, c7n.resources.ec2.InstanceImageBase

EC2 AMI age filter

Filters EC2 instances based on the age of their AMI image (in days)

Example:
policies:
  - name: ec2-ancient-ami
    resource: ec2
    filters:
      - type: image-age
        op: ge
        days: 90
date_attribute = u'CreationDate'
get_permissions()[source]
get_resource_date(i)[source]
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'image-age']}, 'op': {u'type': u'string', u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}, 'days': {u'type': u'number'}}, u'required': [u'type'], u'type': u'object'}
type = u'image-age'
class c7n.resources.ec2.InstanceAgeFilter(data, manager=None)[source]

Bases: c7n.filters.core.AgeFilter

Filters instances based on their age (in days)

Example:
policies:
  - name: ec2-30-days-plus
    resource: ec2
    filters:
      - type: instance-age
        op: ge
        days: 30
date_attribute = u'LaunchTime'
ebs_key_func = <operator.itemgetter object>
get_resource_date(i)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'instance-age']}, 'days': {u'type': u'number'}, 'minutes': {u'type': u'number'}, 'hours': {u'type': u'number'}, 'op': {u'type': u'string', u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'instance-age'
class c7n.resources.ec2.InstanceAttribute(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

EC2 Instance Value FIlter on a given instance attribute.

Filters EC2 Instances with the given instance attribute

Example:
policies:
  - name: ec2-unoptimized-ebs
    resource: ec2
    filters:
      - type: instance-attribute
        attribute: ebsOptimized
        key: "Value"
        value: false
get_instance_attribute(resources, attribute)[source]
get_permissions()[source]
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, 'attribute': {u'enum': (u'instanceType', u'kernel', u'ramdisk', u'userData', u'disableApiTermination', u'instanceInitiatedShutdownBehavior', u'rootDeviceName', u'blockDeviceMapping', u'productCodes', u'sourceDestCheck', u'groupSet', u'ebsOptimized', u'sriovNetSupport', u'enaSupport')}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'instance-attribute']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': (u'attribute',), u'type': u'object'}
type = u'instance-attribute'
valid_attrs = (u'instanceType', u'kernel', u'ramdisk', u'userData', u'disableApiTermination', u'instanceInitiatedShutdownBehavior', u'rootDeviceName', u'blockDeviceMapping', u'productCodes', u'sourceDestCheck', u'groupSet', u'ebsOptimized', u'sriovNetSupport', u'enaSupport')
class c7n.resources.ec2.InstanceImage(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter, c7n.resources.ec2.InstanceImageBase

get_permissions()[source]
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'image']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'image'
class c7n.resources.ec2.InstanceImageBase[source]

Bases: object

get_base_image_mapping()[source]
get_instance_image(instance)[source]
get_local_image_mapping(image_ids)[source]
prefetch_instance_images(instances)[source]
class c7n.resources.ec2.InstanceOffHour(data, manager=None)[source]

Bases: c7n.filters.offhours.OffHour, c7n.resources.ec2.StateTransitionFilter

Custodian OffHour filter

Filters running EC2 instances with the intent to stop at a given hour of the day. A list of days to excluded can be included as a list of strings with the format YYYY-MM-DD. Alternatively, the list (using the same syntax) can be taken from a specified url.

Example:
policies:
  - name: offhour-evening-stop
    resource: ec2
    filters:
      - type: offhour
        tag: custodian_downtime
        default_tz: et
        offhour: 20
    actions:
      - stop

  - name: offhour-evening-stop-skip-holidays
    resource: ec2
    filters:
      - type: offhour
        tag: custodian_downtime
        default_tz: et
        offhour: 20
        skip-days: ['2017-12-25']
    actions:
      - stop

  - name: offhour-evening-stop-skip-holidays-from
    resource: ec2
    filters:
      - type: offhour
        tag: custodian_downtime
        default_tz: et
        offhour: 20
        skip-days-from:
          expr: 0
          format: csv
          url: 's3://location/holidays.csv'
    actions:
      - stop
process(resources, event=None)[source]
type = u'offhour'
valid_origin_states = (u'running',)
class c7n.resources.ec2.InstanceOnHour(data, manager=None)[source]

Bases: c7n.filters.offhours.OnHour, c7n.resources.ec2.StateTransitionFilter

Custodian OnHour filter

Filters stopped EC2 instances with the intent to start at a given hour of the day. A list of days to excluded can be included as a list of strings with the format YYYY-MM-DD. Alternatively, the list (using the same syntax) can be taken from a specified url.

Example:
policies:
  - name: onhour-morning-start
    resource: ec2
    filters:
      - type: onhour
        tag: custodian_downtime
        default_tz: et
        onhour: 6
    actions:
      - start

  - name: onhour-morning-start-skip-holidays
    resource: ec2
    filters:
      - type: onhour
        tag: custodian_downtime
        default_tz: et
        onhour: 6
        skip-days: ['2017-12-25']
    actions:
      - start

  - name: onhour-morning-start-skip-holidays-from
    resource: ec2
    filters:
      - type: onhour
        tag: custodian_downtime
        default_tz: et
        onhour: 6
        skip-days-from:
          expr: 0
          format: csv
          url: 's3://location/holidays.csv'
    actions:
      - start
process(resources, event=None)[source]
type = u'onhour'
valid_origin_states = (u'stopped',)
class c7n.resources.ec2.PropagateSpotTags(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Propagate Tags that are set at Spot Request level to EC2 instances.

Example:
MAX_TAG_COUNT = 50
permissions = (u'ec2:DescribeInstances', u'ec2:DescribeSpotInstanceRequests', u'ec2:DescribeTags', u'ec2:CreateTags')
process(instances)[source]
process_request_instances(client, request, instances)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'propagate-spot-tags']}, u'only_tags': {u'type': u'array', u'items': {u'type': u'string'}}}, u'required': [u'type'], u'type': u'object'}
type = u'propagate-spot-tags'
class c7n.resources.ec2.QueryFilter(data)[source]

Bases: object

classmethod parse(data)[source]
query()[source]
validate()[source]
class c7n.resources.ec2.Reboot(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.ec2.StateTransitionFilter

reboots a previously running EC2 instance.

Example:
policies:
  - name: ec2-reboot-instances
    resource: ec2
    query:
      - instance-state-name: running
    actions:
      - reboot

http://docs.aws.amazon.com/cli/latest/reference/ec2/reboot-instances.html

batch_size = 10
exception = None
permissions = (u'ec2:RebootInstances',)
process(instances)[source]
process_instance_set(client, instances)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'reboot']}}, u'required': [u'type'], u'type': u'object'}
type = u'reboot'
valid_origin_states = (u'running',)
class c7n.resources.ec2.Resize(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.ec2.StateTransitionFilter

Change an instance’s size.

An instance can only be resized when its stopped, this action can optionally restart an instance if needed to effect the instance type change. Instances are always left in the run state they were found in.

There are a few caveats to be aware of, instance resizing needs to maintain compatibility for architecture, virtualization type hvm/pv, and ebs optimization at minimum.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html

get_permissions()[source]
process(resources)[source]
process_resource_set(instance_set)[source]
schema = {u'additionalProperties': False, u'properties': {u'restart': {u'type': u'boolean'}, u'type': {u'enum': [u'resize']}, u'type-map': {u'type': u'object'}, u'default': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
type = u'resize'
valid_origin_states = (u'running', u'stopped')
class c7n.resources.ec2.SecurityGroupFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SecurityGroupFilter

RelatedIdsExpression = u'SecurityGroups[].GroupId'
type = u'security-group'
class c7n.resources.ec2.SetInstanceProfile(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.ec2.StateTransitionFilter

Sets (or removes) the instance profile for a running EC2 instance.

Example:
policies:
  - name: set-default-instance-profile
    resource: ec2
    filters:
      - IamInstanceProfile: absent
    actions:
      - type: set-instance-profile
        name: default

https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-iam-instance-profile.html https://docs.aws.amazon.com/cli/latest/reference/ec2/disassociate-iam-instance-profile.html

permissions = (u'ec2:AssociateIamInstanceProfile', u'ec2:DisassociateIamInstanceProfile', u'iam:PassRole')
process(instances)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'set-instance-profile']}, u'name': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
type = u'set-instance-profile'
valid_origin_states = (u'running', u'pending')
class c7n.resources.ec2.SingletonFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter, c7n.resources.ec2.StateTransitionFilter

EC2 instances without autoscaling or a recover alarm

Filters EC2 instances that are not members of an autoscaling group and do not have Cloudwatch recover alarms.

Example:
policies:
  - name: ec2-recover-instances
    resource: ec2
    filters:
      - singleton
    actions:
      - type: tag
        key: problem
        value: instance is not resilient

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html

has_recover_alarm(i)[source]
in_asg = <c7n.filters.core.ValueFilter object>
permissions = (u'cloudwatch:DescribeAlarmsForMetric',)
process(instances, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'singleton']}}, u'required': [u'type'], u'type': u'object'}
type = u'singleton'
valid_origin_states = (u'running', u'stopped', u'pending', u'stopping')
class c7n.resources.ec2.Snapshot(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Snapshots volumes attached to an EC2 instance

Example:
policies:
  - name: ec2-snapshots
    resource: ec2
  actions:
    - type: snapshot
      copy-tags:
        - Name
get_snapshot_tags(resource, block_device)[source]
permissions = (u'ec2:CreateSnapshot', u'ec2:CreateTags')
process(resources)[source]
process_volume_set(client, resource)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'snapshot']}, u'copy-tags': {u'type': u'array', u'items': {u'type': u'string'}}}, u'required': [u'type'], u'type': u'object'}
type = u'snapshot'
class c7n.resources.ec2.Start(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.ec2.StateTransitionFilter

Starts a previously stopped EC2 instance.

Example:
policies:
  - name: ec2-start-stopped-instances
    resource: ec2
    query:
      - instance-state-name: stopped
    actions:
      - start

http://docs.aws.amazon.com/cli/latest/reference/ec2/start-instances.html

batch_size = 10
exception = None
permissions = (u'ec2:StartInstances',)
process(instances)[source]
process_instance_set(client, instances, itype, izone)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'start']}}, u'required': [u'type'], u'type': u'object'}
type = u'start'
valid_origin_states = (u'stopped',)
class c7n.resources.ec2.StateTransitionAge(data, manager=None)[source]

Bases: c7n.filters.core.AgeFilter

Age an instance has been in the given state.

policies:
  - name: ec2-state-running-7-days
    resource: ec2
    filters:
      - type: state-age
        op: ge
        days: 7
RE_PARSE_AGE = <_sre.SRE_Pattern object>
date_attribute = u'dummy'
get_resource_date(i)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'state-age']}, 'op': {u'type': u'string', u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}, 'days': {u'type': u'number'}}, u'required': [u'type'], u'type': u'object'}
type = u'state-age'
class c7n.resources.ec2.StateTransitionFilter[source]

Bases: object

Filter instances by state.

Try to simplify construction for policy authors by automatically filtering elements (filters or actions) to the instances states they are valid for.

For more details see http://goo.gl/TZH9Q5

filter_instance_state(instances, states=None)[source]
valid_origin_states = ()
class c7n.resources.ec2.Stop(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.ec2.StateTransitionFilter

Stops a running EC2 instances

Example:
policies:
  - name: ec2-stop-running-instances
    resource: ec2
    query:
      - instance-state-name: running
    actions:
      - stop
get_permissions()[source]
process(instances)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'stop']}, u'terminate-ephemeral': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
split_on_storage(instances)[source]
type = u'stop'
valid_origin_states = (u'running',)
class c7n.resources.ec2.SubnetFilter(data, manager=None)[source]

Bases: c7n.filters.vpc.SubnetFilter

RelatedIdsExpression = u'SubnetId'
type = u'subnet'
class c7n.resources.ec2.Terminate(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action, c7n.resources.ec2.StateTransitionFilter

Terminate a set of instances.

While ec2 offers a bulk delete api, any given instance can be configured with api deletion termination protection, so we can’t use the bulk call reliabily, we need to process the instances individually. Additionally If we’re configured with ‘force’ then we’ll turn off instance termination protection.

Example:
policies:
  - name: ec2-process-termination
    resource: ec2
    filters:
      - type: marked-for-op
        op: terminate
    actions:
      - terminate
disable_deletion_protection(client, instances)[source]
get_permissions()[source]
process(instances)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'terminate']}, 'force': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
type = u'terminate'
valid_origin_states = (u'running', u'stopped', u'pending', u'stopping')
class c7n.resources.ec2.UpTimeFilter(data, manager=None)[source]

Bases: c7n.filters.core.AgeFilter

date_attribute = u'LaunchTime'
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'instance-uptime']}, 'op': {u'type': u'string', u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}, 'days': {u'type': u'number'}}, u'required': [u'type'], u'type': u'object'}
type = u'instance-uptime'

c7n.resources.ecr module

class c7n.resources.ecr.ECR(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'describe_repositories', u'repositories', None)
filter_name = u'repositoryNames'
filter_type = u'list'
id = u'repositoryArn'
name = u'repositoryName'
service = u'ecr'
type = u'ecr'
class c7n.resources.ecr.ECRCrossAccountAccessFilter(data, manager=None)[source]

Bases: c7n.filters.iamaccess.CrossAccountAccessFilter

Filters all EC2 Container Registries (ECR) with cross-account access

Example:
policies:
  - name: ecr-cross-account
    resource: ecr
    filters:
      - type: cross-account
        whitelist_from:
          expr: "accounts.*.accountNumber"
          url: *accounts_url
permissions = (u'ecr:GetRepositoryPolicy',)
process(resources, event=None)[source]
type = u'cross-account'
class c7n.resources.ecr.RemovePolicyStatement(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.RemovePolicyBase

Action to remove policy statements from ECR

Example:
policies:
  - name: ecr-remove-cross-accounts
    resource: ecr
    filters:
      - type: cross-account
    actions:
      - type: remove-statements
        statement_ids: matched
permissions = (u'ecr:SetRepositoryPolicy', u'ecr:GetRepositoryPolicy')
process(resources)[source]
process_resource(client, resource)[source]
type = u'remove-statements'

c7n.resources.ecs module

class c7n.resources.ecs.ContainerInstance(data, options)[source]

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.ActionRegistry object>
chunk_size = 100
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'list_container_instances', u'containerInstanceArns', None)
id = u'containerInstance'
name = u'containerInstance'
parent_spec = (u'ecs', u'cluster', None)
service = u'ecs'
source_type
type = u'ecs-container-instance'
class c7n.resources.ecs.DeleteService(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Delete service(s).

permissions = (u'ecs:DeleteService',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.ecs.DeleteTaskDefinition(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Delete/DeRegister a task definition.

The definition will be marked as InActive. Currently running services and task can still reference, new services & tasks can’t.

permissions = (u'ecs:DeregisterTaskDefinition',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
class c7n.resources.ecs.ECSCluster(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

batch_detail_spec = (u'describe_clusters', u'clusters', None, u'clusters')
dimension = None
enum_spec = (u'list_clusters', u'clusterArns', None)
filter_name = None
id = u'clusterArn'
name = u'clusterName'
service = u'ecs'
type = u'ecs'
class c7n.resources.ecs.ECSClusterResourceDescribeSource(manager)[source]

Bases: c7n.query.ChildDescribeSource

augment(resources)[source]
class c7n.resources.ecs.ECSContainerInstanceDescribeSource(manager)[source]

Bases: c7n.resources.ecs.ECSClusterResourceDescribeSource

process_cluster_resources(client, cluster_id, container_instances)[source]
type = u'describe-ecs-container-instance'
class c7n.resources.ecs.ECSMetrics(data, manager=None)[source]

Bases: c7n.filters.metrics.MetricsFilter

get_dimensions(resource)[source]
type = u'metrics'
class c7n.resources.ecs.ECSServiceDescribeSource(manager)[source]

Bases: c7n.resources.ecs.ECSClusterResourceDescribeSource

process_cluster_resources(client, cluster_id, services)[source]
type = u'describe-ecs-service'
class c7n.resources.ecs.ECSTaskDescribeSource(manager)[source]

Bases: c7n.resources.ecs.ECSClusterResourceDescribeSource

process_cluster_resources(client, cluster_id, tasks)[source]
type = u'describe-ecs-task'
class c7n.resources.ecs.Service(data, options)[source]

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.ActionRegistry object>
chunk_size = 10
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'list_services', u'serviceArns', None)
id = u'serviceArn'
name = u'serviceName'
parent_spec = (u'ecs', u'cluster', None)
service = u'ecs'
source_type
type = u'ecs-service'
class c7n.resources.ecs.ServiceMetrics(data, manager=None)[source]

Bases: c7n.filters.metrics.MetricsFilter

get_dimensions(resource)[source]
type = u'metrics'
class c7n.resources.ecs.ServiceTaskFilter(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

permissions = (u'ecs:DescribeTaskDefinition', u'ecs:ListTaskDefinitions')
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'task-definition']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'task-definition'
class c7n.resources.ecs.SetState(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Updates a container instance to either ACTIVE or DRAINING

Example:
policies:
    - name: drain-container-instances
      resource: ecs-container-instance
      actions:
        - type: set-state
          state: DRAINING
permissions = (u'ecs:UpdateContainerInstancesState',)
process(resources)[source]
process_cluster(cluster, c_instances)[source]
schema = {u'additionalProperties': False, u'properties': {'state': {u'type': u'string', u'enum': [u'DRAINING', u'ACTIVE']}, u'type': {u'enum': [u'set-state']}}, u'required': [u'type'], u'type': u'object'}
type = u'set-state'
class c7n.resources.ecs.StopTask(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Stop/Delete a currently running task.

permissions = (u'ecs:StopTask',)
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'stop']}, 'reason': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
type = u'stop'
class c7n.resources.ecs.Task(data, options)[source]

Bases: c7n.query.ChildResourceManager

action_registry = <c7n.actions.ActionRegistry object>
chunk_size = 100
filter_registry = <c7n.filters.core.FilterRegistry object>
class resource_type[source]

Bases: object

dimension = None
enum_spec = (u'list_tasks', u'taskArns', None)
id = u'taskArn'
name = u'taskArn'
parent_spec = (u'ecs', u'cluster', None)
service = u'ecs'
source_type
type = u'ecs-task'
class c7n.resources.ecs.TaskDefinition(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
get_resources(ids, cache=True)[source]
class resource_type[source]

Bases: object

detail_spec = (u'describe_task_definition', u'taskDefinition', None, u'taskDefinition')
dimension = None
enum_spec = (u'list_task_definitions', u'taskDefinitionArns', None)
filter_name = None
filter_type = None
id = u'taskDefinitionArn'
name = u'taskDefinitionArn'
service = u'ecs'
type = u'ecs-task-definition'
class c7n.resources.ecs.UpdateAgent(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

Updates the agent on a container instance

permissions = (u'ecs:UpdateContainerAgent',)
process(resources)[source]
process_instance(cluster, instance)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'update-agent']}}, u'required': [u'type'], u'type': u'object'}
type = u'update-agent'

c7n.resources.efs module

class c7n.resources.efs.Delete(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

permissions = (u'efs:DescribeMountTargets', u'efs:DeleteMountTargets', u'efs:DeleteFileSystem')
process(resources)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'delete']}}, u'required': [u'type'], u'type': u'object'}
type = u'delete'
unmount_filesystems(resources)[source]
class c7n.resources.efs.ElasticFileSystem(data, options)[source]

Bases: c7n.query.QueryResourceManager

action_registry = <c7n.actions.ActionRegistry object>
augment(resources)[source]
filter_registry = <c7n.filters.core.FilterRegistry object>
generate_arn