aws.event-bus
Filters
cross-account
Check a resource’s embedded iam policy for cross account access.
Permissions - events:ListEventBuses
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
Permissions - config:GetResourceConfigHistory
kms-key
Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’
- example:
Match a specific key alias:
policies: - name: dms-encrypt-key-check resource: dms-instance filters: - type: kms-key key: "c7n:AliasName" value: alias/aws/dms
Or match against native key attributes such as KeyManager, which
more explicitly distinguishes between AWS and CUSTOMER-managed
keys. The above policy can also be written as:
policies: - name: dms-aws-managed-key resource: dms-instance filters: - type: kms-key key: KeyManager value: AWS
Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey
Actions
delete
Delete an event bus.
- example:
policies:
- name: cloudwatch-delete-event-bus
resource: aws.event-bus
filters:
- Name: test-event-bus
actions:
- delete
Permissions - events:DeleteEventBus
rename-tag
Rename an existing tag key to a new value.
- example:
rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.
policies: - name: rename-tags-example resource: aws.log-group filters: - or: - "tag:Bap": present - "tag:Application": present actions: - type: rename-tag old_keys: [Application, Bap] new_key: App
Permissions - tag:TagResources, tag:UntagResources