Cloud Shield
Introduction
Generic Filters
Value Filter
Special Values
Comparison Operators
Logical Operators
List Operators
Pattern Matching Operators
Value Type Transformations
Additional JMESPath Functions
Value Regex
Value From
Value Path
List Item Filter
Example 1: AWS ECS Task Definitions
Example 2: S3 Lifecycle Rules
Event Filter
Reduce Filter
Grouping resources
Sorting resources
Selecting resources
Combining resource groups
Attributes
Examples
Generic Actions
Webhook Action
Advanced Usage
Running against multiple regions
Reporting against multiple regions
Conditional Policy Execution
Limiting how many resources CloudShield affects
Adding custom fields to reports
Example tag compliance policy
AWS
Getting Started
Write your first policy
Run your policy
A 2nd Example Policy
Example Policies
Account - Login From Invalid IP Address
Account - Detect Root Logins
Account - Service Limit
AMI - Stop EC2 using Unapproved AMIs
AutoScaling Group - Verify ASGs have valid configurations
AMI - ASG Garbage Collector
ASG - Offhours Support
Block New Resources In Non-Standard Regions
DMS - DB Migration Service Endpoint - Enforce SSL
EBS - Garbage Collect Unattached Volumes
EBS - Create and Manage Snapshots
EBS - Delete Unencrypted
EC2 - auto-tag aws userName on resources
EC2 - Modify Instance Metadata Options
Examples:
EC2 - Offhours Support
EC2 - Old Instance Report
EC2 - Power On For Scheduled Patching
EC2 - Terminate Unpatchable Instances
EIP - Garbage Collect Unattached Elastic IPs
ELB - Delete New Internet-Facing ELBs
ELB - Delete Unused Elastic Load Balancers
ELB - SSL Blacklist
ELB - SSL Whitelist
IAM - Manage Whether A Specific IAM Policy is Attached to Roles
Lambda - Notify On Lambda Errors
Example offhours policy
Resource Scheduling Offhours
Features
Policy Configuration
Tag Based Configuration
ScheduleParser Time Specifications
Policy examples
Resume During Offhours
ElasticBeanstalk, EFS and Other Services with Tag Value Restrictions
Public Holidays
RDS - Delete Unused Databases With No Connections
RDS - Terminate Unencrypted Public Instances
S3 - Configure New Buckets Settings and Standards
S3 - Block Public S3 Object ACLs
S3 - Encryption
Enable Bucket Encryption
Remediate Existing
Options
Remediate Incoming
Options
Bucket Policy
S3 - Global Grants
S3 - Add lifecycle policy on bucket delete
SageMaker Notebook - Delete Public or Unencrypted
Security Groups - add permission
Security Groups - Detect and Remediate Violations
Tag Compliance Across Resources (EC2, ASG, ELB, S3, etc)
Add or Change Tag Values
Report on Tag Compliance
Enforce Tag Compliance - EC2
Enforce Tag Compliance - AutoScaling Groups
VPC - Flow Log Configuration Check
VPC - Notify On Invalid External Peering Connections
AWS Reference
AWS Execution Modes
pull
asg-instance-state
cloudtrail
config-poll-rule
config-rule
ec2-instance-state
guard-duty
hub-finding
hub-finding
periodic
phd
pull
schedule
AWS Common Actions
auto-tag-user
copy-related-tag
invoke-lambda
invoke-sfn
mark-for-op
modify-ecr-policy
modify-policy
modify-security-groups
normalize-tag
notify
post-finding
post-item
put-metric
remove-tag
rename-tag
tag
tag-trim
webhook
AWS Common Filters
alarm
api-cache
bedrock-model-invocation-logging
bucket-replication
check-permissions
client-properties
config-compliance
configuration
connection-aliases
cost-optimization
domain-options
ec2-metadata-defaults
engine
event
finding
flow-logs
gateway-route
health-event
iam-analyzer
image
instance-attribute
intelligent-tiering
list-item
lock-configuration
logging
logging-config
login-profile
marked-for-op
metrics
network-location
offhour
onhour
ops-item
org-unit
ownership
policy
reduce
route
router
safety-rule
security-group
service
service-instance
ses-agg-send-stats
shield-metrics
snapshots
subnet
subscription-filter
tag-count
trust
usage
usage-metric
value
vpc
waf-enabled
wafv2-enabled
accessanalyzer resources
aws.access-analyzer-finding
Filters
Actions
account resources
aws.account
Filters
Actions
acm resources
aws.acm-certificate
Filters
Actions
apigateway resources
aws.apigw-domain-name
Filters
Actions
aws.rest-account
Filters
Actions
aws.rest-api
Filters
Actions
aws.rest-client-certificate
Filters
Actions
aws.rest-resource
Filters
Actions
aws.rest-stage
Filters
Actions
aws.rest-vpclink
Filters
Actions
apigatewayv2 resources
aws.apigwv2
Filters
Actions
aws.apigwv2-stage
Filters
Actions
appflow resources
aws.app-flow
Filters
Actions
appmesh resources
aws.appmesh-mesh
Filters
Actions
aws.appmesh-virtualgateway
Filters
Actions
aws.appmesh-virtualnode
Filters
Actions
appstream resources
aws.appstream-fleet
Filters
Actions
aws.appstream-stack
Filters
Actions
appsync resources
aws.graphql-api
Filters
Actions
athena resources
aws.athena-capacity-reservation
Filters
Actions
aws.athena-data-catalog
Filters
Actions
aws.athena-named-query
Filters
Actions
aws.athena-work-group
Filters
Actions
autoscaling resources
aws.asg
Filters
Actions
aws.launch-config
Filters
Actions
aws.scaling-policy
Filters
Actions
backup resources
aws.backup-plan
Filters
Actions
aws.backup-vault
Filters
Actions
batch resources
aws.batch-compute
Filters
Actions
aws.batch-definition
Filters
Actions
aws.batch-queue
Filters
Actions
bedrock resources
aws.bedrock-custom-model
Filters
Actions
aws.bedrock-customization-job
Filters
Actions
bedrock-agent resources
aws.bedrock-agent
Filters
Actions
aws.bedrock-knowledge-base
Filters
Actions
budgets resources
aws.budget
Filters
Actions
clouddirectory resources
aws.cloud-directory
Filters
Actions
cloudformation resources
aws.cfn
Filters
Actions
cloudfront resources
aws.distribution
Filters
Actions
aws.origin-access-control
Filters
Actions
aws.streaming-distribution
Filters
Actions
cloudhsm resources
aws.hsm
Filters
Actions
aws.hsm-client
Filters
Actions
aws.hsm-hapg
Filters
Actions
cloudhsmv2 resources
aws.cloudhsm-backup
Filters
Actions
aws.cloudhsm-cluster
Filters
Actions
cloudsearch resources
aws.cloudsearch
Filters
Actions
cloudtrail resources
aws.cloudtrail
Filters
Actions
cloudwatch resources
aws.alarm
Filters
Actions
aws.cloudwatch-dashboard
Filters
Actions
aws.composite-alarm
Filters
Actions
aws.insight-rule
Filters
Actions
codeartifact resources
aws.artifact-domain
Filters
Actions
aws.artifact-repo
Filters
Actions
codebuild resources
aws.codebuild
Filters
Actions
aws.codebuild-credential
Filters
Actions
codecommit resources
aws.codecommit
Filters
Actions
codedeploy resources
aws.codedeploy-app
Filters
Actions
aws.codedeploy-deployment
Filters
Actions
aws.codedeploy-group
Filters
Actions
codepipeline resources
aws.codepipeline
Filters
Actions
cognito-identity resources
aws.identity-pool
Filters
Actions
cognito-idp resources
aws.user-pool
Filters
Actions
config resources
aws.config-recorder
Filters
Actions
aws.config-rule
Filters
Actions
connect resources
aws.connect-instance
Filters
Actions
connectcampaigns resources
aws.connect-campaign
Filters
Actions
datapipeline resources
aws.datapipeline
Filters
Actions
datasync resources
aws.datasync-agent
Filters
Actions
aws.datasync-task
Filters
Actions
dax resources
aws.dax
Filters
Actions
devicefarm resources
aws.devicefarm-project
Filters
Actions
directconnect resources
aws.directconnect
Filters
Actions
discovery resources
aws.appdiscovery-agent
Filters
Actions
dlm resources
aws.dlm-policy
Filters
Actions
dms resources
aws.dms-endpoint
Filters
Actions
aws.dms-instance
Filters
Actions
aws.dms-replication-task
Filters
Actions
ds resources
aws.directory
Filters
Actions
dynamodb resources
aws.dynamodb-backup
Filters
Actions
aws.dynamodb-table
Filters
Actions
dynamodbstreams resources
aws.dynamodb-stream
Filters
Actions
ec2 resources
aws.ami
Filters
Actions
aws.customer-gateway
Filters
Actions
aws.ebs
Filters
Actions
aws.ebs-snapshot
Filters
Actions
aws.ec2
Filters
Actions
aws.ec2-capacity-reservation
Filters
Actions
aws.ec2-host
Filters
Actions
aws.ec2-reserved
Filters
Actions
aws.ec2-spot-fleet-request
Filters
Actions
aws.elastic-ip
Filters
Actions
aws.eni
Filters
Actions
aws.flow-log
Filters
Actions
aws.internet-gateway
Filters
Actions
aws.key-pair
Filters
Actions
aws.launch-template-version
Filters
Actions
aws.mirror-session
Filters
Actions
aws.mirror-target
Filters
Actions
aws.nat-gateway
Filters
Actions
aws.network-acl
Filters
Actions
aws.peering-connection
Filters
Actions
aws.prefix-list
Filters
Actions
aws.route-table
Filters
Actions
aws.security-group
Filters
Actions
aws.subnet
Filters
Actions
aws.transit-attachment
Filters
Actions
aws.transit-gateway
Filters
Actions
aws.vpc
Filters
Actions
aws.vpc-endpoint
Filters
Actions
aws.vpn-connection
Filters
Actions
aws.vpn-gateway
Filters
Actions
ecr resources
aws.ecr
Filters
Actions
aws.ecr-image
Filters
Actions
ecs resources
aws.ecs
Filters
Actions
aws.ecs-container-instance
Filters
Actions
aws.ecs-service
Filters
Actions
aws.ecs-task
Filters
Actions
aws.ecs-task-definition
Filters
Actions
efs resources
aws.efs
Filters
Actions
aws.efs-mount-target
Filters
Actions
eks resources
aws.eks
Filters
Actions
aws.eks-nodegroup
Filters
Actions
elasticache resources
aws.cache-cluster
Filters
Actions
aws.cache-snapshot
Filters
Actions
aws.cache-subnet-group
Filters
Actions
aws.elasticache-group
Filters
Actions
aws.elasticache-user
Filters
Actions
elasticbeanstalk resources
aws.elasticbeanstalk
Filters
Actions
aws.elasticbeanstalk-environment
Filters
Actions
elb resources
aws.elb
Filters
Actions
elbv2 resources
aws.app-elb
Filters
Actions
aws.app-elb-target-group
Filters
Actions
emr resources
aws.emr
Filters
Actions
aws.emr-security-configuration
Filters
Actions
emr-serverless resources
aws.emr-serverless-app
Filters
Actions
es resources
aws.elasticsearch
Filters
Actions
aws.elasticsearch-reserved
Filters
Actions
events resources
aws.event-bus
Filters
Actions
aws.event-rule
Filters
Actions
aws.event-rule-target
Filters
Actions
firehose resources
aws.firehose
Filters
Actions
fis resources
aws.fis-experiment
Filters
Actions
aws.fis-template
Filters
Actions
fsx resources
aws.fsx
Filters
Actions
aws.fsx-backup
Filters
Actions
gamelift resources
aws.gamelift-build
Filters
Actions
aws.gamelift-fleet
Filters
Actions
glacier resources
aws.glacier
Filters
Actions
globalaccelerator resources
aws.globalaccelerator
Filters
Actions
glue resources
aws.glue-catalog
Filters
Actions
aws.glue-classifier
Filters
Actions
aws.glue-connection
Filters
Actions
aws.glue-crawler
Filters
Actions
aws.glue-database
Filters
Actions
aws.glue-dev-endpoint
Filters
Actions
aws.glue-job
Filters
Actions
aws.glue-ml-transform
Filters
Actions
aws.glue-security-configuration
Filters
Actions
aws.glue-table
Filters
Actions
aws.glue-trigger
Filters
Actions
aws.glue-workflow
Filters
Actions
guardduty resources
aws.guardduty-finding
Filters
Actions
health resources
aws.health-event
Filters
Actions
iam resources
aws.iam-certificate
Filters
Actions
aws.iam-group
Filters
Actions
aws.iam-oidc-provider
Filters
Actions
aws.iam-policy
Filters
Actions
aws.iam-profile
Filters
Actions
aws.iam-role
Filters
Actions
aws.iam-saml-provider
Filters
Actions
aws.iam-user
Filters
Actions
inspector2 resources
aws.inspector2-finding
Filters
Actions
iot resources
aws.iot
Filters
Actions
kafka resources
aws.kafka
Filters
Actions
aws.kafka-config
Filters
Actions
kendra resources
aws.kendra
Filters
Actions
kinesis resources
aws.kinesis
Filters
Actions
kinesisanalytics resources
aws.kinesis-analytics
Filters
Actions
kinesisanalyticsv2 resources
aws.kinesis-analyticsv2
Filters
Actions
kinesisvideo resources
aws.kinesis-video
Filters
Actions
kms resources
aws.kms
Filters
Actions
aws.kms-key
Filters
Actions
lakeformation resources
aws.datalake-location
Filters
Actions
lambda resources
aws.lambda
Filters
Actions
aws.lambda-layer
Filters
Actions
lex-models resources
aws.lex-bot
Filters
Actions
lexv2-models resources
aws.lexv2-bot
Filters
Actions
lightsail resources
aws.lightsail-db
Filters
Actions
aws.lightsail-elb
Filters
Actions
aws.lightsail-instance
Filters
Actions
logs resources
aws.log-destination
Filters
Actions
aws.log-group
Filters
Actions
aws.log-metric
Filters
Actions
machinelearning resources
aws.ml-model
Filters
Actions
memorydb resources
aws.memorydb
Filters
Actions
aws.memorydb-acl
Filters
Actions
aws.memorydb-snapshot
Filters
Actions
aws.memorydb-subnet-group
Filters
Actions
aws.memorydb-user
Filters
Actions
mq resources
aws.message-broker
Filters
Actions
aws.message-config
Filters
Actions
mwaa resources
aws.airflow
Filters
Actions
network-firewall resources
aws.firewall
Filters
Actions
networkmanager resources
aws.networkmanager-core
Filters
Actions
aws.networkmanager-device
Filters
Actions
aws.networkmanager-global
Filters
Actions
aws.networkmanager-link
Filters
Actions
aws.networkmanager-site
Filters
Actions
opensearchserverless resources
aws.opensearch-serverless
Filters
Actions
opsworks resources
aws.opswork-stack
Filters
Actions
opsworkscm resources
aws.opswork-cm
Filters
Actions
organizations resources
aws.org-account
Filters
Actions
aws.org-policy
Filters
Actions
aws.org-unit
Filters
Actions
osis resources
aws.opensearch-ingestion
Filters
Actions
pinpoint resources
aws.pinpoint-app
Filters
Actions
qldb resources
aws.qldb
Filters
Actions
quicksight resources
aws.quicksight-account
Filters
Actions
aws.quicksight-group
Filters
Actions
aws.quicksight-user
Filters
Actions
rds resources
aws.rds
Filters
Actions
aws.rds-cluster
Filters
Actions
aws.rds-cluster-param-group
Filters
Actions
aws.rds-cluster-snapshot
Filters
Actions
aws.rds-param-group
Filters
Actions
aws.rds-proxy
Filters
Actions
aws.rds-reserved
Filters
Actions
aws.rds-snapshot
Filters
Actions
aws.rds-subnet-group
Filters
Actions
aws.rds-subscription
Filters
Actions
redshift resources
aws.redshift
Filters
Actions
aws.redshift-reserved
Filters
Actions
aws.redshift-snapshot
Filters
Actions
aws.redshift-subnet-group
Filters
Actions
route53 resources
aws.healthcheck
Filters
Actions
aws.hostedzone
Filters
Actions
aws.rrset
Filters
Actions
route53-recovery-control-config resources
aws.recovery-cluster
Filters
Actions
aws.recovery-control-panel
Filters
Actions
route53-recovery-readiness resources
aws.readiness-check
Filters
Actions
route53domains resources
aws.r53domain
Filters
Actions
route53resolver resources
aws.resolver-logs
Filters
Actions
s3 resources
aws.s3
Filters
Actions
aws.s3-directory
Filters
Actions
s3control resources
aws.s3-access-point
Filters
Actions
aws.s3-access-point-multi
Filters
Actions
aws.s3-storage-lens
Filters
Actions
sagemaker resources
aws.sagemaker-auto-ml-job
Filters
Actions
aws.sagemaker-cluster
Filters
Actions
aws.sagemaker-compilation-job
Filters
Actions
aws.sagemaker-data-quality-job-definition
Filters
Actions
aws.sagemaker-domain
Filters
Actions
aws.sagemaker-endpoint
Filters
Actions
aws.sagemaker-endpoint-config
Filters
Actions
aws.sagemaker-hyperparameter-tuning-job
Filters
Actions
aws.sagemaker-job
Filters
Actions
aws.sagemaker-model
Filters
Actions
aws.sagemaker-model-bias-job-definition
Filters
Actions
aws.sagemaker-model-explainability-job-definition
Filters
Actions
aws.sagemaker-model-quality-job-definition
Filters
Actions
aws.sagemaker-notebook
Filters
Actions
aws.sagemaker-processing-job
Filters
Actions
aws.sagemaker-transform-job
Filters
Actions
sdb resources
aws.simpledb
Filters
Actions
secretsmanager resources
aws.secrets-manager
Filters
Actions
securityhub resources
aws.securityhub-finding
Filters
Actions
serverlessrepo resources
aws.serverless-app
Filters
Actions
service-quotas resources
aws.service-quota
Filters
Actions
aws.service-quota-request
Filters
Actions
servicecatalog resources
aws.catalog-portfolio
Filters
Actions
aws.catalog-product
Filters
Actions
servicediscovery resources
aws.servicediscovery-namespace
Filters
Actions
ses resources
aws.ses-configuration-set
Filters
Actions
aws.ses-receipt-rule-set
Filters
Actions
sesv2 resources
aws.ses-configuration-set-v2
Filters
Actions
aws.ses-email-identity
Filters
Actions
shield resources
aws.shield-attack
Filters
Actions
aws.shield-protection
Filters
Actions
snowball resources
aws.snowball
Filters
Actions
aws.snowball-cluster
Filters
Actions
sns resources
aws.sns
Filters
Actions
aws.sns-subscription
Filters
Actions
sqs resources
aws.sqs
Filters
Actions
ssm resources
aws.ops-item
Filters
Actions
aws.ssm-activation
Filters
Actions
aws.ssm-data-sync
Filters
Actions
aws.ssm-document
Filters
Actions
aws.ssm-managed-instance
Filters
Actions
aws.ssm-parameter
Filters
Actions
aws.ssm-patch-group
Filters
Actions
aws.ssm-session-manager
Filters
Actions
stepfunctions resources
aws.sfn-activity
Filters
Actions
aws.step-machine
Filters
Actions
storagegateway resources
aws.storage-gateway
Filters
Actions
support resources
aws.advisor-check
Filters
Actions
aws.support-case
Filters
Actions
swf resources
aws.swf-domain
Filters
Actions
timestream-influxdb resources
aws.timestream-influxdb
Filters
Actions
timestream-write resources
aws.timestream-database
Filters
Actions
aws.timestream-table
Filters
Actions
transfer resources
aws.transfer-server
Filters
Actions
aws.transfer-user
Filters
Actions
waf resources
aws.waf
Filters
Actions
waf-regional resources
aws.waf-regional
Filters
Actions
wafv2 resources
aws.wafv2
Filters
Actions
workspaces resources
aws.workspaces
Filters
Actions
aws.workspaces-bundle
Filters
Actions
aws.workspaces-directory
Filters
Actions
aws.workspaces-image
Filters
Actions
workspaces-web resources
aws.workspaces-web
Filters
Actions
xray resources
aws.xray-group
Filters
Actions
aws.xray-rule
Filters
Actions
Azure
Getting Started
Write your first policy
Run your policy
(Optional) Run your policy with Azure Monitoring
View policy results
CloudShield Report
Next Steps
Examples
General
Monitor - Filter resources by metrics from Azure Monitor
Resource Groups - Delayed operations
Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
Resource Groups - Remove empty Resource Groups
Tags - Add tag to Virtual Machines
Tags - Automatically tag the creator of a resource or resource group
Tags - Remove tag From Virtual Machines
Tags - Trim tags From Virtual Machines
Resource Group - Generate a Teams Message on Create
Compute
App Services - Filter By CORS Configuration
App Service - Resize All Application Service Plans
Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
Tags - Add tag to Virtual Machines
Tags - Remove tag From Virtual Machines
Tags - Trim tags From Virtual Machines
Virtual Machines - Find Stopped Virtual Machines
Virtual Machines - Find Virtual Machines with public IP address
Storage and Databases
Cosmos DB Collections - Resize Throughput with On/Off Hours
SQL - Find databases with specific retention options
SQL - Update SQL Database retention policies
SQL - Find all SQL Databases with Premium SKU
Storage - Add storage firewall rules
Storage - Block public access
Storage - Monitor newly created Containers for public access
Identity
Tags - Automatically tag the creator of a resource or resource group
Networking
Firewall - Update CosmosDB Rules
Firewall - Filter Storage Accounts By Rules
Load Balancer - Filter load balancer by front end public ip
Network Security Groups - Deny access to Network Security Group
Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
Routes - Find route tables with a specific subnet
Storage - Add storage firewall rules
Storage - Block public access
Virtual Machines - Find Virtual Machines with public IP address
Notifications
Email - Use Azure Logic Apps to notify users of policy violations
Create and configure Azure Logic App
Author Cloud Shield policy
Test the policy
Email - Send Users an Email
Resource Group - Generate a Teams Message on Create
Azure Reference
Azure Execution Modes
pull
azure-event-grid
azure-periodic
container-event
container-periodic
Azure Common Actions
auto-tag-date
auto-tag-user
delete
lock
logic-app
mark-for-op
notify
tag
tag-trim
untag
webhook
Azure Common Filters
auditing
auditing-policies
authentication
azure-ad-administrators
backup-status
blob-services
certificates
compute-instances
configuration
configuration-parameter
cost
diagnostic-settings
effective-route-table
event
failover-group
firewall
firewall-policy
firewall-rules
flow-logs
instance-view
jit-policy-port
list-item
management-policy-rules
marked-for-op
metric
offer
offhour
onhour
parent
policy-compliant
reduce
resource-lock
security-alert-policies
security-alert-policy
server-configuration
server-configurations
server-parameter
session-host-vm
storage-diagnostic-settings
value
variable
vm-extensions
vulnerability-assessment
webapp
AI + Machine Learning resources
azure.cognitiveservice
Filters
Actions
azure.databricks
Filters
Actions
azure.search
Filters
Actions
Active Directory resources
azure.roleassignment
Filters
Actions
azure.roledefinition
Filters
Actions
Alerts Management resources
azure.alert-logs
Filters
Actions
Analytics resources
azure.datafactory
Filters
Actions
azure.datalake-analytics
Filters
Actions
azure.hdinsight
Filters
Actions
azure.kusto
Filters
Actions
azure.synapse
Filters
Actions
Backup and Recovery resources
azure.recovery-services
Filters
Actions
Compute resources
azure.aks
Filters
Actions
azure.app-insights
Filters
Actions
azure.app-service-environment
Filters
Actions
azure.appserviceplan
Filters
Actions
azure.bastion-host
Filters
Actions
azure.batch
Filters
Actions
azure.host-pool
Filters
Actions
azure.image
Filters
Actions
azure.logic-app-workflow
Filters
Actions
azure.open-shift
Filters
Actions
azure.service-fabric-cluster
Filters
Actions
azure.service-fabric-cluster-managed
Filters
Actions
azure.session-host
Filters
Actions
azure.spring-app
Filters
Actions
azure.spring-service-instance
Filters
Actions
azure.vm
Filters
Actions
azure.vmss
Filters
Actions
azure.webapp
Filters
Actions
Containers resources
azure.aks
Filters
Actions
azure.container-group
Filters
Actions
azure.container-registry
Filters
Actions
azure.containerservice
Filters
Actions
azure.open-shift
Filters
Actions
Cost resources
azure.cost-management-export
Filters
Actions
Databases resources
azure.cosmosdb
Filters
Actions
azure.cosmosdb-collection
Filters
Actions
azure.cosmosdb-database
Filters
Actions
azure.mariadb
Filters
Actions
azure.mariadb-server
Filters
Actions
azure.mysql
Filters
Actions
azure.mysql-flexibleserver
Filters
Actions
azure.postgresql-database
Filters
Actions
azure.postgresql-server
Filters
Actions
azure.redis
Filters
Actions
azure.sql-database
Filters
Actions
azure.sql-server
Filters
Actions
Events resources
azure.event-grid-domain
Filters
Actions
azure.event-grid-topic
Filters
Actions
azure.eventhub
Filters
Actions
azure.eventsubscription
Filters
Actions
azure.servicebus-namespace
Filters
Actions
azure.servicebus-namespace-authrules
Filters
Actions
azure.servicebus-namespace-networkrules
Filters
Actions
Generic resources
azure.armresource
Filters
Actions
azure.policyassignments
Filters
Actions
Integration resources
azure.api-management
Filters
Actions
azure.app-configuration
Filters
Actions
azure.automation-account
Filters
Actions
Internet Of Things resources
azure.iothub
Filters
Actions
ML resources
azure.machine-learning-workspace
Filters
Actions
Media resources
azure.afd-custom-domain
Filters
Actions
azure.afd-endpoint
Filters
Actions
azure.cdn-custom-domain
Filters
Actions
azure.cdn-endpoint
Filters
Actions
azure.cdnprofile
Filters
Actions
Monitoring resources
azure.monitor-log-profile
Filters
Actions
Network resources
azure.application-gateway
Filters
Actions
azure.front-door
Filters
Actions
azure.front-door-policy
Filters
Actions
azure.networkwatcher
Filters
Actions
azure.stream-job
Filters
Actions
azure.traffic-manager-profile
Filters
Actions
azure.waf
Filters
Actions
Networking resources
azure.dnszone
Filters
Actions
azure.loadbalancer
Filters
Actions
azure.networkinterface
Filters
Actions
azure.networksecuritygroup
Filters
Actions
azure.publicip
Filters
Actions
azure.recordset
Filters
Actions
azure.routetable
Filters
Actions
azure.signalr
Filters
Actions
azure.vnet
Filters
Actions
Resource Group resources
azure.resourcegroup
Filters
Actions
Security resources
azure.advisor-recommendation
Filters
Actions
azure.defender-alert
Filters
Actions
azure.defender-assessment
Filters
Actions
azure.defender-autoprovisioning
Filters
Actions
azure.defender-contact
Filters
Actions
azure.defender-jit-policy
Filters
Actions
azure.defender-pricing
Filters
Actions
azure.defender-setting
Filters
Actions
azure.keyvault
Filters
Actions
azure.keyvault-certificate
Filters
Actions
azure.keyvault-key
Filters
Actions
azure.keyvault-secret
Filters
Actions
Storage resources
azure.datalake
Filters
Actions
azure.disk
Filters
Actions
azure.snapshot
Filters
Actions
azure.storage
Filters
Actions
azure.storage-container
Filters
Actions
Subscription resources
azure.policyassignments
Filters
Actions
azure.resourcegroup
Filters
Actions
azure.subscription
Filters
Actions
Web resources
azure.app-service-environment
Filters
Actions
azure.appserviceplan
Filters
Actions
azure.webapp
Filters
Actions
GCP
Examples
App Engine - Check if an SSL Certificate is About to Expire
App Engine - Check if a blacklisted domain is still in use
App Engine - Check if a Firewall Rule is in Place
Dataflow - Check for Hung Jobs
Deployment Manager - Find expired deployments
DNS - Notify if DNS Managed Zone has no DNSSEC
DNS - Notify if Logging is Disabled in DNS Policy
Compute Engine - Enforce minimal CPU utilization target for autoscalers
Compute Engine - Delete Instance Templates with Wrong Settings
Key Management System - Audit Crypto Key protection level
Load Balancer - Delete backend buckets
Load Balancer - Network Tiers
Load Balancer - SSL Policies - Delete policies by TLS version
Pub/Sub - Early Detection of Obsolete Snapshots
Pub/Sub - Audit Subscriptions to Match Requirements
Spanner - Drop Databases
Spanner - Reduce Count of Instance Nodes
Spanner - Set IAM Policies
Cloud SQL - List Unsuccessful Backups Older Than N Days
Cloud SQL - Check Regions of Instances and Their State
Cloud SQL - Notify on Certificates Which Are About to Expire
Cloud SQL - Check Users
Policies
Generic Actions
Notify
Load Balancer
GCP Reference
GCP Execution Modes
pull
gcp-audit
gcp-periodic
gcp-scc
GCP Common Actions
notify
post-finding
set-iam-policy
webhook
GCP Common Filters
access-approval
alerts
bucket
compute-meta
effective-firewall
essential-contacts
event
firewall
list-item
offhour
onhour
org-policy
recommend
records-sets
reduce
scc-findings
server-config
value
apikeys resources
gcp.api-key
Filters
Actions
appengine resources
gcp.app-engine
Filters
Actions
gcp.app-engine-certificate
Filters
Actions
gcp.app-engine-domain
Filters
Actions
gcp.app-engine-domain-mapping
Filters
Actions
gcp.app-engine-firewall-ingress-rule
Filters
Actions
gcp.app-engine-service
Filters
Actions
gcp.app-engine-service-version
Filters
Actions
artifactregistry resources
gcp.artifact-repository
Filters
Actions
bigquery resources
gcp.bq-dataset
Filters
Actions
gcp.bq-job
Filters
Actions
gcp.bq-table
Filters
Actions
bigtableadmin resources
gcp.bigtable-instance
Filters
Actions
gcp.bigtable-instance-cluster
Filters
Actions
gcp.bigtable-instance-cluster-backup
Filters
Actions
gcp.bigtable-instance-table
Filters
Actions
cloudbilling resources
gcp.cloudbilling-account
Filters
Actions
cloudbuild resources
gcp.build
Filters
Actions
cloudfunctions resources
gcp.function
Filters
Actions
cloudkms resources
gcp.kms-cryptokey
Filters
Actions
gcp.kms-cryptokey-version
Filters
Actions
gcp.kms-keyring
Filters
Actions
gcp.kms-location
Filters
Actions
cloudresourcemanager resources
gcp.folder
Filters
Actions
gcp.organization
Filters
Actions
gcp.project
Filters
Actions
compute resources
gcp.armor-policy
Filters
Actions
gcp.autoscaler
Filters
Actions
gcp.compute-project
Filters
Actions
gcp.disk
Filters
Actions
gcp.firewall
Filters
Actions
gcp.image
Filters
Actions
gcp.instance
Filters
Actions
gcp.instance-group-manager
Filters
Actions
gcp.instance-template
Filters
Actions
gcp.interconnect
Filters
Actions
gcp.interconnect-attachment
Filters
Actions
gcp.loadbalancer-address
Filters
Actions
gcp.loadbalancer-backend-bucket
Filters
Actions
gcp.loadbalancer-backend-service
Filters
Actions
gcp.loadbalancer-forwarding-rule
Filters
Actions
gcp.loadbalancer-global-address
Filters
Actions
gcp.loadbalancer-global-forwarding-rule
Filters
Actions
gcp.loadbalancer-health-check
Filters
Actions
gcp.loadbalancer-http-health-check
Filters
Actions
gcp.loadbalancer-https-health-check
Filters
Actions
gcp.loadbalancer-ssl-certificate
Filters
Actions
gcp.loadbalancer-ssl-policy
Filters
Actions
gcp.loadbalancer-target-http-proxy
Filters
Actions
gcp.loadbalancer-target-https-proxy
Filters
Actions
gcp.loadbalancer-target-instance
Filters
Actions
gcp.loadbalancer-target-pool
Filters
Actions
gcp.loadbalancer-target-ssl-proxy
Filters
Actions
gcp.loadbalancer-target-tcp-proxy
Filters
Actions
gcp.loadbalancer-url-map
Filters
Actions
gcp.route
Filters
Actions
gcp.router
Filters
Actions
gcp.snapshot
Filters
Actions
gcp.subnet
Filters
Actions
gcp.vpc
Filters
Actions
gcp.zone
Filters
Actions
container resources
gcp.gke-cluster
Filters
Actions
gcp.gke-nodepool
Filters
Actions
dataflow resources
gcp.dataflow-job
Filters
Actions
datafusion resources
gcp.datafusion-instance
Filters
Actions
dataproc resources
gcp.dataproc-clusters
Filters
Actions
deploymentmanager resources
gcp.dm-deployment
Filters
Actions
dns resources
gcp.dns-managed-zone
Filters
Actions
gcp.dns-policy
Filters
Actions
iam resources
gcp.iam-role
Filters
Actions
gcp.project-role
Filters
Actions
gcp.service-account
Filters
Actions
gcp.service-account-key
Filters
Actions
logging resources
gcp.log-exclusion
Filters
Actions
gcp.log-project-metric
Filters
Actions
gcp.log-project-sink
Filters
Actions
ml resources
gcp.ml-job
Filters
Actions
gcp.ml-model
Filters
Actions
notebooks resources
gcp.notebook
Filters
Actions
osconfig resources
gcp.patch-deployment
Filters
Actions
pubsub resources
gcp.pubsub-snapshot
Filters
Actions
gcp.pubsub-subscription
Filters
Actions
gcp.pubsub-topic
Filters
Actions
redis resources
gcp.redis
Filters
Actions
regions resources
gcp.region
Filters
Actions
run resources
gcp.cloud-run-job
Filters
Actions
gcp.cloud-run-revision
Filters
Actions
gcp.cloud-run-service
Filters
Actions
secretmanager resources
gcp.secret
Filters
Actions
serviceusage resources
gcp.service
Filters
Actions
sourcerepo resources
gcp.sourcerepo
Filters
Actions
spanner resources
gcp.spanner-backup
Filters
Actions
gcp.spanner-database-instance
Filters
Actions
gcp.spanner-instance
Filters
Actions
sqladmin resources
gcp.sql-backup-run
Filters
Actions
gcp.sql-instance
Filters
Actions
gcp.sql-ssl-cert
Filters
Actions
gcp.sql-user
Filters
Actions
storage resources
gcp.bucket
Filters
Actions
Billable Cloud Resources Index
AWS Resources
Azure Resources
GCP Resources
account resources
aws.account