
I have a use case where I'd like to find AWS AMIs that have been shared with a particular account, using a periodically-run Lambda function, created by Cloud Custodian.

To test this, I created two AMIs: one private/unshared, one shared with a known account. When I run the Lambda function, I get the message Filtered from 2 to 2 ami, i.e. the filter I used has not worked in a manner I would like - I would have expected it to filter from 2 to 1 AMI.

Here's the filter I'm using (I've put in a generic number for the account here):

        filters:
          - type: image
            key: LaunchPermissions[0].UserId
            value: "123456789012"

I have used different variations for the key, but in each case the AMI I would like the policy filter to find is not found. I used https://jmespath.org to check the path against the below JSON, which seems to return what I want:

{
    "ImageId": "ami-1234567890",
    "LaunchPermissions": [
        {
            "UserId": "123456789012"
        }
    ]
}

I'm sure I'm not addressing the image attribute correctly, but I just can't seem to figure out which JMESPath will give me the account ID string.

Can anyone give me a pointer here, please?

Conor

1 Answer


This sort of policy usually takes advantage of the cross-account filter which checks AMI launch permissions.

Basic usage will match any AMI shared across accounts:

policies:
  - name: ami-cross-account
    resource: ami
    filters:
      - type: cross-account

And you can skip known accounts:

policies:
  - name: ami-cross-account
    resource: ami
    filters:
      - type: cross-account
        whitelist:
          - 111111111111
          - 222222222222

Checking for permissions granted to only a specific account is less straightforward. The cross-account filter doesn't natively support that case, but without that filter the ami resource won't include launch permission details. You would need to combine filters instead, for example:

policies:
  - name: ami-cross-account
    resource: ami
    filters:
      - type: cross-account
      - type: value
        key: '"c7n:LaunchPermissions"[].UserId'
        value:
          - "123456789012"
        value_type: swap
        op: intersect

So you have some options, but using the cross-account filter on its own is recommended if it can address your needs.

ajk
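The following is an added, stand-alone illustration of what the answer's two-filter policy evaluates; it is not Cloud Custodian's own code and does not call its API. It assumes, as the answer states, that the cross-account filter has already annotated each AMI's launch permissions under the `c7n:LaunchPermissions` key, in the shape `describe_image_attribute(Attribute="launchPermission")` returns (entries carry either a `UserId` or `Group: all` for public images). The sample AMI records are constructed. It contrasts the question's `LaunchPermissions[0].UserId` (first entry only) with the answer's `"c7n:LaunchPermissions"[].UserId` projection combined with the `intersect` operator, and shows why the former misses an AMI whose target account is not the first grantee or that has no `UserId` at all.

```python
# Added example, not Cloud Custodian code: models the answer's policy over
# constructed AMI records so the two JMESPath keys can be compared offline.

# Constructed sample resources. The "c7n:LaunchPermissions" annotation is the
# key the answer's policy reads; its entries mirror EC2's launchPermission
# attribute, where a public image shows {"Group": "all"} instead of a UserId.
SAMPLE_AMIS = [
    {"ImageId": "ami-private0000", "c7n:LaunchPermissions": []},
    {"ImageId": "ami-shared00001",
     "c7n:LaunchPermissions": [{"UserId": "123456789012"}]},
    {"ImageId": "ami-shared00002",
     "c7n:LaunchPermissions": [{"UserId": "999999999999"},
                               {"UserId": "123456789012"}]},
    {"ImageId": "ami-public00003",
     "c7n:LaunchPermissions": [{"Group": "all"}]},
]


def launch_permission_user_ids(ami):
    """Hand-written equivalent of the projection "c7n:LaunchPermissions"[].UserId:
    every UserId in the list, skipping entries without one (e.g. Group: all)."""
    return [p["UserId"] for p in ami.get("c7n:LaunchPermissions", []) if "UserId" in p]


def first_user_id(ami):
    """Equivalent of the question's LaunchPermissions[0].UserId: first entry only,
    None when the list is empty or the first entry has no UserId."""
    perms = ami.get("c7n:LaunchPermissions", [])
    return perms[0].get("UserId") if perms else None


def shared_with(amis, accounts):
    """Models value_type: swap + op: intersect from the answer: keep the AMI when
    the set of projected UserIds overlaps the policy's account list."""
    wanted = set(accounts)
    return [a["ImageId"] for a in amis
            if wanted & set(launch_permission_user_ids(a))]


def shared_with_first_only(amis, account):
    """The question's approach: equality against the first grantee only."""
    return [a["ImageId"] for a in amis if first_user_id(a) == account]


def is_cross_account(ami, whitelist=()):
    """Approximation of the answer's cross-account filter (assumed semantics):
    any grant to a principal outside the whitelist counts, and a public grant
    (Group: all) always counts."""
    for p in ami.get("c7n:LaunchPermissions", []):
        if "Group" in p:
            return True
        if p.get("UserId") not in whitelist:
            return True
    return False


def cross_account_images(amis, whitelist=()):
    return [a["ImageId"] for a in amis if is_cross_account(a, whitelist)]


if __name__ == "__main__":
    print("cross-account:", cross_account_images(SAMPLE_AMIS))
    print("shared with 123456789012 (intersect):",
          shared_with(SAMPLE_AMIS, ["123456789012"]))
    print("shared with 123456789012 ([0].UserId):",
          shared_with_first_only(SAMPLE_AMIS, "123456789012"))
```

Running this, the intersect form returns both shared images, while the `[0].UserId` form returns only the one where the account happens to be listed first; the public image yields no `UserId` under either key, which is why a detection policy for "shared with anyone" is better served by the cross-account filter on its own, as the answer recommends.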