library
turbot/aws_thrifty
- Correct DynamoDB table with stale data
- Correct EBS snapshots exceeding max age
- Correct EBS volumes attached to stopped instances
- Correct EBS volumes exceeding max size
- Correct EBS volumes if unattached
- Correct EBS volumes using gp2
- Correct EBS volumes using io1
- Correct EBS volumes with low IOPS
- Correct EBS volumes with low usage
- Correct EC2 application load balancers if unused
- Correct EC2 classic load balancers if unused
- Correct EC2 gateway load balancers if unused
- Correct EC2 instances exceeding max age
- Correct EC2 instances large
- Correct EC2 instances of older generation
- Correct EC2 instances without graviton
- Correct EC2 network load balancers if unused
- Correct EKS node groups without graviton
- Correct Elasticache clusters exceeding max age
- Correct EMR Clusters idle 30 mins
- Correct Lambda functions without graviton
- Correct one DynamoDB table with stale data
- Correct one EBS snapshot exceeding max age
- Correct one EBS volume attached to stopped instance
- Correct one EBS volume exceeding max size
- Correct one EBS volume if unattached
- Correct one EBS volume using gp2
- Correct one EBS volume using io1
- Correct one EBS volume with low IOPS
- Correct one EBS volume with low usage
- Correct one EC2 application load balancer if unused
- Correct one EC2 classic load balancer if unused
- Correct one EC2 gateway load balancer if unused
- Correct one EC2 instance exceeding max age
- Correct one EC2 instance large
- Correct one EC2 instance of older generation
- Correct one EC2 instance without graviton
- Correct one EC2 network load balancer if unused
- Correct one EKS node group without graviton
- Correct one Elasticache cluster exceeding max age
- Correct one EMR Cluster idle 30 mins
- Correct one Lambda function without graviton
- Correct one RDS DB instance exceeding max age
- Correct one RDS DB instance of older generation
- Correct one RDS DB instance with low connection count
- Correct one RDS DB instance without graviton processor
- Correct one Route53 health check if unused
- Correct one Route53 record with lower TTL
- Correct one S3 bucket without lifecycle policy
- Correct one SecretsManager secret if unused
- Correct one VPC EIP if unattached
- Correct one VPC NAT gateway if unused
- Correct RDS DB instances exceeding max age
- Correct RDS DB instances of older generation
- Correct RDS DB instances with low connection count
- Correct RDS DB instances without graviton processor
- Correct Route53 health checks if unused
- Correct Route53 records with lower TTL
- Correct S3 buckets without lifecycle policy
- Correct SecretsManager secrets if unused
- Correct VPC EIPs if unattached
- Correct VPC NAT gateways if unused
- Detect & correct DynamoDB tables with stale data
- Detect & correct EBS snapshots exceeding max age
- Detect & correct EBS volumes attached to stopped instances
- Detect & correct EBS volumes exceeding max size
- Detect & correct EBS volumes if unattached
- Detect & correct EBS volumes using gp2
- Detect & correct EBS volumes using io1
- Detect & correct EBS volumes with low IOPS
- Detect & correct EBS volumes with low usage
- Detect & correct EC2 application load balancers if unused
- Detect & correct EC2 classic load balancers if unused
- Detect & correct EC2 gateway load balancers if unused
- Detect & correct EC2 instances exceeding max age
- Detect & correct EC2 instances large
- Detect & correct EC2 instances of older generation
- Detect & correct EC2 instances without graviton
- Detect & correct EC2 network load balancers if unused
- Detect & correct EKS node groups without graviton
- Detect & correct Elasticache clusters exceeding max age
- Detect & correct EMR Clusters idle 30 mins
- Detect & correct Lambda functions without graviton
- Detect & correct RDS DB instances exceeding max age
- Detect & correct RDS DB instances of older generation
- Detect & correct RDS DB instances with low connection count
- Detect & correct RDS DB instances without graviton processor
- Detect & correct Route53 health checks if unused
- Detect & correct Route53 records with lower TTL
- Detect & correct S3 buckets without lifecycle policy
- Detect & correct SecretsManager secrets if unused
- Detect & correct VPC EIPs if unattached
- Detect & correct VPC NAT gateways if unused
- Snapshot & Delete EBS Volume
Get Involved
Version
Detect & correct S3 buckets without lifecycle policy
Overview
S3 Buckets without a lifecycle policy will not move objects between storage layers or expire objects, causing them to remain in their initial tier perpetually, this is inefficient and can be costly.
This pipeline detects S3 buckets which do not have a lifecycle policy attached and then either sends a notification or attempts to perform a predefined corrective action.
Getting Started
This control will work out-of-the-box with some sensible defaults (configurable via variables).
Note: You should review the variable
s3_buckets_without_lifecycle_policy_default_policyto ensure this meets your requirements prior to using theapply_policyaction.
You should be able to simply run the following command in your terminal:
flowpipe pipeline run detect_and_correct_s3_buckets_without_lifecycle_policyBy default, Flowpipe runs in wizard mode and prompts directly in the terminal for a decision on the action(s) to take for each detected resource.
However, you can run Flowpipe in server mode with external integrations, allowing it to prompt for input via http, slack, teams, etc.
Alternatively, you can choose to configure and run in other modes:
Run the pipeline
To run this pipeline from your terminal:
flowpipe pipeline run aws_thrifty.pipeline.detect_and_correct_s3_buckets_without_lifecycle_policyUse this pipeline
To call this pipeline from your pipeline, use a step:
step "pipeline" "step_name" { pipeline = aws_thrifty.pipeline.detect_and_correct_s3_buckets_without_lifecycle_policy }Params
| Name | Type | Required | Description | Default |
|---|---|---|---|---|
| database | string | Yes | Database connection string. | postgres://steampipe@localhost:9193/steampipe |
| policy | string | Yes | Lifecycle policy to apply to the S3 bucket, if 'apply' is the chosen response. | {
"Rules": [
{
"ID": "Transition to STANDARD_IA after 90 days",
"Status": "Enabled",
"Filter": {},
"Transitions": [
{
"Days": 90,
"StorageClass": "STANDARD_IA"
}
]
},
{
"ID": "Transition to GLACIER after 180 days",
"Status": "Enabled",
"Filter": {},
"Transitions": [
{
"Days": 180,
"StorageClass": "GLACIER"
}
]
},
{
"ID": "Transition to DEEP_ARCHIVE after 365 days",
"Status": "Enabled",
"Filter": {},
"Transitions": [
{
"Days": 365,
"StorageClass": "DEEP_ARCHIVE"
}
]
}
]
}
|
| notifier | string | Yes | The name of the notifier to use for sending notification messages. | default |
| notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info |
| approvers | list of string | Yes | List of notifiers to be used for obtaining action/approval decisions. | |
| default_action | string | Yes | The default action to use for the detected item, used if no input is provided. | notify |
| enabled_actions | list of string | Yes | The list of enabled actions to provide to approvers for selection. | |
Outputs
This pipeline has no outputs.
Tags
category = Cost
class = managed
plugin = aws
service = AWS/S3
type = featured