add everyone_only as a filter for EBS snapshots

cloud-custodian · May 10, 2023 · 3f81ebb · 3f81ebb
1 parent ef53a60
commit 3f81ebb
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 1 deletion.
diff --git a/c7n/resources/ebs.py b/c7n/resources/ebs.py
@@ -238,12 +238,19 @@ def process(self, resources, event=None):
 
     def process_resource_set(self, client, resource_set):
         results = []
+        everyone_only = self.data.get('everyone_only', False)
         for r in resource_set:
             attrs = self.manager.retry(
                 client.describe_snapshot_attribute,
                 SnapshotId=r['SnapshotId'],
                 Attribute='createVolumePermission')['CreateVolumePermissions']
-            shared_accounts = {
+            shared_accounts = set()
+            if everyone_only:
+                for g in attrs:
+                    if g.get('Group') == 'all':
+                        shared_accounts = {g.get('Group')}
+            else:
+                shared_accounts = {
                 g.get('Group') or g.get('UserId') for g in attrs}
             delta_accounts = shared_accounts.difference(self.accounts)
             if delta_accounts:

diff --git a/tests/test_ebs.py b/tests/test_ebs.py
@@ -190,6 +190,32 @@ def test_snapshot_access(self):
             {"snap-7f9496cf": ["619193117841"], "snap-af0eb71b": ["all"]},
         )
 
+    def test_snapshot_access_everyone_only(self):
+        # pre conditions, 2 snapshots one shared to a separate account, and one
+        # shared publicly. 2 non matching volumes, one not shared, one shared
+        # explicitly to its own account.
+        self.patch(CopySnapshot, "executor_factory", MainThreadExecutor)
+        factory = self.replay_flight_data("test_ebs_cross_account")
+        p = self.load_policy(
+            {
+                "name": "snap-copy",
+                "resource": "ebs-snapshot",
+                "filters": [
+                    {
+                        "type": "cross-account",
+                        "everyone_only": True,
+                    },
+                ]
+            },
+            session_factory=factory,
+        )
+        resources = p.run()
+        self.assertEqual(len(resources), 1)
+        self.assertEqual(
+            {r["SnapshotId"]: r["c7n:CrossAccountViolations"] for r in resources},
+            {"snap-af0eb71b": ["all"]},
+        )
+
 
 class SnapshotDetachTest(BaseTest):