aws - ebs-snapshot - set-permissions action (#6203)

c7n/resources/ebs.py

@@ -513,6 +513,95 @@ def process_resource_set(self, resource_set):
                 "Cross region copy complete %s", ",".join(copy_ids))
 
 
+@Snapshot.action_registry.register('set-permissions')
+class SetPermissions(BaseAction):
+    """Action to set permissions for creating volumes from a snapshot
+
+    Use the 'add' and 'remove' parameters to control which accounts to
+    add or remove respectively.  The default is to remove any create
+    volume permissions granted to other AWS accounts.
+
+    Combining this action with the 'cross-account' filter allows you
+    greater control over which accounts will be removed, e.g. using a
+    whitelist:
+
+    :example:
+
+    .. code-block:: yaml
+
+            policies:
+              - name: ebs-dont-share-cross-account
+                resource: ebs-snapshot
+                filters:
+                  - type: cross-account
+                    whitelist:
+                    - '112233445566'
+                actions:
+                  - type: set-permissions
+                    remove: matched
+    """
+    schema = type_schema(
+        'set-permissions',
+        remove={
+            'oneOf': [
+                {'enum': ['matched']},
+                {'type': 'array', 'items': {
+                    'type': 'string', 'minLength': 12, 'maxLength': 12}},
+            ]},
+        add={
+            'type': 'array', 'items': {
+                'type': 'string', 'minLength': 12, 'maxLength': 12}},
+    )
+
+    permissions = ('ec2:ModifySnapshotAttribute',)
+
+    def validate(self):
+        if self.data.get('remove') == 'matched':
+            found = False
+            for f in self.manager.iter_filters():
+                if isinstance(f, SnapshotCrossAccountAccess):
+                    found = True
+                    break
+            if not found:
+                raise PolicyValidationError(
+                    "policy:%s filter:%s with matched requires cross-account filter" % (
+                        self.manager.ctx.policy.name, self.type))
+
+    def process(self, snapshots):
+        client = local_session(self.manager.session_factory).client('ec2')
+        for i in snapshots:
+            self.process_image(client, i)
+
+    def process_image(self, client, snapshot):
+        add_accounts = self.data.get('add', [])
+        remove_accounts = self.data.get('remove', [])
+        if not add_accounts and not remove_accounts:
+            return client.reset_snapshot_attribute(
+                SnapshotId=snapshot['SnapshotId'], Attribute="createVolumePermission")
+        if remove_accounts == 'matched':
+            remove_accounts = snapshot.get(
+                'c7n:' + SnapshotCrossAccountAccess.annotation_key)
+
+        remove = []
+        remove.extend([{'UserId': a} for a in remove_accounts if a != 'all'])
+        if 'all' in remove_accounts:
+            remove.append({'Group': 'all'})
+            remove_accounts.remove('all')
+
+        add = [{'UserId': a} for a in add_accounts]
+
+        if remove:
+            client.modify_snapshot_attribute(
+                SnapshotId=snapshot['SnapshotId'],
+                CreateVolumePermission={'Remove': remove},
+                OperationType='remove')
+        if add:
+            client.modify_snapshot_attribute(
+                SnapshotId=snapshot['SnapshotId'],
+                CreateVolumePermission={'Add': add},
+                OperationType='add')
+
+
 @resources.register('ebs')
 class EBS(QueryResourceManager):
 

tests/data/placebo/test_ebs_snapshot_set_permissions_add/ec2.DescribeSnapshotAttribute_1.json

@@ -0,0 +1,12 @@
+{
+    "status_code": 200,
+    "data": {
+        "CreateVolumePermissions": [
+            {
+                "UserId": "665544332211"
+            }
+        ],
+        "SnapshotId": "snap-0ac64f0a1f16af706",
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_add/ec2.DescribeSnapshotAttribute_2.json

@@ -0,0 +1,12 @@
+{
+    "status_code": 200,
+    "data": {
+        "CreateVolumePermissions": [
+            {
+                "UserId": "112233445566"
+            }
+        ],
+        "SnapshotId": "snap-0ac64f0a1f16af706",
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_add/ec2.DescribeSnapshots_1.json

@@ -0,0 +1,28 @@
+{
+    "status_code": 200,
+    "data": {
+        "Snapshots": [
+            {
+                "Description": "",
+                "Encrypted": false,
+                "OwnerId": "644160558196",
+                "Progress": "100%",
+                "SnapshotId": "snap-0ac64f0a1f16af706",
+                "StartTime": {
+                    "__class__": "datetime",
+                    "year": 2020,
+                    "month": 10,
+                    "day": 14,
+                    "hour": 21,
+                    "minute": 8,
+                    "second": 19,
+                    "microsecond": 177000
+                },
+                "State": "completed",
+                "VolumeId": "vol-0309e0368c8e7c1b0",
+                "VolumeSize": 8
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_add/ec2.ModifySnapshotAttribute_1.json

@@ -0,0 +1,6 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_add/ec2.ModifySnapshotAttribute_2.json

@@ -0,0 +1,6 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_matched/ec2.DescribeSnapshotAttribute_1.json

@@ -0,0 +1,15 @@
+{
+    "status_code": 200,
+    "data": {
+        "CreateVolumePermissions": [
+            {
+                "UserId": "112233445566"
+            },
+            {
+                "UserId": "665544332211"
+            }
+        ],
+        "SnapshotId": "snap-0ac64f0a1f16af706",
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_matched/ec2.DescribeSnapshotAttribute_2.json

@@ -0,0 +1,12 @@
+{
+    "status_code": 200,
+    "data": {
+        "CreateVolumePermissions": [
+            {
+                "UserId": "112233445566"
+            }
+        ],
+        "SnapshotId": "snap-0ac64f0a1f16af706",
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_matched/ec2.DescribeSnapshots_1.json

@@ -0,0 +1,28 @@
+{
+    "status_code": 200,
+    "data": {
+        "Snapshots": [
+            {
+                "Description": "",
+                "Encrypted": false,
+                "OwnerId": "644160558196",
+                "Progress": "100%",
+                "SnapshotId": "snap-0ac64f0a1f16af706",
+                "StartTime": {
+                    "__class__": "datetime",
+                    "year": 2020,
+                    "month": 10,
+                    "day": 14,
+                    "hour": 21,
+                    "minute": 8,
+                    "second": 19,
+                    "microsecond": 177000
+                },
+                "State": "completed",
+                "VolumeId": "vol-0309e0368c8e7c1b0",
+                "VolumeSize": 8
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_matched/ec2.ModifySnapshotAttribute_1.json

@@ -0,0 +1,6 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_reset/ec2.DescribeSnapshotAttribute_1.json

@@ -0,0 +1,15 @@
+{
+    "status_code": 200,
+    "data": {
+        "CreateVolumePermissions": [
+            {
+                "UserId": "112233445566"
+            },
+            {
+                "UserId": "665544332211"
+            }
+        ],
+        "SnapshotId": "snap-0ac64f0a1f16af706",
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_reset/ec2.DescribeSnapshotAttribute_2.json

@@ -0,0 +1,8 @@
+{
+    "status_code": 200,
+    "data": {
+        "CreateVolumePermissions": [],
+        "SnapshotId": "snap-0ac64f0a1f16af706",
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_reset/ec2.DescribeSnapshots_1.json

@@ -0,0 +1,28 @@
+{
+    "status_code": 200,
+    "data": {
+        "Snapshots": [
+            {
+                "Description": "",
+                "Encrypted": false,
+                "OwnerId": "644160558196",
+                "Progress": "100%",
+                "SnapshotId": "snap-0ac64f0a1f16af706",
+                "StartTime": {
+                    "__class__": "datetime",
+                    "year": 2020,
+                    "month": 10,
+                    "day": 14,
+                    "hour": 21,
+                    "minute": 8,
+                    "second": 19,
+                    "microsecond": 177000
+                },
+                "State": "completed",
+                "VolumeId": "vol-0309e0368c8e7c1b0",
+                "VolumeSize": 8
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_ebs_snapshot_set_permissions_reset/ec2.ResetSnapshotAttribute_1.json

@@ -0,0 +1,6 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {}
+    }
+}