feat(rules): add AWS discovery cleanup rules (#62)

* feat(rules): add AWS discovery cleanup rules

* docs: format rule ids table

* fix(sdk): handle stopped EC2 GMT times and idle SageMaker endpoints

Author: dannysteenman

.changeset/bright-pears-burn.md

@@ -0,0 +1,5 @@
+---
+"@cloudburn/rules": minor
+---
+
+Add AWS discovery rules for stopped EC2 instances, old manual RDS snapshots, and idle SageMaker endpoints.

.changeset/silent-mice-share.md

@@ -0,0 +1,5 @@
+---
+"@cloudburn/sdk": minor
+---
+
+Add AWS discovery support for EC2 stop timestamps and SageMaker endpoint activity.

docs/architecture/sdk.md

@@ -83,7 +83,7 @@ Current live-discovery behavior:
 - Resource Explorer inventory failures and dataset loader failures are fatal. The SDK does not degrade to partial live results.
 - Missing Lambda `Architectures` values from AWS are normalized to `['x86_64']`, matching the AWS default architecture.
 - Lambda hydrators limit in-flight `GetFunctionConfiguration` calls per region to avoid API throttling in large accounts.
-- Live scans require Resource Explorer access plus narrow hydrator permissions such as `apigateway:GetStage`, `application-autoscaling:DescribeScalableTargets`, `application-autoscaling:DescribeScalingPolicies`, `ce:GetCostAndUsage`, `cloudfront:GetDistribution`, `cloudfront:ListDistributions`, `cloudtrail:DescribeTrails`, `cloudwatch:GetMetricData`, `dynamodb:DescribeTable`, `ecs:DescribeContainerInstances`, `ecs:DescribeServices`, `ec2:DescribeInstances`, `ec2:DescribeNatGateways`, `ec2:DescribeVolumes`, `eks:ListNodegroups`, `eks:DescribeNodegroup`, `lambda:GetFunctionConfiguration`, `rds:DescribeDBInstances`, `route53:ListHealthChecks`, `route53:ListHostedZones`, `route53:ListResourceRecordSets`, `s3:GetLifecycleConfiguration`, `s3:GetIntelligentTieringConfiguration`, `sagemaker:DescribeNotebookInstance`, and `secretsmanager:DescribeSecret`.
+- Live scans require Resource Explorer access plus narrow hydrator permissions such as `apigateway:GetStage`, `application-autoscaling:DescribeScalableTargets`, `application-autoscaling:DescribeScalingPolicies`, `ce:GetCostAndUsage`, `cloudfront:GetDistribution`, `cloudfront:ListDistributions`, `cloudtrail:DescribeTrails`, `cloudwatch:GetMetricData`, `dynamodb:DescribeTable`, `ecs:DescribeContainerInstances`, `ecs:DescribeServices`, `ec2:DescribeInstances`, `ec2:DescribeNatGateways`, `ec2:DescribeVolumes`, `eks:ListNodegroups`, `eks:DescribeNodegroup`, `lambda:GetFunctionConfiguration`, `rds:DescribeDBInstances`, `route53:ListHealthChecks`, `route53:ListHostedZones`, `route53:ListResourceRecordSets`, `s3:GetLifecycleConfiguration`, `s3:GetIntelligentTieringConfiguration`, `sagemaker:DescribeEndpoint`, `sagemaker:DescribeEndpointConfig`, `sagemaker:DescribeNotebookInstance`, and `secretsmanager:DescribeSecret`.
 
 ## Public Result Shape
 

docs/reference/rule-ids.md

@@ -9,6 +9,7 @@ import { ec2PreferredInstanceTypeRule } from './preferred-instance-types.js';
 import { ec2ReservedInstanceExpiringRule } from './reserved-instance-expiring.js';
 import { ec2ReservedInstanceRecentlyExpiredRule } from './reserved-instance-recently-expired.js';
 import { ec2S3InterfaceEndpointRule } from './s3-interface-endpoint.js';
+import { ec2StoppedInstanceRule } from './stopped-instance.js';
 import { ec2UnassociatedElasticIpRule } from './unassociated-elastic-ip.js';
 
 /** Aggregate AWS EC2 rule definitions. */
@@ -25,4 +26,5 @@ export const ec2Rules = [
   ec2DetailedMonitoringEnabledRule,
   ec2IdleNatGatewayRule,
   ec2ReservedInstanceRecentlyExpiredRule,
+  ec2StoppedInstanceRule,
 ];

packages/rules/src/aws/ec2/index.ts

@@ -0,0 +1,37 @@
+import { createFinding, createFindingMatch, createRule } from '../../shared/helpers.js';
+
+const RULE_ID = 'CLDBRN-AWS-EC2-13';
+const RULE_SERVICE = 'ec2';
+const RULE_MESSAGE = 'Stopped EC2 instances with a parsed stop time older than 30 days should be reviewed for cleanup.';
+
+const DAY_MS = 24 * 60 * 60 * 1000;
+const STOPPED_INSTANCE_MAX_AGE_DAYS = 30;
+
+/** Flag stopped EC2 instances whose parsed stop time is older than 30 days. */
+export const ec2StoppedInstanceRule = createRule({
+  id: RULE_ID,
+  name: 'EC2 Instance Stopped',
+  description: 'Flag stopped EC2 instances whose parsed stop time is at least 30 days old.',
+  message: RULE_MESSAGE,
+  provider: 'aws',
+  service: RULE_SERVICE,
+  supports: ['discovery'],
+  discoveryDependencies: ['aws-ec2-instances'],
+  evaluateLive: ({ resources }) => {
+    const cutoff = Date.now() - STOPPED_INSTANCE_MAX_AGE_DAYS * DAY_MS;
+    const findings = resources
+      .get('aws-ec2-instances')
+      .filter((instance) => {
+        if (instance.state !== 'stopped' || !instance.stoppedAt) {
+          return false;
+        }
+
+        const stoppedAt = Date.parse(instance.stoppedAt);
+
+        return Number.isFinite(stoppedAt) && stoppedAt <= cutoff;
+      })
+      .map((instance) => createFindingMatch(instance.instanceId, instance.region, instance.accountId));
+
+    return createFinding({ id: RULE_ID, service: RULE_SERVICE, message: RULE_MESSAGE }, 'discovery', findings);
+  },
+});

packages/rules/src/aws/ec2/stopped-instance.ts

@@ -1,6 +1,7 @@
 import { rdsGravitonReviewRule } from './graviton-review.js';
 import { rdsIdleInstanceRule } from './idle-instance.js';
 import { rdsLowCpuUtilizationRule } from './low-cpu-utilization.js';
+import { rdsManualSnapshotMaxAgeRule } from './manual-snapshot-max-age.js';
 import { rdsPerformanceInsightsExtendedRetentionRule } from './performance-insights-extended-retention.js';
 import { rdsPreferredInstanceClassRule } from './preferred-instance-classes.js';
 import { rdsReservedCoverageRule } from './reserved-coverage.js';
@@ -20,4 +21,5 @@ export const rdsRules = [
   rdsUnusedSnapshotsRule,
   rdsPerformanceInsightsExtendedRetentionRule,
   rdsStoppedInstanceRule,
+  rdsManualSnapshotMaxAgeRule,
 ];

packages/rules/src/aws/rds/index.ts

@@ -0,0 +1,37 @@
+import { createFinding, createFindingMatch, createRule } from '../../shared/helpers.js';
+
+const RULE_ID = 'CLDBRN-AWS-RDS-10';
+const RULE_SERVICE = 'rds';
+const RULE_MESSAGE = 'Manual RDS snapshots older than 90 days should be reviewed for cleanup.';
+
+const DAY_MS = 24 * 60 * 60 * 1000;
+const SNAPSHOT_MAX_AGE_DAYS = 90;
+
+/** Flag manual RDS snapshots older than 90 days. */
+export const rdsManualSnapshotMaxAgeRule = createRule({
+  id: RULE_ID,
+  name: 'RDS Manual Snapshot Max Age Exceeded',
+  description: 'Flag manual RDS snapshots older than 90 days.',
+  message: RULE_MESSAGE,
+  provider: 'aws',
+  service: RULE_SERVICE,
+  supports: ['discovery'],
+  discoveryDependencies: ['aws-rds-snapshots'],
+  evaluateLive: ({ resources }) => {
+    const cutoff = Date.now() - SNAPSHOT_MAX_AGE_DAYS * DAY_MS;
+    const findings = resources
+      .get('aws-rds-snapshots')
+      .filter((snapshot) => {
+        if (snapshot.snapshotType !== 'manual' || !snapshot.snapshotCreateTime) {
+          return false;
+        }
+
+        const snapshotCreateTime = Date.parse(snapshot.snapshotCreateTime);
+
+        return Number.isFinite(snapshotCreateTime) && snapshotCreateTime <= cutoff;
+      })
+      .map((snapshot) => createFindingMatch(snapshot.dbSnapshotIdentifier, snapshot.region, snapshot.accountId));
+
+    return createFinding({ id: RULE_ID, service: RULE_SERVICE, message: RULE_MESSAGE }, 'discovery', findings);
+  },
+});

packages/rules/src/aws/rds/manual-snapshot-max-age.ts

@@ -0,0 +1,42 @@
+import { createFinding, createFindingMatch, createRule } from '../../shared/helpers.js';
+
+const RULE_ID = 'CLDBRN-AWS-SAGEMAKER-2';
+const RULE_SERVICE = 'sagemaker';
+const RULE_MESSAGE =
+  'SageMaker endpoints in service with zero invocations over 14 days should be reviewed for cleanup.';
+
+const DAY_MS = 24 * 60 * 60 * 1000;
+const ENDPOINT_IDLE_WINDOW_DAYS = 14;
+
+/** Flag SageMaker endpoints that are in service, old enough, and idle for 14 days. */
+export const sagemakerIdleEndpointRule = createRule({
+  id: RULE_ID,
+  name: 'SageMaker Endpoint Idle',
+  description: 'Flag SageMaker endpoints in service whose 14-day invocation total is zero.',
+  message: RULE_MESSAGE,
+  provider: 'aws',
+  service: RULE_SERVICE,
+  supports: ['discovery'],
+  discoveryDependencies: ['aws-sagemaker-endpoint-activity'],
+  evaluateLive: ({ resources }) => {
+    const cutoff = Date.now() - ENDPOINT_IDLE_WINDOW_DAYS * DAY_MS;
+    const findings = resources
+      .get('aws-sagemaker-endpoint-activity')
+      .filter((endpoint) => {
+        if (
+          endpoint.endpointStatus !== 'InService' ||
+          endpoint.totalInvocationsLast14Days !== 0 ||
+          !endpoint.creationTime
+        ) {
+          return false;
+        }
+
+        const creationTime = Date.parse(endpoint.creationTime);
+
+        return Number.isFinite(creationTime) && creationTime <= cutoff;
+      })
+      .map((endpoint) => createFindingMatch(endpoint.endpointName, endpoint.region, endpoint.accountId));
+
+    return createFinding({ id: RULE_ID, service: RULE_SERVICE, message: RULE_MESSAGE }, 'discovery', findings);
+  },
+});

packages/rules/src/aws/sagemaker/idle-endpoint.ts

@@ -1,4 +1,5 @@
+import { sagemakerIdleEndpointRule } from './idle-endpoint.js';
 import { sagemakerRunningNotebookInstanceRule } from './running-notebook-instance.js';
 
 /** Aggregate AWS SageMaker rule definitions. */
-export const sagemakerRules = [sagemakerRunningNotebookInstanceRule];
+export const sagemakerRules = [sagemakerRunningNotebookInstanceRule, sagemakerIdleEndpointRule];