Rules engine for AWS management, DSL in yaml for query, filter, and actions on resources
Hi,
I've deployed a Cloud Custodian policy across all the AWS environments to assess CIS benchmark compliance. All actions in the CC policy are set to notifying the event owner and the InfoSec team. Is there a way to use the email address verified in SES in a separate AWS account to be defined in the mailer.yml for all of the AWS environments?
Here's an example of the mailer.yml file:
queue_url: <SQS URL>
role: <IAM role ARN>
from_address: security@company.com
region: us-east-1
ses_region: us-west-2The aforementioned "from_address" in the mailer.yml file has already been verified in the root account of an AWS organization. I'd like to use the same email address to send emails in all of the AWS environments. I setup a sending authorization policy allowing the other AWS root accounts to have access to the identity "security@company.com". But I still see the error:
error: An error occurred (MessageRejected) when calling the SendRawEmail operation: Email address is not verified. The following identities failed the check in region US-EAST-1:Should the same "from_address" be individually verified in all the AWS accounts where c7n-mailer is deployed?
1 reply
1 reply
2 replies
Is custodian current (0.9.12, also branch 0.8) support for RDS offhour ? I try to reach out with issues:
- cloud-custodian/cloud-custodian#1310
- cloud-custodian/cloud-custodian#4674
- cloud-custodian/cloud-custodian#5194
after i try looking in rds.py code it just run register method that it differences from ec2.py that have decorator with function to handling the action, Is it correct? (i am new, for cloud custodian and does not understand code as well, sorry if i wrong)
Can't make filter offhour work for RDS event try to add tag (regard above issues). my policy that i try
policies:
- name: rds-offhour
resource: aws.rds-cluster
actions:
- stop
filters:
- type: offhour
default_tz: utc
weekends: true
offhour: 15
opt-out: true
- "tag:custodian_control": present
8 replies
2 replies
I am trying to make a auto tag system
mode:
type: cloudtrail
role: arn:aws:iam::{account_id}:role/custodian-lambda-role
events:
- CreateCluster
filters:
- tag:AutoTag_Creator: absent
actions:
- type: auto-tag-user
tag: AutoTag_CreatorIs there something that I am doing wrong because If i create an ecs it does not auto tag the user
4 replies
eee! hello frens!!!
took me a minute to muster up the courage to start talking in here, but here we go!
sooo i am trying to write a policy that filters on s3 buckets with a specific tag and then performs an action on them. have confirmed bucket is indeed tagged, however, upon execution of the policy, no resources are returned. can you help?
i'm a total n00b so i hella appreciate y'all's super smart and experienced brains!
6 replies
Do I have to duplicate the following for all resource types and all regions?
policies:
- name: tag-compliance
resource: ec2
mode:
type: cloudtrail
events:
- RunInstances
tags:
CreatorName: custodian
Project: Custodian
execution-options:
region: us-east-1
filters:
- tag:CreatorName: absent
actions:
- type: auto-tag-user
tag: CreatorNameI’m getting:
botocore.errorfactory.InvalidParameterValueException: An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda.
Hi there,
I am currently running a policy to disable unrotated keys and see the following output:
Which implies that the policy has run successfully. However, the key is not disabled - is this a known issue?
Policy is as follows:
policies:
- name: disable-unrotated-iam-keys
resource: iam-user
filters:
- type: credential
key: access_keys.active
value: true
- type: credential
key: access_keys.last_rotated
value_type: age
value: 90
op: gt
actions:
- type: remove-keys
matched: true
disable: trueThe policy is being run with administrator permissions.
17 replies
7 replies
hello everyone!
i am trying to create a policy in event mode. i would like to use the CreateBucket event to trigger my policy. this policy filters for unencrypted s3 buckets and takes the notify and tag actions
upon executing my policy, cloud custodian successfully provisioned the appropriate lambda function. i am using terraform to provision my test infrastructure and i have verified terraform apply was successful
however, the function does not seem to be triggering upon CreateBucket. i have reviewed the cloudtrail logs for s3 resources and have verified the event was created. however, the lambda logs reveal no invocation. i am assuming this is because GetLambdaFunctionRecommendations is returning a OptInRequiredException
my policy is here
policies:
- name: list-all-not-encrypted-s3-notify
resource: aws.s3
description: |
Lists all S3 Buckets that are not encrypted. Notifies resource owner of violation and required remediation.
comments: |
Lists all S3 Buckets that are not encrypted, notifies resource owner, tags for Deletion when `list-all-unecrypted-s3s-delete` is pulled.
mode:
mode:
type: cloudtrail
role: arn:aws:iam::<account>:role/service-role/lacosta-s3-lambda-role-5b9982tb
events:
- CreateBucket
filters:
- type: bucket-encryption
state: False
actions:
- type: tag
tags:
"tag:toDelete": "okay"
- type: notify
template: default
priority_header: 1
subject: "S3 Bucket - Unencrypted - [custodian {{ account }} - {{ region }}]"
violation_desc: |
Your S3 Bucket is not encrypted. You need to encrypt your S3 Bucket.
action_desc: |
"Notification"
to:
- liz@stacklet.io
transport:
type: sqs
queue: https://sqs.us-east-1.amazonaws.com/<account>/lacosta-c7n-mailer-practice
region: us-east-1
11 replies
3 replies
1 reply
Billing and CostCenter, either of one tag have to exist, CostCenter tag exists with anyvalue it can skip the action, if the CostCenter not exist and Billing tag exists, it needs to be look for the specific value from the given values. It is working fine if my policy has CostCenter tag, but when I add the Billing tag it is able to create the lambda but when I trigger the lamda it is not filtering as expected. Any help on this is much appreciated. policies:
- name: tag-compliance-check
resource: ec2
description: Tag compliance check for EC2
filters:
- "tag:CostCenter": absent
- type: value
key: "tag:Billing"
op: not-in
value:
- 11111
- 22222
actions:
- stopDid anyone created the regular expression for the onhour and offhour values? If not following is the regex I created for offhour that might used for finding the valid tag values are added to the offhour tag values
off hour tag value
(off=\[\([M|T|W|H|F|S|U](-[M|T|W|H|F|S|U])?,([1]?[0-9]|2[0-3])\)(,\([M|T|W|H|F|S|U](-[M|T|W|H|F|S|U])?,([1]?[0-9]|2[0-3])\))*?\];tz=(cst|est|pst)$)|(^off=\[\([M|T|W|H|F|S|U](-[M|T|W|H|F|S|U])?,([1]?[0-9]|2[0-3])\)(,\([M|T|W|H|F|S|U](-[M|T|W|H|F|S|U])?,([1]?[0-9]|2[0-3])\))*?\]$)|(^off=\[\([M|T|W|H|F|S|U](-[M|T|W|H|F|S|U])?,([1]?[0-9]|2[0-3])\)\]$)|(^off=\([M|T|W|H|F|S|U](-[M|T|W|H|F|S|U])?,([1]?[0-9]|2[0-3])\)$)|(off=(\([M|T|W|H|F|S|U](-[M|T|W|H|F|S|U])?,([1]?[0-9]|2[0-3])\);tz=(cst|est|pst)$))
{
"kind": "sql#user",
"etag": "b94aa31d9797874a723fd7f8eacafe79566dd129cf72d4c32403d7b903b3da24",
"name": "root",
"host": "%",
"instance": "mysql-testest",
"project": "cc-devsecops",
"c7n:sql-instance": {
"kind": "sql#instance",
"state": "RUNNABLE",
"databaseVersion": "MYSQL_5_7",
"settings": {
"authorizedGaeApplications": [],
"tier": "db-f1-micro",
"kind": "sql#settings",
"availabilityType": "ZONAL",
"pricingPlan": "PER_USE",
"replicationType": "SYNCHRONOUS",
"activationPolicy": "ALWAYS",
"ipConfiguration": {
"authorizedNetworks": [],
"ipv4Enabled": true
},
"locationPreference": {
"zone": "us-central1-f",
"kind": "sql#locationPreference"
},
"databaseFlags": [
{
"name": "max_user_connections",
"value": "500"
}
],
"dataDiskType": "PD_SSD",
"maintenanceWindow": {
"kind": "sql#maintenanceWindow",
"hour": 0,
"day": 0
},
"backupConfiguration": {
"startTime": "04:00",
"kind": "sql#backupConfiguration",
"location": "us",
"backupRetentionSettings": {
"retentionUnit": "COUNT",
"retainedBackups": 7
},
"enabled": true,
"binaryLogEnabled": false,
"transactionLogRetentionDays": 7
},
"settingsVersion": "40",
"storageAutoResizeLimit": "0",
"storageAutoResize": true,
"dataDiskSizeGb": "10"
},
"etag": "1e9800e8af981c51405a251f4269d2a4d17c390fd449cef67b20b56d99ff9100",
"ipAddresses": [
{
"type": "PRIMARY",
"ipAddress": "34.72.17.151"
}
],
"serverCaCert": {
"kind": "sql#sslCert",
"certSerialNumber": "0",
"commonName": "C=US,O=Google\\, Inc,CN=Google Cloud SQL Server CA,dnQualifier=3f361884-7aa9-40fd-998f-d05116c63bac",
"sha1Fingerprint": "fe9330cb4f76341769f375d5bd6c47fff745b27e",
"instance": "mysql-testest",
"createTime": "2021-05-12T10:24:02.093Z",
"expirationTime": "2031-05-10T10:25:02.093Z"
},
"instanceType": "CLOUD_SQL_INSTANCE",
"project": "cc-devsecops",
"serviceAccountEmailAddress": "p532446579504-xddgls@gcp-sa-cloud-sql.iam.gserviceaccount.com",
"backendType": "SECOND_GEN",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-devsecops/instances/mysql-testest",
"connectionName": "cc-devsecops:us-central1:mysql-testest",
"name": "mysql-testest",
"region": "us-central1",
"gceZone": "us-central1-f"
}
}]How can I access resource.selfLink From the Json in webhook ?
Will resource.c7n:sql-instance.selfLink work ?
for example
- name: delete-iam-role
resource: aws.iam-role
filters:
- type: marked-for-op
tag: custodian_status
op: delete
actions:
- delete
force: truedoes not run
4 replies
Hello everybody,
I can see that you can filter by ssm status with something like this:
policies:
- name: ec2-ssm-check
resource: ec2
filters:
- type: ssm
key: PingStatus
value: OnlineMy question is - can you get a list of instances that aren't registered with ssm (for whatever reason - either a lack of ssm agent installed or missigng iam role)?
2 replies