deepthimm
@deepthimm
Hello,
I tried adding multiple email addresses (cc) as in the following example and the custodian is failing to send email to all of them. If I add just one, it works fine. Is there anything that I'm missing?
actions:
  - type: notify
    template: default.html
    priority_header: 1
    subject: "Root User Login Detected! - [custodian {{ account }} - {{ region }}]"
    violation_desc: "A User Has Logged Into the AWS Console With The Root User:"
    action_desc: |
        "Please investigate and if needed revoke the root users session along
        with any other restrictive actions if it's an unapproved root login"
    to:
      - CloudAdmins@Company.com
      - SecurityTeam@Company.com
5 replies
pentagonal-proboscis
@pentagonal-proboscis
Hello,
I am looking into using c7n to automatically remediate public RDS snapshots. I would essentially like to take an action on snapshots to set their sharing to - 'private'. Looking here - https://cloudcustodian.io/docs/aws/resources/rds-snapshot.html#actions I see no appropriate action? Is there another way to do this or is this a feature that could be added to c7n?
7 replies
Anthony Gruetzmacher
@agruetz
Anyone know where the documentation to run C7N in a centralized account is?
8 replies
laurenty
@laurenty_twitter
When setting tags for the Custodian lambdas is there a way to get the same tags applied to other related resources? e.g. EventBridge rules
1 reply
Fabiano Notari
@nano.notari_gitlab
Hello, I would like to know if there is a way to have a service dependency for a policy to be executed. Example, I want to check if there is an EFS vpc endpoint created, but only if there is an EFS created earlier.
satvan23
@satvan23
Guys, I see mark-for-op has a minimum of 1 hour. Is there a feature which can do this in minutes?
Jamison Roberts
@jtroberts83
@satvan23 have you tried passing in a float value for the hours parameter such as hours: 0.2 ?
Vishnu-Lakkimsetty-E3640
@Vishnu-Lakkimsetty-E3640

Hello,

I am looking into the c7n mark-for-op action to automatically terminate/release/suspend a resource after 4 days. But I would like to exclude weekends and a few calendar holidays (calendar shared by the organization) from these 4 days.

For example, if my organization has a holiday on the upcoming Monday and I mark any resource using the mark-for-op block on Thursday with 4 days' time, then the tag should count Thursday, Friday, Tuesday, and Wednesday as the 4 days but not the upcoming Saturday, Sunday and Monday. Is there a way to specify in the action block to skip holidays (user-defined) and weekends?

5 replies
satvan23
@satvan23

@satvan23 have you tried passing in a float value for the hours parameter such as hours: 0.2 ?

Yes. This is what I get:

Failed validating 'type' in schema[5]['properties']['hours']:
{'exclusiveMinimum': False, 'minimum': 0, 'type': 'integer'}

On instance['hours']:
0.25
2020-11-18 14:34:17,218: custodian.commands:ERROR ec2-create-tag-check
(custodian) [ccustodian@sandbox-c7n custodian]$

satvan23
@satvan23

Guys, so I have this policy. Will it work as intended? I want to notify/later terminate only instances created after the c7n policy is in place, not EC2 instances created before.

https://gist.github.com/satvan23/e6f4db73bf5af36cfd7a8a0d13716f3c#file-c7n-tag-policy-yml

giany
@giany_gitlab
Hi,
Is there a way to push CC rules to specific OUs?
2 replies
Ryan Ash
@ryanash999
c7n-org has an option --policytags to limit the run to policies which match a tag. Is there an equivalent option with custodian run? I don't see one.
1 reply
tomarv2
@tomarv2
@jtroberts83 I am hitting the Docker image limit that was introduced recently. Where do I make the change to read from local?
rfoltak
@rfoltak
Need some help with a really simple GCP policy. It's pretty much straight from the examples in the docs:
4 replies
2020-11-18 19:38:59,551: custodian.output:ERROR Error while executing policy
Traceback (most recent call last):
File "/usr/local/lib/python3.7/dist-packages/c7n/policy.py", line 316, in run
results = a.process(resources)
File "/usr/local/lib/python3.7/dist-packages/c7n_gcp/actions/core.py", line 65, in process
self.process_resource_set(client, model, resource_set)
File "/usr/local/lib/python3.7/dist-packages/c7n_gcp/actions/core.py", line 73, in process_resource_set
result = self.invoke_api(client, op_name, params)
File "/usr/local/lib/python3.7/dist-packages/c7n_gcp/actions/core.py", line 79, in invoke_api
return client.execute_command(op_name, params)
File "/usr/local/lib/python3.7/dist-packages/c7n_gcp/client.py", line 398, in execute_command
request = self._build_request(verb, verb_arguments)
File "/usr/local/lib/python3.7/dist-packages/c7n_gcp/client.py", line 345, in _build_request
method = getattr(self._component, verb)
AttributeError: 'Resource' object has no attribute 'disable'
I get a resource has no attribute disable, which it does support.
Moreover, if I run the gcloud services disable secretmanager.googleapis.com, it works fine.
I am trying to create a simple policy to prevent unauthorized GCP services from running
0.9.8 is the version of CC
Jamison Roberts
@jtroberts83
What version of c7n_gcp are you running?
rfoltak
@rfoltak
How can you tell? The environment was built in the past week using the latest packages.
rfoltak
@rfoltak
The code snippet came from https://cloudcustodian.io/docs/gcp/resources/service.html with the mode removed as it is not relevant. Using a test service which is enabled and which I want to disable.
Found what you were looking for: c7n_gcp-0.4.7.dist-info
r2690698
@r2690698
Hey folks, very new to custodian. Looking to see if it's possible to create a policy that applies bucket-level encryption (SSE AES256) only if no default encryption is enabled; basically I don't want to override it if a bucket already had KMS encryption set as the default.
2 replies
Ramprasath26
@Ramprasath26
Any way to identify unused S3 buckets and delete them? I have a limit for creating S3 buckets; it has now reached 100 buckets and I can't create more than 100. Please suggest a method.
3 replies
giany
@giany_gitlab
How do you guys push roles/policies needed by CC?
6 replies
theotherothermatt
@theotherothermatt
Hey all, quick question this time. I am using the notify action to email event-owner of a violation. We are seeing that if the guardrail is hit by an action started by a CFT, there is no event-owner passed to Custodian. Is there a better (more reliable?) way of getting the offender's name? Code I am using looks something like this:
    actions:
        - type: remove-permissions
          ingress: matched
        - type: notify
          template: default.html
          priority_header: 1
          subject: "Open Security Group Rule Created-[custodian {{ account }} - {{ region }}]"
          violation_desc: "Security Group(s) Which Had Rules Open To The World:"
          action_desc: |
              "Actions Taken:  The violating Security Group rule has been removed as it violates our
              company's Cloud Security Policy. If This Ingress Rule Is Required You May Contact The Security
              Team To Request An Exception."
          to:
              - leaders-engineering@ourdomain
              - event-owner
Fabiano Notari
@nano.notari_gitlab

Hello, I would like to know if there is a way to have a service dependency for a policy to be executed. Example, I want to check if there is an EFS vpc endpoint created, but only if there is an EFS created earlier.

This is my question, something like Terraform's "depends_on", which only creates the resource when the resource on which it depends has been created.

Cloud14
@AWSCloud21
Hey! Has anyone written an SNS topic policy which filters for action open to all “*” principals?
Jamison Roberts
@jtroberts83
@AWSCloud21 Look at the cross-account filter for SNS
pentagonal-proboscis
@pentagonal-proboscis
Hi all, I was looking at the s3 resource type https://cloudcustodian.io/docs/aws/resources/s3.html and am trying to understand if it is possible to filter by/return the storage class of each s3 bucket e.g. standard, glacier, infrequent access etc. Is this something anyone has experience with?
1 reply
Yathi
@yathi_naik_twitter
Does anybody know if there are cloud-custodian policies implementing AWS CIS benchmark v1.3. I tried my hand at writing some of them. But some of the checks require getting information from multiple resources like section 4 of AWS CIS v1.3.0 (for example: 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls).
Radha Krishna
@11Radha_twitter
I am using 2 accounts, account A and account B. I have an SQS queue (which has a cross role) in account A. I ran the policy in account B using account B's AWS CLI credentials, and the SQS queue was able to store the output from the policy I ran in account B. Now I want to run mailer.yml in account A to get the messages from SQS and send them to an email. Can anyone help with how to do it?
Radha Krishna
@11Radha_twitter
is there a way to pass different aws credentials for running mailer.yml and for running policy execution?
giany
@giany_gitlab
What is the best way to handle errors? (e.g. I'm using c7n-org to push rules to multiple accounts, but some accounts are missing a role or have some other issue. Does such an error affect running the tool on the other accounts?)
Michael Davis
@MichaelDavisTSN
I am getting logs written to directories under /tmp in addition to the S3 bucket I specify with -s for c7n-org runs (9.7 and 9.8). Individual directories are created under /tmp. The directories have random names with the "tmp" prefix. Is this an intermediate step (writing to /tmp) which is not getting cleaned up? @kapilt
16 replies
rajarshidas
@rajarshidas
Is there a way to call an API from cloud-custodian, e.g. using webhooks or otherwise and then perform an action e.g. stop, terminate based on the response from the API call?
5 replies
Michael Nguyen
@micnguyen266
Hello, I have this ASG policy that will tag with TagCompliant: yes if tags are correct.
My question is how can I modify the policy so that Cloud Custodian could tell the ASG to Tag new instances with TagCompliant: yes
Using version 0.9.4.0
- name: asg-tag-compliance
  resource: asg
  description: |
    Any ASG that is now tag compliant will now be marked with TagCompliant: yes.
  filters:
    - type: value
      key: tag:TagCompliant
      op: ni
      value: ['yes']
    - and: *tag-compliance-filters
  actions:
    - type: remove-tag
      tags: ['TagCompliant']
    - type: tag
      tag: TagCompliant
      value: "yes"
    - type: notify
      template: general_template.html
      priority_header: 1
      subject: "Tagging Report - {{ policy['resource'] }} is now tag compliant - [{{ account }} {{ account_id }} - {{ region }}]"
      violation_desc: |
        Any ASG that is now tag compliant will now be marked with TagCompliant: yes.
      action_desc: |
        ASG has been marked as tag compliant.
      to:
        - test@test.com
        - resource-owner
      transport:
        type: sqs
        queue: https://sqs.us-east-1.amazonaws.com/0123456789/cloud-custodian-mailer
2 replies
srikanthcs
@srikanthcs
Hi @kapilt , any eta on when this is going to prod. Thanks.
cloud-custodian/cloud-custodian#5065
2 replies
Ajay Misra
@ajmsra
Hi @kapilt, does custodian support deleting old lambda versions? The use case is that the total size of the lambda code in an account is fixed. To prevent us from running out of room due to old lambdas no longer in use, we can deploy a cloud custodian policy which will run once a day and remove all versions of every lambda that are more than 5 versions old (this number should be configurable), not including $LATEST or any version which has an alias pointing to it.
2 replies
I think this PR covers partially what I am looking for cloud-custodian/cloud-custodian#6007
Kristina Trump
@KristinaTrump_twitter
@kapilt, what is the format to give the tag filter in the account config file? I have given it as follows:
accounts:
  - account_id: "xxxxxxxxxx"
    name: xxxxxxxxxxxxxxxx
    regions: [us-east-1]
    role: xxxxxxxxxxxxx
    tags:
      - type: PROD
but it fails with "jsonschema.exceptions.ValidationError: {'type': 'PROD'} is not of type 'string'"
Jamison Roberts
@jtroberts83
@KristinaTrump_twitter pass it like this:
c7n-org run -s . -u mypolicyfile.yml -t type:Prod
- account_id: '<Account_Number>'
  name: <Account_Name>
  regions:
    - us-east-1
  role: arn:aws:iam::<Account_Number>:role/<Role_Name>
  tags:
    - type:Prod
Kristina Trump
@KristinaTrump_twitter

@KristinaTrump_twitter pass it like this:

c7n-org run -s . -u mypolicyfile.yml -t type:Prod

@jtroberts83, thanks, I tried that, but it gives -> "jsonschema.exceptions.ValidationError: {'type': 'Prod'} is not of type 'string'

Failed validating 'type' in schema['properties']['accounts']['items']['properties']['tags']['items']:
{'type': 'string'}

On instance['accounts'][0]['tags'][0]:
{'type': 'Prod'}"

Jamison Roberts
@jtroberts83
That is exactly how I have my c7n-org accounts config.yml file set up, so that should work for you. Make sure your indents are correct in the file.
Remove the space between type: and Prod
Praveen M
@praveen8735
Does CC support the new S3 Intelligent-Tiering Archive Access Tiers?
S3 Intelligent-Tiering Adds Archive Access Tiers:
Two new archive access tiers designed for asynchronous access that are optimized for rare access at a very low cost: Archive Access tier and Deep Archive Access tier. You can opt-in to one or both archive access tiers and you can configure them at the bucket, prefix, or object tag level.