lakshmi Pendyala
@lpendyala_gitlab
@kapilt, we have a condition to kill EC2 instances launching with a public IP in particular subnets. While doing the same with an ASG, we want to set the ASG size to 0. Is it possible with Custodian?
Kapil Thangavelu
@kapilt
@lpendyala_gitlab yes, subnet filter, resize asg, or just suspend it
@allisonis using the mailer is recommended for delivery to Slack
@aakifshaikh value filter value_type: age assuming cert is available as an attribute off the gateway
lakshmi Pendyala
@lpendyala_gitlab
@kapilt Thank you Kapil, will try and let you know
Kapil Thangavelu
@kapilt
@jlb-ts not related to that, it's something dumb with boto3 freezing their dependencies because they couldn't be bothered to update their installer. 30k downstream projects affected. boto/botocore#1872
we've fixed it in trunk and our docker images are also fine, but we need to cut a new release
@prabin.pramanik_gitlab check your metric statistic
@satvan23 a custodian lambda or a random one-off lambda? WRT custodian lambdas, that's why it's better to have them separate, because you have separate logs/metrics etc. in terms of audit
@raaajit yes, it's possible
olsib
@olsib
@kapilt Is there a way to filter RDS instances on the Certificate Authority field? Need to grab the ones that are using old ones & need rotation.
olsib
@olsib
ignore - found, filter on CACertificateIdentifier
Darrian
@rikkuness
Hate to drop in here asking silly questions, but I've been pulling my hair out trying to work this one out. All I want to do is remove a bucket policy statement that has 'Allow: *', but I can't get it to remove just the one statement. What am I doing wrong?
name: s3-deny-bucket-public-policy-realtime
resource: s3
mode:
  type: cloudtrail
  role: cloudcustodian-lambda
  member-role: arn:aws:iam::{account_id}:role/cloudcustodian
  events:
    - source: s3.amazonaws.com
      event: PutBucketPolicy
      ids: requestParameters.bucketName
filters:
  - type: has-statement
    statements:
      - Effect: Allow
        Principal: '*'
actions:
  - type: remove-statements
    statement_ids: matched
satvan23
@satvan23
Hello guys. Question about a lambda generated by CC. I get notified by email correctly, but at the end of the email there's an "email us" link and the reply address is custodian@domain.com. Where do I change this email address? I checked the config.json file but don't see it there.
lakshmi Pendyala
@lpendyala_gitlab
you can change it here msg-templates/default.html.j2
Fidel Rodriguez
@fidelito
Is anyone using, or does anyone know how to replace, a security-group CIDR? remove-permission will just remove it, but I would like it to be replaced.
satvan23
@satvan23

you can change it here msg-templates/default.html.j2

@lpendyala_gitlab. Yep, thanks!

lakshmi Pendyala
@lpendyala_gitlab
@kapilt, does Custodian's c7n_mailer use SES to send emails?
Kapil Thangavelu
@kapilt
It can use SES or SMTP; for Azure it also supports SendGrid
lakshmi Pendyala
@lpendyala_gitlab
Thank you Kapil... have one other question. We have a scenario where a team is creating EC2 instances first and then creating tags. RunInstances and CreateTags are 2 different API calls. We wrote a policy for when there is a RunInstances event... I'm not getting tags as they are created later. Is there a way we can describe the instance later that violated before, to get the tags in the same policy?
lakshmi Pendyala
@lpendyala_gitlab
@kapilt till now we are not using c7n_mailer. We have a centralized SQS queue, so we are sending all the violated resources to that queue, and from that queue we are sending notifications only to the cloud team. But now we want to send a notification to the resource owner before taking any actions. Our company is not using SES/Slack/Datadog/Splunk. Can someone suggest a quick and easy solution for notification?
chennarao
@uvemuch_gitlab
Can we trigger a lambda function by function ARN with a CC policy?
tomarv2
@tomarv2
@uvemuch_gitlab yes
Kapil Thangavelu
@kapilt
invoke-lambda action
@lpendyala_gitlab mailer supports centralized deployments to a single team, as well as fan-out to resource owners.
I assume all companies have SMTP, else they don't have email..
@lpendyala_gitlab RunInstances supports tag on create, but say for whatever reason team x doesn't want to bother doing the right thing WRT tag on create.. you can go periodic after the fact either via config-rule, or periodic lambda, or poll (default) execution via c7n or c7n-org
Kapil Thangavelu
@kapilt
@rikkuness the best way to achieve that is the cross-account filter with remove matched.. the cross-account filter takes into account various permutations of spelling an IAM statement and allows whitelisting on conditions and actions, etc.
Todd Stansell
@tjstansell
Looking for a way to standardize our S3 access logging configs across all of our buckets. I see toggle-logging will allow you to disable logging, or enable it if it's disabled... but what's the best way to update the logging config if it doesn't match the correct settings?
lakshmi Pendyala
@lpendyala_gitlab
@kapilt we are using SMTP; if we use SMTP we have to deploy the lambda within the VPC, right?
Darrian
@rikkuness
@kapilt thanks man, that worked a charm, dunno how I missed that one!
Kapil Thangavelu
@kapilt
@tjstansell think of toggle as set, so a filter for incorrect log targets, with a toggle that sets to the correct one.
Todd Stansell
@tjstansell
@kapilt except that the code will only set the logging config if the resource doesn't have one. It won't allow overriding an existing config. And there's no way to filter based on the values we plan to have, because it doesn't allow us to use the same format variables, since we only have the generic value filters to look at the existing settings... so I was thinking about working on a pair of PRs that allow both: a way to override an existing logging config, and a new filter that lets you filter based on your logging config using the same set of format variables you can use when setting the logging config. Actually, I'll start by just opening a ticket to discuss the need for this...
myoung34
@myoung34
Anyone have a good example of looking through roles with attached policies or inline policies that contain iam:PassRole?
chennarao
@uvemuch_gitlab
@uvemuch_gitlab yes
The lambda function will be in a different account; will that be possible?
jlb-ts
@jlb-ts
How are other people managing IAM for their custodian policies - A single policy with all the perms every custodian policy needs, or does each custodian policy get its own IAM policy with all the perms needed to execute?
chennarao
@uvemuch_gitlab

How are other people managing IAM for their custodian policies - A single policy with all the perms every custodian policy needs, or does each custodian policy get its own IAM policy with all the perms needed to execute?

+1

Todd Stansell
@tjstansell
We use a single role in each account for any actions cloud custodian might take.
raaajit
@raaajit
@kapilt, I was trying to find HTTP-only configured CloudFront distributions by using the below filter, but it isn't working:
filters:
  - type: value
    key: origins.items[].customOriginConfig.originProtocolPolicy
    op: contains
    value: "http-only"
Maki2020
@Maki2020
@kapilt Hello, hope my questions make sense. I tested Cloud Custodian in our development account successfully. I have a few questions in regard to using Cloud Custodian to monitor multiple accounts using AWS Organizations with the c7n-org tool (just read about this tool). 1. If I define a policy using c7n-org, will this policy be applied across each account in AWS Organizations? And when this policy is triggered in one of the multiple accounts, will the Cloud Custodian alert provide information about which specific account this policy was triggered in? 3. Is there a way to create a Cloud Custodian policy to be triggered whenever an Elastic IP address is assigned to an EC2 instance in any of the accounts within AWS Organizations? Thank you so much.
Ethan Lo
@bb1314
@maki2020 look up documentation for mode cloudtrail. It deploys a Lambda Function in each account that has a CloudTrail trigger. You can define which api call to be the trigger all in one single policy.
sdfengw
@sdfengw
@kapilt Hello, first time here, asking for help :-) ~~ I found that the default connection endpoint in Custodian is Azure Global. Could you help with how to modify the code so we can connect to Azure China? Thanks so much.
Kapil Thangavelu
@kapilt
@sdfengw greetings, see also #5166. In a nutshell, we need to have a mapping of the endpoints in the code base and then use the --region flag to set the endpoints.
@Maki2020 it's also possible to deploy centrally with c7n-org for non-lambda policies and run across the org. For lambda policies, central deployment (in addition to provisioning with c7n-org) is possible with cwe trail mode, but requires out-of-band setup of CWE bus forwarding, and has different operational tradeoffs (blast radius for updates, monitoring, etc.; see member-role in cwe mode). Other lambda modes don't support that.
Kapil Thangavelu
@kapilt
@raaajit specify the key based on the aws cloudfront list-distributions output, not the mangled form in the CloudWatch event; custodian normalizes resources regardless of source to describe format.
i.e. key: Origins.Items[].CustomOriginConfig.OriginOnlyProtocol
@jlb-ts some folks subdivide across more than one role, i.e. it's really a policy and policy-collection choice for deployment depending on business requirements.
@myoung34 use check-permissions re looking for specific permissions on IAM entities or resources with IAM roles attached.
@tjstansell thanks for filing an issue, yeah that makes sense, toggle should behave more like set.
raaajit
@raaajit

@raaajit specify the key based on the aws cloudfront list-distributions output, not the mangled form in the cloud watch event, custodian normalizes resources regardless of source to describe format.

@kapilt Thanks, I'll look into this