Kapil Thangavelu
@kapilt
@mmcenti No, we don't pass IAM auth headers to generic web HTTPS URLs.
Man, Gitter UX is seriously confusing.
minhasgithub
@minhasgithub
@kapilt I am creating policies for a VPC and the resources under it, basically create/delete notifications. VPC delete is working and gives me information in the notification about the VPC deleted; however, the same is not working with subnet delete. The resource id is not coming, and my understanding is that as it's deleted, it is not able to get those details. I checked the Lambda logs also, but there is no resource id information there either. Is there any way to show the resource id of the deleted subnet in the notification?
Kapil Thangavelu
@kapilt
For deleted resources, use the account resource with the missing filter.
The id will be in the event.
Actually you don't even need the missing filter; just use the account resource on the delete events you're checking for to notify.
minhasgithub
@minhasgithub
@kapilt Thanks for your response. The missing filter is like I already know what to search for; here I need that if someone deletes any subnet, my Custodian should track that from CloudTrail mode and notify.
DigeratiDad
@digeratidad
Hello, I'm trying to determine the best way to implement a "catch-all" for IAM policies. So basically, ANY/ALL IAM changes would trigger a notification.
satvan23
@satvan23
Guys, we are having MFA using ADFS/AWS and are soon moving to Okta MFA. How does Custodian handle MFA?
Kapil Thangavelu
@kapilt
@minhasgithub Like I said, just do the event against the account, which is a synthetic resource that can track/catch arbitrary events like deletes, where a resource policy wouldn't because there is no resource to act on.
@satvan23 Pretty much the same for roles; for humans it's an MFA auth and run for the STS timeout period.
lkolchin
@lkolchin
Hello, is there a way to combine the filters of 2 policies and execute an action based on "and" logic:
policies:
  - name: untag-datadog-monitor-lambdas
    resource: aws.lambda
    region: ap-southeast-2
    filters:
      - and:
        - type: value
          key: "tag:datadog"
          value: "monitor"
        - type: value
          key: "tag:microservice"
          value: "some-data"
        - type: value
          key: "tag:STAGE"
          value: "sree01"
  - name: aws-account
    resource: aws.account
    region: ap-southeast-2
    filters:
        - type: value
          key: "account_name"
          op: regex
          value: '^((?!-prod).)*$'
angystardust
@angystardust
Hi to all, do you know if there's a way to express a Custodian policy to keep the latest (most recent) n AWS AMIs? I don't want to use age or date filters, as I want to be sure to keep the most recent ones without caring about their age. I can see there's a "resource_count" filter, but I don't know if it can be used for my needs...
KVInventoR
@KVInventoR
Hi all,
Is there any possibility to filter all IAM Roles for the service ec2.amazonaws.com?
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
tomarv2
@tomarv2
@kapilt I saw your note above on the new release .9; I want to see if there are any breaking changes coming, and when it is planned. I'm planning a prod rollout for Azure, and I was thinking whether I should wait or continue with .8.45.
Kapil Thangavelu
@kapilt
@lkolchin "and" is the default top-level operator for filters; you don't need to specify it.
@tomarv2 Nothing breaking, I'm just cautious by default. There's a large set of changes relating to lazy loading, which improves performance quite a bit for serverless and CLI usage.
@angystardust So a keep-the-last-3 sort of thing with a given tag? Not exactly, but I dig the use case; I'd suggest filing an issue with an example.
Marty Hill
@martyhill
Is it possible (in a policy) to attach an existing security group (referenced by its GroupName) to a newly created EC2 instance in response to its CloudTrail RunInstances event? What would be the action in the policy? If it's not possible, what's a good alternative approach -- writing my own CloudTrail-triggered Lambda?
Mike
@mac-flanker
I'm running the action to remove all ingress and egress rules from a security group (default). The first pass clears the rules no problem; afterward, if no rules exist, an error is thrown.
Here is the filter:
- or:
    - type: value
      key: GroupName
      value: "default"
      op: eq
Mike
@mac-flanker
Is there a filter change I can make to ensure that if a rule doesn't exist, the action of removing all egress and ingress rules doesn't result in an error?
Jamison Roberts
@jtroberts83

Is there a way to filter on the {account_id} variable using the S3 file value_from? I'm getting an error with the following policy:

policies:
  - name: iamaccesstest
    resource: iam-user
    filters:
      - type: value
        key: {account_id}
        op: not-in
        value_from:
          url: s3://mybucket/Exceptions.csv
          format: csv2dict

This throws the error:

error:'dict' object has no attribute 'startswith'
Kapil Thangavelu
@kapilt
@jtroberts83 That looks like a bug; that should work, although you may need to quote "{account_id}" to ensure it's a string.
Some accounts start with 0, which will otherwise get interpreted as an octal number.
@jtroberts83 Please file an issue with the traceback.
Jamison Roberts
@jtroberts83

OK, tried quotes, but it throws another error:

c7n_org:ERROR Exception running policy:iamaccesstest account:my-account-name region:us-east-1 error:invalid token: Parse error at column 0, token "12345678900" (NUMBER), for expression:
"12345678900"
 ^

Filing an issue now. Thanks!

Jamison Roberts
@jtroberts83
@kapilt Would this bug need to be fixed within the c7n/resolver.py file?
Jayzeruk
@Jayzeruk
Hi folks, relatively new to developing policies. Within AWS I want to know if any user creates an Internet Gateway, and post to Security Hub. Not getting any luck. Any help appreciated:
policies:
  - name: IGW creation check
    resource: vpc
    description: |
      Cloud Custodian unauthorized IGW creation check
    mode:
      packages: [boto3, botocore, urllib3]
      type: cloudtrail
      role: arn:aws:iam::{account_id}:role/CloudCustodianAdminRole
      member-role: arn:aws:iam::{account_id}:role/CloudCustodianAdminRole
      events:
        - source: ec2.amazonaws.com
          event: CreateInternetGateway
          ids: "requestParameters.internetGatewayId"
    filters:
      - type: internet-gateway: true
    actions:
      - type: post-finding
        severity_normalized: 100
        types:
          - "Software and Configuration Checks/AWS Security Best Practices"
        compliance_status: "FAILED"
        recommendation: test message
        region: eu-west-1
John
@John03520885_twitter

Anyone else having issues with the Cloud Custodian report-finding feature, where you are seeing duplicate findings?

For example: I am testing an EC2 tag enforcement policy. It's a two-part policy where the first policy will identify non-compliant instances and mark them for termination; the second policy will terminate the instances after 5 mins and report findings into Security Hub.

The issue: every time a new EC2 is terminated, the second policy continues to report older terminated instances. Is something being cached that is causing this duplicate reporting?

Kai
@kiwiz
@John03520885_twitter There's a cache you can disable with --cache-period 0, but I'm not sure if that's the cause.
Default is 15 mins.
John
@John03520885_twitter
It seems like this is an issue when using "periodic" mode. It doesn't seem to happen when using "cloudtrail" mode.
Andrew Chin
@andrewtchin
I'm trying to create a filter for CIDR < 32 and not an RFC 1918 address, but it seems like the negation is not working for me. Any ideas?
  filters:
    - not:
      - type: ingress
        Ports: [22]
        Cidr:
          value: ^(10|127|169\.254|172\.1[6-9]|172\.2[0-9]|172\.3[0-1]|192\.168)\.*$
          op: regex
    - type: ingress
      SelfReference: false
      Ports: [22]
      Cidr:
        op: lt
        value: 32
        value_type: cidr_size
Andrew Chin
@andrewtchin
Updated the regex to ^(10|127|169\.254|172\.1[6-9]|172\.2[0-9]|172\.3[0-1]|192\.168)\..*$ but Custodian is still not picking up my test case of 1.2.3.0/24.
Jamison Roberts
@jtroberts83
@andrewtchin Maybe try a negative regex? Have you tested the regex on regex101 or something similar to verify it matches your string?
Andrew Chin
@andrewtchin
Also, is there a way to output which rule in the security group matched?
Jamison Roberts
@jtroberts83
Once you get one to match, you would look at the resources.json file for that policy, and there should be a c7n:matched-filters section which would show you what it is matching on.
Jamison Roberts
@jtroberts83
@John03520885_twitter What do your policy filters look like?
You might need to query the instance state to make sure it's only in a "Running" state.
sent2020
@sent2020
Mm0ommmpmmOm
Mmmmpmm0mmmpmOm
Mommy mommies member P0
Ammu mm mmmmmOOmOmo kl momentum omni moot 0
Sanjay Naikwadi
@sanjaynaikwadi
Does the ASG resource's action support termination?
I have a policy where I want to terminate instances, but those instances are operated via an ASG, so how is termination handled for an ASG?
Jamison Roberts
@jtroberts83
@sent2020 Did something fall on your keyboard :laughing:
@sanjaynaikwadi Are you wanting to have the ASG shut down all its instances, or just terminate one so that the ASG spins up another?
sent2020
@sent2020
@jtroberts83 Just now saw it. I was using it from mobile and somehow it got typed automatically. Sorry.
Jamison Roberts
@jtroberts83
lol