Rules engine for AWS management, DSL in yaml for query, filter, and actions on resources
Doesn't work:
c7n-org run-script -c accounts.yaml -s c7n-org-out-mugc -a [account] "python scripts/mugc.py -c policy.yml --dryrun"Works:
python scripts/mugc.py -c policy.yml -r us-east-1 --assume [role_copied_from_c7n-org_account_config] --dryrunAm I missing something important? (I am using the version of mugc from master btw)
4 replies
key: "tag:Division"
op: not-in
value_from:
url: s3:/s3bucket/ValidDivisions.csv
format: csv2dict
2 replies
7 replies
getting below error
unauthorizedoperation error.plz help to fix
3 replies
c7n_org:INFO error running script on account:account_name region:eu-west-1 script:./mugc.py -c policy.yml --prefix c7n --region eu-west-1 --dryrun``
4 replies
Hi all,
I want to write a policy to catch all IAM-Roles with wide-open actions, such as *, s3:*, sqs:*, ... . which an example can be seen bellow.
Policies:
- PolicyName: default
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sns:*
- sdb:*
Resource:
- '*'I have prepared following policy but seems like it has two issues:
1) does not accept * and return error
2) does not act as OR and it acts as AND
policies:
- name: iam-role
resource: iam-role
filters:
- type: check-permissions
match: allowed
actions:
# - *
- iam:*
- s3:*
- sdb:*
- sns:*
- sqs:*
- rds:*Is there any way that I make this work, with a regex pattern or any other way?
3 replies
filters:
- and:
- "tag:aws:autoscaling:groupName": absent
- "tag:biorad:c7n:tag-compliance": absent
- or: *tag-compliance-filters
here is my json file from s3:
{
"us-east-1": [
"ami-01",
"ami-02"
],
"us-east-2": [
"ami-002",
"ami-003",
"ami-004"
]
}c7n policy i'm using to compare values:
policies:
- name: ec2-invalid-ami
description: un approved ami
comment: high
resource: ec2
filters:
# - "State.Name": running
- type: value
key: ImageId
op: not-in
value_from:
url: s3://bucketname/approved-amis/region-list.json
expr: [0]."us-east-1"[]I'm getting error Can someone correct this for me
2 replies
Hello,
I'm trying to run Custodian to filter s3 buckets that are not following tag compliance.
The problem is that the email template is looking for the Name tag of the bucket, but not all the buckets have the Name tag so some rows in the email report shows a blank name.
My question is how can I grab the s3 bucket names the way how it's showing in the AWS console?
S3 policy
policies:
- name: s3-tag-compliance-notify-only
resource: s3
description: |
Scan s3 buckets that do not meet tag compliance.
filters:
- type: value
key: "State.Name"
op: ni
value: ['terminated']
- or: *tag-compliance-filters
actions:
- type: tag
tag: TagCompliant
value: "no"
- type: notify
template: general_template.html
priority_header: 2
subject: "Enterprise Tagging - {{ policy['resource'] }} Compliance Report! [{{ account }} {{ account_id }} - {{ region }}]"
violation_desc: "Your s3 bucket is not tag compliant. Please see Cheat Sheet Link below and fix your tags."
action_desc: "s3 bucket out of compliance. Informational only. This report policy does not mark, stop or delete resources."
to:
# - resource-owner
transport:
type: sqs
queue: https://sqs.us-east-1.amazonaws.com/01234567890/cloud-custodian-mailerEmail Template
{% elif policy['resource'] == "s3" %}
{% if resources[0]['GlobalPermissions'] is defined %}
{% set columnNames = ['Name','GlobalPermissions'] %}
{% elif 'tag' in policy['name'] and 'unmark' not in policy['name'] %}
{% set columnNames = ['Name','Contact','Environment','Billing','Priority','BusinessUnit','Group','Owner','Services','Deploy','Invalid / Missing Tags'] %}
{% else %}
{% set columnNames = ['Name','Contact','Environment','Billing','Priority','BusinessUnit','Group','Owner','Services','Deploy'] %}
{% endif %}
{{ createTable(columnNames, resources, '80') }}Running version 0.9.4.0
2 replies
4 replies
We are using cloud-custodian to do a scheduled EC2 instance stop at 6PM EST everyday. We started observing an error: ResourceCountExceeded in lambda errors. I believe its because our account's instance count has grown and the list of EC2 instances is too big for the API call? Has anyone encountered this situation?
2 replies
[ERROR] TypeError: unsupported operand type(s) for /: 'datetime.datetime' and 'float'
Traceback (most recent call last):
File "/var/task/custodian_policy.py", line 4, in run
return handler.dispatch_event(event, context)
File "/var/task/c7n/handler.py", line 165, in dispatch_event
p.push(event, context)
File "/var/task/c7n/policy.py", line 1140, in push
return mode.run(event, lambda_ctx)
File "/var/task/c7n/policy.py", line 853, in run
resources = super(ConfigRuleMode, self).run(event, lambda_context)
File "/var/task/c7n/policy.py", line 437, in run
resources = self.resolve_resources(event)
File "/var/task/c7n/policy.py", line 835, in resolve_resources
return [source.load_resource(self.cfg_event['configurationItem'])]
File "/var/task/c7n/resources/dynamodb.py", line 23, in load_resource
resource['CreationDateTime'] = datetime.fromtimestamp(resource['CreationDateTime'] / 1000.0)
[ERROR] TypeError: unsupported operand type(s) for /: 'datetime.datetime' and 'float' Traceback (most recent call last): File "/var/task/custodian_policy.py", line 4, in run return handler.dispatch_event(event, context) File "/var/task/c7n/handler.py", line 165, in dispatch_event p.push(event, context) File "/var/task/c7n/policy.py", line 1140, in push return mode.run(event, lambda_ctx) File "/var/task/c7n/policy.py", line 853, in run resources = super(ConfigRuleMode, self).run(event, lambda_context) File "/var/task/c7n/policy.py", line 437, in run resources = self.resolve_resources(event) File "/var/task/c7n/policy.py", line 835, in resolve_resources return [source.load_resource(self.cfg_event['configurationItem'])] File "/var/task/c7n/resources/dynamodb.py", line 23, in load_resource resource['CreationDateTime'] = datetime.fromtimestamp(resource['CreationDateTime'] / 1000.0)
Hey All, I was looking out if there would be a way to identify services that are unused for a period of n days through usage filter for iam entities (group / role) and if found unused beyond n days, add a deny statement to the existing policy / new policy . I am looking out for this as a method for enforcing least privilege model in AWS something that repokid from netflix does, but through c7n.
I have following two issues :-
i. I am able to do a filter based on usage , but I was not able to figure out the services that were unused dynamically which could be passed to an action set to deny those alone.
ii. I could'nt find an action in role and user which could create a policy dynamically with passed unused services from filter and attach it to the user / role.
It would be really helpful if anyone can provide a solution for this (if it exists), if not any hacky way through c7n is also appreciated !!
My requirement is as follows:
I need to validate/evaluate the existing standard custom tag having service keys and values from my array list of values.
If exists we can ignore the resource of notify/disable/deletion else I need to take action.
for eg:
I had list of array valid service tags value as
["abc", "xyz", "def", "jkl" ]if my resource had prefix with above valid tags like below
service: abc-uiAs per the above example, the resource should be ignored.
service: dummy-packAction should be taken for the above one.
It would be very much helpful and thanks if I get the solution for the above.
5 replies
Hey, guys. Maybe this is a trivial question, but believe me, I've been reading documentation and I still can't find it.
I am using a simple policy to check my AWS iam users keys expiration, and I want to send an email to the specific user without Tags. Previously, by using contact_tags: ['myTag'] in the mailer worked as expected. But now I changed all the names of my iam users to use email ids . e.g before it was sam, now it's sam@mail.com.
How can I reference the username itself when using the notify action?
- name: iam-user-password-105days-older
resource: iam-user
...truncated...
actions:
- type: notify
subject: "[custodian] IAM - Password Not Changed"
...truncated...
to:
- **TO_WHO? That's my big question :( I don't want to use tags, but I want to access the actual username who already has the email on it**
transport:
type: sqs
...truncated...Hey Guys, I have a question not sure whether it answered or not yet. If answered please paste the reference link with this reply.
My requirement is as follows:
I need to validate/evaluate the existing standard custom tag having service keys and values from my array list of values.
If exists we can ignore the resource of notify/disable/deletion else I need to take action.
for eg:
I had list of array valid service tags value as["abc", "xyz", "def", "jkl" ]
if my resource had prefix with above valid tags like belowservice: abc-ui
As per the above example, the resource should be ignored.service: dummy-pack
Action should be taken for the above one.
It would be very much helpful and thanks if I get the solution for the above.
Thanks I got solution for the above and have below too..
One more query will it possible to declare as variable or make it as argument file the values?
4 replies
i am trying to filter my KMS keys
i have 1 aws managed KMS key (can not be tagged) and 1 customer managed key called testkey1 (that has been tagged properly)
Im using the below filter but testkey1 keeps being picked up by the filter. any ideas what im doing wrong please ?
filters:
- or:
- "tag:costcentre": absent
- "tag:live": absent
- not:
- type: value
key: "tag:live"
value_type: normalize
value: ['yes', 'no']
op: in
- and:
- not:
- type: value
key: "AliasName"
value_type: normalize
value: 'alias/aws/'
op: contains
- type: notify
template: default.html
priority_header: 2
subject: "EC2 - Instance Tagging Out of Compliance!!! - {{ account }} - {{ account_id }} - {{ region }}"
violation_desc: |
Your EC2 instance is out of compliance and is missing mandatory tag(s)
action_desc: |
Include all required tags on the EC2 instance
to stop receiving daily notifications. You can find the tagging wiki here -
to:
- resource-owner
3 replies
looking for some idea, I have two different templates, one templates is used to open a Jira ticket and one is used to send email to users, how I can accomplish it in one action, I was thinking this would work, but no, is creating a new policy the only option:
actions: - type: notify subject: "S3 bucket has not been Tagged with Owner tag" template: jira.html to: - jira@tomarv2.com transport: type: sns topic: "arn:aws:sns:us-east-2:123456789:custodian-mailer-nonprod-us-notify" - type: notify subject: "S3 bucket has not been Tagged with Owner tag" template: default.html to: - varun@tomarv2.com transport: type: sns topic: "arn:aws:sns:us-east-2:123456789:custodian-mailer-nonprod-us-notify"
Hello, Can I please have a document or anybody configured for Jira ticket creation as a notification with Jira token API? I got this quote but couldn't find the template or how to use it. Please let me know if there is any link that exists for my requirement. Thanks in advance.
2 replies
2 replies
policies:
- name: transitgateway-attachments
resource: aws.transit-attachment
description: Notify when some attaches transitgateway.
mode:
type: cloudtrail
role: CustodianLambdaExecutionRole
memory: 256
timeout: 180
runtime: python3.8
events:
- source: ec2.amazonaws.com
event: CreateTransitGatewayVpcAttachment
ids: requestParameters.CreateTransitGatewayVpcAttachmentRequest.TransitGatewayId
filters:
- or:
- not:
- type: event
key: requestParameters.CreateTransitGatewayVpcAttachmentRequest.TagSpecifications.Tag[].Contact
value: 'test'
op: contains
- type: event
key: requestParameters.CreateTransitGatewayVpcAttachmentRequest.TagSpecifications.Tag[].Project
op: ne
value: Infrastructure
value_type: normalize
actions:
- type: notifyHey, there is one requirement from my side. i.e., I need to have both in a single filter
value: regex
value_from: s3 URL
for eg:-
I have an array of standard tags in my file.json as below
"service": ["abc", "xyz", "lmn"]
}filters were like below:- type: value
key: "tag:service"
op: in
value_from:
url: s3://bucket_name/key/file.json
value_regex:- type: value
key: "tag:service"
op: regex
value: '^(abc|xyz|lmn)([\-].*)?$'
will it be possible to have both for tag validation?
Please let me know if there is any solution for this one. Thanks in advance.
1 reply
Hey, guys. Maybe this is a trivial question, but believe me, I've been reading documentation and I still can't find it.
I am using a simple policy to check my AWS iam users keys expiration, and I want to send an email to the specific user without Tags. Previously, by using contact_tags: ['myTag'] in the mailer worked as expected. But now I changed all the names of my iam users to use email ids . e.g before it was sam, now it's sam@mail.com.
How can I reference the username itself when using the notify action?
resource: iam-user
- type: notify
to:
- **TO_WHO? That's my big question :( I don't want to use tags, but I want to access the actual username who already has the email on it**
I am building a policy to detect root login . I want to send the event which triggered the check to be forwarded to slack. I tried {{ event }} for violation_desc but i am not getting the intended output on slack.
policies:
- name: root-user-login-detected
resource: account
description: |
Notifies Security and Cloud Admins teams on any AWS root user console logins
mode:
role: custodian-role
type: cloudtrail
events:
- ConsoleLogin
filters:
- type: event
key: "detail.userIdentity.type"
value_type: swap
op: in
value: Root
actions:
- type: notify
slack_msg_color: danger
violation_desc: {{ event }}
action_desc: Root user login detected! Take action if this is not intended login.
to:
- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
transport:
type: sqs
queue: https://sqs.us-east-2.amazonaws.com/xxxxxxxxxxxxxxxxxxxxxxxx
region: us-east-2