Igor-Potyomkin
@Igor-Potyomkin

Hi Team, I'm new to Custodian and I'm trying to find a way to store the response locally in the same structure as I customized for the webhook. The resources.json and metadata.json files don't contain what I need, so I'm trying to set that up.
My .yaml file config is:

  - name: IAM-Test
    description: IAM-Test
    resource: account
    region: us-east-1
    filters:
      - or:
        - and:
          - type: password-policy
            key: RequireUppercaseCharacters
            value: false
    actions:
      - type: webhook
        url: https://hooks.slack.com
        body: |-
          {
            "attachments": [
              {
                "fallback": `CloudCustodian`,
                "color": `warning`,
                "fields": [
                  {
                    "title": `Account Id`,
                    "value": resource.account_id,
                    "short": `true`
                  },
                  {
                    "title": `Account Name`,
                    "value": resource.account_name,
                    "short": `true`
                  },
                  { "There may be other custom fields": "custom field value"}
                ],
                "icon_emoji": `:rotating_lights:`
              }
            ]
          }

Thanks.

myoung34
@myoung34

dumb question but

policies:
  - name: IAM User with active access key
    resource: iam-user
    region: us-east-1
    filters:
      - type: access-key
        key: Status
        value: Active
      - not:
        - or:
          - tag:vendor: "true"
          - tag:Name: "orgaccess+aws@foo.com"

Is there a way to add 'not in account 1111111' to the rule somehow?

45 replies
Javier Collado
@jcollado

Hello all,

I'm looking into using Cloud Custodian to automatically add an owner tag to an EC2 instance and its EBS volumes when the instance is launched.

In the documentation I've seen this policy which looks like a very good starting point:
https://cloudcustodian.io/docs/aws/examples/ec2-auto-tag-user.html

In some video from the Stacklet YouTube channel, I also saw an example of copying tags from the instance to the volumes using the copy-instance-tags action:
https://cloudcustodian.io/docs/aws/resources/ebs.html#aws-ebs-actions-copy-instance-tags

However, I'm not sure about how that would work.
My understanding is that the EC2 policy would be triggered by CloudWatch by parsing CloudTrail logs.
How would the EBS volume policy be triggered?
Using the pull or the periodic execution mode doesn't seem to be the best approach
because ideally, the volumes should be tagged at the same time as the instance.
Unfortunately, it doesn't seem to be possible to tag both the EC2 instance and the EBS volumes in the same rule.

What would be the best approach to do this?

6 replies
Jin Kang
@jinkang23

Hello, is it possible to parse a raw JSON string using the event filter? 
Currently, I'm using a JMESPath query for the key in my event filter, and because the actual value of the policyDocument attribute is an escaped, stringified JSON string, it is unable to parse it. Is there a way within a Custodian policy to convert this to an object that can be parsed by JMESPath? If not, any recommendations on how I can parse this?

Thank you!

Here's an example of my partial event payload:

{
    "version": "0",
    "id": "5710ee03-2735-056e-02e3-e5baad43ae30",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventTime": "2021-10-18T21:31:11Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "PutRolePolicy",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "cloudformation.amazonaws.com",
        "userAgent": "cloudformation.amazonaws.com",
        "requestParameters": {
            "roleName": "test",
            "policyName": "allow-all",
            "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"*\",\"Resource\":\"*\",\"Effect\":\"Allow\",\"Sid\":\"AllowAllAdmin\"}]}"
        },
        "responseElements": null
    },
    "debug": true
}

Here's the custodian policy I'm working with:

policies:
  - name: iam-role-has-admin-policy-attached
    resource: aws.iam-role
    description: |
      Cloud Custodian IAM Role has Administrative policy attached
    mode:
      type: cloudtrail
      events:
        - source: iam.amazonaws.com
          event: PutRolePolicy
          ids: "requestParameters.roleName"
    filters:
      - type: event
        key: "detail.requestParameters.policyDocument.Statement[].Action"
        value_type: swap
        op: in
        value: "*"
9 replies
Javier Collado
@jcollado

How do you manage the lifecycle of the policies that create resources, such as lambda functions or cloudwatch metric filters? My understanding is that I need to delete those resources on my own. Is that correct? Is there maybe a custodian policy that is able to remove resources created by custodian itself based on tags?

To provide some background about what I was expecting as a new custodian user:

  • in terraform there's a state file and when a resource is removed from the terraform code, terraform will remove the resource in the next apply command call
  • in ansible there isn't any state file, but it's possible to set state to either present or absent. Hence, when I want to remove a resource from my code, I can set the state to absent first, let ansible remove it and then remove it from the code.
5 replies
Matthew Tordoff
@mat-tordoff

Regards conditional execution of policy actions. I found this issue:
cloud-custodian/cloud-custodian#6024

Just wondering if there are any plans to implement this? Or if it is possible in another way?

My use-case is:
1) Run SSM "send-command" action.
2) IF successful run "tag" action to tag the resource to show particular piece of software has been installed.
ELSE don't tag and try send-command action again next time policy runs.

3 replies
Jin Kang
@jinkang23

Hello, is there a way to conditionally handle errors raised while performing any of the actions?

For example, I have a policy where, if an IAM role has an allow-all policy, it will attach an AWS-managed deny-all policy. However, if the IAM role already has 10 managed policies attached, the Custodian lambda function raises a LimitExceeded error. What I would like to do is handle this by detaching one of the 10 managed policies and attempting it again.
Thank you!

My sample policy:

policies:
  - name: iam-role-has-admin-policy-attached-test
    resource: aws.iam-role
    description: |
      Cloud Custodian IAM Role has Administrative policy attached 
    mode:
      type: cloudtrail
      role: arn:aws:iam::111111111111:role/test-role
      events:
        - source: iam.amazonaws.com
          event: PutRolePolicy
          ids: "requestParameters.roleName"
    filters:
      - or:
        - type: has-specific-managed-policy
          value: AdministratorAccess
        - type: check-permissions
          match: denied
          actions:
            - '*:*'
      - type: value
        key: AssumeRolePolicyDocument.Statement[].Action
        value_type: swap
        op: in
        value: 'sts:AssumeRoleWithSAML'
    actions:
      - type: set-policy
        state: attached
        arn: arn:aws:iam::aws:policy/AWSDenyAll

Error message from the Custodian lambda function:

{
  "errorMessage": "An error occurred (LimitExceeded) when calling the AttachRolePolicy operation: Cannot exceed quota for PoliciesPerRole: 10",
  "errorType": "LimitExceededException",
  "stackTrace": [
    "  File \"/var/task/custodian_policy.py\", line 4, in run\n    return handler.dispatch_event(event, context)\n",
    "  File \"/var/task/c7n/handler.py\", line 165, in dispatch_event\n    p.push(event, context)\n",
    "  File \"/var/task/c7n/policy.py\", line 1164, in push\n    return mode.run(event, lambda_ctx)\n",
    "  File \"/var/task/c7n/policy.py\", line 459, in run\n    return self.run_resource_set(event, resources)\n",
    "  File \"/var/task/c7n/policy.py\", line 489, in run_resource_set\n    results = action.process(resources)\n",
    "  File \"/var/task/c7n/resources/iam.py\", line 1091, in process\n    client.attach_role_policy(\n",
    "  File \"/var/runtime/botocore/client.py\", line 386, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
    "  File \"/var/runtime/botocore/client.py\", line 705, in _make_api_call\n    raise error_class(parsed_response, operation_name)\n"
  ]
}
2 replies
Samarth Shivaramu
@s_samarth03_twitter

I've deployed CIS benchmark validation in AWS accounts via Cloud Custodian. The Cloud Custodian policy gets deployed as part of AWS account creation that is executed via a bash script. The CC policy does get deployed successfully in the new AWS account, but NOT in all the AWS regions. I see the following error message in the regions given below:

2021-10-17 20:06:10,343: c7n_org:ERROR Exception running policy:cis-cloudtrail-is-secure-and-running account:<account_name> region:ap-northeast-1 error:An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda.
2021-10-17 20:06:10,560: c7n_org:ERROR Exception running policy:cis-cloudtrail-is-secure-and-running account:<account_name> region:eu-west-1 error:An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda.

Regions:

ap-northeast-1
eu-west-1
eu-west-2
ap-northeast-3
eu-west-3
ap-south-1

The ap-northeast-3 (Osaka) region is not enabled for new AWS accounts in my organization, so it makes sense if the CC policy is not deployed in that region. But all the other regions are enabled for new AWS accounts and the error occurs in only these regions and is successfully deployed in the other regions.

Based on some information gathered from this forum and Stack Overflow, I did re-verify that the IAM role does have "lambda.amazonaws.com" in its trust relationship (if not, the policy would not have deployed in all the AWS regions). The other information I was able to gather was that this error could be prevented by introducing a few seconds of delay, for which I used the "delay" property of the "cloudtrail" mode in the CC policy. Adding the "delay" property did not resolve the issue.

However, I did notice that this error occurs only if I invoke the policy execution via the account creation bash script. If I execute the CC policy from my local machine, the CC policy is executed successfully in all the regions.

Has anybody experienced such an issue? If so, how can I troubleshoot, why a CC policy is failing in certain AWS regions?

6 replies
Jin Kang
@jinkang23
Does check-permissions filter take into consideration the AWS Organizations SCPs? The reason I'm asking is because I am getting inconsistent results and trying to understand if this filter when used against aws.iam-role resource evaluates more than just the in-line policies and managed policies that are attached to the IAM role.
7 replies
Deep Patel
@SilentWolf__gitlab

Hello,
I am trying to access specific data from the resource.json file in the webhook action of my policy yaml file.
Or how can I use the entire JSON data to post to the webhook?
For example, I need the CidrIp info in my webhook action JSON body.
How am I going to access it?

Here is my resource.json
{
  "Description": "launch-wizard-3 created 2021-10-18T20:14:49.325-04:00",
  "GroupName": "launch-wizard-3",
  "IpPermissions": [
    {
      "FromPort": 80,
      "IpProtocol": "tcp",
      "IpRanges": [
        {
          "CidrIp": "0.0.0.0/0"
        }
      ],
      "Ipv6Ranges": [],
      "PrefixListIds": [],
      "ToPort": 80,
      "UserIdGroupPairs": []
    },
    {
      "FromPort": 22,
      "IpProtocol": "tcp",
      "IpRanges": [
        {
          "CidrIp": "0.0.0.0/0",
          "Description": ""
        }
      ],
      "Ipv6Ranges": [],
      "PrefixListIds": [],
      "ToPort": 22,
      "UserIdGroupPairs": []
    }
  ],

14 replies
LA
@liz-acosta
Since I've got webhooks on the brain, is there a way you could send authentication headers with the webhook action?
sur
@surkat918_gitlab

I have a question related to storing policy pass/violation results in our database. In this regard, we have 3 questions:
1) How to find if a policy has passed or been violated?
2) Instead of posting to a webhook, we want to store the results in a database. What's the recommended way to do that?
3) Is there any policy package readily available for NIST/CIS compliance for AWS?

Thanks for help in advance. I appreciate the awesome community.

6 replies
Jorge O. Castro
@castrojo
Good news folks, if you missed Governance as Code Day we now have all the vids on YouTube: https://www.youtube.com/playlist?list=PLtIlR7WdaxTEj45N63lUgrd2IhS_gD3pe
2 replies
Lots of good info there!
altenx
@altenx
I'm re-upping this ASG policy that is failing to stop the creation and running of AWS EC2 instances with public IP addresses. I've gone through this over 30 times with variations in the resource, event, and filter to no avail. I've looked at the source code in asg.py, searched the CC gitter and searched the Internet with no success. I've tested with ASG configurations as well as with EC2 templates with no luck. Here's what I believe should be the correct policy (based on asg.py comments).
7 replies
- name: zsec-enforce-ASGPublicIpPolicy
  resource: asg
  mode:
    type: cloudtrail
    events:
    - source: autoscaling.amazonaws.com
      event: CreateAutoScalingGroup
      ids: requestParameters.autoScalingGroupName
    role: zsecEnforcementsLambdaRole
  filters:
  - type: launch-config
    key: "AssociatePublicIpAddress"
    value: true
  actions:
  - suspend
A similar policy, that checks for ASG spinning up only 1 EC2 instance, works fine (i.e. it is suspended).
- name: zsec-enforce-ASGPublicIpPolicy
  resource: asg
  mode:
    type: cloudtrail
    events:
    - source: autoscaling.amazonaws.com
      event: CreateAutoScalingGroup
      ids: requestParameters.autoScalingGroupName
    role: zsecEnforcementsLambdaRole
  filters:
  - type: value
    key: MinSize
    value: 1
    op: eq
  actions:
  - suspend
Here is the CloudWatch log.
altenx
@altenx
2021-10-20T22:43:30.871-07:00   START RequestId: 3793703f-6f8a-4e16-8ef7-d524089dffde Version: $LATEST

2021-10-20T22:43:31.684-07:00 [INFO]    2021-10-21T05:43:31.668Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Processing event

{
    "version": "0",
    "id": "f0d64faa-dc3c-fcb5-fb86-4e5a0728bc58",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.autoscaling",
    "account": "xxxxxxxx8633",
    "time": "2021-10-21T05:43:13Z",
    "region": "eu-central-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAI2VPKICTIPIAGCZSS:aalten@xxxxx.com",
            "arn": "arn:aws:sts::xxxxxxxx8633:assumed-role/Full-Admin-SAML-Role/aalten@xxxxx.com",
            "accountId": "xxxxxxxx8633",
            "accessKeyId": "ASIARBGJCOO4ZD5244OA",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "AROAI2VPKICTIPIAGCZSS",
                    "arn": "arn:aws:iam::xxxxxxxx8633:role/Full-Admin-SAML-Role",
                    "accountId": "xxxxxxxx8633",
                    "userName": "Full-Admin-SAML-Role"
                },
                "webIdFederationData": {},
                "attributes": {
                    "creationDate": "2021-10-21T03:08:17Z",
                    "mfaAuthenticated": "false"
                }
            }
        },
        "eventTime": "2021-10-21T05:43:13Z",
        "eventSource": "autoscaling.amazonaws.com",
        "eventName": "CreateAutoScalingGroup",
        "awsRegion": "eu-central-1",
        "sourceIPAddress": "98.47.41.143",
        "userAgent": "aws-internal/3 aws-sdk-java/1.12.75 Linux/5.4.141-78.230.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard",
        "requestParameters": {
            "minSize": 1,
            "tags": [
                {
                    "propagateAtLaunch": true,
                    "key": "Name",
                    "value": "aalten-test-public-asg-33",
                    "resourceType": "auto-scaling-group"
                }
            ],
            "maxSize": 1,
            "newInstancesProtectedFromScaleIn": false,
            "autoScalingGroupName": "aalten-test-public-asg-33",
            "healthCheckType": "EC2",
            "healthCheckGracePeriod": 300,
            "desiredCapacity": 1,
            "launchConfigurationName": "aalten-launch-config-public-internet-1",
            "vPCZoneIdentifier": "subnet-6340202e"
        },
        "responseElements": null,
        "requestID": "e7dff48e-de6e-4203-9d49-719bb73b87b8",
        "eventID": "3e2837d6-8388-4f95-a2bf-79959e1bc2c8",
        "readOnly": false,
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "xxxxxxxx8633",
        "eventCategory": "Management"
    },
    "debug": true
}
2nd half of the CloudWatch log.
2021-10-20T22:43:31.684-07:00   [DEBUG] 2021-10-21T05:43:31.684Z 3793703f-6f8a-4e16-8ef7-d524089dffde Disabling cache

2021-10-20T22:43:31.685-07:00   [WARNING] 2021-10-21T05:43:31.685Z 3793703f-6f8a-4e16-8ef7-d524089dffde Custodian reserves policy lambda tags starting with custodian - policy specifies custodian-info

2021-10-20T22:43:31.685-07:00 [INFO]    2021-10-21T05:43:31.685Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Found resource ids:['aalten-test-public-asg-33']
[INFO] 2021-10-21T05:43:31.685Z 3793703f-6f8a-4e16-8ef7-d524089dffde Found resource ids:['aalten-test-public-asg-33']

2021-10-20T22:43:31.992-07:00 [INFO]    2021-10-21T05:43:31.991Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Resources [{'AutoScalingGroupName': 'aalten-test-public-asg-33', 'AutoScalingGroupARN': 'arn:aws:autoscaling:eu-central-1:xxxxxxxx8633:autoScalingGroup:c530605e-c1bb-40b8-81e0-46781cd90eda:autoScalingGroupName/aalten-test-public-asg-33', 'LaunchConfigurationName': 'aalten-launch-config-public-internet-1', 'MinSize': 1, 'MaxSize': 1, 'DesiredCapacity': 1, 'DefaultCooldown': 300, 'AvailabilityZones': ['eu-central-1c'], 'LoadBalancerNames': [], 'TargetGroupARNs': [], 'HealthCheckType': 'EC2', 'HealthCheckGracePeriod': 300, 'Instances': [{'InstanceId': 'i-0e07ac595df620bce', 'InstanceType': 'c4.large', 'AvailabilityZone': 'eu-central-1c', 'LifecycleState': 'Pending', 'HealthStatus': 'Healthy', 'LaunchConfigurationName': 'aalten-launch-config-public-internet-1', 'ProtectedFromScaleIn': False}], 'CreatedTime': datetime.datetime(2021, 10, 21, 5, 43, 13, 211000, tzinfo=tzlocal()), 'SuspendedProcesses': [], 'VPCZoneIdentifier': 'subnet-6340202e', 'EnabledMetrics': [], 'Tags': [{'ResourceId': 'aalten-test-public-asg-33', 'ResourceType': 'auto-scaling-group', 'Key': 'Name', 'Value': 'aalten-test-public-asg-33', 'PropagateAtLaunch': True}], 'TerminationPolicies': ['Default'], 'NewInstancesProtectedFromScaleIn': False, 'ServiceLinkedRoleARN': 'arn:aws:iam::xxxxxxxx8633:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling'}]

2021-10-20T22:43:31.992-07:00 [INFO]    2021-10-21T05:43:31.992Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Filtering resources using 1 filters

2021-10-20T22:43:32.072-07:00 [DEBUG]   2021-10-21T05:43:32.071Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Filter #1 applied 1->0 filter:
{
    "type": "launch-config",
    "key": "AssociatePublicIpAddress",
    "value": true
}

[DEBUG] 2021-10-21T05:43:32.071Z 3793703f-6f8a-4e16-8ef7-d524089dffde Filter #1 applied 1->0 filter: {"type": "launch-config", "key": "AssociatePublicIpAddress", "value": true}

2021-10-20T22:43:32.072-07:00 [DEBUG]   2021-10-21T05:43:32.072Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Filtered from 1 to 0 asg

2021-10-20T22:43:32.072-07:00 [INFO]    2021-10-21T05:43:32.072Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Filtered resources 0 of 1

2021-10-20T22:43:32.072-07:00 [INFO]    2021-10-21T05:43:32.072Z        3793703f-6f8a-4e16-8ef7-d524089dffde    policy:zsec-enforce-ASGPublicIpPolicy resources:asg no resources matched

2021-10-20T22:43:32.073-07:00   END RequestId: 3793703f-6f8a-4e16-8ef7-d524089dffde

2021-10-20T22:43:32.073-07:00   REPORT RequestId: 3793703f-6f8a-4e16-8ef7-d524089dffde Duration: 1202.16 ms Billed Duration: 1203 ms Memory Size: 512 MB Max Memory Used: 78 MB Init Duration: 572.68 ms
Any useful advice would be most appreciated. Thank you.
altenx
@altenx
Here is the correct version.
$ custodian version
0.9.13
Matthew Tordoff
@mat-tordoff
Hi all - I am trying to pull route 53 resolvers and ideally the ENIs associated with them. Do you know if this is possible currently? I did find the aws.eni policy which I am going to investigate, but that doesn't solve the resolver ask. Thanks.
4 replies
vdmanjunath
@vdmanjunath
Hi All, I'm trying to send a notification using Cloud Custodian for an Azure resource (azure.aks cluster) based on CPU usage by creating a policy, and would like to know what metric we use for an Azure AKS cluster and how to send the notification?
Matthew Tordoff
@mat-tordoff
Regards executing SSM documents - is it possible to trigger SSM Distributor packages? I tried using send-command which seems to be limited to SSM Command Documents. I am guessing this just isn't supported at the moment also?
7 replies
Cenisar-Villanueva
@Cenisar-Villanueva

Hi
I'm new to Cloud Custodian and very interested in using it.

May I ask if it is possible to create a c7n policy that will check if auto-scaling is enabled in DynamoDb tables?
Thanks in advance for answering my question.

4 replies
Jorge Castro
@jcastro:matrix.org
[m]
Liz and I won't be doing a doc sprint this afternoon, we'll be returning next week!
cleo2525
@cleo2525

Hello, I'm looking to set the TLS security policy on some Cloudfront distributions. I tried the following action, but received this error (my credentials have access to update the distro)

botocore.exceptions.ClientError: An error occurred (InternalError) when calling the UpdateDistribution operation (reached max retries: 4):

Is there a way to set the MinimumProtocolVersion with c7n?

  actions:
    - type: set-attributes
      attributes:
        ViewerCertificate:
          MinimumProtocolVersion: TLSv1.2_2018
4 replies
Cenisar-Villanueva
@Cenisar-Villanueva

Hi
I'm having trouble checking if there is a multi-region CloudTrail in my account. Below is my policy.

policies:
  - name: check-cloudtrail-multi-region
    resource: aws.account
    filters:
      - type: check-cloudtrail
        multi-region: true

and the output is none, even though I have a trail that is multi-region.

2021-10-24 16:45:52,103: custodian.policy:INFO policy:check-cloudtrail-multi-region resource:aws.account region:us-east-2 count:0 time:2.99

Can anyone advise what is wrong with my policy?
Thanks in advance!

8 replies
Shawn L
@slaphitter
Hello, looking for a confirmation on this… it appears to me that CC cannot manipulate the "Requester Pays" setting for an S3 bucket. Is this correct?
Jin Kang
@jinkang23
When defining Custodian policy with multiple filters, is the default evaluation logic using AND operator or OR operator?
3 replies
Jin Kang
@jinkang23
Can single policy support multiple modes so that I can have the policy be triggered via cloudtrail event + periodic schedule?
2 replies
Mike
@mikejgray
Question re: Azure c7n-mailer...if I want to forward to Datadog, do I have to use SendGrid? Or is it possible to use the LogicApps notification?
myoung34
@myoung34

C7N-Org and non-cloudtrail events...

  policies:
    - name: ebs-snapshots-90-days-old
      resource: ebs-snapshot
      comment: Delete old EBS snapshots
      filters:
        - type: age
          days: 90
          op: ge
      conditions:
        - type: value
          key: account_id
          op: in
          value:
            - "111111111" # foo-production

How can I specify a role here?

This runs from a central account in the org which needs to assume the role in the account I have in the conditional (the role in 11111111).

In other ones I can add mode.role but I don't think I can do that here.

24 replies
CraigRichardsJET
@CraigRichardsJET
Hi All. I have a (hopefully) QQ. I've got a filter to find RDS instances with certain DBInstanceIdentifier but it doesn't seem to work. Was wondering if someone could point me in the direction of why it's not working? The filter is as follows:
      - type: value
        key: DBInstanceIdentifier
        op: regex
        value: '(?:\b|_)test(?=\b|_)'
4 replies
Jorge Castro
@jcastro:matrix.org
[m]
I am working on the agenda for today's community meeting: https://hackmd.io/@c7n/ByE8RSCzK If anyone has a burning issue or PR that needs eyeballs please let me know!
Jorge Castro
@jcastro:matrix.org
[m]
The community meeting is at the top of the hour! (3m from when I'm posting this), if you wanna drop by and say hello or just see how the sausage is made it's open for everyone! https://meet.google.com/mii-evqh-esh
Matthew Tordoff
@mat-tordoff
Is there anywhere in the c7n documentation that explains how to use variables? I have been looking and can't seem to find anything. I want to specify an arn and inject the region variable into it so it works cross-region, e.g. arn:aws:ssm:{{ region }}:123456789:document/packageName. Do I do this with single or double parentheses? Which built-in variables are supported? Can these variables be used anywhere within a policy?
6 replies
anergiti
@anergiti
Hello, I have 2 AWS accounts. For using c7n-org, should I have identical roles on both accounts, or only one role in a selected account and set up assume-role on the other?
68 replies
Matt Cui
@mattcui
Hello, I am working on policy definition to identify idle database on AWS, Azure and GCP. We have completed the policy definition for AWS, just follow/reference https://cloudcustodian.io/docs/aws/examples/rdsdeleteunused.html, but for Azure, we would like to make it consistent with AWS, no DB connections for x days. From azure.sql-server resource doc (https://cloudcustodian.io/docs/azure/resources/sql-server.html), I don't find a similar filter to get the connection number for x days. Any idea? Thanks.
3 replies
Jin Kang
@jinkang23

Hello, I have a policy that is trying to detect any IAM roles with an AssumeRolePolicy trusting external account ids while checking for the aws:PrincipalOrgID condition. If any IAM roles are found to trust external accounts, they should be non-compliant, unless they have a condition restricting access to one of our Org Principal Ids.

This is the current policy:

policies:
  - name: iam-role-has-external-trust
    resource: aws.iam-role
    description: |
      IAM Role has external trust relationship defined in the assume role policy document.
    mode:
      type: cloudtrail
      role: 'my-role'
      function-prefix: 'my-function-prefix'
      events:
        - source: iam.amazonaws.com
          event: UpdateAssumeRolePolicy
          ids: "requestParameters.roleName"
        - source: iam.amazonaws.com
          event: CreateRole
          ids: "requestParameters.roleName"
        - source: iam.amazonaws.com
          event: UpdateRole
          ids: "requestParameters.roleName"
    filters:
      - and: 
        - type: cross-account 
          whitelist_from:    
            url: s3://bucket/whitelist_accounts.json
            format: json
            expr: 'Accounts[].Id'
        - and: 
          - type: value
            key: AssumeRolePolicyDocument.Statement[].Condition.StringEquals."aws:PrincipalOrgID"
            value_type: swap
            op: not-in
            value: 'o-example1'
          - type: value
            key: AssumeRolePolicyDocument.Statement[].Condition.StringEquals."aws:PrincipalOrgID"[]
            value_type: swap
            op: not-in
            value: 'o-example2'

And here’s an example of the Assume Role Policy Document for one of the IAM roles

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-example1"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Even though this policy is non-compliant due to the 2nd statement allowing access to an external account (e.g. 222222222222), it is not detecting it, because of the value type filter. If I change the value type filter to explicitly check for the 2nd statement like so: AssumeRolePolicyDocument.Statement[1].Condition.StringEquals."aws:PrincipalOrgID", it works. Is there any way to update the filter so that it is more dynamic? Thank you!

Jin Kang
@jinkang23
Since AWS IAM condition keys are not case sensitive, how are you handling this when using value filter type since JMESPATH doesn’t allow you to be case insensitive?
Sujeet Kumar
@mrsujeet
Hi Kapil & team, I have a guardrail for S3 encryption. How can I exclude a bucket having this resource policy condition?

"Condition": {
  "StringNotEqual": {
    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/*"
  }
}

I can hard-code a has-statement filter for a given account and a given region, but how can we have a general filter to exclude those buckets across multiple accounts and regions? Looking forward to your kind response!!
3 replies
Sujeet Kumar
@mrsujeet
@kapilt @castrojo any comment on above query
Cenisar-Villanueva
@Cenisar-Villanueva

Hi
I'm having below error when trying to check the permissions of a lambda function. Can anyone advise what is causing this?
ERROR:

error:An error occurred (ValidationError) when calling the GetRole operation: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-

And this is my policy:

policies:
  - name: Check-lambda-permissions
    resource: aws.lambda
    filters:
      - type: check-permissions
        match: allowed
        actions:
          - s3:PutObject

Thanks in advance!

2 replies
Brian Gaber
@bgaber

I am attempting to use c7n-mailer to send the output of a notify policy. However, I am not receiving any e-mail. I am following the instructions at https://pypi.org/project/c7n-mailer/
I have validated my email address in SES.
Here is my mailer.yml:

queue_url: https://sqs.us-east-1.amazonaws.com/0123456789/cloud-custodian
role: arn:aws:iam::0123456789:role/sre-ec2-role-assumed
from_address: brian.gaber@mycompany.com

I have confirmed that a new AWS Lambda function has been created

Here is my test policy:

policies:
  - name: c7n-mailer-test
    resource: ec2
    filters:
      - "tag:MailerTest": absent
    actions:
      - type: notify
        template: default
        priority_header: '2'
        subject: testing the c7n mailer
        to:
          - brian.gaber@mycompany.com
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/0123456789/cloud-custodian
9 replies
Brian Gaber
@bgaber

I want to modify what I posted above to use SNS. From the documentation I read, I can replace the email address with an SNS topic. I have created an SNS topic with the name CloudCustodian. I have tried this policy without success.

policies:
  - name: c7n-mailer-test
    resource: ec2
    filters:
      - "tag:MailerTest": absent
    actions:
      - type: notify
        template: default
        priority_header: '2'
        subject: testing the c7n mailer
        to:
          - CloudCustodian
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/0123456789/cloud-custodian

By, "without success", I mean I do not receive an e-mail and I am subscribed to the topic. Are other modifications required?