Rules engine for AWS management, DSL in yaml for query, filter, and actions on resources
man.. gitter ux is seriously confusing
@kapilt I am creating policies for VPC & resources under it . Basically create, delete notification . VPC delete is working and giving me information in notification about the VPC deleted , However same is not working with subnet delete . The resource id is not coming and my understanding about this is as its deleted so it is not able to get those details . Checked lambda logs also however no resource id information there too . Is there any way to show in notification the resource id of subnet deleted
the id will be in the event
actually you don't even need the missing filter, just use the account resource on the delete events your checking for to notify
@satvan23 pretty much the same for roles, for humans it’s an mfa auth and run for sts timeout period
Hello,
Is there a way to combine filters of 2 policies and execute action based on "and" logic:
Is there a way to combine filters of 2 policies and execute action based on "and" logic:
policies:
- name: untag-datadog-monitor-lambdas
resource: aws.lambda
region: ap-southeast-2
filters:
- and:
- type: value
key: "tag:datadog"
value: "monitor"
- type: value
key: "tag:microservice"
value: "some-data"
- type: value
key: "tag:STAGE"
value: "sree01"
- name: aws-account
resource: aws.account
region: ap-southeast-2
filters:
- type: value
key: "account_name"
op: regex
value: '^((?!-prod).)*$'
Hi to all, do you know if there's a way to express a custodian policy to keep the latest most-recent n AWS AMIs? I don't want to use age or date filters as I want to be sure to keep the most recent ones without caring about their age. I can see there's a "resource_count" filter but i don't know if it can be used for my needs...
@tomarv2 nothing breaking, I'm just cautious by default, there's a large set of changes relating to lazy loading which improves performance quite a bit for serverless and cli usage.
@angystardust so keep last 3 sort of thing with a given tag? not exactly, but I dig the use case, I'd suggest filing an issue with an example
Is it possible (in a policy) to attach an existing security group (referenced by its GroupName) to a newly created EC2 instance in response to its CloudTrail RunInstances event? What would be the
action in the policy? If it's not possible, what's a good alternative approach -- writing my own CloudTrail-triggered Lambda?
here is the filter
- or:
- type: value
key: GroupName
value: "default"
op: eq
Is there a way to filter the {account_id} variable using the S3 file value_from. Getting an error with the following policy:
policies:
- name: iamaccesstest
resource: iam-user
filters:
- type: value
key: {account_id}
op: not-in
value_from:
url: s3://mybucket/Exceptions.csv
format: csv2dictThis throws the error:
error:'dict' object has no attribute 'startswith'
some accounts start with 0 which will otherwise get interpreted as an octal number
@jtroberts83 please file an issue with the traceback
ok tried quotes but throws another error:
c7n_org:ERROR Exception running policy:iamaccesstest account:my-account-name region:us-east-1 error:invalid token: Parse error at column 0, token "12345678900" (NUMBER), for expression:
"12345678900"
^Filling an issue now. Thanks!
cloud-custodian/cloud-custodian#5273 Thanks Kapil
Hi folks, relatively new to developing policies. Within AWS want to understand if any user creates an Internet Gateway and posts to security hub. Not getting any luck. Any help appreciated:
policies:
- name: IGW creation check
resource: vpc
description: |
Cloud Custodian unauthorized IGW creation check
mode:
packages: [boto3, botocore, urllib3]
type: cloudtrail
role: arn:aws:iam::{account_id}:role/CloudCustodianAdminRole
member-role: arn:aws:iam::{account_id}:role/CloudCustodianAdminRole
events:
- source: ec2.amazonaws.com
event: CreateInternetGateway
ids: "requestParameters.internetGatewayId"
filters:
- type: internet-gateway: true
actions:
- type: post-finding
severity_normalized: 100
types:
- "Software and Configuration Checks/AWS Security Best Practices"
compliance_status: "FAILED"
recommendation: test message
region: eu-west-1
Any one else having issues with Cloud Custodian report finding feature where you are seeing duplicate findings?
For example: I am testing ec2 tag enforcement policy. Its a two part policy where first policy will identify non compliant instances and mark them for termination. the second policy will terminate the instances after 5 mins and report findings into security hub.
The issue: Every time a new EC2 is terminated, it continues to report older terminated instances by second policy. Is something being cached that is causing this duplicate reporting?
Default is 15 mins.
im trying to create a filter for cidr < 32 and not a rfc 1918 addr but it seems like the negation is not working for me - any ideas?
filters:
- not:
- type: ingress
Ports: [22]
Cidr:
value: ^(10|127|169\.254|172\.1[6-9]|172\.2[0-9]|172\.3[0-1]|192\.168)\.*$
op: regex
- type: ingress
SelfReference: false
Ports: [22]
Cidr:
op: lt
value: 32
value_type: cidr_size
You might need to query the instance state to make sure it's only in a "Running" state
Mmmmpmm0mmmpmOm
Mommy mommies member P0
Ammu mm mmmmmOOmOmo kl momentum omni moot 0
@sanjaynaikwadi Are you wanting to have the ASG shut down all it's instances or just terminate one so that the ASG spins up another?