Rules engine for AWS management, DSL in yaml for query, filter, and actions on resources
@allisonis using the mailer is recommended for delivery to slack
@aakifshaikh value filter value_type: age assuming cert is available as an attribute off the gateway
@jlb-ts not related to that, its something dumb with boto3 freezing their dependencies because they couldn't bother to update their installer. 30k downstream projects affected. boto/botocore#1872
we've fixed it in trunk and our docker images are also fine, but we need to cut a new release
@prabin.pramanik_gitlab check your metric statistic
@satvan23 a custodian lambda or a random one off lambda? wrt to custodian lambdas, thats why its better to have them separate, because you have separate logs/metrics etc in terms of audit
@raaajit yes its possible
hate to drop in here asking silly questions but I've been pulling my hair out trying to work this one out, all I want to do is remove a bucket policy statement that has 'Allow: *' but I can't get it to remove just the one statement, what am I doing wrong?
name: s3-deny-bucket-public-policy-realtime
resource: s3
mode:
type: cloudtrail
role: cloudcustodian-lambda
member-role: arn:aws:iam::{account_id}:role/cloudcustodian
events:
- source: s3.amazonaws.com
event: PutBucketPolicy
ids: requestParameters.bucketName
filters:
- type: has-statement
statements:
- Effect: Allow
Principal: '*'
actions:
- type: remove-statements
statement_ids: matched
Hello Guys. Question about a lambda generated by CC. I get notified by email correctly, but at the end of the email, there's a link "email us" and the reply address is custodian@domain.com. Where do I change this email address ? I checked config.json file but don't see it there.
Thank you Kapil... have one other questions . we have a scenario where a team is creating ec2 instances first and then they are creating tags. RunInstances and createTags are 2 different api calls. we wrote a policy when there is runInstances event... I'm not getting tags as they are creating later.. Is there a way we can describe the instance later that violated before to get the tags in the same policy.
@kapilt till now we are not using c7n_mailer.. we have a centralized sqs queue, so we are sending all the violated resources to that queue, from that queue we are sending notifications only to the cloud team. But now we what to send notification to the resource owner before taking any actions. our company is not using ses/slack/datadog/splunk. Can someone suggest me a quick and easy solution for notification
@lpendyala_gitlab mailer supports centralized deployments to a single team, as well fan out to resource owners.
I assume all companies have smtp, else they don't have email..
@lpendyala_gitlab RunInstances supports tag on create, but say for whatever reason team x doesn't want to bother doing the right thing wrt to tag on create.. you can go periodic after the fact either via config-rule, or periodic lambda, or poll (default) execution via c7n or c7n-org
@kapilt except that the code will only set the logging config if the resource doesn't have one. it won't allow overriding an existing config. and there's no way to filter based on the values we plan to have because it doesn't allow us to use the same format variables since we only have the generic value filters to look at the existing settings... so I was thinking about working on a pair of PRs that allows both ... a way to override an existing logging config ... and a new filter that lets you filter based on your logging config using the same set of format variables you can use when setting the logging config. actually, i'll start my just opening a ticket to discuss the need for this ...
@kapilt Hello, hope my questions make sense, I tested cloud custodian in our development account successfully. I have a few questions in regard to using cloud custodian to monitor multiple accounts using AWS Organizations with c7n-org tool (just read about this tool). 1. If I define a policy using c7n-org, will this policy be applied across each account in AWS Organizations? And when this policy is triggered in one of the multiple accounts, will the cloud custodian alert provide information around in which specific account was this policy triggered? 3. Is there a way to create a cloud custodian policy to be triggered whenever an elastic IP address is assigned to an EC2 instance in any of the accounts within AWS Organizations? Thank you so much.
@sdfengw greetings, see also #5166 nutshell we need to have a mapping of the endpoints in the code base and then use the --region flag to set the endpoints.
@Maki2020 its also possible to deploy centrally with c7n-org for non lambda policies and run across org,, for lambda policies central deployment (in addition to provisioning with c7n-org) is possible with cwe trail mode, but requires out of band setup of CWE bus forwarding, and has different operational tradeoffs (blast radius for updates, monitoring, etc, see
member-role in cwe mode). other lambda modes don't support that.
ie
key: Origins.Items[].CustomOriginConfig.OriginOnlyProtocol
@jlb-ts some folks subdivide across more than one role, ie its really a policy and policy collection choice for deployment depending on biz requirements.
@myoung34 use check-permissions re looking for specific permissions on iam entities or resources with iam roles attached.
@tjstansell thanks for filing an issue, yeah that makes sense, toggle should behave more like set.