Kshitij Singh
@kshitijsingh14_twitter
@kapilt I am looking to make some progress on iam-analyser. My policy below finds whether an S3 bucket is public or not, but I wish to differentiate between public read and public write. Could you guide me through the different keywords available?
policies:
  - name: s3-check
    resource: aws.s3
    filters:
      - type: iam-analyzer
        key: isPublic
        value: true
1 reply
Steve Craig
@stevesworkgithub
Hi, I'm trying to trigger a Custodian RDS event policy via a PHD event, but am not getting the expected output (the lambda doesn't trigger at all, so I don't even have logs). I've not been able to find a working example, but does this look like it should work? I'm especially suspicious of sticking a wildcard in the events...
  - name: rds-phd-health-event
    resource: rds
    mode:
      type: phd
      categories: ['scheduledChange','issue']
      events: ['*']
      role: custodian-health-read-role
      tags:
        Project: cloud-custodian
    filters:
      - type: health-event
        statuses: [upcoming,open]
RazaHasan84
@RazaHasan84
I am working on an RDS policy that checks for "PerformanceInsightsEnabled" and enables it if it is disabled. But it is not working and points to a key error: EnablePerformanceInsights. This is my policy document:
filters:
  - DBInstanceStatus: available
  - PerformanceInsightsEnabled: False
actions:
  - type: modify-db
    update:
      - property: 'EnablePerformanceInsights'
        value: true
        immediate: true
Carl
@Cjcascade_gitlab
We are using cloud custodian to notify on user (service accounts) access keys. I have two different policies: 1.) triggers a notification for user access keys over 90 days old; 2.) triggers a notification for user (service accounts) access keys older than 180 days. All service access keys begin with svc_. I've tried:

  - type: value
    key: FunctionName              # The value from the describe call, or resources.json
    op: regex                      # Special operator
    value: '(custodian|c7n)\w+'    # Regex string: match all values beginning with custodian or c7n_

  - type: value
    key: name                      # The value from the describe call, or resources.json
    op: regex                      # Special operator
    value: '^.c7n.$'               # Regex string: match all values containing c7n

  - type: value
    key: name                      # The value from the describe call, or resources.json
    op: regex                      # Special operator
    value: '^((?!c7n).)*$'         # Regex string: match all values not containing c7n

None of which worked.

My example:

  - name: iam-user-service-access-keys-older-than-180days
    description: |
      Retrieve all IAM user service accounts whom have active access keys that are older than 80days
    resource: iam-user
    filters:
      - type: access-key
        key: Status
        value: Active
      - type: access-key
        match-operator: and
        key: CreateDate
        value: 180
        op: greater-than
        value_type: age
      - type: value
        key: FunctionName
        op: regex
        value: '(svc)_\w+'
nitro
@nitrocode
is it possible to use a tag action with a value coming from the resources?
12 replies
for instance, since cost explorer doesn't separate s3 bucket costs unless s3 buckets are tagged, we're thinking about tagging our s3 buckets with bucket_name=<s3bucketname>
anthonygruetzmacher
@anthonygruetzmacher
Is there a place that documents the default notify actions JSON schema that it outputs?
16 replies
pendyalal
@pendyalal
Hi all, we would like to check if any privileged roles are being attached to lambda; if attached, can we modify the role and set a non-privileged role? Any ideas or thoughts?
4 replies
Ryan Ash
@ryanash999
Question for the group: For all of our policies we have a default action of SQS to start our event processing. However, is it possible to run an alternative action if the policy did not match? So if the policy didn't match it is GOOD (no issue), do this alternative action to show check=ok for the account/resource. Is this an option or possible?
10 replies
Michael Nguyen
@micnguyen266
Hello, I have a policy that looks at all ec2 resources. Is it possible to only filter ec2 instances that are not tied to any Load Balancer or ASG? I know you can add conditions to a policy, but what would the syntax look like? Examples would be greatly appreciated!
2 replies
Ryan Ash
@ryanash999
@micnguyen266 If you could add tags it would be easier to account for those within the policy
1 reply
WeAreGroot
@WeAreGroot
Has anyone ever gotten a "shouldn't have gotten this far without keys" error when using the iam.user & credential filter? I have one user with two keys that I can't seem to filter out. In the resources output, the c7n:matched-keys is empty, so clearly no keys matched, but it still tried to process it.
xlrd
@xlrd
I have a similar problem related to access-keys: I cannot filter out users that don't have ACTIVE keys (either no keys at all, or 1 key in total which is "Inactive", or 2 "Inactive" keys), which means I don't want the filter to include users with 1 Active and 1 Inactive key. Has anyone got a similar setup and solved it?
purushothamkdr143
@purushothamkdr143
Hi All, I am a novice to cloudcustodian, working on a use case where I need to take a snapshot of an ebs volume, then delete the ebs volume after the snapshot is completed. How can I make sure the snapshot is 100 percent complete? Only when the snapshot reaches 100 percent should I delete the volume used for the snapshot. Kindly do the needful.
KVInventoR
@KVInventoR

Hi all,
Is it possible to get multiple metrics for 1 resource? I would like to retrieve multiple metrics for an s3 bucket, like so:

      - type: value
        key: Versioning.Status
        value: Enabled
      - type: value
        key: "Lifecycle.Rules[].NoncurrentVersionExpiration.NoncurrentDays"
        value: absent
        value_type: swap

      - and:
        - type: metrics
          name: BucketSizeBytes
          dimensions:
            StorageType: StandardStorage
          days: 2
          value: 0
          op: gte
          statistics: Maximum

        - type: metrics
          name: BucketSizeBytes
          dimensions:
            StorageType: IntelligentTieringIAStorage
          days: 2
          value: 0
          op: gte
          statistics: Maximum

        - type: metrics
          name: BucketSizeBytes
          dimensions:
            StorageType: IntelligentTieringFAStorage
          days: 2
          value: 0
          op: gte
          statistics: Maximum

But the result of this policy looks like this:

    "c7n:MatchedFilters": [
      "Versioning.Status",
      "Lifecycle.Rules[].NoncurrentVersionExpiration.NoncurrentDays"
    ],
    "c7n.metrics": {
      "AWS/S3.BucketSizeBytes.Maximum": [
        {
          "Timestamp": "2020-09-21T11:48:00+00:00",
          "Maximum": 107114312881.0,
          "Unit": "Bytes"
        }
      ]
    }
  }

and there is no way to recognize which metric was used.
I am working on a CC mail report where I would like to have multiple columns, with each column including the bucket size metric for each storage type.

4 replies
Adiba02
@Adiba02
Hi, I have a policy to delete untagged resources in a region. How do I apply this policy to a specific resource group?
8 replies
Jon Gilmore
@JonGilmore_gitlab
anybody have any idea why this policy to copy-related-tag from AMI > EBS snapshot doesn't work? the custodian run log reports this: Tagged 0 resources from related, missing-skipped 186
---
policies:
  - name: tag-snapshot-from-ami
    resource: ebs-snapshot
    actions:
      - type: copy-related-tag
        resource: ami
        skip_missing: True
        key: "BlockDeviceMappings[].Ebs.SnapshotId"
        tags: "*"
10 replies
Amit Sehgal
@amitsehgal
unable to find an example. Has anyone tried creating a managed config rule using custodian? I can create one managed config rule to check tags on all services; for custodian, I have to check each individual aws service and write a policy for every service. I was wondering if I can add a managed config rule using a custodian policy
2 replies
Amit Sehgal
@amitsehgal
and somehow marry remediation (action part) with managed config rule
Amit Sehgal
@amitsehgal
@kapilt there has always been a question in my mind about monitoring custodian lambdas for errors. I have 70-80 odd accounts where I have deployed custodian policies using c7n-org. Sometimes I don't know if the custodian lambdas have errors, access issues, etc. Is there any built-in alert I can send to slack?
9 replies
pendyalal
@pendyalal
How do I check whether multi-part upload is set or not on an s3 bucket?
4 replies
Gary Baines
@garybaines

I'm trying to do a JMESPath query within a webhook body to pick out individual tag values, like you might do with the CLI with a command like

aws ec2 describe-instances --query 'Reservations[].Instances[].{live:Tags[?Key==`live`].Value}'

Within my webhook policy body, I've tried:

"Live": resource.Tags.[?Key==`live`].Value,

and a few variants with different quotes, but the policy errors when the lambda tries to run it.

Note resource.Tags works to print out all tags, but I just want to print a specific tag.

Does anyone know if custodian supports this sort of query?

6 replies
RaghvendraGit
@RaghvendraGit
I am using a policy for network load balancers, but it seems that it is only working for application load balancers and not for NLBs.
1 reply
here is my policy
policies:
  - name: app-elb-invalid-ciphers
    resource: app-elb
    mode:
      type: periodic
      timeout: 300
      schedule: "cron(0/15 ? )"
      role: arn:aws:iam::{account_id}:role/cloud-custodian
      tags:
        CreatedBy: CloudCustodian
        ModeType: periodic
    filters:
      - or:
        - Type: network
        - Type: application
      - type: listener
        key: Protocol
        value: HTTPS
      - type: listener
        key: sslPolicy
        value: ['ELBSecurityPolicy-TLS-1-1-2017-01','ELBSecurityPolicy-TLS-1-2-2017-01']
        op: ni
        matched: true
    actions:
      - type: notify
Did anyone face a similar issue already?
My custodian version is: 0.9.4
dmlutz2
@dmlutz2
I'm wondering where to find the docs on the policy modifiers like start: and end:
2 replies
Jin
@jinkang23
Hello everyone! New Cloud Custodian user here just getting started. I was hoping someone could help me with a question, or at least point me in the right direction :) I've been testing c7n-org for running my policies using mode: periodic in AWS... and the lambda function it provisions has a "custodian-" prefix in the function name (e.g. custodian-my-policy). Is it possible to provide my own prefix for lambda function names it provisions?
3 replies
Monica
@seemonicago
Is there a way to use the value of the resource ARN currently being evaluated inside the policy? I'd like to dynamically populate this sqs resource policy statement at Lambda run time with the ARN of the SQS queue it's working on.
actions:
  - type: modify-policy
    add-statements: [{
        "Sid": "ReplaceWithMe",
        "Effect": "Allow",
        "Principal": {"AWS": "{account_id}"},
        "Action": ["sqs:GetQueueAttributes"],
        "Resource": "arn:aws:sqs:{region}:{account_id}:{<arn_of_sqs_at_runtime>}"
      }]
    remove-statements: '*'
19 replies
Rafael Barbosa
@rafavinnce
hello @kapilt.
I haven't found much about elasticache. How do I validate that an elasticache cluster has the encryption parameter active = true?
1 reply
Gautami007
@Gautami007
Hello @kapilt, we are trying to configure slack integration for one of our policies; however, we are getting the error below:
botocore.exceptions.ClientError: An error occurred (KMS.AccessDeniedException) when calling the SendMessage operation: null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: b5f4fb9f-7e55-46e9-8a5a-dcc631aa1257; Proxy: null)
2020-09-25 16:18:56,094: custodian.commands:ERROR The following policies had errors while executing
  • s3-deny-public-access-block
10 replies
Could you please help me to resolve this error?
mogmismo
@mogmismo_twitter

I'm having trouble with the AWS common filter reduce, this policy (or even the example policy in the docs),

  - name: aws-maximum-ec2-instances
    resource: aws.ec2
    filters:
      - type: reduce
        group-by: "tag:custodian"
        sort-by: "LaunchTime"
        order: desc
        limit: 10
      - State.Name: running
    actions:
      - terminate

is failing validation with a:

2020-09-25 11:03:12,557: custodian.commands:ERROR 'reduce' is not one of ['event']
Failed validating 'enum' in schema[0]['properties']['type']:
    {'enum': ['event']}
On instance['type']:
    'reduce'

Does anyone have a good example of a working reduce filter, or know what I'm doing incorrectly?

3 replies
13scoobie
@13scoobie_twitter
So I came upon an interesting limitation and I'm hoping someone can help or share ideas of what they have done: we have hit the 300-rule maximum on our default eventbus and so are unable to add any more rules.
6 replies
Gautami007
@Gautami007
Hi @kapilt I am configuring slack notification for my cloud custodian policy and my messages are being sent to the SQS queue, but they are not being delivered to slack.
Could you please help here?
Amit Sehgal
@amitsehgal
has anyone tried the action type: mark-for-op with set-statements as the op?
2 replies
I want to deny access to the bucket after a delayed op. Let me know if you have tried this.
I can definitely tag and filter on dates etc., but would like to do it in a simple, straightforward way if I can.
Christian Yarros
@CYarros10
anyone here who has recently contributed support for a new resource who could give me tips on the process? I am looking to build support for Athena WorkGroups, WAFV2, and Event Bus, for starters. I've gone through the c7n/resources but have questions around detail_spec, enum_spec, etc.
Samarth Shivaramu
@s_samarth03_twitter

I'm working on creating a CC policy for auto tagging AWS resources by retrieving user identities from CloudTrail. I'm seeing the following issue with "aws.glue-workflow", "aws.glue-ml-transform" and "aws.glue-job".

custodian.commands:ERROR invalid policy file: auto-tag-user.yml error: Failed to validate policy glue-job-auto-tag-user 
 Error on policy:glue-job-auto-tag-user resource:glue-job
Additional properties are not allowed ('filters', 'actions' were unexpected)

I've verified that the "auto-tag-user" action is supported in CC for "aws.glue-workflow", "aws.glue-ml-transform" and "aws.glue-job" and the events added in the policy are supported in CloudTrail.

4 replies
nitro
@nitrocode
Problem: I'd like to see all EC2 instances that currently use amzn1 linux
Solution: My AMIs are tagged with type=amzn1 and type=amzn2. I'd like custodian to copy related tags from my AMIs to the EC2s that use those AMIs. Is this possible?
4 replies
jpearsonmv
@jpearsonmv

When using the s3 policy filter "- type: check-public-block", if a single bucket within an Account has a resource policy that includes a DENY statement that prevents access to the IAM Role used with c7n, Custodian bails on the entire Account, even though there are hundreds of buckets that do not include a DENY statement. Is there a way to continue processing and report on all of the buckets, but leave the one that had the Access Denied as an empty column?

c7n_org: WARNING Access denied api: GetPublicAccessBlock ...

When using the same policy without the check-public-block filter, ALL buckets are reported and the ACL + Resource Policy fields are blank for the single bucket that had a DENY statement. I would like to achieve the same result but include the PublicAccessBlock information. With the filter, all buckets in the Account are excluded from the resources.json file.

Praveen M
@praveen8735

Hello @kapilt, we are trying to identify the RDS snapshot count: for each RDS resource, do we have 7 days of snapshots? If not, we are marking it non-compliant. Could you help with that?
I'm using the filter below but am not able to get the snapshot count per resource name.

- type: value
  key: SnapshotCreateTime
  value_type: age
  value: 7
  op: lt

rachgupt
@rachgupt
Hi, does c7n-org support pushing data to blob? I could do it via custodian but am unable to get it working for c7n-org.
Giulio Denardi
@gelouko

Hello!

I'm facing a problem with the sns-subscription filters.
If I filter using an email regex (e.g. for only accepting gmail emails), the following behavior occurs:

I create an SNS Subscription with a hotmail email - it detects the subscription (OK)
Now, within the same SNS topic, if I add a subscription to a gmail email, (and keep the previous one), it won't detect both of the emails.

Example policy:

policies:
  - name: test-sns-subscription
    resource: sns-subscription
    filters:
      - not:
        - type: value
          key: Endpoint
          op: regex
          value: '^.*@(gmail.com)'

Has someone faced that before?

7 replies
veenagurram
@veenagurram
is there a custodian policy to check for dedicated hosts with no running instances?
6 replies