Kapil Thangavelu
@kapilt
the templates have the full resource and policy content, and annotations for keys matched by value filters
Michael Nguyen
@micnguyen266
@kapilt I've tried looking and couldn't find it... is there a doc or link you can provide?
1 reply
pendyalal
@pendyalal
@kapilt, so when enabling default-encryption for EBS in an account I'm getting this error.
filters:
  - type: default-ebs-encryption
    key: "alias/aws/ebs"
    state: true
actions:
  - type: set-ebs-encryption
    state: true
    key: alias/Standard-Key
41 replies
Jamison Roberts
@jtroberts83
I submitted a Feature Request to be able to check lambda function resources policies to verify if there are function triggers present and active - cloud-custodian/cloud-custodian#5755 (related to an issue)
Gautami007
@Gautami007

Hello Team,

Is it at all possible to filter by CloudTrail metadata?

I am figuring out how to set a policy that will

  1. Detect AWS resources that were created manually on the web console
  2. Automatically add the below tags to the resource
    a. Owner - should pick up the value automatically ("type: auto-tag-user")
    b. LastModified - should pick up the value automatically ("type: auto-tag-user")
  3. Also, if someone updates/modifies the configuration of any resource, for example a security group inbound/outbound rule, then it will only update tag b, "LastModified".
4 replies
Anders
@staticaland
In run_account_script used in the c7n-org run-script command, would it be possible to include the account name in the env variables? Like just adding env.update({"AWS_ACCOUNT_NAME": account.get("name")}) or something like that
Ravindra babu
@Ravindrababu99_twitter
@all How to filter IAM roles defined for the EC2 service (ec2.amazonaws.com in trusted entity)?
Ravindra babu
@Ravindrababu99_twitter
I am not able to filter roles that have ec2.amazonaws.com in trusted entities with the below filter, not sure where I am wrong as I am unable to filter the desired roles.
- type: value
  key: AssumeRolePolicyDocument.Statement[].Principal.Service
  op: regex
  value: ^ec2.*
Ravindra babu
@Ravindrababu99_twitter

@kapilt can you please help with how to filter roles that have only the ec2 service in the trusted entity? "type: used" filters all the roles that have Lambda, EC2 and ECS services in trusted entities.

policies:
  - name: iam-role-InUse-and-have-no-ssmmanaged-notify
    resource: iam-role
    mode:
      type: periodic
      role: arn:aws:iam::account-name:role/role-name
      schedule: "cron(21 6 ? *)"
    filters:
      - type: used
        state: true
      - type: no-specific-managed-policy
        value: AmazonSSMManagedInstanceCore
      - type: value
        key: AssumeRolePolicyDocument.Statement[].Principal.Service
        op: in
        value:
          - ec2.amazonaws.com
    actions:
      - type: notify
Gautami007
@Gautami007
Hi Team, I am performing the following action on my security group, which should ensure that whenever someone modifies the configuration, the "last modified time" tag is updated accordingly, but the time is not updating.
- type: tag
  key: LastModifiedTime
  value: '{now} UTC'
7 replies
pendyalal
@pendyalal
hi all, while validating the policy, we should also validate whether the policy has both a schedule and an event pattern in the rule. If they both exist then it shouldn't pass validation.
Ravindra babu
@Ravindrababu99_twitter

@jtroberts83 can you please help with how to filter roles that have only the ec2 service in the trusted entity? "type: used" filters all the roles that have Lambda, EC2 and ECS services in trusted entities.

policies:
  - name: iam-role-InUse-and-have-no-ssmmanaged-notify
    resource: iam-role
    mode:
      type: periodic
      role: arn:aws:iam::account-name:role/role-name
      schedule: "cron(21 6 ? *)"
    filters:
      - type: used
        state: true
      - type: no-specific-managed-policy
        value: AmazonSSMManagedInstanceCore
      - type: value
        key: AssumeRolePolicyDocument.Statement[].Principal.Service
        op: in
        value:
          - ec2.amazonaws.com
    actions:
      - type: notify

5 replies
mohinder6
@mohinder6
Hello. Does ECS services support offhours like we have for ec2? https://cloudcustodian.io/docs/aws/examples/offhours.html#scheduleparser-time-specifications
2 replies
Morgan McEntire
@mmcenti
Does aws.iam-role.actions.set-policy support dynamic IAM policy names? Looks like no but I could be missing something. I am trying to create a custodian policy to make sure an IAM role is unable to be modified and should therefore detach any IAM policies attached to it
14 replies
satvan23
@satvan23
Guys. So we have AWS only and were running c7n-org with no issues. But after a yum update, it asks for c7n-azure/c7n-gcp?
4 replies
Dan Parsons
@danparsons
Hey everyone! I've got a single c7n policy here that, when I run c7n-mailer on the entries in SQS, sends 2 emails for the 1 policy. Is there any way to control that? I'd prefer it all be in one email.
In case it matters, the policy in question is simple, it's just looking for 0.0.0.0/0 or ::/0 in security groups
Maybe it's trying to avoid sending emails above a certain size?
Dan Parsons
@danparsons
Log looks like this:
2020-05-13 21:19:31,503 - custodian-mailer - INFO - Downloading messages from the SQS queue.
2020-05-13 21:19:33,088 - custodian-mailer - INFO - Sending account:xxxx-team-se policy:wide-open-sg security-group:35 email:default1.html to ['foo@xxxx3.com']
2020-05-13 21:19:34,750 - custodian-mailer - INFO - Sending account:xxxx-team-se policy:wide-open-sg security-group:250 email:default1.html to ['foo@xxxx3.com']
9 replies
brunoeustaquio
@brunoeustaquio

Hey guys, I'm just starting with c7n. Ran a few simple policies locally on my machine and now want to build a PoC for the company. I have two questions:

1 - I ran locally following the example using STS credentials, but I want to use roles on AWS. Reading the documentation it's supported (https://cloudcustodian.io/docs/deployment.html#iam-setup) but I'm getting PermissionError: [Errno 13] Permission denied all the way. I added a role to the server giving read and list on all EC2, and the policy is super simple, it just checks if there are servers in regions where they aren't supposed to be:

  - name: ec2-invalid-regions
    resource: aws.ec2
    filters:
      - not:
        - type: value
          key: Placement.AvailabilityZone
          value: ap-southeast-2
          op: contains

Do I need to specify some specific flag when using roles instead of credentials?

2 - I see c7n can provision lambdas to execute some actions, but can c7n itself run from a lambda?

thanks!

13 replies
Amarankit Srivastava
@amarankit-srivastava

Hello experts, I have the simple policies below and they are working for a set of pre-created users BUT weirdly not working for a new user I created... any expert comments here?

Working for (1):

filters:
  - type: value
    key: UserName
    value: "sys_admin"
    op: eq
  - type: credential
    key: mfa_active
    value: false

Got result:

[
  {
    "Path": "/",
    "UserName": "sys_admin",
    "UserId": "xxxxxxxxxx",
    "Arn": "arn:aws:iam::xxxxxxxxx:user/sys_admin",
    "CreateDate": "2018-03-10T21:01:09+00:00",
    "PasswordLastUsed": "2018-03-17T10:46:05+00:00",
    "c7n:MatchedFilters": [
      "UserName"
    ],
    "c7n:credential-report": {
      "user": "sys_admin",
      "arn": "arn:aws:iam::xxxxxxxxx:user/sys_admin",
      "user_creation_time": "2018-03-10T21:01:09+00:00",
      "password_enabled": true,
      "password_last_used": "2018-03-17T10:46:05+00:00",
      "password_last_changed": "2018-03-17T10:45:39+00:00",
      "password_next_rotation": "2018-06-15T10:45:39+00:00",
      "mfa_active": false,
      "access_keys": [
        {
          "active": true,
          "last_rotated": "2018-03-10T21:01:11+00:00",
          "last_used_date": null,
          "last_used_region": null,
          "last_used_service": null
        }
      ]
    }
  }
]

Not working for (2):

filters:
  - type: value
    key: UserName
    value: "sys_abc"
    op: eq
  - type: credential
    key: mfa_active
    value: false

Got result as: [] ------ AND it is only working when I am filtering ONLY with 'UserName' (i.e. after removing the 'credential' filter, and in that case it of course doesn't show "c7n:credential-report" in the output).

11 replies
pendyalal
@pendyalal
@kapilt, enabling encryption for new S3 buckets, especially if, say, I create-bucket, Custodian looks and doesn't see encryption while at the same time I'm executing a put-encryption with a KMS key and Custodian overwrites that with . How can we solve this?
6 replies
DigeratiDad
@digeratidad
Hey everyone. Is there a way to update policies or do you just have to delete them and re-deploy? I don't see a --update flag so I assume I can't update an existing policy but just want to make sure.
11 replies
manitmalik
@manitmalik
Is there a way to parameterize values in custodian policy ?
18 replies
DigeratiDad
@digeratidad
Hello, does anyone have a good example of an auto-tag-user policy for EBS volumes? Mine is not working. I keep getting "event ids not resolved" in my CloudWatch logs. Here is my policy:
policies:
  - name: ebs-auto-tag-creator
    resource: ec2
    mode:
      type: cloudtrail
      role: arn:aws:iam::{account_id}:role/CloudEng-Cloud_Custodian
      events:
        - source: ec2.amazonaws.com
          event: CreateVolume
          ids: "requestParameters.volumeId"
    filters:
      - "tag:Creator": absent
    actions:
      - type: auto-tag-user
        tag: Creator
10 replies
I've also tried ids: "responseElements.volumeId" and got the same error.
DigeratiDad
@digeratidad
Here is the exact error I'm seeing:
error:An error occurred (InvalidInstanceID.Malformed) when calling the DescribeInstances operation:
3 replies
KVInventoR
@KVInventoR
Hi All,
@kapilt
Do you have any example to filter all aws managed policies for iam role?
probably filter by arn: arn:aws:iam::aws:policy/aws-service-role/*.
Mike
@mikejgray
How do I disable the caching on a c7n-org report? I see a --cache-path parameter but I'm not clear on how it works or what it's doing.
23 replies
Allison D
@allisonis
I noticed recently that c7n_gcp enable flow logs is not enabling flow logs for a particular region.
24 replies
Any thoughts on where to look for how subnet resources are iterated over per region?
DigeratiDad
@digeratidad
Has anyone seen this issue before with ELB
[WARNING]    2020-05-14T21:43:54.197Z    da8bfff2-799d-453c-8e82-313b6edd3046    event ids not resolved: ['arn:aws:elasticloadbalancing:us-west-2:########:loadbalancer/app/cctagtesting/0ae4bc40b82b22c9'] error:An error occurred (ValidationError) when calling the DescribeLoadBalancers operation: LoadBalancer name cannot be longer than 32 characters
Here is my policy:
policies:
  - name: elb-classic-auto-tag-creator
    resource: elb
    mode:
      type: cloudtrail
      role: arn:aws:iam::{account_id}:role/CloudEng-Cloud_Custodian
      events:
        - source: elasticloadbalancing.amazonaws.com
          event: CreateLoadBalancer
          ids: "responseElements.loadBalancers[].loadBalancerArn"
    filters:
      - "tag:Creator": absent
    actions:
      - type: auto-tag-user
        tag: Creator
29 replies
Ravindra babu
@Ravindrababu99_twitter
@jtroberts83 Hi, old custodian mail alerts are also getting delivered after upgrading the mailer to 3.7 from the old 2.7 version with a new msg-template. I've been using the same sqs-mailer, so can you help me understand why I am getting older msgs delivered now and how I can stop that?
6 replies
Ravindra babu
@Ravindrababu99_twitter
@jtroberts83 getting below error in cloudwatch logs, assuming because of this mails are getting re-delivered.
error: An error occurred (InvalidParameterValue) when calling the SendRawEmail operation: Missing final '@domain'
1 reply
satvan23
@satvan23

@satvan23 It could look something like this:

- name: ec2-using-unapproved-ami
  resource: ec2
  filters:
    - type: value
      key: "ImageId"
      op: not-in
      value_from:
        url: s3://yours3bucket/ApprovedAMIs.csv
        format: csv2dict

@jtroberts83 Thanks !

1 reply
Mike
@mikejgray
Hey folks, I'm becoming enamored of this c7n-org report functionality...can it read from S3 logs directly? They're in a different tree structure than local logs so wondering if it does that
2 replies
amolkk1980
@amolkk1980_twitter
Hi Guys.. I have a question. Can Cloud Custodian be configured/supported with Oracle OCI?
2 replies
Alicia Steen
@aliciasteen
Hi, does the flag --region all work, I have tried to use it but come across the error botocore.exceptions.NoRegionError: You must specify a region.
10 replies
Ravindra babu
@Ravindrababu99_twitter

@kapilt, while three different custodian policies are triggered on a CloudTrail (CreateBucket) event to add tags, I'm getting the below error in one of the policies while defining the mark-for-op tag. Due to this, the mailer is not sending bucket information in the alert... Can you please help with how to overcome this?

"errorMessage": "A conflicting conditional operation is currently in progress against this resource. Please try again."

7 replies
KVInventoR
@KVInventoR

How does the or operator work?
Hi all, I tried running CC in cloudtrail mode and creating a simple filter. I would like to filter any ec2 from elasticmapreduce, datapipeline, or if the ec2 has a specific tag.
But I got many reports with ec2 instances which were part of an EMR cluster.
I checked the events in the CloudWatch logs for the lambda ec2_tags_validate_mode_cloudtrail:

        "eventTime": "2020-05-18T19:00:34Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "elasticmapreduce.amazonaws.com",
        "userAgent": "elasticmapreduce.amazonaws.com",

So it looks like something is wrong with my filter, or CC just ignored the filters section.

policies:
  - name: ec2_tags_validate_mode_cloudtrail
    resource: ec2
    description: |
      EC2 validate tags on new started instances.
    mode:
      type: cloudtrail
      role: *lambda_role
      events:
        - RunInstances
      tags:
        Name: *lambda_name
        Team: "TEAMNAME"
    filters:
      - or:
        - "tag:TestTag": absent
        - type: event
          key: sourceIPAddress
          op: ne
          value: "elasticmapreduce.amazonaws.com"
        - type: event
          key: sourceIPAddress
          op: ne
          value: "datapipeline.amazonaws.com"

    actions:
      - <<: *notify-var
        subject: "CControl - EC2:TAGS validation in cloudtrail mode"

Could you please help to find, what can be wrong?

7 replies
aakshaik2
@aakifshaikh
what filter should I use to check on unencrypted snapshots:
type: value
key: Snapshots.Encrypted
value: false
4 replies
Dan Parsons
@danparsons
Who here actually uses c7n-org? Care to answer a few questions for me? Like how am I supposed to give it an AWS_SESSION_TOKEN env var? To my knowledge, you only get an AWS_SESSION_TOKEN when you do an sts:AssumeRole, however c7n-org itself is going to be doing sts:AssumeRole to get into all my accounts.... so I can't feed it creds to start with (to then access all accounts) because all I have are the access key and secret key for the top level c7n account.
46 replies
Eri Wahyudi
@ewahyudi_gitlab
Greetings all! Cloud-Custodian newbie here; I'm starting out with a simple script to apply a simple tag key/value pair. I'm trying to add a tag value in JSON format as follows:
{"tz": "US/Eastern", "sched": "2-6:0800-1730"}, so far I have added single quotes like so -
- type: tag
  key: EC2_Start_Stop
  value: '{"tz": "US/Eastern", "schedule": "2-6:0800-1730"}'
When I ran the "custodian validate script.yml" command, this returned INFO Configuration valid, but when I tried running it, it failed. Does anyone have any insight into what in the syntax may be wrong?
14 replies
tomarv2
@tomarv2
I am trying to find unused VPCs. As a VPC can have many resources, any suggestion? Look for unused ENIs and then find the VPC?
8 replies
Jamison Roberts
@jtroberts83
This message was deleted
3 replies
Jamison Roberts
@jtroberts83
Question - When should I expect the Lambda policy functions 'LastModified' date to change? Should that be updated each time I deploy the lambda based policy or only when something changes? I see most of my custodian lambda functions LastModified date gets updated daily but then some lambda policy functions are showing as last modified several days or months ago. Is that to be expected??
4 replies
Barak Schoster Goihman
@schosterbarak
Question - I want to use c7n-org. I see it can take a role as a parameter for cross-account access. Can it take an external id too?
1 reply
Kapil Thangavelu
@kapilt
fwiw, there's a proposal up for being able to use custodian policies on iaac assets (terraform, cfn) in DevOps pipelines, comments welcome cloud-custodian/cloud-custodian#5782
1 reply