by

Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
  • Jul 03 22:10
    jcderose labeled #5925
  • Jul 03 22:10
    jcderose opened #5925
  • Jul 03 07:21
    endwall labeled #5924
  • Jul 03 07:21
    endwall opened #5924
  • Jul 03 04:26
    tjstansell synchronize #5874
  • Jul 03 00:37
    PratMis labeled #5923
  • Jul 03 00:37
    PratMis opened #5923
  • Jul 02 22:52
  • Jul 02 22:13
    mpradeep23 commented #5921
  • Jul 02 20:51
    wildbinaryforest opened #5922
  • Jul 02 20:51
    wildbinaryforest labeled #5922
  • Jul 02 20:45
    wildbinaryforest commented #5921
  • Jul 02 19:55
    anovis synchronize #5908
  • Jul 02 19:07
    mpradeep23 opened #5921
  • Jul 02 17:54
    kapilt commented #5916
  • Jul 02 17:51
    shivakumar-anandan starred cloud-custodian/cloud-custodian
  • Jul 02 17:29
  • Jul 02 17:16
    tjstansell commented #5874
  • Jul 02 16:19
    tjstansell commented #5874
manitmalik
@manitmalik
Ran into another issue with "config-compliance". Hence kindly share inputs.
Use Case : Get the non compliant resources via config compliance by giving the security hub config rule name rather than using our own filters.
Issue : Resource count of non compliant resources is coming as 0 rather than matching with the security hub
- name: iam-user-remediate-non-compliant
  resource: aws.iam-user
  filters:
  - type: config-compliance
    rules: [securityhub-iam-user-unused-credentials-check-nv6rb]
    states: [NON_COMPLIANT]
11 replies
manitmalik
@manitmalik
image.png
Alicia Steen
@aliciasteen
Has anyone managed to filter SAML Identity Providers? I've found this issue cloud-custodian/cloud-custodian#4871 but was wondering if anyone had a working solution?
wjamka
@wjamka
Hi All, I have simple question regarding mark-for-op, can I create my op name? For example here:
- name: disable-rds-deletion-protection
  resource: rds
  mode:
    role: arn:aws:iam::{account_id}:role/ABCD
    type: periodic
    schedule: "rate(1 day)"
    execution-options:
        output_dir: s3://ABCD
  filters:
    - type: marked-for-op
      op: modify-db
  actions:
    - type: modify-db
      update:
        - property: 'DeletionProtection'
          value: false
        - property: 'PubliclyAccessible'
          value: false
1 reply
Srinivas Krishna
@srini_krishna_twitter
hello, I want to create the custodian policy to get the rds properties and see if the 'EnabledCloudwatchLogsExports': [
'string',
], is enabled or not. anybody have already done this , any help in the policy please?
Kapil Thangavelu
@kapilt
@srini_krishna_twitter the value filter allows for rich comparisions with any resource attribute
3 replies
fakiestyle
@fakiestyle
Hello, I have a couple of questions:
Does c7n-org module support gcp.audit mode policies? I want to try some gcp.audit polices in such way that Custodian's Cloud Function could watch events in other projects from same organization. Is it possible?
Kapil Thangavelu
@kapilt
@fakiestyle you don't need c7n-org for that, you just run c7n in the centralized project, c7n-org is for parallel fan out execution
11 replies
fakiestyle
@fakiestyle
policies:
  - name: no_ssh_from_internet
    resource: gcp.firewall
    mode:
      type: gcp-audit
      methods:
        - v1.compute.firewalls.insert
        - v1.compute.firewalls.patch
    filters:
      - type: value
        key: allowed[?IPProtocol=='tcp'].ports[]
        value: "22"
        op: contains
      - or:
        - type: value
          key: "sourceRanges | {range: join(', ', @)}.range"
          value: 0.0.0.0
          op: contains
        - type: value
          key: "sourceRanges | {range: join(', ', @)}.range"
          value: /0
          op: contains
    actions:
      - type: notify
        subject: no_ssh_from_internet
        to:
          - test@test.com
        format: json
        transport:
          type: pubsub
          topic: projects/root-cortex-265110/topics/custodian
how to set multiple projects logs subscriber?
Edward Moon
@edwardmoon

Is there a way in Cloud Custodian to detect public EBS snapshots?

I created a test EBS snapshot and set it to public. When I ran a custodian script to generate EBS schema, I didn't find anything in the schema that the snapshot was public.

Kapil Thangavelu
@kapilt
@edwardmoon cross-account filter
manitmalik
@manitmalik
This message was deleted
1 reply
manitmalik
@manitmalik
thought to share in case someone is also trying to get the results of the security hub findings compliance failures
policies:
  - name: Security Hub Non compliant resources
    resource: aws.iam-user
    filters:
        - type: finding
          query:
            ComplianceStatus:
                - Comparison: EQUALS
                  Value: FAILED
            Title:
                - Comparison: EQUALS
                  Value: "1.4 Ensure access keys are rotated every 90 days or less"
            RecordState:
                - Comparison: EQUALS
                  Value: ACTIVE
Edward Moon
@edwardmoon
@kapilt Can you give more details on "cross-account filter"? the only reference to account_id i found was in the advanced usage section which i don't think applies
6 replies
Jorge Bianquetti
@jbianquetti-nami
Hello team! We're heavy users of CloudCustodian in several cloud providers and I'm in love with it: great job! We want to consolidate all our garbage collection actions using it, but we lack Kubernetes support which is marked as Not Ready yet. Do we have an ETA for that? How can I help with that since there's little information on this?
8 replies
Gautami Kher
@gautamikhervista_gitlab
Hello Team, I am using cloud custodian for sending email using sqs as transport. I dont want to use the default template for email but to utilize my own template. However, while running command "c7n-mailer --run -c mailer.yml" I am getting following error;
error: An error occurred (InvalidParameterValue) when calling the SendRawEmail operation: Missing '"'
Can you please help me with same?
4 replies
Amarankit Srivastava
@amarankit-srivastava

Hello Team, Delete with additional options is supported for IAM users but not for Roles and Grps? ``` actions:

  - type: delete
    options:
      - inline-user-policies

```

Jamison Roberts
@jtroberts83
Hi @kapilt I see that version 9.2.0 is supposed to have tag support for codecommit and codepipeline but those don't show up in the schema as an option in 0.9.2.0
4 replies
Fidel Rodriguez
@fidelito

Is anyone having this error for vpc flow logs using s3 buckets? 2020-05-27 18:24:02,273: custodian.output:ERROR Error while executing policy
14:24:02 Traceback (most recent call last):
14:24:02 File "/usr/local/lib/python3.7/site-packages/c7n/policy.py", line 291, in run
14:24:02 resources = self.policy.resource_manager.resources()
14:24:02 File "/usr/local/lib/python3.7/site-packages/c7n/query.py", line 466, in resources
14:24:02 resources = self.filter_resources(resources)
14:24:02 File "/usr/local/lib/python3.7/site-packages/c7n/manager.py", line 109, in filter_resources
14:24:02 resources = f.process(resources, event)
14:24:02 File "/usr/local/lib/python3.7/site-packages/c7n/filters/core.py", line 299, in process
14:24:02 return self.process_set(resources, event)
14:24:02 File "/usr/local/lib/python3.7/site-packages/c7n/filters/core.py", line 318, in process_set
14:24:02 resources = f.process(resources, event)
14:24:02 File "/usr/local/lib/python3.7/site-packages/c7n/resources/vpc.py", line 149, in process
14:24:02 fl['LogDestination'], destination)
14:24:02 KeyError: 'LogDestination'

```
policies:

  • name: vpc-flowlog-enable-s3-test-GovCloud
    resource: vpc
    filters:
    - not:
      - type: flow-logs
        enabled: true
        set-op: or
        op: equal
        traffic-type: all
        status: active
        destination: vpcflow-govcloud
2 replies
custodian version is 0.9.1
Todd Stansell
@tjstansell
@kapilt is the github CI environment broken? PRs don't seem to be able to run tests...
4 replies
Michael Nguyen
@micnguyen266

Hello, it seems I'm having trouble with this variable {account_id}. I'm running it on docker with version 0.8.46.0. Here is my policy, mailer.yml and output. I did a dryrun where it runs custodian and the mailer. Any ideas why I'm getting this error? botocore.exceptions.ClientError: An error occurred (InvalidAddress) when calling the ReceiveMessage operation: The address https://queue.amazonaws.com/ is not valid for this endpoint.

policies:
  - name: ec2-tag-compliance-notify-only
    resource: ec2
    description: |
       Scan EC2 resources that do not meet tag compliance policies.
    filters:
      - type: value
        key: "State.Name"
        op: ni
        value: ['terminated']
      - or: *tag-compliance-filters
    actions:
      - type: notify
        template: general_template.html
        priority_header: 2
        subject: "Enterprise Tagging - {{ policy['resource'] }} Compliance Report! [{{ account }} - {{ region }}] ***TEST EMAIL***"
        violation_desc: "is not tag compliant. Please see Cheat Sheet Link below and fix your tags!"
        action_desc: |
          resource out of compliance. Informational only. No marking, stopping or deleting of resources.
        to:
          - test@example.com
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/{account_id}/cloud-custodian-mailer

mailer.yml

queue_url: https://sqs.us-east-1.amazonaws.com/{account_id}/cloud-custodian-mailer
role: arn:aws:iam::{account_id}:role/cloud-custodian
from_address: test@example.com

Output:

2020-05-27 22:47:17,807: custodian.policy:INFO policy:ec2-tag-compliance-notify-only resource:ec2 region:ap-northeast-1 count:349 time:4.05
2020-05-27 22:47:19,742: custodian.policy:INFO policy:ec2-tag-compliance-notify-only resource:ec2 region:ap-southeast-2 count:31 time:1.84
2020-05-27 22:47:24,625: custodian.policy:INFO policy:ec2-tag-compliance-notify-only resource:ec2 region:eu-central-1 count:64 time:4.86
2020-05-27 22:47:30,105: custodian.policy:INFO policy:ec2-tag-compliance-notify-only resource:ec2 region:us-east-1 count:167 time:5.45
2020-05-27 22:47:34,732: custodian.policy:INFO policy:ec2-tag-compliance-notify-only resource:ec2 region:us-east-2 count:187 time:4.57
2020-05-27 22:47:35,449 - custodian-mailer - INFO - Downloading messages from the SQS queue.
Traceback (most recent call last):
  File "/usr/local/bin/c7n-mailer", line 11, in <module>
    load_entry_point('c7n-mailer==0.5.7', 'console_scripts', 'c7n-mailer')()
  File "/usr/local/lib/python3.8/site-packages/c7n_mailer-0.5.7-py3.8.egg/c7n_mailer/cli.py", line 253, in main
    processor.run()
  File "/usr/local/lib/python3.8/site-packages/c7n_mailer-0.5.7-py3.8.egg/c7n_mailer/sqs_queue_processor.py", line 117, in run
    for sqs_message in sqs_messages:
  File "/usr/local/lib/python3.8/site-packages/c7n_mailer-0.5.7-py3.8.egg/c7n_mailer/sqs_queue_processor.py", line 54, in __next__
    response = self.aws_sqs.receive_message(
  File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidAddress) when calling the ReceiveMessage operation: The address https://queue.amazonaws.com/ is not valid for this endpoint.
make: *** [cust-dryrun-report-prod] Error 1

When I hardcode the account number it works.

5 replies
Amarankit Srivastava
@amarankit-srivastava
Hello team, @kapilt @jtroberts83 , any advice on how to approach (to modify codes) to achieve "Action: Detach the policies from identity: role, user, group whenever policies has <service>:?? and effect: allow, without considering resource (resource: or resource:<S3 arn>) except for Get, Describe, List* in allow block in IAM Policies​"? Many thanks
3 replies
fakiestyle
@fakiestyle
@kapilt , the last release where gcp-audit mode is working is 0.8.46.1. Any higher version - resource not loaded in traceback of cloud function with any resource.
5 replies
KVInventoR
@KVInventoR

Hi all,
Does anyone used CC for select all s3 buckets which have turned on Versioning and don't have policy to delete old versions
I tried to write some filter like:

    filters:
      - type: value
        key: Versioning.Status
        value: Enabled
      - type: value
        key: Lifecycle.Rules[].NoncurrentVersionExpiration.NoncurrentDays
        value: absent
        op: not-in

but my filter looks wrong,
how it possible to write a correct filter?

ndesai15
@ndesai15
Is there anyway I can tell to custodian report command to extract out specific fields from output of "resources.json" instead default fields for a particular resource?
2 replies
Brian Bohrer
@BrianBohrer
With regards to Cloud Custodian Security Group Policies, is it feasible to enforce that every ingress rule must specify a port or ports? Ingress rule created with 'all' ports would be remediated basically. Thanks!
2 replies
tomarv2
@tomarv2
i am putting a policy that will look for tag: DeleteAfter: MM-DD-YY I thought I can do mark-for-op but that does seem to solve the problem, any suggestion?
3 replies
Gautami Kher
@gautamikhervista_gitlab
Hi Team, Is there any policy for aws S3 bucket to encrypt specific bucket? and not entire buckets in region
Jason Terlecki
@jterlecki_gitlab

When I run this policy

policies:
  - name: auto-clean-security-groups-egress
    resource: security-group
    description: |
      Remove security group internet egress at creation
    mode:
        type: cloudtrail
        role: arn:aws:iam::{account_id}:role/Vid-CloudCustodianClientRole
        events:
          - source: ec2.amazonaws.com
            event: CreateSecurityGroup
            ids: "responseElements.groupId"
        tags:
            Name: "auto-clean-security-groups-remediate-egress"
            supportgroup: "CLOUD"
            service: "CloudCustodian"
            costcenter: "{varcostcenter}"
            projectcode: "{varprojectcode}"
    actions:
      - type: set-permissions
        remove-egress:
          - IpProtocol: "-1"
            Cidr: "0.0.0.0/0"

I get the following error:
botocore.exceptions.ParamValidationError: Parameter validation failed:
Unknown parameter in IpPermissions[0]: "Cidr", must be one of: FromPort, IpProtocol, IpRanges, Ipv6Ranges, PrefixListIds, ToPort, UserIdGroupPairs

Jason Terlecki
@jterlecki_gitlab
should I be using something like this instead?
  IpRanges:
    - CidrIp: "0.0.0.0/0"
Kapil Thangavelu
@kapilt
@jterlecki_gitlab its a straight pass through so its the same parameters that you pass to the cli/api for removing an egress permission
KISStian
@KISStian
I'm looking to have VPC flow logs from a large number of accounts directed to a centralized logging account. I noticed that c7n-log-exporter supports kinesis for realtime export. However, I didn't see any documentation regarding how this can be implemented. Is there something out there that I can review to understand how this can best be setup?
Kapil Thangavelu
@kapilt
you use a custodian policy to ensure all vpcs have flow logs set to a known cloud watch log group.. and then you use tools/c7n_log_exporter to send the log groups to a centralized kinesis destination, and optionally to archive them to s3
Giulio Denardi
@gelouko
Hi!
I was wondering: is there currently a built-in way of adding a default action for all policies?
e.g regardless of policy, I'd like to add the same notify action. So I could use a default action for that, and write it just in one place
4 replies
pendyalal
@pendyalal
Hi all, for a security group, if the CIDR is 0.0.0.0/0 for type: ingress, then in the actions set-permissions can we do SelfReference the group in the custodian policy?
7 replies
Ty Segall
@tysegall
Hi all. One of the security peeps on my team asked about a check for the "Instance Metadata Service Version" since it was part of the Capital One hack. Doing a quick grep on the IP address "169.254.169.254" yielded a few hits. I'm not finding a whole lot; just wanted to make sure a check for Instance Metadata Service Version 1 vs 2 isn't already out there. :)
26 replies
Should say, grep on the Cloud Custodian source
aakshaik2
@aakifshaikh
@kapilt - Is there a way we can identify the sub-domains that are stale and not used for long time
3 replies
pendyalal
@pendyalal
Can we pass filtered security group Id in actions?
3 replies
orangutang
@orangutang
Hey all, has anyone used Athena with c7n-org generated resources.json files? The file begins with a [ and Athena is expecting { it would seem. I'd like to avoid writing a lambda if possible.
1 reply
fakiestyle
@fakiestyle
@kapilt I fixed ./c7n_gcp/resources/function.py for gcp-audit mode. Place {region} instead {location_id} in static method.
5 replies
fakiestyle
@fakiestyle
and in what file should I set scope: folder and scope_id: folder_id for multi project gcp-audit ?
2 replies
pendyalal
@pendyalal
@jtroberts83/@kapilt, Need help with the following policy. In the policy below how do I replace GroupId(whatever sg's are filtered need to replace) in actions?
policies:
     - name: default-sgs
       resource: aws.security-group
       filters:
         - type: value
           key: GroupName
           value: default
           op: eq
         - type: ingress
           IpProtocol: "-1"
           IpRanges:
             - CidrIp: "0.0.0.0/0"
       actions:
         - type: set-permissions
           remove-ingress: matched
           add-ingress:
             -  IpPermissions:
                 -
                   FromPort: -1
                   IpProtocol: "-1"
                   ToPort: -1
                   UserIdGroupPairs:
                       - GroupId: '{ GroupId }'
5 replies
mogmismo
@mogmismo_twitter
Curious on how to make a compound AND filter on a aws.ec2 that verifies that the AWS account (I'm using c7n-org) has a particular tag and the instance has a particular age. Can you filter on mulitple resources, and perform an action on just one?
10 replies
Mike
@mikejgray
Hey all, I'm seeing some unexpected behavior with mugc. I've changed a bunch of policies from periodic mode to pull mode and it looks like mugc isn't cleaning up the Lambdas. Is that expected? If so, is there a flag or something I can add to have it clean up the now-outdated Lambdas? TIA!
4 replies
Dan Parsons
@danparsons
Is there a way via c7n-org and c7n-mailer to specify a different email address per aws account for the reports to go to?