Rules engine for AWS management, DSL in yaml for query, filter, and actions on resources
```yaml
policies:
  - name: Security Hub Non compliant resources
    resource: aws.iam-user
    filters:
      - type: finding
        query:
          ComplianceStatus:
            - Comparison: EQUALS
              Value: FAILED
          Title:
            - Comparison: EQUALS
              Value: "1.4 Ensure access keys are rotated every 90 days or less"
          RecordState:
            - Comparison: EQUALS
              Value: ACTIVE
```
Is anyone having this error for vpc flow logs using s3 buckets?

```
2020-05-27 18:24:02,273: custodian.output:ERROR Error while executing policy
14:24:02 Traceback (most recent call last):
14:24:02   File "/usr/local/lib/python3.7/site-packages/c7n/policy.py", line 291, in run
14:24:02     resources = self.policy.resource_manager.resources()
14:24:02   File "/usr/local/lib/python3.7/site-packages/c7n/query.py", line 466, in resources
14:24:02     resources = self.filter_resources(resources)
14:24:02   File "/usr/local/lib/python3.7/site-packages/c7n/manager.py", line 109, in filter_resources
14:24:02     resources = f.process(resources, event)
14:24:02   File "/usr/local/lib/python3.7/site-packages/c7n/filters/core.py", line 299, in process
14:24:02     return self.process_set(resources, event)
14:24:02   File "/usr/local/lib/python3.7/site-packages/c7n/filters/core.py", line 318, in process_set
14:24:02     resources = f.process(resources, event)
14:24:02   File "/usr/local/lib/python3.7/site-packages/c7n/resources/vpc.py", line 149, in process
14:24:02     fl['LogDestination'], destination)
14:24:02 KeyError: 'LogDestination'
```

```yaml
policies:
  - not:
      - type: flow-logs
        enabled: true
        set-op: or
        op: equal
        traffic-type: all
        status: active
        destination: vpcflow-govcloud
```
Hello, it seems I'm having trouble with this variable `{account_id}`. I'm running it on docker with version 0.8.46.0. Here is my policy, mailer.yml and output. I did a dryrun where it runs custodian and the mailer. Any ideas why I'm getting this error? `botocore.exceptions.ClientError: An error occurred (InvalidAddress) when calling the ReceiveMessage operation: The address https://queue.amazonaws.com/ is not valid for this endpoint.`

```yaml
policies:
  - name: ec2-tag-compliance-notify-only
    resource: ec2
    description: |
      Scan EC2 resources that do not meet tag compliance policies.
    filters:
      - type: value
        key: "State.Name"
        op: ni
        value: ['terminated']
      - or: *tag-compliance-filters
    actions:
      - type: notify
        template: general_template.html
        priority_header: 2
        subject: "Enterprise Tagging - {{ policy['resource'] }} Compliance Report! [{{ account }} - {{ region }}] ***TEST EMAIL***"
        violation_desc: "is not tag compliant. Please see Cheat Sheet Link below and fix your tags!"
        action_desc: |
          resource out of compliance. Informational only. No marking, stopping or deleting of resources.
        to:
          - test@example.com
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/{account_id}/cloud-custodian-mailer
```

mailer.yml

```yaml
queue_url: https://sqs.us-east-1.amazonaws.com/{account_id}/cloud-custodian-mailer
role: arn:aws:iam::{account_id}:role/cloud-custodian
from_address: test@example.com
```

Output:

```
2020-05-27 22:47:17,807: custodian.policy:INFO policy:ec2-tag-compliance-notify-only resource:ec2 region:ap-northeast-1 count:349 time:4.05
2020-05-27 22:47:19,742: custodian.policy:INFO policy:ec2-tag-compliance-notify-only resource:ec2 region:ap-southeast-2 count:31 time:1.84
2020-05-27 22:47:24,625: custodian.policy:INFO policy:ec2-tag-compliance-notify-only resource:ec2 region:eu-central-1 count:64 time:4.86
2020-05-27 22:47:30,105: custodian.policy:INFO policy:ec2-tag-compliance-notify-only resource:ec2 region:us-east-1 count:167 time:5.45
2020-05-27 22:47:34,732: custodian.policy:INFO policy:ec2-tag-compliance-notify-only resource:ec2 region:us-east-2 count:187 time:4.57
2020-05-27 22:47:35,449 - custodian-mailer - INFO - Downloading messages from the SQS queue.
Traceback (most recent call last):
  File "/usr/local/bin/c7n-mailer", line 11, in <module>
    load_entry_point('c7n-mailer==0.5.7', 'console_scripts', 'c7n-mailer')()
  File "/usr/local/lib/python3.8/site-packages/c7n_mailer-0.5.7-py3.8.egg/c7n_mailer/cli.py", line 253, in main
    processor.run()
  File "/usr/local/lib/python3.8/site-packages/c7n_mailer-0.5.7-py3.8.egg/c7n_mailer/sqs_queue_processor.py", line 117, in run
    for sqs_message in sqs_messages:
  File "/usr/local/lib/python3.8/site-packages/c7n_mailer-0.5.7-py3.8.egg/c7n_mailer/sqs_queue_processor.py", line 54, in __next__
    response = self.aws_sqs.receive_message(
  File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidAddress) when calling the ReceiveMessage operation: The address https://queue.amazonaws.com/ is not valid for this endpoint.
make: *** [cust-dryrun-report-prod] Error 1
```

When I hardcode the account number it works.
Hi all,
Has anyone used CC to select all S3 buckets which have Versioning turned on and don't have a policy to delete old versions?
I tried to write a filter like:

```yaml
filters:
  - type: value
    key: Versioning.Status
    value: Enabled
  - type: value
    key: Lifecycle.Rules[].NoncurrentVersionExpiration.NoncurrentDays
    value: absent
    op: not-in
```

but my filter looks wrong. How is it possible to write a correct filter?
When I run this policy

```yaml
policies:
  - name: auto-clean-security-groups-egress
    resource: security-group
    description: |
      Remove security group internet egress at creation
    mode:
      type: cloudtrail
      role: arn:aws:iam::{account_id}:role/Vid-CloudCustodianClientRole
      events:
        - source: ec2.amazonaws.com
          event: CreateSecurityGroup
          ids: "responseElements.groupId"
      tags:
        Name: "auto-clean-security-groups-remediate-egress"
        supportgroup: "CLOUD"
        service: "CloudCustodian"
        costcenter: "{varcostcenter}"
        projectcode: "{varprojectcode}"
    actions:
      - type: set-permissions
        remove-egress:
          - IpProtocol: "-1"
            Cidr: "0.0.0.0/0"
```

I get the following error:

```
botocore.exceptions.ParamValidationError: Parameter validation failed:
Unknown parameter in IpPermissions[0]: "Cidr", must be one of: FromPort, IpProtocol, IpRanges, Ipv6Ranges, PrefixListIds, ToPort, UserIdGroupPairs
```
```yaml
policies:
  - name: default-sgs
    resource: aws.security-group
    filters:
      - type: value
        key: GroupName
        value: default
        op: eq
      - type: ingress
        IpProtocol: "-1"
        IpRanges:
          - CidrIp: "0.0.0.0/0"
    actions:
      - type: set-permissions
        remove-ingress: matched
        add-ingress:
          - IpPermissions:
              - FromPort: -1
                IpProtocol: "-1"
                ToPort: -1
                UserIdGroupPairs:
                  - GroupId: '{ GroupId }'
```