tomarv2
@tomarv2
i am putting a policy that will look for tag: DeleteAfter: MM-DD-YY I thought I can do mark-for-op but that does seem to solve the problem, any suggestion?
3 replies
Gautami Kher
@gautamikhervista_gitlab
Hi Team, Is there any policy for aws S3 bucket to encrypt specific bucket? and not entire buckets in region
Jason Terlecki
@jterlecki_gitlab

When I run this policy

```yaml
policies:
  - name: auto-clean-security-groups-egress
    resource: security-group
    description: |
      Remove security group internet egress at creation
    mode:
        type: cloudtrail
        role: arn:aws:iam::{account_id}:role/Vid-CloudCustodianClientRole
        events:
          - source: ec2.amazonaws.com
            event: CreateSecurityGroup
            ids: "responseElements.groupId"
        tags:
            Name: "auto-clean-security-groups-remediate-egress"
            supportgroup: "CLOUD"
            service: "CloudCustodian"
            costcenter: "{varcostcenter}"
            projectcode: "{varprojectcode}"
    actions:
      - type: set-permissions
        remove-egress:
          - IpProtocol: "-1"
            Cidr: "0.0.0.0/0"
```

I get the following error:
```
botocore.exceptions.ParamValidationError: Parameter validation failed:
Unknown parameter in IpPermissions[0]: "Cidr", must be one of: FromPort, IpProtocol, IpRanges, Ipv6Ranges, PrefixListIds, ToPort, UserIdGroupPairs
```

Jason Terlecki
@jterlecki_gitlab
should I be using something like this instead?
```yaml
  IpRanges:
    - CidrIp: "0.0.0.0/0"
```
Kapil Thangavelu
@kapilt
@jterlecki_gitlab it's a straight pass-through, so it's the same parameters that you pass to the CLI/API for removing an egress permission
KISStian
@KISStian
I'm looking to have VPC flow logs from a large number of accounts directed to a centralized logging account. I noticed that c7n-log-exporter supports kinesis for realtime export. However, I didn't see any documentation regarding how this can be implemented. Is there something out there that I can review to understand how this can best be setup?
Kapil Thangavelu
@kapilt
you use a custodian policy to ensure all vpcs have flow logs set to a known cloud watch log group.. and then you use tools/c7n_log_exporter to send the log groups to a centralized kinesis destination, and optionally to archive them to s3
Giulio Denardi
@gelouko
Hi!
I was wondering: is there currently a built-in way of adding a default action for all policies?
e.g regardless of policy, I'd like to add the same notify action. So I could use a default action for that, and write it just in one place
4 replies
pendyalal
@pendyalal
Hi all, for a security group, if the CIDR is 0.0.0.0/0 for type: ingress, then in the actions set-permissions can we do SelfReference the group in the custodian policy?
7 replies
Ty Segall
@tysegall
Hi all. One of the security peeps on my team asked about a check for the "Instance Metadata Service Version" since it was part of the Capital One hack. Doing a quick grep on the IP address "169.254.169.254" yielded a few hits. I'm not finding a whole lot; just wanted to make sure a check for Instance Metadata Service Version 1 vs 2 isn't already out there. :)
26 replies
Should say, grep on the Cloud Custodian source
aakshaik2
@aakifshaikh
@kapilt - Is there a way we can identify the sub-domains that are stale and not used for long time
3 replies
pendyalal
@pendyalal
Can we pass filtered security group Id in actions?
3 replies
orangutang
@orangutang
Hey all, has anyone used Athena with c7n-org generated resources.json files? The file begins with a [ and Athena is expecting { it would seem. I'd like to avoid writing a lambda if possible.
1 reply
fakiestyle
@fakiestyle
@kapilt I fixed ./c7n_gcp/resources/function.py for gcp-audit mode. Place {region} instead of {location_id} in the static method.
5 replies
fakiestyle
@fakiestyle
and in what file should I set scope: folder and scope_id: folder_id for multi project gcp-audit ?
2 replies
pendyalal
@pendyalal
@jtroberts83/@kapilt, I need help with the following policy. In the policy below, how do I replace GroupId (whatever SGs are filtered need to be substituted) in actions?
```yaml
policies:
  - name: default-sgs
    resource: aws.security-group
    filters:
      - type: value
        key: GroupName
        value: default
        op: eq
      - type: ingress
        IpProtocol: "-1"
        IpRanges:
          - CidrIp: "0.0.0.0/0"
    actions:
      - type: set-permissions
        remove-ingress: matched
        add-ingress:
          - IpPermissions:
              - FromPort: -1
                IpProtocol: "-1"
                ToPort: -1
                UserIdGroupPairs:
                  - GroupId: '{ GroupId }'
```
5 replies
mogmismo
@mogmismo_twitter
Curious how to make a compound AND filter on an aws.ec2 resource that verifies that the AWS account (I'm using c7n-org) has a particular tag and the instance has a particular age. Can you filter on multiple resources, and perform an action on just one?
10 replies
Mike
@mikejgray
Hey all, I'm seeing some unexpected behavior with mugc. I've changed a bunch of policies from periodic mode to pull mode and it looks like mugc isn't cleaning up the Lambdas. Is that expected? If so, is there a flag or something I can add to have it clean up the now-outdated Lambdas? TIA!
4 replies
Dan Parsons
@danparsons
Is there a way via c7n-org and c7n-mailer to specify a different email address per aws account for the reports to go to?
Ideally what I'm looking for is... for each account c7n-org iterates over, email the report to both ops@mycompany and also specific_department@mycompany
Kristina Trump
@KristinaTrump_twitter
@kapilt, is there a way to revert the remove-launch-permissions action in AMI?
3 replies
mini1989
@mini1989
is the latest version with ecr registry auto enable scan on push ... already released.. or still waiting...
5 replies
Hugh Saunders
@hughsaunders
Hey, is there any way to include one policy in another, or set a global vars block for all policy files? I want to set notification defaults but have policies organised into files by resource type.
3 replies
Michael Davis
@MichaelDavisTSN
@ingwarsw Thanks for GCP labeling, it also fixed my issue #4838. How about a "copy-related-tags" for GCP. Should I open an issue? And @kapilt can anyone suggest a workaround that provides this functionality?
2 replies
fakiestyle
@fakiestyle
@kapilt I have added a GCP custom resource to storage.py to get ACLs of buckets, and added it to resource_map.py. It works. But there is no notify action in the output of custodian schema, only webhook for this resource. How do I add a notify action? I'll do a PR if you can explain to me how to add a notify action for a resource.
11 replies
JK
@JK_AWS_twitter
New to Cloud Custodian.... Looking through documentation. Is there any way that GCP can leverage Cloud Functions in the same (similar) manner as AWS Lambda?
6 replies
Jimmy Grover
@jimmy.grover_gitlab
Is it possible to list the principal values of an SQS queue? We're trying to track down SQS queues with "*" in the principal.
30 replies
Thomas Callahan
@tcallahan06_gitlab
Hello everyone, new to Cloud Custodian. I was wondering if there is any cleanup/removal functionality? Let's say I deploy a policy that creates a lambda in 10 accounts. Is there a way to remove that policy and have Cloud Custodian remove any resources it created? Or do you have to manually go clean them up?
6 replies
tomarv2
@tomarv2
Question on off-hours: I want to shut down EC2 instances from 8pm to 8am based on the time zone. Can this be accomplished by one policy or does it need different policies? For example, EC2 instances used by the team in India (apac-*) shut down at their night, while the US team's (us-*) regions shut down in their time.
4 replies
Karl de Castro Fonseca
@KarlCF
Hey guys, sorry if this is a dumb question, but is there a way for a policy to always trigger an action? I have a lambda that I need to run periodically, and I know that I can set the periods on Cloud-Custodian, but I also need to make sure that it is triggered. I'm open to explore solutions outside of the tool, but would prefer it if it was with it
5 replies
pjshort22
@pjshort22
@kapilt on the Cloud_Custodian container images, can awscli be added to the image? The latest awscli breaks Cloud Custodian: when the latest awscli is installed, it upgrades botocore to the latest version, which is then incompatible with the boto3 version used by Cloud Custodian. I am looking to use awscli on the container to transfer files to and from S3.
3 replies
Gautami007
@Gautami007
Hello Team, Need some help on Azure Security Group lockdown policy open to world.
@kapilt if you can take a look into it quickly!
I am getting the below error while executing the policy:
```
2020-06-08 19:39:20,946: custodian.resources.networksecuritygroup:INFO NSG Cloudcustodiansecgrp. Creating new rule to Deny access for ports ['3389']
2020-06-08 19:39:22,316: custodian.resources.networksecuritygroup:ERROR Failed to create or update security rule for Cloudcustodiansecgrp NSG.
2020-06-08 19:39:22,421: custodian.resources.networksecuritygroup:ERROR Azure Error: SecurityRuleInvalidPriority
Message: Security rule has invalid Priority. Value provided: 90 Allowed range 100-4096.
```
10 replies
pendyalal
@pendyalal
Hi all, when I select the output directory as S3 and write all the resources to a cross-account bucket, is custodian setting "bucket-owner-full-control" on that object?
2 replies
Marty Hill
@martyhill
Can a c7n policy attach an IAM Managed Policy to new IAM User in response to the IAM CreateUser event? I've been reading/searching without luck. Thanks.
2 replies
José Netto
@mineiro
Hey guys! I'm using c7n-mailer to send events to a Splunk that's using a private signed certificate. Is there a way to include a custom CA bundle in the c7n-mailer lambda?
aakshaik2
@aakifshaikh
With the 0.9.2.0 release, do I have to change the Python version in the build pipeline, because version 2 is no longer supported? @kapilt
1 reply
```yaml
build:
  docker:
    - image: circleci/python:2.7.14
```
Dan Parsons
@danparsons
Is there a way to have c7n/c7n-mailer send emails not just To: but also add a cc: address? Basically, send 2 emails per report instead of just one.
34 replies
veenagurram
@veenagurram
@kapilt Can we use Custodian to find ELB missing stickiness, if yes what will be the filter ? and can we add stickiness if missing, if yes what will be the action?
4 replies
pendyalal
@pendyalal
@kapilt, can custodian check if there are any long-processing jobs running on EC2?
4 replies
Zohaib Ahmad Hassan
@zahassan
Which is the better tool for security and compliance, CloudCustodian or AWS Config?
3 replies
Zohaib Ahmad Hassan
@zahassan
If there are some S3 buckets with an access status error, can we skip them using filters?
pendyalal
@pendyalal
"Which is the better tool for security and compliance, CloudCustodian or AWS Config?"

Of course CloudCustodian. Custodian will check for violations and take actions immediately, within a minute or two.
2 replies