Gautami007
@Gautami007
I am getting the below error while executing a policy:
2020-06-08 19:39:20,946: custodian.resources.networksecuritygroup:INFO NSG Cloudcustodiansecgrp. Creating new rule to Deny access for ports ['3389']
2020-06-08 19:39:22,316: custodian.resources.networksecuritygroup:ERROR Failed to create or update security rule for Cloudcustodiansecgrp NSG.
2020-06-08 19:39:22,421: custodian.resources.networksecuritygroup:ERROR Azure Error: SecurityRuleInvalidPriority
Message: Security rule has invalid Priority. Value provided: 90 Allowed range 100-4096.
10 replies
pendyalal
@pendyalal
Hi all, when I select the output directory as S3 and write all the resources to a cross-account bucket, does Custodian set "bucket-owner-full-control" on that object?
2 replies
Marty Hill
@martyhill
Can a c7n policy attach an IAM Managed Policy to a new IAM User in response to the IAM CreateUser event? I've been reading/searching without luck. Thanks.
2 replies
José Netto
@mineiro
Hey guys! I'm using c7n-mailer to send events to a Splunk that's using a private signed certificate. Is there a way to include a custom CA bundle in the c7n-mailer lambda?
aakshaik2
@aakifshaikh
With the 0.9.2.0 release, do I have to change the python version in the build pipeline, because version 2 is no longer supported? @kapilt
1 reply
build:
  docker:
    - image: circleci/python:2.7.14
Dan Parsons
@danparsons
Is there a way to have c7n/c7n-mailer send emails not just To: but also to a cc: address? Basically, send 2 emails per report instead of just one.
34 replies
veenagurram
@veenagurram
@kapilt Can we use Custodian to find ELBs missing stickiness? If yes, what would the filter be? And can we add stickiness if it is missing? If yes, what would the action be?
4 replies
pendyalal
@pendyalal
@Kapilt, can Custodian check if there are any long-processing jobs running on EC2?
4 replies
Zohaib Ahmad Hassan
@zahassan
What is the better tool for security and compliance, CloudCustodian or AWS Config?
3 replies
Zohaib Ahmad Hassan
@zahassan
If there are some S3 buckets with access status error, can we skip them using filters?
pendyalal
@pendyalal

What is better tool for security and compliance CloudCustodian or AWS Config?

Of course CloudCustodian. Custodian will check for violations and take actions immediately, within a minute or two.
Our observation with AWS Config is the delay.

2 replies
fakiestyle
@fakiestyle
Guys, I need your help. How do I write a key with a colon symbol?
key: resources[].c7n:bucket[].bindings[].members[]
Python thinks that bucket is the value of c7n when converting the yml to json.
11 replies
Steven Scoleri
@scoleri
aws workspaces delete?
JK
@JK_AWS_twitter
Leveraging JSON file output for various automated reports? Has anyone defined any best practices or recommendations there? An example might be to leverage tags to see EC2 growth across multiple accounts within applications. Thoughts?
Trevor Cotton
@TrevorCottonGB_twitter
Hi - I am having a problem with a policy I wrote a while back. I thought it worked but now it is failing. I want to auto-tag AWS Elastic IPs when they get created, so the mode type is cloudtrail. The docs are confusing me: should the resource be network-addr or elastic-ip? The error I get is botocore.exceptions.ParamValidationError: Parameter validation failed:
Unknown parameter in input: "AllocationId", must be one of: Filters, PublicIps, AllocationIds, DryRun
Code is
- name: eip-auto-tag-creator
  resource: network-addr
  mode:
    type: cloudtrail
    role: arn:aws-us-gov:iam::{account_id}:role/cc7nautotagger
    tags:
      Project: Infra
      Env: core
    events:
      - source: "ec2.amazonaws.com"
        event: "AllocateAddress"
        ids: "responseElements.publicIp"
  filters:
    - tag:CreatorName: absent
  actions:
    - type: auto-tag-user
      tag: CreatorName
      principal_id_tag: CreatorId
2 replies
Jimmy Grover
@jimmy.grover_gitlab
Can you use the report function without an S3 bucket and just pull from the local output folder?
1 reply
SrikanthSoma
@SrikanthSoma_gitlab
Can Cloud Custodian detect findings from AWS Compute Optimizer and remediate them?
1 reply
pendyalal
@pendyalal
Hi all, can we get the usage of an iam-role?
20 replies
Jake
@DjangoFett
Hi all, I've been having issues with this policy. I can't for the life of me figure out why it is not working. I've spent a great deal of time looking at it, but can't figure out why it wouldn't filter correctly. Anyone have any thoughts?
policies:
  - name: get-ec2-manual-sg-edits
    resource: security-group
    description: |
        Trap events wherein a Security Group is not edited via specified users

    mode:
      type: cloudtrail

      events:
        - source: ec2.amazonaws.com
          event: AuthorizeSecurityGroupIngress
          ids: 'requestParameters.groupId'
        - source: ec2.amazonaws.com
          event: AuthorizeSecurityGroupEgress
          ids: 'requestParameters.groupId'
        - source: ec2.amazonaws.com
          event: RevokeSecurityGroupEgress
          ids: 'requestParameters.groupId'
        - source: ec2.amazonaws.com
          event: RevokeSecurityGroupIngress
          ids: 'requestParameters.groupId'

    filters:
      - not:
        - type: event
          key: 'detail.userIdentity.arn'
          value: example
          op: contains

    actions:
      - type: notify
        template: get-ec2-manual-sg-edits.html
        priority_header: '1'
        subject: 'AWS Guardrails: Trap manual Security Group rule edits'
        to:
          - event-owner
        transport:
          type: sqs
          queue: <queue>
          region: us-east-1
2 replies
pendyalal
@pendyalal
@kapilt, does c7n-trailcreator work for CloudFormation resources too? Let's say I'm creating DBInstances using a CloudFormation template; can we get the creator name using c7n-trailcreator?
1 reply
Edward Moon
@edwardmoon
Are there any ec2 filters to detect classic EC2 instances?
luceropv
@luceropv
I'd like to run a snapshot on an hourly basis, but for some reason this is not working periodically, just once. Can you give me some suggestions?
policies:
- name: ec2-daily-backup
  resource: ec2
  description: |
     Cloud Custodian EBS Daily Backup
  comments: |
     Cloud Custodian EBS Daily Backup based on tag mybackup
     mode:
       type: periodic
       schedule: "rate(60 minutes)"
       role: arn:aws:iam::178375044839:role/custodian-generic-role
  filters:
   - "tag:mybackup": present

  actions:
   - type: snapshot
     copy-tags:
       - Owner
       - Appname
Limon Chandra Howlader
@limonhowlader
Hi @kapilt, How are you?
I'm interested in setting up Cloud Custodian on my Azure Cloud Infrastructure. Could you please guide me on how to do that?
pendyalal
@pendyalal
@Kapilt I have the below policy to find iam-role last usage. I have a few users who assumed custodian-role in the last 1 day. When I run the below policy, I couldn't find any users. I'm sure that I'm missing something in the policy. Also, when I ran the policy I noticed 6004 API calls. Is that normal?
policies:
  - name:  role-usage
    resource: iam-role
    region: us-east-1
    filters:
       - type: value
         key: RoleName
         value: "custodian-role"
       - type: usage
         TotalAuthenticatedEntities: 1
         LastAuthenticated:
             type: value
             value_type: age
             op: lt
             value: 1
         match-operator: all
vkuchi
@vinaykuchibhotla
Hi, I have Custodian deployed in lambdas in several accounts and am trying to send notifications from all those lambdas to a dedicated Slack channel. Most of the example policies I came across use sqs as the transport type even for Slack messages, and I'm trying to understand why an sqs queue is needed for sending notifications to a Slack channel. Any thoughts please? Thanks.
tynas
@tynas
Hi, is support for AWS WAFv2 on the roadmap for Cloud Custodian? I would like to be able to check if logging is enabled on deployed web ACLs.
2 replies
Amit Sehgal
@amitsehgal
Have you added the maidoffhour tag to RDS clusters? I can add it fine for EC2 but am getting an error on RDS -> Tag values may only contain unicode letters, digits, whitespace, or one of these symbols: . : / = + - @ (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 64f008e6-9ff2-459f-b4e3-399bffcc0d01)
How are you overriding the on and off time for RDS?
off=(M-U,21);on=(M-U,4)
"maid_offhours": "off=(M-U,21);on=(M-U,4)"
Amit Sehgal
@amitsehgal
nvm, I see it's an issue.
I have 70 accounts and many DBs... let me try option a) requesting AWS support to allow these characters.
Graeme Stirling
@cr-gstirling
Hi,
I'm following the tutorial to deploy a docker image into Azure ACI.
I am following the documentation: https://cloudcustodian.io/docs/azure/configuration/acitutorial.html
But when I get to the deploy part it complains, as it references a template from the path --template-file tools/ops/azure/container-host/aci/aci-template.json
Where is this template, so I can refactor my command to do my test deployment?
Thanks!
vkuchi
@vinaykuchibhotla
What is the best way of sending notifications to a Slack channel from Custodian deployed as Lambdas in a multi-account landscape? I was thinking of sending SNS notifications to local topics which have a cross-account central queue subscribed to them, and then using a separate Lambda for decoding each message before sending it to Slack. Is this overkill, or is there a more straightforward way of handling this?
3 replies
veenagurram
@veenagurram
policies:
  - name: cloudwatch-delete-stale-log-group
    resource: log-group
    filters:
      - type: last-write
        days: 182.5
    actions:
      - delete
Getting:
ClientError: An error occurred (ThrottlingException) when calling the DescribeLogStreams operation (reached max retries: 4): Rate exceeded
veenagurram
@veenagurram
@kapilt
Ben Pankow
@benpankow
Hi all. Looking for a tool to help find cost-cutting improvements in our AWS infrastructure, and wondering if Cloud Custodian is a good choice. We'd be using it as more of a monitoring tool than a corrective one, tagging resources and pointing out inefficiencies to relevant teams rather than taking direct action. I appreciate the clean policy format but I am wondering what the limitations are to the sort of logic that they can perform. Are checks requiring more complex logic, such as detecting overprovisioning or underprovisioning or the absence of ASGs possible?
grainger-ryanm
@grainger-ryanm

Hello, I'm having trouble understanding why my policy is generating an access denied warning.

2020-06-10 21:25:55,168: c7n_org:DEBUG Running policy:ami-older-than-90days account:DIStaging region:us-east-2
2020-06-10 21:25:55,751: c7n_org:DEBUG Running policy:ami-older-than-90days account:DIProduction region:us-east-1
2020-06-10 21:25:55,936: c7n_org:DEBUG Running policy:ami-older-than-90days account:DIProduction region:us-east-2
2020-06-10 21:25:56,121: c7n_org:WARNING Access denied api:SendMessage policy:ami-older-than-90days account:DISandbox region:us-east-2
2020-06-10 21:25:56,300: c7n_org:WARNING Access denied api:SendMessage policy:ami-older-than-90days account:DIPreview region:us-east-2
2020-06-10 21:25:56,417: c7n_org:WARNING Access denied api:SendMessage policy:ami-older-than-90days account:DISandbox region:us-east-1

The role has the permissions given on the website, and the SQS queue is accessible by the role from every other account. Did I miss a setup step somewhere?

In some places it runs fine, in some places it's denied, but it seems inconsistent. Here is the policy for reference:
policies:
  - name: ami-older-than-90days
    resource: ami
    filters:
      - type: image-age
        days: 90
    actions:
        - type: notify
          template: default
          priority_header: '2'
          subject: AMi older than 90
          to:
           - x@x.com
          transport:
            type: sqs
            queue: https://sqs.us-east-1.amazonaws.com/acc###/CloudCustodian
Graeme Stirling
@cr-gstirling
Just to update this: I found that the command in the documentation, az group deployment create, is deprecated and replaced with az deployment group create.
Also, the JSON that is referenced as a template-file can be pulled using the template-uri instead.
Is there any way I can give feedback on this to get the documentation updated to reflect this correction?

veenagurram
@veenagurram

@kapilt

Any suggestion on resolving this?

9 replies
veenagurram
@veenagurram
@kapilt
Is there any policy to check the log-stream age and delete it?
9 replies
grainger-ryanm
@grainger-ryanm

Does anyone know how to check MultiAZ as an RDS property? I tried filters:

- MultiAZ: false

and

- type: db-parameter
  key: MultiAZ
  value: false