jfricioni
@jfricioni
Hi, I was wondering if filters/actions are smart enough for me to include a type of if/elif/elif/else intelligence. I want to be able to change the volume type of an EBS volume from SSD to HDD if a tag is missing, but I want to check if the volume is root and, if so, specify magnetic; if not root and over 125GB, then change to st1. I know I can do this with different policies, but I wanted to incorporate it into one policy so that only one lambda does the work instead of having multiples check.
4 replies
Samarth Shivaramu
@s_samarth03_twitter

I'm trying to create a policy to identify IAM user accounts in my AWS organization with active access keys and console login. Is there a way to identify if these IAM user accounts were created by a specific AD account?

Here's the policy used:

policies:
  - name: iam-users-with-access-keys-and-console-login
    resource: iam-user
    comment: |
      Identify IAM users with active keys and console login
    filters:
      - type: access-key
        key: Status
        value: Active
      - type: credential
        key: access_keys.active
        value: present
      - type: credential
        key: password_enabled
        value: true
        op: eq

Which filters can I use to identify the creator of these IAM user accounts enumerated by the aforementioned policy?

1 reply
Kunal Shah
@kunalshah

Hello all, I have an AMI cleanup policy that is supposed to delete the AMI snapshots when the AMI is deregistered.

policies:
  - name: cleanup-unused-unshared-ami-with-snapshot
    resource: ami
    comment: Delete the unused AMI(s) not shared with any AWS account. AMI Snapshot will also be deleted.
    mode:
      type: pull
    filters:
      - type: image-age
        days: 5
      - type: unused
        value: true
      - not:
        - type: cross-account
    actions:
      - deregister
      - delete-snapshots: true
        type: deregister

When I run it against an AWS China account, the AMI and the snapshot are not deleted. It seems to be a no-op.

output:

$ custodian version
0.9.10
$ 
$ custodian validate cleanup-unused-unshared-ami-with-snapshot.yml -v
2021-03-05 12:22:38,688: custodian.cache:DEBUG Disabling cache
2021-03-05 12:22:38,688: custodian.commands:INFO Configuration valid: cleanup-unused-unshared-ami-with-snapshot.yml
$ 
$ custodian run -s out --cache-period 0 --region cn-northwest-1 --profile "AdminRole" cleanup-unused-unshared-ami-with-snapshot.yml --verbose
2021-03-05 12:13:19,659: custodian.cache:DEBUG Disabling cache
2021-03-05 12:13:19,660: custodian.commands:DEBUG Loaded file cleanup-unused-unshared-ami-with-snapshot.yml. Contains 1 policies
2021-03-05 12:13:20,989: custodian.output:DEBUG Storing output with <LogFile file://out/cleanup-unused-unshared-ami-with-snapshot/custodian-run.log>
2021-03-05 12:13:20,998: custodian.policy:DEBUG Running policy:cleanup-unused-unshared-ami-with-snapshot resource:ami region:cn-northwest-1 c7n:0.9.10
2021-03-05 12:13:21,841: custodian.resources.ec2:DEBUG Filtered from 0 to 0 ec2
2021-03-05 12:13:22,265: custodian.resources.asg:DEBUG Filtered from 0 to 0 asg
2021-03-05 12:13:22,567: custodian.resources.ami:DEBUG Filtered from 1 to 1 ami
2021-03-05 12:13:22,567: custodian.policy:INFO policy:cleanup-unused-unshared-ami-with-snapshot resource:ami region:cn-northwest-1 count:1 time:1.57
2021-03-05 12:13:22,576: custodian.actions:INFO Implicitly filtered 1 non owned images
2021-03-05 12:13:22,576: custodian.policy:INFO policy:cleanup-unused-unshared-ami-with-snapshot action:deregister resources:1 execution_time:0.01
2021-03-05 12:13:22,583: custodian.actions:INFO Implicitly filtered 1 non owned images
2021-03-05 12:13:22,583: custodian.policy:INFO policy:cleanup-unused-unshared-ami-with-snapshot action:deregister resources:1 execution_time:0.01
2021-03-05 12:13:22,584: custodian.output:DEBUG metric:ResourceCount Count:1 policy:cleanup-unused-unshared-ami-with-snapshot restype:ami scope:policy
2021-03-05 12:13:22,584: custodian.output:DEBUG metric:ApiCalls Count:4 policy:cleanup-unused-unshared-ami-with-snapshot restype:ami
$

Any suggestion on why the policy doesn't delete the resources?

2 replies
ElChavoDelOcho
@ElChavoDelOcho
Anyone leveraging GAnthos with C7N?
Or managing Anthos with C7N, ping me. Thanks.
Surendars Ss
@SsSurendars_twitter
Custodian policy shows Unix time format when fetching details of resources; how do I change it?
Rachana
@rachgupt
Hi, is there a way to get TDE enabled or disabled in an Azure SQL database?
vgtom
@vgtom
Hi all, I am new to Custodian. So why do we need a tool like Custodian and write YAML rules when I can do it using Terraform?
2 replies
aakshaik2
@aakifshaikh
Custodian creates 3 files as output: run-log, metadata, resources. I know the resources.json file provides the details on non-compliant items. I don't want to use the converter to convert this into a CSV file every time. How can I make the output include the report as a CSV file as well? GOAL: I want to have the output result in CSV format for every single policy. This CSV can be consumed elsewhere as needed.
4 replies
Mostafa Hadi
@ItsReallyHadi

Hi :wave:
How can I optimise the following policy to run faster?

policies:
  - name: iam-role
    resource: iam-role
    description: "Check IAM-Role for * in action policy."
    filters:
      - or:
        - type: check-permissions
          match: allowed
          actions:
            - iam:*
        - type: check-permissions
          match: allowed
          actions:
            - s3:*
        - type: check-permissions
          match: allowed
          actions:
            - kms:*
        - type: check-permissions
          match: allowed
          actions:
            - sns:*
        - type: check-permissions
          match: allowed
          actions:
            - sqs:*

Or, better than that, catch all actions with * on any resource?
Thanks in advance :smiley: :heart:

1 reply
vgtom
@vgtom
I am getting build errors on CentOS:
ERROR: InvocationError for command /home/vinu/Desktop/Company/Security/cloud-custodian/.tox/py36/bin/pytest -n auto tests tools (exited with code 1)
WARNING: test command found but not installed in testenv
cmd: /usr/bin/make
env: /home/vinu/Desktop/Company/Security/cloud-custodian/.tox/lint
Maybe you forgot to specify a dependency? See also the allowlist_externals envconfig setting.
vgtom
@vgtom
ERROR: py37: InterpreterNotFound: python3.7
ERROR: py38: InterpreterNotFound: python3.8
ERROR: py39: InterpreterNotFound: python3.9
1 reply
I guess the build is actually OK, right? It's just saying Python 3.7, 3.8 and 3.9 are not available.
Steven Scoleri
@scoleri
I wanted to put this out there because it took me all day to do it. This checks for buckets that are locked and can only be unlocked by root. When I try to tag buckets across my fleet and there is a bucket in an account that's in this condition, it breaks the actions for that account.
policies:
  - name: s3-perm-check
    resource: s3
    filters:
      - type: value
        key: '"c7n:DeniedMethods"[]'
        op: in
        value: get_bucket_tagging
        value_type: swap
2 replies
This is what the bucket looks like in resources:
{
  "Name": "XXXXXXXX",
  "CreationDate": "2020-06-25T03:37:07+00:00",
  "Location": {
    "LocationConstraint": "eu-west-1"
  },
  "c7n:DeniedMethods": [
    "get_bucket_tagging",
    "get_bucket_policy",
    "get_bucket_acl",
    "get_bucket_replication",
    "get_bucket_versioning",
    "get_bucket_website",
    "get_bucket_logging",
    "get_bucket_notification_configuration",
    "get_bucket_lifecycle_configuration"
  ],
  "c7n:MatchedFilters": [
    "\"c7n:DeniedMethods\"[]"
  ]
}
aakshaik2
@aakifshaikh
I want to check on S3 buckets that are exposed to the public via bucket policy. How do I look for both values in one filter: * and AWS: *?
3 replies
  filters:
    - type: has-statement # Look for S3 bucket with this statement.
      statements:
        - Effect: Allow
          Action: 's3:*'
          Principal: '*'
  filters:
    - type: has-statement # Look for S3 bucket with this statement.
      statements:
        - Effect: Allow
          Action: 's3:*'
          Principal:
            AWS: '*'
Kristina Trump
@KristinaTrump_twitter
@kapilt, have we included the lambda trim-action based on cloud-custodian/cloud-custodian#6007? If so, can you please give me an example policy.
2 replies
Ridma Pabasara
@ridmapabasara
Hey guys, can someone please give me some insight into how we can implement something like the following as a filter?
2 replies
S3Bucket should not have policy.Statement contain [Effect='Allow' and (Principal='' or Principal.AWS='') and (Action contain [$ regexMatch /^s3:Delete/] or Action regexMatch /^s3:Delete/)]
aakshaik2
@aakifshaikh
Quick question, more of an AWS one. I have a Custodian policy to check for S3 public buckets via ACL and via bucket policy (notify-only policy), and a separate policy for S3 bucket public access blocks (checking the settings for BlockPublicPolicy and BlockPublicAcls) (notify-only policy). I have an action policy to change the public block settings from True to FALSE (on creation, for new resources). My question: which setting supersedes the other? Example: if a user creates an S3 bucket with public access via ACL or policy, this action policy will put the settings on PUBLIC BLOCK. Which one gets applied first?
aakshaik2
@aakifshaikh
Trying to deploy the Cloud Custodian policies using the Azure Function hosting method via a service principal and getting an error:
(custodian) XYZ@ cloud-custodian % custodian run --output-dir=. sec-n-resourcegroup-orphaned.yml
2021-03-10 20:15:55,078: custodian.azure.policy.AzureFunctionMode:ERROR policy:sec-n-resourcegroup-orphaned function policies should use UserAssigned Identities see https://cloudcustodian.io/docs/azure/configuration/functionshosting.html#authentication-options
#Issue6520 (Custodian Version 0.9.11)
Ghost
@ghost~604a2e3f6da0373984688f90
How to filter S3 ObjectOwnership = BucketOwnerPreferred?
1 reply
Ghost
@ghost~604a2e3f6da0373984688f90
?
khapp
@khapp
@jtroberts83 Hello. I've run into an issue with a cross-account SNS policy recognizing org-ids as cross-account and sending notifications but not removing the org-id from the access policy. Could this be a bug, or is there something additional that needs to be done to remove org ids when using remove-statements? This works fine when adding an invalid account number (the statement for the invalid account number is removed and the notification is sent).
Kostiantyn Vorobiov
@Kostiantyn-Vorobiov
Hi guys, is it possible to count running EC2 instances of some type and kill them if there are more than a limit?
1 reply
pendyalal
@pendyalal
Hi all, I have a quick question: for the iam-user resource, can we filter based on accountId?
14 replies
Mike Weiss
@wiredin
I'm creating a lambda policy that will be triggered through a CloudTrail event (CloudTrail Mode). I need it to run when an AddPermission event occurs. Looking through CloudTrail, the actual event appears as "AddPermission20150331v2" and, through googling, apparently sometimes "AddPermission20150331" as well. There doesn't seem to be any information available as to why that is. Does anyone have a suggestion on how to handle this other than referencing both in the mode? I tried using AddPermission* as the event, but wildcards are not supported. I want to make sure my policy is future-proof, as it seems AWS may change it to something else at any time. Thanks!
2 replies
aakshaik2
@aakifshaikh
Is there a way I can find a missing tag for all resources in an account (both AWS and Azure)? Right now I have to write one policy per resource to find the missing tag. Is there a good way to find missing tags for ALL resources in a specific account? Here is my policy for one resource, one filter. At the moment, I have something like 100 policies looking for missing tags on 100 resources. I wanted to combine them into one policy and one output file.
vars:
  absent-tags-filter: &absent-tags
    - "tag:department": absent
    - "tag:owner": absent
    - "tag:service": absent

policies:

- name: resourcegroup-missing-tag
  resource: azure.resourcegroup
  description: Find all Resource Groups that do not meet the mandatory tagging requirements (owner, dept, service).
  filters:
    - or: *absent-tags
  mode:
    type: azure-periodic
    schedule: 0 30 9 * * *
    provision-options:
      identity:
        type: UserAssigned
        id: 000xxxxxx
    execution-options:
      output_dir: azure://cloxxxxxxxxxxxx/xxxxxx/
Michael Davis
@MichaelDavisTSN
Is there a way to force delete a VM in GCP? Getting the error 'Resource cannot be deleted if it's protected against deletion.'
Jon Gilmore
@JonGilmore_gitlab
maybe a bit of a long shot, but what are people using to deploy python lambdas that don't quite fit the use case of c7n here? It'd be awesome if I could re-use the deployment process that c7n already uses to do this, but I'm not sure if that's possible or not. For more background, I've got some sorta simple python scripts that fill some gaps that c7n cannot do, and was sorta looking at serverless to deploy them, but it feels a bit heavy for this task.
5 replies
Ryan Ash
@ryanash999
Anyone know if it is possible to write a policy to ensure the root user email is from a certain domain? I am not seeing it off the aws.account resource type.
1 reply
Kostiantyn Vorobiov
@Kostiantyn-Vorobiov
Guys, I can't find documentation for variables. Can I pass some variable via the CLI and catch it in the policies? Like custodian run policy.yml -v SNS, and catch it like {SNS} in the template.
5 replies
Jose Manuel Holgueras Monedero
@josemanuelholgueras

Hi colleagues, I don't see much information about actions in Azure for encryption and backup/snapshots of resources. Are these topics still pending?
As I ask a lot and offer little, I attach an example of a 'gcp-audit' policy, of which I haven't seen many examples.

policies:
  - name: notify-none-standart-instance
    resource: gcp.instance
    mode:
      type: gcp-audit
      methods:
        - "v1.compute.instances.start"
    filters:
      - type: event
        key: "resource.labels.zone"
        op: not-in
        value:
          - us-central1-a
    actions:
      - stop
Matt Clark
@matticulous
Does anyone have a suggested path for troubleshooting issues with duplicate emails? I have a few policies that seem to be resulting in multiple emails for the same resource.
1 reply
cleo2525
@cleo2525

Hello, I have a policy that detects s3 buckets with public write ACL and removes them. However, this policy also removes the corresponding Read ACL, if present.

Is there a way to remove just the Write & Write_ACP global grant?

policies:
  - name: public-access-write-s3
    resource: s3
    description: remove public write access acl
    filters:
      - type: global-grants
        allow_website: false
        permissions: [WRITE, WRITE_ACP]
    actions:
      - type: delete-global-grants
        grantees:
          - "http://acs.amazonaws.com/groups/global/AllUsers"
          - "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
Dan Barr
@danbarr
Hi all! Is it possible to reference a property of the resource being checked, in the value of a filter comparison? I want to do something like this, but not sure how to properly reference the VpcId or if this is even supported (I've tried the below and it's not working):
    resource: aws.vpc
    filters:
      - not:
        - type: flow-logs
          enabled: true
          set-op: or
          op: equal
          traffic-type: reject
          status: active
          log-group: "/vpcflow/{VpcId}"
2 replies
cleo2525
@cleo2525

I have another question. I'm trying to create a filter that will find all the s3 buckets with bucket policies that grant public access.

So far I can find buckets with Principal * or AWS: *, but I can't figure out how to set the filter to recognize if the policy has a condition.

This is my filter that finds buckets with public Get access

  - name: public-access-policy-s3-mark
    resource: s3
    description: tag bucket with public read access policy
    filters:
      - or:
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal:
                AWS: '*'
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal: '*'

I've tried adding the Conditions object, which gives a validation error

  - name: public-access-policy-s3-mark
    resource: s3
    description: tag bucket with public read access policy
    filters:
      - or:
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal:
                AWS: '*'
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal: '*'
      - not:
        - type: has-statement
          statements:
            - Condition: { "StringEquals": {"aws:PrincipalOrgID": "o-#########"}}

I also tried using the cross-account type, but this causes the filter to not match on any of my buckets.

  - name: public-access-policy-s3-mark
    resource: s3
    description: tag bucket with public read access policy
    filters:
      - or:
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal:
                AWS: '*'
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal: '*'
      - not:
        - type: cross-account
          everyone_only: true
2 replies
sl805
@sl805
Hi everyone, is it possible to verify if an EC2 instance was built from an AMI with a specific name or attribute? I need to check if EC2 instances in a particular AWS account are created from AMIs with a specific source attribute.
7 replies
sl805
@sl805
@kapilt Hello, is it possible to do something like this with cloud-custodian? So basically I'm creating a valid AMI list with the first policy and then referencing the result from the second policy.
- name: Valid AMI list
  resource: ec2.ami
  filters:
    - type: value
      key: source
      op: regex
      value: '^XXXXXXXXXXXX/.*'

- name: Non-Compliant EC2 instances
  resource: ec2
  filters:
    - type: value
      key: image_id
      op: not-in
      value: ${resource.ec2.ami.output}
1 reply
jmahowald-slalom
@jmahowald-slalom
We've seen several policies fail because the custodian code is expecting a newer version of boto3 (1.17.x) and the python 3.8 runtime ships with 1.16.31. I was trying to figure out if I could specify a "custom" lambda layer for the deployments, so we could package up the expected version, but I can't find anything so far.
6 replies
pentagonal-proboscis
@pentagonal-proboscis
Hi All. I want to turn on Cost Anomaly Detection in all of my AWS accounts and add an anomaly alarm. Is this possible with C7N? I went through the AWS reference but didn't find anything obvious.
4 replies
cleo2525
@cleo2525

Hello, I have a policy that detects s3 buckets with public write ACL and removes them. However, this policy also removes the corresponding Read ACL, if present.

Is there a way to remove just the Write & Write_ACP global grant?

policies:
  - name: public-access-write-s3
    resource: s3
    description: remove public write access acl
    filters:
      - type: global-grants
        allow_website: false
        permissions: [WRITE, WRITE_ACP]
    actions:
      - type: delete-global-grants
        grantees:
          - "http://acs.amazonaws.com/groups/global/AllUsers"
          - "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

Hi, just following up to see if anyone knows if there's a way to remove only the Write access from the global grants and leave the Read access if present.

aakshaik2
@aakifshaikh
Does the auto-tag-user policy work on existing resources? Can it look back 365 days or X days and find the event owner to tag the resources with?
7 replies
kapilt
@kapilt:matrix.org
The docs have examples of full syntax for events
vgtom
@vgtom
Can c7n be used for cost optimization?
2 replies
Steve Craig
@stevesworkgithub
Hi, sorry, I've asked a similar question before, but do we have a rough idea when 0.9.11 will be released? I'm being pushed to get a fix in before quarter-end, which I could just patch in if need be, but would prefer to get a stable release in if at all possible. Thanks very much in advance :-)