khapp
@khapp
@jtroberts83 Hello. I've run into an issue with a cross-account SNS policy recognizing org-ids as cross-account and sending notifications, but not removing the org-id from the access policy. Could this be a bug, or is there something additional that needs to be done to remove org IDs when using remove-statements? This works fine when adding an invalid account number (the statement for the invalid account number is removed and the notification is sent).
Kostiantyn Vorobiov
@Kostiantyn-Vorobiov
Hi guys, is it possible to count running EC2 instances of some type and kill them if there are more than the limit?
1 reply
pendyalal
@pendyalal
Hi all, I have a quick question: for the iam-user resource, can we filter based on accountId?
14 replies
Mike Weiss
@wiredin
I'm creating a lambda policy that will be triggered through a CloudTrail event (CloudTrail mode). I need it to run when the AddPermission event occurs. Looking through CloudTrail, the actual event appears as "AddPermission20150331v2" and, through googling, apparently sometimes as "AddPermission20150331" as well. There doesn't seem to be any information available as to why that is. Does anyone have a suggestion on how to handle this other than referencing both in the mode? I tried using AddPermission* as the event, but wildcards are not supported. I want to make sure my policy is future-proof, as it seems AWS may change it to something else at any time. Thanks!
2 replies
aakshaik2
@aakifshaikh
Is there a way I can find a missing tag for all resources in an account (both AWS and Azure)? Right now I have to write 1 policy for 1 resource to find the missing tag. Is there a good way I can find missing tags for ALL resources for a specific account? Here is my policy for 1 resource / 1 filter. At the moment, I have about 100 policies looking for missing tags on 100 resources. I wanted to combine them into one policy and one output file.
vars:
  absent-tags-filter: &absent-tags
    - "tag:department": absent
    - "tag:owner": absent
    - "tag:service": absent

policies:

- name: resourcegroup-missing-tag
  resource: azure.resourcegroup
  description: Find all Resource Groups that do not meet the mandatory tagging requirements (owner, dept, service).
  filters:
    - or: *absent-tags
  mode:
    type: azure-periodic
    schedule: 0 30 9 * * *
    provision-options:
      identity:
        type: UserAssigned
        id: 000xxxxxx
    execution-options:
      output_dir: azure://cloxxxxxxxxxxxx/xxxxxx/
Michael Davis
@MichaelDavisTSN
Is there a way to force delete a VM in GCP? I'm getting the error 'Resource cannot be deleted if it's protected against deletion.'
Jon Gilmore
@JonGilmore_gitlab
Maybe a bit of a long shot, but what are people using to deploy Python lambdas that don't quite fit the use case of c7n here? It'd be awesome if I could re-use the deployment process that c7n already uses to do this, but I'm not sure if that's possible or not. For more background, I've got some sorta simple Python scripts that fill some gaps that c7n cannot, and was sorta looking at Serverless to deploy them, but it feels a bit heavy for this task.
5 replies
Ryan Ash
@ryanash999
Anyone know if it is possible to write a policy to ensure the root user email is from a certain domain? I am not seeing it off the aws.account resource type.
1 reply
Kostiantyn Vorobiov
@Kostiantyn-Vorobiov
Guys, I can't find documentation for variables. Can I pass some variable via the CLI and catch it in the policies? Like custodian run policy.yml -v SNS and then reference it as {SNS} in the template?
5 replies
Jose Manuel Holgueras Monedero
@josemanuelholgueras

Hi colleagues, I don't see much information about actions in Azure for encryption and backup/snapshots of resources. These topics are still pending, are they?
As I ask a lot and offer little, I attach an example of a 'gcp-audit' policy, of which I haven't seen many examples.

policies:
  - name: notify-none-standart-instance
    resource: gcp.instance
    mode:
      type: gcp-audit
      methods:
        - "v1.compute.instances.start"
    filters:
      - type: event
        key: "resource.labels.zone"
        op: not-in
        value:
          - us-central1-a
    actions:
      - stop
Matt Clark
@matticulous
Does anyone have a suggested path for troubleshooting issues with duplicate emails? I have a few policies that seem to be resulting in multiple emails for the same resource.
1 reply
cleo2525
@cleo2525

Hello, I have a policy that detects s3 buckets with public write ACL and removes them. However, this policy also removes the corresponding Read ACL, if present.

Is there a way to remove just the Write & Write_ACP global grant?

policies:
  - name: public-access-write-s3
    resource: s3
    description: remove public write access acl
    filters:
      - type: global-grants
        allow_website: false
        permissions: [WRITE, WRITE_ACP]
    actions:
      - type: delete-global-grants
        grantees:
          - "http://acs.amazonaws.com/groups/global/AllUsers"
          - "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
Dan Barr
@danbarr
Hi all! Is it possible to reference a property of the resource being checked in the value of a filter comparison? I want to do something like the following, but I'm not sure how to properly reference the VpcId, or if this is even supported (I've tried the below and it's not working):
    resource: aws.vpc
    filters:
      - not:
        - type: flow-logs
          enabled: true
          set-op: or
          op: equal
          traffic-type: reject
          status: active
          log-group: "/vpcflow/{VpcId}"
2 replies
cleo2525
@cleo2525

I have another question. I'm trying to create a filter that will find all the s3 buckets with bucket policies that grant public access.

So far I can find buckets with Principal or AWS:, but I can't figure out how to set the filter to recognize whether the policy has a condition.

This is my filter that finds buckets with public Get access

  - name: public-access-policy-s3-mark
    resource: s3
    description: tag bucket with public read access policy
    filters:
      - or:
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal:
                AWS: '*'
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal: '*'

I've tried adding the Condition object, which gives a validation error:

  - name: public-access-policy-s3-mark
    resource: s3
    description: tag bucket with public read access policy
    filters:
      - or:
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal:
                AWS: '*'
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal: '*'
      - not:
        - type: has-statement
          statements:
            - Condition: { "StringEquals": {"aws:PrincipalOrgID": "o-#########"}}

I also tried using the cross-account type, but this causes the filter to not match any of my buckets:

  - name: public-access-policy-s3-mark
    resource: s3
    description: tag bucket with public read access policy
    filters:
      - or:
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal:
                AWS: '*'
        - type: has-statement
          statements:
            - Effect: Allow
              Action: 's3:Get*'
              Principal: '*'
      - not:
        - type: cross-account
          everyone_only: true
2 replies
sl805
@sl805
Hi everyone, is it possible to verify if an EC2 instance was built from an AMI with a specific name or attribute? I need to check if EC2 instances in a particular AWS account are created from AMIs with a specific source attribute.
7 replies
sl805
@sl805
@kapilt Hello, is it possible to do something like this with cloud-custodian? Basically I'm creating a valid AMI list with the first policy and then referencing the result from the second policy:
- name: Valid AMI list
  resource: ec2.ami
  filters:
    - type: value
      key: source
      op: regex
      value: '^XXXXXXXXXXXX/.*'

- name: Non-Compliant EC2 instances
  resource: ec2
  filters:
    - type: value
      key: image_id
      op: not-in
      value: ${resource.ec2.ami.output}
1 reply
jmahowald-slalom
@jmahowald-slalom
We've seen several policies fail because the custodian code is expecting a newer version of boto3 (1.17.x) and the Python 3.8 runtime ships with 1.16.31. I was trying to figure out if I could specify a "custom" lambda layer for the deployments so we could package up the expected version, but I can't find anything so far.
6 replies
pentagonal-proboscis
@pentagonal-proboscis
Hi All. I want to turn on Cost Anomaly Detection in all of my AWS accounts and add an anomaly alarm. Is this possible with C7N? I went through the AWS reference but didn't find anything obvious.
4 replies
cleo2525
@cleo2525

Hello, I have a policy that detects s3 buckets with public write ACL and removes them. However, this policy also removes the corresponding Read ACL, if present.

Is there a way to remove just the Write & Write_ACP global grant?

policies:
  - name: public-access-write-s3
    resource: s3
    description: remove public write access acl
    filters:
      - type: global-grants
        allow_website: false
        permissions: [WRITE, WRITE_ACP]
    actions:
      - type: delete-global-grants
        grantees:
          - "http://acs.amazonaws.com/groups/global/AllUsers"
          - "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

Hi, just following up to see if anyone knows if there's a way to remove just the Write access from the global grants and leave the Read access if present.

aakshaik2
@aakifshaikh
Does the auto-tag-user policy work on existing resources? Can it look back 365 days or X days, find the event owner, and tag the resources with it?
7 replies
kapilt
@kapilt:matrix.org
The docs have examples of the full syntax for events.
vgtom
@vgtom
Can c7n be used for cost optimization?
2 replies
Steve Craig
@stevesworkgithub
Hi, sorry, I've asked a similar question before, but do we have a rough idea when 0.9.11 will be released? I'm being pushed to get a fix in before quarter-end, which I could just patch in if need be, but would prefer to get a stable release in if at all possible. Thanks very much in advance :-)
Hopkins Nji
@HopkinsNji_twitter

I'm experiencing difficulties using the marked-for-op filter with security groups. I have a security group that got tagged by Cloud Custodian with cc-cleanup: Resource does not meet policy: delete@2021/05/30, but when I use the marked-for-op filter, it doesn't find the security group.

filters:

  # - tag:cc-cleanup: present
  - type: marked-for-op
    tag: cc-cleanup
    op: delete

Has anyone experienced this with security groups or am I missing something?

12 replies
Ben Khmelnytskiy
@benkhmelnytskiy

Hello guys,

I'm looking for some best practices on how to manage a multi-account setup in AWS with Cloud Custodian, especially for the CI/CD part.

Where/how do you keep the policies' state?
How do you know which policy to deploy and where? Do you maybe use a CSV file with a list of accounts/OUs/policies?

5 replies
Kapil Thangavelu
@kapilt
New custodian release 0.9.11.0. Release notes: https://github.com/cloud-custodian/cloud-custodian/releases/tag/0.9.11.0
yourdog
@yourdog

Looking for some assistance with proper filter writing for my use case. At a high level, I'm looking to filter on AWS Security Groups where TCP/22 is opened up to public CIDRs (i.e., non-RFC 1918). I've been trying multiple

  - or:
      - type: ingress
        IpProtocol: "tcp"
        Ports: [22]
        Cidr:
          value_type: cidr
          op: in
          value: "0.0.0.0/5"

types of statements, but my filter only matches 1 ingress block at a time.

2 replies
mundey
@mundey

Hello community,
I am just starting to use custodian today and trying it out with a tags-absent policy.

How can we test for the absence of a tag whose key has ":" in it?

policies:
  - name: ec2-tag-compliance
    resource: ec2
    comment: |
      Report on total count of non compliant instances
    filters:
      - or:
          - "tag:application": absent
          - "tag:acme:owner": absent

It is somehow not picking up resources with the acme:owner tag key and showing them in the report.

5 replies
Samarth Shivaramu
@s_samarth03_twitter

Hi,

I found the following policy here to identify IAM user accounts with access keys older than 90 days.

policies:
- name: iam-user-access-keys-created-before-90-days
  resource: iam-user
  filters:
    - type: credential
      key: access_keys.last_rotated
      value_type: age
      value: 90
      op: greater-than

The policy is returning incorrect results about the access key age of the IAM user accounts. We do have a few IAM user accounts that were created more than a year ago, but the access keys of some of these IAM user accounts were rotated around 2 weeks ago, and they still show up as stale accounts when the aforementioned policy is executed. Does this policy retrieve IAM user account details based on the user account creation date or based on the access key age? It also does not ignore the IAM user accounts which have the "Access Key Age" listed as "None".

1 reply
cleo2525
@cleo2525

Hi All, I'm trying to create a policy that has a filter that looks for a combination of things before it takes an action (which is clearing some tags).

Filter requirements

  1. If the tags public-access-policy and public-access-exception are present, take action.
  2. If the tag public-access-policy is present and the global-grants are not present, take the action.

This is what my filter looks like and it works in my testing environment.

    filters:
      - "tag:public-access-policy": present
      - or:
          - "tag:public-access-exception": present
          - not:
              - type: global-grants
                permissions: [READ, READ_ACP]

However, in production I had a scenario where a user deleted the public-access-exception tag. The bucket had public ACLs, which caused the bucket to fall out of compliance. My other policy triggered, marked the bucket for op with the tag public-access-policy, and sent a notification email. This was all as expected.

Then, when this policy was scheduled to run, it triggered on the non-compliant bucket and cleared the public-access-policy tag.

I'm trying to figure out where my filter logic is broken. The bucket had the public-access-policy tag, it did not have the public-access-exception tag, nor were the global-grants NOT present.

Alexandre Marcé
@AlexandreMarce_gitlab
Hello
I'm trying to export logs to CloudWatch using c7n-org. Did I miss something, or is this option not available?
2 replies
Phrancoua2
@Phrancoua2
Hello All
I'm trying to forward the monitoring of someone else's GuardDuty with Cloud Custodian. I have an issue executing the command line, as I don't understand how to grant c7n-guardian the credentials of my account.
For now it is taking the default credentials that I have, but how do I tell it to use the other credentials that I want?
6 replies
pendyalal
@pendyalal
Hi all, I set a lambda's memory to 128 MB when it was created. Now I want to change it to 256. Any easy solution?
4 replies
mini1989
@mini1989

Hello @here @kapilt
Can anyone advise what is wrong in this policy? I want to find all EC2 instances on a public subnet.

  - name: ec2-publicsubnet
    resource: ec2
    filters:
      - type: subnet
        key: MapPublicIpOnLaunch
        value: true

It is currently filtering everything out; please advise.
[DEBUG] 2021-03-24T09:20:00.705Z e4a8ef01-4351-43d6-9788-9084478e23eb Filtered from 80 to 80 subnet
[DEBUG] 2021-03-24T09:20:00.719Z e4a8ef01-4351-43d6-9788-9084478e23eb Filtered from 49 to 0 ec2

17 replies
Kristina Trump
@KristinaTrump_twitter
Hi @kapilt, can you please let me know whether this change has been released: cloud-custodian/cloud-custodian#6007
2 replies
Phrancoua2
@Phrancoua2
Hi all,
Goal: centralize findings from GuardDuty in one policy.
c7n-guardian only works for enabling/disabling accounts for GuardDuty.
As for modes, it looks at resources one by one.
Do you have any idea how I can gather all those findings in one file?
2 replies
codehead1997
@codehead1997
How can we filter iam-users which have been inactive for more than 30 days?

policies:
  - name: usage-unused-users
    resource: iam-user
    filters:
      - type: usage
        match-operator: all
        LastAuthenticated:
          type: value
          value_type: age
          op: more-than
          value: 30

This is what I came up with.
Is it correct?

codehead1997
@codehead1997
How can I filter IAM users based on the age of their last activity?
6 replies
Eugen Olteanu
@eugenolteanu_twitter
Hi, is there a way to change the Lambda names? It seems it always adds custodian- in front.
4 replies
Shawn L
@slaphitter
Hello. I've got a policy to normalize tag cases which worked great in testing, but once I applied it against all the EC2 instances it broke as soon as it hit one that didn't have one of the tag keys on it. Is there a way to get CC to act just on the keys that exist on a given resource, or must I write a policy for each of the tags I wish to normalize?
4 replies
sadik13
@sadik13
Hi Team,
I am new to Cloud Custodian. I want to check the public IP of EC2 instances in AWS by using a custodian policy. Thanks in advance!!!
8 replies
Kristina Trump
@KristinaTrump_twitter

@kapilt, when I was trying to delete old lambda versions it gave the error below.

- name: delete-old-lambda-versions
  resource: lambda
  filters:
    - type: value
      key: FunctionName
      op: regex
      value: ^(custodian-ec2-delete-old:?)
  actions:
    - type: trim-versions

{
"errorMessage": "Parameter validation failed:\nUnknown parameter in input: \"ResourceARNList\", must be one of: PaginationToken, TagFilters, ResourcesPerPage, TagsPerPage, ResourceTypeFilters, IncludeComplianceDetails, ExcludeCompliantResources",
"errorType": "ParamValidationError",
"stackTrace": [
" File \"/var/task/custodian_policy.py\", line 4, in run\n return handler.dispatch_event(event, context)\n",
" File \"/var/task/c7n/handler.py\", line 165, in dispatch_event\n p.push(event, context)\n",
" File \"/var/task/c7n/policy.py\", line 1143, in push\n return mode.run(event, lambda_ctx)\n",
" File \"/var/task/c7n/policy.py\", line 526, in run\n return PullMode.run(self)\n",
" File \"/var/task/c7n/policy.py\", line 285, in run\n resources = self.policy.resource_manager.resources()\n",
" File \"/var/task/c7n/query.py\", line 517, in resources\n resources = self.augment(resources)\n",
" File \"/var/task/c7n/query.py\", line 573, in augment\n return self.source.augment(resources)\n",
" File \"/var/task/c7n/resources/awslambda.py\", line 30, in augment\n return universal_augment(\n",
" File \"/var/task/c7n/tags.py\", line 91, in universal_augment\n resource_tag_results = client.get_resources(\n",
" File \"/var/runtime/botocore/client.py\", line 357, in _api_call\n return self._make_api_call(operation_name, kwargs)\n",
" File \"/var/runtime/botocore/client.py\", line 648, in _make_api_call\n request_dict = self._convert_to_request_dict(\n",
" File \"/var/runtime/botocore/client.py\", line 696, in _convert_to_request_dict\n request_dict = self._serializer.serialize_to_request(\n",
" File \"/var/runtime/botocore/validate.py\", line 297, in serialize_to_request\n raise ParamValidationError(report=report.generate_report())\n"
]
}

6 replies
Ben Khmelnytskiy
@benkhmelnytskiy

Hello,

does anyone here have experience with running the custodian tool in AWS Lambda and reading info from SQS?

For example, you send to SQS the info about which policy should be applied and to which account; the Lambda is triggered by an event from SQS, gets all this info, and passes these parameters to custodian inside the Lambda container.

1 reply
Abel
@Abikjose
@kapilt Do we have an action to create an Azure disk snapshot yet?
1 reply
aakshaik2
@aakifshaikh
Azure refers to this resource as Container Instances. Under what resource type does Cloud Custodian cover it? Is there a mapping between what Azure calls things and what Cloud Custodian calls them?
3 replies
sadik13
@sadik13
Hi Team, how do I get the age of the root account password? Please provide your suggestions for preparing the policy. Thank you!!!