Hello, I have a policy that detects S3 buckets with a public write ACL and removes it. However, this policy also removes the corresponding Read ACL, if present.
Is there a way to remove just the Write & Write_ACP global grant?
policies:
  - name: public-access-write-s3
    resource: s3
    description: remove public write access acl
    filters:
      - type: global-grants
        allow_website: false
        permissions: [WRITE, WRITE_ACP]
    actions:
      - type: delete-global-grants
        grantees:
          - "http://acs.amazonaws.com/groups/global/AllUsers"
          - "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
Hi, just following up to see if anyone knows whether there's a way to remove just the Write access from the global grants and leave the Read access, if present.
I'm experiencing difficulties using the marked-for-op filter with security groups. I have a security group that got tagged by Cloud Custodian with "Resource does not meet policy: delete@2021/05/30", but when I use the marked-for-op filter, it doesn't find the security group.
# - tag:cc-cleanup: present
- type: marked-for-op
  tag: cc-cleanup
  op: delete
Has anyone experienced this with security groups or am I missing something?
I'm looking for some best practices on how to manage a multi-account setup in AWS with Cloud Custodian, especially for the CI/CD part.
Where/how do you keep the policies' state?
How do you know which policy to deploy, and where? Do you maybe use a CSV file with a list of accounts/OUs/policies?
Looking for some assistance with proper filter writing for my use case. At a high level, I'm looking to filter on AWS Security Groups where TCP/22 is opened up to public CIDRs (i.e., non-RFC 1918). I've been trying multiple types of statements, but my match only matches one ingress block at a time.
I am just starting to use custodian today and trying out a tags-absent policy.
How can we test for the absence of a tag whose key has a ":" in it?
It is somehow not picking up resources with the acme:owner tag key and showing them in the report.
I found the following policy here to identify IAM user accounts with access keys older than 90 days.
policies:
  - name: iam-user-access-keys-created-before-90-days
    resource: iam-user
    filters:
      - type: credential
        key: access_keys.last_rotated
        value_type: age
        value: 90
        op: greater-than
The policy is returning incorrect results about the access key age of the IAM user accounts. We do have a few IAM user accounts that were created more than a year ago, but the access keys of some of these IAM user accounts were rotated around 2 weeks back and they still show up as stale accounts when the aforementioned policy is executed. Does this policy retrieve IAM user account details based on the user account creation date or based on the access key age? It also does not ignore the IAM user accounts which have the "Access Key Age" listed as "None".
Hi All, I'm trying to create a policy that has a filter that looks for a combination of things before it takes an action (which is clearing some tags).
This is what my filter looks like and it works in my testing environment.
filters:
  - "tag:public-access-policy": present
  - or:
      - "tag:public-access-exception": present
      - not:
          - type: global-grants
            permissions: [READ, READ_ACP]
However, in production I had a scenario where a user deleted the public-access-exception tag. The bucket had public ACLs, which caused the bucket to fall out of compliance. My other policy triggered, marked the bucket for op with the tag public-access-policy and sent a notification email. This was all as expected.
Then when this policy was scheduled to run, it triggered on the non-compliant bucket and cleared the public-access-policy tag.
I'm trying to figure out where my filter logic is broken. The bucket had the public-access-policy tag, it did not have the public-access-exception tag, nor were the global-grants NOT present.
hello @here @kapilt
Can anyone advise what is wrong in this policy? I want to find all EC2 instances on public subnets.
It is currently filtering out all of them, please advise.
[DEBUG] 2021-03-24T09:20:00.705Z e4a8ef01-4351-43d6-9788-9084478e23eb Filtered from 80 to 80 subnet
[DEBUG] 2021-03-24T09:20:00.719Z e4a8ef01-4351-43d6-9788-9084478e23eb Filtered from 49 to 0 ec2
This is what I came up with.
Is it correct?
@kapilt, when I was trying to delete old Lambda versions it gives an error as below:
- name: delete-old-lambda-versions
  resource: aws.lambda
  filters:
    - type: value
      key: FunctionName
      op: regex
      value: ^(custodian-ec2-delete-old:?)
  actions:
    - type: trim-versions
"errorMessage": "Parameter validation failed:\nUnknown parameter in input: \"ResourceARNList\", must be one of: PaginationToken, TagFilters, ResourcesPerPage, TagsPerPage, ResourceTypeFilters, IncludeComplianceDetails, ExcludeCompliantResources",
" File \"/var/task/custodian_policy.py\", line 4, in run\n return handler.dispatch_event(event, context)\n",
" File \"/var/task/c7n/handler.py\", line 165, in dispatch_event\n p.push(event, context)\n",
" File \"/var/task/c7n/policy.py\", line 1143, in push\n return mode.run(event, lambda_ctx)\n",
" File \"/var/task/c7n/policy.py\", line 526, in run\n return PullMode.run(self)\n",
" File \"/var/task/c7n/policy.py\", line 285, in run\n resources = self.policy.resource_manager.resources()\n",
" File \"/var/task/c7n/query.py\", line 517, in resources\n resources = self.augment(resources)\n",
" File \"/var/task/c7n/query.py\", line 573, in augment\n return self.source.augment(resources)\n",
" File \"/var/task/c7n/resources/awslambda.py\", line 30, in augment\n return universal_augment(\n",
" File \"/var/task/c7n/tags.py\", line 91, in universal_augment\n resource_tag_results = client.get_resources(\n",
" File \"/var/runtime/botocore/client.py\", line 357, in _api_call\n return self._make_api_call(operation_name, kwargs)\n",
" File \"/var/runtime/botocore/client.py\", line 648, in _make_api_call\n request_dict = self._convert_to_request_dict(\n",
" File \"/var/runtime/botocore/client.py\", line 696, in _convert_to_request_dict\n request_dict = self._serializer.serialize_to_request(\n",
" File \"/var/runtime/botocore/validate.py\", line 297, in serialize_to_request\n raise ParamValidationError(report=report.generate_report())\n""
Does anyone here have experience with running the custodian tool in AWS Lambda and reading info from SQS?
For example, you send to SQS info about which policy should be applied and for which account, Lambda is triggered by an event from SQS, gets all this info, and passes these parameters to custodian inside the Lambda container.