Hello, I have a policy that detects s3 buckets with public write ACL and removes them. However, this policy also removes the corresponding Read ACL, if present.

Is there a way to remove just the Write & Write_ACP global grant?

    - name: public-access-write-s3
      resource: s3
      description: remove public write access acl
      filters:
        - type: global-grants
          allow_website: false
          permissions: [WRITE, WRITE_ACP]
      actions:
        - type: delete-global-grants
          grantees:
            - "http://acs.amazonaws.com/groups/global/AllUsers"
            - "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

Hi just following up to see if anyone knows if there's a way to just remove the Write access from the global grants and leave the Read access if present.

Does the auto-tag-user policy work on existing resources? Can it look back 365 days or X days, find the event owner and tag the resources with it?
7 replies
The docs have examples of full syntax for events
can c7n be used for cost optimization?
2 replies
Steve Craig
Hi - sorry, I've asked a similar question before, but do we have a rough idea when 0.9.11 will be released? I'm being pushed to get a fix in before quarter-end which I could just patch in if needs be, but would prefer to get a stable release in if at all possible. Thanks very much in advance :-)
Hopkins Nji

I'm experiencing difficulties using the marked-for-op filter with security groups. I have a security group that got tagged by cloud custodian with cc-cleanup: Resource does not meet policy: delete@2021/05/30, but when I use the marked-for-op filter, it doesn't find the security group.


  # - tag:cc-cleanup: present
  - type: marked-for-op
    tag: cc-cleanup
    op: delete

Has anyone experienced this with security groups or am I missing something?

12 replies
Ben Khmelnytskiy

Hello guys,

I'm looking for some best practices on how to manage multi-account setup in AWS with Cloud Custodian, especially for CI/CD part.

Where/how do you keep the policies' state?
How do you know which policy to deploy and where? Do you maybe use a CSV file with a list of accounts/OUs/policies?

5 replies
Kapil Thangavelu
new custodian release - release notes https://github.com/cloud-custodian/cloud-custodian/releases/tag/

Looking for some assistance with proper filter writing for my use case. At a high level, I'm looking to filter on AWS Security Groups where TCP/22 is opened up to public CIDRs (i.e., non-RFC 1918). I've been trying multiple

    - or:
        - type: ingress
          IpProtocol: "tcp"
          Ports: [22]
          value_type: cidr
          op: in
          value: ""

type of statements, but my match only matches 1 ingress block at a time

2 replies

Hello community,
I am just starting to use custodian today and trying out a tags-absent policy.

How can we test for the absence of a tag whose key has ":" in it?

  - name: ec2-tag-compliance
    resource: ec2
    comment: |
      Report on total count of non compliant instances
    filters:
      - or:
          - "tag:application": absent
          - "tag:acme:owner": absent

It is somehow not picking up the resources with the acme:owner tag key and showing them in the report.

5 replies
Samarth Shivaramu


I found the following policy here to identify IAM user accounts with access keys older than 90 days.

- name: iam-user-access-keys-created-before-90-days
  resource: iam-user
  filters:
    - type: credential
      key: access_keys.last_rotated
      value_type: age
      value: 90
      op: greater-than

The policy is returning incorrect results about the access key age of the IAM user accounts. We do have a few IAM user accounts that were created more than a year ago, but the access keys of some of these IAM user accounts were rotated around 2 weeks back and they still show up as stale accounts when the aforementioned policy is executed. Does this policy retrieve IAM user account details based on the user account creation date or based on the access key age? It also does not ignore the IAM user accounts which have the "Access Key Age" listed as "None".

1 reply

Hi All, I'm trying to create a policy that has a filter that looks for a combination of things before it takes an action (which is clearing some tags).

Filter requirements

  1. If the tags public-access-policy and public-access-exception are present, take action.
  2. If the tag public-access-policy is present and the global-grants are not present, take the action.

This is what my filter looks like and it works in my testing environment.

      - "tag:public-access-policy": present
      - or:
          - "tag:public-access-exception": present
          - not:
              - type: global-grants
                permissions: [READ, READ_ACP]

However, in production I had a scenario where a user deleted the public-access-exception tag. The bucket had public ACLs, which caused the bucket to fall out of compliance. My other policy triggered and marked the bucket for op with the tag public-access-policy and sent a notification email. This was all as expected.

Then when this policy was scheduled to run, it triggered on the non-compliant bucket and cleared the public-access-policy tag.

I'm trying to figure out where my filter logic is broken. The bucket had the public-access-policy tag, it did not have the public-access-exception tag, nor were the global-grants NOT present.

Alexandre Marcé
I'm trying to export logs to CloudWatch using c7n-org. Did I miss something, or is this option not available?
2 replies
Hello All
I'm trying to forward the monitoring of someone else's GuardDuty with Cloud Custodian. I have an issue executing the command line, as I don't understand how to grant c7n-guardian the credentials of my account.
For now it is taking the default credentials that I have, but how do I tell it to take the other credentials that I want to use?
6 replies
Hi all, I set a Lambda's memory to 128 MB when I created it. Now I want to change it to 256. Any easy solution?
4 replies

hello @here @kapilt
Can anyone advise what is wrong in this policy? I want to find all EC2 instances on public subnets.

  - name: ec2-publicsubnet
    resource: ec2
    filters:
      - type: subnet
        key: MapPublicIpOnLaunch
        value: true

It is currently filtering out everything. Please advise.
[DEBUG] 2021-03-24T09:20:00.705Z e4a8ef01-4351-43d6-9788-9084478e23eb Filtered from 80 to 80 subnet
[DEBUG] 2021-03-24T09:20:00.719Z e4a8ef01-4351-43d6-9788-9084478e23eb Filtered from 49 to 0 ec2

17 replies
Kristina Trump
Hi @kapilt, can you please let me know whether this change has been released -> cloud-custodian/cloud-custodian#6007
2 replies
Hi all,
Goal: centralize findings from GuardDuty in one policy.
c7n-guardian only works for enabling/disabling accounts for GuardDuty.
As for modes, it looks resource by resource.
Do you have any idea how I can gather all those findings in one file?
2 replies
How can we filter iam-users which have been inactive for more than 30 days?


  - name: usage-unused-users
    resource: iam-user
    filters:
      - type: usage
        match-operator: all
        type: value
        value_type: age
        op: more-than
        value: 30

This is what I came up with.
Is it correct?

How can I filter IAM users based on the age of their last activity?
6 replies
Eugen Olteanu
Hi, is there a way to change the Lambda names? Seems it always adds custodian- in front.
4 replies
Shawn L
Hello. I've got a policy to normalize tag cases which worked great in testing but once I applied it against all the EC2 instances it broke as soon as it hit one that didn't have one of the tag keys on it. Is there a way to get CC to act just on the keys that exist on a given resource, or must I write a policy for each of the tags I wish to normalize?
4 replies
Hi Team,
I am new to Cloud Custodian. I want to check the public IP of EC2 instances in AWS by using a Custodian policy. Thanks in advance!!!
8 replies
Kristina Trump

@kapilt, when I was trying to delete old Lambda versions it gave an error as below.

    - name: delete-old-lambda-versions
      resource: lambda
      filters:
        - type: value
          key: FunctionName
          op: regex
          value: ^(custodian-ec2-delete-old:?)
      actions:
        - type: trim-versions

"errorMessage": "Parameter validation failed:\nUnknown parameter in input: \"ResourceARNList\", must be one of: PaginationToken, TagFilters, ResourcesPerPage, TagsPerPage, ResourceTypeFilters, IncludeComplianceDetails, ExcludeCompliantResources",
"errorType": "ParamValidationError",
"stackTrace": [
" File \"/var/task/custodian_policy.py\", line 4, in run\n return handler.dispatch_event(event, context)\n",
" File \"/var/task/c7n/handler.py\", line 165, in dispatch_event\n p.push(event, context)\n",
" File \"/var/task/c7n/policy.py\", line 1143, in push\n return mode.run(event, lambda_ctx)\n",
" File \"/var/task/c7n/policy.py\", line 526, in run\n return PullMode.run(self)\n",
" File \"/var/task/c7n/policy.py\", line 285, in run\n resources = self.policy.resource_manager.resources()\n",
" File \"/var/task/c7n/query.py\", line 517, in resources\n resources = self.augment(resources)\n",
" File \"/var/task/c7n/query.py\", line 573, in augment\n return self.source.augment(resources)\n",
" File \"/var/task/c7n/resources/awslambda.py\", line 30, in augment\n return universal_augment(\n",
" File \"/var/task/c7n/tags.py\", line 91, in universal_augment\n resource_tag_results = client.get_resources(\n",
" File \"/var/runtime/botocore/client.py\", line 357, in _api_call\n return self._make_api_call(operation_name, kwargs)\n",
" File \"/var/runtime/botocore/client.py\", line 648, in _make_api_call\n request_dict = self._convert_to_request_dict(\n",
" File \"/var/runtime/botocore/client.py\", line 696, in _convert_to_request_dict\n request_dict = self._serializer.serialize_to_request(\n",
" File \"/var/runtime/botocore/validate.py\", line 297, in serialize_to_request\n raise ParamValidationError(report=report.generate_report())\n""

6 replies
Ben Khmelnytskiy


Does anyone here have experience with running the custodian tool in AWS Lambda and reading info from SQS?

For example, you send to SQS info about which policy should be applied and for which account; the Lambda is triggered by an event from SQS, gets all this info, and passes these parameters to custodian inside the Lambda container.

1 reply
@kapilt Do we have an action to create azure disk snapshot yet?
1 reply
Azure refers to this resource as Container Instances. Under what resource type does Cloud Custodian cover it? Is there a mapping between what Azure calls things and what Cloud Custodian calls them?
3 replies
Hi Team, How to get the age of the root account password? please provide your suggestions for preparing the policy. Thank you!!!
Adam Kosmin
Hello, I don't seem to be able to generate a report from S3 anymore despite the fact that my runs do succeed and store data in my bucket
I've ruled out permissions, and have verified both run and reporting functionality using a local directory for -s
18 replies
Adam Kosmin
custodian report -s s3://my-damn-bucket/output policy.yaml --profile mylegitprofile
where policy.yaml contains just a single policy that uses the aws.s3 resource to look for buckets that don't have a set of tags. That policy.yaml is valid since it has produced daily outputs into the s3 bucket I'm trying to report against
Mihir Deshpande
Hello! Do we have any action that can enable encryption on EFS?

Mihir Deshpande
Do we have any way of notifying if a custom domain is created with a specific TLSv?
3 replies
what is the command to see the installed c7n-azure version?
1 reply
Anyone ingesting cloud custodian logs from AZURE blob storage into SumoLogic SIEM? Need help please? Ping me.
1 reply
I am using the policy below to invoke a Lambda for remediation. My question is, how can I ensure that the Lambda gets invoked and executed properly? Is SQS integration possible for the invoke-lambda action type?

  - name: ec2-public-ip-check
    resource: ec2
    mode:
      type: config-rule
      role: arn:aws:iam::xxxxxxxxxxxx:role/ec2-public-ip-check-lambda-role
    description: |
      If a EC2 instance has Risk tag as "high" and a public IP attached, take some action.
    filters:
      - "tag:Risk": "High"
      - "PublicIpAddress": present
    actions:
      - type: invoke-lambda
        function: ec2-public-ip-remediation
        batch_size: 1
        async: true
Adam Kosmin
Using 0.9.10, which I've used successfully many times, I'm now seeing oddness where I can't report against data that I know has been output into my S3 bucket. My runs are triggered via a cronjob and I've verified the job has sent output into the bucket. However, I continue to see 0 hits when I run my reports. The crazy thing is that if I issue a run from my local binary (the same binary I use to report), I can then get the corresponding hits when I report. Would anyone be willing to get into the weeds of this with me? I'm convinced it's something obvious I'm overlooking
7 replies
Is there a way I can create a custodian Lambda that can copy EC2 image tags from account A to accounts B, C, D?
2 replies
Is there a way for me to create two eventbridges for one lambda? I want to run on the 2nd and 3rd Saturday of a month to handle OS patching but I would prefer to have my accounts/regions as clean as possible and not have two lambdas that do the same thing but on different schedules
Michael Nguyen
Kind of a newbie question, but how do you guys upgrade Cloud-Custodian easily? I'm currently on version and was wondering how can I upgrade without overwriting certain files such as the mailer.yml, makefile, Dockerfile, etc due to custom things I have added.
Just a little context on my env, I would push my changes to our Cloud-Custodian repo then a Jenkins job would kick off to create an image and send it to our main AWS account in ECR. Then I have fargate tasks that run on a Cloudwatch schedule that pulls from the Cloud Custodian image in ECR. Also running c7n-org from these tasks.
I'm trying to publish reports to Datadog. The primary goal is to send a notification to the team with a list of resources which are not meeting tagging policies. Can someone help me with how I can solve this, @kapilt?
Does custodian support policies for apigatewayv2 (http and websocket api) ?
The docs have filters/actions for rest-api resource, and rest-api resource doesn't filter out http api.
indrajeet singh

Hi team. Just started exploring custodian and testing on aws.
Created a simple yaml for stopping and starting an EC2 instance with a tag applied on the instance. The problem is that if I stop an instance it works fine, but when I try to start it again, it gives an error. To add: before stopping the instance it was made sure that all checks had passed in Status checks. However, after an interval of approximately 28 minutes, the same yaml gets executed successfully and the instance gets stopped or started. Can someone please let me know if something is wrong? I hope custodian checks the instance status checks after executing. Many thanks!

  - name: my-first-policy
    resource: aws.ec2
    filters:
      - "tag:custodian": present
    actions:
      - stop

Error/warning it gives after starting the instance and using the same yaml with "start" in the action:

2021-04-02 19:47:57,891: custodian.policy:INFO policy:my-first-policy resource:aws.ec2 region:us-east-1 count:1 time:0.00
2021-04-02 19:47:57,892: custodian.actions:WARNING stop implicitly filtered 0 of 1 resources key:State.Name on running
2021-04-02 19:47:57,892: custodian.policy:INFO policy:my-first-policy action:stop resources:1 execution_time:0.00

After 28 minutes the same command gets executed successfully:

custodian run  -s out custodian.yml --region=us-east-1
2021-04-02 20:11:03,541: custodian.policy:INFO policy:my-first-policy resource:aws.ec2 region:us-east-1 count:1 time:63.05
2021-04-02 20:12:05,418: custodian.policy:INFO policy:my-first-policy action:stop resources:1 execution_time:61.88

I'm hitting a mental wall...

I'm testing out c7n-org.

Basically I have a role cloud-custodian in all my org accounts that can be assumed by a single one of them via stacksets

That's working.
The stackset that creates the arn:aws:iam::{acct id}:role/cloud-custodian role has a policy:

            "Action": [
            "Resource": "*",
            "Effect": "Allow"

But I'm getting the error:
2021-04-02 15:16:14,308: c7n_org:ERROR Exception running policy:iam-users-with-active-keys account:users region:us-east-1 error:An error occurred (AccessDeniedException) when calling the BatchImportFindings operation: User: arn:aws:sts::{acct id}:assumed-role/cloud-custodian/CloudCustodian is not authorized to perform: securityhub:BatchImportFindings on resource: arn:aws:securityhub:us-east-1::product/cloud-custodian/cloud-custodian

Is assumed-role different from my role permissions? I'm not sure why it's not picking up that permission.

7 replies