Jorge O. Castro
@castrojo
Yes, there will be full recordings of everything!
also, due to prepping for Governance as Code day we won't be doing our usual docs hangout today, but it will return after KubeCon!
David Hodge
@davezen1
Adding an action to enable CloudTrail:

  - type: enable-cloudtrail
    trail: events-trail
    bucket: aws-cloudtrail-logs-{account_id}

results in botocore.exceptions.ClientError: An error occurred (InvalidLocationConstraint) when calling the CreateBucket operation: The specified location-constraint is not valid. Running with a default region.
1 reply
pbissiwu
@pbissiwu
Hello, I am new here. Quick question. Can I run cloud custodian in kubernetes?
1 reply
David Hodge
@davezen1
Is it possible to 'pipe' output of a policy into variable into another policy? For example, find accounts without MFA, for all accounts with MFA, add them to group 'No-MFA'. So the first policy would find accounts and then that list can be fed to a second policy that acts on iam-user resources.
raaajit
@raaajit
@kapilt , is there a way to detect vpc peerings?
5 replies
Jorge O. Castro
@castrojo
We're live now at KubeCon, Brian Lozada from HBO is on now if you want to tune in! https://hopin.com/events/governance-as-code-day-with-cloud-custodian-hosted-by-stacklet
sur
@surkat918_gitlab
Folks, we have Cloud Custodian and policies running, but our main developer quit. Now we have no idea how to fix it. In this regard, we are looking for a consultant who can help us for a couple of hours to understand it. We will pay by the hour. Please accept my apologies if I posted in the wrong room. Please feel free to point me in the right direction.
anergiti
@anergiti
Hello,
RDS publicly accessible issue - I have an RDS instance that is set as publicly accessible in the Connectivity section.
Executing this policy does not detect it. Any thoughts? Thanks!

policies:
  - name: aws_rds_publicaly_accessible
    resource: rds
    filters:
      - PubliclyAccessible: true
16 replies
sur
@surkat918_gitlab
Folks, what would be the difference between the AWS Conformance Pack for compliance (https://github.com/awslabs/aws-config-rules) and Cloud Custodian?
pendyalal
@pendyalal
Hi all, any idea how we can check these 2 conditions in a Custodian policy?

  # Checking 4. Volume throughput is less than 125 Mbps (Read Bytes Sum + Write Bytes Sum for each minute should be less than 7500, i.e. 125 x 60)
  # Checking 5. Volume IOPS are less than 3000 (Read IOPS Sum + Write IOPS Sum for each minute should be less than 180,000, i.e. 3000 x 60)
7 replies
manvik4u
@manvik4u

Hello,

I am seeing an issue with the c7n mailer notifications. I have included an email address under the cc field in my c7n policy, but the same email is also appearing under the to field when the email is received (see the screenshot above). We would like to see 'to' and 'cc' separated. Is this a bug? Can I get a fix?

Here is my notify action:

actions:

  - type: notify
    template: default-tag.html
    subject: "{{account_id }} | {{region}} | S3 - AWS Custodian Tagging Findings"
    to:
      - "{acc_owner}"
    cc: 
      - IT-AWSCustodian@abc.com

P.S: acc_owner variable doesn't contain 'IT-AWSCustodian@abc.com' email address.

10 replies
manvik4u
@manvik4u
Can either of you respond to the above issue: @jtroberts83 | @kapilt | @ajkerrigan
jkoermer-eqxm
@jkoermer-eqxm

I have a policy to send notification emails directly to users. It appears that the notifications are being sent multiple times. I'm trying to understand why this might be? When I look at the logs, I see that only 1 event was triggered, but it looks like the lambda is running multiple times. I'm seeing an access denied error in the logs. Would this cause the function to reprocess and duplicate sends? Is it being sent multiple times because of multiple users?

boto3.exceptions.S3UploadFailedError: Failed to upload /tmp/tmp3foduz1n/metadata.json.gz to custodian-results-bucket/iam-aging-key-notification-owner-XXXXXXXXXXXX/2021/10/14/21/metadata.json.gz: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
[ERROR] 2021-10-14T21:07:16.544Z 59665190-1b2a-4454-8d83-c30374c84a1d error during policy execution
Traceback (most recent call last):
  File "/var/runtime/boto3/s3/transfer.py", line 279, in upload_file
    future.result()
  File "/var/runtime/s3transfer/futures.py", line 106, in result
    return self._coordinator.result()
  File "/var/runtime/s3transfer/futures.py", line 265, in result
    raise self._exception
  File "/var/runtime/s3transfer/tasks.py", line 126, in __call__
    return self._execute_main(kwargs)
  File "/var/runtime/s3transfer/tasks.py", line 150, in _execute_main
    return_value = self._main(**kwargs)
  File "/var/runtime/s3transfer/upload.py", line 694, in _main
    client.put_object(Bucket=bucket, Key=key, Body=body, **extra_args)
  File "/var/runtime/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/task/c7n/handler.py", line 165, in dispatch_event
    p.push(event, context)
  File "/var/task/c7n/policy.py", line 1164, in push
    return mode.run(event, lambda_ctx)
  File "/var/task/c7n/policy.py", line 531, in run
    return PullMode.run(self)
  File "/var/task/c7n/policy.py", line 334, in run
    return resources
  File "/var/task/c7n/ctx.py", line 103, in __exit__
    self.output.__exit__(exc_type, exc_value, exc_traceback)
  File "/var/task/c7n/output.py", line 486, in __exit__
    self.upload()
  File "/var/task/c7n/output.py", line 494, in upload
    self.upload_file(os.path.join(root, f), key)
  File "/var/task/c7n/resources/aws.py", line 542, in upload_file
    self.transfer.upload_file(
  File "/var/runtime/boto3/s3/transfer.py", line 285, in upload_file
    raise S3UploadFailedError(
boto3.exceptions.S3UploadFailedError: Failed to upload /tmp/tmp3foduz1n/metadata.json.gz to custodian-results-bucket/iam-aging-key-notification-owner-XXXXXXXXXXXX/2021/10/14/21/metadata.json.gz: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

Here is the policy (with the mode information removed - I'm just using periodic):

- name: iam-aging-key-notification-owner-XXXXXXXXXXXX
  mode:
  resource: iam-user
  description: Notify IAM users with aging access keys
  filters:
    - type: access-key
      key: Status
      value: Active
    - type: access-key
      key: CreateDate
      value_type: age
      value: 170
      op: greater-than
    - "tag:OwnerContact": present
  actions:
    - type: notify
      template: iam_user_notification
      to:
        - resource-owner
      subject: "[Custodian] AWS Access Keys"
      violation_desc: "XXXXXXXXXXXX - Aging Access Keys"
      action_desc: "All personal IAM access keys must be rotated after 180 days.  Please rotate your AWS IAM Access keys.  https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html."
      transport:
        type: sqs
        queue: https://sqs.us-east-1.amazonaws.com/<queueurl>
5 replies
Ro
@rohanpower_twitter

Hi all,
New to the group. Hoping to get some assistance on the following policy filter if possible?

  - name: secgrp-risk-remediate
    mode:
    resource: security-group
    description:
    filters:
      - or:
          - type: ingress
            OnlyPorts: [ 443 ]
            Cidr:
              value: "0.0.0.0/0"
          - type: ingress
            OnlyPorts: [ 443 ]
            CidrV6:
              value: "::/0"
          - and:
              - type: value
                key: "tag:application"
                value: "cc_exempted"
                value_type: normalize
                op: not-equal
              - type: ingress
                OnlyPorts: [ 9999 ]
                Cidr:
                  value: "0.0.0.0/0"

I'm trying to allow SGs with a particular tag and inbound port to be allowed, but the policy always removes the rule from the group.
Is this because it's matching on one of the other OR conditions?

2 replies
Craig P.
@crizznaig_twitter

Hello!
Is there any way to parse the value of a Tag Key within AWS?
So, for example:

Key: "kubernetes.io/cluster/<cluster_name>"
Value: "owned"

is there some pattern where I can check for "kubernetes.io" within the value of the Key itself?

Igor-Potyomkin
@Igor-Potyomkin

Hi Team, I'm new to custodian and I'm trying to find a way to store the response locally in the same structure as I customized for the webhook. The resources.json and metadata.json files don't contain what I need, so I'm trying to set that up.
My .yaml file config is:

  - name: IAM-Test
    description: IAM-Test
    resource: account
    region: us-east-1
    filters:
      - or:
        - and:
          - type: password-policy
            key: RequireUppercaseCharacters
            value: false
    actions:
      - type: webhook
        url: https://hooks.slack.com
        body: |-
          {
            "attachments": [
              {
                "fallback": `CloudCustodian`,
                "color": `warning`,
                "fields": [
                  {
                    "title": `Account Id`,
                    "value": resource.account_id,
                    "short": `true`
                  },
                  {
                    "title": `Account Name`,
                    "value": resource.account_name,
                    "short": `true`
                  },
                { "There may be other custom fields": "custom field value"}
                ],
                "icon_emoji": `:rotating_lights:`
              }
            ]
          }

Thanks.

myoung34
@myoung34

dumb question but

policies:
  - name: IAM User with active access key
    resource: iam-user
    region: us-east-1
    filters:
      - type: access-key
        key: Status
        value: Active
      - not:
        - or:
          - tag:vendor: "true"
          - tag:Name: "orgaccess+aws@foo.com"

is there a way to add not in account 1111111 somehow to the rule?

45 replies
Javier Collado
@jcollado

Hello all,

I'm looking into using Cloud Custodian to automatically add an owner tag to an EC2 instance and its EBS volumes when the instance is launched.

In the documentation I've seen this policy which looks like a very good starting point:
https://cloudcustodian.io/docs/aws/examples/ec2-auto-tag-user.html

In some video from the Stacklet YouTube channel, I also saw an example of copying tags from the instance to the volumes using the copy-instance-tags action:
https://cloudcustodian.io/docs/aws/resources/ebs.html#aws-ebs-actions-copy-instance-tags

However, I'm not sure about how that would work.
My understanding is that the EC2 policy would be triggered by CloudWatch by parsing CloudTrail logs.
How would the EBS volume policy be triggered?
Using the pull or the periodic execution mode doesn't seem to be the best approach
because ideally, the volumes should be tagged at the same time as the instance.
Unfortunately, it doesn't seem to be possible to tag both the EC2 instance and the EBS volumes in the same rule.

What would be the best approach to do this?

6 replies
Jin Kang
@jinkang23

Hello, is it possible to parse a raw JSON string using the event filter?
Currently, I'm using a JMESPath query for the key in my event filter, and because the actual value of the policyDocument attribute is an escaped, stringified raw JSON, it is unable to parse it. Is there a way within a custodian policy to convert this to an object that can be parsed by JMESPath? If not, any recommendations on how I can parse this?

Thank you!

Here's an example of my partial event payload:

{
    "version": "0",
    "id": "5710ee03-2735-056e-02e3-e5baad43ae30",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventTime": "2021-10-18T21:31:11Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "PutRolePolicy",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "cloudformation.amazonaws.com",
        "userAgent": "cloudformation.amazonaws.com",
        "requestParameters": {
            "roleName": "test",
            "policyName": "allow-all",
            "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"*\",\"Resource\":\"*\",\"Effect\":\"Allow\",\"Sid\":\"AllowAllAdmin\"}]}"
        },
        "responseElements": null
    },
    "debug": true
}

Here's the custodian policy I'm working with:

policies:
  - name: iam-role-has-admin-policy-attached
    resource: aws.iam-role
    description: |
      Cloud Custodian IAM Role has Administrative policy attached
    mode:
      type: cloudtrail
      events:
        - source: iam.amazonaws.com
          event: PutRolePolicy
          ids: "requestParameters.roleName"
    filters:
      - type: event
        key: "detail.requestParameters.policyDocument.Statement[].Action"
        value_type: swap
        op: in
        value: "*"
9 replies
Javier Collado
@jcollado

How do you manage the lifecycle of the policies that create resources, such as lambda functions or cloudwatch metric filters? My understanding is that I need to delete those resources on my own. Is that correct? Is there maybe a custodian policy that is able to remove resources created by custodian itself based on tags?

To provide some background about what I was expecting as a new custodian user:

  • in terraform there's a state file and when a resource is removed from the terraform code, terraform will remove the resource in the next apply command call
  • in ansible there isn't any state file, but it's possible to set state to either present or absent. Hence, when I want to remove a resource from my code, I can set the state to absent first, let ansible remove it and then remove it from the code.
5 replies
Matthew Tordoff
@mat-tordoff

Regarding conditional execution of policy actions. I found this issue:
cloud-custodian/cloud-custodian#6024

Just wondering if there are any plans to implement this? Or if it is possible in another way?

My use-case is:
1) Run SSM "send-command" action.
2) IF successful run "tag" action to tag the resource to show particular piece of software has been installed.
ELSE don't tag and try send-command action again next time policy runs.

3 replies
Jin Kang
@jinkang23

Hello, is there a way to conditionally handle errors raised while performing any of the actions?

For example, I have a policy where, if an IAM role has an allow-all policy, it will attach an AWS-managed deny-all policy. However, if the IAM role already has 10 managed policies attached, the Custodian lambda function raises a LimitExceeded error. What I would like to do is to handle this by detaching one of the 10 managed policies and attempting it again.
Thank you!

My sample policy:

policies:
  - name: iam-role-has-admin-policy-attached-test
    resource: aws.iam-role
    description: |
      Cloud Custodian IAM Role has Administrative policy attached 
    mode:
      type: cloudtrail
      role: arn:aws:iam::111111111111:role/test-role
      events:
        - source: iam.amazonaws.com
          event: PutRolePolicy
          ids: "requestParameters.roleName"
    filters:
      - or:
        - type: has-specific-managed-policy
          value: AdministratorAccess
        - type: check-permissions
          match: denied
          actions:
            - '*:*'
      - type: value
        key: AssumeRolePolicyDocument.Statement[].Action
        value_type: swap
        op: in
        value: 'sts:AssumeRoleWithSAML'
    actions:
      - type: set-policy
        state: attached
        arn: arn:aws:iam::aws:policy/AWSDenyAll

Error message from the Custodian lambda function:

{
  "errorMessage": "An error occurred (LimitExceeded) when calling the AttachRolePolicy operation: Cannot exceed quota for PoliciesPerRole: 10",
  "errorType": "LimitExceededException",
  "stackTrace": [
    "  File \"/var/task/custodian_policy.py\", line 4, in run\n    return handler.dispatch_event(event, context)\n",
    "  File \"/var/task/c7n/handler.py\", line 165, in dispatch_event\n    p.push(event, context)\n",
    "  File \"/var/task/c7n/policy.py\", line 1164, in push\n    return mode.run(event, lambda_ctx)\n",
    "  File \"/var/task/c7n/policy.py\", line 459, in run\n    return self.run_resource_set(event, resources)\n",
    "  File \"/var/task/c7n/policy.py\", line 489, in run_resource_set\n    results = action.process(resources)\n",
    "  File \"/var/task/c7n/resources/iam.py\", line 1091, in process\n    client.attach_role_policy(\n",
    "  File \"/var/runtime/botocore/client.py\", line 386, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
    "  File \"/var/runtime/botocore/client.py\", line 705, in _make_api_call\n    raise error_class(parsed_response, operation_name)\n"
  ]
}
2 replies
Samarth Shivaramu
@s_samarth03_twitter

I've deployed CIS benchmark validation in AWS accounts via Cloud Custodian. The Cloud Custodian policy gets deployed as part of AWS account creation that is executed via a bash script. The CC policy does get deployed successfully in the new AWS account, but NOT in all the AWS regions. I see the following error message in the regions given below:

2021-10-17 20:06:10,343: c7n_org:ERROR Exception running policy:cis-cloudtrail-is-secure-and-running account:<account_name> region:ap-northeast-1 error:An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda.
2021-10-17 20:06:10,560: c7n_org:ERROR Exception running policy:cis-cloudtrail-is-secure-and-running account:<account_name> region:eu-west-1 error:An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda.

Regions:

ap-northeast-1
eu-west-1
eu-west-2
ap-northeast-3
eu-west-3
ap-south-1

The ap-northeast-3 (Osaka) region is not enabled for new AWS accounts in my organization, so it makes sense if the CC policy is not deployed in that region. But all the other regions are enabled for new AWS accounts and the error occurs in only these regions and is successfully deployed in the other regions.

Based on some information gathered from this forum and Stack Overflow, I did re-verify that the IAM role does have "lambda.amazonaws.com" in its trust relationship (if not, the policy would not have deployed in any of the AWS regions). The other information I was able to gather was that this error could be prevented by introducing a few seconds of delay, for which I used the "delay" property for the "cloudtrail" mode in the CC policy. Adding the "delay" property did not resolve the issue.

However, I did notice that this error occurs only if I invoke the policy execution via the account creation bash script. If I execute the CC policy from my local machine, the CC policy is executed successfully in all the regions.

Has anybody experienced such an issue? If so, how can I troubleshoot, why a CC policy is failing in certain AWS regions?

6 replies
Jin Kang
@jinkang23
Does check-permissions filter take into consideration the AWS Organizations SCPs? The reason I'm asking is because I am getting inconsistent results and trying to understand if this filter when used against aws.iam-role resource evaluates more than just the in-line policies and managed policies that are attached to the IAM role.
7 replies
Deep Patel
@SilentWolf__gitlab

Hello,
I am trying to access specific data from the resource.json file in the webhook action of my policy yaml file.
Or how can I use the entire json data to post to the webhook?
For example, I need the CidrIp info in my webhook action json.
How am I going to access it?

Here is my resource.json
{
  "Description": "launch-wizard-3 created 2021-10-18T20:14:49.325-04:00",
  "GroupName": "launch-wizard-3",
  "IpPermissions": [
    {
      "FromPort": 80,
      "IpProtocol": "tcp",
      "IpRanges": [
        {
          "CidrIp": "0.0.0.0/0"
        }
      ],
      "Ipv6Ranges": [],
      "PrefixListIds": [],
      "ToPort": 80,
      "UserIdGroupPairs": []
    },
    {
      "FromPort": 22,
      "IpProtocol": "tcp",
      "IpRanges": [
        {
          "CidrIp": "0.0.0.0/0",
          "Description": ""
        }
      ],
      "Ipv6Ranges": [],
      "PrefixListIds": [],
      "ToPort": 22,
      "UserIdGroupPairs": []
    }
  ],

14 replies
LA
@liz-acosta
Since I've got webhooks on the brain, is there a way you could send authentication headers with the webhook action?
sur
@surkat918_gitlab

I've got a question related to storing the policy pass/violation results in our database. In this regard, we have 3 questions:
1) How to find out if a policy has passed or been violated?
2) Instead of posting to a webhook, we want to store the results in a database. What's the recommended way to do that?
3) Is there any policy package readily available for NIST/CIS compliance for AWS?

Thanks for help in advance. I appreciate the awesome community.

6 replies
Jorge O. Castro
@castrojo
Good news folks, if you missed Governance as Code Day we now have all the vids on YouTube: https://www.youtube.com/playlist?list=PLtIlR7WdaxTEj45N63lUgrd2IhS_gD3pe
2 replies
Lots of good info there!
altenx
@altenx
I'm re-upping this ASG policy that is failing to stop the creation and running of AWS EC2 instances with public IP addresses. I've gone through this over 30 times with variations in the resource, event and filter to no avail. I've looked at the source code in asg.py, searched the CC gitter and searched the Internet with no success. I've tested with ASG configurations as well as with EC2 templates with no luck. Here's what I believe should be the correct policy (based on the asg.py comments).
6 replies
- name: zsec-enforce-ASGPublicIpPolicy
  resource: asg
  mode:
    type: cloudtrail
    events:
    - source: autoscaling.amazonaws.com
      event: CreateAutoScalingGroup
      ids: requestParameters.autoScalingGroupName
    role: zsecEnforcementsLambdaRole
  filters:
  - type: launch-config
    key: "AssociatePublicIpAddress"
    value: true
  actions:
  - suspend
A similar policy, that checks for ASG spinning up only 1 EC2 instance, works fine (i.e. it is suspended).
- name: zsec-enforce-ASGPublicIpPolicy
  resource: asg
  mode:
    type: cloudtrail
    events:
    - source: autoscaling.amazonaws.com
      event: CreateAutoScalingGroup
      ids: requestParameters.autoScalingGroupName
    role: zsecEnforcementsLambdaRole
  filters:
  - type: value
    key: MinSize
    value: 1
    op: eq
  actions:
  - suspend
Here is the CloudWatch log.
altenx
@altenx
2021-10-20T22:43:30.871-07:00   START RequestId: 3793703f-6f8a-4e16-8ef7-d524089dffde Version: $LATEST

2021-10-20T22:43:31.684-07:00 [INFO]    2021-10-21T05:43:31.668Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Processing event

{
    "version": "0",
    "id": "f0d64faa-dc3c-fcb5-fb86-4e5a0728bc58",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.autoscaling",
    "account": "xxxxxxxx8633",
    "time": "2021-10-21T05:43:13Z",
    "region": "eu-central-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAI2VPKICTIPIAGCZSS:aalten@xxxxx.com",
            "arn": "arn:aws:sts::xxxxxxxx8633:assumed-role/Full-Admin-SAML-Role/aalten@xxxxx.com",
            "accountId": "xxxxxxxx8633",
            "accessKeyId": "ASIARBGJCOO4ZD5244OA",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "AROAI2VPKICTIPIAGCZSS",
                    "arn": "arn:aws:iam::xxxxxxxx8633:role/Full-Admin-SAML-Role",
                    "accountId": "xxxxxxxx8633",
                    "userName": "Full-Admin-SAML-Role"
                },
                "webIdFederationData": {},
                "attributes": {
                    "creationDate": "2021-10-21T03:08:17Z",
                    "mfaAuthenticated": "false"
                }
            }
        },
        "eventTime": "2021-10-21T05:43:13Z",
        "eventSource": "autoscaling.amazonaws.com",
        "eventName": "CreateAutoScalingGroup",
        "awsRegion": "eu-central-1",
        "sourceIPAddress": "98.47.41.143",
        "userAgent": "aws-internal/3 aws-sdk-java/1.12.75 Linux/5.4.141-78.230.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard",
        "requestParameters": {
            "minSize": 1,
            "tags": [
                {
                    "propagateAtLaunch": true,
                    "key": "Name",
                    "value": "aalten-test-public-asg-33",
                    "resourceType": "auto-scaling-group"
                }
            ],
            "maxSize": 1,
            "newInstancesProtectedFromScaleIn": false,
            "autoScalingGroupName": "aalten-test-public-asg-33",
            "healthCheckType": "EC2",
            "healthCheckGracePeriod": 300,
            "desiredCapacity": 1,
            "launchConfigurationName": "aalten-launch-config-public-internet-1",
            "vPCZoneIdentifier": "subnet-6340202e"
        },
        "responseElements": null,
        "requestID": "e7dff48e-de6e-4203-9d49-719bb73b87b8",
        "eventID": "3e2837d6-8388-4f95-a2bf-79959e1bc2c8",
        "readOnly": false,
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "xxxxxxxx8633",
        "eventCategory": "Management"
    },
    "debug": true
}
2nd half of the CloudWatch log.
2021-10-20T22:43:31.684-07:00   [DEBUG] 2021-10-21T05:43:31.684Z 3793703f-6f8a-4e16-8ef7-d524089dffde Disabling cache

2021-10-20T22:43:31.685-07:00   [WARNING] 2021-10-21T05:43:31.685Z 3793703f-6f8a-4e16-8ef7-d524089dffde Custodian reserves policy lambda tags starting with custodian - policy specifies custodian-info

2021-10-20T22:43:31.685-07:00 [INFO]    2021-10-21T05:43:31.685Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Found resource ids:['aalten-test-public-asg-33']

2021-10-20T22:43:31.992-07:00 [INFO]    2021-10-21T05:43:31.991Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Resources [{'AutoScalingGroupName': 'aalten-test-public-asg-33', 'AutoScalingGroupARN': 'arn:aws:autoscaling:eu-central-1:xxxxxxxx8633:autoScalingGroup:c530605e-c1bb-40b8-81e0-46781cd90eda:autoScalingGroupName/aalten-test-public-asg-33', 'LaunchConfigurationName': 'aalten-launch-config-public-internet-1', 'MinSize': 1, 'MaxSize': 1, 'DesiredCapacity': 1, 'DefaultCooldown': 300, 'AvailabilityZones': ['eu-central-1c'], 'LoadBalancerNames': [], 'TargetGroupARNs': [], 'HealthCheckType': 'EC2', 'HealthCheckGracePeriod': 300, 'Instances': [{'InstanceId': 'i-0e07ac595df620bce', 'InstanceType': 'c4.large', 'AvailabilityZone': 'eu-central-1c', 'LifecycleState': 'Pending', 'HealthStatus': 'Healthy', 'LaunchConfigurationName': 'aalten-launch-config-public-internet-1', 'ProtectedFromScaleIn': False}], 'CreatedTime': datetime.datetime(2021, 10, 21, 5, 43, 13, 211000, tzinfo=tzlocal()), 'SuspendedProcesses': [], 'VPCZoneIdentifier': 'subnet-6340202e', 'EnabledMetrics': [], 'Tags': [{'ResourceId': 'aalten-test-public-asg-33', 'ResourceType': 'auto-scaling-group', 'Key': 'Name', 'Value': 'aalten-test-public-asg-33', 'PropagateAtLaunch': True}], 'TerminationPolicies': ['Default'], 'NewInstancesProtectedFromScaleIn': False, 'ServiceLinkedRoleARN': 'arn:aws:iam::xxxxxxxx8633:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling'}]

2021-10-20T22:43:31.992-07:00 [INFO]    2021-10-21T05:43:31.992Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Filtering resources using 1 filters

2021-10-20T22:43:32.072-07:00 [DEBUG]   2021-10-21T05:43:32.071Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Filter #1 applied 1->0 filter:
{
    "type": "launch-config",
    "key": "AssociatePublicIpAddress",
    "value": true
}


2021-10-20T22:43:32.072-07:00 [DEBUG]   2021-10-21T05:43:32.072Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Filtered from 1 to 0 asg

2021-10-20T22:43:32.072-07:00 [INFO]    2021-10-21T05:43:32.072Z        3793703f-6f8a-4e16-8ef7-d524089dffde    Filtered resources 0 of 1

2021-10-20T22:43:32.072-07:00 [INFO]    2021-10-21T05:43:32.072Z        3793703f-6f8a-4e16-8ef7-d524089dffde    policy:zsec-enforce-ASGPublicIpPolicy resources:asg no resources matched

2021-10-20T22:43:32.073-07:00   END RequestId: 3793703f-6f8a-4e16-8ef7-d524089dffde

2021-10-20T22:43:32.073-07:00   REPORT RequestId: 3793703f-6f8a-4e16-8ef7-d524089dffde Duration: 1202.16 ms Billed Duration: 1203 ms Memory Size: 512 MB Max Memory Used: 78 MB Init Duration: 572.68 ms
Any useful advice would be most appreciated. Thank you.
altenx
@altenx
Here is the correct version.
$ custodian version
0.9.13
Matthew Tordoff
@mat-tordoff
Hi all - I am trying to pull route 53 resolvers and ideally the ENIs associated with them. Do you know if this is possible currently? I did find the aws.eni policy which I am going to investigate, but that doesn't solve the resolver ask. Thanks.
4 replies
vdmanjunath
@vdmanjunath
Hi All, I'm trying to send a notification using cloud custodian for the azure resource (azure.aks cluster) based on the CPU resource usage by creating the policy and would like to know what is the metric we use for Azure AKS Cluster and how to send the notification?
Matthew Tordoff
@mat-tordoff
Regarding executing SSM documents - is it possible to trigger SSM Distributor packages? I tried using send-command, which seems to be limited to SSM Command Documents. I am guessing this just isn't supported at the moment either?
7 replies
Cenisar-Villanueva
@Cenisar-Villanueva

Hi
I'm new to Cloud Custodian and very interested in using it.

May I ask if it is possible to create a c7n policy that will check if auto-scaling is enabled in DynamoDb tables?
Thanks in advance for answering my question.

4 replies
Jorge Castro
@jcastro:matrix.org
[m]
Liz and I won't be doing a doc sprint this afternoon, we'll be returning next week!
cleo2525
@cleo2525

Hello, I'm looking to set the TLS security policy on some Cloudfront distributions. I tried the following action, but received this error (my credentials have access to update the distro)

botocore.exceptions.ClientError: An error occurred (InternalError) when calling the UpdateDistribution operation (reached max retries: 4):

Is there a way to set the MinimumProtocolVersion with c7n?

  actions:
    - type: set-attributes
      attributes:
        ViewerCertificate:
          MinimumProtocolVersion: TLSv1.2_2018
2 replies
Cenisar-Villanueva
@Cenisar-Villanueva

Hi
I'm having trouble checking if there is a multi-region CloudTrail trail in my account. Below is my policy.

policies:
  - name: check-cloudtrail-multi-region
    resource: aws.account
    filters:
      - type: check-cloudtrail
        multi-region: true

and the output is this: none, even though I have a trail that is multi-region.

2021-10-24 16:45:52,103: custodian.policy:INFO policy:check-cloudtrail-multi-region resource:aws.account region:us-east-2 count:0 time:2.99

Can anyone advise what is wrong with my policy?
Thanks in advance!

1 reply
Shawn L
@slaphitter
Hello, looking for a confirmation on this… it appears to me that CC can not manipulate the "Requester Pays" setting for an S3 bucket. Is this correct?