we're moving to slack https://communityinviter.com/apps/cloud-custodian/c7n-chat
policies:
  - name: untrusted1-ami1
    resource: aws.ec2
    comment: |
      Stop running ec2 which does not match the trusted AMI
    filters:
      - "State.Name": running
      - type: value
        key: ImageId
        op: ni
        value:
          - ami-123456 # Trusted AMI
    mode:
      type: periodic
      schedule: "rate(1 minute)"
      role: arn:aws:iam::**********:role/lambdaRole
policies:
  - name: eni-with-ip-addresses
    resource: aws.eni
    description: |
      Find all ENIs with IP Addresses
    filters:
      - type: value
        key: PrivateIpAddresses[].Association.PublicIp
        op: in
        value: [34.228.103.209]
Hi @ajkerrigan, could you please help me with the Unauthorized API Calls events or filters for a custodian policy? If anyone tries to call an API they are not authorized to perform, custodian has to trigger the mail for the particular team. I am trying to figure it out but am not able to find any solution for this. If you can help me with this it will be very helpful for me.
Thanks in advance!!!
policies:
  - name: untagged-ebs-snapshots
    resource: ebs-snapshot
    comment: |
      Report on total count of untagged ebs snapshots
    filters:
      - and:
          - "tag:Owner": absent
          - "tag:Application": absent
          - "tag:Name": absent
    actions:
      - type: notify
        template: default.html
        template_format: html
        priority_header: '1'
        violation_desc: "These EBS Snapshots are untagged:"
        action_desc: |
          "Actions Taken: Recommend Add Tags.
          The listed EBS Snapshots are untagged and should be tagged."
        subject: "{{ account }} Untagged EBS Snapshots"
        to:
          - first.last@company.com
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/0123456789/cloud-custodian
Hi @ajkerrigan, could you please help me with a custodian policy for CloudTrail changes?
The events are:
CreateTrail
DeleteTrail
UpdateTrail
StartLogging and
StopLogging
These are the event ids which are working well for me:
  event: CreateTrail
  ids: "detail.responseElements.trailARN"
  event: UpdateTrail
  ids: "detail.responseElements.trailARN"
These 2 events are working fine for me, and for the remaining events I am getting an error like "Could not find resource ids".
Could you please help me with the remaining event ids? With your help it will be useful for me. Thanks in advance!!!
Hello All,
I am running a policy which runs in one region for checking ebs-encryption at the account level.
But I can still see different values for ebs encryption in different regions:
policies:
Hi Everyone,
How do I auto-add a mail id tag (ex: OwnerContact --> abc@gmail.com) to AWS ec2 instances while creating the instances?
policies:
  - name: rds-encryption-not-enabled-at-rest
    resource: aws.rds
    filters:
      - type: value
        key: StorageEncrypted
        op: ne
        value: true
Hi @ajkerrigan
Could you please help me with the custodian policy for Unauthorized API calls? We have tried executing the events like "Access Denied" and "Unauthorized Operation" but those are not working as per my requirement. These are the event and ids we are using:
    events:
      - source: apigateway.amazonaws.com
        event: Accessdenied
        ids: "requestParameters.ApiEvent"
Can you please suggest the events and ids for the policy?
Could you please help me with the custodian policy, or suggest any documentation for my requirement? Can you please tell me if this custodian policy can be created, or if there is any way to detect Unauthorized API calls?
Please respond on this, thanks.
Thanks in advance!!!
Hi all,
Can you help me check the aws security-group filter for the spec prefix list policy?
I tested the policy below multiple times. It can filter each IpProtocol, but not AllTraffic in "-1".
Usually we use only Cidr/Cidrv6 as the filter, which can match all the IpProtocols, even AllTraffic rules.
Is there anything wrong with my usage or policy?
policies:
  - name: prefix
    resource: security-group
    description: Match the spec Prefix List
    filters:
      - or:
          - type: ingress
            PrefixListIds: [PrefixListId: "pl-xxxx"]
Hello Guys,
I am using resource: rest-api and rest-stage and want to make a few accounts exceptions, but I am not getting the account number details to filter on in c7n.
Can anyone please let me know how to use the account numbers from the accounts.yml file to filter and process them accordingly?
Hi @ajkerrigan,
We need to deploy some custodian policies which are related to IAM policy events and ids. As per our requirement we have the events, but we are facing issues with the resources and event ids....
These are the resource and events which we are using:
  resource: iam-policy
  description: |
    Notify if any IAM policy is modified.
  mode:
    type: cloudtrail
    events:
      - source: iam.amazonaws.com
        event: CreatePolicy
        ids: "requestParameters.policyArn"
      - source: iam.amazonaws.com
        event: CreatePolicyVersion
        ids: "requestParameters.policyArn"
    role: arn:aws:iam::{account_id}:role/cloud-custodian
Is there any correction needed in the event ids or resource? If I get any response from you it will be very useful for me to complete this. For the resource I also tried the account level, but the emails are not getting triggered:
"resource: account"
Thanks in advance!!!
Hi @ajkerrigan, we are trying to execute the custodian policies with resource: "Account" but we are not getting the exact messages in the email description based on the event or aws resource info. The message we are getting only contains the account number or account name, not the resource info. This is the example policy, events and resource we are using:
  - source: ec2.amazonaws.com
    event: DeleteVpc
    ids: "requestParameters.vpcId"
  actions:
Output we are getting in the email subject:
Please refer to the attachment above.
Please suggest if any corrections are needed in my policy to get the full information about the resource details.
Thanks in advance!!!
Hello, we need to use a variable to set the retention, which differs depending on the customer; I've added the variable in the policy
  - type: age
    op: greater-than
    days: {retention_days}
and into the c7n inventory
  retention_days: 30
but we continue to receive the error: "unsupported type for timedelta days component: dict"
Do you have any suggestions?
Hello Everyone, I am having an issue with one of my policies, which I have shared below
policies:
  - name: mark-for-op
    resource: ec2
    filters:
      - "tag:Name": present
    actions:
      - type: mark-for-op
        op: terminate
        hours: 1
Will this policy terminate the ec2 instance after an hour?? When I run this policy it only tags the instances that have a "Name" tag for termination; it does not actually terminate the instances.
policies:
  - name: custodian-s3-object-encryption
    resource: s3
    actions:
      - type: encrypt-keys
        crypto: aws:kms
        key-id: alias/aws/s3