Rules engine for AWS management, DSL in yaml for query, filter, and actions on resources
hello,
does anyone here have experience with running custodian tool in AWS Lambda and reading info from SQS?
for example, you send to SQS info about which policy and for which account it should be applied, Lambda is triggered by an event from SQS, gets all this info, and pass these parameters to custodian inside lambda container
1 reply
18 replies
Hi Team, How to get the age of the root account password? please provide your suggestions for preparing the policy. Thank you!!!
policies:
- name: ec2-public-ip-check
resource: ec2
mode:
type: config-rule
role: arn:aws:iam::xxxxxxxxxxxx:role/ec2-public-ip-check-lambda-role
description: |
If a EC2 instance has Risk tag as "high" and a public IP attached, take some action.
filters:- "tag:Risk": "High"
- "PublicIpAddress": present
actions: - type: invoke-lambda
function: ec2-public-ip-remediation
batch_size: 1
async: true
7 replies
Just a little context on my env, I would push my changes to our Cloud-Custodian repo then a Jenkins job would kick off to create an image and send it to our main AWS account in ECR. Then I have fargate tasks that run on a Cloudwatch schedule that pulls from the Cloud Custodian image in ECR. Also running c7n-org from these tasks.
Hi team. Just started exploring custodian and testing on aws.
Created a simple yaml for stop and start an ec2 instance with a tag applied on the instance. Problem is this that if I stop an instance it works fine, but when I try to start it again, it gives error. To add: Before stopping the instance it was made sure that all checks has been passed in Status checks. However, after an interval of like 28 minutes approx, the same yaml gets executed successfully and the instance gets stopped or started. can someone please let me know if something wrong. I hope cusotdian checks the instances status checks post executing. Mnay thanks !
policies:
- name: my-first-policy
resource: aws.ec2
filters:
- "tag:custodian": present
actions:
- stopError/warning it gives post starting the instance and using the same yaml with "start" in action
2021-04-02 19:47:57,891: custodian.policy:INFO policy:my-first-policy resource:aws.ec2 region:us-east-1 count:1 time:0.00
2021-04-02 19:47:57,892: custodian.actions:WARNING stop implicitly filtered 0 of 1 resources key:State.Name on running
2021-04-02 19:47:57,892: custodian.policy:INFO policy:my-first-policy action:stop resources:1 execution_time:0.00After 28 minutes the same command gets executed successfully
custodian run -s out custodian.yml --region=us-east-1
2021-04-02 20:11:03,541: custodian.policy:INFO policy:my-first-policy resource:aws.ec2 region:us-east-1 count:1 time:63.05
2021-04-02 20:12:05,418: custodian.policy:INFO policy:my-first-policy action:stop resources:1 execution_time:61.88
Im hitting a mental wall…..
Im testing out c7n-org
Basically I have a role cloud-custodian in all my org accounts that can be assumed by a single one of them via stacksets
Thats working.
The stackset that creates the arn:aws:iam::{acct id}:role/cloud-custodian role has a policy:
"Action": [
"securityhub:BatchImportFindings"
],
"Resource": "*",
"Effect": "Allow"
}But Im getting the error2021-04-02 15:16:14,308: c7n_org:ERROR Exception running policy:iam-users-with-active-keys account:users region:us-east-1 error:An error occurred (AccessDeniedException) when calling the BatchImportFindings operation: User: arn:aws:sts::{acct id}:assumed-role/cloud-custodian/CloudCustodian is not authorized to perform: securityhub:BatchImportFindings on resource: arn:aws:securityhub:us-east-1::product/cloud-custodian/cloud-custodian
Is assumed-role different from my role permissions? Im not sure why its not picking up that permission
7 replies
5 replies
- name: ec2-instance-tagging-policy
resource: ec2
filter:
- <<: *invalid_circle_tag
-name: ebs-volume-tagging-policy
resource: ebs
filter:
- <<: *invalid_circle_tag
...
I'm trying to filter for s3 bucket policies that contain certain actions. I know I can use the 'has-statement' filter with 'action' option. But I was wondering if I could use the generic 'value' filter with 'op: regex' so I don't have to list out every action I am filtering for.
I pulled the available keys from the 's3' resource and I see the bucket policy is contained in the "Policy" key. I want to narrow my filter down to just look at the Action section of the policy when applying the regex. But I'm not sure how to specify that in the filter. The following filter isn't working.
policies:
- name: s3-filter-test
resource: s3
filters:
- type: value
key: Policy.Statement.Action
- name: invalid-ip-address-login-detected
resource: account
description: |
Notifies on invalid external IP console logins
mode:
type: cloudtrail
role: CloudCustodian-QuickStart
events:
filters:- ConsoleLogin- not:
- type: event
key: 'detail.sourceIPAddress'
value: |
'^((158.103.|142.179.|187.39.)([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])
.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))|(12.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])
.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]).([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))$'
op: regex
actions:
- type: event
- type: notify
template: default.html
priority_header: 1
subject: "Login From Invalid IP Detected - [custodian {{ account }} - {{ region }}]"
violation_desc: "A User Has Logged In Externally From A Invalid IP Address Outside The Company's Range:"
action_desc: |
to:"Please investigate and revoke the invalid session along with any other restrictive actions if appropriate"- davidprinceshalem@gmail.com
transport:
type: sqs
queue: https://sqs.us-east-1.amazonaws.com/12345678900/cloud-custodian-mailer
region: us-east-1
- davidprinceshalem@gmail.com
- not:
3 replies
Hi there - I have created a policy in an attempt to return all AWS iam users + their credentials as follows:
policies:
- name: iam-users-inventory
resource: iam-user
region: us-east-1
filters:
- or:
- type: credential
key: password_enabled
value: false
- type: credential
key: password_enabled
value: trueHowever, this doesn't return every user in my account - is there something I am obviously doing wrong here?
5 replies
Hi, has anyone tried out azure multi-cloud support in the most recent release? Is it only supported in custodian or does c7n_org have support for it as well? I'm attempting to call ./c7n-org run -c azure_gov_subscription.yml -s output -u my_policy.yml --dryrun --region=AzureUSGovernment --verbose and it seems to produce an error correlating to commercial authentication endpoints login.microsoftonline.com instead of gov ones.
azure_gov_subscription.yml has the subscription name and ID that is located in Azure US Gov Cloudmy_policy.yml is a simple policy that should return the # of virtual machines under the specified subscription in azure_gov_subscription.yml
9 replies
I'm having trouble getting the cross-account whitelist_conditions filter to work on my s3 policies. I have a test policy like this
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OrgReadAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::devprivbucket-#######",
"arn:aws:s3:::devprivbucket-#######/*"
],
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-##########"
}
}
}
]
}And my filter looks like this
policies:
- name: public-access-policy-s3-mark
resource: s3
description: |
tag bucket with public read access policy and send notifications
filters:
- type: check-public-block
- type: cross-account
everyone_only: true
- type: cross-account
whitelist_conditions: ["StringEquals"]When I run this filter, it matches on buckets with the whitelisted condition. My understanding is that 'whitelisted_conditions" should make the filter skip the bucket policy
10 replies
hey,
does anybody know why it happen?
2021-04-06 17:31:21,716: c7n.policies:WARNING policy:SecCCKmsRule resources:kms-key not available in region: us-east-1
2021-04-06 17:31:21,716: custodian.commands:WARNING Empty policy file(s). Nothing to do.
I'm trying to run custodian in lambda container and facing the above error; but when running the same policy from command line with exactly the same parameters - it works without any errors
1 reply
Hi All. I have a requirement where am trying to filter the data for nested JSON values. The value am trying to filter is "Type" and "Protocol" under the DefaultActions. Can anyone help. Below is the JSON and the syntax am trying which is unfortunately not working.
"c7n:MatchedListeners": [
{
"ListenerArn": "arn:aws:elasticloadbalancing:us-west-2:181167:listener/app/testhttpredirect/e2af8aa22/1c9c2c9c",
"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-west-2:181167:loadbalancer/app/testhttpredirect/e2af8aa22",
"Port": 80,
"Protocol": "HTTP",
"DefaultActions": [
{
"Type": "redirect",
"Order": 1,
"RedirectConfig": {
"Protocol": "HTTPS",
"Port": "443",
"Host": "#{host}",
"Path": "/#{path}",
"Query": "#{query}",
"StatusCode": "HTTP_301"
}
}
]Filter:
- type: listener
key: DefaultActions.Type
value: "redirect"
op: eq
8 replies
{
"id": "xxxxxxxxx",
"name": "ssm_support_api",
"description": "API supporting centralizaed SSM EC2 registration.",
"createdDate": "2021-03-22T16:14:13+00:00",
"apiKeySource": "HEADER",
"endpointConfiguration": {
"types": [
"PRIVATE"
]
},
"policy": "{\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Effect\\\":\\\"Deny\\\",\\\"Principal\\\":\\\"*\\\",\\\"Action\\\":\\\"execute-api:Invoke\\\",\\\"Resource\\\":\\\"arn:aws:execute-api:us-east-1:xxxxxxxxx:xxxxxxxxx\\/*\\\",\\\"Condition\\\":{\\\"StringNotEquals\\\":{\\\"aws:SourceVpce\\\":\\\"vpce-xxxxxxxxxxxxxx\\\"}}},{\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":\\\"*\\\",\\\"Action\\\":\\\"execute-api:Invoke\\\",\\\"Resource\\\":\\\"arn:aws:execute-api:us-east-1:xxxxxxxxx:xxxxxxxxxx\\/*\\\"}]}",
"Tags": [],
"c7n:MatchedFilters": [
"policy"
]
}
]
1 reply