sharif_
@sharif_:matrix.org
Hello guys, I was working on Custodian policies on AWS Lambda that run every 1 min. I was not getting resource.json in the output directory and did not know the reason behind it. Can anyone help me out on this? I have attached a screenshot of the output directory.
policies:
  - name: untrusted1-ami1
    resource: aws.ec2
    comment: |
      Stop running ec2 which does not match with the trusted AMI
    filters:
      - "State.Name": running
      - type: value
        key: ImageId
        op: ni
        value:
          - ami-123456 # Trusted AMI
    mode:
      type: periodic
      schedule: "rate(1 minute)"
      role: arn:aws:iam::**********:role/lambdaRole
Brian Gaber
@bgaber
I want to filter ENI by Public IP Address. What is wrong with this code?
policies:
- name: eni-with-ip-addresses
  resource: aws.eni
  description: |
      Find all ENIs with IP Addresses
  filters:
    - type: value
      key: PrivateIpAddresses[].Association.PublicIp
      op: in
      value: [34.228.103.209]
3 replies
misumme-pg
@misumme-pg
Hi. Does anyone know if Cloud Custodian has a policy to automate tags for an AMI pipeline?
11 replies
RamyaHosavalike
@RamyaHosavalike
@ajkerrigan @Jamison Roberts
Any idea on the below :
Is it possible to check whether connections to S3 buckets are made using SSL connections only, using Custodian?
10 replies
classickar
@classickar
Hi @ajkerrigan @kapilt, I have a requirement to attach an existing security group to EC2 instances. If this is possible with a c7n policy, it would be very helpful if you could please share an example.
2 replies
vijay23vikram
@vijay23vikram

Hi @ajkerrigan, could you please help me on the Unauthorized API calls events or filters for the custodian policy. If anyone tries to call an API they are not authorized to perform the action for, Custodian has to trigger the mail for the particular team. I am trying to figure it out but am not able to find any solution on this. If you help me on this it will be very helpful for me.

Thanks in Advance!!!

1 reply
manikantaskanda
@manikantaskanda
Hi Team,
How do we create a CloudTrail policy for the unattached EBS volumes? My requirement is to trigger if the EBS volume is in the available state.
  - name: ebs-mark-unattached-deletion
    resource: ebs
    filters:
      - Attachments: []
      - "tag:maid_status": absent
    actions:
      - type: mark-for-op
        op: delete
        days: 30
1 reply
jkosanovong
@jkosanovong
Hello all. I am trying to filter EBS volumes by age. I'm not seeing this filter in the docs. Does anyone know if there is a way to filter based off a regex for 'CreateTime' using a 'value' filter with regex somehow?
3 replies
Brian Gaber
@bgaber
I am producing a list of EBS Snapshots without tags. Is there a way to show the size in the notify email?
policies:
  - name: untagged-ebs-snapshots
    resource: ebs-snapshot
    comment: |
      Report on total count of untagged ebs snapshots
    filters:
      - and:
        - "tag:Owner": absent
        - "tag:Application": absent
        - "tag:Name": absent
    actions:
      - type: notify
        template: default.html
        template_format: html
        priority_header: '1'
        violation_desc: "These EBS Snapshots are untagged:"
        action_desc: |
            "Actions Taken: Recommend Add Tags.
            The listed EBS Snapshots are untagged and should be tagged."
        subject: "{{ account }} Untagged EBS Snapshots"
        to:
          - first.last@company.com
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/0123456789/cloud-custodian
5 replies
RamyaHosavalike
@RamyaHosavalike
image.png
1 reply
anupsah69
@anupsah69
Hi Cloud Custodian team. I need some help to understand: is it possible, if we run the policy first, that the policy will then apply to future app service creation?
For example, there is a basic policy to stop an EC2 instance if it has the specific tag we filter on.
policies:
  - name: my-first-policy
    resource: aws.ec2
    filters:
      - "tag:Custodian": present
    actions:
      - stop
If we run the policy first and then create the EC2 instance after that with the above tag, will it stop the instance?
Please guide me, if it is possible, on how I can do that.
1 reply
vijay23vikram
@vijay23vikram

Hi @ajkerrigan , could you please help me on custodian policy for cloudtrail changes
the Events are:
CreateTrail
DeleteTrail
UpdateTrail
StartLogging and
StopLogging

These are the event ids which are working well for me:

    - source: cloudtrail.amazonaws.com
      event: CreateTrail
      ids: "detail.responseElements.trailARN"
    - source: cloudtrail.amazonaws.com
      event: UpdateTrail
      ids: "detail.responseElements.trailARN"
These 2 events are working fine for me, and for the remaining events I am getting an error like "Could not find resource ids".
Could you please help me with the remaining event ids? With your help it will be useful for me.

Thanks in Advance!!!

1 reply
kshitij-singh
@kshitij-singh

Hello All,

I am running a policy which runs in one region for checking ebs-encryption at the account level.
But I can still see different values for EBS encryption in different regions:
policies:
  - name: check-default-ebs-encryption
    resource: aws.account
    filters:
      - type: default-ebs-encryption
        key: "alias/aws/ebs"
        state: true
3 replies
gopinath145
@gopinath145

Hi Everyone,

How do I auto-add a mail id tag (e.g. OwnerContact --> abc@gmail.com) to AWS EC2 instances while creating the instances?

2 replies
sharif_
@sharif_:matrix.org
Hi everyone, can we enable storage encryption in RDS using Cloud Custodian? I was able to filter out the unencrypted RDS instances using the policy below. Help me out on how to enable it using Cloud Custodian actions.
policies:
  - name: rds-encryption-not-enabled-at-rest
    resource: aws.rds
    filters:
      - type: value
        key: StorageEncrypted
        op: ne
        value: true
1 reply
anupsah69
@anupsah69
policies:
  - name: storage-https-not-enabled
    resource: azure.storage
    description: |
      Find all Keys - that does not have auto regenerate enabled or
      do not rotate every 30 days.
    filters:
      - or:
        - type: auto-regenerate-key
          value: false
        - type: regeneration-period
          op: ne
          value: P30D
1 reply
Unable to filter the access key using this template.
Any suggestion on this?
vijay23vikram
@vijay23vikram

Hi @ajkerrigan

Could you please help me on the custodian policy for Unauthorized API calls. We had tried by executing the events like "Access Denied" and "Unauthorized Operation" but those are not working as per my requirement. These are the event and ids we are using:

events:

    - source: apigateway.amazonaws.com
      event: Accessdenied
      ids: "requestParameters.ApiEvent"

Can you please suggest the events and ids for the policy?

Could you please help me on the custodian policy or please suggest me any of the documentation for my requirement. Can you please tell me if this Custodian policy can be created or is there anyway to create the Unauthorized API calls.

Please respond on this, Thanks.

Thanks in Advance!!!

3 replies
Zeno Ren
@ZenoRewn

Hi all,

Can you help to check with the aws security-group filter spec prefix list policy?

I tested the policy below multiple times. It can filter each IpProtocol, but not for AllTraffic in "-1".
Usually we used only Cidr/Cidrv6 as a filter, which can match all the IpProtocol, even AllTraffic rules.
Is there anything wrong with my usage or policy?

policies:
  - name: prefix
    resource: security-group
    description: Match the spec Prefix List
    filters:
    - or:
      - type: ingress
        PrefixListIds: [PrefixListId: "pl-xxxx"]
10 replies
ChaseThompson8
@ChaseThompson8
Does anyone know if there's a way to use cloud custodian to filter by creation date of any kind of resource? I can only do it with a select few but I'd like to do it with DynamoDB, RDS, Lambda, SQS, SNS, S3, and more
1 reply
Smart of The Smartest
@pavantheavenger
Hello Team,
Is there any Custodian policy that would run an API call to list deprecated runtimes dynamically instead of passing the runtime values in the policy yaml file?
1 reply
ChaseThompson8
@ChaseThompson8
Not sure if my message went through, but is there a way to delete a KMS key, and why is the documentation so unclear for a lot of this basic stuff?
1 reply
anupsah69
@anupsah69
Hello Team,
I need help on activity log alerts. Can anyone tell me what resource I can use and what filters I need to use to achieve the log alerts?
1 reply
mission-badams
@mission-badams
Anyone have any good tips for getting the Cloud Custodian emails to look better? I know there's a way to use a custom template but I can't find super clear instructions on how to do it. Any advice?
1 reply
niranjanashish
@niranjanashish

Hello Guys,

I am using resource: rest-api, rest-stage and want to make a few accounts exceptions, but I am not getting the account number details to filter on in c7n.

Can anyone please let me know how to use account numbers from the accounts.yml file to filter and process accordingly.

1 reply
vijay23vikram
@vijay23vikram

Hi @ajkerrigan,

We need to deploy some custodian policies which are related to IAM policy events and ids. As per our requirement we have the events, but we are facing issues with the resources and event ids.
These are the resource and events which we are using:
resource: iam-policy
description: |
  Notify if any IAM policy is modified.
mode:
  type: cloudtrail
  events:
    - source: iam.amazonaws.com
      event: CreatePolicy
      ids: "requestParameters.policyArn"
    - source: iam.amazonaws.com
      event: CreatePolicyVersion
      ids: "requestParameters.policyArn"
  role: arn:aws:iam::{account_id}:role/cloud-custodian

Is there any correction needed in the event ids or resource? If I get any response from you it will be very useful for me to complete this. For the resource I tried with account level also, but the emails are not getting triggered:
"resource: account"

Thanks in Advance!!!

5 replies
DigeratiDad
@digeratidad

Hello -

Does anyone know if you can enable DNS querying logging for private hosted zones only?

vijay23vikram
@vijay23vikram

Hi @ajkerrigan, we are trying to execute the custodian policies with resource: "Account" but we are not getting exact messages in the email description based on the event or AWS resource info. The message we are getting is only the account number or account name, but not the resource info. This is the example policy, events and resource we are using:

  - name: VPC-deletion
    resource: account
    description: |
      Any VPC deletion will be notified
    mode:
      type: cloudtrail
      events:
        - source: ec2.amazonaws.com
          event: DeleteVpc
          ids: "requestParameters.vpcId"
    actions:

Output we are getting in the email subject:
Please refer to the attachment above.

Please suggest if any corrections are needed in my policy to get the full information about the resource details.

Thanks in Advance!!!

4 replies
Saman Batool
@saman-batool:matrix.org
Hello -
Does anyone know if we can invoke a Lambda from API Gateway using Cloud Custodian?
1 reply
Zeno Ren
@ZenoRewn

Hey Guys,
Can Custodian filter those security groups whose ingress allows any other security groups?
Like SG-A ingress allows SG-B to access.

Thanks~

Ro Billy
@robilly:matrix.org

Hello, we need to use a variable to set the retention, which is different depending on the customer; I've added the variable in the policy

  - type: age
    op: greater-than
    days: {retention_days}

and into the c7n inventory
retention_days: 30
but we continue to receive the error: "unsupported type for timedelta days component: dict"

Do you have any suggestions?

2 replies
sharif_
@sharif_:matrix.org

Hello everyone, I am having an issue with one of the policies, which I have shared below

policies:
  - name: mark-for-op
    resource: ec2
    filters:
      - "tag:Name": present
    actions:
      - type: mark-for-op
        op: terminate
        hours: 1

Will this policy terminate the EC2 instance after an hour? While I am running this policy it only tags the instances that have a "Name" tag for termination; it does not actually terminate the instances.

1 reply
sharif_
@sharif_:matrix.org

Edit: Hello everyone, I am having an issue with one of the policies, which I have shared below

policies:
  - name: mark-for-op
    resource: ec2
    filters:
      - "tag:Name": present
    actions:
      - type: mark-for-op
        op: terminate
        hours: 1

Will this policy terminate the EC2 instance after an hour? While I am running this policy it only tags the instances that have a "Name" tag for termination; it does not actually terminate the instances.

Ro Billy
@robilly:matrix.org
I've already tried to force it in the policy with int and eval but it's always the same error (dict or str)
vijay23vikram
@vijay23vikram
Hi @ajkerrigan,
vijay23vikram
@vijay23vikram
Hi @ajkerrigan, we are using "resource: account" for the DeleteVpc event in the custodian policy, and in the email template format we are getting only the account number and account name. But if we use "resource: vpc" for the delete events for vpc, s3, iam ... custodian policies, the event is not working and we are not able to trigger the email messages. Does "resource: vpc" not work for the Delete events? Is there any way to resolve this issue? I already raised a query above with the example. Please suggest any solution on this. Thanks in advance!!!
2 replies
misumme-pg
@misumme-pg
Hi guys! Question: does anyone know, once the CC policy has been applied in AWS, is there a command or way to disable the previously applied policy?
2 replies
Eric Dahl
@ericdahl
when might the next release be? I'm looking forward to being able to use the new cloud-custodian/cloud-custodian#8091. I've done local builds to test it out for now
Eric Dahl
@ericdahl
well.. looks like 0.9.22.0 is released now - I appreciate it :+1:
zackriso
@zackriso
Hi all, I have the following policy, and I would like to know how is the encryption actually taking place behind the scenes: is it just encrypting or re-encrypting all objects in all buckets, or is it encrypting ONLY the unencrypted objects?
policies:
  - name: custodian-s3-object-encryption
    resource: s3
    actions:
      - type: encrypt-keys
        crypto: aws:kms
        key-id: alias/aws/s3
10 replies