# general
  • t

    Tom Nguyen

    06/05/2025, 2:30 AM
    Hi all! I'm currently using a `notify` type within an ec2 off-hours-policy with Slack delivery via the mailer, using the following snippet:
    - type: notify
      slack_template: slack-alert
      slack_msg_color: warning
      subject: "EC2 Instance(s) Stopped for Off-Hours"
      violation_desc: "Your EC2 instance(s) have been automatically stopped as part of off-hours management."
      action_desc: "..."
      to:
        - <slack://tag/Owner>
      transport:
        type: sqs
        queue: <https://X>
    The issue I'm hitting is that when multiple instances match the filter, they get bundled into a single message payload, which means the mailer Lambda sends all of them to one `Owner` tag recipient — usually just the first one found. What I'd like is for each resource to be sent to its respective `Owner`, ideally as separate messages or otherwise handled individually in the mailer. Should I be using a different `to:` value than `<slack://tag/Owner>`? Or is there a way to split/group the message per `Owner` so the mailer sends them separately? Appreciate any pointers — thanks! 🙏
  • e

    EJ Santos

    06/10/2025, 12:30 AM
    Can CloudCustodian auto attach an AWS WAF to newly created AWS NLBs?
  • s

    Sanjeewa Dasanayaka

    06/11/2025, 7:33 AM
    hi @team I have been trying to use the below action in one of our policies.
    actions:
          - type: set-instance-profile
    When trying to push this policy to our git repo, I'm getting an error like "Exception: Invalid action type found for phase: set-instance-profile", but I was able to push this policy to one of our AWS accounts manually using the command "custodian run -s /home/ubuntu/logs /home/ubuntu/ec2.yml" and it's working fine by creating a lambda also. What action can be used here? Why does the error come when using the pipeline to push to the GitHub repo but not when deploying manually?
  • c

    corey

    06/12/2025, 4:28 PM
    Is there a best practice or built-in process for how to bulk-update a ton of policy Lambda function runtimes? We have hundreds that are still on `python3.9` from when it was the default. I’d like to bump them to the new default `python3.11`. I’m using c7n-org if it makes a difference.
  • f

    Fernando Toledo

    06/12/2025, 6:07 PM
    👋 Hi everyone!
    👋 1
  • f

    Fernando Toledo

    06/12/2025, 6:08 PM
    Does anyone know about any development to support IBM Cloud?
  • a

    Alistair

    06/17/2025, 5:35 PM
    Hi there, just been testing cloud-custodian at work. We have a load of bash scripts which run and test for unused resources over 90 days and can list them all etc. cloud-custodian seems great, but when adding a new DSL and policy for doing the same thing as the bash scripts, say list all used and unused firehoses, it stumbles into AWS pagination issues, just lists 10 and stops. It's a shame as I'd prefer to go the cloud custodian route. Can this be overcome in any way? For example, we've got over 150 firehoses.
  • o

    Oreoluwa

    06/19/2025, 6:57 PM
    Hi @kapilt, I raised a PR to resolve the duplicate notify delivery by c7n-mailer in GCP env.
    Issue - https://github.com/cloud-custodian/cloud-custodian/issues/8702
    PR - https://github.com/cloud-custodian/cloud-custodian/pull/10221
    Please take a look.
    👍 1
  • c

    Chris Watkins

    06/26/2025, 5:17 PM
    hello, friends
    👋 3
  • v

    Vishnu

    07/01/2025, 11:06 AM
    Hi team, can we identify the untagged images stored in an ECR repository, and is there a provision to delete them using Cloud Custodian?
  • j

    Josh Reichardt

    07/01/2025, 10:59 PM
    Is there a simple way to filter IAM roles based on whether they are service roles or not?
  • z

    Zaheer Mohiuddin

    07/03/2025, 12:53 AM
    Hey All, We're using CloudCustodian to find unused resources. I imagine a lot of people are doing the same - does anyone have a YAML file they've built already with these rules? Seems like a common use-case but I haven't come across one yet that is comprehensive. Ex. For Cloudfront distributions we want to find any that don't have requests in last 6 mo, for EC2 we'd check CPU perhaps etc.
  • z

    Zaheer Mohiuddin

    07/03/2025, 1:35 AM
    pretty-report.py
  • z

    Zaheer Mohiuddin

    07/03/2025, 1:35 AM
    I made a quick script to give me a pretty report in terminal with links to AWS Config for any resources that match my filters. Pasting the code here in case it’s helpful for anyone else.
  • z

    Zaheer Mohiuddin

    07/03/2025, 1:36 AM
    I didn’t want to set up notifications or take actions yet. Just wanted a quick way to validate the output and take action manually.
  • k

    kapilt

    07/03/2025, 1:37 AM
    Custodian has an aws config filter re dsl for less code if that’s your jam
  • z

    Zaheer Mohiuddin

    07/03/2025, 1:38 AM
    doh! Didn’t realize that. Thank you!
  • k

    kapilt

    07/03/2025, 1:38 AM
    I’m curious what would have helped you write the policy yaml instead?
  • k

    kapilt

    07/03/2025, 1:38 AM
    Is that llm generated code?
  • z

    Zaheer Mohiuddin

    07/03/2025, 1:39 AM
    Ya it’s llm generated code. Quick and dirty but it was for a very pointed use case.
  • k

    kapilt

    07/03/2025, 1:39 AM
    There’s enough policies in the wild and public on third party repos, you should try the llm on policy yaml
  • z

    Zaheer Mohiuddin

    07/03/2025, 1:40 AM
    Ya I’ve tried it. Ran into a bunch of errors so have started going deeper and reviewing each policy.
  • k

    kapilt

    07/03/2025, 1:40 AM
    Which llm did you try out of curiosity?
  • z

    Zaheer Mohiuddin

    07/03/2025, 1:42 AM
    Gemini. I’ve found it easier to iterate in their Canvas view
  • k

    kapilt

    07/03/2025, 1:43 AM
    So back to original question re helping, and I just noticed we’re not threaded anymore. What would have helped you write the policy, instead of prompting code, that you also need to validate?
  • o

    Oreoluwa

    07/04/2025, 11:41 AM
    Hi Everyone, not sure if anyone has experienced this before. When I pull an image from dockerhub, it does not pull the latest image but an image from days ago. And when I try referencing the full image URL, I get an error `unsupported media type application/vnd.dev.cosign.simplesigning.v1+json`. But if I reference the full image URL of the image from days ago, that works smoothly.
  • m

    Michael Davis

    07/09/2025, 3:10 PM
    Does the max-resources parameter limit resources before or after filters? Does having that mean the number of resources scanned is limited, or do they all still get evaluated by filters?
  • d

    D Rajapakse

    07/10/2025, 2:34 AM
    Hi experts, is there a way to use environmental variables in policy?
  • d

    D Rajapakse

    07/10/2025, 2:35 AM
    I am referring to https://github.com/cloud-custodian/cloud-custodian/pull/7465
  • d

    D Rajapakse

    07/10/2025, 11:46 AM
    Basically, I want to pass my API key for the webhook action type. Any thoughts would be greatly appreciated.