I need to make a webhook call with an api key call in a header. Is there a way to interpolate secrets in the call?

Hello Custodian Community, At EazyOps, we’ve been long-time admirers and heavy users of Cloud Custodian, and we felt it was time to give something back. After all, good custodianship means not just managing resources, but also sharing them. We’re excited to introduce the Cloud Custodian MCP (Multi-Cloud Copilot) Server: https://github.com/Eazy-Ops/cloud-custodian-mcp Think of it as giving Custodian a co-pilot who can reason in plain English, keep YAML tidy, and never forget to validate. Highlights: • Policy generation from natural language prompts • Automatic organization into cloud-wise folders • Installs Custodian if it isn’t already present • Validates policies before saving • Provides human-friendly explanations of YAML policies • Answers Custodian-related questions • Multi-cloud support: AWS today, GCP and Azure coming soon • LangGraph + Flask backend, designed for CLI and web The repository includes a quickstart guide, example flows, and integration details. We’d love to hear your feedback, ideas, or contributions. Consider it our way of keeping the Custodian ecosystem a little cleaner, one policy at a time. — The EazyOps Team https://www.eazyops.com

Hey Team, hope this is the place for this question... We updated to a newer version of Custodian (0.9.45) and it is failing to start since the cluster nodes are in FIPS mode. For those not familiar, FIPS mode is a mode of encryption required for all systems running within the US government, so your newer versions will not work for any government agency or any company (like us) that provides their product for the government. We believe the reason is that your base container OS - Ubuntu 24.04 is forcing certain FIPS checks that the previous Ubuntu 22.04 base was not. If you would like more details about the problem, please let us know. You can replicate by trying to run your product on Amazon EKS with an Amazon Linux 2023 node in FIPS mode ( sudo fips-mode-setup --enable)

in aws, what happens if you use a tag action on a resource that already has that tag?

nevermind. AI answered the question for me

AND just noticed AI can build policies too

so much for my job

Hello everyone, i am running issue with tag action once integrated with security Hub. The error is here: “c7n_org:ERROR Exception running policy:audit-missing-esat-tag-for-org-account account:aws-mgmt region:us-gov-west-1 error:An error occurred (UnrecognizedClientException) when calling the TagResources operation: The security token included in the request is invalid”. And here is the policy: policies: ◦ name: audit-missing-esatsid-tag-for-org-account resource: aws.org-account description: Lists org account missing env-EsatsId tags filters: • not: ◦ or: ◦ tagesatsId present ◦ tagesatsid present ◦ tagenv EsatsId present actions: • type: post-finding severity_normalized: 80 compliance_status: FAILED types: ◦ "Software and Configuration Checks/AWS Security Best Practices" title: "Account has not EsatsId tag" description: "This account does not have EsatsId attached.". Please help to suggest how to solve this issue. I am running c7n-org in mgmt cloudshell and its working fine if I do not add the action post-finding integration with Security Hub.

Hello. I had a question regarding the ec2 resource. I've found that there's a way to check whether a host is truly public via looking at its attributes and using jmespath to look at IpPermissions for exposure. Is there a way to then action on those group rules directly within the ec2 resource policy? Alternatively, is there a way to pass what has been filtered to another policy within the same policies list for further actions like ec2 evaluates and passes to sg policy for actions?

I am deploying policies to Azure and infosec have just deleted the storage accounts because they were exposed publicly. How can this be rectified? HELP!!!!!!!!

cloud custodian 0.9.47 released, release notes https://github.com/cloud-custodian/cloud-custodian/releases/tag/0.9.47.0

When evaluating a security group for all ports, I'm encountering a weird case where when attempting to set new add-ingress for all ports, its assigning random single ports instead of the entire port range even though the set-permission is using From/To-Port properties. Is this a bug or does this not work and if so, is there an alternate way to deal with this case?

Hello ! First time here 🙂 I'm trying

custodian

and

c7n-org

to update tags on ~150 AWS accounts. Running from my machine (Mac), I noticed that running the command over and over (to go through the 150 accounts), my machine starts to crawl. At some point I can't make any network connection unless I stop the loop and wait a few minutes. It seems that network connections might be left open, has anyone experienced this issue with custodian ?

mailer problem. i'm getting this error: error: STARTTLS extension not supported by server. Here is my mailer.yml: queue_url: <https://sqs.us-east-1.amazonaws.com/014084670816/cloud-custodian-mailer%7C&lt;&gt;redacted> role: <redacted> region: us-east-1 from_address: &lt;redacted> smtp_server: <http://exchgw.tyson.com|<>redacted> smtp_port: 25 smtp_ssl: True contact_tags: - "Owner" - "AdminOwner" - "owner" - "adminowner" Nothing has changed, but the mailer stopped working on Monday. Was working fine on Sunday? Any idea why I'm getting a TLS error?

Hi, good day. In Azure, policy deployed as function app needs an App Service Plan (ASP), by default using Dynamic Tier (Linux Consumption hosting plan). New subscriptions do not have Quota for this tier and needs Microsoft Support for extension. Also, this tier will be retired by 30 September 2028 in existing subscriptions. This is blocking policy deployment in Azure. Other ASP (Basic/Standard/Premium) have some fixed cost associated, discouraging its usage. Is anyone getting this issue? Is there any alternate approach? Is there any plans to support Flex Consumption ASP for azure policy deployment? Error Message: Content: {"Code":"Unauthorized","Message":"This region has quota of 0 instances for your subscription. Try selecting different region or SKU.","Target":null,"Details":[{"Message":"This region has quota of 0 instances for your subscription. Try selecting different region or SKU."},{"Code":"Unauthorized"},{"ErrorEntity":{"ExtendedCode":"52039","MessageTemplate":"{0}. Try selecting different region or SKU.","Parameters":["This region has quota of 0 instances for your subscription"],"Code":"Unauthorized","Message":"This region has quota of 0 instances for your subscription. Try selecting different region or SKU."}}],"Innererror":null}

Hello all - Having some trouble getting started with implementing cloud custodian as an Azure function. In reading this, it seems there is a bit of yaml that needs to be used to deploy/create this, but when I go through vscode to create a python based azure function, it seems to require a whole other set of files, which is not present in the cloud custodian github repo. The schema provided does not seem to match the policy format either (starts with "policies" root ) so it does not seem to be something I can manually run using the custodian command line either. Thanks in advance for any help. I checked around and did not see a getting started/etc channel, so hopefully this is the right place for this question. We have already manually created all the resources (function container holder, storage blob, etc), but unsure how to run cloud custodian (which seems to be command line based) and how to point it at the various resources to reference policy files

Hi all! I have a question, I have a policies that use the action

- type: invoke-lambda

. Does this purely just invoke the lambda? I'm wondering if I have the code, that it will upload my lambda if it's missing.

Trying again. Hope someone can help with setting up cloud custodian in Azure as a function app. I tried to feed the schema provided in the above link into custodian, but it fails validation. (I updated the storage/app insight/etc names inline as well) If I try to export the overall schema and use vscode to validate. vscode is not able to parse it. I am able to reference other schemas from schemastore.org and it works fine.

Hey. I've written some terraform modules that allow you to deploy and manage cloud-custodian lambda resources using native terraform ((aws_lambda_function etc) as opposed to using the cloud-custodian CLI. This is the repository - https://github.com/elsevierlabs-os/terraform-cloud-custodian-lambda

Hi all- When I use custodian to create the azure functions, it has these warnings regarding use of older python/etc. I am running on the latest version of custodian (0.9.47). While I can update some of this (runtime version /python version) in the function app afterwards- are there any issues with doing so?

Hello- I dont see a channel for c7n-org so posting here- When c7n-org is used to target multiple subscriptions in a Azure tenant- is it basically just creating a copy of the resources (function app/storage/etc) in each subscription? When I tried to run it, that seems to be what its trying to do.

Looking for some help around the use of

AZURE_FUNCTION_SUBSCRIPTION_ID

/

AZURE_FUNCTION_MANAGEMENT_GROUP_NAME

variables. The only docs I can find around this is here. Are these just used to override the default subscription that is selected when I run

az login

beforehand on a per subscription level, and to deploy a single function app (which will reside in the subscriptioin I am currently in ) which will operate against all subscriptions that the management group has control over?

👋 Hi everyone!

I was wondering if Cloud Custodian is being used by anyone for OCI

Hey apologies on the late notice, we’re not doing the cloud custodian community meeting today due to holiday in us

Hello all- when trying to apply a tag to an azure resource - its complaining of possibly the syntax, which I believe matches what the docs say. Anyone can help with this?

Any suggestions on a preferred way to use

c7n-org

in combination with

custodian validate

? I power my setup with

c7n-org

and have historically been running

custodian validate

as part of pull request validation. I added some

vars

to the

c7n-org

config file for the first time, and it’s broken the

custodian validate

logic since the variables aren’t resolved by

custodian

.

c7n-org

config:

accounts:
- account_id: '0000000000'
  name: xxxxx
  regions:
  - us-east-1
  - us-west-2
  role: arn:aws:iam::0000000000:role/xxxxx
  vars:
    lambda_runtime: python3.12
# etc etc

Policy:

policies:
- name: xxxxx
  # ...
  mode:
    type: cloudtrail
    # ...
    runtime: "{lambda_runtime}"

Error:

2025-11-24 13:25:41,565: custodian.commands:ERROR             Error on policy:xxxxx resource:xxxxx

'{lambda_runtime}' is not one of ['python3.10', 'python3.11', 'python3.12', 'python3.13']

            Failed validating 'enum' in schema[1]['properties']['runtime']:

                {'enum': ['python3.10', 'python3.11', 'python3.12', 'python3.13']}

Hello all, I am starting to work with custodian for some use cases and I wonder I can I use the same "custodian run" command for running the policy for serveral subscriptions

Hello all, I wonder whether azure nat gateway unattached is supported? I do not find it in the filters documentation