# general

    Julian

    04/23/2025, 7:04 PM
    Hi, I have a question regarding a fairly basic policy that is failing due to too many items being passed in an API call filter. Policy:
    policies:
      # policy to copy tags from RDS clusters to RDS instances
      - name: rds-copy-tags-from-cluster-to-instances
        resource: rds
        actions:
          - type: copy-related-tag
            resource: rds-cluster
            skip_missing: True
            key: DBClusterIdentifier
            tags: "*"
    Error:
    2025-04-23 14:30:45,805: custodian.policy:INFO policy:rds-copy-tags-from-cluster-to-instances resource:rds region:us-east-1 count:264 time:0.01
    2025-04-23 14:30:46,304: custodian.resources.rdscluster:WARNING event ids not resolved: [<redacted, 206 cluster ids>] error:An error occurred (InvalidParameterCombination) when calling the DescribeDBClusters operation: Only up to 100 unique filter DB Cluster Identifiers may be specified per filter.
    2025-04-23 14:30:46,312: custodian.actions:INFO Tagged 0 resources from related, missing-skipped 264 unchanged 0
    2025-04-23 14:30:46,313: custodian.policy:INFO policy:rds-copy-tags-from-cluster-to-instances action:copyrelatedresourcetag resources:264 execution_time:0.49
    I managed to put together a fix by updating CopyRelatedResourceTag.get_resource_tag_map, and confirmed that it worked. Is this something that I could create a PR for? Thanks in advance!

    kapilt

    04/24/2025, 2:13 PM
    Cloud Custodian 0.9.44 is released, release notes -> https://github.com/cloud-custodian/cloud-custodian/releases/tag/0.9.44.0
    🙌 6

    RB

    04/29/2025, 5:09 AM
    Is there a way to see progress while a policy is running? I used aws.iam-role's check-permissions filter and it takes a long time. It would be nice to see what percent complete it is every 30 seconds or so.

    kapilt

    04/30/2025, 3:37 PM
    We'll be doing a remote and in person development sprint on cloud custodian Monday May 19th to Wednesday May 21st... For in person attendees it's in the Pittsburgh convention center attached to PyCon; you do not need a PyCon ticket, and coffee and lunch will be provided. I've created a GitHub issue for organizing any potential topics, feel free to add comments on anything you might want to work on if you're participating. https://github.com/cloud-custodian/cloud-custodian/issues/10112 https://us.pycon.org/2025/events/dev-sprints/
    ❤️ 1

    Kiran

    05/03/2025, 10:40 PM
    Hello.. I am using lambda & policy with SNS. I get a Slack message but the message is not in a readable format. Any suggestions?
    actions:
      - type: notify
        template: default
        subject: "[C7N] Auto-Tagging Alert **"
        to:
          - resource-owner
        transport:
          type: sns
          topic: arn:aws:sns:us-west-2:xxx:cloud-custodian-slack-topic
          json: true
    import os
    import json
    import gzip
    import base64
    import urllib.request
    from io import BytesIO
    
    def lambda_handler(event, context):
        print("Received event:", json.dumps(event))
        webhook_url = os.environ['SLACK_WEBHOOK_URL']
    
        for record in event['Records']:
            sns_message = record['Sns']['Message']
            print("SNS message raw:", sns_message)
    
            try:
                # Step 1: Extract and parse JSON wrapper
                wrapper = json.loads(sns_message)
                encoded_text = wrapper.get('text')
    
                if not encoded_text:
                    raise ValueError("Missing 'text' field in SNS message")
    
                print("Base64-encoded string length:", len(encoded_text))
    
                # Step 2: Base64 decode
                compressed_bytes = base64.b64decode(encoded_text)
                print("Decoded base64 length:", len(compressed_bytes))
    
                # Step 3: Gzip decompress
                with gzip.GzipFile(fileobj=BytesIO(compressed_bytes)) as f:
                    decompressed_bytes = f.read()
                message = json.loads(decompressed_bytes)
                print("Decompressed message:", message)
    
                slack_text = f"[Cloud Custodian Notification]\n```{json.dumps(message, indent=2)}```"
    
            except Exception as e:
                print("Decompression/decoding failed:", str(e))
                slack_text = f"(raw fallback) {sns_message}"
    
            # Send to Slack
            payload = {"text": slack_text}
            req = urllib.request.Request(
                webhook_url,
                data=json.dumps(payload).encode('utf-8'),
                headers={'Content-Type': 'application/json'}
            )
            try:
                with urllib.request.urlopen(req) as response:
                    print("Slack response:", response.read().decode())
            except Exception as e:
                print("Failed to send to Slack:", str(e))
    
        return {"status": "done"}

    RB

    05/07/2025, 3:45 AM
    Is there a way to see age since a specific date when using the c7n-org report feature?

    mayuri

    05/07/2025, 10:53 PM
    Hi, I am trying to use the value_from filter to fetch the values from DynamoDB to do some comparison, but with this filter it returns all the resources under violation. Let's say I run this for ec2: it will return all ec2 instances stating they have an incorrect service tag although only 1 has the wrong value. Can someone help with what is the right query for DynamoDB?
    # Fetch allowed service tag values from dynamodb and validate against the resource's service tag
          - type: value
            key: tag:service
            op: not-in
            value_from:
              url: dynamodb
              query: select id from "service_tag_extract"
              expr: '[*].id.S'

    RB

    05/08/2025, 1:38 AM
    Does the redshift resource also cover redshift serverless ? https://cloudcustodian.io/docs/aws/resources/redshift.html

    RB

    05/08/2025, 1:39 AM
    How do cloud custodian feature requests get prioritized? Or is it all community work to get features added?

    Ase

    05/08/2025, 5:12 AM
    Hello. Please let me know if we are over-provisioning for RDS; my plan is to collect CPU or connections less than 2 percent, and it should output that for me. Do I need to write a policy for this?

    rk

    05/09/2025, 1:29 PM
    Hello 👋, I just now pulled the image for cloud custodian. Can anyone help me out with the next step?

    RB

    05/12/2025, 2:55 PM
    Hi all. I noticed that custodian cannot access an s3 bucket (or any resource policy) if the s3 bucket policy defines what principal can s3:GetBucketPolicy and custodian’s iam role happens to NOT be on that list. That means there are a number of s3 buckets with policies that custodian cannot access. Is there a way to craft a policy to detect all of these s3 buckets?

    Ed

    05/13/2025, 11:11 PM
    Hi all, I was trying to find elbs that were unused by checking if they had no instances by using
    - name: elb-no-instances
      resource: elb
      description: |
        Find any ELB with no instances
      filters:
        - Instances: []
    But running cloud custodian would only get me the classic lbs with no instances. Is there a way to get all elbs/albs with no instances? I tried:
    - name: elb-no-instances-v2
      resource: app-elb
      description: |
        Find any ELB with no instances
      filters:
        - Instances: []
    to no avail. I appreciate the help. Thank you!

    Henry Finucane

    05/14/2025, 10:53 PM
    Can you chain things together in a single config file, or do you have to go out and then back in? I'd like to be able to do something like
    policies:
      - name: clean-test-vpcs
        resource: aws.vpc
        filters:
          - "tag:environment": "ci"
        actions:
          - mark-for-op
      - name: clean-leaked-enis
        resource: aws.eni
        filters:
          - type: vpc
            # and uh, value is in the list of things matched by `clean-test-vpcs`
        actions:
          - delete

    Jacob

    05/15/2025, 8:14 PM
    Hello. Does anyone know if cloudcustodian supports assume role with externalId? To prevent confused deputy. I have my cross account roles set up fine, just want to know if I can lock it down further with an externalId. I’m not sure if that would be set in the accounts.yaml for c7n-org.

    Steven Lott

    05/19/2025, 12:40 PM
    No #sprint-pycon-2025 channel?

    RB

    05/20/2025, 8:25 PM
    We've been hitting throttling issues with custodian and we were able to reduce those by setting AWS_MAX_ATTEMPTS=10. I hope that helps others too.
    👍 1

    Gonzalo Gentile

    05/21/2025, 10:47 AM
    Hi folks! I am struggling with an eks c7n policy. I want to detect eks clusters that don't have the audit type enabled at the cluster logging level. This is how my policy looks, but it is not working as expected:
    policies:
      - name: check-eks
        resource: eks
        filters:
          - not:
              - type: value
                key: "logging.clusterLogging[].types[]"
                op: contains
                value:
                  - audit
    the resource json schema looks like this:
    "logging": {
       "clusterLogging": [
        {
         "types": [
          "api",
          "audit",
          "authenticator",
          "controllerManager",
          "scheduler"
         ],
         "enabled": true
        }
       ]
      }
    Any ideas? thanks in advance!

    kapilt

    05/30/2025, 3:47 PM
    I'll be at FinOpsX next week if any custodian users want to meet up IRL

    RB

    05/30/2025, 7:21 PM
    Can all iam resources be restricted to us-east-1 by default? This would save us from adding this to all of our iam cloud custodian policies
    conditions:
      - region: us-east-1

    RB

    06/01/2025, 2:08 PM
    When using iam resources and using check-permission, if a glob is used, does it ensure that all of the permissions are able to be done by the principal? Or is it any permissions of the glob that can be done by the principal? I'm guessing the former. E.g.
    policies:
      - name: super-users
        resource: aws.iam-user
        filters:
          - type: check-permissions
            match: allowed
            actions:
              - iam:*

    kapilt

    06/02/2025, 8:25 PM
    cloud custodian 0.9.45.0 released - release notes https://github.com/cloud-custodian/cloud-custodian/releases/tag/0.9.45.0
    👍 3

    Tom Nguyen

    06/05/2025, 2:30 AM
    Hi all! I'm currently using a notify type within an ec2 off-hours-policy with Slack delivery via the mailer, using the following snippet:
    - type: notify
      slack_template: slack-alert
      slack_msg_color: warning
      subject: "EC2 Instance(s) Stopped for Off-Hours"
      violation_desc: "Your EC2 instance(s) have been automatically stopped as part of off-hours management."
      action_desc: "..."
      to:
        - <slack://tag/Owner>
      transport:
        type: sqs
        queue: <https://X>
    The issue I'm hitting is that when multiple instances match the filter, they get bundled into a single message payload, which means the mailer Lambda sends all of them to one Owner tag recipient — usually just the first one found. What I'd like is for each resource to be sent to its respective Owner, ideally as separate messages or otherwise handled individually in the mailer. Should I be using a different to: value than <slack://tag/Owner>? Or is there a way to split/group the message per Owner so the mailer sends them separately? Appreciate any pointers — thanks! 🙏

    EJ Santos

    06/10/2025, 12:30 AM
    Can CloudCustodian auto attach a AWS WAF to newly created AWS NLBs?

    Sanjeewa Dasanayaka

    06/11/2025, 7:33 AM
    hi @team I have been trying to use the below action in one of our policies.
    actions:
      - type: set-instance-profile
    When trying to push this policy to our git repo, I'm getting an error like "Exception: Invalid action type found for phase: set-instance-profile", but I was able to push this policy to one of our AWS accounts manually using the command "custodian run -s /home/ubuntu/logs /home/ubuntu/ec2.yml" and it's working fine, creating a lambda also. What action can be used here? Why does the error come when using the pipeline to push to the GitHub repo but not when deploying manually?

    corey

    06/12/2025, 4:28 PM
    Is there a best practice or built-in process for how to bulk-update a ton of policy Lambda function runtimes? We have hundreds that are still on python3.9 from when it was the default. I’d like to bump them to the new default python3.11. I’m using c7n-org if it makes a difference.

    Fernando Toledo

    06/12/2025, 6:07 PM
    👋 Hi everyone!
    👋 1

    Fernando Toledo

    06/12/2025, 6:08 PM
    Does anyone know about any development to support IBM Cloud?

    Alistair

    06/17/2025, 5:35 PM
    Hi there, just been testing cloud-custodian at work. We have a load of bash scripts which run and test for unused resources over 90 days and can list them all etc. cloud-custodian seems great, but when adding a new DSL and policy for doing the same thing as the bash scripts, say list all used and unused firehoses, it stumbles into AWS pagination issues, just lists 10 and stops. It's a shame as I'd prefer to go the cloud custodian route. Can this be overcome in any way? For example we've got over 150 firehoses.

    Oreoluwa

    06/19/2025, 6:57 PM
    Hi @kapilt, I raised a PR to resolve the duplicate notify delivery by c7n-mailer in GCP env Issue - https://github.com/cloud-custodian/cloud-custodian/issues/8702 PR - https://github.com/cloud-custodian/cloud-custodian/pull/10221 Please take a look
    👍 1