https://cloudcustodian.io logo
Join Slack
Powered by
# general
  • s
    Resource: ebs-snapshot Key: FullSnapshotSizeInBytes This key is in the latest aws api/cli but not yet in custodian? I tried thinking i could do a PR but failed with all the dependencies.
    a
    • 2
    • 2
  • s
    Morning everyone. This is my first post on this forum so pardon me if its not relevant to the general channel. I have an AWS account with 150+ Amazon Workspaces. I've deployed a policy of type "config-rule" for resource "aws.workspaces". Both the Lambda and the Config rule get deployed without any error. The Lambda has required permissions to perform number of actions including AWS-Managed ReadOnly permission policy. The objective of the policy is to just "filter" the resources based on missing tags (keys or values). There's no "action" defined in the YAML file. I have similar policies for EC2, S3, SNS, IAM etc. and they are working fine. Re-checked and there's no problem in the YAML file. When the policy first gets deployed and Config triggers the custom Lambda, Lambda throws errors which I can see in the CW Log Group. Due to error, no evaluation of the Workspaces is done hence Config Rules doesn't show any Workspace as COMPLIANT or NON_COMPLIANT. I see the following in CW log group for the Lambda behind the policy: 
    [ERROR] KeyError: 'WorkspaceId'
    Traceback (most recent call last):
    File "/var/task/custodian_policy.py", line 4, in run
    return handler.dispatch_event(event, context)
    File "/var/task/c7n/handler.py", line 170, in dispatch_event
    p.push(event, context)
    File "/var/task/c7n/policy.py", line 1347, in push
    return mode.run(event, lambda_ctx)
    File "/var/task/c7n/policy.py", line 1030, in run
    resources = super(ConfigRuleMode, self).run(event, lambda_context)
    File "/var/task/c7n/policy.py", line 506, in run
    resources = self.policy.resource_manager.filter_resources(
    File "/var/task/c7n/manager.py", line 113, in filter_resources
    resources = f.process(resources, event)
    File "/var/task/c7n/filters/core.py", line 352, in process
    return self.process_set(resources, event)
    File "/var/task/c7n/filters/core.py", line 369, in process_set
    resource_map = {r[rtype_id]: r for r in resources}
    File "/var/task/c7n/filters/core.py", line 369, in <dictcomp>
    resource_map = {r[rtype_id]: r for r in resources}
    The "invokingEvent" I see before this error has "Id", "resourceId", and "resourceName" in the structure. So the error above is valid as the Lambda doesn't find "WorkspaceId" in the structure it gets from the Config. I deployed the same policy without type "config-rule" from the terminal just to filter out the resources with missing tags. The run was successful and the result returned all the Workspaces which are complying to the rules defined in the "filter. So the issue seems to be only when Config gets involved. Moreover, have seen similar error (KeyError) when using Config with other resources like: elasticbeanstalk-environment, secretsmanager-secrets-manager, stepfunctions-step-machine Anyone has experienced the same when running policy through Config+Lambda? Thanks. -Shiraz
    k
    • 2
    • 3
  • s
    Hi #CAL4P6YE6 I’m new to Cloud Custodian and want to contribute. Could someone guide me to a good first issue or documentation to start with?
    a
    • 2
    • 1
  • p
    Hi Team
  • p
    Is there a way to scan for sensitive data (PII) in "AWS Systems Manager Parameter Store" using Cloud Custodian?
    a
    • 2
    • 2
  • j
    Hello all. Does anyone know the best approach to setting up a 
    c7n-mailer
    configuration for email for azure and aws. AWS has ses and i’ve configured that for c7n-mailer, but it looks like azure is rather limited here. So i’m wondering if it would be better to have a single smtp server with something like a postfix to handle aws and azure. But i don’t know if c7n-mailer when using postfix, would be able to use the function to retrieve the messages from aws sqs and azure aqs respectively
    a
    p
    • 3
    • 3
  • r
    I’m trying to create a policy to alert me once every 7 days but it’s alerting me every time it runs 🧵 • Tags when a resource is found and alerts • Checks if tag is present and checks the age is greater than 7 • Checks if tag is not present
    a
    s
    • 3
    • 45
  • u
    How does the logic eval for nested exclusion filters work? Equally, how can you tell which filter triggers a match? Say I'm doing a check to make sure all EBS volumes are encrypted with a specific set of KMS keys, but I want to allow-list some accounts to use a broader set of keys. I'm assuming it's straight logic checks so you'd end up with something like:
    Copy code
    - or:
  - type: ebs
    key: Encrypted
    value: false
  - or:
    - type: ebs
      key: KmsKeyId
      op: not-in
      value: [list]
    - not:
      - and:
          - type: event
            key: account
            op: in
            value: [ list ]
          - type: ebs
            key: KmsKeyId
            op: regex
            value: 'regex'
    That doesn't work the way I'd expect though - for some reason it matches a much wider range of accounts than intended, and I'm finding it extremely hard to pinpoint why as I don't know how to get c7n to show which specific filter caused the match.
  • r
    I was looking for continuous backup for dynamodb tables in the docs https://cloudcustodian.io/docs/aws/resources/dynamodb.html#aws-dynamodb-table and then searched for a past issue and found this PR which implemented the action 
    set-continuous-backup
    but it’s missing from the docs. Is this a bug in the automated documentation ?
    1
    k
    • 2
    • 17
  • r
    How is cloud custodian categorized in the security/compliance world? Is it a SOAR (security orchestration, automation, and response) or something else?
    • 1
    • 2
  • c
    Hi All, I am new to this forum and recently started working on cloud custodian policies. I have been trying out a few policies where i wanted to identify unattached loadbalancer but not getting the results. If anyone can point me in the right direction it will be really helpful. Attaching one of the policies that i have tried.
    a
    • 2
    • 2
  • l
    Hello, anybody know what is the new syntax for VPC flow logs?
    a
    • 2
    • 2
  • l
    Copy code
    - name: vpcflow
    resource: aws.vpc
    description: |
      Identify VPCs which don't have flow logs setup correctly.
    filters:
      - not:
          - type: flow-logs
            enabled: True
    actions:
      - type: notify
        kind: Security
        priority: HIGH
        subject: "VPC flow logs are not enabled"
        violation_desc: "VPC flow logs are not enabled"
        action_desc: |
          "Review and enable VPC flow logs for all your VPCs"
        <<: *sqsSaving
  • l
    And I'm getting a
    Copy code
    (.venv) PS E:\Dropbox\Projects\Hypercube\policies>           custodian validate aws/production.yml
2025-04-10 16:28:59,146: custodian.commands:WARNING deprecated usage found in policy
policy 's6t-cis-v140-aws-vpc-flow-log-reporting-pull' (production.yml:1428)
  filters:
    field 'flow-logs.enabled' has been deprecated (replaced by use list-item style attrs and set operators)
2025-04-10 16:28:59,147: custodian.commands:INFO Configuration valid: aws/production.yml
(.venv) PS E:\Dropbox\Projects\Hypercube\policies>
  • r
    Probably a silly question, i noticed that there is a cloud custodian slack and a #cloud-custodian channel in the cncf slack. 1. Is it better to post here in this community or in the official cncf one? 2. Is there a plan to consolidate?
    a
    k
    • 3
    • 3
  • l
    Trying to check out the docs for hiding tokens in the config. I can see the c7n-mailer supports hiding things with a secure string and will attempt to decrypt with kms. But I can’t see any details on how to set that up, give it a key or encrypt using kms. Is there any way to make it fetch values from param store or secrets manager? I just want to secure my slack tokens
    a
    • 2
    • 2
  • p
    Hi Everyone, I am Pavanipriya Sajja, UX designer for ED.Tech startup. I have been interested in learning about cloud networks or cloud related projects since I am here. Cloud related topics are very new for me. I really appreciate anyone guiding me on working on how to find UX related projects or is there any dedicated space or the UX team is helping backend and frontend applications in cloud platform. Any guidance would be appreciated thank you!
  • a
    👋 Hi everyone!
  • a
    I have 7000 people using sandboxed aws/azure account on my infra and controlling that with IAM became nightmare
  • a
    Quick question, does this allow us to limit things like s3 object size, on demand resources consumptions, or DynamoDB read/write capacity? We did custom EventBridge -> Lambda for those but writing that for every resource is lot of work
  • p
    Hi Everyone, I'm trying to develop a Cloud Custodian Policy to Delete Lambda Functions which haven't executed in the last 90 days. I tried developing some versions and did a dry run. I do have lots of functions (atleast 100) which never got executed in the last 90 days. Version 1: Result, no resources given in the resources.json file after the dry run, I don't get any errors (The indentation might look incorrect but I do indent the script properly)
    Copy code
    policies:

- name: delete-unused-lambdas

resource: aws.lambda

description: Delete Lambda functions not executed in last 90 days

filters:

- type: value

key: "LastModified"

value_type: age

op: ge

value: 90

actions:

- type: delete
    Version 2: Result, no resources given in the resources.json file after the dry run and I feel like Last Executed key may not be supported with lambda but perhaps with CloudWatch
    Copy code
    policies:

- name: delete-unused-lambdas

resource: aws.lambda

description: Delete Lambda functions not executed in last 90 days

filters:

- type: value

key: "LastExecuted"

value_type: age

op: ge

value: 90

actions:

- type: delete
    Version 3: Result, no resources given in the resources.json file after the dry run and statistic not expected
    Copy code
    policies:

- name: delete-unused-lambdas

resource: aws.lambda

description: Delete Lambda functions not executed in last 90 days

filters:

- type: metrics

name: Invocations

statistic: Sum

days: 90

period: 86400 # Daily granularity

op: eq

value: 0

actions:

- type: delete
    Version 4: Result, gives me an error about statistic being unexpected, tried to play around with it but it doesn't work
    Copy code
    policies:

- name: delete-unused-lambdas

resource: aws.lambda

description: Delete Lambda functions not executed in last 90 days

filters:

- type: value

key: "Configuration.LastExecuted"

statistic: Sum

days: 90

period: 86400 # Daily granularity

op: eq

value: 0

actions:

- type: delete
    Could someone help me with creating a working script to delete AWS Lambda functions that haven’t been invoked in the last 90 days? I’m struggling to get it working and I’m not sure if such an automation is even feasible. I’ve successfully built similar cleanup automations for other resources, but this one’s proving to be tricky.
    k
    • 2
    • 3
  • s
    Hello @AJ Kerrigan, @kapilt I was exploring a policy of GCP Compute Instance using memory metrics. I installed Ops Agent on my compute instance and metrics are visible on Metrics explorer. But when I am quering the same metric from custodian, I am getting a 404 error.. here's my policy policies: - name: test description: | test resource: gcp.instance filters: - type: metrics name: "agent.googleapis.com/memory/percent_used" aligner: ALIGN_MEAN days: 7 op: lte value: 0.35 here's my error googleapiclient.errors.HttpError: <HttpError 404 when requesting https://monitoring.googleapis.com/v3/projects/unique-pixel-449703-q9/timeSeries?filter=metric.type+%3D+%22agent.googleapis.com%2Fmemory%2Fpercent_used%22+AND+%28+metric.labels.instance_name+%3D+%22instance-20250417-022216%22+%29+&amp;interval.startTime=2025-04-10T03%3A23%3A13Z&amp;interval.endTime=2025-04-17T03%3A23%3A13Z&amp;aggregation.alignmentPeriod=604800.0s&amp;aggregation.perSeriesAligner=ALIGN_MEAN&amp;aggregation.crossSeriesReducer=REDUCE_NONE&amp;view=FULL&amp;alt=json returned "Cannot find metric(s) that match type = "agent.googleapis.com/memory/percent_used" label = "instance_name". If a metric was created recently, it could take up to 10 minutes to become available. Please try again soon.". Details: "Cannot find metric(s) that match type = "agent.googleapis.com/memory/percent_used" label = "instance_name". If a metric was created recently, it could take up to 10 minutes to become available. Please try again soon.">
    s
    • 2
    • 1
  • m
    hello, i am trying to identify Azure Virtual Machines with average CPU utilization <= 5% over the past 14 days (336 hours) that are more than 30 days old. 🧵
    • 1
    • 1
  • a
    Hey all, I've been told that c7n-org does multi threading. Does this happen by default?
    s
    k
    • 3
    • 17
  • r
    Is there an easy way to reduce the likelihood of api rate limiting with c7n-org ?
    a
    • 2
    • 1
  • s
    Hello guys, Need a help on this. I was exploring a policy of GCP Compute Instance using memory metrics. I installed Ops Agent on my compute instance and metrics are visible on Metrics explorer. But when I am quering the same metric from custodian, I am getting a 404 error.. here's my policy policies: - name: test description: | test resource: gcp.instance filters: - type: metrics name: "agent.googleapis.com/memory/percent_used" aligner: ALIGN_MEAN days: 7 op: lte value: 0.35 here's my error googleapiclient.errors.HttpError: <HttpError 404 when requesting https://monitoring.googleapis.com/v3/projects/unique-pixel-449703-q9/timeSeries?filter=metric.type+%3D+%22agent.googleapis.com%2Fmemory%2Fpercent_used%22+AND+%28+metric.labels.instance_name+%3D+%22instance-20250417-022216%22+%29+&amp;interval.startTime=2025-04-10T03%3A23%3A13Z&amp;interval.endTime=2025-04-17T03%3A23%3A13Z&amp;aggregation.alignmentPeriod=604800.0s&amp;aggregation.perSeriesAligner=ALIGN_MEAN&amp;aggregation.crossSeriesReducer=REDUCE_NONE&amp;view=FULL&amp;alt=json returned "Cannot find metric(s) that match type = "agent.googleapis.com/memory/percent_used" label = "instance_name". If a metric was created recently, it could take up to 10 minutes to become available. Please try again soon.". Details: "Cannot find metric(s) that match type = "agent.googleapis.com/memory/percent_used" label = "instance_name". If a metric was created recently, it could take up to 10 minutes to become available. Please try again soon.">
  • j
    Hi, I have a question regarding a fairly basic policy that is failing due to too many items being passed in an API call filter. Policy:
    Copy code
    policies:
  # policy to copy tags from RDS clusters to RDS instances
  - name: rds-copy-tags-from-cluster-to-instances
    resource: rds
    actions:
      - type: copy-related-tag
        resource: rds-cluster
        skip_missing: True
        key: DBClusterIdentifier
        tags: "*"
    Error:
    Copy code
    2025-04-23 14:30:45,805: custodian.policy:INFO policy:rds-copy-tags-from-cluster-to-instances resource:rds region:us-east-1 count:264 time:0.01
2025-04-23 14:30:46,304: custodian.resources.rdscluster:WARNING event ids not resolved: [<redacted, 206 cluster ids>] error:An error occurred (InvalidParameterCombination) when calling the DescribeDBClusters operation: Only up to 100 unique filter DB Cluster Identifiers may be specified per filter.
2025-04-23 14:30:46,312: custodian.actions:INFO Tagged 0 resources from related, missing-skipped 264 unchanged 0
2025-04-23 14:30:46,313: custodian.policy:INFO policy:rds-copy-tags-from-cluster-to-instances action:copyrelatedresourcetag resources:264 execution_time:0.49
    I managed to put together a fix by updating CopyRelatedResourceTag.get_resource_tag_map, and confirmed that it worked. Is this something that I could create a PR for? Thanks in advance!
    a
    • 2
    • 4
  • k
    Cloud Custodian 0.9.44 is released, release notes -> https://github.com/cloud-custodian/cloud-custodian/releases/tag/0.9.44.0
    🙌 6
  • r
    Is there a way to see progress while a policy is running? I used aws.iam-role's check-permissions filter and it takes a long time. It would be nice to see what percent complete it is every 30 seconds or so.
    a
    • 2
    • 5
  • k
    We'll be doing a remote and in person development sprint on cloud custodian Monday may 19th to Wednesday May 21st... For in person attendees its in pittsburgh convention center attached to pycon, you do not need a pycon ticket, coffee and lunch will be provided. I've created a github issue for organizing any potential topics, feel free to add comments on anything you might want to work on if your participating. https://github.com/cloud-custodian/cloud-custodian/issues/10112 https://us.pycon.org/2025/events/dev-sprints/
    ❤️ 1
    b
    • 2
    • 3