# general

    prasanna

    07/24/2025, 4:12 PM
    May I know if there is any specific Python version for AWS c7n-mailer?

    Andrew

    07/24/2025, 5:33 PM
    Is anyone else experiencing removing labels from GCP sql-instances silently not working?

    prasanna

    07/25/2025, 2:55 PM
    Hi, good day. Please kindly share a working environment for AWS c7n-mailer with the Python version and the deployed EC2 instance OS version, like Ubuntu.

    Stephen Colebrook

    07/30/2025, 1:05 PM
    Hi all. I noticed that the automated tests in GitHub include Python 3.13 on Ubuntu. What would be needed to make sure that using policies in the python3.13 runtime works successfully, so it can be added as an allowed runtime in the policy schema? Also, currently python3.11 is the default runtime. There’s a little less than a year before AWS deprecates that runtime. The python3.12 runtime doesn’t reach deprecation until Oct 31, 2028. How close to the EOL of 3.11 would be a good time to change the default runtime?

    Brian Gaber

    07/31/2025, 9:25 PM
    With c7n-org I am attempting to run this policy, which is almost identical to what the doc example (https://cloudcustodian.io/docs/aws/resources/aws-common-filters.html#aws-common-filters-usage) provides:
    ```yaml
    - name: unused-credentials
      resource: iam-user
      filters:
        - type: usage
          LastAuthenticated:
            type: value
            value_type: age
            op: greater-than
            value: 45
          match-operator: any
    ```
    I get this error:
    ```text
    c7n_org:ERROR Exception running policy:unused-credentials account:go-noc-rd region:us-east-1 error:argument of type 'type' is not iterable
    ```
    Any ideas on the cause of the error?

    Joe Vaughan

    08/01/2025, 3:41 PM
    Hi all, I'm new to Cloud Custodian, just starting to play around with it a bit at work. I'm trying to get VS Code integration working: I'm using the YAML plugin from Red Hat in VS Code and have configured it as per the docs (https://cloudcustodian.io/docs/quickstart/index.html#editor-integration). Whenever I am trying to write a policy I'm getting this error: `$ref '/definitions/ManagedSourceConfiguration' in 'file:///Users/myuser/git/myrepo/schema.json' can not be resolved. YAML(768)`. In terms of versions, I'm running Cloud Custodian via Docker with the latest image; the schema was generated with `docker run -it cloudcustodian/c7n schema --json > schema.json`.

    Asik Rasool

    08/04/2025, 7:19 PM
    Hi. Just playing with Cloud Custodian. I have multiple policies in a single file. Do I need to pass the Lambda function role in every policy section? Is there any way to mention the Lambda IAM role in a single place instead of in every policy section?
    ```text
    Exception running policy:ec2-auto-tagger account:default region:us-east-1 error:Lambda function role must be specified
    Exception running policy:ami-auto-tagger account:default region:us-east-1 error:Lambda function role must be specified
    Exception running policy:eip-auto-tagger account:default region:us-east-1 error:Lambda function role must be specified
    ```

    Phe Nguyen

    08/06/2025, 1:48 AM
    Hi Team, I am Phe, new here, and just starting to learn and test how to use c7n-org. One concern: I am trying to get tags at the account level for AWS; does Custodian support that? For example, aws.account or account. I did try to test it, but it seems the result returned is not correct. If anyone has anything about that, it would be great.

    Brian Gaber

    08/06/2025, 3:40 PM
    Would the cloudcustodian/c7n and cloudcustodian/c7n-org Docker images be FIPS compliant so that they could be used in a FedRAMP environment?

    Michael Davis

    08/11/2025, 7:49 PM
    I know this can't be an issue with code, because it is only happening with one instance and no changes have been made since long before it started happening. But I'm getting one instance that matches the following, even though it has been up for 8 months:
    ```yaml
    - name: ec2-stopped-over-60-notify-windows
      resource: aws.ec2
      description: |
        Notify Windows team of instances stopped over 60 days.
      query:
        - instance-state-name: stopped
      filters:
        - Platform: windows
        - type: state-age
          op: gt
          days: 60
        - not:
          - or:
            - "tag:cc-exemption": "stopped-dr"
            - "tag:cc-exemption": "stopped-asneeded"
    ```

    Michael Davis

    08/11/2025, 7:49 PM
    Any ideas would be great.

    SteveL

    08/12/2025, 1:04 PM
    Hi all. I'm hoping someone can help me out. I'm trying to create reports of non-compliant resources in AWS, but I need to add tags to the reports. The tags aren't in the resources.json; is there a way to get Custodian to include these tags?

    Pong

    08/12/2025, 7:47 PM
    Hi all, how would security vulnerabilities for c7n get shared with the community? Would it be via the mailing list, posts in Slack, or something else? We are in the process of submitting a request to do a POC of Cloud Custodian in our environment, and need to provide this info to the security team. Thanks for any info.

    SteveL

    08/13/2025, 11:23 AM
    Hey. For reporting in AWS, I'm trying to find a way to apply policies against multiple resource types and upload the results to a database. The problem is the column headings differ for each resource type (unlike with Azure!), so uploading to MSSQL is impossible. Has anyone found a way to overcome this?

    Jacob

    08/14/2025, 3:17 PM
    Hello all. Does anyone know how to filter on missing GCP labels? Typically in Azure/AWS, it would be:
    ```yaml
    - "tag:owner": absent
    - "tag:environment": absent
    ```
    But using something like the below does not work:
    ```yaml
    - "label:owner": absent
    ```
    You can definitely filter on label values. I just can’t find how to filter on missing labels.

    SteveL

    08/20/2025, 10:21 AM
    Hi all. For the azure-event-grid provision, is there a way to define how all created resources are tagged? I'm creating tag compliance policies and it's a little silly that the infra to run the policies can't be tagged 😆

    SteveL

    08/20/2025, 11:15 AM
    Also, I need to be able to specify the resource group for the Event Grid System Topic. Is that possible?

    Derrick Tumblin

    08/27/2025, 12:25 AM
    Is it possible to use the value_from field to assign tag values by manipulating regex? For example, taking the letters up to the first hyphen in prod3-ec2 and assigning them to a tag value of “env”? So the value of the “env” tag would be “prod3”.

    RB

    08/28/2025, 12:36 AM
    I noticed that if I have this reduce filter, it was working but then leaving a few resources per account and never cleaning them up:
    ```yaml
    limit: 5
    limit-percent: 10
    ```
    It seemed like there were only 2 resources found, and then Custodian would calculate 10% of that, which is 0.2, and then round it down instead of up, so we'd have N resources per account that were not getting flagged.

    Raul

    08/29/2025, 4:45 PM
    Is it possible to execute a script/code to assign a value to a tag? I'm discovering some resources that don't have some tag, but I want to predict the value with AI, so I need to call an external function.

    SteveL

    09/01/2025, 8:25 AM
    Is this something that will require a change to the code? How do i request that?

    Himanshu Vishwakarma

    09/02/2025, 12:55 PM
    Hi, I am trying to install cloud-custodian on my local kind cluster by following this doc: https://cloudcustodian.io/getting-started/ I am getting an error. Command: `helm install c7n-kube c7n/c7n-kube --namespace c7n-system -f values.yml --create-namespace` This is my values.yml file:
    ```yaml
    certManager:
      enabled: true

    policies:
      source: configMap
      configMap:
        policies:
          - name: missing-recommended-labels
            mode:
              type: k8s-admission
              on-match: deny
              operations:
                - CREATE
                - UPDATE
            description: |
              Kubernetes recommended the following labels from its docs:
              app.kubernetes.io/name
              app.kubernetes.io/instance
              app.kubernetes.io/version
              app.kubernetes.io/component
              app.kubernetes.io/part-of
              app.kubernetes.io/managed-by
              <https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/>
            resource: k8s.pod
            filters:
              - or:
                  - metadata.labels."app.kubernetes.io/name": absent
                  - metadata.labels."app.kubernetes.io/instance": absent
                  - metadata.labels."app.kubernetes.io/version": absent
                  - metadata.labels."app.kubernetes.io/component": absent
                  - metadata.labels."app.kubernetes.io/part-of": absent
                  - metadata.labels."app.kubernetes.io/managed-by": absent

    webhook:
      caBundle: will-be-replaced-by-cert-manager

      rules:
        - apiGroups: [""]
          apiVersions: ["v1"]
          operations: ["CREATE"]
          resources: ["pods"]
          scope: Namespaced
    ```
    After running the helm install command, I am getting this error on the pod:
    ```text
    Name:             c7n-kube-7b85676644-rswxb
    Namespace:        c7n-system
    Priority:         0
    Service Account:  default
    Node:             kind-c1-control-plane/172.18.0.2
    Start Time:       Tue, 02 Sep 2025 17:51:37 +0530
    Labels:           app=c7n_kube
                      app.kubernetes.io/component=AdmissionController
                      app.kubernetes.io/instance=c7n-kube
                      app.kubernetes.io/managed-by=Helm
                      app.kubernetes.io/name=c7n_kube.app_name
                      app.kubernetes.io/part-of=c7n
                      app.kubernetes.io/version=0.1.2
                      helm.sh/chart=c7n-kube-0.1.2
                      pod-template-hash=7b85676644
    Annotations:      <none>
    Status:           Running
    IP:               10.244.0.27
    IPs:
      IP:           10.244.0.27
    Controlled By:  ReplicaSet/c7n-kube-7b85676644
    Containers:
      web:
        Container ID:  containerd://776f08f3a3dd5b87776797b6ce7268922404e40c40c1f2062c46596b6d6ee7e3
        Image:         cloudcustodian/c7n:0.9.46.0
        Image ID:      docker.io/cloudcustodian/c7n@sha256:dee7aa35360b32295d69654658dbf60965575ff067748cd6ee3766fa282a259a
        Port:          8443/TCP
        Host Port:     0/TCP
        Command:
          c7n-kates
        Args:
          --host=0.0.0.0
          --port=8443
          --policy-dir=/policies
          --on-exception=warn
          --endpoint=/mutation
          --cert=/cert/tls.crt
          --ca-cert=/cert/ca.crt
          --cert-key=/cert/tls.key
        State:          Waiting
          Reason:       CrashLoopBackOff
        Last State:     Terminated
          Reason:       StartError
          Message:      failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "c7n-kates": executable file not found in $PATH: unknown
          Exit Code:    128
          Started:      Thu, 01 Jan 1970 05:30:00 +0530
          Finished:     Tue, 02 Sep 2025 18:23:29 +0530
        Ready:          False
        Restart Count:  11
        Environment:    <none>
        Mounts:
          /cert from certificate (rw)
          /policies from policies (rw)
          /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-cf8wc (ro)
    Conditions:
      Type                        Status
      PodReadyToStartContainers   True
      Initialized                 True
      Ready                       False
      ContainersReady             False
      PodScheduled                True
    Volumes:
      certificate:
        Type:        Secret (a volume populated by a Secret)
        SecretName:  c7n-kube-webhook
        Optional:    false
      policies:
        Type:      ConfigMap (a volume populated by a ConfigMap)
        Name:      c7n-kube-policies
        Optional:  false
      kube-api-access-cf8wc:
        Type:                    Projected (a volume that contains injected data from multiple sources)
        TokenExpirationSeconds:  3607
        ConfigMapName:           kube-root-ca.crt
        ConfigMapOptional:       <nil>
        DownwardAPI:             true
    QoS Class:                   BestEffort
    Node-Selectors:              <none>
    Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
    Events:
      Type     Reason     Age                    From               Message
      ----     ------     ----                   ----               -------
      Normal   Scheduled  32m                    default-scheduler  Successfully assigned c7n-system/c7n-kube-7b85676644-rswxb to kind-c1-control-plane
      Normal   Pulled     32m                    kubelet            Successfully pulled image "cloudcustodian/c7n:0.9.46.0" in 1.715s (1.715s including waiting). Image size: 161547461 bytes.
      Normal   Pulled     32m                    kubelet            Successfully pulled image "cloudcustodian/c7n:0.9.46.0" in 1.733s (1.733s including waiting). Image size: 161547461 bytes.
      Normal   Pulled     32m                    kubelet            Successfully pulled image "cloudcustodian/c7n:0.9.46.0" in 1.783s (1.783s including waiting). Image size: 161547461 bytes.
      Normal   Created    31m (x4 over 32m)      kubelet            Created container web
      Warning  Failed     31m (x4 over 32m)      kubelet            Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "c7n-kates": executable file not found in $PATH: unknown
      Normal   Pulled     31m                    kubelet            Successfully pulled image "cloudcustodian/c7n:0.9.46.0" in 1.644s (1.644s including waiting). Image size: 161547461 bytes.
      Normal   Pulling    31m (x5 over 32m)      kubelet            Pulling image "cloudcustodian/c7n:0.9.46.0"
      Warning  BackOff    2m26s (x140 over 32m)  kubelet            Back-off restarting failed container web in pod c7n-kube-7b85676644-rswxb_c7n-system(14ff6ab5-2d8e-49e1-9285-399dddd863bf)
    ```

    SteveL

    09/03/2025, 10:49 AM
    @AJ Kerrigan Please can you help me out. I'm getting a lot of grief from my management about this!

    Matthew Tordoff

    09/03/2025, 5:29 PM
    Hi All, I am looking to pull CloudWatch metrics for aws.fsx resources, however, it seems like fsx doesn't support the metrics filter. Am I correct in this discovery? It seems like metrics works for a lot of other resources so I am trying to understand why not for fsx. Would it be a lot of work to get that added in? Are FSX metrics different in some way? Are there any alternative methods I can use to pull back an inventory of fsx instances and their metrics?

    Naohito Takeuchi

    09/05/2025, 4:35 PM
    How do I upgrade the Python runtime version from 3.11 to 3.13? I have c7n 0.9.45 and Python 3.9.6 installed on my Mac, but when I deploy a policy, it uses Python 3.11. It appears the setting is configured within c7n itself.

    SteveL

    09/08/2025, 7:44 AM
    I need to make a webhook call with an API key in a header. Is there a way to interpolate secrets in the call?

    Muhammad Shujat Hussain

    09/08/2025, 6:02 PM
    Hello Custodian Community, At EazyOps, we’ve been long-time admirers and heavy users of Cloud Custodian, and we felt it was time to give something back. After all, good custodianship means not just managing resources, but also sharing them. We’re excited to introduce the Cloud Custodian MCP (Multi-Cloud Copilot) Server: https://github.com/Eazy-Ops/cloud-custodian-mcp Think of it as giving Custodian a co-pilot who can reason in plain English, keep YAML tidy, and never forget to validate.
    Highlights:
    • Policy generation from natural language prompts
    • Automatic organization into cloud-wise folders
    • Installs Custodian if it isn’t already present
    • Validates policies before saving
    • Provides human-friendly explanations of YAML policies
    • Answers Custodian-related questions
    • Multi-cloud support: AWS today, GCP and Azure coming soon
    • LangGraph + Flask backend, designed for CLI and web
    The repository includes a quickstart guide, example flows, and integration details. We’d love to hear your feedback, ideas, or contributions. Consider it our way of keeping the Custodian ecosystem a little cleaner, one policy at a time.
    — The EazyOps Team https://www.eazyops.com

    Ted Harwood

    09/10/2025, 5:29 PM
    Hey Team, hope this is the place for this question... We updated to a newer version of Custodian (0.9.45) and it is failing to start since the cluster nodes are in FIPS mode. For those not familiar, FIPS mode is a mode of encryption required for all systems running within the US government, so your newer versions will not work for any government agency or any company (like us) that provides their product for the government. We believe the reason is that your base container OS, Ubuntu 24.04, is forcing certain FIPS checks that the previous Ubuntu 22.04 base was not. If you would like more details about the problem, please let us know. You can replicate it by trying to run your product on Amazon EKS with an Amazon Linux 2023 node in FIPS mode (sudo fips-mode-setup --enable).

    Umair Khan

    09/15/2025, 1:31 PM
    https://cloud-custodian.slack.com/archives/C03UV5Y92P6/p1757942570270959

    Michael Davis

    09/15/2025, 6:33 PM
    In AWS, what happens if you use a tag action on a resource that already has that tag?