# general
SteveL
08/20/2025, 11:15 AM
Also I need to be able to specify the resource group for the Event Grid System Topic, is that possible?

Derrick Tumblin
08/27/2025, 12:25 AM
Is it possible to use the value_from field to assign tag values by manipulating regex? For example, taking the letters up to the first hyphen in prod3-ec2 and assigning it to a tag value of “env”? So the tag value of “env” would be “prod3”.

RB
08/28/2025, 12:36 AM
I noticed that if I have this `reduce` filter, it was working but then leaving a few resources per account and never cleaning them up:
```yaml
limit: 5
limit-percent: 10
```
It seemed like there were only 2 resources found, and then custodian would calculate 10% of that, which is 0.2, and round it down instead of up, so we'd have N resources per account that were not getting flagged.

Raul
08/29/2025, 4:45 PM
Is it possible to execute a script/code to assign a value to a tag? I'm discovering some resources that don't have some tag, but I want to predict the value with AI, so I need to call an external function.

SteveL
09/01/2025, 8:25 AM
Is this something that will require a change to the code? How do I request that?

Himanshu Vishwakarma
09/02/2025, 12:55 PM
Hi, I am trying to install cloud-custodian on my local kind cluster by following this doc: https://cloudcustodian.io/getting-started/ and I am getting an error. Command: `helm install c7n-kube c7n/c7n-kube --namespace c7n-system -f values.yml --create-namespace`. This is my values.yml file:
```yaml
certManager:
  enabled: true

policies:
  source: configMap
  configMap:
    policies:
      - name: missing-recommended-labels
        mode:
          type: k8s-admission
          on-match: deny
          operations:
            - CREATE
            - UPDATE
        description: |
          Kubernetes recommended the following labels from its docs:
          app.kubernetes.io/name
          app.kubernetes.io/instance
          app.kubernetes.io/version
          app.kubernetes.io/component
          app.kubernetes.io/part-of
          app.kubernetes.io/managed-by
          https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
        resource: k8s.pod
        filters:
          - or:
              - metadata.labels."app.kubernetes.io/name": absent
              - metadata.labels."app.kubernetes.io/instance": absent
              - metadata.labels."app.kubernetes.io/version": absent
              - metadata.labels."app.kubernetes.io/component": absent
              - metadata.labels."app.kubernetes.io/part-of": absent
              - metadata.labels."app.kubernetes.io/managed-by": absent

webhook:
  caBundle: will-be-replaced-by-cert-manager

  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE"]
      resources: ["pods"]
      scope: Namespaced
```
After running the helm install command I am getting this error on the pod:
```
Name:             c7n-kube-7b85676644-rswxb
Namespace:        c7n-system
Priority:         0
Service Account:  default
Node:             kind-c1-control-plane/172.18.0.2
Start Time:       Tue, 02 Sep 2025 17:51:37 +0530
Labels:           app=c7n_kube
                  app.kubernetes.io/component=AdmissionController
                  app.kubernetes.io/instance=c7n-kube
                  app.kubernetes.io/managed-by=Helm
                  app.kubernetes.io/name=c7n_kube.app_name
                  app.kubernetes.io/part-of=c7n
                  app.kubernetes.io/version=0.1.2
                  helm.sh/chart=c7n-kube-0.1.2
                  pod-template-hash=7b85676644
Annotations:      <none>
Status:           Running
IP:               10.244.0.27
IPs:
  IP:           10.244.0.27
Controlled By:  ReplicaSet/c7n-kube-7b85676644
Containers:
  web:
    Container ID:  containerd://776f08f3a3dd5b87776797b6ce7268922404e40c40c1f2062c46596b6d6ee7e3
    Image:         cloudcustodian/c7n:0.9.46.0
    Image ID:      docker.io/cloudcustodian/c7n@sha256:dee7aa35360b32295d69654658dbf60965575ff067748cd6ee3766fa282a259a
    Port:          8443/TCP
    Host Port:     0/TCP
    Command:
      c7n-kates
    Args:
      --host=0.0.0.0
      --port=8443
      --policy-dir=/policies
      --on-exception=warn
      --endpoint=/mutation
      --cert=/cert/tls.crt
      --ca-cert=/cert/ca.crt
      --cert-key=/cert/tls.key
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       StartError
      Message:      failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "c7n-kates": executable file not found in $PATH: unknown
      Exit Code:    128
      Started:      Thu, 01 Jan 1970 05:30:00 +0530
      Finished:     Tue, 02 Sep 2025 18:23:29 +0530
    Ready:          False
    Restart Count:  11
    Environment:    <none>
    Mounts:
      /cert from certificate (rw)
      /policies from policies (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-cf8wc (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True
  Initialized                 True
  Ready                       False
  ContainersReady             False
  PodScheduled                True
Volumes:
  certificate:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  c7n-kube-webhook
    Optional:    false
  policies:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      c7n-kube-policies
    Optional:  false
  kube-api-access-cf8wc:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                    From               Message
  ----     ------     ----                   ----               -------
  Normal   Scheduled  32m                    default-scheduler  Successfully assigned c7n-system/c7n-kube-7b85676644-rswxb to kind-c1-control-plane
  Normal   Pulled     32m                    kubelet            Successfully pulled image "cloudcustodian/c7n:0.9.46.0" in 1.715s (1.715s including waiting). Image size: 161547461 bytes.
  Normal   Pulled     32m                    kubelet            Successfully pulled image "cloudcustodian/c7n:0.9.46.0" in 1.733s (1.733s including waiting). Image size: 161547461 bytes.
  Normal   Pulled     32m                    kubelet            Successfully pulled image "cloudcustodian/c7n:0.9.46.0" in 1.783s (1.783s including waiting). Image size: 161547461 bytes.
  Normal   Created    31m (x4 over 32m)      kubelet            Created container web
  Warning  Failed     31m (x4 over 32m)      kubelet            Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "c7n-kates": executable file not found in $PATH: unknown
  Normal   Pulled     31m                    kubelet            Successfully pulled image "cloudcustodian/c7n:0.9.46.0" in 1.644s (1.644s including waiting). Image size: 161547461 bytes.
  Normal   Pulling    31m (x5 over 32m)      kubelet            Pulling image "cloudcustodian/c7n:0.9.46.0"
  Warning  BackOff    2m26s (x140 over 32m)  kubelet            Back-off restarting failed container web in pod c7n-kube-7b85676644-rswxb_c7n-system(14ff6ab5-2d8e-49e1-9285-399dddd863bf)
```

SteveL
09/03/2025, 10:49 AM
@AJ Kerrigan Please can you help me out. I'm getting a lot of grief from my management about this!

Matthew Tordoff
09/03/2025, 5:29 PM
Hi All, I am looking to pull CloudWatch metrics for aws.fsx resources; however, it seems like fsx doesn't support the metrics filter. Am I correct in this discovery? It seems like metrics works for a lot of other resources, so I am trying to understand why not for fsx. Would it be a lot of work to get that added in? Are FSX metrics different in some way? Are there any alternative methods I can use to pull back an inventory of fsx instances and their metrics?

Naohito Takeuchi
09/05/2025, 4:35 PM
How do I upgrade the Python runtime version from 3.11 to 3.13? I have c7n 0.9.45 and Python 3.9.6 installed on my Mac, but when I deploy a policy, it uses Python 3.11. It appears the setting is configured within c7n itself.

SteveL
09/08/2025, 7:44 AM
I need to make a webhook call with an API key in a header. Is there a way to interpolate secrets in the call?

Muhammad Shujat Hussain
09/08/2025, 6:02 PM
Hello Custodian Community, At EazyOps, we’ve been long-time admirers and heavy users of Cloud Custodian, and we felt it was time to give something back. After all, good custodianship means not just managing resources, but also sharing them. We’re excited to introduce the Cloud Custodian MCP (Multi-Cloud Copilot) Server: https://github.com/Eazy-Ops/cloud-custodian-mcp Think of it as giving Custodian a co-pilot who can reason in plain English, keep YAML tidy, and never forget to validate.
Highlights:
• Policy generation from natural language prompts
• Automatic organization into cloud-wise folders
• Installs Custodian if it isn’t already present
• Validates policies before saving
• Provides human-friendly explanations of YAML policies
• Answers Custodian-related questions
• Multi-cloud support: AWS today, GCP and Azure coming soon
• LangGraph + Flask backend, designed for CLI and web
The repository includes a quickstart guide, example flows, and integration details. We’d love to hear your feedback, ideas, or contributions. Consider it our way of keeping the Custodian ecosystem a little cleaner, one policy at a time. — The EazyOps Team https://www.eazyops.com

Ted Harwood
09/10/2025, 5:29 PM
Hey Team, hope this is the place for this question... We updated to a newer version of Custodian (0.9.45) and it is failing to start since the cluster nodes are in FIPS mode. For those not familiar, FIPS mode is a mode of encryption required for all systems running within the US government, so your newer versions will not work for any government agency or any company (like us) that provides their product for the government. We believe the reason is that your base container OS, Ubuntu 24.04, is forcing certain FIPS checks that the previous Ubuntu 22.04 base was not. If you would like more details about the problem, please let us know. You can replicate by trying to run your product on Amazon EKS with an Amazon Linux 2023 node in FIPS mode (`sudo fips-mode-setup --enable`).

Umair Khan
09/15/2025, 1:31 PM
https://cloud-custodian.slack.com/archives/C03UV5Y92P6/p1757942570270959

Michael Davis
09/15/2025, 6:33 PM
In AWS, what happens if you use a tag action on a resource that already has that tag?

Michael Davis
09/17/2025, 12:24 PM
Never mind. AI answered the question for me.

Michael Davis
09/17/2025, 1:27 PM
AND just noticed AI can build policies too

Michael Davis
09/17/2025, 1:27 PM
so much for my job

Phe Nguyen
09/17/2025, 9:33 PM
Hello everyone, I am running into an issue with the tag action once integrated with Security Hub. The error is here:
```
c7n_org:ERROR Exception running policy:audit-missing-esat-tag-for-org-account account:aws-mgmt region:us-gov-west-1 error:An error occurred (UnrecognizedClientException) when calling the TagResources operation: The security token included in the request is invalid
```
And here is the policy:
```yaml
policies:
  - name: audit-missing-esatsid-tag-for-org-account
    resource: aws.org-account
    description: Lists org account missing env-EsatsId tags
    filters:
      - not:
          - or:
              - "tag:esatsId": present
              - "tag:esatsid": present
              - "tag:env EsatsId": present
    actions:
      - type: post-finding
        severity_normalized: 80
        compliance_status: FAILED
        types:
          - "Software and Configuration Checks/AWS Security Best Practices"
        title: "Account has not EsatsId tag"
        description: "This account does not have EsatsId attached."
```
Please suggest how to solve this issue. I am running c7n-org in the mgmt CloudShell and it works fine if I do not add the post-finding action integrating with Security Hub.

Anish
09/19/2025, 12:43 PM
Hello. I had a question regarding the ec2 resource. I've found that there's a way to check whether a host is truly public via looking at its attributes and using jmespath to look at IpPermissions for exposure. Is there a way to then action on those group rules directly within the ec2 resource policy? Alternatively, is there a way to pass what has been filtered to another policy within the same policies list for further actions, like ec2 evaluates and passes to the sg policy for actions?

SteveL
09/19/2025, 2:37 PM
I am deploying policies to Azure and infosec have just deleted the storage accounts because they were exposed publicly. How can this be rectified? HELP!!!!!!!!

kapilt
09/22/2025, 6:15 PM
cloud custodian 0.9.47 released, release notes https://github.com/cloud-custodian/cloud-custodian/releases/tag/0.9.47.0

Anish
09/25/2025, 9:15 PM
When evaluating a security group for all ports, I'm encountering a weird case where, when attempting to set a new add-ingress for all ports, it's assigning random single ports instead of the entire port range even though the set-permission is using the From/To-Port properties. Is this a bug or does this not work, and if so, is there an alternate way to deal with this case?

Thomas Heute
09/30/2025, 7:45 AM
Hello! First time here 🙂 I'm trying `custodian` and `c7n-org` to update tags on ~150 AWS accounts. Running from my machine (Mac), I noticed that when running the command over and over (to go through the 150 accounts), my machine starts to crawl. At some point I can't make any network connection unless I stop the loop and wait a few minutes. It seems that network connections might be left open; has anyone experienced this issue with custodian?

Michael Davis
10/03/2025, 6:46 PM
Mailer problem. I'm getting this error: `error: STARTTLS extension not supported by server`. Here is my mailer.yml:
```yaml
queue_url: https://sqs.us-east-1.amazonaws.com/014084670816/cloud-custodian-mailer<redacted>
role: <redacted>
region: us-east-1
from_address: <redacted>
smtp_server: exchgw.tyson.com<redacted>
smtp_port: 25
smtp_ssl: True
contact_tags:
  - "Owner"
  - "AdminOwner"
  - "owner"
  - "adminowner"
```
Nothing has changed, but the mailer stopped working on Monday. It was working fine on Sunday. Any idea why I'm getting a TLS error?

Omendra Gakkhar
10/08/2025, 7:10 PM
Hi, good day. In Azure, a policy deployed as a function app needs an App Service Plan (ASP), by default using the Dynamic Tier (Linux Consumption hosting plan). New subscriptions do not have quota for this tier and need Microsoft Support for an extension. Also, this tier will be retired by 30 September 2028 in existing subscriptions. This is blocking policy deployment in Azure. Other ASPs (Basic/Standard/Premium) have some fixed cost associated, discouraging their usage. Is anyone getting this issue? Is there any alternate approach? Are there any plans to support the Flex Consumption ASP for Azure policy deployment? Error message content:
```json
{"Code":"Unauthorized","Message":"This region has quota of 0 instances for your subscription. Try selecting different region or SKU.","Target":null,"Details":[{"Message":"This region has quota of 0 instances for your subscription. Try selecting different region or SKU."},{"Code":"Unauthorized"},{"ErrorEntity":{"ExtendedCode":"52039","MessageTemplate":"{0}. Try selecting different region or SKU.","Parameters":["This region has quota of 0 instances for your subscription"],"Code":"Unauthorized","Message":"This region has quota of 0 instances for your subscription. Try selecting different region or SKU."}}],"Innererror":null}
```

Pong
10/14/2025, 7:07 PM
Hello all - Having some trouble getting started with implementing cloud custodian as an Azure function. In reading this, it seems there is a bit of yaml that needs to be used to deploy/create this, but when I go through vscode to create a python based azure function, it seems to require a whole other set of files, which is not present in the cloud custodian github repo. The schema provided does not seem to match the policy format either (starts with "policies" root), so it does not seem to be something I can manually run using the custodian command line either. Thanks in advance for any help. I checked around and did not see a getting started/etc channel, so hopefully this is the right place for this question. We have already manually created all the resources (function container holder, storage blob, etc), but unsure how to run cloud custodian (which seems to be command line based) and how to point it at the various resources to reference policy files.

Gianncarlo G
10/16/2025, 3:31 PM
Hi all! I have a question. I have a policy that uses the action `- type: invoke-lambda`. Does this purely just invoke the lambda? I'm wondering if I have the code, that it will upload my lambda if it's missing.

Pong
10/17/2025, 7:36 PM
Trying again. Hope someone can help with setting up cloud custodian in Azure as a function app. I tried to feed the schema provided in the above link into custodian, but it fails validation. (I updated the storage/app insight/etc names inline as well.) If I try to export the overall schema and use vscode to validate, vscode is not able to parse it. I am able to reference other schemas from schemastore.org and it works fine.

mach
10/22/2025, 1:27 PM
Hey. I've written some terraform modules that allow you to deploy and manage cloud-custodian lambda resources using native terraform (aws_lambda_function etc.) as opposed to using the cloud-custodian CLI. This is the repository: https://github.com/elsevierlabs-os/terraform-cloud-custodian-lambda

Pong
10/24/2025, 5:54 PM
Hi all, when I use custodian to create the azure functions, it has these warnings regarding use of older python/etc. I am running on the latest version of custodian (0.9.47). While I can update some of this (runtime version/python version) in the function app afterwards, are there any issues with doing so?