# general
  • Johan
    07/13/2025, 1:38 PM
    Is there a way to check a patch in AWS and change the state of the corresponding Security Hub finding? E.g. I need an action for a policy like:
    policies:
      - name: ec2-patched-now
        resource: ec2
        filters:
          - type: finding
            key: Severity.Title
            op: equals
            value: "Systems Manager Patch Summary - Managed Instance Non-Compliant"
            state: ACTIVE
          - type: ssm-compliance
            compliance_types:
              - Association
              - Patch
            states:
              - COMPLIANT
  • Jimmy Ray
    07/14/2025, 7:03 PM
    Has anyone written a policy to detect unmanaged nodegroups in EKS clusters?
  • Christoph Krüger
    07/15/2025, 12:17 PM
    Does anybody know a way to use Cloud Custodian to check on the remaining IP addresses in an AWS subnet?
  • prasanna
    07/17/2025, 3:24 PM
    Hi, good day! We are getting the c7n-mailer error below and need your feedback and support:
    Traceback (most recent call last):
      File "/aws-cet-custodian-aws/_work/cet-cloudcustodian-aws/cet-cloudcustodian-aws/custodian/bin/c7n-mailer", line 8, in <module>
        sys.exit(main())
      File "/aws-cet-custodian-aws/_work/cet-cloudcustodian-aws/cet-cloudcustodian-aws/custodian/lib64/python3.9/site-packages/c7n_mailer/cli.py", line 255, in main
        deploy.provision(mailer_config, functools.partial(session_factory, mailer_config))
      File "/aws-cet-custodian-aws/_work/cet-cloudcustodian-aws/cet-cloudcustodian-aws/custodian/lib64/python3.9/site-packages/c7n_mailer/deploy.py", line 86, in provision
        archive = get_archive(config)
      File "/aws-cet-custodian-aws/_work/cet-cloudcustodian-aws/cet-cloudcustodian-aws/custodian/lib64/python3.9/site-packages/c7n_mailer/deploy.py", line 48, in get_archive
        archive = PythonPackageArchive(modules=deps)
      File "/aws-cet-custodian-aws/_work/cet-cloudcustodian-aws/cet-cloudcustodian-aws/custodian/lib64/python3.9/site-packages/c7n/mu.py", line 82, in __init__
        self.add_modules(None, modules)
      File "/aws-cet-custodian-aws/_work/cet-cloudcustodian-aws/cet-cloudcustodian-aws/custodian/lib64/python3.9/site-packages/c7n/mu.py", line 126, in add_modules
        module = importlib.import_module(module_name)
      File "/usr/lib64/python3.9/importlib/__init__.py", line 127, in import_module
        return _bootstrap._gcd_import(name[level:], package, level)
      File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
      File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
      File "<frozen importlib._bootstrap>", line 984, in _find_and_load_unlocked
    ModuleNotFoundError: No module named 'ellipticcurve'
    after_in_child hook reset_at_fork was unregistered without first being registered
    2025-07-09 05:30:22,490 - ddtrace.internal.forksafe - INFO - after_in_child hook reset_at_fork was unregistered without first being registered
    Error: Process completed with exit code 1.
  • kapilt
    07/17/2025, 6:42 PM
    cloud custodian 0.9.46 released, notes - https://github.com/cloud-custodian/cloud-custodian/releases/tag/0.9.46.0
  • Andrew
    07/17/2025, 10:54 PM
    Does anyone have an example of how to register GCP actions for all resources? I know it looks something like this for AWS resources:
    from c7n.actions.core import BaseAction
    from c7n.manager import resources as manager_resources
    from c7n.utils import dumps
    
    class ConsoleLog(BaseAction):
    ...
        @classmethod
        def register_resource(cls, registry, resource_class):
            if "console-log" in resource_class.action_registry:
                return
    
            resource_class.action_registry.register("console-log", cls)
    
    
    # Registers this action for all resources; the registry was imported above as manager_resources
    manager_resources.subscribe(ConsoleLog.register_resource)
  • Ludovic LANGE
    07/21/2025, 11:03 AM
    Hello Everyone, I'm using c7n-org to deploy a periodic policy that needs to execute in a VPC (AWS Lambda). I'd like to find a way to parametrize the security_groups and subnets parameters. The policy looks like:
    policies:
      - name: my-lambda
        mode:
          type: periodic
          schedule: "cron(00 11 ? * MON *)"
          role: arn:aws:iam::{account_id}:role/my-role
          security_groups:
            - sg-12345678
          subnets:
            - subnet-aabbccdd
            - subnet-00112233
            - subnet-44556677
        filters:
        ...
    As I'm deploying the same policy to multiple accounts / multiple regions, I need to make those security_groups / subnets parameters not hardcoded in the policy, but dependent on the account (may be OK) and the region (more complex). Variables can be used in the accounts YAML file, which takes care of the account dependency:
    • Policy
    policies:
      - name: my-lambda
        mode:
          type: periodic
          schedule: "cron(00 11 ? * MON *)"
          role: arn:aws:iam::{account_id}:role/my-role
          security_groups: "{security_groups}"
          subnets: "{subnets}"
        filters:
        ...
    • Accounts
    - account_id: '012345670901'
      regions:
      - eu-west-1
      - eu-west-3
      ....
      vars:
          security_groups:
            - sg-12345678
          subnets:
            - subnet-aabbccdd
            - subnet-00112233
            - subnet-44556677
      ....
    But this can only make variables depend on account. However the security_groups and subnets are dependent on account X region. I tried to index the variable reference with either:
        security_groups: "{security_groups[{region}]}"
    or
        security_groups: "{security_groups[region]}"
    But it's not supported. I may be able to "fix it" by adding special handling of variable resolution with references to other variables, but I was wondering if someone else had faced this issue and how it was overcome. (One solution would be to denormalize the accounts: duplicate each account the same number of times as it has different regions; but I'm looking for an alternative.) Let me know your thoughts.
  • Andrew (Ego) Egelhofer
    07/23/2025, 9:49 PM
    Hi @AJ Kerrigan (or any of the C7N folks): Re: https://github.com/cloud-custodian/cloud-custodian/issues/9067
    > For the enable case, we’ll want an example policy that includes IncludeDisabled: true in the query block because disabled AMIs won’t be visible by default
    How can I do that from a Policy’s YAML definition? I’m not immediately finding a way to do this in the docs.
  • prasanna
    07/24/2025, 1:42 PM
    Hi, good day! We are getting the c7n-mailer error below from the AWS-deployed mailer after upgrading Python 3.9 to Python 3.11 in the deployment pipeline; feedback and support appreciated:
    2025-07-24T13:39:57.654Z
    [ERROR] Runtime.ImportModuleError: Unable to import module 'periodic': No module named 'jwt'
    Traceback (most recent call last):
    
    2025-07-24T13:39:57.799Z
    INIT_REPORT Init Duration: 1365.58 ms	Phase: invoke	Status: error	Error Type: Runtime.ImportModuleError
  • prasanna
    07/24/2025, 1:47 PM
    cc-m-error.png
  • prasanna
    07/24/2025, 4:12 PM
    May I know if there is any specific Python version for the AWS c7n-mailer?
  • Andrew
    07/24/2025, 5:33 PM
    Is anyone else experiencing removing labels from GCP sql-instances silently not working?
  • prasanna
    07/25/2025, 2:55 PM
    Hi, good day. Please kindly share a working environment for the AWS c7n-mailer: Python version and the OS version of the deployed EC2 instance (e.g. Ubuntu).
  • Stephen Colebrook
    07/30/2025, 1:05 PM
    Hi All. I noticed that the automated tests in GitHub include Python 3.13 on Ubuntu. What would be needed to make sure using policies in the python3.13 runtime works successfully so it can be added as an allowed runtime in the policy schema? Also, currently python3.11 is the default runtime. There’s a little less than a year before AWS deprecates that runtime. The python3.12 runtime doesn’t reach deprecation until Oct 31, 2028. How close to the EOL of 3.11 would be a good time to change the default runtime?
  • Brian Gaber
    07/31/2025, 9:25 PM
    With c7n-org I am attempting to run this policy, which is almost identical to what the doc example (https://cloudcustodian.io/docs/aws/resources/aws-common-filters.html#aws-common-filters-usage) provides:
    - name: unused-credentials
      resource: iam-user
      filters:
        - type: usage
          LastAuthenticated:
            type: value
            value_type: age
            op: greater-than
            value: 45
          match-operator: any
    I get this error:
    c7n_org:ERROR Exception running policy:unused-credentials account:go-noc-rd region:us-east-1 error:argument of type 'type' is not iterable
    Any ideas on the cause of the error?
  • Joe Vaughan
    08/01/2025, 3:41 PM
    Hi all, I'm new to Cloud Custodian, just starting to play around with it a bit at work. I'm trying to get VS Code integration working; I'm using the YAML plugin from Red Hat in VS Code and have configured it as per the docs: https://cloudcustodian.io/docs/quickstart/index.html#editor-integration. Whenever I try to write a policy I get this error:
        $ref '/definitions/ManagedSourceConfiguration' in 'file:///Users/myuser/git/myrepo/schema.json' can not be resolved. YAML(768)
    In terms of versions, I'm running Cloud Custodian via Docker with the latest image; the schema was generated with this:
        docker run -it \
          cloudcustodian/c7n schema --json > schema.json
  • Asik Rasool
    08/04/2025, 7:19 PM
    Hi. Just playing with Cloud Custodian. I have multiple policies in a single file. Do I need to pass the Lambda function role to every policy section? Is there any way to mention the Lambda IAM role in a single place instead of in every policy section?
    Exception running policy:ec2-auto-tagger account:default region:us-east-1 error:Lambda function role must be specified
    Exception running policy:ami-auto-tagger account:default region:us-east-1 error:Lambda function role must be specified
    Exception running policy:eip-auto-tagger account:default region:us-east-1 error:Lambda function role must be specified
  • Phe Nguyen
    08/06/2025, 1:48 AM
    Hi Team, I am Phe, new here, and just starting to learn and test how to use c7n-org. One concern: I am trying to get tags at the account level for AWS; does Custodian support that? For example aws.account or account. I did try to test it, but it seems the result returned is not correct. If anyone has anything about that, it would be great.
  • Brian Gaber
    08/06/2025, 3:40 PM
    Would the cloudcustodian/c7n and cloudcustodian/c7n-org Docker images be FIPS compliant so that they could be used in a FedRAMP environment?
  • Michael Davis
    08/11/2025, 7:49 PM
    I know this can't be an issue with code, because it is only happening with one instance and no changes have been made since long before it started happening. But I'm getting one instance that matches the following, even though it has been up for 8 months:
    - name: ec2-stopped-over-60-notify-windows
      resource: aws.ec2
      description: |
        Notify Windows team of instances stopped over 60 days.
      query:
        - instance-state-name: stopped
      filters:
        - Platform: windows
        - type: state-age
          op: gt
          days: 60
        - not:
          - or:
            - "tag:cc-exemption": "stopped-dr"
            - "tag:cc-exemption": "stopped-asneeded"
    Any ideas would be great.
  • SteveL
    08/12/2025, 1:04 PM
    Hi all. I'm hoping someone can help me out. I'm trying to create reports of non-compliant resources in AWS, but I need to add tags to the reports. The tags aren't in resources.json; is there a way to get Custodian to include these tags?
  • Pong
    08/12/2025, 7:47 PM
    Hi all, how would security vulnerabilities for c7n get shared with the community: via the mailing list, posts in Slack, or something else? We are in the process of submitting a request to do a POC of Cloud Custodian in our environment, and need to provide this info to the security team. Thanks for any info.
  • SteveL
    08/13/2025, 11:23 AM
    Hey. For reporting in AWS I'm trying to find a way to apply policies against multiple resource types and upload the results to a database. The problem is the column headings differ for each resource type (unlike with Azure!), so uploading to MSSQL is impossible. Has anyone found a way to overcome this?
  • Jacob
    08/14/2025, 3:17 PM
    Hello all. Does anyone know how to filter on missing GCP labels? Typically in Azure/AWS, it would be:
        - "tag:owner": absent
        - "tag:environment": absent
    But using something like the below does not work:
        - "label:owner": absent
    You can definitely filter on label values. I just can’t find how to filter on missing labels.
  • SteveL
    08/20/2025, 10:21 AM
    Hi all. For the azure-event-grid provision, is there a way to define how all created resources are tagged? I'm creating tag compliance policies and it's a little silly that the infra to run the policies can't be tagged 😆
  • SteveL
    08/20/2025, 11:15 AM
    Also, I need to be able to specify the resource group for the Event Grid System Topic; is that possible?
  • Derrick Tumblin
    08/27/2025, 12:25 AM
    Is it possible to use the value_from field to assign tag values by manipulating regex? For example, taking the letters up to the first hyphen in prod3-ec2 and assigning them to a tag value of “env”? So the tag value of “env” would be “prod3”.