Cloud Custodian is an open-source tool for managing cloud security, compliance and governance policies, written in a YAML-based DSL.
Questions tagged [cloudcustodian]
58 questions
2 votes, 1 answer
Cloud custodian policy to retrieve access keys older than 90 days and notify the users periodically
All,
I want a policy that only retrieves ACTIVE access keys that are older than 90 days and notifies the users periodically.
policies:
  - name: iam-user-access-keys-older-than-90days
    description: |
      Retrieve all IAM users who have active access…

cloudbud
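One shape such a policy can take, added here as an illustration and not taken from the post above or from the Cloud Custodian project's own examples. The `access-key` filter, `value_type: age`, the `periodic` mode and the `notify` action are Cloud Custodian features; the Lambda role ARN, the recipient address and the SQS queue URL are placeholders that have to be replaced.

```yaml
policies:
  - name: iam-user-access-keys-older-than-90days
    resource: aws.iam-user
    description: |
      Notify about IAM users that still have an ACTIVE access key
      created more than 90 days ago. Runs once a day as a Lambda.
    mode:
      type: periodic
      schedule: "rate(1 day)"
      role: arn:aws:iam::123456789012:role/custodian-lambda   # placeholder role
    filters:
      # Keep only users that have at least one Active key ...
      - type: access-key
        key: Status
        value: Active
      # ... and, of those keys, only the ones older than 90 days.
      # A second access-key filter narrows the keys matched by the first
      # (Custodian records them under the c7n:matched-keys annotation),
      # so both conditions apply to the same key rather than to two
      # different keys of the same user.
      - type: access-key
        key: CreateDate
        value_type: age
        value: 90
        op: greater-than
    actions:
      - type: notify
        template: default
        subject: "[custodian] active IAM access keys older than 90 days"
        to:
          - security-team@example.com          # placeholder recipient
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/custodian-mailer   # placeholder queue
```

`notify` only queues a message; c7n-mailer (`c7n-mailer --config mailer.yml --run`, or its own Lambda deployment) drains the queue and sends the email. Before enabling the periodic mode, run `custodian run --dryrun -s out policy.yml` followed by `custodian report -s out policy.yml` to check which users match.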
2 votes, 1 answer
How to set up cloud custodian on Docker
All,
I am trying to implement a Cloud Custodian solution as an AWS ECS scheduled task on Fargate.
My Dockerfile looks like:
FROM cloudcustodian/c7n:latest
WORKDIR /opt/src
COPY policy.yml policy.yml
COPY mailer.yml mailer.yml
ENTRYPOINT [ "/bin/sh"…

cloudbud
1 vote, 1 answer
JMESPath query with CloudCustodian filter Key for ec2 ami
I would like to find and stop, using Cloud Custodian, all EC2 instances that are running an AMI older than a certain date and that have a certain tag. The tags on such an AMI would look like
"Tags": [
    {
        "Key": "tag-1",
        "Value": "value-1"
        …

user2175783
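A policy that combines AMI age with a tag on the AMI, added here as an illustration and not taken from the post above or from the Cloud Custodian project. The `image-age` filter (days since the AMI's CreationDate) and the `image` filter (a value filter evaluated against the AMI rather than the instance) are Cloud Custodian features; the 180-day threshold and the tag values are placeholders.

```yaml
policies:
  - name: ec2-stop-old-tagged-ami
    resource: aws.ec2
    description: |
      Stop running instances whose AMI is at least 180 days old
      and carries the tag tag-1=value-1 (threshold is a placeholder).
    filters:
      - "State.Name": running
      # image-age looks up each instance's AMI and compares the AMI's
      # CreationDate with today, in days.
      - type: image-age
        days: 180
        op: ge
      # image applies a value filter to the AMI itself; the tag: prefix
      # resolves against the AMI's Tags list, not the instance's tags.
      - type: image
        key: "tag:tag-1"
        value: value-1
    actions:
      - stop
```

`image-age` expresses "older than N days"; for a fixed cut-off date, use an `image` filter on the AMI's `CreationDate` with `value_type: date` and `op: lt` instead. Run with `--dryrun` first: `stop` is applied to every instance that matches, so check the report before removing the flag.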
1 vote, 1 answer
Include OS type (Linux/Windows) in Cloud Custodian's EC2 findings for AWS Security Hub
We have a Cloud Custodian policy for AWS EC2 that posts its findings to AWS Security Hub.
Is there a way to include the EC2 OS type (Linux/Windows) in the details that are sent to Security Hub by Cloud Custodian?
We're pushing Security Hub findings…

Harish KM
1 vote, 1 answer
Cloud custodian GCP storage enable versioning check for all storage
I am trying to write a GCP storage bucket policy for Cloud Custodian but have no idea how to filter on the versioning status of all available buckets
policies:
  - name: check-all-bucket-versioning
    description: |
      Check all bucket versioning…

Chagan
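A check-only version of the policy asked about above, added here as an illustration and not taken from the post or from the Cloud Custodian project. It relies on the shape of the GCS `buckets.list` response (`versioning.enabled`) and on Custodian's generic `value` filter with `or`; it reports buckets and takes no action.

```yaml
policies:
  - name: check-all-bucket-versioning
    resource: gcp.bucket
    description: |
      Report every GCS bucket that does not have object versioning enabled.
    filters:
      # The API returns versioning: {enabled: true} when versioning is on.
      # A bucket that never had versioning configured has no versioning
      # key at all, so test for "missing" as well as for "false".
      - or:
        - type: value
          key: versioning
          value: absent
        - type: value
          key: versioning.enabled
          value: false
```

Run it with Application Default Credentials and `GOOGLE_CLOUD_PROJECT` pointing at the project, then `custodian report -s out policy.yml --field versioning=versioning.enabled` lists the matching buckets with the raw value for each one.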
1 vote, 1 answer
how do I combine strings with jmespath queries to build up a webhook body?
I am trying to use Cloud Custodian webhooks to create tagged events in Datadog using the Datadog API.
The following code nearly works, except account_id is not created as a tag in Datadog. If I capture the body sent, it contains "01234" (i.e. a…

mikejmcfarlane
1 vote, 2 answers
Get Data from Cloud Custodian into an Amazon S3 Bucket
I want to export data from Cloud Custodian to an Amazon S3 bucket. I understand Cloud Custodian can be easily integrated with AWS Security Hub, and once I have data in Security Hub I can dump it to an Amazon S3 bucket using EventBridge, but in my…

Bokambo
1 vote, 1 answer
How to delete GCF function or How to change trigger type of existing one using cloudcustodian?
I have a GCF function deployed using Cloud Custodian c7n-org. I have to change the trigger type of the existing function to an HTTP trigger. When I tried to delete it, it was deleted, but when I try to apply the rule, it creates an HTTP-trigger function…

kohi
1 vote, 1 answer
Cloud custodian policy to get all open ports of AWS EC2 instance
I want to list all open ports for an EC2 instance using a Cloud Custodian policy. Is there a way to do this in a single step?
policies:
  - name: ec2-by-port
    resource: ec2
    filters:
      - type: security-group
        match-resource: true
        …

isurikz
1 vote, 3 answers
What are good alternatives to Cloud Custodian?
I recently created an AWS account and I need a tool that can help me manage my AWS instances (EC2, RDS, Load Balancer). Specifically, I want the tool to be able to act as an instance scheduler with the following requirements:
Ability to…

coderhk
1 vote, 3 answers
Alert or monitor, when your s3 bucket hits 90% of max limit for the particular account
We recently hit the limit for the maximum number of S3 buckets in our AWS account. We started to look for something that sends alerts when we use 90% of the S3 bucket quota in our account, but we have not been able to find any such metric in CloudWatch. Also, we looked…

Prashant Tiwari
1 vote, 1 answer
Cloud-Custodian: Deleting just specific backups of specific DynamoDB tables
When I want to use an aging policy for DynamoDB there is no filtering for tables and backups, and it deletes all backups of all tables whose age is in the defined interval. Is there any way of filtering and deleting just some of the backups of some…

seremet
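An aging policy restricted to named tables, added here as an illustration and not taken from the post above or from the Cloud Custodian project. It uses the `aws.dynamodb-backup` resource, whose records carry the `TableName`, `BackupType` and `BackupCreationDateTime` fields from the DynamoDB ListBackups API, so ordinary `value` filters can select which backups the `delete` action sees. The table names and the 30-day threshold are placeholders.

```yaml
policies:
  - name: dynamodb-prune-old-backups-selected-tables
    resource: aws.dynamodb-backup
    description: |
      Delete on-demand backups older than 30 days, but only for the listed
      tables. Table names and the 30-day threshold are placeholders.
    filters:
      # Restrict to specific tables instead of every table in the account.
      - type: value
        key: TableName
        op: in
        value:
          - orders
          - sessions
      # Only user-created (on-demand) backups; SYSTEM backups are
      # AWS-managed and are not something this policy should try to delete.
      - type: value
        key: BackupType
        value: USER
      # Age in days, derived from BackupCreationDateTime.
      - type: value
        key: BackupCreationDateTime
        value_type: age
        value: 30
        op: gt
    actions:
      - delete
```

To select by naming convention rather than by table, replace the `TableName` filter with one on `BackupName` using `op: glob`. Because the action is destructive, run with `--dryrun` and inspect `custodian report` output before letting it delete anything.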
1 vote, 1 answer
Cloud-Custodian resource:ec2 send mail region and account-name variable problem
I have prepared a Cloud Custodian policy which detects newly created EC2s and sends emails. The structure works, but I could not write the account name and region information into either the subject or the body of the mail. While YAML can understand it in the role part as…

seremet
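An event-driven policy with the account and region in the subject line, added here as an illustration and not taken from the post above or from the Cloud Custodian project. The `cloudtrail` mode with the `RunInstances` shortcut event and the `notify` action are Cloud Custodian features; the subject is rendered by c7n-mailer as a Jinja template from the `account`, `account_id` and `region` fields that the `notify` action puts in the queued message. The role ARN, recipient and queue URL are placeholders.

```yaml
policies:
  - name: ec2-new-instance-notify
    resource: aws.ec2
    description: |
      Fire on every RunInstances call and put the account and region
      in the email subject. Role ARN, recipient and queue are placeholders.
    mode:
      type: cloudtrail
      role: arn:aws:iam::123456789012:role/custodian-lambda   # placeholder role
      events:
        - RunInstances        # built-in shortcut for the ec2 RunInstances event
    actions:
      - type: notify
        template: default
        # Jinja template: these variables come from the message Custodian
        # hands to c7n-mailer, not from the policy YAML itself.
        subject: "[custodian {{ account }} {{ account_id }} {{ region }}] new EC2 instance"
        to:
          - ops@example.com                    # placeholder recipient
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/custodian-mailer   # placeholder queue
```

As I understand the `notify` action, `{{ account }}` is the IAM account alias, so it is empty in an account that has none; `{{ account_id }}` is always populated. The same variables are available inside the mailer's body templates.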
0 votes, 1 answer
GCP-Audit Cloud Custodian
I've been trying out Cloud Custodian and, looking at this article, trying the simplest thing using gcp-audit (all services/APIs needed are enabled)
policies:
  - name: gcp-uniform-access-storage-remediation
    resource: gcp.bucket
    mode:
      …

AnonyGummy
0 votes, 1 answer
Target specific buckets for applying cloud custodian policy
I am trying to target all the buckets in my account that have name like Prod-** with my custodian policy.
The custodian policy basically checks if replication is enabled and if not then goes ahead and enables the replication.
I am able to write the…

Yash Kamdar