Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources

Home Page: https://cloudcustodian.io

License: Apache License 2.0


cloud-custodian's Introduction

Cloud Custodian (c7n)


Cloud Custodian, also known as c7n, is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure that is both secure and cost optimized. It consolidates many of the ad hoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.

Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real-time compliance with security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.

Custodian also supports running policies on infrastructure as code assets to provide feedback directly on developer workstations or within CI pipelines.

Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift, CosmosDB, PubSub Topic) and are constructed from a vocabulary of filters and actions.

It integrates with the cloud-native serverless capabilities of each provider to provide real-time enforcement of policies with built-in provisioning, or it can be run as a simple cron job on a server to execute against large existing fleets.

Cloud Custodian is a CNCF Incubating project, led by a community of hundreds of contributors.

Features

  • Comprehensive support for public cloud services and resources with a rich library of actions and filters to build policies with.
  • Run policies on infrastructure as code (terraform, etc) assets.
  • Supports arbitrary filtering on resources with nested boolean conditions.
  • Dry run any policy to see what it would do.
  • Automatically provisions serverless functions and event sources (AWS CloudWatch Events, AWS Config Rules, Azure EventGrid, GCP AuditLog & Pub/Sub, etc.).
  • Cloud provider native metrics outputs on resources that matched a policy
  • Structured outputs into cloud native object storage of which resources matched a policy.
  • Intelligent cache usage to minimize api calls.
  • Supports multi-account/subscription/project usage.
  • Battle-tested - in production on some very large cloud environments.

Links

Quick Install

Custodian is published on PyPI as a series of packages with the c7n prefix; it's also available as a Docker image.

$ python3 -m venv custodian
$ source custodian/bin/activate
(custodian) $ pip install c7n

Usage

The first step to using Cloud Custodian (c7n) is writing a YAML file containing the policies that you want to run. Each policy specifies the resource type that the policy will run on, a set of filters which control which resources will be affected by this policy, actions which the policy will take on the matched resources, and a mode which controls how the policy will execute.

The best getting started guides are the cloud provider specific tutorials.

As a quick walk-through, below are some sample policies for AWS resources:

  1. enforces that no S3 buckets have cross-account access enabled.
  2. terminates any newly launched EC2 instance that does not have encrypted EBS volumes.
  3. marks any EC2 instance that does not have the following tags, "Environment", "AppId", and either "OwnerContact" or "DeptID", to be stopped in four days.

policies:
 - name: s3-cross-account
   description: |
     Checks S3 for buckets with cross-account access and
     removes the cross-account access.
   resource: aws.s3
   region: us-east-1
   filters:
     - type: cross-account
   actions:
     - type: remove-statements
       statement_ids: matched

 - name: ec2-require-non-public-and-encrypted-volumes
   resource: aws.ec2
   description: |
    Provision a lambda and cloud watch event target
    that looks at all new instances and terminates those with
    unencrypted volumes.
   mode:
    type: cloudtrail
    role: CloudCustodian-QuickStart
    events:
      - RunInstances
   filters:
    - type: ebs
      key: Encrypted
      value: false
   actions:
    - terminate

 - name: tag-compliance
   resource: aws.ec2
   description: |
     Schedule a resource that does not meet tag compliance policies to be stopped in four days. Note that a separate policy using the `marked-for-op` filter is required to actually stop the instances after four days.
   filters:
    - State.Name: running
    - "tag:Environment": absent
    - "tag:AppId": absent
    - or:
      - "tag:OwnerContact": absent
      - "tag:DeptID": absent
   actions:
    - type: mark-for-op
      op: stop
      days: 4
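
To make the filter and action semantics concrete, here is an added example (not Cloud Custodian's own code) that evaluates the tag-compliance policy's filter block over a few constructed EC2 instance records and then models the two-policy pattern the description mentions: mark-for-op writes a dated marker tag, and a later marked-for-op check acts only once that date has passed. The marker tag name and value layout (maid_status, op@date) are assumptions about c7n's defaults; real c7n resolves keys with JMESPath and has far more filter types than the two shorthand forms and the or block supported here.

```python
from copy import deepcopy
from datetime import date, timedelta

# Constructed sample instances in the shape the EC2 DescribeInstances API
# returns (only the fields the filters below look at).
INSTANCES = [
    {"InstanceId": "i-0001", "State": {"Name": "running"}, "Tags": []},
    {"InstanceId": "i-0002", "State": {"Name": "running"},
     "Tags": [{"Key": "Environment", "Value": "dev"}]},
    {"InstanceId": "i-0003", "State": {"Name": "stopped"}, "Tags": []},
    {"InstanceId": "i-0004", "State": {"Name": "running"},
     "Tags": [{"Key": "OwnerContact", "Value": "[email protected]"},
              {"Key": "DeptID", "Value": "42"}]},
    {"InstanceId": "i-0005", "State": {"Name": "running"},
     "Tags": [{"Key": "DeptID", "Value": "42"}]},
]

# The ``filters`` block of the README's tag-compliance policy, as the Python
# data yaml.safe_load would produce for it.
TAG_COMPLIANCE_FILTERS = [
    {"State.Name": "running"},
    {"tag:Environment": "absent"},
    {"tag:AppId": "absent"},
    {"or": [{"tag:OwnerContact": "absent"}, {"tag:DeptID": "absent"}]},
]

MARK_TAG = "maid_status"  # assumption: c7n's default marker tag name


def resolve(resource, key):
    """Resolve a dotted key (State.Name) or a tag:Name key.
    Returns (found, value) so a missing key differs from a None value."""
    if key.startswith("tag:"):
        name = key[len("tag:"):]
        for tag in resource.get("Tags", []):
            if tag.get("Key") == name:
                return True, tag.get("Value")
        return False, None
    current = resource
    for part in key.split("."):
        if not isinstance(current, dict) or part not in current:
            return False, None
        current = current[part]
    return True, current


def match_filter(resource, flt):
    """Evaluate one filter entry: an ``or`` block or a key: value shorthand."""
    if len(flt) != 1:
        raise ValueError(f"unsupported filter shape: {flt!r}")
    (key, expected), = flt.items()
    if key == "or":
        return any(match_filter(resource, f) for f in expected)
    found, value = resolve(resource, key)
    if expected == "absent":
        return not found
    return found and value == expected


def run_filters(resources, filters):
    """Top-level filters are AND-ed, as in c7n; return the matching resources."""
    return [r for r in resources if all(match_filter(r, f) for f in filters)]


def mark_for_op(resource, op, days, today):
    """Model the mark-for-op action: tag the resource with the operation and
    the date after which it may run, touching nothing else."""
    due = today + timedelta(days=days)
    tags = [t for t in resource.get("Tags", []) if t["Key"] != MARK_TAG]
    tags.append({"Key": MARK_TAG,
                 "Value": f"Resource does not meet policy: {op}@{due:%Y/%m/%d}"})
    resource["Tags"] = tags
    return due


def marked_for_op(resource, op, today):
    """Model the marked-for-op filter: True only when a marker for this op
    exists and its date has been reached, so a second policy can act."""
    found, value = resolve(resource, f"tag:{MARK_TAG}")
    if not found or "@" not in value:
        return False
    head, _, stamp = value.rpartition("@")
    if not head.endswith(op):
        return False
    year, month, day = (int(x) for x in stamp.split("/"))
    return today >= date(year, month, day)


def demo(today=date(2016, 5, 10)):
    """Mark today, then show what a follow-up stop policy sees now and in 4 days."""
    fleet = deepcopy(INSTANCES)
    marked = run_filters(fleet, TAG_COMPLIANCE_FILTERS)
    for r in marked:
        mark_for_op(r, "stop", 4, today)
    due_now = [r["InstanceId"] for r in fleet if marked_for_op(r, "stop", today)]
    later = today + timedelta(days=4)
    due_later = [r["InstanceId"] for r in fleet if marked_for_op(r, "stop", later)]
    return [r["InstanceId"] for r in marked], due_now, due_later
```

Running demo() shows that only i-0001 and i-0005 satisfy every filter, that nothing is stopped on the day they are marked, and that both become eligible once the fourth day arrives.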

You can validate, test, and run Cloud Custodian against the example policies with these commands:

# Validate the configuration (note this happens by default on run)
$ custodian validate policy.yml

# Dryrun on the policies (no actions executed) to see what resources
# match each policy.
$ custodian run --dryrun -s out policy.yml

# Run the policy
$ custodian run -s out policy.yml

You can run Cloud Custodian via Docker as well:

# Download the image
$ docker pull cloudcustodian/c7n
$ mkdir output

# Run the policy
#
# This will run the policy using only the environment variables for authentication
$ docker run -it \
  -v $(pwd)/output:/home/custodian/output \
  -v $(pwd)/policy.yml:/home/custodian/policy.yml \
  --env-file <(env | grep "^AWS\|^AZURE\|^GOOGLE") \
  cloudcustodian/c7n run -v -s /home/custodian/output /home/custodian/policy.yml

# Run the policy (using AWS's generated credentials from STS)
#
# NOTE: We mount the ``.aws/credentials`` and ``.aws/config`` files into
# the docker container to support authentication to AWS using the same
# credentials that are available to the local user if authenticating with STS.

$ docker run -it \
  -v $(pwd)/output:/home/custodian/output \
  -v $(pwd)/policy.yml:/home/custodian/policy.yml \
  -v $(cd ~ && pwd)/.aws/credentials:/home/custodian/.aws/credentials \
  -v $(cd ~ && pwd)/.aws/config:/home/custodian/.aws/config \
  --env-file <(env | grep "^AWS") \
  cloudcustodian/c7n run -v -s /home/custodian/output /home/custodian/policy.yml

The custodian cask tool is a Go binary that provides a transparent front end to Docker that mirrors the regular custodian CLI, but automatically takes care of mounting volumes.

Consult the documentation for additional information, or reach out on gitter.

Cloud Provider Specific Help

For specific instructions for AWS, Azure, and GCP, visit the relevant getting started page.

Get Involved

  • GitHub - (This page)
  • Slack - Real time chat if you're looking for help or interested in contributing to Custodian!
    • Gitter - (Older real time chat, we're likely migrating away from this)
  • Mailing List - Our project mailing list, subscribe here for important project announcements, feel free to ask questions
  • Reddit - Our subreddit
  • StackOverflow - Q&A site for developers, we keep an eye on the cloudcustodian tag
  • YouTube Channel - We're working on adding tutorials and other useful information, as well as meeting videos

Community Resources

We have a regular community meeting that is open to all users and developers of every skill level. Joining the mailing list will automatically send you a meeting invite. See the notes below for more technical information on joining the meeting.

Additional Tools

The Custodian project also develops and maintains a suite of additional tools here https://github.com/cloud-custodian/cloud-custodian/tree/master/tools:

  • Org: Multi-account policy execution.

  • ShiftLeft: Shift Left ~ run policies against Infrastructure as Code assets like terraform.

  • PolicyStream: Git history as stream of logical policy changes.

  • Salactus: Scale out s3 scanning.

  • Mailer: A reference implementation of sending messages to users to notify them.

  • Trail Creator: Retroactive tagging of resources creators from CloudTrail

  • TrailDB: Cloudtrail indexing and time series generation for dashboarding.

  • LogExporter: Cloud watch log exporting to s3

  • Cask: Easy custodian exec via docker

  • Guardian: Automated multi-account Guard Duty setup

  • Omni SSM: EC2 Systems Manager Automation

  • Mugc: A utility used to clean up Cloud Custodian Lambda policies that are deployed in an AWS environment.

Contributing

See https://cloudcustodian.io/docs/contribute.html

Security

If you've found a security related issue, a vulnerability, or a potential vulnerability in Cloud Custodian please let the Cloud Custodian Security Team know with the details of the vulnerability. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.

Code of Conduct

This project adheres to the CNCF Code of Conduct

By participating, you are expected to honor this code.


cloud-custodian's Issues

Offhours/Onhours may always go to default?

@kapilt just hoping to confirm the logic here. Was tracing through the offhours module in particular:

class OffHour(Time):

    def get_sentinel_time(self, tz):
        t = super(OffHour, self).get_sentinel_time(tz)
        return t.replace(hour=self.data.get('offhour', DEFAULT_OFFHOUR))


class OnHour(Time):

    def get_sentinel_time(self, tz):
        t = super(OnHour, self).get_sentinel_time(tz)
        return t.replace(hour=self.data.get('onhour', DEFAULT_ONHOUR))

Executing the following policy:

  - name: onhour-start-10
    resource: ec2
    comments: |
      Daily start at 10am
    filters:
      - type: onhour
        tag: c7n_downtime
        hour: 10
    actions:
      - start

I'm printing self.data and get the following: {'tag': 'c7n_downtime', 'type': 'onhour', 'hour': 10}
Seems like get_sentinel_time of the child classes will always return the default regardless of what's in the policy due to the key being type in this situation. Does this seem right? I'm assuming not the behaviour we'd want.

logger output: comparing sentinel: 2016-05-10 07:00:00-04:00 to current: 2016-05-10 21:00:00-04:00

Thanks,
Faisal

Error validating example policy

Using the first policy from the Usage section on the project page fails with the following error. Have I missed something?

Policy

policies:
 - name: remediate-extant-keys
   description: |
     Scan through all s3 buckets in an account and ensure all objects
     are encrypted (default to AES256).
   resources: s3
   actions:
     - encrypt-keys

Output

# custodian validate -c policy.yml
Traceback (most recent call last):
  File "C:/Dev/Projects/virtual_envs/cloud_custodian/Scripts/custodian-script.py", line 9, in <module>
    load_entry_point('c7n==0.8.3', 'console_scripts', 'custodian')()
  File "C:\Dev\Projects\github\cloud-custodian\c7n\cli.py", line 105, in main
    config = policy.load(options, options.config)
  File "C:\Dev\Projects\github\cloud-custodian\c7n\policy.py", line 45, in load
    raise errors[0]
jsonschema.exceptions.ValidationError: {'resources': 's3', 'name': 'remediate-extant-keys', 'actions': ['encrypt-keys'], 'description': 'Scan through all s3 buckets in an account and ensure all objects\nare encrypted (default to AES256).\n'} is not valid under any of the given schemas

Failed validating 'anyOf' in schema['properties']['policies']['items']:
    {'anyOf': [{'$ref': '#/definitions/resources/ami/policy'},
               {'$ref': '#/definitions/resources/rds/policy'},
               {'$ref': '#/definitions/resources/redshift/policy'},
               {'$ref': '#/definitions/resources/elb/policy'},
               {'$ref': '#/definitions/resources/s3/policy'},
               {'$ref': '#/definitions/resources/asg/policy'},
               {'$ref': '#/definitions/resources/ec2/policy'},
               {'$ref': '#/definitions/resources/ebs/policy'},
               {'$ref': '#/definitions/resources/kms/policy'},
               {'$ref': '#/definitions/resources/ebs-snapshot/policy'}]}

On instance['policies'][0]:
    {'actions': ['encrypt-keys'],
     'description': 'Scan through all s3 buckets in an account and ensure all objects\nare encrypted (default to AES256).\n',
     'name': 'remediate-extant-keys',
     'resources': 's3'}

Fix Requirements in Pypi Package

The requirements in setup.py need to be updated and a new pypi package needs to be deployed. When you run pip install c7n, the dependencies are not installed.

.cache folder is not created during first run

This might not be a bug but just hoping to confirm.

Recreated with the following steps:

  • I'm running on a freshly installed macbook as an FYI.
  • Installed cloud-custodian
  • I signed up for a new AWS account
  • setup credentials via IAM user/role
  • Ran an off hours policy on a empty account (which should return nothing)

I got the following error:

(cloud-custodian)➜  cc_policy custodian run --dryrun -c test.yaml -s out
2016-04-23 11:59:07,529: custodian.output:INFO Storing output with <DirectoryOutput to dir:out/offhour-stop-19>
2016-04-23 11:59:07,529: custodian.policy:INFO Running policy offhour-stop-19
2016-04-23 11:59:07,530: custodian.resources.ec2:INFO Querying ec2 instances with []
2016-04-23 11:59:08,414: custodian.output:ERROR Error while executing policy
Traceback (most recent call last):
  File "/Users/faisal/Documents/git/cloud-custodian/c7n/policy.py", line 169, in poll
    resources = self.resource_manager.resources()
  File "/Users/faisal/Documents/git/cloud-custodian/c7n/resources/ec2.py", line 79, in resources
    self._cache.save(qf, instances)
  File "/Users/faisal/Documents/git/cloud-custodian/c7n/cache.py", line 79, in save
    with open(self.cache_path, 'w') as fh:
IOError: [Errno 2] No such file or directory: '/Users/faisal/.cache/cloud-custodian.cache'
2016-04-23 11:59:08,415: custodian.commands:WARNING Error while executing policy offhour-stop-19, continuing
2016-04-23 11:59:08,415: custodian.output:INFO Storing output with <DirectoryOutput to dir:out/onhour-start-10>
2016-04-23 11:59:08,415: custodian.policy:INFO Running policy onhour-start-10
2016-04-23 11:59:08,415: custodian.resources.ec2:INFO Querying ec2 instances with []
2016-04-23 11:59:08,757: custodian.output:ERROR Error while executing policy
Traceback (most recent call last):
  File "/Users/faisal/Documents/git/cloud-custodian/c7n/policy.py", line 169, in poll
    resources = self.resource_manager.resources()
  File "/Users/faisal/Documents/git/cloud-custodian/c7n/resources/ec2.py", line 79, in resources
    self._cache.save(qf, instances)
  File "/Users/faisal/Documents/git/cloud-custodian/c7n/cache.py", line 79, in save
    with open(self.cache_path, 'w') as fh:
IOError: [Errno 2] No such file or directory: '/Users/faisal/.cache/cloud-custodian.cache'
2016-04-23 11:59:08,760: custodian.commands:WARNING Error while executing policy onhour-start-10, continuing

I'm wondering if the .cache folder should be generated as part of the process if it doesn't already exist? The fix was easy in that I just did a mkdir ~/.cache. Might just make things more friendly?

numerous documentation bugs

documenting incorrect usage of offhours, and several issues with the examples as well, they should call out cwe versus others. Also the grep replace changed maid_status to custodian_status (ditto for downtime) but that's not accurate.

errlog subscription automation

At the moment we setup log subscriptions with the tools/logsetup.py for ops notifications on deployed policies, we should incorporate that into policy provisioning automatically.

Can't install via pip

This fails:

$ pip install git+https://github.com/capitalone/cloud-custodian.git

Although your package is not on PyPI, we should be able to install it via pip.

Boto Credentials Error in long running Container

Getting a weird Boto error when I run custodian in a container. Not sure why the credentials are not being pulled properly. The custodian run was executing multiple policies but more than halfway through the policy file it just lost creds.

2016-05-12 01:13:58,969: custodian.output:ERROR Error while executing policy
Traceback (most recent call last):
  File "/src/c7n/policy.py", line 161, in provision
    manager = LambdaManager(self.session_factory)
  File "/src/c7n/mu.py", line 195, in __init__
    self.client = self.session_factory().client('lambda')
  File "/src/c7n/credentials.py", line 37, in __call__
    self.assume_role, "CloudCustodian", session)
  File "/src/c7n/credentials.py", line 74, in assumed_session
    metadata=refresh(),
  File "/src/c7n/credentials.py", line 65, in refresh
    RoleSessionName=session_name)['Credentials']
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 258, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 537, in _make_api_call
    operation_model, request_dict)
  File "/usr/local/lib/python2.7/site-packages/botocore/endpoint.py", line 117, in make_request
    return self._send_request(request_dict, operation_model)
  File "/usr/local/lib/python2.7/site-packages/botocore/endpoint.py", line 142, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/usr/local/lib/python2.7/site-packages/botocore/endpoint.py", line 126, in create_request
    operation_name=operation_model.name)
  File "/usr/local/lib/python2.7/site-packages/botocore/hooks.py", line 227, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/hooks.py", line 210, in _emit
    response = handler(**kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/usr/local/lib/python2.7/site-packages/botocore/signers.py", line 124, in sign
    signer.add_auth(request=request)
  File "/usr/local/lib/python2.7/site-packages/botocore/auth.py", line 313, in add_auth
    raise NoCredentialsError
NoCredentialsError: Unable to locate credentials
Exception in thread Thread-21:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/local/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/src/c7n/log.py", line 222, in loop
    self.send()
  File "/src/c7n/log.py", line 182, in send
    self.send_group(k, messages)
  File "/src/c7n/log.py", line 188, in send_group
    if not self.create_stream(group, stream):
  File "/src/c7n/log.py", line 173, in create_stream
    logGroupName=group, logStreamName=stream)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 258, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 537, in _make_api_call
    operation_model, request_dict)
  File "/usr/local/lib/python2.7/site-packages/botocore/endpoint.py", line 117, in make_request
    return self._send_request(request_dict, operation_model)
  File "/usr/local/lib/python2.7/site-packages/botocore/endpoint.py", line 142, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/usr/local/lib/python2.7/site-packages/botocore/endpoint.py", line 126, in create_request
    operation_name=operation_model.name)
  File "/usr/local/lib/python2.7/site-packages/botocore/hooks.py", line 227, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/hooks.py", line 210, in _emit
    response = handler(**kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/usr/local/lib/python2.7/site-packages/botocore/signers.py", line 124, in sign
    signer.add_auth(request=request)
  File "/usr/local/lib/python2.7/site-packages/botocore/auth.py", line 313, in add_auth
    raise NoCredentialsError
NoCredentialsError: Unable to locate credentials

initial install issue & policy run issue

Thank you for this wonderful tool.

Perhaps there may be some ideas here for additional developer install instructions - I would be happy to contribute if helpful.

The below steps show my efforts at installing Cloud Custodian. Eventually, I successfully installed Cloud Custodian and ran tests/coverage. However - I ran into a traceback issue in running a custom policy. Any insight on where my environment is invalid would be greatly appreciated.

Using a blank Amazon linux distro, referencing the following install doc:
http://www.capitalone.io/cloud-custodian/quickstart/developer.html

I configured this new EC2 to run cloud custodian via CLI as follows:

Spin up Amazon linux distro EC2 nano instance: i-xxxxxxxx
ssh into this new instance
% yum update
% yum install gcc
% yum install git
% yum install install python python-dev python-pip python-virtualdev
% yum install emacs
% git clone https://github.com/capitalone/cloud-custodian.git
% make install

(have make output if needed)

% make test
./bin/nosetests -s -v --with-timer tests
make: ./bin/nosetests: Command not found
make: *** [test] Error 127

Looking @ the makefile - ran this additional command

% make develop

then - tried the following:

% make test

Progressed further - but my tests failed.

Performed another:

% make install

and looking at the output, noticed:

You are using pip version 6.0.8, however version 8.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command

so - performed the following:

% pip install --upgrade pip
% pip install -r requirements.txt
% pip install -r requirements-dev.txt
% make test -> failed.

Looking at the output, noticed that is was looking for a default AWS region.

Hence - ran:

% aws configure // inserted Access Keys and default region

% make test -> Successful!
% make coverage -> Successful!

Happy with my progress so far - copied the following default policy from the documentation:

- name: ec2-old-instances
  resource: ec2
  comment: |
    Report running instances older than 60 days
  query:
    - instance-state-name: running
  filters:
    - type: instance-age
      days: 60

name: policy.yml

Ran the following command:

% ./bin/custodian run --dryrun -c policy.yml -s out

which produced quite a bit of verbose output. Of the relevant pieces, I believe, are the following:

Traceback (most recent call last):
  File "./bin/custodian", line 9, in <module>
    load_entry_point('c7n==0.8.3', 'console_scripts', 'custodian')()
  File "/home/ec2-user/cloud-custodian/c7n/cli.py", line 105, in main
    config = policy.load(options, options.config)
  File "/home/ec2-user/cloud-custodian/c7n/policy.py", line 45, in load
    raise errors[0]
jsonschema.exceptions.ValidationError: [{'comment': 'Report running instances older than 60 days\n', 'query': [{'instance-state-name': 'running'}], 'resource': 'ec2', 'name': 'ec2-old-instances', 'filters': [{'type': 'instance-age', 'days': 60}]}] is not of type 'object'

Failed validating 'type' in schema:
    {'$schema': 'http://json-schema.org/schema#',
     'additionalProperties': False,

Now - stuck on diagnosing this "object" error.

Any suggestions?

[make output attached]
cloud_custodian_output.txt

Mark/Delete for all RDS and ELB resources

The EC2 capability to have actions that mark and delete an instance are useful to give warning to people before their instances are deleted.

This capability should be extended to RDS and ELB as well.

use lambda aliases for cwe targets

it was added in per request; after we had worked around the lack, we should remove the workarounds. This will give us potentially some better staging capabilities within an account.

asg spin doctor

resize/suspend/email/etc

more specifically several accounts have autoscale groups that are spinning, ie. trying and failing to launch an instance, repeatedly due to invalid ami, subnets, elbs, etc.

s3 large file support

There was an old pull request for this from January but it got lost in the mix; resurrect and merge.

cwe syntax change, when specifying ids/events/sources

at the moment it's spec'd on the policy mode, which is problematic if specifying multiple events in long form (not using shortcuts in cwe.py), unless they happen to have the same id selector. Instead we should expand the event array entry to being either the short form string (ie. RunInstances) or a mapping with the cloud trail event, id selector, and event source.

policy tags

allow tags attribute on policies, so we can do better aggregate reporting across accounts regardless of individual policy name variations in accounts.

Ability to Blacklist/WhiteList AMIs in Launch Config

a request came in for the ability to shut down ASGs if they're using an old AMI. If an EC2 policy to shut down instances is based on a blacklist of AMIs, it could potentially cause ASGs to spin if an ASG tag exception doesn't exist.

Extract policies from usecases to separate yml file

Right now it looks like policies are being embedded directly into .rst files. An example of this can be found here: https://github.com/capitalone/cloud-custodian/blob/master/docs/source/usecases/usecases/amicomp.rst

Can these be extracted into a separate yaml file and then inlined into the .rst file? This would be nice because then as a part of the tests you could validate that the examples are still valid for regression tests if cloud-custodian decides to implement a big change.

Docs on deploying as lambda function

I attempted to deploy as a lambda function the following policy:

policies:
  - name: tag-compliance
    resource: ec2
    mode:
      type: cloudtrail
      events:
        - RunInstances
    comment: |
       Stop instances that do not follow tagging policy
    filters:
      - State.Name: running
      - "tag:CustomerID": absent
    actions:
      - stop

This failed with the error:

2016-05-04 13:57:14,954: custodian.output:ERROR Error while executing policy
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/c7n/policy.py", line 162, in provision
    PolicyLambda(self), 'current', role=self.options.assume_role)
  File "/usr/local/lib/python2.7/dist-packages/c7n/mu.py", line 208, in publish
    result, changed = self._create_or_update(func, role, s3_uri, qualifier=alias)
  File "/usr/local/lib/python2.7/dist-packages/c7n/mu.py", line 270, in _create_or_update
    assert role, "Lambda function role must be specified"
AssertionError: Lambda function role must be specified

Is there a definition of a role that is required for this lambda function to work documented anywhere? I also couldn't find documentation on how to specify the role. The example didn't include or mention it.

Custom offhours schedule

This would allow instances/asgs to define a custom off hours schedule via a tag (c7n_downtime).

Schedule format:

# up mon-fri from 7am-7pm; eastern time
off=(M-F,19); on=(M-F,7)
# up mon-fri from 6am-9pm; up sun from 10am-6pm; pacific time
off=[(M-F,21),(U,18)]; on=[(M-F,6),(U,10)];tz=pt

Possible values:

field   values
days    M, T, W, H, F, S, U
hours   1, 2, 3, ..., 22, 23, 24

Days can be specified in a range (ex. M-F).

If the timezone is not supplied, it's assumed et (eastern time), but this default could be configurable.

Parser output:

The schedule parser will return a dict or None (if the schedule is invalid):

# off=[(M-F,21),(U,18)],on=[(M-F,6),(U,10)],tz=pt
{
  off: [
    { days: "M-F", hour: 21 },
    { days: "U", hour: 18 }
  ],
  on: [
    { days: "M-F", hour: 6 },
    { days: "U", hour: 10 }
  ],
  tz: "pt"
}

Help wanted:

I was planning on working on the schedule parser, but I'd love to partner up with someone for the rest of it. Besides the schedule parser, what remains is determining the day and hour, taking the schedule dict, and determining if the instance/asg should be off.
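
As an added example (not code from this issue or from the project), here is the schedule parser the post describes plus the piece it leaves open: deciding whether a resource should be off at a given weekday and hour. Assumptions: fields are separated by ";" only (a "," would collide with the entry syntax), both off and on must be present, tz defaults to "et" as stated, and the desired state is whichever scheduled event fired most recently, looking back across the week boundary.

```python
import re
from typing import Optional

DAYS = "MTWHFSU"  # Monday..Sunday, the letters the proposal uses
# One entry such as "(M-F,19)": a day or day range, then an hour.
ENTRY_RE = re.compile(r"\(\s*([MTWHFSU](?:-[MTWHFSU])?)\s*,\s*(\d{1,2})\s*\)")


def parse_entries(text: str) -> Optional[list]:
    """Parse "(M-F,19)" or "[(M-F,21),(U,18)]" into [{"days": .., "hour": ..}].

    Returns None if anything other than well-formed entries is present or an
    hour falls outside 1..24.
    """
    body = text.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    found = ENTRY_RE.findall(body)
    leftover = ENTRY_RE.sub("", body).replace(",", "").strip()
    if not found or leftover:
        return None
    entries = []
    for days, hour in found:
        if not 1 <= int(hour) <= 24:
            return None
        entries.append({"days": days, "hour": int(hour)})
    return entries


def parse_schedule(text: str) -> Optional[dict]:
    """Parse a whole tag value such as "off=(M-F,19); on=(M-F,7)".

    Fields are separated by ";" (assumption; "," is used inside entries).
    off and on are required; tz defaults to "et" as the proposal says.
    """
    result = {"tz": "et"}
    for field in text.split(";"):
        field = field.strip()
        if not field:
            continue
        key, sep, value = field.partition("=")
        key = key.strip().lower()
        if not sep or not value.strip():
            return None
        if key in ("off", "on"):
            entries = parse_entries(value)
            if entries is None:
                return None
            result[key] = entries
        elif key == "tz":
            result["tz"] = value.strip().lower()
        else:
            return None  # unknown field: treat the whole schedule as invalid
    if "off" not in result or "on" not in result:
        return None
    return result


def expand_days(spec: str) -> list:
    """Expand "M-F" to ["M","T","W","H","F"]; a range may wrap (e.g. "S-M")."""
    if "-" not in spec:
        return [spec]
    index, end = DAYS.index(spec[0]), DAYS.index(spec[2])
    days = []
    while True:
        days.append(DAYS[index])
        if index == end:
            return days
        index = (index + 1) % 7


def should_be_off(schedule: dict, day: str, hour: int) -> bool:
    """Desired state at weekday letter ``day`` and ``hour`` (0-23, already in
    the schedule's timezone). Assumption: the most recently fired event wins,
    looking back across the week boundary (so a Friday 21 off entry keeps the
    resource off all weekend until Monday 6 on)."""
    now = DAYS.index(day)
    latest = None  # (hours since the event fired, "off" | "on")
    for state in ("off", "on"):
        for entry in schedule[state]:
            for d in expand_days(entry["days"]):
                delta = ((now - DAYS.index(d)) % 7) * 24 + (hour - entry["hour"])
                if delta < 0:  # later today: it last fired a week ago
                    delta += 7 * 24
                if latest is None or delta < latest[0]:
                    latest = (delta, state)
    return latest is not None and latest[1] == "off"
```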

resource-gc subcommand to cleanup old lambdas

ie. policy lambdas no longer extant in config file should be automatically cleaned up. Sans state to diff the config files we'll need to use the prefix and extant policies resources as a guide to cleanup.

Lambda Function not detecting EC2 Instances

Hi

I have created a simple policy that creates a lambda function that runs every 5 minutes to shut down any EC2 Instances with no Owner tag.

The Policy passes validation and when I do a dryrun it logs that I have 11 Instances of which 3 do not have an Owner tag, but when I do the official run it creates the lambda function and the function runs every 5 minutes as it should but it is logging that there are 0 EC2 Instances.

Policy:

policies:
  - name: ec2-tag-compliance-test
    resource: ec2
    mode:
      type: periodic
      events:
      - running
      schedule: "rate(5 minutes)"
    comment: |
       Stop instances that do not follow tagging policy
    filters:
      - tag:Owner: absent
    actions:
      - stop

Dry Run and Log:
custodian run --dryrun -c policies/policy_stop_ec2_with_no_owner.yml --region eu-west-1 -s out

2016-05-17 07:46:52,591: custodian.output:INFO Storing output with <DirectoryOutput to dir:out/ec2-tag-compliance-test>
2016-05-17 07:46:52,591: custodian.policy:INFO Running policy ec2-tag-compliance-test
2016-05-17 07:46:52,592: c7n.cache:INFO Using cache file /home/ec2-user/.cache/cloud-custodian.cache
2016-05-17 07:46:52,592: custodian.resources.ec2:INFO Querying ec2 instances with []
2016-05-17 07:46:52,943: custodian.resources.ec2:INFO Filtered from 11 to 3 ec2
2016-05-17 07:46:52,944: custodian.policy:INFO policy: ec2-tag-compliance-test resource:ec2 has count:3 time:0.35

Run and Log:
custodian run -c policies/policy_stop_ec2_with_no_owner.yml --region eu-west-1 --assume "<ROLE>" -s out

2016-05-17 07:47:07,098: custodian.output:INFO Storing output with <DirectoryOutput to dir:out/ec2-tag-compliance-test>
2016-05-17 07:47:07,098: custodian.policy:INFO Provisioning policy lambda ec2-tag-compliance-test
2016-05-17 07:47:07,601: custodian.lambda:INFO Publishing custodian policy lambda function custodian-ec2-tag-compliance-test

Lambda Log:

[INFO]  2016-05-17T07:52:39.765Z    Running policy ec2-tag-compliance-test 
[INFO]  2016-05-17T07:52:39.765Z    Querying ec2 instances with [] 
[DEBUG] 2016-05-17T07:52:40.800Z    Found 0 instances on 0 reservations 
[INFO]  2016-05-17T07:52:40.801Z    Filtered from 0 to 0 ec2 
[INFO]  2016-05-17T07:52:40.802Z    policy: ec2-tag-compliance-test resource:ec2 has count:0 time:1.04 
[DEBUG] 2016-05-17T07:52:40.802Z    metric:ResourceCount Count:0 policy:ec2-tag-compliance-test restype:ec2 scope:policy

The role I give to the lambda function has full access to lambda and ec2.

Region problems - changing region doesn't update results

I'm giving Cloud Custodian a test run and ran into an issue. I'm not sure if it's a bug or expected behaviour, and if it's expected, how to work around it.

I'm using the EC2 Old Instance Report (http://www.capitalone.io/cloud-custodian/usecases/usecases/ec2oldinstances.html) for my tests.

On the first run (custodian run -c ec2-old-instances.yaml -s out), I got the results I expected. It queried the EC2 resources in the us-east-1 region, filtered them and produced an appropriate output of 12 instances that have been running for more than 60 days.

I then tried to run the same query by specifying a different region (custodian run --region eu-west-1 -c ec2-old-instances.yaml -s out) and that didn't work. It simply reused the results from the previous run and the output continued to show the us-east-1 instances.

I deleted the cache file (~/.cache/cloud-custodian.cache) and ran it again in the eu-west-1 region and got the updated results I expected: EC2 instances in the eu-west-1 region.

I thought if I waited the requisite cache period time (60 seconds by default), it would invalidate the cache, and it would produce updated results when querying on a different region from the previous run, but that didn't happen either.

SNS transport

Notifications capability should have an SNS transport option for real-time notifications.
