# C7n Community Meeting Minutes

# June 6th 2022

:::info
- **URL:** meet.google.com/mii-evqh-esh
- **Date:** June 6th, 2022 (3:00 PM (ET) / 12:00 PM (PT) / 7PM (UTC))
- **[Timezone Converter (Click me)](https://www.timeanddate.com/worldclock/converter.html?iso=20210629T190000&p1=tz_et&p2=tz_pt&p3=22&p4=240&p5=136&p6=176&p7=37&p8=248)**
- **Agenda**
    1. Intros `10m`
    1. Agenda Items `20m`
    1. PR Party `30m`
- **Meeting Contact:** Jorge: <jorge@stacklet.io>
- **Video Archive and Transcripts**: https://mtngs.io/cloud-custodian/community-meetings/
:::

[![Video Recording](https://img.youtube.com/vi/MnLhH7CSXRo/0.jpg)](https://youtu.be/MnLhH7CSXRo)

## Agenda Item

- We've turned on GitHub discussions
    - TODO: Jorge to scrub incoming discussions and present the hard ones as part of our discussions below:
- [Kapil]: Move cask from tools into its own repo due to CVE burden.
    - No comments afaict, Kapil's just gonna do it.
- Release blocker
    - Datalake PR - switch from resources to s3 filter.
        - https://github.com/cloud-custodian/cloud-custodian/pull/7273
        - https://aws.amazon.com/s3/features/access-points/
- Release Discussion
    - 14th is the 2nd Tuesday of this month

## Weekly Stats

| | Opened this week | Closed this week |
|--|---|-----|
| Issues | 26 | 100 |
| PR's | 23 | 18 |

| | |
|--|--|
| New stars | 23 |
| New forks | 6 |

## Things to discuss from the Community

https://github.com/cloud-custodian/cloud-custodian/pull/7273

- [#7274](https://github.com/cloud-custodian/cloud-custodian/pull/7274): gcp - metrics - remove pytz dep as its not needed
- [#6975](https://github.com/cloud-custodian/cloud-custodian/issues/6975): setting MinimumProtocolVersion in Cloudfront distribution fails
- [#7468](https://github.com/cloud-custodian/cloud-custodian/discussions/7468) Easy Way to Automate Lambda roles?
    - https://gist.github.com/ajkerrigan/f7879cdbbb0a3d285567d8e07e26a723
- [#7461](https://github.com/cloud-custodian/cloud-custodian/discussions/7461): offhours instance filtering
- [#7216](https://github.com/cloud-custodian/cloud-custodian/pull/7216): releng - specify subprojects as dev dependencies
- [#5971](https://github.com/cloud-custodian/cloud-custodian/pull/5971): cidr list support
- Faan: https://github.com/cloud-custodian/cloud-custodian/discussions/7444
    - Kapil: Leave a comment here ^

Add a `:boom:` to any of these if you want eyeballs/discussion during the public meeting

## PR's Opened

* [#7466](https://github.com/cloud-custodian/cloud-custodian/pull/7466): aws - sqs - deadletter filter
* [#7465](https://github.com/cloud-custodian/cloud-custodian/pull/7465): feat: support policy interpolation with environment variables
* [#7464](https://github.com/cloud-custodian/cloud-custodian/pull/7464): aws-create filter for cross-az-nat-gateway-route from vpc route table
* [#7460](https://github.com/cloud-custodian/cloud-custodian/pull/7460): AWS - Workspaces - Create filter for workspaces directory connection aliases
* [#7310](https://github.com/cloud-custodian/cloud-custodian/pull/7310): AWS - IAM - Update cross account filter to evaluate service principals
* :boom: [#7308](https://github.com/cloud-custodian/cloud-custodian/pull/7308): Link to discussions instead of using issue templates
* [#7307](https://github.com/cloud-custodian/cloud-custodian/pull/7307): aws - metrics - ensure that period is an even number of hours
* [#7280](https://github.com/cloud-custodian/cloud-custodian/pull/7280): aws - cloudsearch Added enable-https action
* [#7279](https://github.com/cloud-custodian/cloud-custodian/pull/7279): Added enable-https action for cloudsearch.
* [#7278](https://github.com/cloud-custodian/cloud-custodian/pull/7278): Bump pyjwt from 1.7.1 to 2.4.0 in /tools/c7n_azure
* :boom: [#7277](https://github.com/cloud-custodian/cloud-custodian/pull/7277): aws - wafv2 support for ELB, APIGateway and CloudFront resources
* [#7275](https://github.com/cloud-custodian/cloud-custodian/pull/7275): aws - ebs - preserve tags across encrypt-instance-volumes action
* :boom: [#7274](https://github.com/cloud-custodian/cloud-custodian/pull/7274): gcp - metrics - remove pytz dep as its not needed
* :boom: [#7273](https://github.com/cloud-custodian/cloud-custodian/pull/7273): aws - rename and update lakeformation resource
* [#7269](https://github.com/cloud-custodian/cloud-custodian/pull/7269): releng - patch c7n_gcp and c7n_azure to address dependency conflicts
* [#7267](https://github.com/cloud-custodian/cloud-custodian/pull/7267): gcp - sourcerepo - fix typo in scope_template
* [#7263](https://github.com/cloud-custodian/cloud-custodian/pull/7263): aws - glue-catalog - Use the QueryResourceManager
* [#7261](https://github.com/cloud-custodian/cloud-custodian/pull/7261): aws - kinesis - add force parameter for deleting kinesis streams (#7260)
* [#7255](https://github.com/cloud-custodian/cloud-custodian/pull/7255): Aws lakeformation
* :boom: [#7254](https://github.com/cloud-custodian/cloud-custodian/pull/7254): Shiney aws/lakeformation
* [#7252](https://github.com/cloud-custodian/cloud-custodian/pull/7252): Fsx backup checks
* :boom: [#7251](https://github.com/cloud-custodian/cloud-custodian/pull/7251): Added aws-lakeformation support
* [#7250](https://github.com/cloud-custodian/cloud-custodian/pull/7250): Fsx backup count

## PR's Closed

* [#7308](https://github.com/cloud-custodian/cloud-custodian/pull/7308): Link to discussions instead of using issue templates
* [#7279](https://github.com/cloud-custodian/cloud-custodian/pull/7279): Added enable-https action for cloudsearch.
* [#7278](https://github.com/cloud-custodian/cloud-custodian/pull/7278): Bump pyjwt from 1.7.1 to 2.4.0 in /tools/c7n_azure
* [#7277](https://github.com/cloud-custodian/cloud-custodian/pull/7277): aws - wafv2 support for ELB, APIGateway and CloudFront resources
* [#7275](https://github.com/cloud-custodian/cloud-custodian/pull/7275): aws - ebs - preserve tags across encrypt-instance-volumes action
* [#7274](https://github.com/cloud-custodian/cloud-custodian/pull/7274): gcp - metrics - remove pytz dep as its not needed
* [#7267](https://github.com/cloud-custodian/cloud-custodian/pull/7267): gcp - sourcerepo - fix typo in scope_template
* [#7261](https://github.com/cloud-custodian/cloud-custodian/pull/7261): aws - kinesis - add force parameter for deleting kinesis streams (#7260)
* [#7255](https://github.com/cloud-custodian/cloud-custodian/pull/7255): Aws lakeformation
* [#7254](https://github.com/cloud-custodian/cloud-custodian/pull/7254): Shiney aws/lakeformation
* [#7251](https://github.com/cloud-custodian/cloud-custodian/pull/7251): Added aws-lakeformation support
* [#7250](https://github.com/cloud-custodian/cloud-custodian/pull/7250): Fsx backup count
* [#7241](https://github.com/cloud-custodian/cloud-custodian/pull/7241): aws - config-rule - support tag-based filtering for `config-rule`
* [#7235](https://github.com/cloud-custodian/cloud-custodian/pull/7235): releng - cask dep security updates
* [#7222](https://github.com/cloud-custodian/cloud-custodian/pull/7222): aws - rds - add engine filter
* [#7215](https://github.com/cloud-custodian/cloud-custodian/pull/7215): Added waiter for set-public-access action before modifying instance.
* [#7181](https://github.com/cloud-custodian/cloud-custodian/pull/7181): Fix a defect where Tag filters don't work on IAM Profiles
* [#7129](https://github.com/cloud-custodian/cloud-custodian/pull/7129): Expand self.vtype == 'cidr' to support cidr range in filters/core.py

## Issues Opened

* [#7467](https://github.com/cloud-custodian/cloud-custodian/issues/7467): EDUCATION SECTOR
* [#7463](https://github.com/cloud-custodian/cloud-custodian/issues/7463): Add a way to filter out dead-letter-queues from list of SQS queues
* [#7462](https://github.com/cloud-custodian/cloud-custodian/issues/7462): Allow config-poll-rules to support resources without a CFN template
* [#7459](https://github.com/cloud-custodian/cloud-custodian/issues/7459): Add filter for Workspaces directories based on existence of connection aliases
* [#7309](https://github.com/cloud-custodian/cloud-custodian/issues/7309): c7n-org cannot deploy policies in multiple account same error occurring
* [#7276](https://github.com/cloud-custodian/cloud-custodian/issues/7276): Setting up Docker Custodian
* [#7272](https://github.com/cloud-custodian/cloud-custodian/issues/7272): c7n_mailer - allow additional parameters to be passed via mailer.yml to use AWS SES
* [#7271](https://github.com/cloud-custodian/cloud-custodian/issues/7271): Azure: Not able to see any Functions Within the Function App
* [#7270](https://github.com/cloud-custodian/cloud-custodian/issues/7270): No format called txt - need to update the documentation
* [#7268](https://github.com/cloud-custodian/cloud-custodian/issues/7268): c7n_org Error running policy global exception: azure provider not installed using c7n-org docker
* [#7266](https://github.com/cloud-custodian/cloud-custodian/issues/7266): Do you have sample output for below policies?
* [#7265](https://github.com/cloud-custodian/cloud-custodian/issues/7265): How do you deal with "Rate exceeded"?
* [#7264](https://github.com/cloud-custodian/cloud-custodian/issues/7264): 1.13 – Ensure MFA is enabled for the root user (CIS Benchmark)
* [#7262](https://github.com/cloud-custodian/cloud-custodian/issues/7262): GCP - creation of cloud function for event based policies unable to use artifact registry via cloud build
* [#7260](https://github.com/cloud-custodian/cloud-custodian/issues/7260): AWS - Kinesis Streams - Support `EnforceConsumerDeletion` parameter when deleting to bypass `ResourceInUseException`
* [#7259](https://github.com/cloud-custodian/cloud-custodian/issues/7259): Cloud Custodian Only Performs Scans in Us-East-1 and Us-West-2
* [#7258](https://github.com/cloud-custodian/cloud-custodian/issues/7258): Attach Boundary Policy questions
* [#7257](https://github.com/cloud-custodian/cloud-custodian/issues/7257): Add Owner Tag to AWS Accounts
* [#7256](https://github.com/cloud-custodian/cloud-custodian/issues/7256): ERROR: Could not build wheels for backports.zoneinfo, which is required to install pyproject.toml-based projects
* [#7253](https://github.com/cloud-custodian/cloud-custodian/issues/7253): AWS China Lambda Not Triggering
* [#7249](https://github.com/cloud-custodian/cloud-custodian/issues/7249): Azure Deployment via Helm "repo tools not found"
* [#7248](https://github.com/cloud-custodian/cloud-custodian/issues/7248): AWS Workspaces 'c7n:ConnectionStatus' Failing
* [#7247](https://github.com/cloud-custodian/cloud-custodian/issues/7247): [GCP] sourcerepo resource type fails to scan
* [#7246](https://github.com/cloud-custodian/cloud-custodian/issues/7246): Conflicting versions of python packages across providers
* [#7245](https://github.com/cloud-custodian/cloud-custodian/issues/7245): Where can I find docs for all types of keys that I can use in my policies?
* [#7244](https://github.com/cloud-custodian/cloud-custodian/issues/7244): How do you deal with 'false positives'?

## Issues Closed

* [#7467](https://github.com/cloud-custodian/cloud-custodian/issues/7467): EDUCATION SECTOR
* [#7309](https://github.com/cloud-custodian/cloud-custodian/issues/7309): c7n-org cannot deploy policies in multiple account same error occurring
* [#7276](https://github.com/cloud-custodian/cloud-custodian/issues/7276): Setting up Docker Custodian
* [#7272](https://github.com/cloud-custodian/cloud-custodian/issues/7272): c7n_mailer - allow additional parameters to be passed via mailer.yml to use AWS SES
* [#7266](https://github.com/cloud-custodian/cloud-custodian/issues/7266): Do you have sample output for below policies?
* [#7265](https://github.com/cloud-custodian/cloud-custodian/issues/7265): How do you deal with "Rate exceeded"?
* [#7264](https://github.com/cloud-custodian/cloud-custodian/issues/7264): 1.13 – Ensure MFA is enabled for the root user (CIS Benchmark)
* [#7260](https://github.com/cloud-custodian/cloud-custodian/issues/7260): AWS - Kinesis Streams - Support `EnforceConsumerDeletion` parameter when deleting to bypass `ResourceInUseException`
* [#7259](https://github.com/cloud-custodian/cloud-custodian/issues/7259): Cloud Custodian Only Performs Scans in Us-East-1 and Us-West-2
* [#7258](https://github.com/cloud-custodian/cloud-custodian/issues/7258): Attach Boundary Policy questions
* [#7257](https://github.com/cloud-custodian/cloud-custodian/issues/7257): Add Owner Tag to AWS Accounts
* [#7253](https://github.com/cloud-custodian/cloud-custodian/issues/7253): AWS China Lambda Not Triggering
* [#7247](https://github.com/cloud-custodian/cloud-custodian/issues/7247): [GCP] sourcerepo resource type fails to scan
* [#7245](https://github.com/cloud-custodian/cloud-custodian/issues/7245): Where can I find docs for all types of keys that I can use in my policies?
* [#7244](https://github.com/cloud-custodian/cloud-custodian/issues/7244): How do you deal with 'false positives'?
* [#7233](https://github.com/cloud-custodian/cloud-custodian/issues/7233): What permissions/roles does cloud-custodian require for each cloud type?
* [#7208](https://github.com/cloud-custodian/cloud-custodian/issues/7208): Add `deprecated` option to RDS `upgrade-available` filter
* [#7204](https://github.com/cloud-custodian/cloud-custodian/issues/7204): Custodian policy for S3 buckets which are unused
* [#7202](https://github.com/cloud-custodian/cloud-custodian/issues/7202): Generate docs from the awscc provider
* [#7201](https://github.com/cloud-custodian/cloud-custodian/issues/7201): Keep track of resources that Cloud Custodian removes due to violations?
* [#7199](https://github.com/cloud-custodian/cloud-custodian/issues/7199): One lambda function multiple ec2 instance stop automatically different time cron scheduler possible ?
* [#7195](https://github.com/cloud-custodian/cloud-custodian/issues/7195): Filter on EC2s in public subnet
* [#7187](https://github.com/cloud-custodian/cloud-custodian/issues/7187): Security Group Ingress Rule Policy Does Not Scan Other Regions But us-east-1
* [#7180](https://github.com/cloud-custodian/cloud-custodian/issues/7180): External IDs when run cross-account audit policy
* [#7179](https://github.com/cloud-custodian/cloud-custodian/issues/7179): using cross account eventbridge
* [#7178](https://github.com/cloud-custodian/cloud-custodian/issues/7178): Search for more specific AWS unused policies
* [#7176](https://github.com/cloud-custodian/cloud-custodian/issues/7176): Check Load balancers for CIDR range
* [#7164](https://github.com/cloud-custodian/cloud-custodian/issues/7164): alert on changed items
* [#7136](https://github.com/cloud-custodian/cloud-custodian/issues/7136): c7n-org for AWS no longer recording account tags and vars to resources.json
* [#7124](https://github.com/cloud-custodian/cloud-custodian/issues/7124): GCP saving resource details to GCS bucket
* [#7123](https://github.com/cloud-custodian/cloud-custodian/issues/7123): Cloudcustodian as a wrapper around ansible
* [#7119](https://github.com/cloud-custodian/cloud-custodian/issues/7119): GCP c7n-org with resource gcp.project and iam-policy filter runs against all projects in org when single project is specified
* [#7096](https://github.com/cloud-custodian/cloud-custodian/issues/7096): Adding varible to GCP action URL
* [#7095](https://github.com/cloud-custodian/cloud-custodian/issues/7095): Question: Add tag to custodian lambda function
* [#7085](https://github.com/cloud-custodian/cloud-custodian/issues/7085): C7n email policy action to email calculated from iam resource[username]
* [#7067](https://github.com/cloud-custodian/cloud-custodian/issues/7067): AWS.ECS-SERVICE Resize operation
* [#7054](https://github.com/cloud-custodian/cloud-custodian/issues/7054): Add ability for a policy to say if it is restricted to some regions
* [#7045](https://github.com/cloud-custodian/cloud-custodian/issues/7045): c7n-org: Nothing gets executed when specifying "-t" / "--tags" multiple times.
* [#7039](https://github.com/cloud-custodian/cloud-custodian/issues/7039): Use of md5 which is an unsecure hash algorithm
* [#7035](https://github.com/cloud-custodian/cloud-custodian/issues/7035): AWS.EKS onhour/offhour filtering
* [#7034](https://github.com/cloud-custodian/cloud-custodian/issues/7034): How to delete azure image if it not tagged in 24 hours from creation
* [#7024](https://github.com/cloud-custodian/cloud-custodian/issues/7024): Cross region event sending
* [#7003](https://github.com/cloud-custodian/cloud-custodian/issues/7003): Scanning EventBridge rules in custom event buses
* [#6961](https://github.com/cloud-custodian/cloud-custodian/issues/6961): setting MinimumProtocolVersion in Cloudfront distribution
* [#6957](https://github.com/cloud-custodian/cloud-custodian/issues/6957): Api Gateway Rest-resource exception flow
* [#6954](https://github.com/cloud-custodian/cloud-custodian/issues/6954): Filter condition not removing offending security group rule when another rule already satisfies the condition
* [#6946](https://github.com/cloud-custodian/cloud-custodian/issues/6946): How can I check my AWS account for HIPAA compliance via Cloud Custodian?
* [#6944](https://github.com/cloud-custodian/cloud-custodian/issues/6944): Remassage the output logs to s3 for AWS glue
* [#6941](https://github.com/cloud-custodian/cloud-custodian/issues/6941): how to do c7n-mailer logs integration with AWS Cloudwatch, so I can see c7n-mailer logs in Cloudwatch for all metrics
* [#6926](https://github.com/cloud-custodian/cloud-custodian/issues/6926): mailer doesn't declare dependency on c7n
* [#6922](https://github.com/cloud-custodian/cloud-custodian/issues/6922): Getting error after enabling MFA - DescribeInstances operation: AWS was not able to validate the provided access credentials
* [#6913](https://github.com/cloud-custodian/cloud-custodian/issues/6913): Cloud Custodian: Unpredictable output - custodian.actions:WARNING stop implicitly filtered 0 of 1 resources key
* [#6906](https://github.com/cloud-custodian/cloud-custodian/issues/6906): iam-role cross-account flagging cognito-identities within own account
* [#6901](https://github.com/cloud-custodian/cloud-custodian/issues/6901): c7n-org report does not show me stopped or started instances
* [#6874](https://github.com/cloud-custodian/cloud-custodian/issues/6874): Document support for server-side filters via the query block
* [#6872](https://github.com/cloud-custodian/cloud-custodian/issues/6872): multiple whitelist_from urls in cross-account filter
* [#6862](https://github.com/cloud-custodian/cloud-custodian/issues/6862): Does Value filter support joint value of multiple AWS resources tags
* [#6850](https://github.com/cloud-custodian/cloud-custodian/issues/6850): Documentation should be updated for correct reference
* [#6849](https://github.com/cloud-custodian/cloud-custodian/issues/6849): How to delete GCF function or How to change trigger type of existing one?
* [#6848](https://github.com/cloud-custodian/cloud-custodian/issues/6848): GC function is not running if we create periodic rules of pubsub type
* [#6740](https://github.com/cloud-custodian/cloud-custodian/issues/6740): c7n lamdba deployment with additional packages
* [#6739](https://github.com/cloud-custodian/cloud-custodian/issues/6739): Purging the (legacy) 'current' Lambda function aliases
* [#6708](https://github.com/cloud-custodian/cloud-custodian/issues/6708): Azure my first event based policy deployment failure
* [#6686](https://github.com/cloud-custodian/cloud-custodian/issues/6686): GCP {account_id} get value of project_id
* [#6683](https://github.com/cloud-custodian/cloud-custodian/issues/6683): chat.postMessage webhook gives 200 OK but no message received
* [#6662](https://github.com/cloud-custodian/cloud-custodian/issues/6662): Is it possible to send email notification to AWS Account owner?
* [#6660](https://github.com/cloud-custodian/cloud-custodian/issues/6660): botocore.exceptions.ParamValidationError: Parameter validation failed:
* [#6658](https://github.com/cloud-custodian/cloud-custodian/issues/6658): api gateway version 2 support
* [#6594](https://github.com/cloud-custodian/cloud-custodian/issues/6594): Filter to verify custom domain TLS version (API Gateway)
* [#6582](https://github.com/cloud-custodian/cloud-custodian/issues/6582): How do I execute a policy on creation, in addition to the criteria of the mode parameter?
* [#6534](https://github.com/cloud-custodian/cloud-custodian/issues/6534): Send custodian logs to datadog
* [#6531](https://github.com/cloud-custodian/cloud-custodian/issues/6531): Azure - "All Resources" Support required for Inventory
* [#6526](https://github.com/cloud-custodian/cloud-custodian/issues/6526): Azure: Filter Configuration - Need Examples
* [#6515](https://github.com/cloud-custodian/cloud-custodian/issues/6515): aws - tagging - universal_augment backwards compatibility
* [#6476](https://github.com/cloud-custodian/cloud-custodian/issues/6476): c7n Discussions
* [#6409](https://github.com/cloud-custodian/cloud-custodian/issues/6409): EMR - Not able to Terminate EMR cluster as Job flows are termination protected
* [#6373](https://github.com/cloud-custodian/cloud-custodian/issues/6373): Testing for list difference
* [#6346](https://github.com/cloud-custodian/cloud-custodian/issues/6346): AWS - aws.rest-api and aws.distribution filters are not being interpreted
* [#6336](https://github.com/cloud-custodian/cloud-custodian/issues/6336): c7n-mailer - Possible to set SES Endpoint URL?
* [#6307](https://github.com/cloud-custodian/cloud-custodian/issues/6307): Feature to support role / resource specific whitelisting for cross account access validation
* [#6264](https://github.com/cloud-custodian/cloud-custodian/issues/6264): Documenting Code Contribution
* [#6252](https://github.com/cloud-custodian/cloud-custodian/issues/6252): AWS Cloudwatch Logstream Subscription filter check
* [#6246](https://github.com/cloud-custodian/cloud-custodian/issues/6246): Compare two lists in custodian policy
* [#6234](https://github.com/cloud-custodian/cloud-custodian/issues/6234): How to CleanUp Resources Created by Executing Custodian Policies
* [#6193](https://github.com/cloud-custodian/cloud-custodian/issues/6193): Run custodian across multiple tenants
* [#6179](https://github.com/cloud-custodian/cloud-custodian/issues/6179): How to interpolate date variable during runtime
* [#6147](https://github.com/cloud-custodian/cloud-custodian/issues/6147): possible to copy-related-tag from AMI to ebs-snapshot?
* [#6145](https://github.com/cloud-custodian/cloud-custodian/issues/6145): remove statements from s3
* [#6143](https://github.com/cloud-custodian/cloud-custodian/issues/6143): How to contribute aws resource type.
* [#6139](https://github.com/cloud-custodian/cloud-custodian/issues/6139): Retrieve all open ports of AWS ec2 ,application load balancer, network load balancer and azure vm
* [#6138](https://github.com/cloud-custodian/cloud-custodian/issues/6138): Local testing cloudtrail events against a policy
* [#6125](https://github.com/cloud-custodian/cloud-custodian/issues/6125): Security Group : Want to filter the "Default" security group which is having any rule either egress or ingress
* [#6093](https://github.com/cloud-custodian/cloud-custodian/issues/6093): aws:SecureTransport S3 cloud custodian
* [#6065](https://github.com/cloud-custodian/cloud-custodian/issues/6065): Problem using template field 'slack_msg_color'
* [#6061](https://github.com/cloud-custodian/cloud-custodian/issues/6061): EBS fault-tolerant filter doesn't filter as expected
* [#6058](https://github.com/cloud-custodian/cloud-custodian/issues/6058): Allow inspection of lambda aliases and versions
* [#6055](https://github.com/cloud-custodian/cloud-custodian/issues/6055): Possible Documentation Typo - Offhours "weekend-only" should be "weekends-only"
* [#6053](https://github.com/cloud-custodian/cloud-custodian/issues/6053): Filter gke-clusters by labels
* [#6037](https://github.com/cloud-custodian/cloud-custodian/issues/6037): Should the tag action default to using UTC?
* [#6029](https://github.com/cloud-custodian/cloud-custodian/issues/6029): Default value filters do not seem to work properly for app-elb matching