Cloud Custodian

Introduction

  • Getting Started
    • Install Cloud Custodian
      • Linux and Mac OS
      • Windows (CMD/PowerShell)
      • Docker
    • Explore Cloud Custodian
    • Cloud Provider Specific Help
      • Troubleshooting & Tinkering
    • Monitor resources
    • Editor Integration
    • Tab Completion
    • Community Resources
      • Troubleshooting
  • Generic Filters
    • Value Filter
      • Special Values
      • Comparison Operators
      • Logical Operators
      • List Operators
      • Pattern Matching Operators
      • Value Type Transformations
      • Additional JMESPath Functions
      • Value Regex
      • Value From
      • Value Path
    • Event Filter
    • Reduce Filter
      • Grouping resources
      • Sorting resources
      • Selecting resources
      • Combining resource groups
      • Attributes
      • Examples
  • Generic Actions
    • Webhook Action
  • Advanced Usage
    • Running against multiple regions
    • Reporting against multiple regions
    • Conditional Policy Execution
    • Limiting how many resources custodian affects
    • Adding custom fields to reports
  • Example tag compliance policy
  • Deployment
    • Compliance as Code
    • Continuous Integration of Policies
    • IAM Setup
    • Single Node Deployment
    • Monitoring Cloud Custodian
    • Mailer and Notifications Deployment
    • Multi Account Execution
    • Advanced Continuous Integration Tips
    • Additional Resources

AWS

  • Getting Started
    • Write your first policy
    • Run your policy
    • A 2nd Example Policy
    • Monitor AWS
      • Troubleshooting & Tinkering
  • Example Policies
    • Account - Login From Invalid IP Address
    • Account - Detect Root Logins
    • Account - Service Limit
    • AMI - Stop EC2 using Unapproved AMIs
    • AutoScaling Group - Verify ASGs have valid configurations
    • AMI - ASG Garbage Collector
    • ASG - Offhours Support
    • Block New Resources In Non-Standard Regions
    • DMS - DB Migration Service Endpoint - Enforce SSL
    • EBS - Garbage Collect Unattached Volumes
    • EBS - Create and Manage Snapshots
    • EBS - Delete Unencrypted
    • EC2 - auto-tag aws userName on resources
    • EC2 - Modify Instance Metadata Options
      • Examples:
    • EC2 - Offhours Support
    • EC2 - Old Instance Report
    • EC2 - Power On For Scheduled Patching
    • EC2 - Terminate Unpatchable Instances
    • EIP - Garbage Collect Unattached Elastic IPs
    • ELB - Delete New Internet-Facing ELBs
    • ELB - Delete Unused Elastic Load Balancers
    • ELB - SSL Blacklist
    • ELB - SSL Whitelist
    • IAM - Manage Whether A Specific IAM Policy is Attached to Roles
    • Lambda - Notify On Lambda Errors
    • Example offhours policy
      • Resource Scheduling Offhours
      • Features
      • Policy Configuration
      • Tag Based Configuration
        • ScheduleParser Time Specifications
      • Policy examples
      • Resume During Offhours
      • ElasticBeanstalk, EFS and Other Services with Tag Value Restrictions
      • Public Holidays
    • RDS - Delete Unused Databases With No Connections
    • RDS - Terminate Unencrypted Public Instances
    • S3 - Configure New Buckets Settings and Standards
    • S3 - Block Public S3 Object ACLs
    • S3 - Encryption
      • Enable Bucket Encryption
      • Remediate Existing
        • Options
      • Remediate Incoming
        • Options
      • Bucket Policy
    • S3 - Global Grants
    • S3 - Add lifecycle policy on bucket delete
    • SageMaker Notebook - Delete Public or Unencrypted
    • Security Groups - add permission
    • Security Groups - Detect and Remediate Violations
    • Tag Compliance Across Resources (EC2, ASG, ELB, S3, etc)
    • VPC - Flow Log Configuration Check
    • VPC - Notify On Invalid External Peering Connections
  • Monitoring your environment
    • Metrics
    • CloudWatch Logs
    • S3 Logs & Records
    • Reports
  • Lambda Support
    • CloudWatch Events
      • Cloud Custodian Integration
        • CloudTrail API Calls
        • EC2 Instance State Events
        • Periodic Function
        • Event Pattern Filtering
    • Config Rules
    • Lambda Configuration
    • Execution Options
  • AWS Topics
    • AWS Config
      • Config Source
      • Config Rule
      • Filter
      • Config Poll Rule
    • Security Hub
      • Getting Started
      • Modes
    • AWS Systems Manager
      • EC2 Systems Manager
      • Ops Center
      • OmniSSM
    • AWS X-Ray Support
  • Developer Guide
  • Adding New AWS Resources
    • Create New AWS Resource
      • TypeInfo
    • Load New AWS Resource
    • Add New Filter
    • Add New Action
    • Testing
  • AWS Reference
    • AWS Execution Modes
      • pull
      • asg-instance-state
      • cloudtrail
      • config-poll-rule
      • config-rule
      • ec2-instance-state
      • guard-duty
      • hub-finding
      • hub-finding
      • periodic
      • phd
      • pull
    • AWS Common Actions
      • auto-tag-user
      • copy-related-tag
      • invoke-lambda
      • invoke-sfn
      • mark-for-op
      • modify-ecr-policy
      • modify-policy
      • modify-security-groups
      • normalize-tag
      • notify
      • post-finding
      • post-item
      • put-metric
      • remove-tag
      • rename-tag
      • tag
      • tag-trim
      • webhook
    • AWS Common Filters
      • alarm
      • api-cache
      • check-permissions
      • client-properties
      • config-compliance
      • connection-aliases
      • domain-options
      • engine
      • event
      • finding
      • health-event
      • iam-analyzer
      • image
      • instance-attribute
      • list-item
      • logging
      • login-profile
      • marked-for-op
      • metrics
      • network-location
      • offhour
      • onhour
      • ops-item
      • ownership
      • reduce
      • safety-rule
      • security-group
      • ses-agg-send-stats
      • shield-metrics
      • subnet
      • subscription-filter
      • tag-count
      • usage
      • usage-metric
      • value
      • vpc
    • account resources
      • aws.account
        • Filters
        • Actions
    • acm resources
      • aws.acm-certificate
        • Filters
        • Actions
    • apigateway resources
      • aws.apigw-domain-name
        • Filters
        • Actions
      • aws.rest-account
        • Filters
        • Actions
      • aws.rest-api
        • Filters
        • Actions
      • aws.rest-client-certificate
        • Filters
        • Actions
      • aws.rest-resource
        • Filters
        • Actions
      • aws.rest-stage
        • Filters
        • Actions
      • aws.rest-vpclink
        • Filters
        • Actions
    • apigatewayv2 resources
      • aws.apigwv2
        • Filters
        • Actions
    • appflow resources
      • aws.app-flow
        • Filters
        • Actions
    • appsync resources
      • aws.graphql-api
        • Filters
        • Actions
    • autoscaling resources
      • aws.asg
        • Filters
        • Actions
      • aws.launch-config
        • Filters
        • Actions
      • aws.scaling-policy
        • Filters
        • Actions
    • backup resources
      • aws.backup-plan
        • Filters
        • Actions
      • aws.backup-vault
        • Filters
        • Actions
    • batch resources
      • aws.batch-compute
        • Filters
        • Actions
      • aws.batch-definition
        • Filters
        • Actions
      • aws.batch-queue
        • Filters
        • Actions
    • clouddirectory resources
      • aws.cloud-directory
        • Filters
        • Actions
    • cloudformation resources
      • aws.cfn
        • Filters
        • Actions
    • cloudfront resources
      • aws.distribution
        • Filters
        • Actions
      • aws.streaming-distribution
        • Filters
        • Actions
    • cloudhsm resources
      • aws.hsm
        • Filters
        • Actions
      • aws.hsm-client
        • Filters
        • Actions
      • aws.hsm-hapg
        • Filters
        • Actions
    • cloudhsmv2 resources
      • aws.cloudhsm-cluster
        • Filters
        • Actions
    • cloudsearch resources
      • aws.cloudsearch
        • Filters
        • Actions
    • cloudtrail resources
      • aws.cloudtrail
        • Filters
        • Actions
    • cloudwatch resources
      • aws.alarm
        • Filters
        • Actions
      • aws.composite-alarm
        • Filters
        • Actions
      • aws.insight-rule
        • Filters
        • Actions
    • codeartifact resources
      • aws.artifact-domain
        • Filters
        • Actions
      • aws.artifact-repo
        • Filters
        • Actions
    • codebuild resources
      • aws.codebuild
        • Filters
        • Actions
    • codecommit resources
      • aws.codecommit
        • Filters
        • Actions
    • codedeploy resources
      • aws.codedeploy-app
        • Filters
        • Actions
      • aws.codedeploy-deployment
        • Filters
        • Actions
      • aws.codedeploy-group
        • Filters
        • Actions
    • codepipeline resources
      • aws.codepipeline
        • Filters
        • Actions
    • cognito-identity resources
      • aws.identity-pool
        • Filters
        • Actions
    • cognito-idp resources
      • aws.user-pool
        • Filters
        • Actions
    • config resources
      • aws.config-recorder
        • Filters
        • Actions
      • aws.config-rule
        • Filters
        • Actions
    • connect resources
      • aws.connect-instance
        • Filters
        • Actions
    • datapipeline resources
      • aws.datapipeline
        • Filters
        • Actions
    • dax resources
      • aws.dax
        • Filters
        • Actions
    • directconnect resources
      • aws.directconnect
        • Filters
        • Actions
    • dlm resources
      • aws.dlm-policy
        • Filters
        • Actions
    • dms resources
      • aws.dms-endpoint
        • Filters
        • Actions
      • aws.dms-instance
        • Filters
        • Actions
    • ds resources
      • aws.directory
        • Filters
        • Actions
    • dynamodb resources
      • aws.dynamodb-backup
        • Filters
        • Actions
      • aws.dynamodb-table
        • Filters
        • Actions
    • dynamodbstreams resources
      • aws.dynamodb-stream
        • Filters
        • Actions
    • ec2 resources
      • aws.ami
        • Filters
        • Actions
      • aws.customer-gateway
        • Filters
        • Actions
      • aws.ebs
        • Filters
        • Actions
      • aws.ebs-snapshot
        • Filters
        • Actions
      • aws.ec2
        • Filters
        • Actions
      • aws.ec2-host
        • Filters
        • Actions
      • aws.ec2-reserved
        • Filters
        • Actions
      • aws.ec2-spot-fleet-request
        • Filters
        • Actions
      • aws.elastic-ip
        • Filters
        • Actions
      • aws.eni
        • Filters
        • Actions
      • aws.internet-gateway
        • Filters
        • Actions
      • aws.key-pair
        • Filters
        • Actions
      • aws.launch-template-version
        • Filters
        • Actions
      • aws.mirror-session
        • Filters
        • Actions
      • aws.mirror-target
        • Filters
        • Actions
      • aws.nat-gateway
        • Filters
        • Actions
      • aws.network-acl
        • Filters
        • Actions
      • aws.peering-connection
        • Filters
        • Actions
      • aws.prefix-list
        • Filters
        • Actions
      • aws.route-table
        • Filters
        • Actions
      • aws.security-group
        • Filters
        • Actions
      • aws.subnet
        • Filters
        • Actions
      • aws.transit-attachment
        • Filters
        • Actions
      • aws.transit-gateway
        • Filters
        • Actions
      • aws.vpc
        • Filters
        • Actions
      • aws.vpc-endpoint
        • Filters
        • Actions
      • aws.vpn-connection
        • Filters
        • Actions
      • aws.vpn-gateway
        • Filters
        • Actions
    • ecr resources
      • aws.ecr
        • Filters
        • Actions
      • aws.ecr-image
        • Filters
        • Actions
    • ecs resources
      • aws.ecs
        • Filters
        • Actions
      • aws.ecs-container-instance
        • Filters
        • Actions
      • aws.ecs-service
        • Filters
        • Actions
      • aws.ecs-task
        • Filters
        • Actions
      • aws.ecs-task-definition
        • Filters
        • Actions
    • efs resources
      • aws.efs
        • Filters
        • Actions
      • aws.efs-mount-target
        • Filters
        • Actions
    • eks resources
      • aws.eks
        • Filters
        • Actions
      • aws.eks-nodegroup
        • Filters
        • Actions
    • elasticache resources
      • aws.cache-cluster
        • Filters
        • Actions
      • aws.cache-snapshot
        • Filters
        • Actions
      • aws.cache-subnet-group
        • Filters
        • Actions
      • aws.elasticache-group
        • Filters
        • Actions
    • elasticbeanstalk resources
      • aws.elasticbeanstalk
        • Filters
        • Actions
      • aws.elasticbeanstalk-environment
        • Filters
        • Actions
    • elb resources
      • aws.elb
        • Filters
        • Actions
    • elbv2 resources
      • aws.app-elb
        • Filters
        • Actions
      • aws.app-elb-target-group
        • Filters
        • Actions
    • emr resources
      • aws.emr
        • Filters
        • Actions
      • aws.emr-security-configuration
        • Filters
        • Actions
    • emr-serverless resources
      • aws.emr-serverless-app
        • Filters
        • Actions
    • es resources
      • aws.elasticsearch
        • Filters
        • Actions
      • aws.elasticsearch-reserved
        • Filters
        • Actions
    • events resources
      • aws.event-bus
        • Filters
        • Actions
      • aws.event-rule
        • Filters
        • Actions
      • aws.event-rule-target
        • Filters
        • Actions
    • firehose resources
      • aws.firehose
        • Filters
        • Actions
    • fis resources
      • aws.fis-experiment
        • Filters
        • Actions
      • aws.fis-template
        • Filters
        • Actions
    • fsx resources
      • aws.fsx
        • Filters
        • Actions
      • aws.fsx-backup
        • Filters
        • Actions
    • gamelift resources
      • aws.gamelift-build
        • Filters
        • Actions
      • aws.gamelift-fleet
        • Filters
        • Actions
    • glacier resources
      • aws.glacier
        • Filters
        • Actions
    • glue resources
      • aws.glue-catalog
        • Filters
        • Actions
      • aws.glue-classifier
        • Filters
        • Actions
      • aws.glue-connection
        • Filters
        • Actions
      • aws.glue-crawler
        • Filters
        • Actions
      • aws.glue-database
        • Filters
        • Actions
      • aws.glue-dev-endpoint
        • Filters
        • Actions
      • aws.glue-job
        • Filters
        • Actions
      • aws.glue-ml-transform
        • Filters
        • Actions
      • aws.glue-security-configuration
        • Filters
        • Actions
      • aws.glue-table
        • Filters
        • Actions
      • aws.glue-trigger
        • Filters
        • Actions
      • aws.glue-workflow
        • Filters
        • Actions
    • health resources
      • aws.health-event
        • Filters
        • Actions
    • iam resources
      • aws.iam-certificate
        • Filters
        • Actions
      • aws.iam-group
        • Filters
        • Actions
      • aws.iam-oidc-provider
        • Filters
        • Actions
      • aws.iam-policy
        • Filters
        • Actions
      • aws.iam-profile
        • Filters
        • Actions
      • aws.iam-role
        • Filters
        • Actions
      • aws.iam-saml-provider
        • Filters
        • Actions
      • aws.iam-user
        • Filters
        • Actions
    • iot resources
      • aws.iot
        • Filters
        • Actions
    • kafka resources
      • aws.kafka
        • Filters
        • Actions
    • kinesis resources
      • aws.kinesis
        • Filters
        • Actions
    • kinesisanalytics resources
      • aws.kinesis-analytics
        • Filters
        • Actions
    • kinesisanalyticsv2 resources
      • aws.kinesis-analyticsv2
        • Filters
        • Actions
    • kinesisvideo resources
      • aws.kinesis-video
        • Filters
        • Actions
    • kms resources
      • aws.kms
        • Filters
        • Actions
      • aws.kms-key
        • Filters
        • Actions
    • lakeformation resources
      • aws.datalake-location
        • Filters
        • Actions
    • lambda resources
      • aws.lambda
        • Filters
        • Actions
      • aws.lambda-layer
        • Filters
        • Actions
    • lightsail resources
      • aws.lightsail-db
        • Filters
        • Actions
      • aws.lightsail-elb
        • Filters
        • Actions
      • aws.lightsail-instance
        • Filters
        • Actions
    • logs resources
      • aws.log-group
        • Filters
        • Actions
      • aws.log-metric
        • Filters
        • Actions
    • machinelearning resources
      • aws.ml-model
        • Filters
        • Actions
    • mq resources
      • aws.message-broker
        • Filters
        • Actions
      • aws.message-config
        • Filters
        • Actions
    • mwaa resources
      • aws.airflow
        • Filters
        • Actions
    • network-firewall resources
      • aws.firewall
        • Filters
        • Actions
    • opsworks resources
      • aws.opswork-stack
        • Filters
        • Actions
    • opsworkscm resources
      • aws.opswork-cm
        • Filters
        • Actions
    • pinpoint resources
      • aws.pinpoint-app
        • Filters
        • Actions
    • qldb resources
      • aws.qldb
        • Filters
        • Actions
    • rds resources
      • aws.rds
        • Filters
        • Actions
      • aws.rds-cluster
        • Filters
        • Actions
      • aws.rds-cluster-param-group
        • Filters
        • Actions
      • aws.rds-cluster-snapshot
        • Filters
        • Actions
      • aws.rds-param-group
        • Filters
        • Actions
      • aws.rds-proxy
        • Filters
        • Actions
      • aws.rds-reserved
        • Filters
        • Actions
      • aws.rds-snapshot
        • Filters
        • Actions
      • aws.rds-subnet-group
        • Filters
        • Actions
      • aws.rds-subscription
        • Filters
        • Actions
    • redshift resources
      • aws.redshift
        • Filters
        • Actions
      • aws.redshift-reserved
        • Filters
        • Actions
      • aws.redshift-snapshot
        • Filters
        • Actions
      • aws.redshift-subnet-group
        • Filters
        • Actions
    • route53 resources
      • aws.healthcheck
        • Filters
        • Actions
      • aws.hostedzone
        • Filters
        • Actions
      • aws.rrset
        • Filters
        • Actions
    • route53-recovery-control-config resources
      • aws.recovery-cluster
        • Filters
        • Actions
      • aws.recovery-control-panel
        • Filters
        • Actions
    • route53-recovery-readiness resources
      • aws.readiness-check
        • Filters
        • Actions
    • route53domains resources
      • aws.r53domain
        • Filters
        • Actions
    • route53resolver resources
      • aws.resolver-logs
        • Filters
        • Actions
    • s3 resources
      • aws.s3
        • Filters
        • Actions
    • s3control resources
      • aws.s3-access-point
        • Filters
        • Actions
      • aws.s3-access-point-multi
        • Filters
        • Actions
    • sagemaker resources
      • aws.sagemaker-endpoint
        • Filters
        • Actions
      • aws.sagemaker-endpoint-config
        • Filters
        • Actions
      • aws.sagemaker-job
        • Filters
        • Actions
      • aws.sagemaker-model
        • Filters
        • Actions
      • aws.sagemaker-notebook
        • Filters
        • Actions
      • aws.sagemaker-transform-job
        • Filters
        • Actions
    • sdb resources
      • aws.simpledb
        • Filters
        • Actions
    • secretsmanager resources
      • aws.secrets-manager
        • Filters
        • Actions
    • serverlessrepo resources
      • aws.serverless-app
        • Filters
        • Actions
    • service-quotas resources
      • aws.service-quota
        • Filters
        • Actions
      • aws.service-quota-request
        • Filters
        • Actions
    • servicecatalog resources
      • aws.catalog-portfolio
        • Filters
        • Actions
      • aws.catalog-product
        • Filters
        • Actions
    • ses resources
      • aws.ses-configuration-set
        • Filters
        • Actions
    • shield resources
      • aws.shield-attack
        • Filters
        • Actions
      • aws.shield-protection
        • Filters
        • Actions
    • snowball resources
      • aws.snowball
        • Filters
        • Actions
      • aws.snowball-cluster
        • Filters
        • Actions
    • sns resources
      • aws.sns
        • Filters
        • Actions
      • aws.sns-subscription
        • Filters
        • Actions
    • sqs resources
      • aws.sqs
        • Filters
        • Actions
    • ssm resources
      • aws.ops-item
        • Filters
        • Actions
      • aws.ssm-activation
        • Filters
        • Actions
      • aws.ssm-data-sync
        • Filters
        • Actions
      • aws.ssm-document
        • Filters
        • Actions
      • aws.ssm-managed-instance
        • Filters
        • Actions
      • aws.ssm-parameter
        • Filters
        • Actions
    • stepfunctions resources
      • aws.step-machine
        • Filters
        • Actions
    • storagegateway resources
      • aws.storage-gateway
        • Filters
        • Actions
    • support resources
      • aws.support-case
        • Filters
        • Actions
    • swf resources
      • aws.swf-domain
        • Filters
        • Actions
    • timestream-write resources
      • aws.timestream-database
        • Filters
        • Actions
      • aws.timestream-table
        • Filters
        • Actions
    • transfer resources
      • aws.transfer-server
        • Filters
        • Actions
      • aws.transfer-user
        • Filters
        • Actions
    • waf resources
      • aws.waf
        • Filters
        • Actions
    • waf-regional resources
      • aws.waf-regional
        • Filters
        • Actions
    • wafv2 resources
      • aws.wafv2
        • Filters
        • Actions
    • workspaces resources
      • aws.workspaces
        • Filters
        • Actions
      • aws.workspaces-directory
        • Filters
        • Actions
      • aws.workspaces-image
        • Filters
        • Actions

Azure

  • Getting Started
    • Write your first policy
    • Run your policy
      • (Optional) Run your policy with Azure Monitoring
    • View policy results
      • Custodian Report
    • Next Steps
  • Configuring Azure Policies
    • Authentication & Access
      • Azure CLI
      • Service Principal
        • Azure Portal
        • Azure CLI
        • c7n-org
      • Access Token
      • Managed Service Identity
      • Azure Key Vault Integration
      • Azure Storage access
      • Azure Cloud Offerings
    • Logging, Metrics and Output
      • Writing Custodian Logs to Azure App Insights
      • Writing Custodian Metrics to Azure App Insights
      • Writing Custodian Output to Azure Blob Storage
      • Authentication to Storage
    • Hosting Options
      • Azure Functions Hosting
        • Overview
        • Azure Modes
        • Provision Options
        • Authentication Options
        • Execution Options
        • Event Grid Functions
        • Management Groups Support
      • Azure Container Hosting
        • Overview
        • Supported Policy Modes
        • Configuration
        • Running Locally
        • Deployment Options
      • Tutorial - ACI Deployment
        • 1. Create a Resource Group
        • 2. Create a Storage Account
        • 3. Create a Managed Identity
        • 4. Create an Application Insights Instance
        • 5. Create the ACI Container Host
        • 6. Upload a Custodian Policy
      • Tutorial - Helm Deployment
        • 1. Create a Resource Group
        • 2. Create a Storage Account
        • 3. Create a Service Principal
        • 4. Create an Application Insights Instance
        • 5. Create an AKS Cluster and Install Tiller
        • 6. Deploy the Helm Chart
        • 7. Upload a Custodian Policy
  • Examples
    • General
      • Monitor - Filter resources by metrics from Azure Monitor
      • Resource Groups - Delayed operations
      • Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
      • Resource Groups - Remove empty Resource Groups
      • Tags - Add tag to Virtual Machines
      • Tags - Automatically tag the creator of a resource or resource group
      • Tags - Remove tag From Virtual Machines
      • Tags - Trim tags From Virtual Machines
      • Resource Group - Generate a Teams Message on Create
    • Compute
      • App Services - Filter By CORS Configuration
      • App Service - Resize All Application Service Plans
      • Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
      • Tags - Add tag to Virtual Machines
      • Tags - Remove tag From Virtual Machines
      • Tags - Trim tags From Virtual Machines
      • Virtual Machines - Find Stopped Virtual Machines
      • Virtual Machines - Find Virtual Machines with public IP address
    • Storage and Databases
      • Cosmos DB Collections - Resize Throughput with On/Off Hours
      • SQL - Find databases with specific retention options
      • SQL - Update SQL Database retention policies
      • SQL - Find all SQL Databases with Premium SKU
      • Storage - Add storage firewall rules
      • Storage - Block public access
      • Storage - Monitor newly created Containers for public access
    • Identity
      • Tags - Automatically tag the creator of a resource or resource group
    • Networking
      • Firewall - Update CosmosDB Rules
      • Firewall - Filter Storage Accounts By Rules
      • Load Balancer - Filter load balancer by front end public ip
      • Network Security Groups - Deny access to Network Security Group
      • Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
      • Routes - Find route tables with a specific subnet
      • Storage - Add storage firewall rules
      • Storage - Block public access
      • Virtual Machines - Find Virtual Machines with public IP address
    • Notifications
      • Email - Use Azure Logic Apps to notify users of policy violations
        • Create and configure Azure Logic App
        • Author Cloud Custodian policy
        • Test the policy
      • Email - Send Users an Email
      • Resource Group - Generate a Teams Message on Create
  • Advanced Usage
    • Running against multiple subscriptions
    • Azure Policy Comparison
      • Examples
    • Developer Guide
      • Adding New Azure Resources
        • Install Azure Dependencies
        • Create New Azure Resource
        • Load New Azure Resource
      • Testing
        • Test framework
        • ARM templates
        • Cassettes
        • Running tests
  • Azure Reference
    • Azure Execution Modes
      • pull
      • azure-event-grid
      • azure-periodic
      • container-event
      • container-periodic
    • Azure Common Actions
      • auto-tag-date
      • auto-tag-user
      • delete
      • lock
      • logic-app
      • mark-for-op
      • notify
      • tag
      • tag-trim
      • untag
      • webhook
    • Azure Common Filters
      • auditing
      • authentication
      • azure-ad-administrators
      • blob-services
      • configuration
      • configuration-parameter
      • cost
      • diagnostic-settings
      • effective-route-table
      • event
      • firewall-rules
      • flow-logs
      • instance-view
      • list-item
      • marked-for-op
      • metric
      • offer
      • offhour
      • onhour
      • parent
      • policy-compliant
      • reduce
      • resource-lock
      • server-parameter
      • storage-diagnostic-settings
      • value
      • vm-extensions
      • vulnerability-assessment
    • AI + Machine Learning resources
      • azure.cognitiveservice
        • Filters
        • Actions
      • azure.databricks
        • Filters
        • Actions
      • azure.search
        • Filters
        • Actions
    • Active Directory resources
      • azure.roleassignment
        • Filters
        • Actions
      • azure.roledefinition
        • Filters
        • Actions
    • Alerts Management resources
      • azure.alert-logs
        • Filters
        • Actions
    • Analytics resources
      • azure.datafactory
        • Filters
        • Actions
      • azure.hdinsight
        • Filters
        • Actions
    • Backup and Recovery resources
      • azure.recovery-services
        • Filters
        • Actions
    • Compute resources
      • azure.aks
        • Filters
        • Actions
      • azure.appserviceplan
        • Filters
        • Actions
      • azure.batch
        • Filters
        • Actions
      • azure.image
        • Filters
        • Actions
      • azure.logic-app-workflow
        • Filters
        • Actions
      • azure.open-shift
        • Filters
        • Actions
      • azure.service-fabric-cluster
        • Filters
        • Actions
      • azure.service-fabric-cluster-managed
        • Filters
        • Actions
      • azure.spring-app
        • Filters
        • Actions
      • azure.spring-service-instance
        • Filters
        • Actions
      • azure.vm
        • Filters
        • Actions
      • azure.vmss
        • Filters
        • Actions
      • azure.webapp
        • Filters
        • Actions
    • Containers resources
      • azure.aks
        • Filters
        • Actions
      • azure.container-group
        • Filters
        • Actions
      • azure.container-registry
        • Filters
        • Actions
      • azure.containerservice
        • Filters
        • Actions
      • azure.open-shift
        • Filters
        • Actions
    • Cost resources
      • azure.cost-management-export
        • Filters
        • Actions
    • Databases resources
      • azure.cosmosdb
        • Filters
        • Actions
      • azure.cosmosdb-collection
        • Filters
        • Actions
      • azure.cosmosdb-database
        • Filters
        • Actions
      • azure.mariadb
        • Filters
        • Actions
      • azure.mysql
        • Filters
        • Actions
      • azure.mysql-flexibleserver
        • Filters
        • Actions
      • azure.postgresql-database
        • Filters
        • Actions
      • azure.postgresql-server
        • Filters
        • Actions
      • azure.redis
        • Filters
        • Actions
      • azure.sql-database
        • Filters
        • Actions
      • azure.sql-server
        • Filters
        • Actions
    • Events resources
      • azure.eventhub
        • Filters
        • Actions
      • azure.eventsubscription
        • Filters
        • Actions
      • azure.servicebus-namespace
        • Filters
        • Actions
      • azure.servicebus-namespace-authrules
        • Filters
        • Actions
      • azure.servicebus-namespace-networkrules
        • Filters
        • Actions
    • Generic resources
      • azure.armresource
        • Filters
        • Actions
      • azure.policyassignments
        • Filters
        • Actions
    • Integration resources
      • azure.api-management
        • Filters
        • Actions
    • Internet Of Things resources
      • azure.iothub
        • Filters
        • Actions
    • Media resources
      • azure.cdn-custom-domain
        • Filters
        • Actions
      • azure.cdn-endpoint
        • Filters
        • Actions
      • azure.cdnprofile
        • Filters
        • Actions
    • Monitoring resources
      • azure.monitor-log-profile
        • Filters
        • Actions
    • Network resources
      • azure.application-gateway
        • Filters
        • Actions
      • azure.front-door
        • Filters
        • Actions
      • azure.networkwatcher
        • Filters
        • Actions
      • azure.traffic-manager-profile
        • Filters
        • Actions
    • Networking resources
      • azure.dnszone
        • Filters
        • Actions
      • azure.loadbalancer
        • Filters
        • Actions
      • azure.networkinterface
        • Filters
        • Actions
      • azure.networksecuritygroup
        • Filters
        • Actions
      • azure.publicip
        • Filters
        • Actions
      • azure.recordset
        • Filters
        • Actions
      • azure.routetable
        • Filters
        • Actions
      • azure.vnet
        • Filters
        • Actions
    • Resource Group resources
      • azure.resourcegroup
        • Filters
        • Actions
    • Security resources
      • azure.advisor-recommendation
        • Filters
        • Actions
      • azure.defender-alert
        • Filters
        • Actions
      • azure.defender-autoprovisioning
        • Filters
        • Actions
      • azure.defender-pricing
        • Filters
        • Actions
      • azure.defender-setting
        • Filters
        • Actions
      • azure.keyvault
        • Filters
        • Actions
      • azure.keyvault-certificate
        • Filters
        • Actions
      • azure.keyvault-key
        • Filters
        • Actions
      • azure.keyvault-secret
        • Filters
        • Actions
    • Storage resources
      • azure.datalake
        • Filters
        • Actions
      • azure.disk
        • Filters
        • Actions
      • azure.storage
        • Filters
        • Actions
      • azure.storage-container
        • Filters
        • Actions
    • Subscription resources
      • azure.policyassignments
        • Filters
        • Actions
      • azure.resourcegroup
        • Filters
        • Actions
      • azure.subscription
        • Filters
        • Actions
    • Web resources
      • azure.appserviceplan
        • Filters
        • Actions
      • azure.webapp
        • Filters
        • Actions

GCP

  • Getting Started (Beta)
    • Install GCP Plugin
      • Option 1: Install released packages to local Python Environment
      • Option 2: Install latest from the repository
    • Connect Your Authentication Credentials
      • GCP CLI
      • Environment Variables
    • Write Your First Policy
    • Run Your Policy
  • Examples
    • App Engine - Check if an SSL Certificate is About to Expire
    • App Engine - Check if a blacklisted domain is still in use
    • App Engine - Check if a Firewall Rule is in Place
    • Dataflow - Check for Hanged Jobs
    • Deployment Manager - Find expired deployments
    • DNS - Notify if DNS Managed Zone has no DNSSEC
    • DNS - Notify if Logging is Disabled in DNS Policy
    • Compute Engine - Enforce minimal CPU utilization target for autoscalers
    • Compute Engine - Delete Instance Templates with Wrong Settings
    • Key Management System - Audit Crypto Key protection level
    • Load Balancer - Delete backend buckets
    • Load Balancer - Network Tiers
    • Load Balancer - SSL Policies - Delete policies by TLS version
    • Pub/Sub - Early Detection of Obsolete Snapshots
    • Pub/Sub - Audit Subscriptions to Match Requirements
    • Spanner - Drop Databases
    • Spanner - Reduce Count of Instance Nodes
    • Spanner - Set IAM Policies
    • Cloud SQL - List Unsucessful Backups Older Than N Days
    • Cloud SQL - Check Regions of Instances and Their State
    • Cloud SQL - Notify on Certificates Which Are About to Expire
    • Cloud SQL - Check Users
  • Policies
    • Generic Actions
      • Notify
    • Load Balancer
  • Developer Guide
  • Adding New GCP Resources
    • Create New GCP Resource
    • Load New GCP Resource
  • Testing
    • Updating Existing Tests
  • GCP Reference
    • GCP Execution Modes
      • pull
      • gcp-audit
      • gcp-periodic
      • gcp-scc
    • GCP Common Actions
      • notify
      • post-finding
      • set-iam-policy
      • webhook
    • GCP Common Filters
      • access-approval
      • alerts
      • bucket
      • compute-meta
      • effective-firewall
      • essential-contacts
      • event
      • list-item
      • offhour
      • onhour
      • recommend
      • reduce
      • scc-findings
      • value
    • apikeys resources
      • gcp.api-key
        • Filters
        • Actions
    • appengine resources
      • gcp.app-engine
        • Filters
        • Actions
      • gcp.app-engine-certificate
        • Filters
        • Actions
      • gcp.app-engine-domain
        • Filters
        • Actions
      • gcp.app-engine-domain-mapping
        • Filters
        • Actions
      • gcp.app-engine-firewall-ingress-rule
        • Filters
        • Actions
      • gcp.app-engine-service
        • Filters
        • Actions
      • gcp.app-engine-service-version
        • Filters
        • Actions
    • artifactregistry resources
      • gcp.artifact-repository
        • Filters
        • Actions
    • bigquery resources
      • gcp.bq-dataset
        • Filters
        • Actions
      • gcp.bq-job
        • Filters
        • Actions
      • gcp.bq-table
        • Filters
        • Actions
    • bigtableadmin resources
      • gcp.bigtable-instance
        • Filters
        • Actions
      • gcp.bigtable-instance-cluster
        • Filters
        • Actions
      • gcp.bigtable-instance-cluster-backup
        • Filters
        • Actions
      • gcp.bigtable-instance-table
        • Filters
        • Actions
    • cloudbilling resources
      • gcp.cloudbilling-account
        • Filters
        • Actions
    • cloudbuild resources
      • gcp.build
        • Filters
        • Actions
    • cloudfunctions resources
      • gcp.function
        • Filters
        • Actions
    • cloudkms resources
      • gcp.kms-cryptokey
        • Filters
        • Actions
      • gcp.kms-cryptokey-version
        • Filters
        • Actions
      • gcp.kms-keyring
        • Filters
        • Actions
    • cloudresourcemanager resources
      • gcp.folder
        • Filters
        • Actions
      • gcp.organization
        • Filters
        • Actions
      • gcp.project
        • Filters
        • Actions
    • compute resources
      • gcp.autoscaler
        • Filters
        • Actions
      • gcp.compute-project
        • Filters
        • Actions
      • gcp.disk
        • Filters
        • Actions
      • gcp.firewall
        • Filters
        • Actions
      • gcp.image
        • Filters
        • Actions
      • gcp.instance
        • Filters
        • Actions
      • gcp.instance-template
        • Filters
        • Actions
      • gcp.interconnect
        • Filters
        • Actions
      • gcp.interconnect-attachment
        • Filters
        • Actions
      • gcp.loadbalancer-address
        • Filters
        • Actions
      • gcp.loadbalancer-backend-bucket
        • Filters
        • Actions
      • gcp.loadbalancer-backend-service
        • Filters
        • Actions
      • gcp.loadbalancer-forwarding-rule
        • Filters
        • Actions
      • gcp.loadbalancer-global-address
        • Filters
        • Actions
      • gcp.loadbalancer-global-forwarding-rule
        • Filters
        • Actions
      • gcp.loadbalancer-health-check
        • Filters
        • Actions
      • gcp.loadbalancer-http-health-check
        • Filters
        • Actions
      • gcp.loadbalancer-https-health-check
        • Filters
        • Actions
      • gcp.loadbalancer-ssl-certificate
        • Filters
        • Actions
      • gcp.loadbalancer-ssl-policy
        • Filters
        • Actions
      • gcp.loadbalancer-target-http-proxy
        • Filters
        • Actions
      • gcp.loadbalancer-target-https-proxy
        • Filters
        • Actions
      • gcp.loadbalancer-target-instance
        • Filters
        • Actions
      • gcp.loadbalancer-target-pool
        • Filters
        • Actions
      • gcp.loadbalancer-target-ssl-proxy
        • Filters
        • Actions
      • gcp.loadbalancer-target-tcp-proxy
        • Filters
        • Actions
      • gcp.loadbalancer-url-map
        • Filters
        • Actions
      • gcp.route
        • Filters
        • Actions
      • gcp.router
        • Filters
        • Actions
      • gcp.snapshot
        • Filters
        • Actions
      • gcp.subnet
        • Filters
        • Actions
      • gcp.vpc
        • Filters
        • Actions
    • container resources
      • gcp.gke-cluster
        • Filters
        • Actions
      • gcp.gke-nodepool
        • Filters
        • Actions
    • dataflow resources
      • gcp.dataflow-job
        • Filters
        • Actions
    • deploymentmanager resources
      • gcp.dm-deployment
        • Filters
        • Actions
    • dns resources
      • gcp.dns-managed-zone
        • Filters
        • Actions
      • gcp.dns-policy
        • Filters
        • Actions
    • iam resources
      • gcp.iam-role
        • Filters
        • Actions
      • gcp.project-role
        • Filters
        • Actions
      • gcp.service-account
        • Filters
        • Actions
      • gcp.service-account-key
        • Filters
        • Actions
    • logging resources
      • gcp.log-exclusion
        • Filters
        • Actions
      • gcp.log-project-metric
        • Filters
        • Actions
      • gcp.log-project-sink
        • Filters
        • Actions
    • ml resources
      • gcp.ml-job
        • Filters
        • Actions
      • gcp.ml-model
        • Filters
        • Actions
    • pubsub resources
      • gcp.pubsub-snapshot
        • Filters
        • Actions
      • gcp.pubsub-subscription
        • Filters
        • Actions
      • gcp.pubsub-topic
        • Filters
        • Actions
    • regions resources
      • gcp.region
        • Filters
        • Actions
    • run resources
      • gcp.cloud-run-job
        • Filters
        • Actions
      • gcp.cloud-run-service
        • Filters
        • Actions
    • secretmanager resources
      • gcp.secret
        • Filters
        • Actions
    • serviceusage resources
      • gcp.service
        • Filters
        • Actions
    • sourcerepo resources
      • gcp.sourcerepo
        • Filters
        • Actions
    • spanner resources
      • gcp.spanner-database-instance
        • Filters
        • Actions
      • gcp.spanner-instance
        • Filters
        • Actions
    • sqladmin resources
      • gcp.sql-backup-run
        • Filters
        • Actions
      • gcp.sql-instance
        • Filters
        • Actions
      • gcp.sql-ssl-cert
        • Filters
        • Actions
      • gcp.sql-user
        • Filters
        • Actions
    • storage resources
      • gcp.bucket
        • Filters
        • Actions

Tencent Cloud

  • Tencent Cloud
  • Installation
  • Usage
  • Tencent Cloud Reference
    • Tencent Cloud Execution Modes
      • pull
    • Tencent Cloud Common Actions
      • copy-instance-tags
      • mark-for-op
      • remove-tag
      • rename-tag
      • start
      • stop
      • tag
      • terminate
      • webhook
    • Tencent Cloud Common Filters
      • check-permissions
      • event
      • list-item
      • marked-for-op
      • metrics
      • reduce
      • used
      • value
    • cam resources
      • tencentcloud.cam-policy
        • Filters
        • Actions
      • tencentcloud.cam-user
        • Filters
        • Actions
    • cbs resources
      • tencentcloud.cbs
        • Filters
        • Actions
      • tencentcloud.cbs-snapshot
        • Filters
        • Actions
    • cdb resources
      • tencentcloud.mysql
        • Filters
        • Actions
      • tencentcloud.mysql-backup
        • Filters
        • Actions
    • clb resources
      • tencentcloud.clb
        • Filters
        • Actions
    • cls resources
      • tencentcloud.cls
        • Filters
        • Actions
    • cos resources
      • tencentcloud.cos
        • Filters
        • Actions
    • cvm resources
      • tencentcloud.ami
        • Filters
        • Actions
      • tencentcloud.cvm
        • Filters
        • Actions
    • es resources
      • tencentcloud.elasticsearch
        • Filters
        • Actions
    • tcr resources
      • tencentcloud.tcr
        • Filters
        • Actions
    • vpc resources
      • tencentcloud.nat-gateway
        • Filters
        • Actions
      • tencentcloud.security-group
        • Filters
        • Actions
      • tencentcloud.vpc
        • Filters
        • Actions

Kubernetes

  • Getting Started (Alpha)
    • Install Kubernetes Plugin
      • Option 1: Install released packages to local Python Environment
      • Option 2: Install latest from the repository
    • Connecting to your Cluster
    • Write Your First Policy
    • Run Your Policy
  • Kubernetes Controller Mode
    • Install the Server
  • Option 1: Manual installation
  • Option 2: Helm chart
    • Testing
    • Authoring Policies
  • Examples
    • Denying Pod Exec or Attach
    • Require Labels on Resources on Creation or Update
    • Require Replicas on Deployments
    • Restrict Service Account Usage

Tools

  • c7n-org: Multi Account Custodian Execution
    • Installation
      • Config File Generation
    • Running a Policy with c7n-org
    • Selecting accounts, regions, policies for execution
    • Defining and using variables
    • Other commands
    • Additional Azure Instructions
  • c7n-mailer: Custodian Mailer
    • Message Relay
    • Tutorial
      • Email:
      • DataDog:
      • Slack:
      • Splunk HTTP Event Collector (HEC)
      • Now run:
    • Usage & Configuration
      • Standard Lambda Function Config
      • Standard Azure Functions Config
      • Mailer Infrastructure Config
      • SMTP Config
        • DataDog Config
      • Slack Config
      • SendGrid Config
      • Splunk HEC Config
      • SDK Config
      • Secured String
        • AWS
        • Azure
        • GCP
    • Configuring a policy to send email
    • Using on Azure
      • Deploying Azure Functions
      • Configuring Function Identity
    • Using on GCP
      • Deploying GCP Functions
    • Writing an email template
    • Developer Install (OS X El Capitan)
    • Testing Templates and Recipients
      • Testing Templates for Azure
  • Custodian policies for Infrastructure Code
    • Install
    • Usage
    • CLI Filters
    • Outputs
    • Policy Language
    • Policy Testing
  • Custodian Kubernetes Support
    • Running the server
    • Generate a MutatingWebhookConfiguration
    • Development
  • cask: easy custodian exec via docker
    • Install
    • Run
    • Build
  • c7n-log-exporter: Cloud watch log exporter automation
    • Features
    • Assumptions
    • Cli usage
    • Config format
      • Using S3 Bucket as destination
      • Using CloudWatch Destination as destination cross account
    • Multiple accounts via cli
    • Serverless Usage
  • c7n-trailcreator: Retroactive Resource Creator Tagging
    • Install
    • Config File
    • Athena Usage
    • Tagging
    • Multi Account / Multi Region
  • c7n-policystream: Policy Changes from Git
    • Install
    • Build
    • Usage
    • Options
  • OmniSSM - EC2 Systems Manager Automation
    • Client Configuration
    • Links
    • Todo
  • c7n-guardian: Automated multi-account Guard Duty setup
    • Accounts Credentials
    • Using custodian policies for remediation
  • c7n-salactus: Distributed Scale out S3 processing
    • Use Cases
    • Usage
    • Sample Configuration

Contributing

  • Contributing to Cloud Custodian
    • Developer install
    • Issues
    • Code of Conduct
    • Contributor agreement
  • Developer Guide
  • Installing for Developers
    • Installing Prerequisites
      • Install Python 3
        • On Ubuntu
        • On macOS with Homebrew
        • On Windows
        • Other Installation Methods
      • Install Poetry
        • On Mac/Linux
        • On Windows with Powershell
    • Installing Custodian
  • Testing for Developers
    • Running tests
    • Operating System Compatibility
    • Writing Tests for Cloud Controlled Resources
      • Creating Cloud Resources with Terraform
      • Recording Custodian Interactions
      • Controlling Resource Cleanup
    • Converting older functional tests
  • Documentation For Developers
    • Find the Documentation
    • Edit the Documentation
    • Render the Documentation
  • Packaging Custodian
    • Usage
    • Caveats
Cloud Custodian
  • AWS Reference
  • iam resources
  • aws.iam-oidc-provider
Previous Next

aws.iam-oidc-provider¶

Filters¶

  • event

  • finding

  • list-item

  • ops-item

  • reduce

  • value

Actions¶

  • invoke-lambda

  • invoke-sfn

  • notify

  • post-finding

  • post-item

  • put-metric

  • webhook

Previous Next

© Copyright .

Built with Sphinx using a theme provided by Read the Docs.