Cloud Custodian

Introduction

  • Getting Started
    • Install Cloud Custodian
      • Linux and Mac OS
      • Windows (CMD/PowerShell)
      • Docker
    • Explore Cloud Custodian
    • Cloud Provider Specific Help
      • Troubleshooting & Tinkering
    • Monitor resources
    • Editor Integration
    • Tab Completion
    • Community Resources
      • Troubleshooting
  • Generic Filters
    • Value Filter
    • Event Filter
    • Reduce Filter
      • Grouping resources
      • Sorting resources
      • Selecting resources
      • Combining resource groups
      • Attributes
      • Examples
  • Generic Actions
    • Webhook Action
  • Advanced Usage
    • Running against multiple regions
    • Reporting against multiple regions
    • Conditional Policy Execution
    • Limiting how many resources custodian affects
    • Adding custom fields to reports
  • Example tag compliance policy
  • Deployment
    • Compliance as Code
    • Continuous Integration of Policies
    • IAM Setup
    • Single Node Deployment
    • Monitoring Cloud Custodian
    • Mailer and Notifications Deployment
    • Multi Account Execution
    • Advanced Continuous Integration Tips
    • Additional Resources

AWS

  • Getting Started
    • Write your first policy
    • Run your policy
    • A 2nd Example Policy
    • Monitor AWS
      • Troubleshooting & Tinkering
  • Example Policies
    • Account - Login From Invalid IP Address
    • Account - Detect Root Logins
    • Account - Service Limit
    • AMI - Stop EC2 using Unapproved AMIs
    • AutoScaling Group - Verify ASGs have valid configurations
    • AMI - ASG Garbage Collector
    • ASG - Offhours Support
    • Block New Resources In Non-Standard Regions
    • DMS - DB Migration Service Endpoint - Enforce SSL
    • EBS - Garbage Collect Unattached Volumes
    • EBS - Create and Manage Snapshots
    • EBS - Delete Unencrypted
    • EC2 - auto-tag aws userName on resources
    • EC2 - Modify Instance Metadata Options
      • Examples:
    • EC2 - Offhours Support
    • EC2 - Old Instance Report
    • EC2 - Power On For Scheduled Patching
    • EC2 - Terminate Unpatchable Instances
    • EIP - Garbage Collect Unattached Elastic IPs
    • ELB - Delete New Internet-Facing ELBs
    • ELB - Delete Unused Elastic Load Balancers
    • ELB - SSL Blacklist
    • ELB - SSL Whitelist
    • IAM - Manage Whether A Specific IAM Policy is Attached to Roles
    • Lambda - Notify On Lambda Errors
    • Example offhours policy
      • Resource Scheduling Offhours
      • Features
      • Policy Configuration
      • Tag Based Configuration
        • ScheduleParser Time Specifications
      • Policy examples
      • Resume During Offhours
      • ElasticBeanstalk, EFS and Other Services with Tag Value Restrictions
      • Public Holidays
    • RDS - Delete Unused Databases With No Connections
    • RDS - Terminate Unencrypted Public Instances
    • S3 - Configure New Buckets Settings and Standards
    • S3 - Block Public S3 Object ACLs
    • S3 - Encryption
      • Enable Bucket Encryption
      • Remediate Existing
        • Options
      • Remediate Incoming
        • Options
      • Bucket Policy
    • S3 - Global Grants
    • SageMaker Notebook - Delete Public or Unencrypted
    • Security Groups - add permission
    • Security Groups - Detect and Remediate Violations
    • Tag Compliance Across Resources (EC2, ASG, ELB, S3, etc)
    • VPC - Flow Log Configuration Check
    • VPC - Notify On Invalid External Peering Connections
  • Monitoring your environment
    • Metrics
    • CloudWatch Logs
    • S3 Logs & Records
    • Reports
  • Lambda Support
    • CloudWatch Events
      • Cloud Custodian Integration
        • CloudTrail API Calls
        • EC2 Instance State Events
        • Periodic Function
        • Event Pattern Filtering
    • Config Rules
    • Lambda Configuration
    • Execution Options
  • AWS Topics
    • AWS Config
      • Config Source
      • Config Rule
      • Filter
      • Config Poll Rule
    • Security Hub
      • Getting Started
      • Modes
    • AWS Systems Manager
      • EC2 Systems Manager
      • Ops Center
      • OmniSSM
    • AWS X-Ray Support
  • Developer Guide
  • Adding New AWS Resources
    • Create New AWS Resource
    • Load New AWS Resource
    • Add New Filter
    • Add New Action
    • Testing
  • AWS Reference
    • AWS Execution Modes
      • pull
      • asg-instance-state
      • cloudtrail
      • config-poll-rule
      • config-rule
      • ec2-instance-state
      • guard-duty
      • hub-finding
      • hub-finding
      • periodic
      • phd
      • pull
    • AWS Common Actions
      • auto-tag-user
      • copy-related-tag
      • invoke-lambda
      • invoke-sfn
      • mark-for-op
      • modify-ecr-policy
      • modify-policy
      • modify-security-groups
      • normalize-tag
      • notify
      • post-finding
      • post-item
      • put-metric
      • remove-tag
      • rename-tag
      • tag
      • tag-trim
      • webhook
    • AWS Common Filters
      • alarm
      • api-cache
      • check-permissions
      • client-properties
      • config-compliance
      • connection-aliases
      • domain-options
      • engine
      • event
      • finding
      • health-event
      • iam-analyzer
      • image
      • instance-attribute
      • logging
      • login-profile
      • marked-for-op
      • metrics
      • network-location
      • offhour
      • onhour
      • ops-item
      • ownership
      • reduce
      • security-group
      • ses-agg-send-stats
      • shield-metrics
      • subnet
      • subscription-filter
      • tag-count
      • usage
      • usage-metric
      • value
      • vpc
    • account resources
      • aws.account
        • Filters
        • Actions
    • acm resources
      • aws.acm-certificate
        • Filters
        • Actions
    • apigateway resources
      • aws.apigw-domain-name
        • Filters
        • Actions
      • aws.rest-account
        • Filters
        • Actions
      • aws.rest-api
        • Filters
        • Actions
      • aws.rest-client-certificate
        • Filters
        • Actions
      • aws.rest-resource
        • Filters
        • Actions
      • aws.rest-stage
        • Filters
        • Actions
      • aws.rest-vpclink
        • Filters
        • Actions
    • apigatewayv2 resources
      • aws.apigwv2
        • Filters
        • Actions
    • appflow resources
      • aws.app-flow
        • Filters
        • Actions
    • appsync resources
      • aws.graphql-api
        • Filters
        • Actions
    • autoscaling resources
      • aws.asg
        • Filters
        • Actions
      • aws.launch-config
        • Filters
        • Actions
      • aws.scaling-policy
        • Filters
        • Actions
    • backup resources
      • aws.backup-plan
        • Filters
        • Actions
      • aws.backup-vault
        • Filters
        • Actions
    • batch resources
      • aws.batch-compute
        • Filters
        • Actions
      • aws.batch-definition
        • Filters
        • Actions
      • aws.batch-queue
        • Filters
        • Actions
    • clouddirectory resources
      • aws.cloud-directory
        • Filters
        • Actions
    • cloudformation resources
      • aws.cfn
        • Filters
        • Actions
    • cloudfront resources
      • aws.distribution
        • Filters
        • Actions
      • aws.streaming-distribution
        • Filters
        • Actions
    • cloudhsm resources
      • aws.hsm
        • Filters
        • Actions
      • aws.hsm-client
        • Filters
        • Actions
      • aws.hsm-hapg
        • Filters
        • Actions
    • cloudhsmv2 resources
      • aws.cloudhsm-cluster
        • Filters
        • Actions
    • cloudsearch resources
      • aws.cloudsearch
        • Filters
        • Actions
    • cloudtrail resources
      • aws.cloudtrail
        • Filters
        • Actions
    • cloudwatch resources
      • aws.alarm
        • Filters
        • Actions
      • aws.composite-alarm
        • Filters
        • Actions
      • aws.insight-rule
        • Filters
        • Actions
    • codeartifact resources
      • aws.artifact-domain
        • Filters
        • Actions
      • aws.artifact-repo
        • Filters
        • Actions
    • codebuild resources
      • aws.codebuild
        • Filters
        • Actions
    • codecommit resources
      • aws.codecommit
        • Filters
        • Actions
    • codedeploy resources
      • aws.codedeploy-app
        • Filters
        • Actions
      • aws.codedeploy-deployment
        • Filters
        • Actions
      • aws.codedeploy-group
        • Filters
        • Actions
    • codepipeline resources
      • aws.codepipeline
        • Filters
        • Actions
    • cognito-identity resources
      • aws.identity-pool
        • Filters
        • Actions
    • cognito-idp resources
      • aws.user-pool
        • Filters
        • Actions
    • config resources
      • aws.config-recorder
        • Filters
        • Actions
      • aws.config-rule
        • Filters
        • Actions
    • connect resources
      • aws.connect-instance
        • Filters
        • Actions
    • datapipeline resources
      • aws.datapipeline
        • Filters
        • Actions
    • dax resources
      • aws.dax
        • Filters
        • Actions
    • directconnect resources
      • aws.directconnect
        • Filters
        • Actions
    • dlm resources
      • aws.dlm-policy
        • Filters
        • Actions
    • dms resources
      • aws.dms-endpoint
        • Filters
        • Actions
      • aws.dms-instance
        • Filters
        • Actions
    • ds resources
      • aws.directory
        • Filters
        • Actions
    • dynamodb resources
      • aws.dynamodb-backup
        • Filters
        • Actions
      • aws.dynamodb-table
        • Filters
        • Actions
    • dynamodbstreams resources
      • aws.dynamodb-stream
        • Filters
        • Actions
    • ec2 resources
      • aws.ami
        • Filters
        • Actions
      • aws.customer-gateway
        • Filters
        • Actions
      • aws.ebs
        • Filters
        • Actions
      • aws.ebs-snapshot
        • Filters
        • Actions
      • aws.ec2
        • Filters
        • Actions
      • aws.ec2-host
        • Filters
        • Actions
      • aws.ec2-reserved
        • Filters
        • Actions
      • aws.ec2-spot-fleet-request
        • Filters
        • Actions
      • aws.elastic-ip
        • Filters
        • Actions
      • aws.eni
        • Filters
        • Actions
      • aws.internet-gateway
        • Filters
        • Actions
      • aws.key-pair
        • Filters
        • Actions
      • aws.launch-template-version
        • Filters
        • Actions
      • aws.mirror-session
        • Filters
        • Actions
      • aws.mirror-target
        • Filters
        • Actions
      • aws.nat-gateway
        • Filters
        • Actions
      • aws.network-acl
        • Filters
        • Actions
      • aws.peering-connection
        • Filters
        • Actions
      • aws.prefix-list
        • Filters
        • Actions
      • aws.route-table
        • Filters
        • Actions
      • aws.security-group
        • Filters
        • Actions
      • aws.subnet
        • Filters
        • Actions
      • aws.transit-attachment
        • Filters
        • Actions
      • aws.transit-gateway
        • Filters
        • Actions
      • aws.vpc
        • Filters
        • Actions
      • aws.vpc-endpoint
        • Filters
        • Actions
      • aws.vpn-connection
        • Filters
        • Actions
      • aws.vpn-gateway
        • Filters
        • Actions
    • ecr resources
      • aws.ecr
        • Filters
        • Actions
      • aws.ecr-image
        • Filters
        • Actions
    • ecs resources
      • aws.ecs
        • Filters
        • Actions
      • aws.ecs-container-instance
        • Filters
        • Actions
      • aws.ecs-service
        • Filters
        • Actions
      • aws.ecs-task
        • Filters
        • Actions
      • aws.ecs-task-definition
        • Filters
        • Actions
    • efs resources
      • aws.efs
        • Filters
        • Actions
      • aws.efs-mount-target
        • Filters
        • Actions
    • eks resources
      • aws.eks
        • Filters
        • Actions
      • aws.eks-nodegroup
        • Filters
        • Actions
    • elasticache resources
      • aws.cache-cluster
        • Filters
        • Actions
      • aws.cache-snapshot
        • Filters
        • Actions
      • aws.cache-subnet-group
        • Filters
        • Actions
      • aws.elasticache-group
        • Filters
        • Actions
    • elasticbeanstalk resources
      • aws.elasticbeanstalk
        • Filters
        • Actions
      • aws.elasticbeanstalk-environment
        • Filters
        • Actions
    • elb resources
      • aws.elb
        • Filters
        • Actions
    • elbv2 resources
      • aws.app-elb
        • Filters
        • Actions
      • aws.app-elb-target-group
        • Filters
        • Actions
    • emr resources
      • aws.emr
        • Filters
        • Actions
      • aws.emr-security-configuration
        • Filters
        • Actions
    • es resources
      • aws.elasticsearch
        • Filters
        • Actions
      • aws.elasticsearch-reserved
        • Filters
        • Actions
    • events resources
      • aws.event-bus
        • Filters
        • Actions
      • aws.event-rule
        • Filters
        • Actions
      • aws.event-rule-target
        • Filters
        • Actions
    • firehose resources
      • aws.firehose
        • Filters
        • Actions
    • fis resources
      • aws.fis-template
        • Filters
        • Actions
    • fsx resources
      • aws.fsx
        • Filters
        • Actions
      • aws.fsx-backup
        • Filters
        • Actions
    • gamelift resources
      • aws.gamelift-build
        • Filters
        • Actions
      • aws.gamelift-fleet
        • Filters
        • Actions
    • glacier resources
      • aws.glacier
        • Filters
        • Actions
    • glue resources
      • aws.glue-catalog
        • Filters
        • Actions
      • aws.glue-classifier
        • Filters
        • Actions
      • aws.glue-connection
        • Filters
        • Actions
      • aws.glue-crawler
        • Filters
        • Actions
      • aws.glue-database
        • Filters
        • Actions
      • aws.glue-dev-endpoint
        • Filters
        • Actions
      • aws.glue-job
        • Filters
        • Actions
      • aws.glue-ml-transform
        • Filters
        • Actions
      • aws.glue-security-configuration
        • Filters
        • Actions
      • aws.glue-table
        • Filters
        • Actions
      • aws.glue-trigger
        • Filters
        • Actions
      • aws.glue-workflow
        • Filters
        • Actions
    • health resources
      • aws.health-event
        • Filters
        • Actions
    • iam resources
      • aws.iam-certificate
        • Filters
        • Actions
      • aws.iam-group
        • Filters
        • Actions
      • aws.iam-oidc-provider
        • Filters
        • Actions
      • aws.iam-policy
        • Filters
        • Actions
      • aws.iam-profile
        • Filters
        • Actions
      • aws.iam-role
        • Filters
        • Actions
      • aws.iam-saml-provider
        • Filters
        • Actions
      • aws.iam-user
        • Filters
        • Actions
    • iot resources
      • aws.iot
        • Filters
        • Actions
    • kafka resources
      • aws.kafka
        • Filters
        • Actions
    • kinesis resources
      • aws.kinesis
        • Filters
        • Actions
    • kinesisanalytics resources
      • aws.kinesis-analytics
        • Filters
        • Actions
    • kinesisanalyticsv2 resources
      • aws.kinesis-analyticsv2
        • Filters
        • Actions
    • kinesisvideo resources
      • aws.kinesis-video
        • Filters
        • Actions
    • kms resources
      • aws.kms
        • Filters
        • Actions
      • aws.kms-key
        • Filters
        • Actions
    • lakeformation resources
      • aws.datalake-location
        • Filters
        • Actions
    • lambda resources
      • aws.lambda
        • Filters
        • Actions
      • aws.lambda-layer
        • Filters
        • Actions
    • lightsail resources
      • aws.lightsail-db
        • Filters
        • Actions
      • aws.lightsail-elb
        • Filters
        • Actions
      • aws.lightsail-instance
        • Filters
        • Actions
    • logs resources
      • aws.log-group
        • Filters
        • Actions
      • aws.log-metric
        • Filters
        • Actions
    • machinelearning resources
      • aws.ml-model
        • Filters
        • Actions
    • mq resources
      • aws.message-broker
        • Filters
        • Actions
      • aws.message-config
        • Filters
        • Actions
    • mwaa resources
      • aws.airflow
        • Filters
        • Actions
    • network-firewall resources
      • aws.firewall
        • Filters
        • Actions
    • opsworks resources
      • aws.opswork-stack
        • Filters
        • Actions
    • opsworkscm resources
      • aws.opswork-cm
        • Filters
        • Actions
    • qldb resources
      • aws.qldb
        • Filters
        • Actions
    • rds resources
      • aws.rds
        • Filters
        • Actions
      • aws.rds-cluster
        • Filters
        • Actions
      • aws.rds-cluster-param-group
        • Filters
        • Actions
      • aws.rds-cluster-snapshot
        • Filters
        • Actions
      • aws.rds-param-group
        • Filters
        • Actions
      • aws.rds-proxy
        • Filters
        • Actions
      • aws.rds-reserved
        • Filters
        • Actions
      • aws.rds-snapshot
        • Filters
        • Actions
      • aws.rds-subnet-group
        • Filters
        • Actions
      • aws.rds-subscription
        • Filters
        • Actions
    • redshift resources
      • aws.redshift
        • Filters
        • Actions
      • aws.redshift-reserved
        • Filters
        • Actions
      • aws.redshift-snapshot
        • Filters
        • Actions
      • aws.redshift-subnet-group
        • Filters
        • Actions
    • route53 resources
      • aws.healthcheck
        • Filters
        • Actions
      • aws.hostedzone
        • Filters
        • Actions
      • aws.rrset
        • Filters
        • Actions
    • route53-recovery-readiness resources
      • aws.readiness-check
        • Filters
        • Actions
    • route53domains resources
      • aws.r53domain
        • Filters
        • Actions
    • route53resolver resources
      • aws.resolver-logs
        • Filters
        • Actions
    • s3 resources
      • aws.s3
        • Filters
        • Actions
    • s3control resources
      • aws.s3-access-point
        • Filters
        • Actions
      • aws.s3-access-point-multi
        • Filters
        • Actions
    • sagemaker resources
      • aws.sagemaker-endpoint
        • Filters
        • Actions
      • aws.sagemaker-endpoint-config
        • Filters
        • Actions
      • aws.sagemaker-job
        • Filters
        • Actions
      • aws.sagemaker-model
        • Filters
        • Actions
      • aws.sagemaker-notebook
        • Filters
        • Actions
      • aws.sagemaker-transform-job
        • Filters
        • Actions
    • sdb resources
      • aws.simpledb
        • Filters
        • Actions
    • secretsmanager resources
      • aws.secrets-manager
        • Filters
        • Actions
    • serverlessrepo resources
      • aws.serverless-app
        • Filters
        • Actions
    • service-quotas resources
      • aws.service-quota
        • Filters
        • Actions
      • aws.service-quota-request
        • Filters
        • Actions
    • servicecatalog resources
      • aws.catalog-portfolio
        • Filters
        • Actions
      • aws.catalog-product
        • Filters
        • Actions
    • shield resources
      • aws.shield-attack
        • Filters
        • Actions
      • aws.shield-protection
        • Filters
        • Actions
    • snowball resources
      • aws.snowball
        • Filters
        • Actions
      • aws.snowball-cluster
        • Filters
        • Actions
    • sns resources
      • aws.sns
        • Filters
        • Actions
      • aws.sns-subscription
        • Filters
        • Actions
    • sqs resources
      • aws.sqs
        • Filters
        • Actions
    • ssm resources
      • aws.ops-item
        • Filters
        • Actions
      • aws.ssm-activation
        • Filters
        • Actions
      • aws.ssm-data-sync
        • Filters
        • Actions
      • aws.ssm-document
        • Filters
        • Actions
      • aws.ssm-managed-instance
        • Filters
        • Actions
      • aws.ssm-parameter
        • Filters
        • Actions
    • stepfunctions resources
      • aws.step-machine
        • Filters
        • Actions
    • storagegateway resources
      • aws.storage-gateway
        • Filters
        • Actions
    • support resources
      • aws.support-case
        • Filters
        • Actions
    • swf resources
      • aws.swf-domain
        • Filters
        • Actions
    • transfer resources
      • aws.transfer-server
        • Filters
        • Actions
      • aws.transfer-user
        • Filters
        • Actions
    • waf resources
      • aws.waf
        • Filters
        • Actions
    • waf-regional resources
      • aws.waf-regional
        • Filters
        • Actions
    • wafv2 resources
      • aws.wafv2
        • Filters
        • Actions
    • workspaces resources
      • aws.workspaces
        • Filters
        • Actions
      • aws.workspaces-directory
        • Filters
        • Actions
      • aws.workspaces-image
        • Filters
        • Actions

Azure

  • Getting Started
    • Write your first policy
    • Run your policy
      • (Optional) Run your policy with Azure Monitoring
    • View policy results
      • Custodian Report
    • Next Steps
  • Configuring Azure Policies
    • Authentication & Access
      • Azure CLI
      • Service Principal
        • Azure Portal
        • Azure CLI
        • c7n-org
      • Access Token
      • Managed Service Identity
      • Azure Key Vault Integration
      • Azure Storage access
      • Azure Cloud Offerings
    • Logging, Metrics and Output
      • Writing Custodian Logs to Azure App Insights
      • Writing Custodian Metrics to Azure App Insights
      • Writing Custodian Output to Azure Blob Storage
      • Authentication to Storage
    • Hosting Options
      • Azure Functions Hosting
        • Overview
        • Azure Modes
        • Provision Options
        • Authentication Options
        • Execution Options
        • Event Grid Functions
        • Management Groups Support
      • Azure Container Hosting
        • Overview
        • Supported Policy Modes
        • Configuration
        • Running Locally
        • Deployment Options
      • Tutorial - ACI Deployment
        • 1. Create a Resource Group
        • 2. Create a Storage Account
        • 3. Create a Managed Identity
        • 4. Create an Application Insights Instance
        • 5. Create the ACI Container Host
        • 6. Upload a Custodian Policy
      • Tutorial - Helm Deployment
        • 1. Create a Resource Group
        • 2. Create a Storage Account
        • 3. Create a Service Principal
        • 4. Create an Application Insights Instance
        • 5. Create an AKS Cluster and Install Tiller
        • 6. Deploy the Helm Chart
        • 7. Upload a Custodian Policy
  • Examples
    • General
      • Monitor - Filter resources by metrics from Azure Monitor
      • Resource Groups - Delayed operations
      • Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
      • Resource Groups - Remove empty Resource Groups
      • Tags - Add tag to Virtual Machines
      • Tags - Automatically tag the creator of a resource or resource group
      • Tags - Remove tag From Virtual Machines
      • Tags - Trim tags From Virtual Machines
      • Resource Group - Generate a Teams Message on Create
    • Compute
      • App Services - Filter By CORS Configuration
      • App Service - Resize All Application Service Plans
      • Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
      • Tags - Add tag to Virtual Machines
      • Tags - Remove tag From Virtual Machines
      • Tags - Trim tags From Virtual Machines
      • Virtual Machines - Find Stopped Virtual Machines
      • Virtual Machines - Find Virtual Machines with public IP address
    • Storage and Databases
      • Cosmos DB Collections - Resize Throughput with On/Off Hours
      • SQL - Find databases with specific retention options
      • SQL - Update SQL Database retention policies
      • SQL - Find all SQL Databases with Premium SKU
      • Storage - Add storage firewall rules
      • Storage - Block public access
      • Storage - Monitor newly created Containers for public access
    • Identity
      • Tags - Automatically tag the creator of a resource or resource group
    • Networking
      • Firewall - Update CosmosDB Rules
      • Firewall - Filter Storage Accounts By Rules
      • Load Balancer - Filter load balancer by front end public ip
      • Network Security Groups - Deny access to Network Security Group
      • Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
      • Routes - Find route tables with a specific subnet
      • Storage - Add storage firewall rules
      • Storage - Block public access
      • Virtual Machines - Find Virtual Machines with public IP address
    • Notifications
      • Email - Use Azure Logic Apps to notify users of policy violations
        • Create and configure Azure Logic App
        • Author Cloud Custodian policy
        • Test the policy
      • Email - Send Users an Email
      • Resource Group - Generate a Teams Message on Create
  • Advanced Usage
    • Running against multiple subscriptions
    • Azure Policy Comparison
      • Examples
    • Developer Guide
      • Adding New Azure Resources
        • Install Azure Dependencies
        • Create New Azure Resource
        • Load New Azure Resource
      • Testing
        • Test framework
        • ARM templates
        • Cassettes
        • Running tests
  • Azure Reference
    • Azure Execution Modes
      • pull
      • azure-event-grid
      • azure-periodic
      • container-event
      • container-periodic
    • Azure Common Actions
      • auto-tag-date
      • auto-tag-user
      • delete
      • lock
      • logic-app
      • mark-for-op
      • notify
      • tag
      • tag-trim
      • untag
      • webhook
    • Azure Common Filters
      • authentication
      • azure-ad-administrators
      • blob-services
      • configuration
      • configuration-parameter
      • cost
      • diagnostic-settings
      • effective-route-table
      • event
      • firewall-rules
      • instance-view
      • marked-for-op
      • metric
      • offer
      • offhour
      • onhour
      • parent
      • policy-compliant
      • reduce
      • resource-lock
      • storage-diagnostic-settings
      • value
      • vm-extensions
      • vulnerability-assessment
    • AI + Machine Learning resources
      • azure.cognitiveservice
        • Filters
        • Actions
      • azure.databricks
        • Filters
        • Actions
      • azure.search
        • Filters
        • Actions
    • Active Directory resources
      • azure.roleassignment
        • Filters
        • Actions
      • azure.roledefinition
        • Filters
        • Actions
    • Analytics resources
      • azure.datafactory
        • Filters
        • Actions
      • azure.hdinsight
        • Filters
        • Actions
    • Compute resources
      • azure.aks
        • Filters
        • Actions
      • azure.appserviceplan
        • Filters
        • Actions
      • azure.batch
        • Filters
        • Actions
      • azure.image
        • Filters
        • Actions
      • azure.logic-app-workflow
        • Filters
        • Actions
      • azure.service-fabric-cluster
        • Filters
        • Actions
      • azure.service-fabric-cluster-managed
        • Filters
        • Actions
      • azure.vm
        • Filters
        • Actions
      • azure.vmss
        • Filters
        • Actions
      • azure.webapp
        • Filters
        • Actions
    • Containers resources
      • azure.aks
        • Filters
        • Actions
      • azure.container-group
        • Filters
        • Actions
      • azure.container-registry
        • Filters
        • Actions
      • azure.containerservice
        • Filters
        • Actions
    • Cost resources
      • azure.cost-management-export
        • Filters
        • Actions
    • Databases resources
      • azure.cosmosdb
        • Filters
        • Actions
      • azure.cosmosdb-collection
        • Filters
        • Actions
      • azure.cosmosdb-database
        • Filters
        • Actions
      • azure.mysql
        • Filters
        • Actions
      • azure.postgresql-database
        • Filters
        • Actions
      • azure.postgresql-server
        • Filters
        • Actions
      • azure.redis
        • Filters
        • Actions
      • azure.sql-database
        • Filters
        • Actions
      • azure.sql-server
        • Filters
        • Actions
    • Events resources
      • azure.eventhub
        • Filters
        • Actions
      • azure.eventsubscription
        • Filters
        • Actions
    • Generic resources
      • azure.armresource
        • Filters
        • Actions
      • azure.policyassignments
        • Filters
        • Actions
    • Integration resources
      • azure.api-management
        • Filters
        • Actions
    • Internet Of Things resources
      • azure.iothub
        • Filters
        • Actions
    • Media resources
      • azure.cdnprofile
        • Filters
        • Actions
    • Network resources
      • azure.application-gateway
        • Filters
        • Actions
      • azure.front-door
        • Filters
        • Actions
      • azure.traffic-manager-profile
        • Filters
        • Actions
    • Networking resources
      • azure.dnszone
        • Filters
        • Actions
      • azure.loadbalancer
        • Filters
        • Actions
      • azure.networkinterface
        • Filters
        • Actions
      • azure.networksecuritygroup
        • Filters
        • Actions
      • azure.publicip
        • Filters
        • Actions
      • azure.recordset
        • Filters
        • Actions
      • azure.routetable
        • Filters
        • Actions
      • azure.vnet
        • Filters
        • Actions
    • Resource Group resources
      • azure.resourcegroup
        • Filters
        • Actions
    • Security resources
      • azure.advisor-recommendation
        • Filters
        • Actions
      • azure.defender-alert
        • Filters
        • Actions
      • azure.defender-autoprovisioning
        • Filters
        • Actions
      • azure.defender-pricing
        • Filters
        • Actions
      • azure.defender-setting
        • Filters
        • Actions
      • azure.keyvault
        • Filters
        • Actions
      • azure.keyvault-certificate
        • Filters
        • Actions
      • azure.keyvault-key
        • Filters
        • Actions
    • Storage resources
      • azure.datalake
        • Filters
        • Actions
      • azure.disk
        • Filters
        • Actions
      • azure.storage
        • Filters
        • Actions
      • azure.storage-container
        • Filters
        • Actions
    • Subscription resources
      • azure.policyassignments
        • Filters
        • Actions
      • azure.resourcegroup
        • Filters
        • Actions
      • azure.subscription
        • Filters
        • Actions
    • Web resources
      • azure.appserviceplan
        • Filters
        • Actions
      • azure.webapp
        • Filters
        • Actions

GCP

  • Getting Started (Beta)
    • Install GCP Plugin
      • Option 1: Install released packages to local Python Environment
      • Option 2: Install latest from the repository
    • Connect Your Authentication Credentials
      • GCP CLI
      • Environment Variables
    • Write Your First Policy
    • Run Your Policy
  • Examples
    • App Engine - Check if an SSL Certificate is About to Expire
    • App Engine - Check if a blacklisted domain is still in use
    • App Engine - Check if a Firewall Rule is in Place
    • Dataflow - Check for Hanged Jobs
    • Deployment Manager - Find expired deployments
    • DNS - Notify if DNS Managed Zone has no DNSSEC
    • DNS - Notify if Logging is Disabled in DNS Policy
    • Compute Engine - Enforce minimal CPU utilization target for autoscalers
    • Compute Engine - Delete Instance Templates with Wrong Settings
    • Key Management System - Audit Crypto Key protection level
    • Load Balancer - Delete backend buckets
    • Load Balancer - Network Tiers
    • Load Balancer - SSL Policies - Delete policies by TLS version
    • Pub/Sub - Early Detection of Obsolete Snapshots
    • Pub/Sub - Audit Subscriptions to Match Requirements
    • Spanner - Drop Databases
    • Spanner - Reduce Count of Instance Nodes
    • Spanner - Set IAM Policies
    • Cloud SQL - List Unsucessful Backups Older Than N Days
    • Cloud SQL - Check Regions of Instances and Their State
    • Cloud SQL - Notify on Certificates Which Are About to Expire
    • Cloud SQL - Check Users
  • Policies
    • Generic Actions
      • Notify
    • Load Balancer
  • Developer Guide
  • Adding New GCP Resources
    • Create New GCP Resource
    • Load New GCP Resource
  • Testing
    • Updating Existing Tests
  • GCP Reference
    • GCP Execution Modes
      • pull
      • gcp-audit
      • gcp-periodic
      • gcp-scc
    • GCP Common Actions
      • notify
      • post-finding
      • set-iam-policy
      • webhook
    • GCP Common Filters
      • compute-meta
      • effective-firewall
      • event
      • offhour
      • onhour
      • reduce
      • scc-findings
      • value
    • apikeys resources
      • gcp.api-key
        • Filters
        • Actions
    • appengine resources
      • gcp.app-engine
        • Filters
        • Actions
      • gcp.app-engine-certificate
        • Filters
        • Actions
      • gcp.app-engine-domain
        • Filters
        • Actions
      • gcp.app-engine-domain-mapping
        • Filters
        • Actions
      • gcp.app-engine-firewall-ingress-rule
        • Filters
        • Actions
    • bigquery resources
      • gcp.bq-dataset
        • Filters
        • Actions
      • gcp.bq-job
        • Filters
        • Actions
      • gcp.bq-table
        • Filters
        • Actions
    • cloudbilling resources
      • gcp.cloudbilling-account
        • Filters
        • Actions
    • cloudbuild resources
      • gcp.build
        • Filters
        • Actions
    • cloudfunctions resources
      • gcp.function
        • Filters
        • Actions
    • cloudkms resources
      • gcp.kms-cryptokey
        • Filters
        • Actions
      • gcp.kms-cryptokey-version
        • Filters
        • Actions
      • gcp.kms-keyring
        • Filters
        • Actions
    • cloudresourcemanager resources
      • gcp.folder
        • Filters
        • Actions
      • gcp.organization
        • Filters
        • Actions
      • gcp.project
        • Filters
        • Actions
    • compute resources
      • gcp.autoscaler
        • Filters
        • Actions
      • gcp.disk
        • Filters
        • Actions
      • gcp.firewall
        • Filters
        • Actions
      • gcp.image
        • Filters
        • Actions
      • gcp.instance
        • Filters
        • Actions
      • gcp.instance-template
        • Filters
        • Actions
      • gcp.interconnect
        • Filters
        • Actions
      • gcp.interconnect-attachment
        • Filters
        • Actions
      • gcp.loadbalancer-address
        • Filters
        • Actions
      • gcp.loadbalancer-backend-bucket
        • Filters
        • Actions
      • gcp.loadbalancer-backend-service
        • Filters
        • Actions
      • gcp.loadbalancer-forwarding-rule
        • Filters
        • Actions
      • gcp.loadbalancer-global-address
        • Filters
        • Actions
      • gcp.loadbalancer-global-forwarding-rule
        • Filters
        • Actions
      • gcp.loadbalancer-health-check
        • Filters
        • Actions
      • gcp.loadbalancer-http-health-check
        • Filters
        • Actions
      • gcp.loadbalancer-https-health-check
        • Filters
        • Actions
      • gcp.loadbalancer-ssl-certificate
        • Filters
        • Actions
      • gcp.loadbalancer-ssl-policy
        • Filters
        • Actions
      • gcp.loadbalancer-target-http-proxy
        • Filters
        • Actions
      • gcp.loadbalancer-target-https-proxy
        • Filters
        • Actions
      • gcp.loadbalancer-target-instance
        • Filters
        • Actions
      • gcp.loadbalancer-target-pool
        • Filters
        • Actions
      • gcp.loadbalancer-target-ssl-proxy
        • Filters
        • Actions
      • gcp.loadbalancer-target-tcp-proxy
        • Filters
        • Actions
      • gcp.loadbalancer-url-map
        • Filters
        • Actions
      • gcp.route
        • Filters
        • Actions
      • gcp.router
        • Filters
        • Actions
      • gcp.snapshot
        • Filters
        • Actions
      • gcp.subnet
        • Filters
        • Actions
      • gcp.vpc
        • Filters
        • Actions
    • container resources
      • gcp.gke-cluster
        • Filters
        • Actions
      • gcp.gke-nodepool
        • Filters
        • Actions
    • dataflow resources
      • gcp.dataflow-job
        • Filters
        • Actions
    • deploymentmanager resources
      • gcp.dm-deployment
        • Filters
        • Actions
    • dns resources
      • gcp.dns-managed-zone
        • Filters
        • Actions
      • gcp.dns-policy
        • Filters
        • Actions
    • iam resources
      • gcp.iam-role
        • Filters
        • Actions
      • gcp.project-role
        • Filters
        • Actions
      • gcp.service-account
        • Filters
        • Actions
      • gcp.service-account-key
        • Filters
        • Actions
    • logging resources
      • gcp.log-exclusion
        • Filters
        • Actions
      • gcp.log-project-metric
        • Filters
        • Actions
      • gcp.log-project-sink
        • Filters
        • Actions
    • ml resources
      • gcp.ml-job
        • Filters
        • Actions
      • gcp.ml-model
        • Filters
        • Actions
    • pubsub resources
      • gcp.pubsub-snapshot
        • Filters
        • Actions
      • gcp.pubsub-subscription
        • Filters
        • Actions
      • gcp.pubsub-topic
        • Filters
        • Actions
    • serviceusage resources
      • gcp.service
        • Filters
        • Actions
    • sourcerepo resources
      • gcp.sourcerepo
        • Filters
        • Actions
    • spanner resources
      • gcp.spanner-database-instance
        • Filters
        • Actions
      • gcp.spanner-instance
        • Filters
        • Actions
    • sqladmin resources
      • gcp.sql-backup-run
        • Filters
        • Actions
      • gcp.sql-instance
        • Filters
        • Actions
      • gcp.sql-ssl-cert
        • Filters
        • Actions
      • gcp.sql-user
        • Filters
        • Actions
    • storage resources
      • gcp.bucket
        • Filters
        • Actions

Tencent Cloud

  • Tencent Cloud
  • Installation
  • Usage
  • Tencent Cloud Reference
    • Tencent Cloud Execution Modes
      • pull
    • Tencent Cloud Common Actions
      • copy-instance-tags
      • mark-for-op
      • remove-tag
      • rename-tag
      • start
      • stop
      • tag
      • terminate
      • webhook
    • Tencent Cloud Common Filters
      • check-permissions
      • event
      • marked-for-op
      • metrics
      • reduce
      • value
    • cam resources
      • tencentcloud.cam-policy
        • Filters
        • Actions
      • tencentcloud.cam-user
        • Filters
        • Actions
    • cbs resources
      • tencentcloud.cbs
        • Filters
        • Actions
      • tencentcloud.cbs-snapshot
        • Filters
        • Actions
    • cdb resources
      • tencentcloud.mysql
        • Filters
        • Actions
      • tencentcloud.mysql-backup
        • Filters
        • Actions
    • clb resources
      • tencentcloud.clb
        • Filters
        • Actions
    • cls resources
      • tencentcloud.cls
        • Filters
        • Actions
    • cos resources
      • tencentcloud.cos
        • Filters
        • Actions
    • cvm resources
      • tencentcloud.ami
        • Filters
        • Actions
      • tencentcloud.cvm
        • Filters
        • Actions
    • es resources
      • tencentcloud.elasticsearch
        • Filters
        • Actions
    • tcr resources
      • tencentcloud.tcr
        • Filters
        • Actions
    • vpc resources
      • tencentcloud.nat-gateway
        • Filters
        • Actions
      • tencentcloud.security-group
        • Filters
        • Actions
      • tencentcloud.vpc
        • Filters
        • Actions

AWS Cloud Control

  • AWS Cloud Control Reference
    • AWS Cloud Control Execution Modes
      • pull
    • AWS Cloud Control Common Actions
      • auto-tag-user
      • mark-for-op
      • normalize-tag
      • remove-tag
      • rename-tag
      • tag
      • tag-trim
      • webhook
    • AWS Cloud Control Common Filters
      • event
      • marked-for-op
      • reduce
      • tag-count
      • value
    • awscc.cassandra_keyspace
      • Filters
      • Actions
        • delete
        • update
    • awscc.cassandra_table
      • Filters
      • Actions
        • delete
        • update
    • awscc.chatbot_slackchannelconfiguration
      • Filters
      • Actions
        • delete
        • update
    • awscc.codestarnotifications_notificationrule
      • Filters
      • Actions
        • delete
        • update
    • awscc.timestream_database
      • Filters
      • Actions
        • delete
        • update
    • awscc.timestream_scheduledquery
      • Filters
      • Actions
        • delete
        • update
    • awscc.timestream_table
      • Filters
      • Actions
        • delete
        • update
    • accessanalyzer resources
      • awscc.accessanalyzer_analyzer
        • Filters
        • Actions
    • acm resources
      • awscc.certificatemanager_account
        • Filters
        • Actions
    • acm-pca resources
      • awscc.acmpca_certificate
        • Filters
        • Actions
      • awscc.acmpca_certificateauthority
        • Filters
        • Actions
      • awscc.acmpca_certificateauthorityactivation
        • Filters
        • Actions
    • amp resources
      • awscc.aps_rulegroupsnamespace
        • Filters
        • Actions
      • awscc.aps_workspace
        • Filters
        • Actions
    • amplify resources
      • awscc.amplify_app
        • Filters
        • Actions
      • awscc.amplify_branch
        • Filters
        • Actions
      • awscc.amplify_domain
        • Filters
        • Actions
    • amplifyuibuilder resources
    • apigateway resources
      • awscc.apigateway_account
        • Filters
        • Actions
      • awscc.apigateway_apikey
        • Filters
        • Actions
      • awscc.apigateway_authorizer
        • Filters
        • Actions
      • awscc.apigateway_basepathmapping
        • Filters
        • Actions
      • awscc.apigateway_clientcertificate
        • Filters
        • Actions
      • awscc.apigateway_deployment
        • Filters
        • Actions
      • awscc.apigateway_documentationversion
        • Filters
        • Actions
      • awscc.apigateway_domainname
        • Filters
        • Actions
      • awscc.apigateway_method
        • Filters
        • Actions
      • awscc.apigateway_model
        • Filters
        • Actions
      • awscc.apigateway_requestvalidator
        • Filters
        • Actions
      • awscc.apigateway_stage
        • Filters
        • Actions
      • awscc.apigateway_usageplan
        • Filters
        • Actions
    • appflow resources
      • awscc.appflow_connectorprofile
        • Filters
        • Actions
      • awscc.appflow_flow
        • Filters
        • Actions
    • appintegrations resources
      • awscc.appintegrations_eventintegration
        • Filters
        • Actions
    • application-insights resources
      • awscc.applicationinsights_application
        • Filters
        • Actions
    • apprunner resources
      • awscc.apprunner_service
        • Filters
        • Actions
    • appstream resources
      • awscc.appstream_application
        • Filters
        • Actions
      • awscc.appstream_entitlement
        • Filters
        • Actions
    • appsync resources
      • awscc.appsync_domainname
        • Filters
        • Actions
      • awscc.appsync_domainnameapiassociation
        • Filters
        • Actions
    • athena resources
      • awscc.athena_datacatalog
        • Filters
        • Actions
      • awscc.athena_namedquery
        • Filters
        • Actions
      • awscc.athena_preparedstatement
        • Filters
        • Actions
      • awscc.athena_workgroup
        • Filters
        • Actions
    • auditmanager resources
      • awscc.auditmanager_assessment
        • Filters
        • Actions
    • autoscaling resources
      • awscc.autoscaling_lifecyclehook
        • Filters
        • Actions
      • awscc.autoscaling_warmpool
        • Filters
        • Actions
    • backup resources
      • awscc.backup_backupplan
        • Filters
        • Actions
      • awscc.backup_backupvault
        • Filters
        • Actions
      • awscc.backup_framework
        • Filters
        • Actions
      • awscc.backup_reportplan
        • Filters
        • Actions
    • batch resources
      • awscc.batch_schedulingpolicy
        • Filters
        • Actions
    • budgets resources
      • awscc.budgets_budgetsaction
        • Filters
        • Actions
    • ce resources
      • awscc.ce_anomalymonitor
        • Filters
        • Actions
      • awscc.ce_anomalysubscription
        • Filters
        • Actions
      • awscc.ce_costcategory
        • Filters
        • Actions
    • cloudformation resources
      • awscc.cloudformation_resourcedefaultversion
        • Filters
        • Actions
      • awscc.cloudformation_stackset
        • Filters
        • Actions
      • awscc.cloudformation_typeactivation
        • Filters
        • Actions
    • cloudfront resources
      • awscc.cloudfront_cachepolicy
        • Filters
        • Actions
      • awscc.cloudfront_cloudfrontoriginaccessidentity
        • Filters
        • Actions
      • awscc.cloudfront_distribution
        • Filters
        • Actions
      • awscc.cloudfront_function
        • Filters
        • Actions
      • awscc.cloudfront_keygroup
        • Filters
        • Actions
      • awscc.cloudfront_originrequestpolicy
        • Filters
        • Actions
      • awscc.cloudfront_publickey
        • Filters
        • Actions
      • awscc.cloudfront_realtimelogconfig
        • Filters
        • Actions
      • awscc.cloudfront_responseheaderspolicy
        • Filters
        • Actions
    • cloudtrail resources
      • awscc.cloudtrail_trail
        • Filters
        • Actions
    • cloudwatch resources
      • awscc.cloudwatch_compositealarm
        • Filters
        • Actions
      • awscc.cloudwatch_metricstream
        • Filters
        • Actions
    • codeartifact resources
      • awscc.codeartifact_domain
        • Filters
        • Actions
      • awscc.codeartifact_repository
        • Filters
        • Actions
    • codeguruprofiler resources
      • awscc.codeguruprofiler_profilinggroup
        • Filters
        • Actions
    • codestar-connections resources
      • awscc.codestarconnections_connection
        • Filters
        • Actions
    • config resources
      • awscc.config_aggregationauthorization
        • Filters
        • Actions
      • awscc.config_configurationaggregator
        • Filters
        • Actions
      • awscc.config_conformancepack
        • Filters
        • Actions
      • awscc.config_organizationconformancepack
        • Filters
        • Actions
      • awscc.config_storedquery
        • Filters
        • Actions
    • connect resources
      • awscc.connect_contactflow
        • Filters
        • Actions
      • awscc.connect_contactflowmodule
        • Filters
        • Actions
      • awscc.connect_hoursofoperation
        • Filters
        • Actions
      • awscc.connect_quickconnect
        • Filters
        • Actions
      • awscc.connect_user
        • Filters
        • Actions
      • awscc.connect_userhierarchygroup
        • Filters
        • Actions
    • cur resources
      • awscc.cur_reportdefinition
        • Filters
        • Actions
    • customer-profiles resources
      • awscc.customerprofiles_domain
        • Filters
        • Actions
      • awscc.customerprofiles_integration
        • Filters
        • Actions
      • awscc.customerprofiles_objecttype
        • Filters
        • Actions
    • databrew resources
      • awscc.databrew_dataset
        • Filters
        • Actions
      • awscc.databrew_job
        • Filters
        • Actions
      • awscc.databrew_project
        • Filters
        • Actions
      • awscc.databrew_recipe
        • Filters
        • Actions
      • awscc.databrew_ruleset
        • Filters
        • Actions
      • awscc.databrew_schedule
        • Filters
        • Actions
    • datasync resources
      • awscc.datasync_agent
        • Filters
        • Actions
      • awscc.datasync_locationefs
        • Filters
        • Actions
      • awscc.datasync_locationfsxwindows
        • Filters
        • Actions
      • awscc.datasync_locationhdfs
        • Filters
        • Actions
      • awscc.datasync_locationnfs
        • Filters
        • Actions
      • awscc.datasync_locationobjectstorage
        • Filters
        • Actions
      • awscc.datasync_locations3
        • Filters
        • Actions
      • awscc.datasync_locationsmb
        • Filters
        • Actions
      • awscc.datasync_task
        • Filters
        • Actions
    • detective resources
      • awscc.detective_graph
        • Filters
        • Actions
      • awscc.detective_memberinvitation
        • Filters
        • Actions
    • devops-guru resources
      • awscc.devopsguru_resourcecollection
        • Filters
        • Actions
    • dynamodb resources
      • awscc.dynamodb_globaltable
        • Filters
        • Actions
    • ec2 resources
      • awscc.ec2_capacityreservationfleet
        • Filters
        • Actions
      • awscc.ec2_carriergateway
        • Filters
        • Actions
      • awscc.ec2_dhcpoptions
        • Filters
        • Actions
      • awscc.ec2_ec2fleet
        • Filters
        • Actions
      • awscc.ec2_flowlog
        • Filters
        • Actions
      • awscc.ec2_gatewayroutetableassociation
        • Filters
        • Actions
      • awscc.ec2_host
        • Filters
        • Actions
      • awscc.ec2_internetgateway
        • Filters
        • Actions
      • awscc.ec2_ipam
        • Filters
        • Actions
      • awscc.ec2_ipampool
        • Filters
        • Actions
      • awscc.ec2_ipamscope
        • Filters
        • Actions
      • awscc.ec2_localgatewayroutetablevpcassociation
        • Filters
        • Actions
      • awscc.ec2_networkacl
        • Filters
        • Actions
      • awscc.ec2_networkinsightsaccessscope
        • Filters
        • Actions
      • awscc.ec2_networkinsightsaccessscopeanalysis
        • Filters
        • Actions
      • awscc.ec2_networkinsightsanalysis
        • Filters
        • Actions
      • awscc.ec2_networkinsightspath
        • Filters
        • Actions
      • awscc.ec2_networkinterface
        • Filters
        • Actions
      • awscc.ec2_prefixlist
        • Filters
        • Actions
      • awscc.ec2_routetable
        • Filters
        • Actions
      • awscc.ec2_spotfleet
        • Filters
        • Actions
      • awscc.ec2_subnet
        • Filters
        • Actions
      • awscc.ec2_transitgateway
        • Filters
        • Actions
      • awscc.ec2_transitgatewayconnect
        • Filters
        • Actions
      • awscc.ec2_transitgatewaymulticastdomain
        • Filters
        • Actions
      • awscc.ec2_transitgatewaypeeringattachment
        • Filters
        • Actions
      • awscc.ec2_transitgatewayvpcattachment
        • Filters
        • Actions
      • awscc.ec2_vpc
        • Filters
        • Actions
      • awscc.ec2_vpcdhcpoptionsassociation
        • Filters
        • Actions
      • awscc.ec2_vpcendpoint
        • Filters
        • Actions
    • ecr resources
      • awscc.ecr_publicrepository
        • Filters
        • Actions
      • awscc.ecr_registrypolicy
        • Filters
        • Actions
      • awscc.ecr_replicationconfiguration
        • Filters
        • Actions
      • awscc.ecr_repository
        • Filters
        • Actions
    • ecs resources
      • awscc.ecs_capacityprovider
        • Filters
        • Actions
      • awscc.ecs_cluster
        • Filters
        • Actions
      • awscc.ecs_clustercapacityproviderassociations
        • Filters
        • Actions
      • awscc.ecs_primarytaskset
        • Filters
        • Actions
      • awscc.ecs_service
        • Filters
        • Actions
      • awscc.ecs_taskdefinition
        • Filters
        • Actions
      • awscc.ecs_taskset
        • Filters
        • Actions
    • efs resources
      • awscc.efs_accesspoint
        • Filters
        • Actions
      • awscc.efs_filesystem
        • Filters
        • Actions
      • awscc.efs_mounttarget
        • Filters
        • Actions
    • eks resources
      • awscc.eks_addon
        • Filters
        • Actions
      • awscc.eks_cluster
        • Filters
        • Actions
      • awscc.eks_fargateprofile
        • Filters
        • Actions
    • elasticache resources
      • awscc.elasticache_globalreplicationgroup
        • Filters
        • Actions
      • awscc.elasticache_user
        • Filters
        • Actions
      • awscc.elasticache_usergroup
        • Filters
        • Actions
    • elbv2 resources
      • awscc.elasticloadbalancingv2_listener
        • Filters
        • Actions
      • awscc.elasticloadbalancingv2_listenerrule
        • Filters
        • Actions
    • emr resources
      • awscc.emr_studio
        • Filters
        • Actions
      • awscc.emr_studiosessionmapping
        • Filters
        • Actions
    • emr-containers resources
      • awscc.emrcontainers_virtualcluster
        • Filters
        • Actions
    • es resources
      • awscc.opensearchservice_domain
        • Filters
        • Actions
    • events resources
      • awscc.events_apidestination
        • Filters
        • Actions
      • awscc.events_archive
        • Filters
        • Actions
      • awscc.events_connection
        • Filters
        • Actions
    • evidently resources
      • awscc.evidently_experiment
        • Filters
        • Actions
      • awscc.evidently_feature
        • Filters
        • Actions
      • awscc.evidently_launch
        • Filters
        • Actions
      • awscc.evidently_project
        • Filters
        • Actions
    • finspace resources
      • awscc.finspace_environment
        • Filters
        • Actions
    • fis resources
      • awscc.fis_experimenttemplate
        • Filters
        • Actions
    • fms resources
      • awscc.fms_notificationchannel
        • Filters
        • Actions
      • awscc.fms_policy
        • Filters
        • Actions
    • forecast resources
      • awscc.forecast_datasetgroup
        • Filters
        • Actions
    • frauddetector resources
      • awscc.frauddetector_detector
        • Filters
        • Actions
      • awscc.frauddetector_entitytype
        • Filters
        • Actions
      • awscc.frauddetector_eventtype
        • Filters
        • Actions
      • awscc.frauddetector_label
        • Filters
        • Actions
      • awscc.frauddetector_outcome
        • Filters
        • Actions
      • awscc.frauddetector_variable
        • Filters
        • Actions
    • gamelift resources
      • awscc.gamelift_alias
        • Filters
        • Actions
      • awscc.gamelift_fleet
        • Filters
        • Actions
      • awscc.gamelift_gameservergroup
        • Filters
        • Actions
    • globalaccelerator resources
      • awscc.globalaccelerator_accelerator
        • Filters
        • Actions
      • awscc.globalaccelerator_endpointgroup
        • Filters
        • Actions
      • awscc.globalaccelerator_listener
        • Filters
        • Actions
    • glue resources
      • awscc.glue_registry
        • Filters
        • Actions
      • awscc.glue_schema
        • Filters
        • Actions
    • greengrassv2 resources
      • awscc.greengrassv2_componentversion
        • Filters
        • Actions
    • groundstation resources
      • awscc.groundstation_config
        • Filters
        • Actions
      • awscc.groundstation_missionprofile
        • Filters
        • Actions
    • healthlake resources
      • awscc.healthlake_fhirdatastore
        • Filters
        • Actions
    • iam resources
      • awscc.iam_oidcprovider
        • Filters
        • Actions
      • awscc.iam_role
        • Filters
        • Actions
      • awscc.iam_samlprovider
        • Filters
        • Actions
      • awscc.iam_servercertificate
        • Filters
        • Actions
      • awscc.iam_virtualmfadevice
        • Filters
        • Actions
    • imagebuilder resources
      • awscc.imagebuilder_distributionconfiguration
        • Filters
        • Actions
      • awscc.imagebuilder_image
        • Filters
        • Actions
      • awscc.imagebuilder_imagepipeline
        • Filters
        • Actions
      • awscc.imagebuilder_infrastructureconfiguration
        • Filters
        • Actions
    • inspector2 resources
      • awscc.inspectorv2_filter
        • Filters
        • Actions
    • iot resources
      • awscc.iot_accountauditconfiguration
        • Filters
        • Actions
      • awscc.iot_authorizer
        • Filters
        • Actions
      • awscc.iot_certificate
        • Filters
        • Actions
      • awscc.iot_custommetric
        • Filters
        • Actions
      • awscc.iot_dimension
        • Filters
        • Actions
      • awscc.iot_domainconfiguration
        • Filters
        • Actions
      • awscc.iot_fleetmetric
        • Filters
        • Actions
      • awscc.iot_logging
        • Filters
        • Actions
      • awscc.iot_mitigationaction
        • Filters
        • Actions
      • awscc.iot_provisioningtemplate
        • Filters
        • Actions
      • awscc.iot_resourcespecificlogging
        • Filters
        • Actions
      • awscc.iot_scheduledaudit
        • Filters
        • Actions
      • awscc.iot_securityprofile
        • Filters
        • Actions
      • awscc.iot_topicrule
        • Filters
        • Actions
      • awscc.iot_topicruledestination
        • Filters
        • Actions
    • iotanalytics resources
      • awscc.iotanalytics_dataset
        • Filters
        • Actions
      • awscc.iotanalytics_datastore
        • Filters
        • Actions
      • awscc.iotanalytics_pipeline
        • Filters
        • Actions
    • iotdeviceadvisor resources
      • awscc.iotcoredeviceadvisor_suitedefinition
        • Filters
        • Actions
    • iotevents resources
      • awscc.iotevents_detectormodel
        • Filters
        • Actions
      • awscc.iotevents_input
        • Filters
        • Actions
    • iotfleethub resources
      • awscc.iotfleethub_application
        • Filters
        • Actions
    • iotsitewise resources
      • awscc.iotsitewise_accesspolicy
        • Filters
        • Actions
      • awscc.iotsitewise_asset
        • Filters
        • Actions
      • awscc.iotsitewise_assetmodel
        • Filters
        • Actions
      • awscc.iotsitewise_dashboard
        • Filters
        • Actions
      • awscc.iotsitewise_gateway
        • Filters
        • Actions
      • awscc.iotsitewise_portal
        • Filters
        • Actions
      • awscc.iotsitewise_project
        • Filters
        • Actions
    • iotwireless resources
      • awscc.iotwireless_destination
        • Filters
        • Actions
      • awscc.iotwireless_fuotatask
        • Filters
        • Actions
      • awscc.iotwireless_multicastgroup
        • Filters
        • Actions
      • awscc.iotwireless_partneraccount
        • Filters
        • Actions
      • awscc.iotwireless_wirelessdevice
        • Filters
        • Actions
      • awscc.iotwireless_wirelessgateway
        • Filters
        • Actions
    • ivs resources
      • awscc.ivs_channel
        • Filters
        • Actions
      • awscc.ivs_playbackkeypair
        • Filters
        • Actions
      • awscc.ivs_recordingconfiguration
        • Filters
        • Actions
      • awscc.ivs_streamkey
        • Filters
        • Actions
    • kendra resources
      • awscc.kendra_datasource
        • Filters
        • Actions
      • awscc.kendra_faq
        • Filters
        • Actions
      • awscc.kendra_index
        • Filters
        • Actions
    • kinesis resources
      • awscc.kinesis_stream
        • Filters
        • Actions
    • kinesis-firehose resources
      • awscc.kinesisfirehose_deliverystream
        • Filters
        • Actions
    • kinesisvideo resources
      • awscc.kinesisvideo_signalingchannel
        • Filters
        • Actions
      • awscc.kinesisvideo_stream
        • Filters
        • Actions
    • kms resources
      • awscc.kms_alias
        • Filters
        • Actions
      • awscc.kms_key
        • Filters
        • Actions
      • awscc.kms_replicakey
        • Filters
        • Actions
    • lambda resources
      • awscc.lambda_codesigningconfig
        • Filters
        • Actions
      • awscc.lambda_eventsourcemapping
        • Filters
        • Actions
      • awscc.lambda_function
        • Filters
        • Actions
    • lexv2-models resources
      • awscc.lex_bot
        • Filters
        • Actions
      • awscc.lex_botalias
        • Filters
        • Actions
      • awscc.lex_resourcepolicy
        • Filters
        • Actions
    • license-manager resources
      • awscc.licensemanager_grant
        • Filters
        • Actions
      • awscc.licensemanager_license
        • Filters
        • Actions
    • lightsail resources
      • awscc.lightsail_alarm
        • Filters
        • Actions
      • awscc.lightsail_bucket
        • Filters
        • Actions
      • awscc.lightsail_database
        • Filters
        • Actions
      • awscc.lightsail_disk
        • Filters
        • Actions
      • awscc.lightsail_instance
        • Filters
        • Actions
      • awscc.lightsail_loadbalancer
        • Filters
        • Actions
      • awscc.lightsail_loadbalancertlscertificate
        • Filters
        • Actions
      • awscc.lightsail_staticip
        • Filters
        • Actions
    • logs resources
      • awscc.logs_loggroup
        • Filters
        • Actions
      • awscc.logs_querydefinition
        • Filters
        • Actions
      • awscc.logs_resourcepolicy
        • Filters
        • Actions
    • lookoutequipment resources
      • awscc.lookoutequipment_inferencescheduler
        • Filters
        • Actions
    • lookoutmetrics resources
      • awscc.lookoutmetrics_anomalydetector
        • Filters
        • Actions
    • lookoutvision resources
      • awscc.lookoutvision_project
        • Filters
        • Actions
    • macie resources
      • awscc.macie_customdataidentifier
        • Filters
        • Actions
      • awscc.macie_findingsfilter
        • Filters
        • Actions
      • awscc.macie_session
        • Filters
        • Actions
    • mediaconnect resources
      • awscc.mediaconnect_flow
        • Filters
        • Actions
      • awscc.mediaconnect_flowentitlement
        • Filters
        • Actions
      • awscc.mediaconnect_flowoutput
        • Filters
        • Actions
      • awscc.mediaconnect_flowsource
        • Filters
        • Actions
      • awscc.mediaconnect_flowvpcinterface
        • Filters
        • Actions
    • mediapackage resources
      • awscc.mediapackage_channel
        • Filters
        • Actions
      • awscc.mediapackage_originendpoint
        • Filters
        • Actions
      • awscc.mediapackage_packaginggroup
        • Filters
        • Actions
    • memorydb resources
      • awscc.memorydb_acl
        • Filters
        • Actions
      • awscc.memorydb_cluster
        • Filters
        • Actions
      • awscc.memorydb_parametergroup
        • Filters
        • Actions
      • awscc.memorydb_subnetgroup
        • Filters
        • Actions
      • awscc.memorydb_user
        • Filters
        • Actions
    • mwaa resources
      • awscc.mwaa_environment
        • Filters
        • Actions
    • network-firewall resources
      • awscc.networkfirewall_firewall
        • Filters
        • Actions
      • awscc.networkfirewall_firewallpolicy
        • Filters
        • Actions
      • awscc.networkfirewall_loggingconfiguration
        • Filters
        • Actions
      • awscc.networkfirewall_rulegroup
        • Filters
        • Actions
    • networkmanager resources
      • awscc.networkmanager_device
        • Filters
        • Actions
      • awscc.networkmanager_globalnetwork
        • Filters
        • Actions
      • awscc.networkmanager_link
        • Filters
        • Actions
      • awscc.networkmanager_site
        • Filters
        • Actions
    • nimble resources
      • awscc.nimblestudio_launchprofile
        • Filters
        • Actions
      • awscc.nimblestudio_streamingimage
        • Filters
        • Actions
      • awscc.nimblestudio_studio
        • Filters
        • Actions
      • awscc.nimblestudio_studiocomponent
        • Filters
        • Actions
    • opsworkscm resources
      • awscc.opsworkscm_server
        • Filters
        • Actions
    • panorama resources
      • awscc.panorama_applicationinstance
        • Filters
        • Actions
      • awscc.panorama_package
        • Filters
        • Actions
      • awscc.panorama_packageversion
        • Filters
        • Actions
    • pinpoint resources
      • awscc.pinpoint_inapptemplate
        • Filters
        • Actions
    • qldb resources
      • awscc.qldb_stream
        • Filters
        • Actions
    • quicksight resources
      • awscc.quicksight_analysis
        • Filters
        • Actions
      • awscc.quicksight_dashboard
        • Filters
        • Actions
      • awscc.quicksight_dataset
        • Filters
        • Actions
      • awscc.quicksight_datasource
        • Filters
        • Actions
      • awscc.quicksight_template
        • Filters
        • Actions
      • awscc.quicksight_theme
        • Filters
        • Actions
    • rds resources
      • awscc.rds_dbproxy
        • Filters
        • Actions
      • awscc.rds_dbproxyendpoint
        • Filters
        • Actions
      • awscc.rds_dbproxytargetgroup
        • Filters
        • Actions
      • awscc.rds_globalcluster
        • Filters
        • Actions
    • redshift resources
      • awscc.redshift_cluster
        • Filters
        • Actions
      • awscc.redshift_endpointaccess
        • Filters
        • Actions
      • awscc.redshift_endpointauthorization
        • Filters
        • Actions
      • awscc.redshift_eventsubscription
        • Filters
        • Actions
      • awscc.redshift_scheduledaction
        • Filters
        • Actions
    • rekognition resources
      • awscc.rekognition_project
        • Filters
        • Actions
    • resiliencehub resources
      • awscc.resiliencehub_app
        • Filters
        • Actions
      • awscc.resiliencehub_resiliencypolicy
        • Filters
        • Actions
    • resource-groups resources
      • awscc.resourcegroups_group
        • Filters
        • Actions
    • robomaker resources
      • awscc.robomaker_fleet
        • Filters
        • Actions
      • awscc.robomaker_robot
        • Filters
        • Actions
      • awscc.robomaker_simulationapplication
        • Filters
        • Actions
    • route53 resources
      • awscc.route53_healthcheck
        • Filters
        • Actions
      • awscc.route53_hostedzone
        • Filters
        • Actions
      • awscc.route53_keysigningkey
        • Filters
        • Actions
    • route53-recovery-control-config resources
      • awscc.route53recoverycontrol_controlpanel
        • Filters
        • Actions
      • awscc.route53recoverycontrol_routingcontrol
        • Filters
        • Actions
      • awscc.route53recoverycontrol_safetyrule
        • Filters
        • Actions
    • route53-recovery-readiness resources
      • awscc.route53recoveryreadiness_cell
        • Filters
        • Actions
      • awscc.route53recoveryreadiness_readinesscheck
        • Filters
        • Actions
      • awscc.route53recoveryreadiness_recoverygroup
        • Filters
        • Actions
      • awscc.route53recoveryreadiness_resourceset
        • Filters
        • Actions
    • route53resolver resources
      • awscc.route53resolver_firewalldomainlist
        • Filters
        • Actions
      • awscc.route53resolver_firewallrulegroup
        • Filters
        • Actions
      • awscc.route53resolver_firewallrulegroupassociation
        • Filters
        • Actions
      • awscc.route53resolver_resolverrule
        • Filters
        • Actions
    • rum resources
      • awscc.rum_appmonitor
        • Filters
        • Actions
    • s3 resources
      • awscc.s3_accesspoint
        • Filters
        • Actions
      • awscc.s3_bucket
        • Filters
        • Actions
      • awscc.s3_multiregionaccesspoint
        • Filters
        • Actions
      • awscc.s3_multiregionaccesspointpolicy
        • Filters
        • Actions
      • awscc.s3_storagelens
        • Filters
        • Actions
    • s3control resources
      • awscc.s3objectlambda_accesspoint
        • Filters
        • Actions
      • awscc.s3objectlambda_accesspointpolicy
        • Filters
        • Actions
    • s3outposts resources
      • awscc.s3outposts_accesspoint
        • Filters
        • Actions
      • awscc.s3outposts_bucket
        • Filters
        • Actions
      • awscc.s3outposts_bucketpolicy
        • Filters
        • Actions
    • sagemaker resources
      • awscc.sagemaker_appimageconfig
        • Filters
        • Actions
      • awscc.sagemaker_device
        • Filters
        • Actions
      • awscc.sagemaker_devicefleet
        • Filters
        • Actions
      • awscc.sagemaker_domain
        • Filters
        • Actions
      • awscc.sagemaker_image
        • Filters
        • Actions
      • awscc.sagemaker_modelpackagegroup
        • Filters
        • Actions
      • awscc.sagemaker_monitoringschedule
        • Filters
        • Actions
      • awscc.sagemaker_pipeline
        • Filters
        • Actions
      • awscc.sagemaker_project
        • Filters
        • Actions
      • awscc.sagemaker_userprofile
        • Filters
        • Actions
    • schemas resources
      • awscc.eventschemas_registrypolicy
        • Filters
        • Actions
    • servicecatalog resources
      • awscc.servicecatalog_cloudformationprovisionedproduct
        • Filters
        • Actions
      • awscc.servicecatalog_serviceaction
        • Filters
        • Actions
    • servicecatalog-appregistry resources
      • awscc.servicecatalogappregistry_application
        • Filters
        • Actions
      • awscc.servicecatalogappregistry_attributegroup
        • Filters
        • Actions
    • ses resources
      • awscc.ses_contactlist
        • Filters
        • Actions
    • signer resources
      • awscc.signer_signingprofile
        • Filters
        • Actions
    • ssm resources
      • awscc.ssm_association
        • Filters
        • Actions
      • awscc.ssm_document
        • Filters
        • Actions
      • awscc.ssm_resourcedatasync
        • Filters
        • Actions
    • ssm-contacts resources
      • awscc.ssmcontacts_contact
        • Filters
        • Actions
      • awscc.ssmcontacts_contactchannel
        • Filters
        • Actions
    • ssm-incidents resources
      • awscc.ssmincidents_replicationset
        • Filters
        • Actions
      • awscc.ssmincidents_responseplan
        • Filters
        • Actions
    • sso resources
      • awscc.sso_instanceaccesscontrolattributeconfiguration
        • Filters
        • Actions
      • awscc.sso_permissionset
        • Filters
        • Actions
    • stepfunctions resources
      • awscc.stepfunctions_activity
        • Filters
        • Actions
      • awscc.stepfunctions_statemachine
        • Filters
        • Actions
    • synthetics resources
      • awscc.synthetics_canary
        • Filters
        • Actions
    • transfer resources
      • awscc.transfer_workflow
        • Filters
        • Actions
    • wafv2 resources
      • awscc.wafv2_ipset
        • Filters
        • Actions
      • awscc.wafv2_loggingconfiguration
        • Filters
        • Actions
      • awscc.wafv2_regexpatternset
        • Filters
        • Actions
      • awscc.wafv2_webaclassociation
        • Filters
        • Actions
    • xray resources
      • awscc.xray_group
        • Filters
        • Actions
      • awscc.xray_samplingrule
        • Filters
        • Actions

Kubernetes

  • Getting Started (Alpha)
    • Install Kubernetes Plugin
      • Option 1: Install released packages to local Python Environment
      • Option 2: Install latest from the repository
    • Connecting to your Cluster
    • Write Your First Policy
    • Run Your Policy
  • Kubernetes Controller Mode
    • Install the Server
  • Option 1: Manual installation
  • Option 2: Helm chart
    • Testing
    • Authoring Policies
  • Examples
    • Denying Pod Exec or Attach
    • Require Labels on Resources on Creation or Update
    • Require Replicas on Deployments
    • Restrict Service Account Usage

Tools

  • c7n-org: Multi Account Custodian Execution
    • Installation
      • Config File Generation
    • Running a Policy with c7n-org
    • Selecting accounts, regions, policies for execution
    • Defining and using variables
    • Other commands
    • Additional Azure Instructions
  • c7n-mailer: Custodian Mailer
    • Message Relay
    • Tutorial
      • Email:
      • DataDog:
      • Slack:
      • Splunk HTTP Event Collector (HEC)
      • Now run:
    • Usage & Configuration
      • Standard Lambda Function Config
      • Standard Azure Functions Config
      • Mailer Infrastructure Config
      • SMTP Config
        • DataDog Config
      • Slack Config
      • SendGrid Config
      • Splunk HEC Config
      • SDK Config
      • Secured String
        • AWS
        • Azure
        • GCP
    • Configuring a policy to send email
    • Using on Azure
      • Deploying Azure Functions
      • Configuring Function Identity
    • Using on GCP
      • Deploying GCP Functions
    • Writing an email template
    • Developer Install (OS X El Capitan)
    • Testing Templates and Recipients
      • Testing Templates for Azure
  • Custodian policies for Infrastructure Code
  • Install
  • Usage
  • Outputs
  • c7n-log-exporter: Cloud watch log exporter automation
    • Features
    • Assumptions
    • Cli usage
    • Config format
      • Using S3 Bucket as destination
      • Using CloudWatch Destination as destination cross account
    • Multiple accounts via cli
    • Serverless Usage
  • c7n-trailcreator: Retroactive Resource Creator Tagging
    • Install
    • Config File
    • Athena Usage
    • Tagging
    • Multi Account / Multi Region
  • c7n-policystream: Policy Changes from Git
    • Install
    • Build
    • Usage
    • Options
  • OmniSSM - EC2 Systems Manager Automation
    • Client Configuration
    • Links
    • Todo
  • c7n-guardian: Automated multi-account Guard Duty setup
    • Accounts Credentials
    • Using custodian policies for remediation
  • c7n-salactus: Distributed Scale out S3 processing
    • Use Cases
    • Usage
    • Sample Configuration

Contributing

  • Contributing to Cloud Custodian
    • Developer install
    • Issues
    • Code of Conduct
    • Contributor agreement
  • Developer Guide
  • Installing for Developers
    • Installing Prerequisites
      • Install Python 3
        • On Ubuntu
        • On macOS with Homebrew
        • On Windows
        • Other Installation Methods
      • Install Poetry
        • On Mac/Linux
        • On Windows with Powershell
    • Installing Custodian
  • Testing for Developers
    • Running tests
    • Operating System Compatibility
    • Writing Tests for Cloud Controlled Resources
      • Creating Cloud Resources with Terraform
      • Recording Custodian Interactions
      • Controlling Resource Cleanup
    • Converting older functional tests
  • Documentation For Developers
    • Find the Documentation
    • Edit the Documentation
    • Render the Documentation
  • Packaging Custodian
    • Usage
    • Caveats
Cloud Custodian
  • AWS Reference
  • iam resources
  • aws.iam-oidc-provider
Previous Next

aws.iam-oidc-provider¶

Filters¶

  • event

  • finding

  • ops-item

  • reduce

  • value

Actions¶

  • invoke-lambda

  • invoke-sfn

  • notify

  • post-finding

  • post-item

  • put-metric

  • webhook

Previous Next

© Copyright .

Built with Sphinx using a theme provided by Read the Docs.