Cloud Custodian

Introduction

  • Getting Started
    • Install Cloud Custodian
      • Linux and Mac OS
      • Windows (CMD/PowerShell)
      • Docker
    • Explore Cloud Custodian
    • Cloud Provider Specific Help
      • Troubleshooting & Tinkering
    • Monitor resources
    • Editor Integration
    • Tab Completion
    • Community Resources
      • Troubleshooting
  • Generic Filters
    • Value Filter
    • Event Filter
    • Reduce Filter
      • Grouping resources
      • Sorting resources
      • Selecting resources
      • Combining resource groups
      • Attributes
      • Examples
  • Generic Actions
    • Webhook Action
  • Advanced Usage
    • Running against multiple regions
    • Reporting against multiple regions
    • Conditional Policy Execution
    • Limiting how many resources custodian affects
    • Adding custom fields to reports
  • Example tag compliance policy
  • Deployment
    • Compliance as Code
    • Continuous Integration of Policies
    • IAM Setup
    • Single Node Deployment
    • Monitoring Cloud Custodian
    • Mailer and Notifications Deployment
    • Multi Account Execution
    • Advanced Continuous Integration Tips
    • Additional Resources

AWS

  • Getting Started
    • Write your first policy
    • Run your policy
    • A 2nd Example Policy
    • Monitor AWS
      • Troubleshooting & Tinkering
  • Example Policies
    • Account - Login From Invalid IP Address
    • Account - Detect Root Logins
    • Account - Service Limit
    • AMI - Stop EC2 using Unapproved AMIs
    • AutoScaling Group - Verify ASGs have valid configurations
    • AMI - ASG Garbage Collector
    • ASG - Offhours Support
    • Block New Resources In Non-Standard Regions
    • DMS - DB Migration Service Endpoint - Enforce SSL
    • EBS - Garbage Collect Unattached Volumes
    • EBS - Create and Manage Snapshots
    • EBS - Delete Unencrypted
    • EC2 - auto-tag aws userName on resources
    • EC2 - Modify Instance Metadata Options
      • Examples:
    • EC2 - Offhours Support
    • EC2 - Old Instance Report
    • EC2 - Power On For Scheduled Patching
    • EC2 - Terminate Unpatchable Instances
    • EIP - Garbage Collect Unattached Elastic IPs
    • ELB - Delete New Internet-Facing ELBs
    • ELB - Delete Unused Elastic Load Balancers
    • ELB - SSL Blacklist
    • ELB - SSL Whitelist
    • IAM - Manage Whether A Specific IAM Policy is Attached to Roles
    • Lambda - Notify On Lambda Errors
    • Example offhours policy
      • Resource Scheduling Offhours
      • Features
      • Policy Configuration
      • Tag Based Configuration
        • ScheduleParser Time Specifications
      • Policy examples
      • Resume During Offhours
      • ElasticBeanstalk, EFS and Other Services with Tag Value Restrictions
      • Public Holidays
    • RDS - Delete Unused Databases With No Connections
    • RDS - Terminate Unencrypted Public Instances
    • S3 - Configure New Buckets Settings and Standards
    • S3 - Block Public S3 Object ACLs
    • S3 - Encryption
      • Enable Bucket Encryption
      • Remediate Existing
        • Options
      • Remediate Incoming
        • Options
      • Bucket Policy
    • S3 - Global Grants
    • S3 - Add lifecycle policy on bucket delete
    • SageMaker Notebook - Delete Public or Unencrypted
    • Security Groups - add permission
    • Security Groups - Detect and Remediate Violations
    • Tag Compliance Across Resources (EC2, ASG, ELB, S3, etc)
    • VPC - Flow Log Configuration Check
    • VPC - Notify On Invalid External Peering Connections
  • Monitoring your environment
    • Metrics
    • CloudWatch Logs
    • S3 Logs & Records
    • Reports
  • Lambda Support
    • CloudWatch Events
      • Cloud Custodian Integration
        • CloudTrail API Calls
        • EC2 Instance State Events
        • Periodic Function
        • Event Pattern Filtering
    • Config Rules
    • Lambda Configuration
    • Execution Options
  • AWS Topics
    • AWS Config
      • Config Source
      • Config Rule
      • Filter
      • Config Poll Rule
    • Security Hub
      • Getting Started
      • Modes
    • AWS Systems Manager
      • EC2 Systems Manager
      • Ops Center
      • OmniSSM
    • AWS X-Ray Support
  • Developer Guide
  • Adding New AWS Resources
    • Create New AWS Resource
      • TypeInfo
    • Load New AWS Resource
    • Add New Filter
    • Add New Action
    • Testing
  • AWS Reference
    • AWS Execution Modes
      • pull
      • asg-instance-state
      • cloudtrail
      • config-poll-rule
      • config-rule
      • ec2-instance-state
      • guard-duty
      • hub-finding
      • hub-finding
      • periodic
      • phd
      • pull
    • AWS Common Actions
      • auto-tag-user
      • copy-related-tag
      • invoke-lambda
      • invoke-sfn
      • mark-for-op
      • modify-ecr-policy
      • modify-policy
      • modify-security-groups
      • normalize-tag
      • notify
      • post-finding
      • post-item
      • put-metric
      • remove-tag
      • rename-tag
      • tag
      • tag-trim
      • webhook
    • AWS Common Filters
      • alarm
      • api-cache
      • check-permissions
      • client-properties
      • config-compliance
      • connection-aliases
      • domain-options
      • engine
      • event
      • finding
      • health-event
      • iam-analyzer
      • image
      • instance-attribute
      • list-item
      • logging
      • login-profile
      • marked-for-op
      • metrics
      • network-location
      • offhour
      • onhour
      • ops-item
      • ownership
      • reduce
      • security-group
      • ses-agg-send-stats
      • shield-metrics
      • subnet
      • subscription-filter
      • tag-count
      • usage
      • usage-metric
      • value
      • vpc
    • account resources
      • aws.account
        • Filters
        • Actions
    • acm resources
      • aws.acm-certificate
        • Filters
        • Actions
    • apigateway resources
      • aws.apigw-domain-name
        • Filters
        • Actions
      • aws.rest-account
        • Filters
        • Actions
      • aws.rest-api
        • Filters
        • Actions
      • aws.rest-client-certificate
        • Filters
        • Actions
      • aws.rest-resource
        • Filters
        • Actions
      • aws.rest-stage
        • Filters
        • Actions
      • aws.rest-vpclink
        • Filters
        • Actions
    • apigatewayv2 resources
      • aws.apigwv2
        • Filters
        • Actions
    • appflow resources
      • aws.app-flow
        • Filters
        • Actions
    • appsync resources
      • aws.graphql-api
        • Filters
        • Actions
    • autoscaling resources
      • aws.asg
        • Filters
        • Actions
      • aws.launch-config
        • Filters
        • Actions
      • aws.scaling-policy
        • Filters
        • Actions
    • backup resources
      • aws.backup-plan
        • Filters
        • Actions
      • aws.backup-vault
        • Filters
        • Actions
    • batch resources
      • aws.batch-compute
        • Filters
        • Actions
      • aws.batch-definition
        • Filters
        • Actions
      • aws.batch-queue
        • Filters
        • Actions
    • clouddirectory resources
      • aws.cloud-directory
        • Filters
        • Actions
    • cloudformation resources
      • aws.cfn
        • Filters
        • Actions
    • cloudfront resources
      • aws.distribution
        • Filters
        • Actions
      • aws.streaming-distribution
        • Filters
        • Actions
    • cloudhsm resources
      • aws.hsm
        • Filters
        • Actions
      • aws.hsm-client
        • Filters
        • Actions
      • aws.hsm-hapg
        • Filters
        • Actions
    • cloudhsmv2 resources
      • aws.cloudhsm-cluster
        • Filters
        • Actions
    • cloudsearch resources
      • aws.cloudsearch
        • Filters
        • Actions
    • cloudtrail resources
      • aws.cloudtrail
        • Filters
        • Actions
    • cloudwatch resources
      • aws.alarm
        • Filters
        • Actions
      • aws.composite-alarm
        • Filters
        • Actions
      • aws.insight-rule
        • Filters
        • Actions
    • codeartifact resources
      • aws.artifact-domain
        • Filters
        • Actions
      • aws.artifact-repo
        • Filters
        • Actions
    • codebuild resources
      • aws.codebuild
        • Filters
        • Actions
    • codecommit resources
      • aws.codecommit
        • Filters
        • Actions
    • codedeploy resources
      • aws.codedeploy-app
        • Filters
        • Actions
      • aws.codedeploy-deployment
        • Filters
        • Actions
      • aws.codedeploy-group
        • Filters
        • Actions
    • codepipeline resources
      • aws.codepipeline
        • Filters
        • Actions
    • cognito-identity resources
      • aws.identity-pool
        • Filters
        • Actions
    • cognito-idp resources
      • aws.user-pool
        • Filters
        • Actions
    • config resources
      • aws.config-recorder
        • Filters
        • Actions
      • aws.config-rule
        • Filters
        • Actions
    • connect resources
      • aws.connect-instance
        • Filters
        • Actions
    • datapipeline resources
      • aws.datapipeline
        • Filters
        • Actions
    • dax resources
      • aws.dax
        • Filters
        • Actions
    • directconnect resources
      • aws.directconnect
        • Filters
        • Actions
    • dlm resources
      • aws.dlm-policy
        • Filters
        • Actions
    • dms resources
      • aws.dms-endpoint
        • Filters
        • Actions
      • aws.dms-instance
        • Filters
        • Actions
    • ds resources
      • aws.directory
        • Filters
        • Actions
    • dynamodb resources
      • aws.dynamodb-backup
        • Filters
        • Actions
      • aws.dynamodb-table
        • Filters
        • Actions
    • dynamodbstreams resources
      • aws.dynamodb-stream
        • Filters
        • Actions
    • ec2 resources
      • aws.ami
        • Filters
        • Actions
      • aws.customer-gateway
        • Filters
        • Actions
      • aws.ebs
        • Filters
        • Actions
      • aws.ebs-snapshot
        • Filters
        • Actions
      • aws.ec2
        • Filters
        • Actions
      • aws.ec2-host
        • Filters
        • Actions
      • aws.ec2-reserved
        • Filters
        • Actions
      • aws.ec2-spot-fleet-request
        • Filters
        • Actions
      • aws.elastic-ip
        • Filters
        • Actions
      • aws.eni
        • Filters
        • Actions
      • aws.internet-gateway
        • Filters
        • Actions
      • aws.key-pair
        • Filters
        • Actions
      • aws.launch-template-version
        • Filters
        • Actions
      • aws.mirror-session
        • Filters
        • Actions
      • aws.mirror-target
        • Filters
        • Actions
      • aws.nat-gateway
        • Filters
        • Actions
      • aws.network-acl
        • Filters
        • Actions
      • aws.peering-connection
        • Filters
        • Actions
      • aws.prefix-list
        • Filters
        • Actions
      • aws.route-table
        • Filters
        • Actions
      • aws.security-group
        • Filters
        • Actions
      • aws.subnet
        • Filters
        • Actions
      • aws.transit-attachment
        • Filters
        • Actions
      • aws.transit-gateway
        • Filters
        • Actions
      • aws.vpc
        • Filters
        • Actions
      • aws.vpc-endpoint
        • Filters
        • Actions
      • aws.vpn-connection
        • Filters
        • Actions
      • aws.vpn-gateway
        • Filters
        • Actions
    • ecr resources
      • aws.ecr
        • Filters
        • Actions
      • aws.ecr-image
        • Filters
        • Actions
    • ecs resources
      • aws.ecs
        • Filters
        • Actions
      • aws.ecs-container-instance
        • Filters
        • Actions
      • aws.ecs-service
        • Filters
        • Actions
      • aws.ecs-task
        • Filters
        • Actions
      • aws.ecs-task-definition
        • Filters
        • Actions
    • efs resources
      • aws.efs
        • Filters
        • Actions
      • aws.efs-mount-target
        • Filters
        • Actions
    • eks resources
      • aws.eks
        • Filters
        • Actions
      • aws.eks-nodegroup
        • Filters
        • Actions
    • elasticache resources
      • aws.cache-cluster
        • Filters
        • Actions
      • aws.cache-snapshot
        • Filters
        • Actions
      • aws.cache-subnet-group
        • Filters
        • Actions
      • aws.elasticache-group
        • Filters
        • Actions
    • elasticbeanstalk resources
      • aws.elasticbeanstalk
        • Filters
        • Actions
      • aws.elasticbeanstalk-environment
        • Filters
        • Actions
    • elb resources
      • aws.elb
        • Filters
        • Actions
    • elbv2 resources
      • aws.app-elb
        • Filters
        • Actions
      • aws.app-elb-target-group
        • Filters
        • Actions
    • emr resources
      • aws.emr
        • Filters
        • Actions
      • aws.emr-security-configuration
        • Filters
        • Actions
    • emr-serverless resources
      • aws.emr-serverless-app
        • Filters
        • Actions
    • es resources
      • aws.elasticsearch
        • Filters
        • Actions
      • aws.elasticsearch-reserved
        • Filters
        • Actions
    • events resources
      • aws.event-bus
        • Filters
        • Actions
      • aws.event-rule
        • Filters
        • Actions
      • aws.event-rule-target
        • Filters
        • Actions
    • firehose resources
      • aws.firehose
        • Filters
        • Actions
    • fis resources
      • aws.fis-template
        • Filters
        • Actions
    • fsx resources
      • aws.fsx
        • Filters
        • Actions
      • aws.fsx-backup
        • Filters
        • Actions
    • gamelift resources
      • aws.gamelift-build
        • Filters
        • Actions
      • aws.gamelift-fleet
        • Filters
        • Actions
    • glacier resources
      • aws.glacier
        • Filters
        • Actions
    • glue resources
      • aws.glue-catalog
        • Filters
        • Actions
      • aws.glue-classifier
        • Filters
        • Actions
      • aws.glue-connection
        • Filters
        • Actions
      • aws.glue-crawler
        • Filters
        • Actions
      • aws.glue-database
        • Filters
        • Actions
      • aws.glue-dev-endpoint
        • Filters
        • Actions
      • aws.glue-job
        • Filters
        • Actions
      • aws.glue-ml-transform
        • Filters
        • Actions
      • aws.glue-security-configuration
        • Filters
        • Actions
      • aws.glue-table
        • Filters
        • Actions
      • aws.glue-trigger
        • Filters
        • Actions
      • aws.glue-workflow
        • Filters
        • Actions
    • health resources
      • aws.health-event
        • Filters
        • Actions
    • iam resources
      • aws.iam-certificate
        • Filters
        • Actions
      • aws.iam-group
        • Filters
        • Actions
      • aws.iam-oidc-provider
        • Filters
        • Actions
      • aws.iam-policy
        • Filters
        • Actions
      • aws.iam-profile
        • Filters
        • Actions
      • aws.iam-role
        • Filters
        • Actions
      • aws.iam-saml-provider
        • Filters
        • Actions
      • aws.iam-user
        • Filters
        • Actions
    • iot resources
      • aws.iot
        • Filters
        • Actions
    • kafka resources
      • aws.kafka
        • Filters
        • Actions
    • kinesis resources
      • aws.kinesis
        • Filters
        • Actions
    • kinesisanalytics resources
      • aws.kinesis-analytics
        • Filters
        • Actions
    • kinesisanalyticsv2 resources
      • aws.kinesis-analyticsv2
        • Filters
        • Actions
    • kinesisvideo resources
      • aws.kinesis-video
        • Filters
        • Actions
    • kms resources
      • aws.kms
        • Filters
        • Actions
      • aws.kms-key
        • Filters
        • Actions
    • lakeformation resources
      • aws.datalake-location
        • Filters
        • Actions
    • lambda resources
      • aws.lambda
        • Filters
        • Actions
      • aws.lambda-layer
        • Filters
        • Actions
    • lightsail resources
      • aws.lightsail-db
        • Filters
        • Actions
      • aws.lightsail-elb
        • Filters
        • Actions
      • aws.lightsail-instance
        • Filters
        • Actions
    • logs resources
      • aws.log-group
        • Filters
        • Actions
      • aws.log-metric
        • Filters
        • Actions
    • machinelearning resources
      • aws.ml-model
        • Filters
        • Actions
    • mq resources
      • aws.message-broker
        • Filters
        • Actions
      • aws.message-config
        • Filters
        • Actions
    • mwaa resources
      • aws.airflow
        • Filters
        • Actions
    • network-firewall resources
      • aws.firewall
        • Filters
        • Actions
    • opsworks resources
      • aws.opswork-stack
        • Filters
        • Actions
    • opsworkscm resources
      • aws.opswork-cm
        • Filters
        • Actions
    • qldb resources
      • aws.qldb
        • Filters
        • Actions
    • rds resources
      • aws.rds
        • Filters
        • Actions
      • aws.rds-cluster
        • Filters
        • Actions
      • aws.rds-cluster-param-group
        • Filters
        • Actions
      • aws.rds-cluster-snapshot
        • Filters
        • Actions
      • aws.rds-param-group
        • Filters
        • Actions
      • aws.rds-proxy
        • Filters
        • Actions
      • aws.rds-reserved
        • Filters
        • Actions
      • aws.rds-snapshot
        • Filters
        • Actions
      • aws.rds-subnet-group
        • Filters
        • Actions
      • aws.rds-subscription
        • Filters
        • Actions
    • redshift resources
      • aws.redshift
        • Filters
        • Actions
      • aws.redshift-reserved
        • Filters
        • Actions
      • aws.redshift-snapshot
        • Filters
        • Actions
      • aws.redshift-subnet-group
        • Filters
        • Actions
    • route53 resources
      • aws.healthcheck
        • Filters
        • Actions
      • aws.hostedzone
        • Filters
        • Actions
      • aws.rrset
        • Filters
        • Actions
    • route53-recovery-control-config resources
      • aws.recovery-cluster
        • Filters
        • Actions
      • aws.recovery-control-panel
        • Filters
        • Actions
    • route53-recovery-readiness resources
      • aws.readiness-check
        • Filters
        • Actions
    • route53domains resources
      • aws.r53domain
        • Filters
        • Actions
    • route53resolver resources
      • aws.resolver-logs
        • Filters
        • Actions
    • s3 resources
      • aws.s3
        • Filters
        • Actions
    • s3control resources
      • aws.s3-access-point
        • Filters
        • Actions
      • aws.s3-access-point-multi
        • Filters
        • Actions
    • sagemaker resources
      • aws.sagemaker-endpoint
        • Filters
        • Actions
      • aws.sagemaker-endpoint-config
        • Filters
        • Actions
      • aws.sagemaker-job
        • Filters
        • Actions
      • aws.sagemaker-model
        • Filters
        • Actions
      • aws.sagemaker-notebook
        • Filters
        • Actions
      • aws.sagemaker-transform-job
        • Filters
        • Actions
    • sdb resources
      • aws.simpledb
        • Filters
        • Actions
    • secretsmanager resources
      • aws.secrets-manager
        • Filters
        • Actions
    • serverlessrepo resources
      • aws.serverless-app
        • Filters
        • Actions
    • service-quotas resources
      • aws.service-quota
        • Filters
        • Actions
      • aws.service-quota-request
        • Filters
        • Actions
    • servicecatalog resources
      • aws.catalog-portfolio
        • Filters
        • Actions
      • aws.catalog-product
        • Filters
        • Actions
    • shield resources
      • aws.shield-attack
        • Filters
        • Actions
      • aws.shield-protection
        • Filters
        • Actions
    • snowball resources
      • aws.snowball
        • Filters
        • Actions
      • aws.snowball-cluster
        • Filters
        • Actions
    • sns resources
      • aws.sns
        • Filters
        • Actions
      • aws.sns-subscription
        • Filters
        • Actions
    • sqs resources
      • aws.sqs
        • Filters
        • Actions
    • ssm resources
      • aws.ops-item
        • Filters
        • Actions
      • aws.ssm-activation
        • Filters
        • Actions
      • aws.ssm-data-sync
        • Filters
        • Actions
      • aws.ssm-document
        • Filters
        • Actions
      • aws.ssm-managed-instance
        • Filters
        • Actions
      • aws.ssm-parameter
        • Filters
        • Actions
    • stepfunctions resources
      • aws.step-machine
        • Filters
        • Actions
    • storagegateway resources
      • aws.storage-gateway
        • Filters
        • Actions
    • support resources
      • aws.support-case
        • Filters
        • Actions
    • swf resources
      • aws.swf-domain
        • Filters
        • Actions
    • timestream-write resources
      • aws.timestream-database
        • Filters
        • Actions
      • aws.timestream-table
        • Filters
        • Actions
    • transfer resources
      • aws.transfer-server
        • Filters
        • Actions
      • aws.transfer-user
        • Filters
        • Actions
    • waf resources
      • aws.waf
        • Filters
        • Actions
    • waf-regional resources
      • aws.waf-regional
        • Filters
        • Actions
    • wafv2 resources
      • aws.wafv2
        • Filters
        • Actions
    • workspaces resources
      • aws.workspaces
        • Filters
        • Actions
      • aws.workspaces-directory
        • Filters
        • Actions
      • aws.workspaces-image
        • Filters
        • Actions

Azure

  • Getting Started
    • Write your first policy
    • Run your policy
      • (Optional) Run your policy with Azure Monitoring
    • View policy results
      • Custodian Report
    • Next Steps
  • Configuring Azure Policies
    • Authentication & Access
      • Azure CLI
      • Service Principal
        • Azure Portal
        • Azure CLI
        • c7n-org
      • Access Token
      • Managed Service Identity
      • Azure Key Vault Integration
      • Azure Storage access
      • Azure Cloud Offerings
    • Logging, Metrics and Output
      • Writing Custodian Logs to Azure App Insights
      • Writing Custodian Metrics to Azure App Insights
      • Writing Custodian Output to Azure Blob Storage
      • Authentication to Storage
    • Hosting Options
      • Azure Functions Hosting
        • Overview
        • Azure Modes
        • Provision Options
        • Authentication Options
        • Execution Options
        • Event Grid Functions
        • Management Groups Support
      • Azure Container Hosting
        • Overview
        • Supported Policy Modes
        • Configuration
        • Running Locally
        • Deployment Options
      • Tutorial - ACI Deployment
        • 1. Create a Resource Group
        • 2. Create a Storage Account
        • 3. Create a Managed Identity
        • 4. Create an Application Insights Instance
        • 5. Create the ACI Container Host
        • 6. Upload a Custodian Policy
      • Tutorial - Helm Deployment
        • 1. Create a Resource Group
        • 2. Create a Storage Account
        • 3. Create a Service Principal
        • 4. Create an Application Insights Instance
        • 5. Create an AKS Cluster and Install Tiller
        • 6. Deploy the Helm Chart
        • 7. Upload a Custodian Policy
  • Examples
    • General
      • Monitor - Filter resources by metrics from Azure Monitor
      • Resource Groups - Delayed operations
      • Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
      • Resource Groups - Remove empty Resource Groups
      • Tags - Add tag to Virtual Machines
      • Tags - Automatically tag the creator of a resource or resource group
      • Tags - Remove tag From Virtual Machines
      • Tags - Trim tags From Virtual Machines
      • Resource Group - Generate a Teams Message on Create
    • Compute
      • App Services - Filter By CORS Configuration
      • App Service - Resize All Application Service Plans
      • Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
      • Tags - Add tag to Virtual Machines
      • Tags - Remove tag From Virtual Machines
      • Tags - Trim tags From Virtual Machines
      • Virtual Machines - Find Stopped Virtual Machines
      • Virtual Machines - Find Virtual Machines with public IP address
    • Storage and Databases
      • Cosmos DB Collections - Resize Throughput with On/Off Hours
      • SQL - Find databases with specific retention options
      • SQL - Update SQL Database retention policies
      • SQL - Find all SQL Databases with Premium SKU
      • Storage - Add storage firewall rules
      • Storage - Block public access
      • Storage - Monitor newly created Containers for public access
    • Identity
      • Tags - Automatically tag the creator of a resource or resource group
    • Networking
      • Firewall - Update CosmosDB Rules
      • Firewall - Filter Storage Accounts By Rules
      • Load Balancer - Filter load balancer by front end public ip
      • Network Security Groups - Deny access to Network Security Group
      • Resource Groups - Delete or report on orphan resources (NICs, Disks, Public IPs)
      • Routes - Find route tables with a specific subnet
      • Storage - Add storage firewall rules
      • Storage - Block public access
      • Virtual Machines - Find Virtual Machines with public IP address
    • Notifications
      • Email - Use Azure Logic Apps to notify users of policy violations
        • Create and configure Azure Logic App
        • Author Cloud Custodian policy
        • Test the policy
      • Email - Send Users an Email
      • Resource Group - Generate a Teams Message on Create
  • Advanced Usage
    • Running against multiple subscriptions
    • Azure Policy Comparison
      • Examples
    • Developer Guide
      • Adding New Azure Resources
        • Install Azure Dependencies
        • Create New Azure Resource
        • Load New Azure Resource
      • Testing
        • Test framework
        • ARM templates
        • Cassettes
        • Running tests
  • Azure Reference
    • Azure Execution Modes
      • pull
      • azure-event-grid
      • azure-periodic
      • container-event
      • container-periodic
    • Azure Common Actions
      • auto-tag-date
      • auto-tag-user
      • delete
      • lock
      • logic-app
      • mark-for-op
      • notify
      • tag
      • tag-trim
      • untag
      • webhook
    • Azure Common Filters
      • authentication
      • azure-ad-administrators
      • blob-services
      • configuration
      • configuration-parameter
      • cost
      • diagnostic-settings
      • effective-route-table
      • event
      • firewall-rules
      • instance-view
      • list-item
      • marked-for-op
      • metric
      • offer
      • offhour
      • onhour
      • parent
      • policy-compliant
      • reduce
      • resource-lock
      • server-parameter
      • storage-diagnostic-settings
      • value
      • vm-extensions
      • vulnerability-assessment
    • AI + Machine Learning resources
      • azure.cognitiveservice
        • Filters
        • Actions
      • azure.databricks
        • Filters
        • Actions
      • azure.search
        • Filters
        • Actions
    • Active Directory resources
      • azure.roleassignment
        • Filters
        • Actions
      • azure.roledefinition
        • Filters
        • Actions
    • Alerts Management resources
      • azure.alert-logs
        • Filters
        • Actions
    • Analytics resources
      • azure.datafactory
        • Filters
        • Actions
      • azure.hdinsight
        • Filters
        • Actions
    • Compute resources
      • azure.aks
        • Filters
        • Actions
      • azure.appserviceplan
        • Filters
        • Actions
      • azure.batch
        • Filters
        • Actions
      • azure.image
        • Filters
        • Actions
      • azure.logic-app-workflow
        • Filters
        • Actions
      • azure.service-fabric-cluster
        • Filters
        • Actions
      • azure.service-fabric-cluster-managed
        • Filters
        • Actions
      • azure.vm
        • Filters
        • Actions
      • azure.vmss
        • Filters
        • Actions
      • azure.webapp
        • Filters
        • Actions
    • Containers resources
      • azure.aks
        • Filters
        • Actions
      • azure.container-group
        • Filters
        • Actions
      • azure.container-registry
        • Filters
        • Actions
      • azure.containerservice
        • Filters
        • Actions
    • Cost resources
      • azure.cost-management-export
        • Filters
        • Actions
    • Databases resources
      • azure.cosmosdb
        • Filters
        • Actions
      • azure.cosmosdb-collection
        • Filters
        • Actions
      • azure.cosmosdb-database
        • Filters
        • Actions
      • azure.mysql
        • Filters
        • Actions
      • azure.mysql-flexibleserver
        • Filters
        • Actions

Tencent Cloud Reference

Reference information about provider resources and their actions and filters. See the Generic Filters reference for filters that can be applied to all resources.

  • Tencent Cloud Execution Modes
  • Tencent Cloud Common Actions
  • Tencent Cloud Common Filters
  • cam resources
    • tencentcloud.cam-policy
    • tencentcloud.cam-user
  • cbs resources
    • tencentcloud.cbs
    • tencentcloud.cbs-snapshot
  • cdb resources
    • tencentcloud.mysql
    • tencentcloud.mysql-backup
  • clb resources
    • tencentcloud.clb
  • cls resources
    • tencentcloud.cls
  • cos resources
    • tencentcloud.cos
  • cvm resources
    • tencentcloud.ami
    • tencentcloud.cvm
  • es resources
    • tencentcloud.elasticsearch
  • tcr resources
    • tencentcloud.tcr
  • vpc resources
    • tencentcloud.nat-gateway
    • tencentcloud.security-group
    • tencentcloud.vpc