c7n.policy module¶

class c7n.policy.ASGInstanceState(policy)[source]¶

Bases: c7n.policy.LambdaMode

a lambda policy that executes on an asg’s ec2 instance state changes.

schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'events': {'items': {'enum': ['launch-success', 'launch-failure', 'terminate-success', 'terminate-failure']}, 'type': 'array'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7', 'python3.8']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['asg-instance-state']}}, 'required': ['type'], 'type': 'object'}¶

type = 'asg-instance-state'¶

type_aliases = None¶

class c7n.policy.CloudTrailMode(policy)[source]¶

Bases: c7n.policy.LambdaMode

A lambda policy using cloudwatch events rules on cloudtrail api logs.

schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'events': {'items': {'oneOf': [{'type': 'string'}, {'type': 'object', 'required': ['event', 'source', 'ids'], 'properties': {'source': {'type': 'string'}, 'ids': {'type': 'string'}, 'event': {'type': 'string'}}}]}, 'type': 'array'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7', 'python3.8']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['cloudtrail']}}, 'required': ['type'], 'type': 'object'}¶

type = 'cloudtrail'¶

type_aliases = None¶

validate()[source]¶: Validate configuration settings for execution mode.

class c7n.policy.ConfigRuleMode(policy)[source]¶

Bases: c7n.policy.LambdaMode

a lambda policy that executes as a config service rule. http://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigRule.html

cfg_event = None¶

resolve_resources(event)[source]¶

run(event, lambda_context)[source]¶

Run policy in push mode against given event.

Lambda automatically generates cloud watch logs, and metrics for us, albeit with some deficienies, metrics no longer count against valid resources matches, but against execution.

If metrics execution option is enabled, custodian will generate metrics per normal.

schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7', 'python3.8']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['config-rule']}}, 'required': ['type'], 'type': 'object'}¶

type = 'config-rule'¶

type_aliases = None¶

validate()[source]¶: Validate configuration settings for execution mode.

class c7n.policy.EC2InstanceState(policy)[source]¶

Bases: c7n.policy.LambdaMode

A lambda policy that executes on ec2 instance state changes.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html

schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'events': {'items': {'enum': ['pending', 'running', 'shutting-down', 'stopped', 'stopping', 'terminated']}, 'type': 'array'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7', 'python3.8']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['ec2-instance-state']}}, 'required': ['type'], 'type': 'object'}¶

type = 'ec2-instance-state'¶

type_aliases = None¶

class c7n.policy.GuardDutyMode(policy)[source]¶

Bases: c7n.policy.LambdaMode

Incident Response for AWS Guard Duty.

This policy fires on guard duty events for the given resource type.

get_member_account_id(event)[source]¶

id_exprs = {'account': {'type': 'subexpression', 'children': [{'type': 'field', 'children': [], 'value': 'detail'}, {'type': 'field', 'children': [], 'value': 'accountId'}]}, 'ec2': {'type': 'subexpression', 'children': [{'type': 'field', 'children': [], 'value': 'detail'}, {'type': 'field', 'children': [], 'value': 'resource'}, {'type': 'field', 'children': [], 'value': 'instanceDetails'}, {'type': 'field', 'children': [], 'value': 'instanceId'}]}, 'iam-user': {'type': 'subexpression', 'children': [{'type': 'field', 'children': [], 'value': 'detail'}, {'type': 'field', 'children': [], 'value': 'resource'}, {'type': 'field', 'children': [], 'value': 'accessKeyDetails'}, {'type': 'field', 'children': [], 'value': 'userName'}]}}¶

provision()[source]¶: Provision any resources needed for the policy.

resolve_resources(event)[source]¶

schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7', 'python3.8']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['guard-duty']}}, 'required': ['type'], 'type': 'object'}¶

supported_resources = ('account', 'ec2', 'iam-user')¶

type = 'guard-duty'¶

type_aliases = None¶

validate()[source]¶: Validate configuration settings for execution mode.

class c7n.policy.LambdaMode(policy)[source]¶

Bases: c7n.policy.ServerlessExecutionMode

A policy that runs/executes in lambda.

POLICY_METRICS = ('ResourceCount',)¶

assume_member(event)[source]¶

get_logs(start, end)[source]¶: Retrieve logs for the policy

get_member_account_id(event)[source]¶

get_member_region(event)[source]¶

get_metrics(start, end, period)[source]¶: Retrieve any associated metrics for the policy.

provision()[source]¶: Provision any resources needed for the policy.

resolve_resources(event)[source]¶

run(event, lambda_context)[source]¶

Run policy in push mode against given event.

Lambda automatically generates cloud watch logs, and metrics for us, albeit with some deficienies, metrics no longer count against valid resources matches, but against execution.

If metrics execution option is enabled, custodian will generate metrics per normal.

run_resource_set(event, resources)[source]¶

schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7', 'python3.8']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}}, 'type': 'object'}¶

setup_exec_environment(event)[source]¶

validate()[source]¶: Validate configuration settings for execution mode.

class c7n.policy.PHDMode(policy)[source]¶

Bases: c7n.policy.LambdaMode

Personal Health Dashboard event based policy execution.

static process_event_arns(client, event_arns)[source]¶

resolve_resources(event)[source]¶

schema = {'additionalProperties': False, 'properties': {'categories': {'items': {'enum': ['issue', 'accountNotification', 'scheduledChange']}, 'type': 'array'}, 'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'events': {'items': {'type': 'string'}, 'type': 'array'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7', 'python3.8']}, 'security_groups': {'type': 'array'}, 'statuses': {'items': {'enum': ['open', 'upcoming', 'closed']}, 'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['phd']}}, 'required': ['type'], 'type': 'object'}¶

type = 'phd'¶

type_aliases = None¶

validate()[source]¶: Validate configuration settings for execution mode.

class c7n.policy.PeriodicMode(policy)[source]¶

Bases: c7n.policy.LambdaMode, c7n.policy.PullMode

A policy that runs in pull mode within lambda.

POLICY_METRICS = ('ResourceCount', 'ResourceTime', 'ActionTime')¶

run(event, lambda_context)[source]¶

Run policy in push mode against given event.

Lambda automatically generates cloud watch logs, and metrics for us, albeit with some deficienies, metrics no longer count against valid resources matches, but against execution.

If metrics execution option is enabled, custodian will generate metrics per normal.

schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7', 'python3.8']}, 'schedule': {'type': 'string'}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['periodic']}}, 'required': ['type'], 'type': 'object'}¶

type = 'periodic'¶

type_aliases = None¶

class c7n.policy.Policy(data, options, session_factory=None)[source]¶

Bases: object

_write_file(rel_path, value)[source]¶

end¶

execution_mode¶

expand_variables(variables)[source]¶

Expand variables in policy data.

Updates the policy data in-place.

get_cache()[source]¶

get_execution_mode()[source]¶

get_logs(start, end)[source]¶

get_metrics(start, end, period)[source]¶

get_permissions()[source]¶: get permissions needed by this policy

get_variables(variables=None)[source]¶

Get runtime variables for policy interpolation.

Runtime variables are merged with the passed in variables if any.

is_lambda¶

load_resource_manager()[source]¶

log = <Logger custodian.policy (DEBUG)>¶

max_resources¶

max_resources_percent¶

name¶

poll()[source]¶: Query resources and apply policy.

provider_name¶

provision()[source]¶: Provision policy as a lambda function.

push(event, lambda_ctx)[source]¶

region¶

resource_type¶

run()¶: Run policy in default mode

start¶

tags¶

tz¶

validate()[source]¶

validate_policy_start_stop()[source]¶

class c7n.policy.PolicyCollection(policies, options)[source]¶

Bases: object

_filter_by_pattern(policies, pattern)[source]¶: Takes a list of policies and returns only those matching the given glob pattern

_filter_by_patterns(policies, patterns)[source]¶: Takes a list of policies and returns only those matching the given glob patterns

_filter_by_resource_type(policies, resource_type)[source]¶: Takes a list policies and returns only those matching the given resource type

_filter_by_resource_types(policies, resource_types)[source]¶: Takes a list of policies and returns only those matching the given resource types

filter(policy_patterns=[], resource_types=[])[source]¶

classmethod from_data(data, options)[source]¶

log = <Logger c7n.policies (DEBUG)>¶

resource_types¶: resource types used by the collection.

classmethod session_factory()[source]¶

class c7n.policy.PolicyExecutionMode(policy)[source]¶

Bases: object

Policy execution semantics

POLICY_METRICS = ('ResourceCount', 'ResourceTime', 'ActionTime')¶

get_logs(start, end)[source]¶: Retrieve logs for the policy

get_metrics(start, end, period)[source]¶: Retrieve any associated metrics for the policy.

provision()[source]¶: Provision any resources needed for the policy.

run(event=None, lambda_context=None)[source]¶: Run the actual policy.

validate()[source]¶: Validate configuration settings for execution mode.

class c7n.policy.PullMode(policy)[source]¶

Bases: c7n.policy.PolicyExecutionMode

Pull mode execution of a policy.

Queries resources from cloud provider for filtering and actions.

get_logs(start, end)[source]¶: Retrieve logs for the policy

is_runnable()[source]¶

run(*args, **kw)[source]¶: Run the actual policy.

schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['pull']}}, 'required': ['type'], 'type': 'object'}¶

type = 'pull'¶

type_aliases = None¶

class c7n.policy.ServerlessExecutionMode(policy)[source]¶

Bases: c7n.policy.PolicyExecutionMode

get_logs(start, end)[source]¶: Retrieve logs for the policy

provision()[source]¶: Provision any resources needed for the policy.

run(event=None, lambda_context=None)[source]¶: Run the actual policy.

c7n.policy.get_session_factory(provider_name, options)[source]¶

c7n.policy.load(options, path, format=None, validate=True, vars=None)[source]¶