@jtroberts83
Last active August 21, 2020 12:47
Cloud Custodian IAM User Tag Enforcement Example
policies:
  ###################################################
  ### First tag the creator of the IAM user      ###
  ###################################################
  - name: iam-auto-tag-user
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: cloudtrail
      events:
        - source: iam.amazonaws.com
          event: "CreateUser"
          ids: "responseElements.user.userName"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "###############"
        Division: ourdiv
        Environment: prd
    description: |
      Tags the creator of new IAM users into the CreatorName tag
    filters:
      - "tag:CreatorName": absent
    actions:
      - type: auto-tag-user
        tag: CreatorName
  #######################################################################################################################
  ##### Now start the tag enforcement process, which gives the customer a 2 hour window to tag their resources properly
  #####
  ##### The csv files referenced by the policies are just in the format of:
  #####
  ##### "Value1","Value2","Value3","Value4"
  #####
  ##### All values on 1 line and saved as UTF8 encoding
  #######################################################################################################################
  - name: iam-user-tag-compliance-mark-step1
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: cloudtrail
      events:
        - source: "iam.amazonaws.com"
          event: CreateUser
          ids: "requestParameters.userName"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      Triggered on the creation of a new IAM User, this policy will verify that proper tags
      and values have been applied to the new user and if any of the tags are missing or incorrect
      then they get tagged for deletion in 2 hours and the customer is emailed.
    filters:
      - or:
          - "tag:ResourceContact": absent
          - not:
              - type: value
                key: "tag:ResourceContact"
                op: regex
                value: (^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)
          - type: value
            key: "tag:ResourceContact"
            op: in
            value_from:
              url: s3://mybucket/InvalidEmails.csv
              format: csv2dict
          - "tag:BillingCostCenter": absent
          - type: value
            key: "tag:BillingCostCenter"
            op: not-in
            value_from:
              url: s3://mybucket/ValidCostCenters.csv
              format: csv2dict
          - "tag:Environment": absent
          - type: value
            key: "tag:Environment"
            op: not-in
            value:
              - tst
              - dev
              - mdl
              - acc
              - prd
              - eat
          - "tag:ResourcePurpose": absent
          - not:
              - type: value
                key: "tag:ResourcePurpose"
                op: regex
                value: ^.{3,}$
          - "tag:Division": absent
          - type: value
            key: "tag:Division"
            op: not-in
            value_from:
              url: s3://mybucket/ValidDivisions.csv
              format: csv2dict
          - "tag:Managed": absent
          - type: value
            key: "tag:Managed"
            op: not-in
            value:
              - "true"
              - "false"
    actions:
      - type: mark-for-op
        tag: c7n_tag_compliance
        op: delete
        hours: 2
      - type: tag
        key: TagsNeedChecked
        value: "true"
      - type: notify
        template: default.html
        priority_header: 1
        subject: "IAM User Tags - Missing or Invalid Required Tags - [custodian {{ account }} - {{ region }}]"
        violation_desc: |
          Your IAM User is either missing one or more of the required tags or has invalid values for one or more tags.
          Your IAM User's required tags and values are currently being analyzed and validated, which typically takes 10 minutes.
          Once the issue with your tags is identified you will receive another email showing which tags are invalid or missing.
        action_desc: |
          Actions Taken: The IAM User is set to be deleted in 2 hours if the required tags and values are still missing.
          Please properly tag your IAM User. If you are unsure of what tags or values are required please see the Tag Enforcement Documentation:
          <a href="https://oursite.com/getting-started-runbook/wiki/Tagging-resources">Tagging Resources Guide</a>
        to:
          - [email protected]
          - event-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/12345678910/cloud-custodian-mailer
          region: us-east-1
  #####################################################################################
  ### ENVIRONMENT
  #####################################################################################
  - name: iam-user-new-environment-tag-bad
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will check if the Environment tag value is correct and tag as INVALID if incorrect.
      This policy will only be applied to an IAM User once and it will tag with EnvironmentTagChecked
    filters:
      # value_type: age is measured in days, so .0833 is the 2 hour window after creation
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:EnvironmentTagChecked": absent
      - or:
          - "tag:Environment": absent
          - type: value
            key: "tag:Environment"
            op: not-in
            value:
              - tst
              - dev
              - mdl
              - acc
              - prd
              - eat
      - not:
          - or:
              - "tag:Environment": "INVALID"
              - "tag:Environment": "invalid"
    actions:
      - type: tag
        key: EnvironmentTagChecked
        value: "true"
      - type: tag
        key: Environment
        value: "INVALID"
  - name: iam-user-new-environment-tag-validate
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will validate that the Environment tag value is correct and then will tag with EnvironmentTagChecked.
      This policy will only be applied to an IAM User once
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:Environment": present
      - "tag:EnvironmentTagChecked": absent
      - type: value
        key: "tag:Environment"
        op: in
        value:
          - tst
          - dev
          - mdl
          - acc
          - prd
          - eat
      - not:
          - or:
              - "tag:Environment": "INVALID"
              - "tag:Environment": "invalid"
    actions:
      - type: tag
        key: EnvironmentTagChecked
        value: "true"
  #####################################################################################
  ### ResourceContact
  #####################################################################################
  - name: iam-user-new-resourcecontact-tag-bad
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will check if the ResourceContact tag value is correct and tag as INVALID if incorrect.
      This policy will only be applied to an IAM User once and it will tag with ResourceContactTagChecked
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:ResourceContactTagChecked": absent
      - or:
          - "tag:ResourceContact": absent
          - type: value
            key: "tag:ResourceContact"
            op: in
            value_from:
              url: s3://mybucket/InvalidEmails.csv
              format: csv2dict
          - not:
              - type: value
                key: "tag:ResourceContact"
                op: regex
                value: (^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)
      - not:
          - or:
              - "tag:ResourceContact": "INVALID"
              - "tag:ResourceContact": "invalid"
    actions:
      - type: tag
        key: ResourceContact
        value: "INVALID"
      - type: tag
        key: ResourceContactTagChecked
        value: "true"
  - name: iam-user-new-resourcecontact-tag-validate
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will validate that the ResourceContact tag value is correct and then will tag with ResourceContactTagChecked.
      This policy will only be applied to an IAM User once
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:ResourceContact": present
      - "tag:ResourceContactTagChecked": absent
      - type: value
        key: "tag:ResourceContact"
        op: not-in
        value_from:
          url: s3://mybucket/InvalidEmails.csv
          format: csv2dict
      - type: value
        key: "tag:ResourceContact"
        op: regex
        value: (^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)
      - not:
          - or:
              - "tag:ResourceContact": "INVALID"
              - "tag:ResourceContact": "invalid"
    actions:
      - type: tag
        key: ResourceContactTagChecked
        value: "true"
  #####################################################################################
  ### ResourcePurpose
  #####################################################################################
  - name: iam-user-new-resourcepurpose-tag-bad
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will check if the ResourcePurpose tag value is correct and tag as INVALID if incorrect.
      This policy will only be applied to an IAM User once and it will tag with ResourcePurposeTagChecked
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:ResourcePurposeTagChecked": absent
      - or:
          - "tag:ResourcePurpose": absent
          - not:
              - type: value
                key: "tag:ResourcePurpose"
                op: regex
                value: ^.{3,}$
      - not:
          - or:
              - "tag:ResourcePurpose": "INVALID"
              - "tag:ResourcePurpose": "invalid"
    actions:
      - type: tag
        key: ResourcePurpose
        value: "INVALID"
      - type: tag
        key: ResourcePurposeTagChecked
        value: "true"
  - name: iam-user-new-resourcepurpose-tag-validate
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will validate that the ResourcePurpose tag value is correct and then will tag with ResourcePurposeTagChecked.
      This policy will only be applied to an IAM User once
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:ResourcePurpose": present
      - "tag:ResourcePurposeTagChecked": absent
      - type: value
        key: "tag:ResourcePurpose"
        op: regex
        value: ^.{3,}$
      - not:
          - or:
              - "tag:ResourcePurpose": "INVALID"
              - "tag:ResourcePurpose": "invalid"
    actions:
      - type: tag
        key: ResourcePurposeTagChecked
        value: "true"
  #####################################################################################
  ### BillingCostCenter
  #####################################################################################
  - name: iam-user-new-billingcostcenter-tag-bad
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will check if the BillingCostCenter tag value is correct and tag as INVALID if incorrect.
      This policy will only be applied to an IAM User once and it will tag with BillingCostCenterTagChecked
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:BillingCostCenterTagChecked": absent
      - or:
          - "tag:BillingCostCenter": absent
          - type: value
            key: "tag:BillingCostCenter"
            op: not-in
            value_from:
              url: s3://mybucket/ValidCostCenters.csv
              format: csv2dict
      - not:
          - or:
              - "tag:BillingCostCenter": "INVALID"
              - "tag:BillingCostCenter": "invalid"
    actions:
      - type: tag
        key: BillingCostCenter
        value: "INVALID"
      - type: tag
        key: BillingCostCenterTagChecked
        value: "true"
  - name: iam-user-new-billingcostcenter-tag-validate
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will validate that the BillingCostCenter tag value is correct and then will tag with BillingCostCenterTagChecked.
      This policy will only be applied to an IAM User once
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:BillingCostCenterTagChecked": absent
      - "tag:BillingCostCenter": present
      - type: value
        key: "tag:BillingCostCenter"
        op: in
        value_from:
          url: s3://mybucket/ValidCostCenters.csv
          format: csv2dict
      - not:
          - or:
              - "tag:BillingCostCenter": "INVALID"
              - "tag:BillingCostCenter": "invalid"
    actions:
      - type: tag
        key: BillingCostCenterTagChecked
        value: "true"
  #####################################################################################
  ### Division
  #####################################################################################
  - name: iam-user-new-division-tag-bad
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will check if the Division tag value is correct and tag as INVALID if incorrect.
      This policy will only be applied to an IAM User once and it will tag with DivisionTagChecked
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:DivisionTagChecked": absent
      - or:
          - "tag:Division": absent
          - type: value
            key: "tag:Division"
            op: not-in
            value_from:
              url: s3://mybucket/ValidDivisions.csv
              format: csv2dict
      - not:
          - or:
              - "tag:Division": "INVALID"
              - "tag:Division": "invalid"
    actions:
      - type: tag
        key: Division
        value: "INVALID"
      - type: tag
        key: DivisionTagChecked
        value: "true"
  - name: iam-user-new-division-tag-validate
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will validate that the Division tag value is correct and then will tag with DivisionTagChecked.
      This policy will only be applied to an IAM User once
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:DivisionTagChecked": absent
      - "tag:Division": present
      - type: value
        key: "tag:Division"
        op: in
        value_from:
          url: s3://mybucket/ValidDivisions.csv
          format: csv2dict
      - not:
          - or:
              - "tag:Division": "INVALID"
              - "tag:Division": "invalid"
    actions:
      - type: tag
        key: DivisionTagChecked
        value: "true"
  #####################################################################################
  ### Managed
  #####################################################################################
  - name: iam-user-new-Managed-tag-bad
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will check if the Managed tag value is correct and tag as INVALID if incorrect.
      This policy will only be applied to an IAM User once and it will tag with ManagedTagChecked
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:ManagedTagChecked": absent
      - or:
          - "tag:Managed": absent
          - type: value
            key: "tag:Managed"
            op: not-in
            value:
              - "true"
              - "false"
      - not:
          - or:
              - "tag:Managed": "INVALID"
              - "tag:Managed": "invalid"
    actions:
      - type: tag
        key: Managed
        value: "INVALID"
      - type: tag
        key: ManagedTagChecked
        value: "true"
  - name: iam-user-new-Managed-tag-validate
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      This will validate that the Managed tag value is correct and then will tag with ManagedTagChecked.
      This policy will only be applied to an IAM User once
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:ManagedTagChecked": absent
      - "tag:Managed": present
      - type: value
        key: "tag:Managed"
        op: in
        value:
          - "true"
          - "false"
      - not:
          - or:
              - "tag:Managed": "INVALID"
              - "tag:Managed": "invalid"
    actions:
      - type: tag
        key: ManagedTagChecked
        value: "true"
  ######################################################################################
  #### Finalize Tag Analysis
  ######################################################################################
  - name: iam-user-new-finalize-tag-validation
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      Once all the TagChecked tags show up on an IAM User, this policy will remove those TagChecked
      tags and email the customer showing which tags are invalid
    comment: Notifies on <a href="http://oursite.com/%20Global%20IT%20Control%20Framework.pdf#page=58" rel="noopener noreferrer" target="_blank">ITCF M03.02</a> - Catalog Technology Assets
    filters:
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .0833
      - "tag:c7n_tag_compliance": present
      - "tag:TagsNeedChecked": present
      - "tag:EnvironmentTagChecked": present
      - "tag:ResourceContactTagChecked": present
      - "tag:BillingCostCenterTagChecked": present
      - "tag:DivisionTagChecked": present
      - "tag:ManagedTagChecked": present
      - "tag:ResourcePurposeTagChecked": present
    actions:
      - type: remove-tag
        tags: ['TagsNeedChecked', 'EnvironmentTagChecked', 'ResourceContactTagChecked', 'BillingCostCenterTagChecked', 'DivisionTagChecked', 'ManagedTagChecked', 'ResourcePurposeTagChecked']
      - type: notify
        template: default.html
        priority_header: 1
        subject: "IAM User Tags - Invalid Required Tags - [custodian {{ account }} - {{ region }}]"
        violation_desc: |
          Your IAM User's required tags have been analyzed and one or more tag values were found to be invalid.
        action_desc: |
          Actions Taken: Please see the IAM User table below to see which tags were marked as "INVALID" and then correct the tags on your IAM User.
          The IAM User is set to be deleted in 2 hours if the required tags and values are still missing.
          Please properly tag your IAM User. If you are unsure of what tags or values are required please see the Tag Enforcement Documentation:
          <a href="https://oursite.com/getting-started-runbook/wiki/Tagging-resources">Tagging Resources Guide</a>
        to:
          - [email protected]
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/12345678910/cloud-custodian-mailer
          region: us-east-1
  ######################################################################################
  #### NOW COMPLIANT - UNMARK AND EMAIL CUSTOMER
  ######################################################################################
  - name: iam-user-tag-compliance-unmark-now-compliant
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(2 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      Any IAM Users which have previously been marked as non-compliant with tag policies, and are now compliant,
      should be unmarked and the customer emailed.
    comment: Notifies on <a href="http://oursite.com/%20Global%20IT%20Control%20Framework.pdf#page=58" rel="noopener noreferrer" target="_blank">ITCF M03.02</a> - Catalog Technology Assets
    filters:
      - "tag:c7n_tag_compliance": not-null
      - "tag:ResourceContact": present
      - type: value
        key: "tag:ResourceContact"
        op: not-in
        value_from:
          url: s3://mybucket/InvalidEmails.csv
          format: csv2dict
      - type: value
        key: "tag:ResourceContact"
        op: regex
        value: (^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)
      - "tag:BillingCostCenter": present
      - type: value
        key: "tag:BillingCostCenter"
        op: in
        value_from:
          url: s3://mybucket/ValidCostCenters.csv
          format: csv2dict
      - "tag:Environment": present
      - type: value
        key: "tag:Environment"
        op: in
        value:
          - tst
          - dev
          - mdl
          - acc
          - prd
          - eat
      - "tag:ResourcePurpose": present
      - type: value
        key: "tag:ResourcePurpose"
        op: regex
        value: ^.{3,}$
      # the length regex alone would accept the literal INVALID marker, so exclude it explicitly
      - type: value
        key: "tag:ResourcePurpose"
        op: ne
        value: "INVALID"
      - "tag:Division": present
      - type: value
        key: "tag:Division"
        op: in
        value_from:
          url: s3://mybucket/ValidDivisions.csv
          format: csv2dict
      - "tag:Managed": present
      - type: value
        key: "tag:Managed"
        op: in
        value:
          - "true"
          - "false"
    actions:
      - type: remove-tag
        tags: ['c7n_tag_compliance', 'TagsNeedChecked', 'EnvironmentTagChecked', 'ResourceContactTagChecked', 'BillingCostCenterTagChecked', 'DivisionTagChecked', 'ManagedTagChecked', 'ResourcePurposeTagChecked']
      - type: notify
        template: default.html
        priority_header: 1
        subject: "IAM User Tags - IAM User is now compliant - [custodian {{ account }} - {{ region }}]"
        violation_desc: |
          Your IAM User which was previously missing required tags is now compliant and won't be deleted
        action_desc: "Actions Taken: The IAM User has been unmarked for deletion as it's now compliant with tags"
        to:
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/12345678910/cloud-custodian-mailer
          region: us-east-1
  - name: iam-user-tag-compliance-delete-2hr
    resource: iam-user
    mode:
      packages: [boto3, botocore, urllib3]
      type: periodic
      schedule: "rate(30 minutes)"
      tags:
        ResourceContact: "[email protected]"
        ResourcePurpose: "Created by Cloud Custodian Automated Fleet Management"
        BillingCostCenter: "##########"
        Division:
        Environment: prd
        Managed: "true"
    description: |
      Delete IAM Users marked for deletion whose tags are still invalid.
    comment: Enforces on <a href="http://oursite.com/%20Global%20IT%20Control%20Framework.pdf#page=58" rel="noopener noreferrer" target="_blank">ITCF M03.02</a> - Catalog Technology Assets
    filters:
      - or:
          - "tag:ResourceContact": absent
          - not:
              - type: value
                key: "tag:ResourceContact"
                op: regex
                value: (^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)
          - type: value
            key: "tag:ResourceContact"
            op: in
            value_from:
              url: s3://mybucket/InvalidEmails.csv
              format: csv2dict
          - "tag:BillingCostCenter": absent
          - type: value
            key: "tag:BillingCostCenter"
            op: not-in
            value_from:
              url: s3://mybucket/ValidCostCenters.csv
              format: csv2dict
          - "tag:Environment": absent
          - type: value
            key: "tag:Environment"
            op: not-in
            value:
              - tst
              - dev
              - mdl
              - acc
              - prd
              - eat
          - "tag:ResourcePurpose": absent
          - not:
              - type: value
                key: "tag:ResourcePurpose"
                op: regex
                value: ^.{3,}$
          - "tag:Division": absent
          - type: value
            key: "tag:Division"
            op: not-in
            value_from:
              url: s3://mybucket/ValidDivisions.csv
              format: csv2dict
          - "tag:Managed": absent
          - type: value
            key: "tag:Managed"
            op: not-in
            value:
              - "true"
              - "false"
          # values the analysis policies overwrote with the INVALID marker
          - "tag:ResourceContact": "INVALID"
          - "tag:BillingCostCenter": "INVALID"
          - "tag:Environment": "INVALID"
          - "tag:ResourcePurpose": "INVALID"
          - "tag:Division": "INVALID"
          - "tag:Managed": "INVALID"
          - "tag:ResourceContact": "invalid"
          - "tag:BillingCostCenter": "invalid"
          - "tag:Environment": "invalid"
          - "tag:ResourcePurpose": "invalid"
          - "tag:Division": "invalid"
          - "tag:Managed": "invalid"
      # only act between 2 hours (.0833 days) and 12 hours (.5 days) after creation
      - type: value
        value_type: age
        key: CreateDate
        op: greater-than
        value: .0833
      - type: value
        value_type: age
        key: CreateDate
        op: less-than
        value: .5
    actions:
      - type: delete
      - type: notify
        template: default.html
        priority_header: 1
        subject: "IAM User - Deleted Due To Missing Tags - [custodian {{ account }} - {{ region }}]"
        violation_desc: |
          Your IAM User was still missing the required tags
        action_desc: |
          Actions Taken: The IAM User has been deleted. A new IAM User will need to be created to replace this if needed.
          Please make sure to properly tag the new IAM User. If you are unsure of what tags or values are required please
          see the Tag Enforcement Documentation:
          <a href="https://oursite.com/getting-started-runbook/wiki/Tagging-resources">Tagging Resources Guide</a>
        to:
          - [email protected]
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/12345678910/cloud-custodian-mailer
          region: us-east-1
      - type: put-metric
        key: UserName
        namespace:
        metric_name: IAM-User-Invalid-Tags-Delete
        op: count
        units: Count
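The two cloudtrail-mode policies at the top of the file (iam-auto-tag-user and iam-user-tag-compliance-mark-step1) key on a CreateUser event, but pick the resource id with different `ids` expressions: `responseElements.user.userName` in the first, `requestParameters.userName` in the second. The following added example, which is not part of the gist or of Cloud Custodian, walks a constructed CloudTrail record through both lookups and a simplified sketch of the creator resolution that auto-tag-user performs. `lookup`, `creator_name` and `creator_tag_for` are names chosen here, the event records are constructed, and `creator_name` is an assumption about the intent rather than Custodian's actual code.

```python
"""Resolving a new IAM user's creator from a CloudTrail CreateUser event.

Added example; this is not code from the gist or from Cloud Custodian.  The
'ids' expression of a cloudtrail-mode policy selects the resource id from the
event record, and the creator comes from userIdentity.  creator_name() is a
simplified sketch of what the auto-tag-user action derives, not its real
implementation, and the event records below are constructed for the example.
"""
import json


def lookup(event, dotted_path):
    """Minimal dotted-path getter standing in for the JMESPath 'ids' lookup."""
    node = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def creator_name(event):
    """Human-meaningful creator from userIdentity (simplified assumption):
    IAM users by userName, assumed roles by the session name at the end of
    the STS ARN, the root user as 'root'; anything else is unknown."""
    ident = event.get("userIdentity") or {}
    kind = ident.get("type")
    if kind == "IAMUser":
        return ident.get("userName")
    if kind == "AssumedRole":
        # arn:aws:sts::123456789012:assumed-role/RoleName/SessionName
        return ident.get("arn", "").rsplit("/", 1)[-1] or None
    if kind == "Root":
        return "root"
    return None


def creator_tag_for(event, ids_expr):
    """Return (resource_id, creator) for an iam.amazonaws.com CreateUser event,
    or None when the event is not one the policy subscribes to or the id
    expression finds nothing (a failed call has responseElements: null)."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("eventName") != "CreateUser":
        return None
    resource_id = lookup(event, ids_expr)
    if resource_id is None:
        return None
    return resource_id, creator_name(event)


# Constructed CloudTrail record: a developer in an assumed role creates a user.
SAMPLE_EVENT = json.loads("""{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAEXAMPLEPRINCIPAL:alice",
    "arn": "arn:aws:sts::123456789012:assumed-role/DevOpsRole/alice",
    "accountId": "123456789012"
  },
  "eventTime": "2020-08-21T12:47:00Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "requestParameters": {"userName": "ci-deploy"},
  "responseElements": {"user": {"userName": "ci-deploy",
    "arn": "arn:aws:iam::123456789012:user/ci-deploy"}}
}""")

# The same call failing (constructed): CloudTrail then records an errorCode and
# a null responseElements, so only the requestParameters path still resolves.
FAILED_EVENT = dict(SAMPLE_EVENT, errorCode="EntityAlreadyExists",
                    responseElements=None)


if __name__ == "__main__":
    for expr in ("responseElements.user.userName", "requestParameters.userName"):
        print(expr, creator_tag_for(SAMPLE_EVENT, expr),
              creator_tag_for(FAILED_EVENT, expr))
```

The failed-call record is the point of the comparison: CloudTrail writes `responseElements: null` when the API call is denied or otherwise fails, so an id taken from `responseElements` resolves only for users that were actually created, whereas `requestParameters.userName` resolves for every attempt.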
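The same rule set appears three times in the file: as the `or` block of iam-user-tag-compliance-mark-step1, split across the six `*-tag-bad` / `*-tag-validate` policies, and again in iam-user-tag-compliance-delete-2hr with the INVALID markers added. The following added example, which is not part of the gist or of Cloud Custodian, restates those rules once in plain Python together with the age windows that gate the periodic policies, so the logic can be unit-tested without an AWS account. The allowlist file contents, the sample users and the `delete@+2h` mark value are constructed stand-ins; `load_one_line_csv` is a simplification of reading the one-line CSV format the file's comment describes, not Custodian's own `csv2dict` loader; and all function names are chosen here.

```python
"""Offline model of the tag rule set enforced by the policies above.

Added example; not code from the gist or from Cloud Custodian.  It re-states in
plain Python which required tags are missing or invalid (step1 and the delete
policy), what the '*-tag-bad' and finalize policies do to a flagged user (bad
values are overwritten with INVALID, the bookkeeping tags removed), and the age
windows that gate the periodic policies.  Allowlist contents, sample users and
the mark-for-op tag value are constructed stand-ins; the loader is a
simplification, not Custodian's csv2dict code.
"""
import csv
import io
import re

# Patterns and fixed value sets copied from the policy filters.
EMAIL_RE = re.compile(r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$")
PURPOSE_RE = re.compile(r"^.{3,}$")
ENVIRONMENTS = {"tst", "dev", "mdl", "acc", "prd", "eat"}
MANAGED_VALUES = {"true", "false"}
INVALID_MARKERS = {"INVALID", "invalid"}

# Age windows from the policies; value_type: age is measured in days.
ANALYSIS_WINDOW_DAYS = 0.0833   # per-tag checks run while the user is < ~2 h old
DELETE_WINDOW_DAYS = 0.5        # delete runs while 0.0833 < age < 0.5 days


def load_one_line_csv(text):
    """Read the one-line '"Value1","Value2",...' file format described in the
    policy comments and return its values as a set (stand-in for value_from)."""
    return {cell.strip() for row in csv.reader(io.StringIO(text))
            for cell in row if cell.strip()}


# Constructed stand-ins for the three s3://mybucket/*.csv objects.
VALID_COST_CENTERS = load_one_line_csv('"100200","100201","100300"')
VALID_DIVISIONS = load_one_line_csv('"ourdiv","platform","finance"')
INVALID_EMAILS = load_one_line_csv('"noreply@example.com","shared@example.com"')

# One predicate per required tag, mirroring the step1 'or' block; True = acceptable.
TAG_RULES = {
    "ResourceContact": lambda v: bool(EMAIL_RE.match(v)) and v not in INVALID_EMAILS,
    "BillingCostCenter": lambda v: v in VALID_COST_CENTERS,
    "Environment": lambda v: v in ENVIRONMENTS,
    "ResourcePurpose": lambda v: bool(PURPOSE_RE.match(v)),
    "Division": lambda v: v in VALID_DIVISIONS,
    "Managed": lambda v: v in MANAGED_VALUES,
}


def noncompliant_tags(tags):
    """Required tags that are missing, fail their rule or carry the INVALID
    marker: the delete policy's 'or' block, as a sorted list of tag keys."""
    return sorted(key for key, ok in TAG_RULES.items()
                  if tags.get(key) is None or tags[key] in INVALID_MARKERS
                  or not ok(tags[key]))


def mark_for_analysis(tags):
    """Step 1: a user with any problem is marked for deletion and flagged for
    analysis.  Returns a new tag dict; 'delete@+2h' is a constructed stand-in
    for the value mark-for-op writes."""
    if not noncompliant_tags(tags):
        return dict(tags)
    return dict(tags, c7n_tag_compliance="delete@+2h", TagsNeedChecked="true")


def analyze(tags):
    """The six '*-tag-bad' / '*-tag-validate' policies followed by finalize:
    each present-but-bad value becomes INVALID (missing tags stay missing) and
    the TagsNeedChecked flag is removed; the c7n_tag_compliance mark stays."""
    if "TagsNeedChecked" not in tags:
        return dict(tags)
    out = {k: ("INVALID" if k in TAG_RULES and not TAG_RULES[k](v) else v)
           for k, v in tags.items()}
    out.pop("TagsNeedChecked")
    return out


def decide(tags, age_days):
    """Which periodic policy acts on a user of the given age (days):
    'unmark' (now compliant; that policy has no age gate), 'analyze' (inside
    the 2 h window with the step1 flag set), 'delete' (still bad, inside the
    delete window; note the delete policy keys on tags and age only, not on
    the mark), otherwise 'wait' or 'none'."""
    bad = noncompliant_tags(tags)
    if "c7n_tag_compliance" in tags and not bad:
        return "unmark"
    if age_days < ANALYSIS_WINDOW_DAYS:
        return "analyze" if "TagsNeedChecked" in tags else "wait"
    if bad and ANALYSIS_WINDOW_DAYS < age_days < DELETE_WINDOW_DAYS:
        return "delete"
    return "none"


if __name__ == "__main__":
    # Constructed user: wrong environment and cost center, Division missing.
    user = {"ResourceContact": "alice@example.com", "BillingCostCenter": "999999",
            "Environment": "production", "ResourcePurpose": "CI deploy user",
            "Managed": "true"}
    marked = mark_for_analysis(user)
    print("bad:", noncompliant_tags(user), "->", decide(marked, 0.01))
    analyzed = analyze(marked)
    print("after analysis:", analyzed, "->", decide(analyzed, 0.2))
```

Running it shows the lifecycle the policies implement: the flagged user is analyzed inside the first two hours, its bad values are rewritten to INVALID, and between 0.0833 and 0.5 days of age it falls into the delete window unless the tags are corrected first, at which point the unmark branch wins regardless of age.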