@jtroberts83
Created March 22, 2019 14:01
policies:
  - name: ec2-mark-stopped-instance-realtime
    resource: ec2
    mode:
      type: cloudtrail
      events:
        - source: ec2.amazonaws.com
          event: StopInstances
          ids: "responseElements.instancesSet.items[].instanceId"
    description: |
      Mark the instance that was just stopped for deletion in 60 days
      unless it is started again in the meantime for patching. This mirrors
      internal policies, since a stopped instance won't be patched.
      It also tags the instance with the user who last stopped it.
    filters:
      - "tag:c7n_stopped_instance": absent
      - "tag:c7n_stopped_instance1": absent
      - "tag:c7n_stopped_instance2": absent
      - "tag:c7n_stopped_instance3": absent
      - not:
          - "tag:ServerStoppedBy": "custodian-agt-ec2-offhours-stop"
    actions:
      - type: mark-for-op
        tag: c7n_stopped_instance
        op: terminate
        days: 60
      - type: auto-tag-user
        tag: ServerStoppedBy

  - name: ec2-unmark-running-deletion-realtime
    resource: ec2
    mode:
      type: cloudtrail
      events:
        - source: ec2.amazonaws.com
          event: StartInstances
          ids: "responseElements.instancesSet.items[].instanceId"
    description: |
      Unmark/untag the ec2 instance that was just started if it was
      scheduled for deletion due to being stopped. It also tags the
      instance with the user who last started it.
    actions:
      - type: unmark
        tags: ["c7n_stopped_instance", "c7n_stopped_instance1", "c7n_stopped_instance2", "c7n_stopped_instance3"]
      - type: auto-tag-user
        tag: ServerStartedBy

  - name: ec2-mark-stopped-instance
    resource: ec2
    description: |
      Mark any stopped ec2 instance for deletion in 60 days.
      If an instance has not been started for 60 days or more
      it will be deleted, similar to internal policies, as it won't be patched.
    filters:
      - "tag:c7n_stopped_instance": absent
      - "tag:c7n_stopped_instance1": absent
      - "tag:c7n_stopped_instance2": absent
      - "tag:c7n_stopped_instance3": absent
      - "State.Name": stopped
    actions:
      - type: mark-for-op
        tag: c7n_stopped_instance
        op: terminate
        days: 46

  - name: ec2-unmark-running-deletion
    resource: ec2
    description: |
      Unmark/untag any ec2 instance that was scheduled for deletion due to being stopped
      if it is currently running.
    filters:
      - "State.Name": running
      - or:
          - "tag:c7n_stopped_instance": present
          - "tag:c7n_stopped_instance1": present
          - "tag:c7n_stopped_instance2": present
          - "tag:c7n_stopped_instance3": present
    actions:
      - type: unmark
        tags: ["c7n_stopped_instance", "c7n_stopped_instance1", "c7n_stopped_instance2", "c7n_stopped_instance3"]

  - name: ec2-notify-before-delete-marked-14-days
    resource: ec2
    description: |
      Notify on any ec2 instances that will be deleted in 14 days if not started.
    comments: |
      Your EC2 server will be terminated in 14 days if not started and patched by then.
      Please start your stopped servers and install all patches. After patching is complete you may power off your server again.
    filters:
      - type: marked-for-op
        tag: c7n_stopped_instance
        op: terminate
    actions:
      - type: unmark
        tags: ["c7n_stopped_instance"]
      - type: mark-for-op
        tag: c7n_stopped_instance1
        op: terminate
        days: 6
      - type: notify
        template: default.html
        priority_header: 2
        subject: "EC2 Stopped Instance Termination Scheduled! [custodian {{ account }} - {{ region }}]"
        violation_desc: "EC2(s) have been in a stopped state for 45 days and at 60 days will be terminated:"
        action_desc: "Actions Taken: Notification Only"
        to:
          - [email protected]
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXXX/cloud-custodian-mailer
          region: us-east-1

  - name: ec2-notify-before-delete-marked-7-days
    resource: ec2
    description: |
      Notify on any ec2 instances that will be deleted in 7 days if not started.
    comments: |
      Your EC2 server will be terminated in 7 days if not started and patched by then.
      Please start your stopped servers and install all patches. After patching is complete you may power off your server again.
    filters:
      - type: marked-for-op
        tag: c7n_stopped_instance1
        op: terminate
    actions:
      - type: unmark
        tags: ["c7n_stopped_instance1"]
      - type: mark-for-op
        tag: c7n_stopped_instance2
        op: terminate
        days: 1
      - type: notify
        template: default.html
        priority_header: 1
        subject: "EC2 Stopped Instance Termination Scheduled! [custodian {{ account }} - {{ region }}]"
        violation_desc: "EC2(s) have been in a stopped state for 53 days and at 60 days will be terminated:"
        action_desc: "Actions Taken: Notification Only"
        to:
          - [email protected]
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/xXXXXXXXXXX/cloud-custodian-mailer
          region: us-east-1

  - name: ec2-notify-before-delete-marked-1-days
    resource: ec2
    description: |
      Notify on any ec2 instances that will be deleted in 1 day if not started.
    comments: |
      Your EC2 server will be terminated in 1 day if not started and patched by then.
      Please start your stopped servers and install all patches. After patching is complete you may power off your server again.
    filters:
      - type: marked-for-op
        tag: c7n_stopped_instance2
        op: terminate
    actions:
      - type: unmark
        tags: ["c7n_stopped_instance2"]
      - type: mark-for-op
        tag: c7n_stopped_instance3
        op: terminate
        days: 1
      - type: notify
        template: default.html
        priority_header: 1
        subject: "EC2 Stopped Instance Termination Scheduled tomorrow! [custodian {{ account }} - {{ region }}]"
        violation_desc: "EC2(s) have been in a stopped state for 59 days and at 60 days will be terminated:"
        action_desc: "Actions Taken: Notification Only"
        to:
          - [email protected]
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXXXX/cloud-custodian-mailer
          region: us-east-1

  - name: ec2-delete-marked
    resource: ec2
    description: |
      Terminate, and notify on, any ec2 instances that were scheduled
      for deletion because they have been stopped for 60 days
      and are no longer up-to-date on patching.
    comments: Your EC2 server has been terminated due to being offline for 60 days.
    filters:
      - type: marked-for-op
        tag: c7n_stopped_instance3
        op: terminate
      - "tag:ResourceContact": present
    actions:
      - type: terminate
        force: true
      - type: notify
        template: default.html
        priority_header: 1
        subject: "EC2 Stopped Instance Tagged [custodian {{ account }} - {{ region }}]"
        violation_desc: "EC2(s) have been stopped for 60 days:"
        action_desc: "Actions Taken: The EC2(s) have been terminated as their patching is out-of-date"
        to:
          - [email protected]
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXXXX/cloud-custodian-mailer
          region: us-east-1

  - name: ec2-stopped-over-60days-instance-no-contact
    resource: ec2
    description: |
      Notify on any ec2 instances that were scheduled
      for deletion because they have been stopped for 60 days
      and are no longer up-to-date on patching, but carry no ResourceContact tag.
    comments: SERVERS NEED DELETING BUT NO RESOURCE CONTACT PRESENT.
    filters:
      - type: marked-for-op
        tag: c7n_stopped_instance3
        op: terminate
      - "tag:ResourceContact": absent
    actions:
      - type: notify
        template: default.html
        priority_header: 1
        subject: "OLD EC2 NO CONTACT TAG [custodian {{ account }} - {{ region }}]"
        violation_desc: "The following EC2 instances have been stopped for over 60 days and would normally be deleted by Cloud Custodian but there are no Resource Contact tags:"
        action_desc: "Please investigate and notify the servers' owners to add tags and start and patch their servers."
        to:
          - [email protected]
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXXXX/cloud-custodian-mailer
          region: us-east-1
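Added example (my code, not the gist's or Cloud Custodian's): a small Python model of the tag-driven escalation above. It writes tag values in the layout Cloud Custodian's mark-for-op uses (`Resource does not meet policy: <op>@<YYYY/mm/dd>`, the default date format is assumed) and replays the periodic policies day by day, so you can check the notification timeline the messages promise against the days a marked instance actually gets before `ec2-delete-marked` fires.

```python
import re
from datetime import date, timedelta

# mark-for-op writes "Resource does not meet policy: <op>@<YYYY/mm/dd>" into the tag, and
# the marked-for-op filter matches once that date has been reached (format assumed default).
MARK_RE = re.compile(r"^Resource does not meet policy: (\w+)@(\d{4})/(\d{2})/(\d{2})$")
# Notify chain from the gist: (policy, tag that triggers it, tag it writes next, days ahead).
STAGES = [
    ("ec2-notify-before-delete-marked-14-days", "c7n_stopped_instance", "c7n_stopped_instance1", 6),
    ("ec2-notify-before-delete-marked-7-days", "c7n_stopped_instance1", "c7n_stopped_instance2", 1),
    ("ec2-notify-before-delete-marked-1-days", "c7n_stopped_instance2", "c7n_stopped_instance3", 1),
]

def mark_value(op, days, today):
    """Tag value mark-for-op writes for an action `days` after `today`."""
    return f"Resource does not meet policy: {op}@{today + timedelta(days=days):%Y/%m/%d}"

def is_due(tag_value, op, today):
    """Mirror of the marked-for-op filter: the tag names `op` and its date has arrived."""
    m = MARK_RE.match(tag_value or "")
    return bool(m) and m.group(1) == op and date(*map(int, m.groups()[1:])) <= today

def step(tags, today):
    """One scheduled run of the periodic policies; returns (policy fired or None, tags after)."""
    tags = dict(tags)
    for policy, trigger, nxt, days in STAGES:
        if is_due(tags.get(trigger), "terminate", today):
            del tags[trigger]                                   # unmark
            tags[nxt] = mark_value("terminate", days, today)   # mark-for-op the next stage
            return policy, tags
    if is_due(tags.get("c7n_stopped_instance3"), "terminate", today):
        if "ResourceContact" in tags:
            return "ec2-delete-marked", {}                      # terminate (force: true)
        return "ec2-stopped-over-60days-instance-no-contact", tags  # notify only, no re-mark
    return None, tags

def simulate(tags, start, horizon_days=120):
    """Run the chain daily from `start`; return [(day_offset, policy)] up to a terminal policy."""
    events = []
    for offset in range(horizon_days + 1):
        policy, tags = step(tags, start + timedelta(days=offset))
        if policy:
            events.append((offset, policy))
            if not policy.startswith("ec2-notify"):  # delete or no-contact ends the chain
                break
    return events

if __name__ == "__main__":  # constructed sample: marked 46 days ahead on 2019-03-22
    d0 = date(2019, 3, 22)
    print(simulate({"c7n_stopped_instance": mark_value("terminate", 46, d0), "ResourceContact": "x"}, d0))
```

With the 46-day periodic mark, the run shows the 14-day notice firing on day 46 and termination on day 54, which is the kind of gap between the promised and actual timeline this replay is meant to surface.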