jtroberts83 · April 6, 2018 15:17
diff --git a/mailerexample.json b/mailerexample.json
 {
   "account":"accountaliashere",
   "account_id":"1234567890",
   "region":"us-west-1",
   "action":{
      "violation_desc":"Public IP Address:",
      "to":[
         "[email protected]",
         "event-owner"
      ],
      "action_desc":"Actions Taken:  The EC2 Instance Has Been Terminated",
      "template":"default.html",
      "subject":"EC2 - Public IP Terminated - [custodian {{ account }} - {{ region }}]",
      "type":"notify",
      "transport":{
         "queue":"https://sqs.us-east-1.amazonaws.com/1234567890/cloud-custodian-mailer",
         "region":"us-east-1",
         "type":"sqs"
      },
      "priority_header":1
   },
   "policy":{
      "resource":"account",
      "name":"no-ec2-public-ips",
      "actions":[
         {
            "force":true,
            "type":"terminate"
         },
         {
            "violation_desc":"Public IP Address:",
            "to":[
               "[email protected]",
               "event-owner"
            ],
            "action_desc":"Actions Taken:  The EC2 Instance Has Been Terminated",
            "template":"AGTdefault.html",
            "priority_header":1,
            "type":"notify",
            "transport":{
               "queue":"https://sqs.us-east-1.amazonaws.com/1234567890/cloud-custodian-mailer",
               "region":"us-east-1",
               "type":"sqs"
            },
            "subject":"EC2 - Public IP Terminated - [custodian {{ account }} - {{ region }}]"
         }
      ],
      "comments":"If a EC2 instance is launched with a public IP attached initially\nit will get terminated unless its aviatrix and Notification sent.\n",
      "filters":[
         {
            "type":"event",
            "value":true,
            "key":"detail.requestParameters.networkInterfaceSet.items[0].associatePublicIpAddress"
         },
         {
            "not":[
               {
                  "type":"event",
                  "value":"^((?i)aviatrix(?i))",
                  "key":"detail.userIdentity.userName",
                  "op":"regex"
               }
            ]
         }
      ],
      "mode":{
         "type":"cloudtrail",
         "events":[
            "RunInstances"
         ]
      }
   },
   "event":{
    "account": "1234567890",
    "region": "eu-west-1",
    "detail": {
        "eventVersion": "1.05",
        "eventID": "31a25aab-b39a-4ad2-9be9-da34f6451ddd",
        "eventTime": "2018-02-15T19:21:53Z",
        "sharedEventID": "d2a10f4b-5436-463d-8d77-ea9197dfe6aa",
        "additionalEventData": {
            "x-amz-id-2": "BHynMZIq/SDSDSDSDSDSDSDSD/sEOGPaCo9jS97J71IgEJvGZjl10="
        },
        "requestParameters": {
            "key": "curl.exe",
            "bucketName": "s3bucketnamehere",
            "x-amz-copy-source": "prefix/curl.exe"
        },
        "eventType": "AwsApiCall",
        "responseElements": {
            "x-amz-version-id": "SDSDSDSDSDSDSDSDSD",
            "x-amz-copy-source-version-id": "UYkHGQzlYzB26I.PEBPxJEV2nI1cuRry"
        },
        "awsRegion": "eu-west-1",
        "eventName": "CopyObject",
        "readOnly": false,
        "userIdentity": {
            "principalId": "ROLEPRINCIPALID:i-InstanceId",
            "accessKeyId": "ACCESSKEYHERE",
            "sessionContext": {
                "sessionIssuer": {
                    "userName": "usernamehere",
                    "type": "Role",
                    "arn": "arn:aws:iam::1234567890:role/usernamehere",
                    "principalId": "ROLEPRINCIPALID",
                    "accountId": "1234567890"
                },
                "attributes": {
                    "creationDate": "2018-02-15T18:59:34Z",
                    "mfaAuthenticated": "false"
                }
            },
            "type": "AssumedRole",
            "arn": "arn:aws:sts::1234567890:assumed-role/usernamehere/i-instanceid",
            "accountId": "1234567890"
        },
        "eventSource": "s3.amazonaws.com",
        "requestID": "SDSWDSDSDSDSDSDSDD",
        "userAgent": "[aws-cli/1.14.9 Python/2.7.13 Linux/4.9.77-31.58.amzn1.x86_64 botocore/1.8.13]",
        "sourceIPAddress": "IP.IP.IP.IP",
        "resources": [
            {
                "type": "AWS::S3::Object",
                "ARN": "arn:aws:s3:::s3bucketnamehere/curl.exe"
            },
            {
                "type": "AWS::S3::Bucket",
                "ARN": "arn:aws:s3:::s3bucketnamehere",
                "accountId": "123123123123"
            }
        ],
        "recipientAccountId": "1234567890"
    },
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.s3",
    "version": "0",
    "time": "2018-02-15T19:21:53Z",
    "debug": true,
    "id": "e47f-c7d1-2364-44746ff734d2",
    "resources": []
 },
   "resources":[
      {
         "Monitoring":{
            "State":"disabled"
         },
         "PublicDnsName":"",
         "State":{
            "Code":16,
            "Name":"running"
         },
         "EbsOptimized":false,
         "LaunchTime":"2017-07-05T15:01:41+00:00",
         "PublicIpAddress":"54.100.41.12",
         "PrivateIpAddress":"10.56.56.56",
         "ProductCodes":[

         ],
         "VpcId":"vpc-abc123",
         "StateTransitionReason":"",
         "InstanceId":"i-InstanceId",
         "EnaSupport":true,
         "ImageId":"ami-123456",
         "PrivateDnsName":"ip-10-56-56-56.company.com",
         "KeyName":"PEMKEY",
         "SecurityGroups":[
            {
               "GroupName":"sgname",
               "GroupId":"sg-123456"
            }
         ],
         "ClientToken":"sDSDSDSDSDDSDSD",
         "SubnetId":"subnet-subnet",
         "InstanceType":"t2.micro",
         "NetworkInterfaces":[
            {
               "Status":"in-use",
               "MacAddress":"22:cd:44:96:33:22",
               "SourceDestCheck":true,
               "VpcId":"vpc-afafafafafafaf",
               "Description":"Primary network interface",
               "Association":{
                  "PublicIp":"54.100.41.12",
                  "PublicDnsName":"",
                  "IpOwnerId":"amazon"
               },
               "NetworkInterfaceId":"eni-sdfsdfsdfsdf",
               "PrivateIpAddresses":[
                  {
                     "Association":{
                        "PublicIp":"54.100.41.12",
                        "PublicDnsName":"",
                        "IpOwnerId":"amazon"
                     },
                     "Primary":true,
                     "PrivateIpAddress":"10.56.56.56"
                  }
               ],
               "Ipv6Addresses":[

               ],
               "Attachment":{
                  "Status":"attached",
                  "DeviceIndex":0,
                  "DeleteOnTermination":true,
                  "AttachmentId":"eni-attach-sdsdsdsdsdsdsds",
                  "AttachTime":"2017-07-05T15:01:41+00:00"
               },
               "Groups":[
                  {
                     "GroupName":"sgname",
                     "GroupId":"sg-sdsdsdsdsd"
                  }
               ],
               "SubnetId":"subnet-sdsdsdsdsdsd",
               "OwnerId":"1234567890",
               "PrivateIpAddress":"10.56.56.56"
            }
         ],
         "SourceDestCheck":true,
         "Placement":{
            "Tenancy":"default",
            "GroupName":"",
            "AvailabilityZone":"us-west-1a"
         },
         "Hypervisor":"xen",
         "BlockDeviceMappings":[
            {
               "DeviceName":"/dev/xvda",
               "Ebs":{
                  "Status":"attached",
                  "DeleteOnTermination":true,
                  "VolumeId":"vol-99999999999999",
                  "AttachTime":"2017-07-05T15:01:42+00:00"
               }
            }
         ],
         "Architecture":"x86_64",
         "RootDeviceType":"ebs",
         "RootDeviceName":"/dev/xvda",
         "VirtualizationType":"hvm",
         "Tags":[
            {
               "Value":"TestEvent",
               "Key":"Name"
            }
         ],
         "AmiLaunchIndex":0
      }
   ]
 }
	{
	"account":"accountaliashere",
	"account_id":"1234567890",
	"region":"us-west-1",
	"action":{
	"violation_desc":"Public IP Address:",
	"to":[
	"[email protected]",
	"event-owner"
	],
	"action_desc":"Actions Taken: The EC2 Instance Has Been Terminated",
	"template":"default.html",
	"subject":"EC2 - Public IP Terminated - [custodian {{ account }} - {{ region }}]",
	"type":"notify",
	"transport":{
	"queue":"https://sqs.us-east-1.amazonaws.com/1234567890/cloud-custodian-mailer",
	"region":"us-east-1",
	"type":"sqs"
	},
	"priority_header":1
	},
	"policy":{
	"resource":"account",
	"name":"no-ec2-public-ips",
	"actions":[
	{
	"force":true,
	"type":"terminate"
	},
	{
	"violation_desc":"Public IP Address:",
	"to":[
	"[email protected]",
	"event-owner"
	],
	"action_desc":"Actions Taken: The EC2 Instance Has Been Terminated",
	"template":"AGTdefault.html",
	"priority_header":1,
	"type":"notify",
	"transport":{
	"queue":"https://sqs.us-east-1.amazonaws.com/1234567890/cloud-custodian-mailer",
	"region":"us-east-1",
	"type":"sqs"
	},
	"subject":"EC2 - Public IP Terminated - [custodian {{ account }} - {{ region }}]"
	}
	],
	"comments":"If a EC2 instance is launched with a public IP attached initially\nit will get terminated unless its aviatrix and Notification sent.\n",
	"filters":[
	{
	"type":"event",
	"value":true,
	"key":"detail.requestParameters.networkInterfaceSet.items[0].associatePublicIpAddress"
	},
	{
	"not":[
	{
	"type":"event",
	"value":"^((?i)aviatrix(?i))",
	"key":"detail.userIdentity.userName",
	"op":"regex"
	}
	]
	}
	],
	"mode":{
	"type":"cloudtrail",
	"events":[
	"RunInstances"
	]
	}
	},
	"event":{
	"account": "1234567890",
	"region": "eu-west-1",
	"detail": {
	"eventVersion": "1.05",
	"eventID": "31a25aab-b39a-4ad2-9be9-da34f6451ddd",
	"eventTime": "2018-02-15T19:21:53Z",
	"sharedEventID": "d2a10f4b-5436-463d-8d77-ea9197dfe6aa",
	"additionalEventData": {
	"x-amz-id-2": "BHynMZIq/SDSDSDSDSDSDSDSD/sEOGPaCo9jS97J71IgEJvGZjl10="
	},
	"requestParameters": {
	"key": "curl.exe",
	"bucketName": "s3bucketnamehere",
	"x-amz-copy-source": "prefix/curl.exe"
	},
	"eventType": "AwsApiCall",
	"responseElements": {
	"x-amz-version-id": "SDSDSDSDSDSDSDSDSD",
	"x-amz-copy-source-version-id": "UYkHGQzlYzB26I.PEBPxJEV2nI1cuRry"
	},
	"awsRegion": "eu-west-1",
	"eventName": "CopyObject",
	"readOnly": false,
	"userIdentity": {
	"principalId": "ROLEPRINCIPALID:i-InstanceId",
	"accessKeyId": "ACCESSKEYHERE",
	"sessionContext": {
	"sessionIssuer": {
	"userName": "usernamehere",
	"type": "Role",
	"arn": "arn:aws:iam::1234567890:role/usernamehere",
	"principalId": "ROLEPRINCIPALID",
	"accountId": "1234567890"
	},
	"attributes": {
	"creationDate": "2018-02-15T18:59:34Z",
	"mfaAuthenticated": "false"
	}
	},
	"type": "AssumedRole",
	"arn": "arn:aws:sts::1234567890:assumed-role/usernamehere/i-instanceid",
	"accountId": "1234567890"
	},
	"eventSource": "s3.amazonaws.com",
	"requestID": "SDSWDSDSDSDSDSDSDD",
	"userAgent": "[aws-cli/1.14.9 Python/2.7.13 Linux/4.9.77-31.58.amzn1.x86_64 botocore/1.8.13]",
	"sourceIPAddress": "IP.IP.IP.IP",
	"resources": [
	{
	"type": "AWS::S3::Object",
	"ARN": "arn:aws:s3:::s3bucketnamehere/curl.exe"
	},
	{
	"type": "AWS::S3::Bucket",
	"ARN": "arn:aws:s3:::s3bucketnamehere",
	"accountId": "123123123123"
	}
	],
	"recipientAccountId": "1234567890"
	},
	"detail-type": "AWS API Call via CloudTrail",
	"source": "aws.s3",
	"version": "0",
	"time": "2018-02-15T19:21:53Z",
	"debug": true,
	"id": "e47f-c7d1-2364-44746ff734d2",
	"resources": []
	},
	"resources":[
	{
	"Monitoring":{
	"State":"disabled"
	},
	"PublicDnsName":"",
	"State":{
	"Code":16,
	"Name":"running"
	},
	"EbsOptimized":false,
	"LaunchTime":"2017-07-05T15:01:41+00:00",
	"PublicIpAddress":"54.100.41.12",
	"PrivateIpAddress":"10.56.56.56",
	"ProductCodes":[

	],
	"VpcId":"vpc-abc123",
	"StateTransitionReason":"",
	"InstanceId":"i-InstanceId",
	"EnaSupport":true,
	"ImageId":"ami-123456",
	"PrivateDnsName":"ip-10-56-56-56.company.com",
	"KeyName":"PEMKEY",
	"SecurityGroups":[
	{
	"GroupName":"sgname",
	"GroupId":"sg-123456"
	}
	],
	"ClientToken":"sDSDSDSDSDDSDSD",
	"SubnetId":"subnet-subnet",
	"InstanceType":"t2.micro",
	"NetworkInterfaces":[
	{
	"Status":"in-use",
	"MacAddress":"22:cd:44:96:33:22",
	"SourceDestCheck":true,
	"VpcId":"vpc-afafafafafafaf",
	"Description":"Primary network interface",
	"Association":{
	"PublicIp":"54.100.41.12",
	"PublicDnsName":"",
	"IpOwnerId":"amazon"
	},
	"NetworkInterfaceId":"eni-sdfsdfsdfsdf",
	"PrivateIpAddresses":[
	{
	"Association":{
	"PublicIp":"54.100.41.12",
	"PublicDnsName":"",
	"IpOwnerId":"amazon"
	},
	"Primary":true,
	"PrivateIpAddress":"10.56.56.56"
	}
	],
	"Ipv6Addresses":[

	],
	"Attachment":{
	"Status":"attached",
	"DeviceIndex":0,
	"DeleteOnTermination":true,
	"AttachmentId":"eni-attach-sdsdsdsdsdsdsds",
	"AttachTime":"2017-07-05T15:01:41+00:00"
	},
	"Groups":[
	{
	"GroupName":"sgname",
	"GroupId":"sg-sdsdsdsdsd"
	}
	],
	"SubnetId":"subnet-sdsdsdsdsdsd",
	"OwnerId":"1234567890",
	"PrivateIpAddress":"10.56.56.56"
	}
	],
	"SourceDestCheck":true,
	"Placement":{
	"Tenancy":"default",
	"GroupName":"",
	"AvailabilityZone":"us-west-1a"
	},
	"Hypervisor":"xen",
	"BlockDeviceMappings":[
	{
	"DeviceName":"/dev/xvda",
	"Ebs":{
	"Status":"attached",
	"DeleteOnTermination":true,
	"VolumeId":"vol-99999999999999",
	"AttachTime":"2017-07-05T15:01:42+00:00"
	}
	}
	],
	"Architecture":"x86_64",
	"RootDeviceType":"ebs",
	"RootDeviceName":"/dev/xvda",
	"VirtualizationType":"hvm",
	"Tags":[
	{
	"Value":"TestEvent",
	"Key":"Name"
	}
	],
	"AmiLaunchIndex":0
	}
	]
	}