Cloud Custodian
Filters
Actions
awscc.ec2_transitgatewaymulticastdomain
Filters
Actions
awscc.ec2_transitgatewaypeeringattachment
Filters
Actions
awscc.ec2_transitgatewayvpcattachment
Filters
Actions
awscc.ec2_vpc
Filters
Actions
awscc.ec2_vpcdhcpoptionsassociation
Filters
Actions
awscc.ec2_vpcendpoint
Filters
Actions
ecr resources
awscc.ecr_publicrepository
Filters
Actions
awscc.ecr_registrypolicy
Filters
Actions
awscc.ecr_replicationconfiguration
Filters
Actions
awscc.ecr_repository
Filters
Actions
ecs resources
awscc.ecs_capacityprovider
Filters
Actions
awscc.ecs_cluster
Filters
Actions
awscc.ecs_clustercapacityproviderassociations
Filters
Actions
awscc.ecs_primarytaskset
Filters
Actions
awscc.ecs_service
Filters
Actions
awscc.ecs_taskdefinition
Filters
Actions
awscc.ecs_taskset
Filters
Actions
efs resources
awscc.efs_accesspoint
Filters
Actions
awscc.efs_filesystem
Filters
Actions
awscc.efs_mounttarget
Filters
Actions
eks resources
awscc.eks_addon
Filters
Actions
awscc.eks_cluster
Filters
Actions
awscc.eks_fargateprofile
Filters
Actions
elasticache resources
awscc.elasticache_globalreplicationgroup
Filters
Actions
awscc.elasticache_user
Filters
Actions
awscc.elasticache_usergroup
Filters
Actions
elbv2 resources
awscc.elasticloadbalancingv2_listener
Filters
Actions
awscc.elasticloadbalancingv2_listenerrule
Filters
Actions
emr resources
awscc.emr_studio
Filters
Actions
awscc.emr_studiosessionmapping
Filters
Actions
emr-containers resources
awscc.emrcontainers_virtualcluster
Filters
Actions
es resources
awscc.opensearchservice_domain
Filters
Actions
events resources
awscc.events_apidestination
Filters
Actions
awscc.events_archive
Filters
Actions
awscc.events_connection
Filters
Actions
evidently resources
awscc.evidently_experiment
Filters
Actions
awscc.evidently_feature
Filters
Actions
awscc.evidently_launch
Filters
Actions
awscc.evidently_project
Filters
Actions
finspace resources
awscc.finspace_environment
Filters
Actions
fis resources
awscc.fis_experimenttemplate
Filters
Actions
fms resources
awscc.fms_notificationchannel
Filters
Actions
awscc.fms_policy
Filters
Actions
forecast resources
awscc.forecast_datasetgroup
Filters
Actions
frauddetector resources
awscc.frauddetector_detector
Filters
Actions
awscc.frauddetector_entitytype
Filters
Actions
awscc.frauddetector_eventtype
Filters
Actions
awscc.frauddetector_label
Filters
Actions
awscc.frauddetector_outcome
Filters
Actions
awscc.frauddetector_variable
Filters
Actions
gamelift resources
awscc.gamelift_alias
Filters
Actions
awscc.gamelift_fleet
Filters
Actions
awscc.gamelift_gameservergroup
Filters
Actions
globalaccelerator resources
awscc.globalaccelerator_accelerator
Filters
Actions
awscc.globalaccelerator_endpointgroup
Filters
Actions
awscc.globalaccelerator_listener
Filters
Actions
glue resources
awscc.glue_registry
Filters
Actions
awscc.glue_schema
Filters
Actions
greengrassv2 resources
awscc.greengrassv2_componentversion
Filters
Actions
groundstation resources
awscc.groundstation_config
Filters
Actions
awscc.groundstation_missionprofile
Filters
Actions
healthlake resources
awscc.healthlake_fhirdatastore
Filters
Actions
iam resources
awscc.iam_oidcprovider
Filters
Actions
awscc.iam_role
Filters
Actions
awscc.iam_samlprovider
Filters
Actions
awscc.iam_servercertificate
Filters
Actions
awscc.iam_virtualmfadevice
Filters
Actions
imagebuilder resources
awscc.imagebuilder_distributionconfiguration
Filters
Actions
awscc.imagebuilder_image
Filters
Actions
awscc.imagebuilder_imagepipeline
Filters
Actions
awscc.imagebuilder_infrastructureconfiguration
Filters
Actions
inspector2 resources
awscc.inspectorv2_filter
Filters
Actions
iot resources
awscc.iot_accountauditconfiguration
Filters
Actions
awscc.iot_authorizer
Filters
Actions
awscc.iot_certificate
Filters
Actions
awscc.iot_custommetric
Filters
Actions
awscc.iot_dimension
Filters
Actions
awscc.iot_domainconfiguration
Filters
Actions
awscc.iot_fleetmetric
Filters
Actions
awscc.iot_logging
Filters
Actions
awscc.iot_mitigationaction
Filters
Actions
awscc.iot_provisioningtemplate
Filters
Actions
awscc.iot_resourcespecificlogging
Filters
Actions
awscc.iot_scheduledaudit
Filters
Actions
awscc.iot_securityprofile
Filters
Actions
awscc.iot_topicrule
Filters
Actions
awscc.iot_topicruledestination
Filters
Actions
iotanalytics resources
awscc.iotanalytics_dataset
Filters
Actions
awscc.iotanalytics_datastore
Filters
Actions
awscc.iotanalytics_pipeline
Filters
Actions
iotdeviceadvisor resources
awscc.iotcoredeviceadvisor_suitedefinition
Filters
Actions
iotevents resources
awscc.iotevents_detectormodel
Filters
Actions
awscc.iotevents_input
Filters
Actions
iotfleethub resources
awscc.iotfleethub_application
Filters
Actions
iotsitewise resources
awscc.iotsitewise_accesspolicy
Filters
Actions
awscc.iotsitewise_asset
Filters
Actions
awscc.iotsitewise_assetmodel
Filters
Actions
awscc.iotsitewise_dashboard
Filters
Actions
awscc.iotsitewise_gateway
Filters
Actions
awscc.iotsitewise_portal
Filters
Actions
awscc.iotsitewise_project
Filters
Actions
iotwireless resources
awscc.iotwireless_destination
Filters
Actions
awscc.iotwireless_fuotatask
Filters
Actions
awscc.iotwireless_multicastgroup
Filters
Actions
awscc.iotwireless_partneraccount
Filters
Actions
awscc.iotwireless_wirelessdevice
Filters
Actions
awscc.iotwireless_wirelessgateway
Filters
Actions
ivs resources
awscc.ivs_channel
Filters
Actions
awscc.ivs_playbackkeypair
Filters
Actions
awscc.ivs_recordingconfiguration
Filters
Actions
awscc.ivs_streamkey
Filters
Actions
kendra resources
awscc.kendra_datasource
Filters
Actions
awscc.kendra_faq
Filters
Actions
awscc.kendra_index
Filters
Actions
kinesis resources
awscc.kinesis_stream
Filters
Actions
kinesis-firehose resources
awscc.kinesisfirehose_deliverystream
Filters
Actions
kinesisvideo resources
awscc.kinesisvideo_signalingchannel
Filters
Actions
awscc.kinesisvideo_stream
Filters
Actions
kms resources
awscc.kms_alias
Filters
Actions
awscc.kms_key
Filters
Actions
awscc.kms_replicakey
Filters
Actions
lambda resources
awscc.lambda_codesigningconfig
Filters
Actions
awscc.lambda_eventsourcemapping
Filters
Actions
awscc.lambda_function
Filters
Actions
lexv2-models resources
awscc.lex_bot
Filters
Actions
awscc.lex_botalias
Filters
Actions
awscc.lex_resourcepolicy
Filters
Actions
license-manager resources
awscc.licensemanager_grant
Filters
Actions
awscc.licensemanager_license
Filters
Actions
lightsail resources
awscc.lightsail_alarm
Filters
Actions
awscc.lightsail_bucket
Filters
Actions
awscc.lightsail_database
Filters
Actions
awscc.lightsail_disk
Filters
Actions
awscc.lightsail_instance
Filters
Actions
awscc.lightsail_loadbalancer
Filters
Actions
awscc.lightsail_loadbalancertlscertificate
Filters
Actions
awscc.lightsail_staticip
Filters
Actions
logs resources
awscc.logs_loggroup
Filters
Actions
awscc.logs_querydefinition
Filters
Actions
awscc.logs_resourcepolicy
Filters
Actions
lookoutequipment resources
awscc.lookoutequipment_inferencescheduler
Filters
Actions
lookoutmetrics resources
awscc.lookoutmetrics_anomalydetector
Filters
Actions
lookoutvision resources
awscc.lookoutvision_project
Filters
Actions
macie resources
awscc.macie_customdataidentifier
Filters
Actions
awscc.macie_findingsfilter
Filters
Actions
awscc.macie_session
Filters
Actions
mediaconnect resources
awscc.mediaconnect_flow
Filters
Actions
awscc.mediaconnect_flowentitlement
Filters
Actions
awscc.mediaconnect_flowoutput
Filters
Actions
awscc.mediaconnect_flowsource
Filters
Actions
awscc.mediaconnect_flowvpcinterface
Filters
Actions
mediapackage resources
awscc.mediapackage_channel
Filters
Actions
awscc.mediapackage_originendpoint
Filters
Actions
awscc.mediapackage_packaginggroup
Filters
Actions
memorydb resources
awscc.memorydb_acl
Filters
Actions
awscc.memorydb_cluster
Filters
Actions
awscc.memorydb_parametergroup
Filters
Actions
awscc.memorydb_subnetgroup
Filters
Actions
awscc.memorydb_user
Filters
Actions
mwaa resources
awscc.mwaa_environment
Filters
Actions
network-firewall resources
awscc.networkfirewall_firewall
Filters
Actions
awscc.networkfirewall_firewallpolicy
Filters
Actions
awscc.networkfirewall_loggingconfiguration
Filters
Actions
awscc.networkfirewall_rulegroup
Filters
Actions
networkmanager resources
awscc.networkmanager_device
Filters
Actions
awscc.networkmanager_globalnetwork
Filters
Actions
awscc.networkmanager_link
Filters
Actions
awscc.networkmanager_site
Filters
Actions
nimble resources
awscc.nimblestudio_launchprofile
Filters
Actions
awscc.nimblestudio_streamingimage
Filters
Actions
awscc.nimblestudio_studio
Filters
Actions
awscc.nimblestudio_studiocomponent
Filters
Actions
opsworkscm resources
awscc.opsworkscm_server
Filters
Actions
panorama resources
awscc.panorama_applicationinstance
Filters
Actions
awscc.panorama_package
Filters
Actions
awscc.panorama_packageversion
Filters
Actions
pinpoint resources
awscc.pinpoint_inapptemplate
Filters
Actions
qldb resources
awscc.qldb_stream
Filters
Actions
quicksight resources
awscc.quicksight_analysis
Filters
Actions
awscc.quicksight_dashboard
Filters
Actions
awscc.quicksight_dataset
Filters
Actions
awscc.quicksight_datasource
Filters
Actions
awscc.quicksight_template
Filters
Actions
awscc.quicksight_theme
Filters
Actions
rds resources
awscc.rds_dbproxy
Filters
Actions
awscc.rds_dbproxyendpoint
Filters
Actions
awscc.rds_dbproxytargetgroup
Filters
Actions
awscc.rds_globalcluster
Filters
Actions
redshift resources
awscc.redshift_cluster
Filters
Actions
awscc.redshift_endpointaccess
Filters
Actions
awscc.redshift_endpointauthorization
Filters
Actions
awscc.redshift_eventsubscription
Filters
Actions
awscc.redshift_scheduledaction
Filters
Actions
rekognition resources
awscc.rekognition_project
Filters
Actions
resiliencehub resources
awscc.resiliencehub_app
Filters
Actions
awscc.resiliencehub_resiliencypolicy
Filters
Actions
resource-groups resources
awscc.resourcegroups_group
Filters
Actions
robomaker resources
awscc.robomaker_fleet
Filters
Actions
awscc.robomaker_robot
Filters
Actions
awscc.robomaker_simulationapplication
Filters
Actions
route53 resources
awscc.route53_healthcheck
Filters
Actions
awscc.route53_hostedzone
Filters
Actions
awscc.route53_keysigningkey
Filters
Actions
route53-recovery-control-config resources
awscc.route53recoverycontrol_controlpanel
Filters
Actions
awscc.route53recoverycontrol_routingcontrol
Filters
Actions
awscc.route53recoverycontrol_safetyrule
Filters
Actions
route53-recovery-readiness resources
awscc.route53recoveryreadiness_cell
Filters
Actions
awscc.route53recoveryreadiness_readinesscheck
Filters
Actions
awscc.route53recoveryreadiness_recoverygroup
Filters
Actions
awscc.route53recoveryreadiness_resourceset
Filters
Actions
route53resolver resources
awscc.route53resolver_firewalldomainlist
Filters
Actions
awscc.route53resolver_firewallrulegroup
Filters
Actions
awscc.route53resolver_firewallrulegroupassociation
Filters
Actions
awscc.route53resolver_resolverrule
Filters
Actions
rum resources
awscc.rum_appmonitor
Filters
Actions
s3 resources
awscc.s3_accesspoint
Filters
Actions
awscc.s3_bucket
Filters
Actions
awscc.s3_multiregionaccesspoint
Filters
Actions
awscc.s3_multiregionaccesspointpolicy
Filters
Actions
awscc.s3_storagelens
Filters
Actions
s3control resources
awscc.s3objectlambda_accesspoint
Filters
Actions
awscc.s3objectlambda_accesspointpolicy
Filters
Actions
s3outposts resources
awscc.s3outposts_accesspoint
Filters
Actions
awscc.s3outposts_bucket
Filters
Actions
awscc.s3outposts_bucketpolicy
Filters
Actions
sagemaker resources
awscc.sagemaker_appimageconfig
Filters
Actions
awscc.sagemaker_device
Filters
Actions
awscc.sagemaker_devicefleet
Filters
Actions
awscc.sagemaker_domain
Filters
Actions
awscc.sagemaker_image
Filters
Actions
awscc.sagemaker_modelpackagegroup
Filters
Actions
awscc.sagemaker_monitoringschedule
Filters
Actions
awscc.sagemaker_pipeline
Filters
Actions
awscc.sagemaker_project
Filters
Actions
awscc.sagemaker_userprofile
Filters
Actions
schemas resources
awscc.eventschemas_registrypolicy
Filters
Actions
servicecatalog resources
awscc.servicecatalog_cloudformationprovisionedproduct
Filters
Actions
awscc.servicecatalog_serviceaction
Filters
Actions
servicecatalog-appregistry resources
awscc.servicecatalogappregistry_application
Filters
Actions
awscc.servicecatalogappregistry_attributegroup
Filters
Actions
ses resources
awscc.ses_contactlist
Filters
Actions
signer resources
awscc.signer_signingprofile
Filters
Actions
ssm resources
awscc.ssm_association
Filters
Actions
awscc.ssm_document
Filters
Actions
awscc.ssm_resourcedatasync
Filters
Actions
ssm-contacts resources
awscc.ssmcontacts_contact
Filters
Actions
awscc.ssmcontacts_contactchannel
Filters
Actions
ssm-incidents resources
awscc.ssmincidents_replicationset
Filters
Actions
awscc.ssmincidents_responseplan
Filters
Actions
sso resources
awscc.sso_instanceaccesscontrolattributeconfiguration
Filters
Actions
awscc.sso_permissionset
Filters
Actions
stepfunctions resources
awscc.stepfunctions_activity
Filters
Actions
awscc.stepfunctions_statemachine
Filters
Actions
synthetics resources
awscc.synthetics_canary
Filters
Actions
transfer resources
awscc.transfer_workflow
Filters
Actions
wafv2 resources
awscc.wafv2_ipset
Filters
Actions
awscc.wafv2_loggingconfiguration
Filters
Actions
awscc.wafv2_regexpatternset
Filters
Actions
awscc.wafv2_webaclassociation
Filters
Actions
xray resources
awscc.xray_group
Filters
Actions
awscc.xray_samplingrule
Filters
Actions
Kubernetes
Getting Started (Alpha)
Install Kubernetes Plugin
Option 1: Install released packages to local Python Environment
Option 2: Install latest from the repository
Connecting to your Cluster
Write Your First Policy
Run Your Policy
Kubernetes Controller Mode
Install the Server
Option 1: Manual installation
Option 2: Helm chart
Testing
Authoring Policies
Examples
Denying Pod Exec or Attach
Require Labels on Resources on Creation or Update
Require Replicas on Deployments
Restrict Service Account Usage
Tools
c7n-org: Multi Account Custodian Execution
Installation
Config File Generation
Running a Policy with c7n-org
Selecting accounts, regions, policies for execution
Defining and using variables
Other commands
Additional Azure Instructions
c7n-mailer: Custodian Mailer
Message Relay
Tutorial
Email:
DataDog:
Slack:
Splunk HTTP Event Collector (HEC)
Now run:
Usage & Configuration
Standard Lambda Function Config
Standard Azure Functions Config
Mailer Infrastructure Config
SMTP Config
DataDog Config
Slack Config
SendGrid Config
Splunk HEC Config
SDK Config
Secured String
AWS
Azure
GCP
Configuring a policy to send email
Using on Azure
Deploying Azure Functions
Configuring Function Identity
Using on GCP
Deploying GCP Functions
Writing an email template
Developer Install (OS X El Capitan)
Testing Templates and Recipients
Testing Templates for Azure
Custodian policies for Infrastructure Code
Install
Usage
Filters
Outputs
c7n-log-exporter: Cloud watch log exporter automation
Features
Assumptions
Cli usage
Config format
Using S3 Bucket as destination
Using CloudWatch Destination as destination cross account
Multiple accounts via cli
Serverless Usage
c7n-trailcreator: Retroactive Resource Creator Tagging
Install
Config File
Athena Usage
Tagging
Multi Account / Multi Region
c7n-policystream: Policy Changes from Git
Install
Build
Usage
Options
OmniSSM - EC2 Systems Manager Automation
Client Configuration
Links
Todo
c7n-guardian: Automated multi-account Guard Duty setup
Accounts Credentials
Using custodian policies for remediation
c7n-salactus: Distributed Scale out S3 processing
Use Cases
Usage
Sample Configuration
Contributing
Contributing to Cloud Custodian
Developer install
Issues
Code of Conduct
Contributor agreement
Developer Guide
Installing for Developers
Installing Prerequisites
Install Python 3
On Ubuntu
On macOS with Homebrew
On Windows
Other Installation Methods
Install Poetry
On Mac/Linux
On Windows with Powershell
Installing Custodian
Testing for Developers
Running tests
Operating System Compatibility
Writing Tests for Cloud Controlled Resources
Creating Cloud Resources with Terraform
Recording Custodian Interactions
Controlling Resource Cleanup
Converting older functional tests
Documentation For Developers
Find the Documentation
Edit the Documentation
Render the Documentation
Packaging Custodian
Usage
Caveats
Cloud Custodian
AWS Cloud Control Reference
awscc.cassandra_keyspace
awscc.cassandra_table
awscc.chatbot_slackchannelconfiguration
awscc.codestarnotifications_notificationrule
awscc.timestream_database
awscc.timestream_scheduledquery
awscc.timestream_table