I'm trying to wrap my brain around how to appropriately filter security group rules.
I currently have this rule (and it works fine):
filters:
  - type: ingress
    Ports: [22, 3389]
    Cidr:
      value: "0.0.0.0/0"
actions:
  - type: remove-permissions
    ingress: matched
I'm auto-removing this rule.
Now I need to update this rule to try to catch a few more things. I want to also remove the ingress rule if it matches "::/0".
Finally, I've been asked to create a rule that automatically removes *all* rules (both ingress and egress) on the default security group.
I'm trying to figure out if there is a way to capture that logic for this one policy. I can get my attempts to pass validation, but then nothing ever gets removed.
Here is what I've tried:
filters:
  - type: ingress
    Ports: [22, 3389]
    Cidr:
      value: "0.0.0.0/0"
  - type: ingress
    Ports: [22, 3389]
    Cidr:
      value: "::/0"
Are filters ANDed? This policy filter would no longer match any ingress rules.
I wasn't able to get a rule that would match the security group by name, but that seems like it should be easy.
I've discovered "custodian schema security-group.filters.ingress" that was helpful, but even that doesn't seem to accurately show all the options, like it doesn't mention "Cidr" as a key, but that obviously works.
Am I just making myself crazy trying to fit this all in one policy, or should I just be generating a ton of little policies? Maybe I'm worrying about the wrong thing? It seems like it would be nice to have like rules together, though.
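One way to express both requirements, as an added example policy file that is not part of the original post: the IPv4 and IPv6 cases are combined with Cloud Custodian's `or` boolean block (top-level filters are ANDed, so a resource would have to match every one of them), and the default-group cleanup is a second policy in the same file so related rules still live together. The `CidrV6` key (the IPv6 counterpart of `Cidr`), the `or` block, the `value` filter on `GroupName`, and the `all` option of `remove-permissions` are taken from Cloud Custodian's schema as I know it; older releases write the resource as `security-group` without the `aws.` prefix. Confirm the key names on your version with `custodian schema aws.security-group.filters.ingress` and `custodian validate` before relying on them.

```yaml
policies:
  # Policy 1: strip any ingress rule that exposes SSH or RDP to the whole
  # internet, over IPv4 (0.0.0.0/0) or IPv6 (::/0).  The two ingress filters
  # sit under an `or` block because sibling filters at the top level are ANDed.
  - name: sg-remove-world-open-ssh-rdp
    resource: aws.security-group
    filters:
      - or:
          - type: ingress
            Ports: [22, 3389]
            Cidr:
              value: "0.0.0.0/0"
          - type: ingress
            Ports: [22, 3389]
            CidrV6:          # IPv6 ranges live in Ipv6Ranges, not IpRanges
              value: "::/0"
    actions:
      - type: remove-permissions
        ingress: matched     # only the permissions the filters matched

  # Policy 2: the default security group of each VPC should carry no rules at
  # all, so remove every ingress and egress permission it has.  Matching on
  # GroupName is an assumption of this example; a tag-based filter would do too.
  - name: sg-default-remove-all-rules
    resource: aws.security-group
    filters:
      - type: value
        key: GroupName
        value: default
    actions:
      - type: remove-permissions
        ingress: all
        egress: all
```

Because the first policy removes only the matched permissions, it is worth checking what the `or` block actually records before enabling it: run `custodian run --dryrun -s out policy.yml` and inspect the `MatchedIpPermissions` entries in the `resources.json` it writes, so that a group with both an IPv4 and an IPv6 world-open rule loses both and not just the first one matched.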