Issue with group filter when run as lambda
This ticket is related to #2454.
When policy is run as a Lambda function, the following messages appear in the CloudWatch logs:
[ERROR] 2018-06-05T22:20:12.415Z 79a5d662-690e-11e8-bd2d-d557592c4236 Error while executing policy
Traceback (most recent call last):
File "/var/task/c7n/policy.py", line 229, in run
resources = self.policy.resource_manager.resources()
File "/var/task/c7n/query.py", line 421, in resources
return self.filter_resources(resources)
File "/var/task/c7n/manager.py", line 90, in filter_resources
resources = f.process(resources, event)
File "/var/task/c7n/resources/iam.py", line 960, in process
for p in r['c7n:Groups']:
KeyError: u'c7n:Groups'
u'c7n:Groups': KeyError
Traceback (most recent call last):
File "/var/task/custodian_policy.py", line 4, in run
return handler.dispatch_event(event, context)
File "/var/task/c7n/handler.py", line 89, in dispatch_event
p.push(event, context)
File "/var/task/c7n/policy.py", line 739, in push
return mode.run(event, lambda_ctx)
File "/var/task/c7n/policy.py", line 504, in run
return PullMode.run(self)
File "/var/task/c7n/policy.py", line 229, in run
resources = self.policy.resource_manager.resources()
File "/var/task/c7n/query.py", line 421, in resources
return self.filter_resources(resources)
File "/var/task/c7n/manager.py", line 90, in filter_resources
resources = f.process(resources, event)
File "/var/task/c7n/resources/iam.py", line 960, in process
for p in r['c7n:Groups']:
KeyError: u'c7n:Groups'
Policy
policies:
  - name: mfa-unused-audit
    description: |
      Cloud Custodian MFA Admin Audit
    comments: |
      Retrieve list of all IAM users in the group 'CloudCustodianAdmins'
      who have not enabled MFA and delete their ssh-keys and access-keys.
      Also, disable access to management console.
    resource: iam-user
    mode:
      type: periodic
      role: arn:aws:iam::1234567890:role/CloudCustodianRole
      schedule: "rate(1 minute)"
    filters:
      - type: credential
        key: mfa_active
        value: false
      - type: group
        key: GroupName
        value: CloudCustodianAdmins
    actions:
      - type: delete
        options:
          - access-keys
          - ssh-keys
          - console-access
The policy runs clean when run locally.
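The traceback above fails at `r['c7n:Groups']`, i.e. the group filter indexes an annotation that something earlier in the run was expected to have put on each user resource, and in the Lambda run it is absent. The following Python is an added illustration, not Cloud Custodian's own code and not the maintainers' fix: it reproduces that failure shape on constructed sample users and shows a group filter that populates the annotation on demand instead of assuming it. `StubIamClient`, `sample_users`, `SAMPLE_MEMBERSHIP`, `annotate_groups` and `hardened_group_filter` are all names invented for the example; the only real API shape borrowed is the `{"Groups": [{"GroupName": ...}]}` response of IAM `ListGroupsForUser`.

```python
"""Added example: reproducing the 'c7n:Groups' KeyError and a filter that tolerates it.

Not Cloud Custodian code. The IAM client is an in-memory stub that mimics only the
response shape of boto3's iam.list_groups_for_user(UserName=...).
"""
from typing import Any, Dict, List, Tuple

GROUP_ANNOTATION = "c7n:Groups"  # the annotation key named in the traceback


def sample_users() -> List[Dict[str, Any]]:
    """Constructed sample resources: one pre-annotated user (what a local run with an
    earlier annotating step produces) and two bare users (the shape seen in Lambda)."""
    return [
        {"UserName": "alice", GROUP_ANNOTATION: [{"GroupName": "CloudCustodianAdmins"}]},
        {"UserName": "bob"},
        {"UserName": "carol"},
    ]


# Constructed membership table behind the stub client (hypothetical data).
SAMPLE_MEMBERSHIP = {
    "alice": ["CloudCustodianAdmins"],
    "bob": ["CloudCustodianAdmins", "Developers"],
    "carol": ["Developers"],
}


class StubIamClient:
    """Stands in for a boto3 IAM client; only list_groups_for_user is mimicked."""

    def __init__(self, membership: Dict[str, List[str]]) -> None:
        self._membership = membership
        self.calls = 0  # counts API calls so the example can show the caching effect

    def list_groups_for_user(self, UserName: str) -> Dict[str, Any]:
        self.calls += 1
        groups = self._membership.get(UserName, [])
        return {"Groups": [{"GroupName": g} for g in groups]}


def naive_group_filter(resources, key, value):
    """Same assumption as the failing line in the traceback: every resource is annotated."""
    return [r for r in resources if any(g[key] == value for g in r[GROUP_ANNOTATION])]


def missing_annotation_key(resources, key, value):
    """Run the naive filter; return the missing key name on KeyError, or None if it ran clean."""
    try:
        naive_group_filter(resources, key, value)
    except KeyError as exc:
        return exc.args[0]
    return None


def annotate_groups(resources, client):
    """Fill in the annotation only where it is absent, so already-annotated resources
    (and repeated filters in one run) do not trigger another IAM call."""
    for r in resources:
        if GROUP_ANNOTATION not in r:
            resp = client.list_groups_for_user(UserName=r["UserName"])
            r[GROUP_ANNOTATION] = resp["Groups"]
    return resources


def hardened_group_filter(resources, key, value, client):
    """Group filter that works whether or not an earlier step annotated the resources.
    Uses .get() on the group dicts so an unexpected key name yields no match, not a crash."""
    annotate_groups(resources, client)
    return [
        r for r in resources
        if any(g.get(key) == value for g in r.get(GROUP_ANNOTATION, []))
    ]


def run_hardened(resources, key, value) -> Tuple[List[str], int]:
    """Apply the hardened filter with a fresh stub client; return matched user names
    and how many IAM calls were needed."""
    client = StubIamClient(SAMPLE_MEMBERSHIP)
    names = [r["UserName"] for r in hardened_group_filter(resources, key, value, client)]
    return names, client.calls


if __name__ == "__main__":
    print("naive filter missing key:",
          missing_annotation_key(sample_users(), "GroupName", "CloudCustodianAdmins"))
    print("hardened matches, IAM calls:",
          run_hardened(sample_users(), "GroupName", "CloudCustodianAdmins"))
```

Note the cost: annotating on demand is one `ListGroupsForUser` call per un-annotated user per run, which matters for a policy scheduled at `rate(1 minute)` against a large account. Keeping the annotation on the resource dict, as `annotate_groups` does, bounds that to one call per user per invocation, and a run whose resources arrive pre-annotated makes no calls at all.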
Issue Analytics
- Created 5 years ago
- Comments: 6 (2 by maintainers)
Related issue: Unresolved issue with group filter when run as Lambda #2527
"Sorry for not clarifying. The issue observed is the group filter used with the lambda cron policy. I haven't tested with the event..."
Top GitHub Comments
I went ahead and changed the title to more accurately reflect the reported issue.

While the errors are no longer appearing, my group filter is not matching against any users when run as a Lambda.
Also, when I run my policy locally the group filter only matches when the GroupName is ‘Administrators’.
If the GroupName is anything else, the group filter shows no matches.
Temporary workaround is to run the policy locally as a cron job – but ideally, I would like to run it as a Lambda filtering against any custom GroupName given.