The iam.iam-policy is not obeying tag absence filters
Describe the bug
The AWS Resource iam.iam-policy is not obeying tag filters
To Reproduce
- Create an IAM Policy which has three tags 'Alpha', 'Bravo' and 'Charlie'
- Create a Cloud Custodian Policy to find IAM Policies missing AWS Tags:

```yaml
policies:
  - name: tag-noncompliance-aws-iam-policy
    mode:
      type: pull
    resource: aws.iam-policy
    filters:
      - or:
          - "tag:Alpha": absent
          - "tag:Bravo": absent
          - "tag:Charlie": absent
```

- Run the policy and observe that tagged resources are returned even though they do not match any of the absent tag filters.
Expected behavior
The tagged policies should not be returned, as they have all of the tags that we are filtering on as absent.
Background (please complete the following information):
- OS: OSX 10.15.7
- Python Version: 3.7.6
- Custodian Version: 0.9.11
- Tool Version: N/A
- Cloud Provider: AWS
- Policy: [please exclude any account/sensitive information]

```yaml
policies:
  - name: tag-noncompliance-aws-iam-policy
    mode:
      type: pull
    resource: aws.iam-policy
    filters:
      - or:
          - "tag:Alpha": absent
          - "tag:Bravo": absent
          - "tag:Charlie": absent
```

- Traceback: N/A, no error.
`custodian version --debug` output:

```text
Please copy/paste the following info along with any bug reports:

Custodian:   0.9.11
Python:      3.7.6 (v3.7.6:43364a7ae0, Dec 18 2019, 14:18:50)
             [Clang 6.0 (clang-600.0.57)]
Platform:    posix.uname_result(sysname='Darwin', nodename='TASTLE-M-72NB', release='19.6.0', version='Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64', machine='x86_64')
Using venv:  True
Docker: False
Installed:

argcomplete==1.12.2
attrs==20.3.0
boto3==1.17.33
botocore==1.20.33
importlib-metadata==3.7.3
jmespath==0.10.0
jsonpickle==1.3
jsonschema==3.2.0
pyrsistent==0.17.3
python-dateutil==2.8.1
pyyaml==5.4.1
s3transfer==0.3.6
setuptools==41.2.0
six==1.15.0
tabulate==0.8.9
typing-extensions==3.7.4.3
urllib3==1.26.4
zipp==3.4.1
```
Additional context
I suspect that the tags on the IAM Policy are not being loaded at all. This is why the policy filtering on them being absent always matches. It always matches because no tags are present.
Issue Analytics
- Created 2 years ago
- Comments: 6 (6 by maintainers)
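The failure mode the reporter suspects, worked through as an added example that is not part of this issue or of Cloud Custodian's own code. It mirrors, in simplified form, the lookup a c7n value filter does for a `tag:<Key>` key (walk the resource's `Tags` list, return `None` when the key is not there, and `absent` matches on `None`), and shows why a resource whose tags were never loaded satisfies every `absent` filter at once. `FakeIamClient`, the policy ARN and the tag values are constructed for the example; the `list_policy_tags` call it imitates is the real boto3 IAM method a practitioner would use to cross-check Custodian's verdict against IAM itself.

```python
"""Added example: `tag:<Key>: absent` against a resource with unloaded tags.

Simplified imitation of the `tag:` lookup in Cloud Custodian's value filter;
not c7n's own code. Sample data below is constructed for the example.
"""

from typing import Dict, Iterable, List, Optional

# Constructed: the IAM policy from the issue, tagged Alpha/Bravo/Charlie.
POLICY_ARN = "arn:aws:iam::123456789012:policy/example-policy"

# How the resource looked to Custodian when the bug reproduced: no Tags at all.
POLICY_TAGS_NOT_LOADED = {"PolicyName": "example-policy", "Arn": POLICY_ARN}

# The same resource once tags have been augmented onto the resource dict.
POLICY_TAGS_LOADED = {
    "PolicyName": "example-policy",
    "Arn": POLICY_ARN,
    "Tags": [
        {"Key": "Alpha", "Value": "1"},
        {"Key": "Bravo", "Value": "2"},
        {"Key": "Charlie", "Value": "3"},
    ],
}


def tag_value(resource: dict, key: str) -> Optional[str]:
    """Value of tag `key` in AWS's list-of-dicts Tags form, or None when the
    key is missing. A resource with no "Tags" key yields None for every key."""
    for tag in resource.get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def missing_keys(resource: dict, keys: Iterable[str]) -> List[str]:
    """Keys a `tag:<Key>: absent` filter would match on this resource."""
    return [k for k in keys if tag_value(resource, k) is None]


def any_tag_absent(resource: dict, keys: Iterable[str]) -> bool:
    """The issue's policy: `or:` over one `absent` filter per key."""
    return bool(missing_keys(resource, keys))


def run_policy(resources: Iterable[dict], keys: Iterable[str]) -> List[str]:
    """ARNs the noncompliance policy would report."""
    keys = list(keys)
    return [r["Arn"] for r in resources if any_tag_absent(r, keys)]


class FakeIamClient:
    """Constructed stand-in for a boto3 IAM client's list_policy_tags.
    The real call is paginated (Marker/IsTruncated); this returns one page."""

    def __init__(self, tags_by_arn: Dict[str, List[dict]]):
        self._tags = tags_by_arn

    def list_policy_tags(self, PolicyArn: str) -> dict:
        return {"Tags": list(self._tags.get(PolicyArn, [])), "IsTruncated": False}


def cross_check(iam_client, resource: dict, keys: Iterable[str]) -> List[str]:
    """Keys flagged absent on the resource dict that IAM says are present.

    A non-empty result means the resource dict is stale (tags not loaded),
    not that the policy is genuinely missing tags.
    """
    flagged = missing_keys(resource, keys)
    page = iam_client.list_policy_tags(PolicyArn=resource["Arn"])
    live = {t["Key"] for t in page["Tags"]}
    return [k for k in flagged if k in live]


if __name__ == "__main__":
    keys = ["Alpha", "Bravo", "Charlie"]
    print(run_policy([POLICY_TAGS_NOT_LOADED], keys))  # false positive: ARN listed
    print(run_policy([POLICY_TAGS_LOADED], keys))      # []
    client = FakeIamClient({POLICY_ARN: POLICY_TAGS_LOADED["Tags"]})
    print(cross_check(client, POLICY_TAGS_NOT_LOADED, keys))  # all three keys
```

The cross-check is the practical takeaway: when every `absent` filter fires on resources you know are tagged, compare the resource dict Custodian evaluated with what the service's own tag API returns before trusting the compliance report.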
Top GitHub Comments

Thanks @ajkerrigan, I've opened a PR for the change here: https://github.com/cloud-custodian/cloud-custodian/pull/6751
I'd seen `universal_taggable` during my earlier investigation but I'd removed that change from my patch as unnecessary, as I couldn't see what it was doing. Which makes sense now, as in this instance I was not trying to mutate tags using c7n.

That's great news @trastle, thanks for sticking with this one!

For the record I was dead wrong - I was working in us-east-2 which let me set but not see tags on global IAM resources. Silly, silly. Custodian is smart enough to flip to us-east-1 and "just work" in those cases.

As far as applying tags goes, I'd suggest specifying `universal_taggable` as in this example. A PR with the `universal_augment` and `universal_taggable` bits would be most appreciated.