
When deploying RDS and S3 Buckets for tag compliance as AWS config rules, all resources are being included in the filter


I believe this is related to https://github.com/capitalone/cloud-custodian/issues/801 but I wanted to report this as well, because it has serious implications.

If I run a tagging compliance policy for RDS and S3 buckets via dryrun mode AND explicitly pass in the region, I get the correct results. However, if I deploy the policy as an AWS config rule, every one of my S3 and RDS resources seems to be included as non-compliant, even when I’m passing in region at the command line. Fortunately, I did not have any actions enabled (we’ll be deleting them once this is filtering properly).

Here are the policies:

policies:   # top-level key a Cloud Custodian policy file requires
  - name: rds-tag-compliance
    resource: rds
    description:
      Terminate an RDS through a config rule
      if it does not comply with tagging best practices.
      The instance will be terminated within 15 minutes.
    mode:
      type: config-rule
    filters:
      - "tag:CostCenter": absent

  - name: s3-tag-compliance
    resource: s3
    description:
      Terminate an S3 through a config rule
      if it does not comply with tagging best practices.
      The instance will be terminated within 15 minutes.
    mode:
      type: config-rule
    filters:
      - "tag:CostCenter": absent

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

1 reaction
kapilt commented, Feb 6, 2017

Yeah, the issue is effectively that all tags are missing on a handful of resource types (rds, rds snapshots, app elb, and s3 buckets) since it's considered by config to be a supplementary field. For config rules not using those fields, no issues. For those that are, results will be misleading since there are no tag values to validate against. The referenced pull request merges the supplementary config to get config and other data back into the resource when custodian evaluates it.
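
The effect described in this comment, as an added illustration that is not part of the issue thread or of Cloud Custodian's own code: an evaluator that reads only the top-level tags of a configuration item reports every RDS instance and S3 bucket as missing CostCenter, while one that merges the supplementary tags back in gets the right answer. The configuration items, the supplementaryConfiguration "Tags" key and its JSON shape are constructed sample data and assumptions, not the real AWS Config format.

```python
import json

# Constructed AWS Config configuration items (sample data, not from a real account).
# For RDS and S3, tags are assumed to live only in supplementaryConfiguration, as a
# JSON string under a "Tags" key (assumed shape), while the top-level "tags" is empty.
CONFIG_ITEMS = [
    {
        "resourceType": "AWS::RDS::DBInstance",
        "resourceId": "db-with-costcenter",
        "tags": {},
        "supplementaryConfiguration": {
            "Tags": json.dumps([{"Key": "CostCenter", "Value": "CC-100"}])
        },
    },
    {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "bucket-untagged",
        "tags": {},
        "supplementaryConfiguration": {},
    },
]


def merged_tags(item):
    """Tags a filter should see: top-level tags plus supplementary tags."""
    tags = dict(item.get("tags") or {})
    raw = item.get("supplementaryConfiguration", {}).get("Tags")
    if raw:
        for tag in json.loads(raw):
            tags[tag["Key"]] = tag["Value"]
    return tags


def evaluate(item, key, expected, use_supplementary):
    """Apply a 'tag:<key>' filter; a match means the resource is NON_COMPLIANT.

    expected is either the literal string 'absent' or a required tag value."""
    tags = merged_tags(item) if use_supplementary else dict(item.get("tags") or {})
    if expected == "absent":
        matched = key not in tags
    else:
        matched = tags.get(key) == expected
    return "NON_COMPLIANT" if matched else "COMPLIANT"


def run(key, expected, use_supplementary):
    """Evaluate every configuration item and map resourceId to its compliance."""
    return {i["resourceId"]: evaluate(i, key, expected, use_supplementary)
            for i in CONFIG_ITEMS}
```

Note the asymmetry the next comment observes: with supplementary tags ignored, an `absent` filter flags everything, whereas a filter on a specific tag value simply matches nothing, so it looks correct even though the tag data was never seen.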

0 reactions
caversa commented, Feb 6, 2017

Kapil, sounds like you’ve found the issue, but I wanted to provide a little extra information in case it helps. On Friday I created a config rule where I was specifying a tag value to search for (looking for an obsolete Cost Center), and that worked properly, so the issue seems to be specific to searching for the absence of the tag.

