Cloud Custodian - Retroactive Tag Resource Creators from CloudTrail
Project description
AWS AutoTag Resource Creators
This script will process cloudtrail records to create a sqlite db of resources and their creators, and then use that sqlitedb to tag the resources with their creator's name.
In processing cloudtrail it can use either Athena or S3 Select. A config file of the events and resources of interest is required.
Install
$ pip install c7n_trailcreator
$ c7n-trailcreator --help
Config File
The config file format here is similiar to what custodian requires for lambda policies on cloudtrail api events as an event selector.
First for each resource, the custodian resource-type is required to be specified, and then for each event, we need to know the name of the service, the event name, and a jmespath expression to get the resource ids.
{
"resources": [
{
"resource": "iam-role",
"events": [
{
"event": "CreateRole",
"ids": "requestParameters.roleName",
"service": "iam.amazonaws.com"
}
]
},
{
"resource": "iam-user",
"shape": "User",
"events": [
{
"event": "CreateUser",
"ids": "requestParameters.userName",
"service": "iam.amazonaws.com"
}
]
}]
}
Tagging
It supports this across all the resources that custodian supports.
Multi Account / Multi Region
c7n-trailcreator supports executing across multiple accounts and regions when tagging using the same file format that c7n-org uses to denote accounts.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
