Auto-remediation for missing tags in AWS using Cloud Custodian — Part 1

[Screenshot 1 and screenshot 2: the auto-tag-user schema and its actions]
```yaml
policies:
  - name: misc-na-acm-certificate-auto-tag
    resource: aws.acm-certificate
    comments: |
      Find ACM Certificate that has not been tagged with mandatory
      owner tag on-creation. Tag ACM Certificate with the user who
      created it. This policy does not apply on existing ACM Certs.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: acm.amazonaws.com
          event: RequestCertificate
          # The certificate ARN is only in the response; the request
          # carries the domain name, which is not a resource id.
          ids: responseElements.certificateArn
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: misc-na-ami-auto-tag
    resource: aws.ami
    comments: |
      Find AMI that has not been tagged with mandatory owner tag on-
      creation. Tag AMI with the user who created it. This policy does
      not apply on existing AMIs.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: ec2.amazonaws.com
          event: CreateImage
          # CreateImage returns the new imageId in the response, not the request.
          ids: responseElements.imageId
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: auto-scaling-group-auto-tag
    resource: aws.asg
    comments: |
      Find ASG that has not been tagged with mandatory
      owner tag on-creation. Tag ASG with the user who
      created it. This policy does not apply on existing ASG.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: autoscaling.amazonaws.com
          event: CreateAutoScalingGroup
          ids: requestParameters.autoScalingGroupName
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: rest-api-auto-tag
    resource: aws.rest-api
    comments: |
      Find API Gateway RestApi that has not been tagged with mandatory
      owner tag on-creation. Tag RestApi with the user who
      created it. This policy does not apply on existing RestApi.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: apigateway.amazonaws.com
          event: CreateRestApi
          ids: responseElements.restapiResources.restApiId
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: backup-plan-auto-tag
    resource: aws.backup-plan
    comments: |
      Find Backup plan that has not been tagged with mandatory
      owner tag on-creation. Tag backup plan with the user who
      created it. This policy does not apply on existing backup plans.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: backup.amazonaws.com
          event: CreateBackupPlan
          ids: responseElements.backupPlanArn
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: cloudformation-auto-tag
    resource: aws.cfn
    comments: |
      Find CloudFormation stack that has not been tagged with mandatory
      owner tag on-creation. Tag cfn stack with the user who
      created it. This policy does not apply on existing cfn stacks.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: cloudformation.amazonaws.com
          event: CreateStack
          # CloudTrail records have requestParameters/responseElements;
          # 'responseParameters' is not a field and would never match.
          ids: requestParameters.stackName
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: cloudtrail-auto-tag
    resource: aws.cloudtrail
    comments: |
      Find CloudTrail trail that has not been tagged with mandatory
      owner tag on-creation. Tag the trail with the user who
      created it. This policy does not apply on existing trails.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: cloudtrail.amazonaws.com
          event: CreateTrail
          # 'responseParameters' is not a CloudTrail record field;
          # the trail name is in the request parameters.
          ids: requestParameters.name
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: customer-gateway-auto-tag
    resource: aws.customer-gateway
    comments: |
      Find Customer Gateway that has not been tagged with mandatory
      owner tag on-creation. Tag customer gateway with the user
      who created it. This policy does not apply on existing customer
      gateways.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: ec2.amazonaws.com
          event: CreateCustomerGateway
          ids: responseElements.customerGateway.customerGatewayId
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: cloudfront-distr-streaming-auto-tag
    resource: aws.distribution
    comments: |
      Find Cloudfront distribution that has not been tagged with
      mandatory owner tag on-creation. Tag cloudfront distribution
      with the user who created it. This policy does not apply
      on existing cloudfront distributions.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: cloudfront.amazonaws.com
          event: CreateDistribution
          ids: responseElements.distribution.id
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: datapipeline-auto-tag
    resource: aws.datapipeline
    comments: |
      Find Datapipeline that has not been tagged with mandatory owner
      tag on-creation. Tag datapipeline with the user who created it.
      This policy does not apply on existing datapipelines.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: datapipeline.amazonaws.com
          event: CreatePipeline
          # 'responseParameters' is not a CloudTrail record field; CreatePipeline
          # returns the pipelineId, which is what the datapipeline resource is keyed on.
          ids: responseElements.pipelineId
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: directconnect-auto-tag
    resource: aws.directconnect
    comments: |
      Find Directconnect that has not been tagged with mandatory owner
      tag on-creation. Tag directconnect with the user who created it.
      This policy does not apply on existing directconnect.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: directconnect.amazonaws.com
          event: CreateDirectConnectGateway
          ids: responseElements.directConnectGateway.directConnectGatewayId
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: dynamodb-table-auto-tag
    resource: aws.dynamodb-table
    comments: |
      Find DynamoDB table that has not been tagged with mandatory
      owner tag on-creation. Tag dynamodb table with the user who
      created it. This policy does not apply on existing dynamodb
      table.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: dynamodb.amazonaws.com
          event: CreateTable
          ids: requestParameters.tableName
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: ec2-auto-tag
    resource: aws.ec2
    comments: |
      Find ec2 that has not been tagged with mandatory owner
      tag on-creation. Tag ec2 with the user who created it.
      This policy does not apply on existing ec2.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: ec2.amazonaws.com
          event: RunInstances
          ids: responseElements.instancesSet.items[].instanceId
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: ecr-auto-tag
    resource: aws.ecr
    comments: |
      Find ECR that has not been tagged with mandatory owner tag on-
      creation. Tag ECR with the user who created it. This policy
      does not apply on existing ECR.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: ecr.amazonaws.com
          event: CreateRepository
          ids: responseElements.repository.repositoryName
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: auto-owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: ecs-auto-tag
    resource: aws.ecs
    comments: |
      Find ECS that has not been tagged with mandatory owner tag on-
      creation. Tag ECS with the user who created it. This policy
      does not apply on existing ECS.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: ecs.amazonaws.com
          event: CreateCluster
          ids: responseElements.cluster.clusterName
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: auto-owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: ecs-service-auto-tag
    resource: aws.ecs-service
    comments: |
      Find ECS service that has not been tagged with mandatory owner
      tag on-creation. Tag ECS service with the user who created it.
      This policy does not apply on existing ECS service.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: ecs.amazonaws.com
          event: CreateService
          ids: responseElements.service.serviceName
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: auto-owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: ecs-task-definition-auto-tag
    resource: aws.ecs-task-definition
    comments: |
      Find ECS task definition that has not been tagged with mandatory
      owner tag on-creation. Tag ECS task definition with the user who
      created it. This policy does not apply on existing ECS task
      definition.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: ecs.amazonaws.com
          event: RegisterTaskDefinition
          ids: responseElements.taskDefinition.taskDefinitionArn
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: auto-owner
        principal_id_tag: principalid
```
```yaml
policies:
  - name: elastic-file-system-auto-tag
    resource: aws.efs
    comments: |
      Find EFS that has not been tagged with mandatory owner tag on-
      creation. Tag EFS with the user who created it. This policy
      does not apply on existing EFS.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: elasticfilesystem.amazonaws.com
          event: CreateFileSystem
          # The efs resource is keyed on the file system id, not its ARN.
          ids: responseElements.fileSystemId
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: auto-owner
        principal_id_tag: principalid
```
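Two things the policy YAML cannot show on its own are how the `ids` expression of a cloudtrail-mode event is applied to the CloudTrail record that triggers the Lambda, and how easily copy-paste slips creep into a long list of near-identical policies (an `ids` prefix that is not a CloudTrail record field, or a filter that checks one tag while auto-tag-user writes a different one, as in the `owner` / `auto-owner` policies above). The script below is an added example, not code from the article or from Cloud Custodian; it implements only the small JMESPath subset these policies use (dotted keys and `[]` flattening) so it runs with the standard library, and the CloudTrail record and policy dicts are constructed to mirror the policies above. It assumes that auto-tag-user defaults to a tag named `CreatorName` when `tag:` is omitted.

```python
"""Offline checks for Cloud Custodian cloudtrail-mode auto-tag policies.

Added example; not the article's or Cloud Custodian's own code. Implements a
tiny JMESPath subset (dotted keys, `[]` flattening) so no extra packages are
needed, and lints policies for the slips that recur in long policy lists.
"""

# Top-level CloudTrail record fields an `ids` expression may start with.
CLOUDTRAIL_PREFIXES = {"requestParameters", "responseElements"}

# Assumed default tag name used by auto-tag-user when `tag:` is omitted.
DEFAULT_AUTO_TAG = "CreatorName"


def resolve_ids(expr, record):
    """Evaluate e.g. 'responseElements.instancesSet.items[].instanceId' against
    a CloudTrail record and return the list of string ids found (may be empty)."""
    nodes = [record]
    for token in expr.split("."):
        flatten = token.endswith("[]")
        key = token[:-2] if flatten else token
        next_nodes = []
        for node in nodes:
            if not isinstance(node, dict) or key not in node:
                continue
            value = node[key]
            if flatten:
                if isinstance(value, list):      # '[]' spreads a list into nodes
                    next_nodes.extend(value)
            else:
                next_nodes.append(value)
        nodes = next_nodes
    return [n for n in nodes if isinstance(n, str)]


def lint_policy(policy):
    """Return a list of problems in one policy dict; empty means clean."""
    problems = []
    mode = policy.get("mode", {})
    if mode.get("type") != "cloudtrail":
        problems.append("mode.type is not cloudtrail; creator is only known from the creating event")
    for event in mode.get("events", []):
        ids = event.get("ids", "")
        if ids.split(".")[0] not in CLOUDTRAIL_PREFIXES:
            problems.append(f"ids '{ids}' does not start with a CloudTrail record field")
    # Tags the filters require to be absent vs. the tag auto-tag-user writes.
    absent = set()
    for flt in policy.get("filters", []):
        if isinstance(flt, dict):
            for key, value in flt.items():
                if key.startswith("tag:") and value == "absent":
                    absent.add(key[len("tag:"):])
    for action in policy.get("actions", []):
        if isinstance(action, dict) and action.get("type") == "auto-tag-user":
            written = action.get("tag", DEFAULT_AUTO_TAG)
            if written not in absent:
                problems.append(f"auto-tag-user writes '{written}' but filter checks {sorted(absent)}")
    return problems


# --- constructed sample data (not real CloudTrail output) ---------------------
SAMPLE_RUN_INSTANCES = {
    "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
    "userIdentity": {"type": "IAMUser", "userName": "alice", "principalId": "AIDAEXAMPLE"},
    "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"},
                                                    {"instanceId": "i-0bbb222"}]}},
}

EC2_POLICY = {  # mirrors ec2-auto-tag: filter and action agree on 'owner'
    "name": "ec2-auto-tag", "resource": "aws.ec2",
    "filters": [{"tag:owner": "absent"}],
    "mode": {"type": "cloudtrail", "events": [{"source": "ec2.amazonaws.com",
             "event": "RunInstances", "ids": "responseElements.instancesSet.items[].instanceId"}]},
    "actions": [{"type": "auto-tag-user", "tag": "owner", "principal_id_tag": "principalid"}],
}

ECR_POLICY = {  # mirrors ecr-auto-tag: filter checks 'owner', action writes 'auto-owner'
    "name": "ecr-auto-tag", "resource": "aws.ecr",
    "filters": [{"tag:owner": "absent"}],
    "mode": {"type": "cloudtrail", "events": [{"source": "ecr.amazonaws.com",
             "event": "CreateRepository", "ids": "responseElements.repository.repositoryName"}]},
    "actions": [{"type": "auto-tag-user", "tag": "auto-owner", "principal_id_tag": "principalid"}],
}

CFN_TYPO_POLICY = {  # 'responseParameters' is not a CloudTrail field
    "name": "cloudformation-auto-tag", "resource": "aws.cfn",
    "filters": [{"tag:owner": "absent"}],
    "mode": {"type": "cloudtrail", "events": [{"source": "cloudformation.amazonaws.com",
             "event": "CreateStack", "ids": "responseParameters.stackName"}]},
    "actions": [{"type": "auto-tag-user", "tag": "owner"}],
}

if __name__ == "__main__":
    print(resolve_ids(EC2_POLICY["mode"]["events"][0]["ids"], SAMPLE_RUN_INSTANCES))
    for pol in (EC2_POLICY, ECR_POLICY, CFN_TYPO_POLICY):
        print(pol["name"], lint_policy(pol) or "ok")
```

Running it prints the two instance ids pulled from the RunInstances record, `ok` for the EC2 policy, the tag mismatch for the ECR policy, and the bad `ids` prefix for the CloudFormation policy. The tag check matters because cloudtrail mode fires once at creation: if the action writes `auto-owner` while every periodic report looks for `owner`, the resource is tagged yet still shows up as untagged.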
Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT
Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.