Auto-remediation for missing tags in AWS using Cloud Custodian — Part 3

Perform auto-remediation for missing tags using the Cloud Custodian

This is the last part of the series, where we continue with examples for more AWS resources. For the auto-tag-user Cloud Custodian policies to work, it is important that the policy's mode captures the correct CloudTrail events. One method is to create the specific resource yourself and then dig through CloudTrail to identify the corresponding event name, event source, and the response field that carries the resource id (the source, event, and ids keys of the mode).

Example 36 - IAM Role

policies:
  - name: iam-role-auto-tag
    resource: aws.iam-role
    comments: |
      Find an IAM role that has not been tagged with the mandatory
      owner tag on creation. Tag the IAM role with the user who
      created it. This policy does not apply to existing IAM roles.
    filters:
      - "tag:owner": absent
    mode:
      type: cloudtrail
      events:
        - source: iam.amazonaws.com
          event: CreateRole
          ids: responseElements.role.roleName
      execution-options:
        output_dir: s3://s3bucket/cclogs/{account_id}/
      runtime: python3.8
    actions:
      - type: auto-tag-user
        tag: auto-owner
        principal_id_tag: principalid
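To check that the source/event/ids triple you dug out of CloudTrail really lines up with a policy's mode before deploying it, the following added Python script (not Cloud Custodian's own code) takes a constructed iam:CreateRole record, matches it against the mode entry from Example 36, resolves the `ids` path, and approximates the owner that auto-tag-user would record; the record values and the `extract_creator` logic are assumptions for illustration.

```python
# Constructed CloudTrail record for an iam:CreateRole call. The shape follows
# the CloudTrail record format; all values are invented for this example.
SAMPLE_RECORD = {
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateRole",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLEID:alice",
        "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice",
    },
    "responseElements": {"role": {"roleName": "app-role"}},
}

# The mode 'events' entry from Example 36.
POLICY_EVENT = {"source": "iam.amazonaws.com", "event": "CreateRole",
                "ids": "responseElements.role.roleName"}


def resolve_path(record, dotted):
    """Walk a dotted key path (the simple subset of jmespath that 'ids' uses)."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_policy_event(record, policy_event):
    """True if this record would trigger the policy's cloudtrail mode."""
    return (record.get("eventSource") == policy_event["source"]
            and record.get("eventName") == policy_event["event"])


def extract_creator(record):
    """Approximation (assumed, not Custodian's code) of who created the resource."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        user = ident.get("userName")
    elif ident.get("type") == "AssumedRole":
        user = ident.get("arn", "").rsplit("/", 1)[-1]  # role session name
    else:
        user = ident.get("arn", "unknown")
    return user, ident.get("principalId", "")


def plan_tags(record, policy_event, tag="auto-owner", principal_tag="principalid"):
    """Return the resource ids and tags the policy would apply, or None if no match."""
    if not matches_policy_event(record, policy_event):
        return None
    ids = resolve_path(record, policy_event["ids"])
    if ids is None:
        return None  # the ids path is wrong for this event: fix the policy
    user, principal = extract_creator(record)
    return {"ids": [ids] if isinstance(ids, str) else list(ids),
            "tags": {tag: user, principal_tag: principal}}
```

A `None` from `plan_tags` on a record you know should match means the mode's source, event, or ids value is wrong, which is exactly the mistake that leaves resources untagged in production.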

Example 37 - IAM User

policies:
  - name: iam-user-auto-tag
    resource: aws.iam-user
    comments: |
      Find IAM user that has not been tagged…


Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.