Just setting up an issue ticket pertaining to my PR.
When using c7n_mailer to enable email notifications on a policy, I want an email sent directly to the user who created/triggered that event.
Example use case:
I have a policy discouraging the use of CIDR 0.0.0.0/0 as a security group rule in non-production environments.
I want the policy to email the user who made the change and cc the Ops teams.
policies:
  - name: open-network-sg-rule
    resource: security-group
    mode:
      type: cloudtrail
      role: arn:aws:iam::123456789:role/custodian-monitor
      events:
        - event: AuthorizeSecurityGroupIngress
          source: ec2.amazonaws.com
          ids: requestParameters.groupId
    filters:
      - type: ingress
        Cidr:
          value: 0.0.0.0/0
          op: eq
          value_type: cidr
    actions:
      - type: notify
        template: default.html
        priority_header: 2
        subject: "[Cloud Custodian] Security Group Rule Violation! - Too Open!"
        violation_desc: |
          IP Range to the open world (0.0.0.0/0) should not be used!
          You should only whitelist by Security Group ID or specific single IP
        to:
          - teamemail@org.com
          - event-owner
        transport:
          type: sqs
          queue: https://sqs.us-west-2.amazonaws.com/123456789/email_queue
          region: us-west-2
Currently, when using event-owner in the to: field, the lambda function gets the PrincipalID from the UserIdentity section of the CloudTrail event. This normally results in the actual IAM Access Key, which in turn results in an invalid email being sent.
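As an added illustration of the resolution step the issue is asking for (this is example code written for this page, not c7n_mailer's own implementation), the block below contrasts taking principalId verbatim with deriving a name from the rest of the userIdentity block. The sample CloudTrail records, the account id 123456789012, the user and session names, and the mail domain are all constructed placeholders; the helper names resolve_event_owner and build_recipients are hypothetical and do not exist in c7n_mailer.

```python
"""Resolving a mailable identity from a CloudTrail event's userIdentity block.

Constructed sample events follow the CloudTrail-via-EventBridge layout, where
the record sits under the "detail" key. None of these values come from a real
account.
"""

ACCOUNT = "123456789012"  # placeholder account id

# An IAM user acting with long-term credentials.
IAM_USER_EVENT = {
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "AIDAEXAMPLEPRINCIPAL",  # opaque id, not an address
            "arn": f"arn:aws:iam::{ACCOUNT}:user/alice",
            "accountId": ACCOUNT,
            "userName": "alice",
        },
    }
}

# A role session; the session name is the only per-person part.
ASSUMED_ROLE_EVENT = {
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEROLEID:bob",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/DeveloperRole/bob",
            "accountId": ACCOUNT,
        },
    }
}

# Federated/SSO sessions often carry the user's email as the session name.
SSO_EVENT = {
    "detail": {
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLESSOROLE:carol@org.com",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/AWSReservedSSO_Dev/carol@org.com",
        },
    }
}

# A call made by an AWS service on the account's behalf: nobody to email.
SERVICE_EVENT = {
    "detail": {
        "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
    }
}


def _user_identity(event):
    """Return the userIdentity block, whether or not the record is wrapped in 'detail'."""
    record = event.get("detail", event)
    return record.get("userIdentity") or {}


def naive_owner(event):
    """The behaviour the issue describes: principalId taken verbatim.

    For IAM users this is an 'AIDA...' id and for roles an 'AROA...:session'
    string, neither of which a mail transport can deliver to.
    """
    return _user_identity(event).get("principalId")


def resolve_event_owner(event):
    """Return a person-level name for the caller, or None when there is none.

    IAMUser     -> userName
    AssumedRole -> session name (last ARN segment, else the part after ':' in principalId)
    anything else (AWSService, Root, unknown) -> None
    """
    ident = _user_identity(event)
    kind = ident.get("type")
    if kind == "IAMUser":
        return ident.get("userName") or None
    if kind == "AssumedRole":
        parts = ident.get("arn", "").split("/")
        if len(parts) == 3 and parts[2]:
            return parts[2]
        principal = ident.get("principalId", "")
        if ":" in principal:
            return principal.split(":", 1)[1] or None
    return None


def build_recipients(to_list, event, mail_domain, fallback=None):
    """Expand a notify 'to:' list, replacing 'event-owner' with a real address.

    Names without an '@' get the organisation's mail domain appended; when no
    owner can be derived the optional fallback address is used instead, so the
    notification never goes to an opaque principal id.
    """
    recipients = []
    for entry in to_list:
        if entry != "event-owner":
            recipients.append(entry)
            continue
        owner = resolve_event_owner(event)
        if owner is None:
            if fallback and fallback not in recipients:
                recipients.append(fallback)
            continue
        recipients.append(owner if "@" in owner else f"{owner}@{mail_domain}")
    return recipients


if __name__ == "__main__":
    for name, ev in [("iam-user", IAM_USER_EVENT), ("role", ASSUMED_ROLE_EVENT),
                     ("sso", SSO_EVENT), ("service", SERVICE_EVENT)]:
        print(name, "naive:", naive_owner(ev), "resolved:",
              build_recipients(["teamemail@org.com", "event-owner"], ev, "org.com",
                               fallback="teamemail@org.com"))
```

The mapping from a session name or IAM user name to a mailbox is the part that varies per organisation; the example assumes a flat "name@domain" scheme, whereas a directory lookup would sit in the same place.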