Cloud Custodian output (JSON) for the policy below: an S3 bucket matched by the `cross-account` filter whose violating statement names a deleted IAM principal (the bare `AROA...` unique ID alongside a whitelisted account's root ARN). Captured for https://github.com/cloud-custodian/cloud-custodian/issues/9961
[
{
"Name": "snip",
"CreationDate": "2019-12-12T02:45:01+00:00",
"Location": {
"LocationConstraint": null
},
"Tags": [],
"Policy": "snip",
"Acl": {
"Owner": {
"DisplayName": "snip",
"ID": "snip"
},
"Grants": [
{
"Grantee": {
"DisplayName": "snip",
"ID": "snip",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
}
]
},
"Replication": null,
"Versioning": {},
"Website": null,
"Logging": {},
"Notification": {},
"Lifecycle": null,
"c7n:MatchedFilters": [
"Name",
"Name"
],
"CrossAccountViolations": [
{
"Sid": "SID",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:root",
"AROAY3OEXAMPLEEXAMPLE"
]
},
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::snip",
"arn:aws:s3:::snip/*"
]
}
],
"c7n:ListItemMatches": [
"CrossAccountViolations[].Principal.AWS[].{id: @}[0]"
]
}
]
---
# Hourly scan of S3 bucket policies in us-east-1 for cross-account access.
# Findings are reported only; the notify action is left disabled below.
policies:
  - name: s3-cross-account
    resource: s3
    tags:
      - "schedule:hourly"
    conditions:
      - region: us-east-1
    filters:
      # Every bucket-policy statement that grants access to a principal
      # outside the whitelisted accounts is reported under
      # CrossAccountViolations on the resource.
      - type: cross-account
        whitelist:
          # External AWS accounts allowed cross-account access.
          - "123456789012"
      # Deleted IAM users/roles appear in a bucket policy as their bare
      # unique ID (AIDA... for users, AROA... for roles) instead of an ARN.
      # The list-item filter keeps the bucket when at least one reported
      # principal is NOT such a stale ID.
      # See https://github.com/cloud-custodian/cloud-custodian/issues/9961
      # NOTE(review): because list-item matches on ANY element, a statement
      # that mixes a stale ID with a live principal is still reported; the
      # sample output above shows a whitelisted account's root ARN in the
      # same statement as an AROA ID causing exactly that. Also, if a
      # violating statement's Principal is a bare string ("*" or a single
      # ARN) rather than a list, `Principal.AWS[]` may yield no elements and
      # that bucket would silently drop out of the findings — confirm how
      # the cross-account filter normalises principals before relying on
      # this. The regex op appears to match from the start of the string, so
      # the trailing `.*` is likely redundant — verify against c7n's regex_match.
      - type: list-item
        key: "CrossAccountViolations[].Principal.AWS[].{id: @}"
        attrs:
          - not:
              - type: value
                key: id
                op: regex
                value: "(AIDA|AROA).*"
    # Report only; enable notify once the false positives are understood.
    actions: []
    # - type: notify