Cloud Custodian
0.9.50.0SecurityA broad feature release adding 12+ new AWS resources, new upgrade-available filters for EKS/Elasticsearch, Azure Entra ID resources, and GCP Vertex AI support. Several bug fixes address S3 cache staleness, GuardDuty validation, and IAM user errors.
enhancementAudit EKS and Elasticsearch upgrade readiness now
The new upgrade-available filter for both EKS and Elasticsearch means you can write policies that flag clusters where a newer version exists. If you've been tracking version compliance manually, replace that with a c7n policy using the upgrade-available filter and route matches to notify or tag. Good timing before any end-of-support deadlines.
enhancementAdd whitelist_patterns to cross-account filters using deleted principals
If your cross-account policies flag deleted IAM principals as violations, you've likely been dealing with false positives. The new whitelist_patterns parameter on the cross-account filter lets you skip ARN patterns for known-deleted or transient principals. Review your existing cross-account policies and add patterns for any deleted accounts or service-linked roles you see repeated in output.
enhancementAudit Azure Entra ID security posture with new resource types
Four new Entra ID resource types — conditional-access-policy, authorization-policy, named-location, security-defaults — are now queryable. If you manage Azure security baselines, write policies to check that security defaults are enabled and conditional access policies match your org's requirements. This fills a gap that previously required separate tooling.
Key changes (5)
- New upgrade-available filters for EKS and Elasticsearch let you proactively find clusters running outdated versions
- 12 new AWS resource types added: savings-plan, vpc-lattice-listener, directconnect-gateway, bedrock-inference-profile, transfer-connector, and more
- Azure Entra ID resources now manageable: conditional-access-policy, authorization-policy, named-location, and security-defaults
- GCP gains Vertex AI resources (endpoint, batch-prediction-job) and expanded set-labels support across BigQuery, BigTable, KMS, and GCS buckets
- cross-account filter gets whitelist_patterns to skip deleted IAM principals, and org-id + wildcard joint conditions now handled correctly