RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: Cloud Custodian解除 ×

Cloud Custodian

Security2026年5月28日

0.9.51.0 is a broad feature release adding new AWS AI/ML and agent resources, fixing a breaking iam-access-key schema change, and significantly expanding GCP label management coverage across ~15 resource types.

  • breakingRemove json-diff filter from iam-access-key policies before upgrading

    The `json-diff` filter has been removed from `aws.iam-access-key`. Any policies using this filter will fail at runtime. Audit your policy files for `iam-access-key` resources before upgrading and remove or replace any `json-diff` filter references.

  • enhancementAdopt new cross-account org path support for IAM policy checks

    AWS cross-account policy evaluation now supports `aws:PrincipalOrgPaths` and whitelisted accounts. If you run cross-account governance policies, review this new support — it may let you replace custom workarounds you've built for org-path-based principal checks.

  • enhancementExtend GCP label compliance policies to cover newly supported resource types

    GCP label coverage has expanded significantly: Cloud Run services/jobs, Pub/Sub topics/subscriptions, Redis, Secrets Manager secrets, snapshots, DNS managed zones, interconnects, load balancer addresses and forwarding rules, and Cloud Functions all now support `set-labels` and `mark-for-op`. If you run GCP tagging compliance policies, this release lets you extend label enforcement to most of these resource types without workarounds. Update your GCP policies to cover the newly supported resources.

主な変更 (5)
  • Breaking: `json-diff` filter removed from `aws.iam-access-key` — policies using it will error on upgrade
  • New AWS resources: `bedrock-foundation-model`, `bedrock-guardrail`, and `devops-agent-space` added; Bedrock inference profiles gain a `metrics` filter
  • AWS EKS gets `addon` and `metrics` (container insights) filters; RDS gains `recommendations` filter; unused RDS parameter group filter added for both `rds-param-group` and `rds-cluster-param-group`
  • EC2 and Lambda now have `iam-role` and `iam-role-tag-mirror` filters, fixing a previous resource/role attribute mismatch
  • GCP label actions (`set-labels`, `mark-for-op`) added to ~15 resource types including Cloud Run, Pub/Sub, Redis, Secrets, DNS, and interconnects; new resources added for Firestore, NCC spoke, Redis cluster, and Vertex AI Model Garden
原文

Cloud Custodian

Security2026年3月18日

A broad feature release adding 12+ new AWS resources, new upgrade-available filters for EKS/Elasticsearch, Azure Entra ID resources, and GCP Vertex AI support. Several bug fixes address S3 cache staleness, GuardDuty validation, and IAM user errors.

  • enhancementAudit EKS and Elasticsearch upgrade readiness now

    The new upgrade-available filter for both EKS and Elasticsearch means you can write policies that flag clusters where a newer version exists. If you've been tracking version compliance manually, replace that with a c7n policy using the upgrade-available filter and route matches to notify or tag. Good timing before any end-of-support deadlines.

  • enhancementAdd whitelist_patterns to cross-account filters using deleted principals

    If your cross-account policies flag deleted IAM principals as violations, you've likely been dealing with false positives. The new whitelist_patterns parameter on the cross-account filter lets you skip ARN patterns for known-deleted or transient principals. Review your existing cross-account policies and add patterns for any deleted accounts or service-linked roles you see repeated in output.

  • enhancementAudit Azure Entra ID security posture with new resource types

    Four new Entra ID resource types — conditional-access-policy, authorization-policy, named-location, security-defaults — are now queryable. If you manage Azure security baselines, write policies to check that security defaults are enabled and conditional access policies match your org's requirements. This fills a gap that previously required separate tooling.

主な変更 (5)
  • New upgrade-available filters for EKS and Elasticsearch let you proactively find clusters running outdated versions
  • 12 new AWS resource types added: savings-plan, vpc-lattice-listener, directconnect-gateway, bedrock-inference-profile, transfer-connector, and more
  • Azure Entra ID resources now manageable: conditional-access-policy, authorization-policy, named-location, and security-defaults
  • GCP gains Vertex AI resources (endpoint, batch-prediction-job) and expanded set-labels support across BigQuery, BigTable, KMS, and GCS buckets
  • cross-account filter gets whitelist_patterns to skip deleted IAM principals, and org-id + wildcard joint conditions now handled correctly
原文