Cloud Custodian - Policy Rules Engine
Cloud Custodian is a rules engine for AWS fleet management. It allows users to define policies to enable a well managed cloud infrastructure, that’s both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
Custodian can be used to manage AWS accounts by ensuring real time compliance to security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.
Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (ec2, asg, redshift, etc) and are constructed from a vocabulary of filters and actions.
It integrates with lambda and cloudwatch events to provide for real time enforcement of policies with builtin provisioning of the lambdas, or as a simple cron job on a server to execute against large existing fleets.
“Engineering the Next Generation of Cloud Governance” by @drewfirment
$ virtualenv --python=python2 custodian $ source custodian/bin/activate (custodian) $ pip install c7n
First a policy file needs to be created in YAML format, as an example:
policies: - name: remediate-extant-keys description: | Scan through all s3 buckets in an account and ensure all objects are encrypted (default to AES256). resource: s3 actions: - encrypt-keys - name: ec2-require-non-public-and-encrypted-volumes resource: ec2 description: | Provision a lambda and cloud watch event target that looks at all new instances and terminates those with unencrypted volumes. mode: type: cloudtrail events: - RunInstances filters: - type: ebs key: Encrypted value: false actions: - terminate - name: tag-compliance resource: ec2 description: | Schedule a resource that does not meet tag compliance policies to be stopped in four days. filters: - State.Name: running - "tag:Environment": absent - "tag:AppId": absent - or: - "tag:OwnerContact": absent - "tag:DeptID": absent actions: - type: mark-for-op op: stop days: 4
Given that, you can run cloud-custodian with:
# Validate the configuration (note this happens by default on run) $ custodian validate policy.yml # Dryrun on the policies (no actions executed) to see what resources # match each policy. $ custodian run --dryrun -s out policy.yml # Run the policy $ custodian run -s out policy.yml
Custodian supports a few other useful subcommands and options, including outputs to s3, cloud watch metrics, sts role assumption. Policies go together like lego bricks with actions and filters.
Consult the documentation for additional information, or reach out on gitter.
Mailing List - https://groups.google.com/forum/#!forum/cloud-custodian
The Custodian project also develops and maintains a suite of additional tools here https://github.com/capitalone/cloud-custodian/tree/master/tools:
We welcome Your interest in Capital One’s Open Source Projects (the “Project”). Any Contributor to the Project must accept and sign an Agreement indicating agreement to the license terms below. Except for the license granted in this Agreement to Capital One and to recipients of software distributed by Capital One, You reserve all right, title, and interest in and to Your Contributions; this Agreement does not impact Your rights to use Your own Contributions for any other purpose.
This project adheres to the Open Code of Conduct. By participating, you are expected to honor this code.