Cloud Custodian – Rules Engine For Cloud Security, Cost Optimization, And Governance, DSL In Yaml For Policies To Query, Filter, And Take Actions On Resources

Cloud Custodian is a rules engine for AWS fleet management. It allows users to define policies to enable a well managed cloud infrastructure that is both secure and cost optimized. It consolidates many of the ad hoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.

Custodian can be used to manage AWS accounts by ensuring real time compliance with security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.

Custodian policies are written in simple YAML configuration files that allow users to specify policies on a resource type (EC2, ASG, Redshift, etc.) and are constructed from a vocabulary of filters and actions.
It integrates with AWS Lambda and AWS Cloudwatch events to provide real time enforcement of policies with builtin provisioning of the Lambdas, or as a simple cron job on a server to execute against large existing fleets.


  • Comprehensive support for AWS services and resources (> 100), including 400+ actions and 300+ filters to build policies with.
  • Supports arbitrary filtering on resources with nested boolean conditions.
  • Dry run any policy to see what it would do.
  • Automatically provisions AWS Lambda functions, AWS Config rules, and Cloudwatch event targets for real-time policies.
  • AWS Cloudwatch metrics outputs on resources that matched a policy.
  • Structured outputs into S3 of which resources matched a policy.
  • Intelligent cache usage to minimize API calls.
  • Battle-tested – in production on some very large AWS accounts.
  • Supports cross-account usage via STS role assumption.
  • Supports integration with custom/user supplied Lambdas as actions.
  • Supports both Python 2.7 and Python 3.6 (beta) Lambda runtimes.

Quick Install

$ virtualenv --python=python2 custodian
$ source custodian/bin/activate
(custodian) $ pip install c7n

First a policy file needs to be created in YAML format, for example:

policies:
- name: remediate-extant-keys
  description: |
    Scan through all s3 buckets in an account and ensure all objects
    are encrypted (default to AES256).
  resource: s3
  actions:
    - encrypt-keys

- name: ec2-require-non-public-and-encrypted-volumes
  resource: ec2
  description: |
    Provision a lambda and cloud watch event target
    that looks at all new instances and terminates those with
    unencrypted volumes.
  mode:
    type: cloudtrail
    events:
        - RunInstances
  filters:
    - type: ebs
      key: Encrypted
      value: false
  actions:
    - terminate

- name: tag-compliance
  resource: ec2
  description: |
    Schedule a resource that does not meet tag compliance policies
    to be stopped in four days.
  filters:
    - State.Name: running
    - "tag:Environment": absent
    - "tag:AppId": absent
    - or:
      - "tag:OwnerContact": absent
      - "tag:DeptID": absent
  actions:
    - type: mark-for-op
      op: stop
      days: 4

Given that, you can run Cloud Custodian with:

# Validate the configuration (note this happens by default on run)
$ custodian validate policy.yml

# Dryrun on the policies (no actions executed) to see what resources
# match each policy.
$ custodian run --dryrun -s out policy.yml

# Run the policy
$ custodian run -s out policy.yml
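To make the filter semantics of the tag-compliance policy above concrete, here is a small stand-alone model of how its filter block is evaluated against EC2 resources, and of the difference between a dry run (report matches only) and a real run (apply the mark-for-op tag). This is an added illustration, not Cloud Custodian's own code: c7n resolves keys with JMESPath, supports many more operators, and talks to AWS; here only dotted keys (State.Name), "tag:Name" keys, the special values absent/present, and nested and/or/not blocks are modelled. The sample instances are constructed, and the default tag name (maid_status) and message format used by mark_for_op_tag are taken from c7n's documented defaults and should be treated as assumptions.

```python
"""Simplified model of Custodian filter evaluation and mark-for-op tagging.

Added example, not c7n's implementation. Only the constructs used by the
tag-compliance policy on this page are supported.
"""
from datetime import date, timedelta

# Filter block of the tag-compliance policy above, as a Python structure.
TAG_COMPLIANCE_FILTERS = [
    {"State.Name": "running"},
    {"tag:Environment": "absent"},
    {"tag:AppId": "absent"},
    {"or": [
        {"tag:OwnerContact": "absent"},
        {"tag:DeptID": "absent"},
    ]},
]

# Constructed sample EC2 resources in the shape of describe-instances output.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"},
     "Tags": [{"Key": "Environment", "Value": "prod"},
              {"Key": "AppId", "Value": "42"},
              {"Key": "OwnerContact", "Value": "x@example.com"},
              {"Key": "DeptID", "Value": "7"}]},            # fully tagged
    {"InstanceId": "i-0bbb", "State": {"Name": "running"},
     "Tags": [{"Key": "DeptID", "Value": "7"}]},            # missing Environment, AppId, OwnerContact
    {"InstanceId": "i-0ccc", "State": {"Name": "stopped"},
     "Tags": []},                                            # untagged, but not running
    {"InstanceId": "i-0ddd", "State": {"Name": "running"},
     "Tags": [{"Key": "OwnerContact", "Value": "y@example.com"},
              {"Key": "DeptID", "Value": "7"}]},            # missing Environment and AppId only
]


def resolve(resource, key):
    """Look up a filter key: "tag:X" reads the Tags list, a dotted key walks
    nested dicts (a small subset of what JMESPath does in c7n)."""
    if key.startswith("tag:"):
        wanted = key[len("tag:"):]
        for tag in resource.get("Tags", []):
            if tag.get("Key") == wanted:
                return tag.get("Value")
        return None
    value = resource
    for part in key.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def match_filter(resource, flt):
    """Evaluate one filter entry; entries may nest with and/or/not."""
    if not isinstance(flt, dict) or len(flt) != 1:
        raise ValueError("each filter must be a single-key mapping: %r" % (flt,))
    (key, expected), = flt.items()
    if key == "and":
        return all(match_filter(resource, f) for f in expected)
    if key == "or":
        return any(match_filter(resource, f) for f in expected)
    if key == "not":  # negation of the nested block taken as a whole (an 'and')
        return not all(match_filter(resource, f) for f in expected)
    actual = resolve(resource, key)
    if expected == "absent":
        return actual is None
    if expected == "present":
        return actual is not None
    return actual == expected


def matched_resources(resources, filters):
    """The top-level filter list is an implicit 'and', as in a Custodian policy."""
    return [r for r in resources if all(match_filter(r, f) for f in filters)]


def mark_for_op_tag(op, days, today, tag_key="maid_status"):
    """Tag a mark-for-op action would write. Tag name and message format
    follow c7n's documented defaults (assumption, not verified here)."""
    when = today + timedelta(days=days)
    return tag_key, "Resource does not meet policy: %s@%s" % (op, when.strftime("%Y/%m/%d"))


def run_policy(resources, filters, dryrun=True, today=None):
    """Return (matched instance ids, tags that were / would be applied).
    With dryrun=True nothing is modified, mirroring 'custodian run --dryrun'."""
    today = today or date.today()
    hits = matched_resources(resources, filters)
    planned = {r["InstanceId"]: mark_for_op_tag("stop", 4, today) for r in hits}
    if not dryrun:
        for r in hits:
            key, value = planned[r["InstanceId"]]
            r.setdefault("Tags", []).append({"Key": key, "Value": value})
    return [r["InstanceId"] for r in hits], planned


if __name__ == "__main__":
    ids, tags = run_policy(SAMPLE_INSTANCES, TAG_COMPLIANCE_FILTERS, dryrun=True)
    for i in ids:
        print("would tag %s: %s=%s" % (i, *tags[i]))
```

Only i-0bbb matches: i-0aaa carries an Environment tag, i-0ccc is not running, and i-0ddd fails the nested `or` because both OwnerContact and DeptID are present. That is exactly the set a dry run would list, and the tag a real run would write is dated four days out, so a later policy filtering on that tag can perform the stop.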

Custodian supports a few other useful subcommands and options, including outputs to S3, Cloudwatch metrics, and STS role assumption. Policies go together like Lego bricks with actions and filters.
Consult the documentation for additional information, or reach out on gitter.

Get Involved
Mailing List –!forum/cloud-custodian
Gitter –

Additional Tools
The Custodian project also develops and maintains a suite of additional tools here:

  • Scale out s3 scanning.
  • A reference implementation of sending messages to users to notify them.
  • Cloudtrail indexing and timeseries generation for dashboarding.
  • Cloud watch log exporting to s3.
  • Indexing of custodian metrics and outputs for dashboarding.
  • Log parsing for python tracebacks to integrate with

