Custodian can be used to manage AWS accounts by ensuring real-time compliance with security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.
- Comprehensive support for AWS services and resources (> 100), along with 400+ actions and 300+ filters to build policies with.
- Supports arbitrary filtering on resources with nested boolean conditions.
- Dry run any policy to see what it would do.
- Automatically provisions AWS Lambda functions, AWS Config rules, and CloudWatch event targets for real-time policies.
- AWS CloudWatch metrics outputs on resources that matched a policy.
- Structured outputs into S3 of which resources matched a policy.
- Intelligent cache usage to minimize API calls.
- Battle-tested – in production on some very large AWS accounts.
- Supports cross-account usage via STS role assumption.
- Supports integration with custom/user-supplied Lambdas as actions.
- Supports both Python 2.7 and Python 3.6 (beta) Lambda runtimes.
```shell
$ virtualenv --python=python2 custodian
$ source custodian/bin/activate
(custodian) $ pip install c7n
```
```yaml
policies:
- name: remediate-extant-keys
  description: |
    Scan through all s3 buckets in an account and ensure all objects
    are encrypted (default to AES256).
  resource: s3
  actions:
    - encrypt-keys

- name: ec2-require-non-public-and-encrypted-volumes
  resource: ec2
  description: |
    Provision a lambda and cloud watch event target
    that looks at all new instances and terminates those with
    unencrypted volumes.
  mode:
    type: cloudtrail
    events:
      - RunInstances
  filters:
    - type: ebs
      key: Encrypted
      value: false
  actions:
    - terminate

- name: tag-compliance
  resource: ec2
  description: |
    Schedule a resource that does not meet tag compliance policies
    to be stopped in 4 days.
  filters:
    - State.Name: running
    - "tag:Environment": absent
    - "tag:AppId": absent
    - or:
      - "tag:OwnerContact": absent
      - "tag:DeptID": absent
  actions:
    - type: mark-for-op
      op: stop
      days: 4
```
Given that, you can run Cloud Custodian with:
```shell
# Validate the configuration (note this happens by default on run)
$ custodian validate policy.yml

# Dryrun on the policies (no actions executed) to see what resources
# match each policy.
$ custodian run --dryrun -s out policy.yml

# Run the policy
$ custodian run -s out policy.yml
```
Custodian supports a few other useful subcommands and options, including outputs to S3, CloudWatch metrics, and STS role assumption. Policies go together like Lego bricks with actions and filters.
Consult the documentation for additional information, or reach out on Gitter.
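How the filters of the tag-compliance policy above combine to select resources, shown as an added example written for this page rather than code from the cloud-custodian project. It re-implements just enough of the filter semantics (a top-level list that is AND-ed, nested `and`/`or`/`not` blocks, dotted keys such as `State.Name`, and the `"tag:Name": absent` shorthand) to evaluate the policy against a handful of constructed EC2 instance records; the instance data, the `not` handling and the helper names are this example's own assumptions.

```python
"""Toy evaluator for Custodian-style filter expressions (added example)."""

# Constructed sample instances, shaped like trimmed EC2 DescribeInstances records.
INSTANCES = [
    # Fully tagged: excluded because Environment is present, not absent.
    {"InstanceId": "i-0001", "State": {"Name": "running"},
     "Tags": [{"Key": "Environment", "Value": "prod"},
              {"Key": "AppId", "Value": "42"},
              {"Key": "OwnerContact", "Value": "team@example.com"}]},
    # Running with no tags at all: every "absent" check is satisfied.
    {"InstanceId": "i-0002", "State": {"Name": "running"}, "Tags": []},
    # Stopped: excluded by the State.Name filter regardless of tags.
    {"InstanceId": "i-0003", "State": {"Name": "stopped"}, "Tags": []},
    # Missing Environment and AppId, but carries both ownership tags,
    # so the nested "or" block does not match.
    {"InstanceId": "i-0004", "State": {"Name": "running"},
     "Tags": [{"Key": "OwnerContact", "Value": "team@example.com"},
              {"Key": "DeptID", "Value": "3"}]},
]

# The filters of the tag-compliance policy, expressed as Python data.
TAG_COMPLIANCE_FILTERS = [
    {"State.Name": "running"},
    {"tag:Environment": "absent"},
    {"tag:AppId": "absent"},
    {"or": [{"tag:OwnerContact": "absent"},
            {"tag:DeptID": "absent"}]},
]


def resolve(resource, key):
    """Look up a filter key on a resource.

    "tag:Name" reads the resource's Tags list; any other key is a dotted
    path into the resource dict ("State.Name"). Missing keys resolve to None.
    """
    if key.startswith("tag:"):
        tags = {t["Key"]: t["Value"] for t in resource.get("Tags", [])}
        return tags.get(key[len("tag:"):])
    value = resource
    for part in key.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def match(resource, flt):
    """Evaluate one filter (a single-key dict) against one resource."""
    if not isinstance(flt, dict) or len(flt) != 1:
        raise ValueError(f"expected a single-key filter dict, got {flt!r}")
    (key, expected), = flt.items()
    # Nested boolean blocks carry a list of sub-filters as their value.
    if key == "and":
        return all(match(resource, sub) for sub in expected)
    if key == "or":
        return any(match(resource, sub) for sub in expected)
    if key == "not":
        # Assumption of this toy: "not" negates an implicit "and" block.
        return not all(match(resource, sub) for sub in expected)
    actual = resolve(resource, key)
    if expected == "absent":
        return actual is None
    if expected == "present":
        return actual is not None
    return actual == expected


def select(resources, filters):
    """A policy's top-level filter list is AND-ed: keep resources matching all."""
    return [r for r in resources if all(match(r, f) for f in filters)]


def tag_noncompliant_ids(resources=INSTANCES):
    """Instance ids the tag-compliance policy would mark for a stop in 4 days."""
    return [r["InstanceId"] for r in select(resources, TAG_COMPLIANCE_FILTERS)]


if __name__ == "__main__":
    print(tag_noncompliant_ids())  # ['i-0002']
```

Running it selects only `i-0002`: `i-0001` and `i-0003` fail the tag and state checks respectively, and `i-0004` shows why the `or` block matters, since it is missing Environment and AppId but has both ownership tags and so is not marked. The same walk is what a dry run (`custodian run --dryrun`) reports before any action executes.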
Mailing List – https://groups.google.com/forum/#!forum/cloud-custodian
Gitter – https://gitter.im/capitalone/cloud-custodian
The Custodian project also develops and maintains a suite of additional tools here https://github.com/capitalone/cloud-custodian/tree/master/tools:
- Scale out S3 scanning.
- A reference implementation of sending messages to users to notify them.
- CloudTrail indexing and time-series generation for dashboarding.
- CloudWatch log export to S3.
- Indexing of Custodian metrics and outputs for dashboarding.
- Log parsing for Python tracebacks to integrate with https://sentry.io/welcome/