Cloud Custodian v0.8.41.0 releases: Rules engine for cloud security

Cloud Custodian

Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure, that’s both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.

Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real-time compliance to security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.

Cloud Custodian

Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift, CosmosDB, PubSub Topic) and are constructed from a vocabulary of filters and actions.

It integrates with the cloud-native serverless capabilities of each provider to provide for real-time enforcement of policies with built-in provisioning. Or it can be run as a simple cron job on a server to execute against large existing fleets.

Engineering the Next Generation of Cloud Governance” by @drewfirment


  • Comprehensive support for public cloud services and resources with a rich library of actions and filters to build policies with.
  • Supports arbitrary filtering on resources with nested boolean conditions.
  • Dry run any policy to see what it would do.
  • Automatically provisions serverless functions and event sources ( AWS CloudWatchEvents, AWS Config Rules, Azure EventGrid, GCP AuditLog & Pub/Sub, etc)
  • Cloud provider native metrics outputs on resources that matched a policy
  • Structured outputs into cloud-native object storage of which resources matched a policy.
  • Intelligent cache usage to minimize api calls.
  • Supports multi-account/subscription/project usage.
  • Battle-tested – in production on some very large cloud environments.

Changelog v0.8.41.0


  • upgrade pyyaml to 4.2b4 to avoid cve flagging (custodian is unaffected as we use safe load in all cases). (#3520)


  • autoscaling launch template support (#3484)
  • govcloud/china partition awareness for arns (#3518#3527)
  • dynamodb sleep for on create events (#3516)
  • lambda policy support for setting layers and concurrent executions (#3491)
  • phd event policy lambda support (#3269)
  • copy-related-tag action (#3489)
  • managed kafka resource (#3467)
  • ecr tag actions/filters (#3490)
  • security hub – allow configuration finding of batch size to work around ux bug (#3512)
  • lambda resource use resource group tagging api (#3513)
  • codebuild / acm certificate / cloud directory tag actions/filters (#3515)
  • secrets manager cross-account filter (#2596)
  • kms key filter for fsx and fsx backup (#3487)
  • network related filters don’t require value with match-resource (#3524)
  • refactor tag machinery to avoid session creation in threads (#3498)
  • bug fix ecs agent update action (#3502)


  • support windows client upload of serverless policies (#3466)


  • c7n_mailer – restore support cc recipients in email (#3517)
  • c7n_mailer – support sending slack message to owner contact absent (#3533)

Install && Use

Copyright 2015-2017 Capital One Services, LLC