Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure that is both secure and cost optimized. It consolidates the many ad hoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real-time compliance to security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.
Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift, CosmosDB, PubSub Topic) and are constructed from a vocabulary of filters and actions.
It integrates with the cloud-native serverless capabilities of each provider to provide for real-time enforcement of policies with built-in provisioning. Or it can be run as a simple cron job on a server to execute against large existing fleets.
“Engineering the Next Generation of Cloud Governance” by @drewfirment
- Comprehensive support for public cloud services and resources with a rich library of actions and filters to build policies with.
- Supports arbitrary filtering on resources with nested boolean conditions.
- Dry run any policy to see what it would do.
- Automatically provisions serverless functions and event sources (AWS CloudWatch Events, AWS Config Rules, Azure EventGrid, GCP AuditLog and Pub/Sub, etc.)
- Cloud provider native metrics outputs on resources that matched a policy
- Structured outputs into cloud-native object storage of which resources matched a policy.
- Intelligent cache usage to minimize API calls.
- Supports multi-account/subscription/project usage.
- Battle-tested – in production on some very large cloud environments.
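As an added illustration of how a policy is assembled from a resource type, a list of filters and a list of actions, and how nested boolean conditions and a dry run behave, the example below is not code from the Cloud Custodian project. The policy dict is the parsed form of a Custodian-style YAML document; the evaluator is a deliberately small approximation written for this example and assumes only a subset of the `value` filter vocabulary (`eq`, `ne`, `in`, `not-in` and the special values `absent`/`present`) plus `and`/`or`/`not` nesting. The EBS volume records are constructed sample data.

```python
"""Toy evaluator for Custodian-style policy filters (illustrative, not Custodian's engine)."""
from typing import Any, Dict, List

# Parsed form of this Custodian-style YAML policy:
#   policies:
#     - name: ebs-unowned-or-unencrypted
#       resource: ebs
#       filters:
#         - type: value            # top-level filters are ANDed
#           key: State
#           value: in-use
#         - or:                    # nested boolean condition
#             - type: value
#               key: "tag:Owner"
#               value: absent
#             - not:
#                 - type: value
#                   key: Encrypted
#                   value: true
#       actions:
#         - type: notify           # actions are skipped during a dry run
POLICY: Dict[str, Any] = {
    "name": "ebs-unowned-or-unencrypted",
    "resource": "ebs",
    "filters": [
        {"type": "value", "key": "State", "value": "in-use"},
        {"or": [
            {"type": "value", "key": "tag:Owner", "value": "absent"},
            {"not": [{"type": "value", "key": "Encrypted", "value": True}]},
        ]},
    ],
    "actions": [{"type": "notify"}],
}

# Constructed sample resources shaped like EBS volume descriptions.
VOLUMES: List[Dict[str, Any]] = [
    {"VolumeId": "vol-0a1", "State": "in-use", "Encrypted": True,
     "Tags": [{"Key": "Owner", "Value": "team-a"}]},          # compliant
    {"VolumeId": "vol-0b2", "State": "in-use", "Encrypted": False,
     "Tags": [{"Key": "Owner", "Value": "team-b"}]},          # unencrypted
    {"VolumeId": "vol-0c3", "State": "in-use", "Encrypted": True, "Tags": []},      # no owner
    {"VolumeId": "vol-0d4", "State": "available", "Encrypted": False, "Tags": []},  # not in use
]


def lookup(resource: Dict[str, Any], key: str) -> Any:
    """Resolve a 'tag:Name' key or a dotted path such as 'Attachments.0.InstanceId'."""
    if key.startswith("tag:"):
        wanted = key[len("tag:"):]
        for tag in resource.get("Tags", []):
            if tag.get("Key") == wanted:
                return tag.get("Value")
        return None
    cur: Any = resource
    for part in key.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit():
            cur = cur[int(part)] if int(part) < len(cur) else None
        else:
            return None
        if cur is None:
            return None
    return cur


def match_value(filt: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate one 'value' filter (assumed subset of operators)."""
    actual = lookup(resource, filt["key"])
    expected = filt.get("value")
    op = filt.get("op", "eq")
    if expected == "absent":
        return actual is None
    if expected == "present":
        return actual is not None
    if op == "eq":
        return actual == expected
    if op == "ne":
        return actual != expected
    if op == "in":
        return actual in expected
    if op == "not-in":
        return actual not in expected
    raise ValueError(f"unsupported op: {op}")


def match_filter(filt: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate a filter, recursing through and/or/not blocks."""
    if "and" in filt:
        return all(match_filter(f, resource) for f in filt["and"])
    if "or" in filt:
        return any(match_filter(f, resource) for f in filt["or"])
    if "not" in filt:  # a 'not' block negates the conjunction of its children
        return not all(match_filter(f, resource) for f in filt["not"])
    if filt.get("type") == "value":
        return match_value(filt, resource)
    raise ValueError(f"unsupported filter: {filt}")


def dry_run(policy: Dict[str, Any], resources: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the resources the policy would act on; actions are never invoked."""
    return [r for r in resources if all(match_filter(f, r) for f in policy["filters"])]


def matched_ids(policy: Dict[str, Any], resources: List[Dict[str, Any]]) -> List[str]:
    return [r["VolumeId"] for r in dry_run(policy, resources)]


if __name__ == "__main__":
    for vol in dry_run(POLICY, VOLUMES):
        print(f"{POLICY['name']}: would run {POLICY['actions']} on {vol['VolumeId']}")
```

Reading the dry-run output next to the policy makes the filter semantics concrete: a volume is selected only if every top-level filter holds, and the `or` block lets either a missing owner tag or a missing encryption flag qualify it.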
- upgrade pyyaml to 4.2b4 to avoid CVE flagging (custodian is unaffected as we use safe load in all cases). (#3520)
- autoscaling launch template support (#3484)
- govcloud/china partition awareness for ARNs (#3518, #3527)
- dynamodb sleep for on create events (#3516)
- lambda policy support for setting layers and concurrent executions (#3491)
- phd event policy lambda support (#3269)
- copy-related-tag action (#3489)
- managed kafka resource (#3467)
- ecr tag actions/filters (#3490)
- security hub – allow configuration finding of batch size to work around ux bug (#3512)
- lambda resource use resource group tagging api (#3513)
- codebuild / acm certificate / cloud directory tag actions/filters (#3515)
- secrets manager cross-account filter (#2596)
- kms key filter for fsx and fsx backup (#3487)
- network-related filters don't require a value with match-resource (#3524)
- refactor tag machinery to avoid session creation in threads (#3498)
- bug fix ecs agent update action (#3502)
- support windows client upload of serverless policies (#3466)
Copyright 2015-2017 Capital One Services, LLC