Cloud Custodian v0.9.2 releases: Rules engine for cloud security
Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure that is both secure and cost-optimized. It consolidates the many ad hoc scripts organizations accumulate into a lightweight and flexible tool with unified metrics and reporting.
Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real-time compliance with security policies (such as encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.
Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift, CosmosDB, PubSub Topic) and are constructed from a vocabulary of filters and actions.
It integrates with the cloud-native serverless capabilities of each provider to provide real-time enforcement of policies, with built-in provisioning of the required functions and event sources. Alternatively, it can be run as a simple cron job on a server to execute against large existing fleets.
“Engineering the Next Generation of Cloud Governance” by @drewfirment
Features
- Comprehensive support for public cloud services and resources with a rich library of actions and filters to build policies with.
- Supports arbitrary filtering on resources with nested boolean conditions.
- Dry run any policy to see what it would do.
- Automatically provisions serverless functions and event sources (AWS CloudWatch Events, AWS Config Rules, Azure EventGrid, GCP AuditLog & Pub/Sub, etc.)
- Cloud provider native metrics outputs on resources that matched a policy
- Structured outputs into cloud-native object storage of which resources matched a policy.
- Intelligent cache usage to minimize API calls.
- Supports multi-account/subscription/project usage.
- Battle-tested – in production on some very large cloud environments.
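A policy that exercises the filter/action vocabulary described above, together with the nested boolean filtering, dry run and serverless provisioning from the feature list, as an added example (not code from this page or from the Cloud Custodian project). The resource, filter, action and mode names are standard Custodian schema; the role ARN, tag keys and schedule are assumptions.

```yaml
policies:
  # Constructed example (not from the project's docs): flag EBS volumes
  # that are unencrypted OR lack an Owner tag, then delete them a week
  # later. Assumed values: the IAM role ARN and the tag keys.
  - name: ebs-unencrypted-or-unowned-mark
    resource: aws.ebs
    description: Mark unencrypted or ownerless EBS volumes for deletion in 7 days.
    # Serverless mode: Custodian provisions the Lambda and its schedule itself.
    mode:
      type: periodic
      schedule: "rate(1 day)"
      role: arn:aws:iam::123456789012:role/CustodianPolicyRole  # assumed
    filters:
      # Nested boolean condition: a volume matches if either branch is true
      - or:
          - type: value
            key: Encrypted
            value: false
          - "tag:Owner": absent
      # Skip volumes already marked so the deletion date is not reset each run
      - "tag:custodian_cleanup": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        op: delete
        days: 7

  # Companion policy: act only on marked volumes whose date has come due
  # and that are not attached to an instance.
  - name: ebs-unencrypted-or-unowned-delete
    resource: aws.ebs
    mode:
      type: periodic
      schedule: "rate(1 day)"
      role: arn:aws:iam::123456789012:role/CustodianPolicyRole  # assumed
    filters:
      - type: marked-for-op
        tag: custodian_cleanup
        op: delete
      - type: value
        key: State
        value: available
    actions:
      - delete
```

Check it first with `custodian run --dryrun -s out policy.yml`, which evaluates the filters and writes the matched resources to the output directory without executing the actions or provisioning the functions.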
Changelog v0.9.2
- aws – account – emr block public access configuration filter/action (#5642)
- aws – add cfn types to resources (#5681)
- aws – add redshift set-attributes action (#5721)
- aws – additional config resource support (#5408)
- aws – cloudtrail status – don't process foreign account org trails (#5715)
- aws – code commit & pipeline tags and delete action (#5682)
- aws – config-poll-rule mode (#5695)
- aws – cwe – event-rule resource group tagging support (#5676)
- aws – dynamodb – continuous backups filter and action for tables (#5701)
- aws – dynamodb – remove resource specific implementation for status filter (#5709)
- aws – ec2 – add tags mapping to snapshot creation (#5700)
- aws – ec2 – security hub post-finding include public ips (#5686)
- aws – image-age filter – check launch template found else fallback (#5749)
- aws – refactor resource specific state filters to reuse common (#5717)
- aws – s3 – event based policies include CreationDate (#5765)
- aws – securityhub – update native resources supported (#5248)
- aws – subnet groups – unused filter update (#5669)
- aws – vpc – unused key pair filter and delete action (#5726)
- aws – glue-catalog – boolean filter support for glue catalog, cleanup schemas (#5702)
- aws – ecs container instance arn fix typo
- azure – container host handles attribute errors while unloading (#5737)
- azure – nested management group subscription support for serverless policies (#5672)
- cli – schema command – add --outline option (#5747)
- cli – schema command skip uninstalled providers (#5663)
- cli – schema command supports aliased resources (#5771)
- core – normalize jsonschema output generation (#5731)
- core – notify message w/ custodian version (#5746)
- core – policy conditions don’t evaluate event filters for dry run and provision (#5727)
- core – python 2 to 3 cleanups – remove six usage (#5704)
- core – upgrade deps / mailer declare additional deps (#5708)
- docs – asg example policies for mark-sweep-notify on capacity/size (#5186)
- docs – aws security hub integration needs enablement w/ 0.9+ (#5685)
- releng – address lint issues found by new flake8 version (#5752)
- releng – doc build – don't set tox path (#5706)
- releng – restore github action cache (#5667)
- lint – python 2 to 3 cleanup – remove versioninfo checks (#5725)
- lint – style – convert more set literals (#5733)
Copyright 2015-2017 Capital One Services, LLC