Cloud Custodian v0.9.24 releases: Rules engine for cloud security
Cloud Custodian
Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure that is both secure and cost-optimized. It consolidates the many ad hoc scripts organizations accumulate into a lightweight and flexible tool, with unified metrics and reporting.
Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real-time compliance to security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.
Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift, CosmosDB, PubSub Topic) and are constructed from a vocabulary of filters and actions.
It integrates with the cloud-native serverless capabilities of each provider to provide for real-time enforcement of policies with built-in provisioning. Or it can be run as a simple cron job on a server to execute against large existing fleets.
“Engineering the Next Generation of Cloud Governance” by @drewfirment
Features
- Comprehensive support for public cloud services and resources with a rich library of actions and filters to build policies with.
- Supports arbitrary filtering on resources with nested boolean conditions.
- Dry run any policy to see what it would do.
- Automatically provisions serverless functions and event sources (AWS CloudWatch Events, AWS Config Rules, Azure EventGrid, GCP AuditLog & Pub/Sub, etc.).
- Cloud provider native metrics outputs on resources that matched a policy.
- Structured outputs into cloud-native object storage of which resources matched a policy.
- Intelligent cache usage to minimize API calls.
- Supports multi-account/subscription/project usage.
- Battle-tested – in production on some very large cloud environments.
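The policy shape described above (a resource type, a vocabulary of filters and actions, serverless provisioning and dry run) in a worked example. This is an added illustration, not a policy shipped with the project: the tag name `custodian_cleanup`, the grace period and the IAM role ARN are assumptions, and the account ID is a placeholder.

```yaml
policies:
  # Policy 1: find EBS volumes that violate an encryption requirement
  # and mark them for deletion after a grace period, so owners are
  # warned before anything destructive happens.
  - name: ebs-unencrypted-unattached
    resource: aws.ebs
    description: |
      Unencrypted EBS volumes that are either detached or carry no
      Owner tag are marked for deletion after a 7 day grace period.
    filters:
      - Encrypted: false            # shorthand value filter on the API attribute
      - or:                         # nested boolean condition
          - "tag:Owner": absent
          - type: value
            key: State
            value: available        # 'available' means not attached to an instance
    actions:
      - type: mark-for-op
        tag: custodian_cleanup      # assumed tag name (default is maid_status)
        op: delete
        days: 7

  # Policy 2: runs daily as a provisioned Lambda and deletes only volumes
  # whose grace period (written by policy 1) has expired and which still
  # violate the original conditions.
  - name: ebs-marked-delete
    resource: aws.ebs
    mode:
      type: periodic
      schedule: "rate(1 day)"
      # placeholder account ID and role name; replace with a real execution role
      role: arn:aws:iam::123456789012:role/custodian-lambda
    filters:
      - type: marked-for-op
        tag: custodian_cleanup
        op: delete
      - Encrypted: false
      - State: available
    actions:
      - delete
```

Running `custodian run --dryrun -s out policies.yml` evaluates the filters and writes the matched resources under `out/` without executing any action, which is the check to do before enabling the periodic mode.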
Changelog v0.9.24
aws
- aws – ami – allow no ‘add’ in set-permissions action (#8327)
- aws – apigw – generate domain name arns (#8366)
- aws – asg – let valid/invalid filters work in explicit pull mode (#8308)
- aws – efs-mount-point – network-location filter (#8347)
- aws – eks – add network-location filter (#8377)
- aws – elasticsearch – enable support for server-side query filtering (#8337)
- aws – elasticsearch – new action to enable audit logs to cloudwatch (#8232)
- aws – enhance modify-security-groups action to support add groups by tag (#8356)
- aws – hosted zone – explicit config_id for config-rule support (#8269)
- aws – lambda – filter for lambda@edge (#8382)
- aws – rds – bug fix in consecutive-snapshots filter (#8357)
- aws – route53 ARC – control panel: add resource and tagging (#8352)
- aws – route53.recovery-cluster – add resource and tagging support (#8301)
- aws – s3 – check-public-filter handle access denied errors (#8374)
- aws – s3 output bucket region determination refactor (#8289)
- aws – security-group unused filter – add batch compute envs (#8297)
- aws – tag variable interpolation fix (#8383)
- aws – vpc – bug fix security-groups-used on in-use eni with no attachment (#8099) (#8390)
- aws – wafv2 – add scope param to list call in lambda modes (#8120)
- feat: fix marked-for-op filter bug (#8313)
c7n_azure
- c7n_azure – adding new resource for mysql flexibleserver and a new filter (#8241)
core
- core – filters – add headers to value_from url (#8307)
- core – offhours filter – fixing typo on fallback-schedule schema (#7929)
- core – pass validate to load_data so intent to validate policies or not is fully respected (#8305)
- core – query – have resource manager init args match the base class (#8310)
gcp
- gcp – bq-table – add augment to table for encryption config (#7952)
kubernetes
- kubernetes – fix test via k8s registry url update (#8290)
shift-left
- c7n-left – test handling of terraform local modules (#8286)
- c7n-left – traverse filter supports non value type filters (#8299)
- More…
Copyright 2015-2017 Capital One Services, LLC