Cloud Custodian: Rules engine for cloud security

Cloud Custodian

Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure, that’s both secure and cost-optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.

Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real-time compliance to security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.

Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift, CosmosDB, PubSub Topic) and are constructed from a vocabulary of filters and actions.

It integrates with the cloud-native serverless capabilities of each provider to provide for real-time enforcement of policies with built-in provisioning. Or it can be run as a simple cron job on a server to execute against large existing fleets.

“Engineering the Next Generation of Cloud Governance” by @drewfirment

Features

• Comprehensive support for public cloud services and resources with a rich library of actions and filters to build policies with.
• Supports arbitrary filtering on resources with nested boolean conditions.
• Dry run any policy to see what it would do.
• Automatically provisions serverless functions and event sources ( AWS CloudWatchEvents, AWS Config Rules, Azure EventGrid, GCP AuditLog & Pub/Sub, etc)
• Cloud provider native metrics outputs on resources that matched a policy
• Structured outputs into cloud-native object storage of which resources matched a policy.
• Intelligent cache usage to minimize api calls.
• Supports multi-account/subscription/project usage.
• Battle-tested – in production on some very large cloud environments.

Install && Use

Copyright 2015-2017 Capital One Services, LLC