Cloud Custodian

Cloud Custodian is an open-source tool developed by Capital One that helps organizations manage their cloud infrastructure and resources using policies. With Cloud Custodian, users can define policies that automatically enforce compliance, security, and cost optimization rules on AWS resources.

Here's a step-by-step guide to two of my favourite simple policies:

  • Disable public S3 bucket access at the AWS account level

  • Set the expiry of all CloudWatch log groups to 30 days

Install Cloud Custodian

You can install Cloud Custodian using pip by running the following command:

pip install c7n

Create Policies

Create a file called disable-s3-access.yml and add the following code to it:

policies:
  - name: disable-public-access
    resource: account
    # Match the account when any of the four S3 Block Public Access settings
    # is not yet enabled. The 's3-public-block' filter reads the account-level
    # public access block configuration; 'not ... value: true' also matches
    # when the configuration has never been created at all.
    filters:
      - or:
          - not:
              - type: s3-public-block
                key: BlockPublicAcls
                value: true
          - not:
              - type: s3-public-block
                key: IgnorePublicAcls
                value: true
          - not:
              - type: s3-public-block
                key: BlockPublicPolicy
                value: true
          - not:
              - type: s3-public-block
                key: RestrictPublicBuckets
                value: true
    actions:
      # With state: true and no individual keys given, all four settings are
      # switched on, which is what "disable public access" means here.
      - type: set-s3-public-block
        state: true

Create a file called set-cwl-expiry.yml and add the following code to it:

policies:
  - name: set-cloudwatch-retention
    # Cloud Custodian's resource name for CloudWatch log groups is 'log-group'
    resource: aws.log-group
    actions:
      # The Custodian action is 'retention'; it calls PutRetentionPolicy for
      # every matched log group
      - type: retention
        days: 30

This policy sets the retention of ALL CloudWatch log groups in the account, including any that already have a deliberately longer retention configured. If you want to restrict it to specific log groups, add a 'filters' section.

Execute the policies

Run the two policy files from the current folder. The -s flag is required and names the directory where Custodian writes its logs and the list of resources each policy matched; running with --dryrun first shows what would match without executing any actions:

custodian run --dryrun -s output disable-s3-access.yml set-cwl-expiry.yml
custodian run -s output --metrics aws disable-s3-access.yml set-cwl-expiry.yml

Wrapping up

Cloud Custodian policies can be set to trigger in two ways:

  • Based on CloudTrail events: the policy above can be modified to execute whenever a CloudWatch log group is created, for example. Likewise, a policy can be created to encrypt an S3 bucket when a new bucket is created or when someone removes its encryption.

  • Ad hoc: the two policies above run whenever the 'custodian run' command is executed. Some organisations run these policies at scheduled intervals across all the AWS accounts they own.
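As an added example (not part of the original article), here is the event-driven variant of the log-group policy described above: it combines the 'filters' section mentioned earlier with a CloudTrail trigger, so only newly created log groups that have no retention set are touched. The IAM role ARN is a placeholder you must replace with a role Custodian's Lambda function can assume; the event source and name follow the CloudTrail record for CreateLogGroup.

```yaml
policies:
  - name: set-cloudwatch-retention-on-create
    resource: aws.log-group
    # Run as a Lambda function invoked by the CloudTrail CreateLogGroup event
    # instead of ad hoc. The role is a placeholder; it needs permission for
    # logs:DescribeLogGroups and logs:PutRetentionPolicy.
    mode:
      type: cloudtrail
      role: arn:aws:iam::{account_id}:role/CustodianLogGroupRole
      events:
        - source: logs.amazonaws.com
          event: CreateLogGroup
          # JMESPath into the CloudTrail record that yields the log group name
          ids: requestParameters.logGroupName
    filters:
      # 'retentionInDays' is absent from the log group description when
      # retention is "never expire", so groups that already carry an explicit
      # (possibly longer) retention are left alone.
      - type: value
        key: retentionInDays
        value: absent
    actions:
      - type: retention
        days: 30
```

Running 'custodian run -s output' on this file provisions the Lambda function and its event rule rather than applying the policy immediately.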

I hope this article provides insight into how to use Cloud Custodian to manage infrastructure securely. For more details, refer to the Cloud Custodian documentation.