Cloud Custodian is an open-source tool created by Capital One and released to the public in 2016. It allows organizations to "define policies that better manage their cloud environments" in AWS, Azure, and GCP.
It does this by helping automate governance, security, compliance, and cost efficiency. More specifically, a policy can be configured with actions that remove a non-compliant asset, tag it for review, and notify a team via Slack or email that the policy has been violated. This suits a DevSecOps environment well; the following policy life-cycle example, which starts from an identified deficiency, shows how straightforward the tool is to use:

In the above figure, a deficiency is identified and a policy is written to remediate it. Once the policy is approved, it is written as code (a Cloud Custodian YAML policy) and submitted for review. After review and approval, the policy is deployed in Cloud Custodian's config-rule execution mode, which generates an AWS Config rule backed by a Lambda function so that compliance is monitored automatically. AWS Config is a service with an easy-to-use console that lets engineers assess, audit, and evaluate the configuration of their AWS resources; as rules are implemented, they continuously evaluate resources whenever their configuration changes. AWS Config can also trigger automated remediation, enforcing compliance without human intervention.

Other examples include using Cloud Custodian to find unused RDS instances, or EC2 instances that are not part of an Auto Scaling group (ASG). The ways this tool can assist in cloud management are nearly endless. Finally, Cloud Custodian execution metrics and results can be sent to a CloudWatch dashboard or exported to other applications, such as Grafana.

Setup for Cloud Custodian is relatively straightforward and well documented on its GitHub page (https://github.com/cloud-custodian/cloud-custodian), which links to tutorials for each cloud provider. To configure policies in Cloud Custodian, one needs to be comfortable writing YAML files. YAML now stands for "YAML Ain't Markup Language" (it originally stood for "Yet Another Markup Language") and is the "human friendly data serialization standard for all programming languages" in which these configuration files are written. JSON is another popular format for cloud configuration files, used for example by IAM policy documents. If this is not something you're comfortable setting up, PSI has experience establishing Cloud Custodian instances for the above use cases and is happy to help.
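As an added example (written for this page, not taken from the article or from the Cloud Custodian project's own documentation), here is what two of the policies described above look like in Cloud Custodian's YAML. The first runs as an AWS Config rule: it tags any running EC2 instance that is not a member of an Auto Scaling group and posts a notification to Slack. The second finds RDS instances with no database connections in the last 14 days and marks them to be stopped seven days later. The IAM role ARN, AWS account ID, SQS queue URL, Slack channel, and tag names are placeholders chosen for illustration; the notify action hands its messages to the separately deployed c7n-mailer, which reads them from that SQS queue.

```yaml
# policies.yml: added example, not from the original article.
# Account ID, role ARN, queue URL, channel and tag names are placeholders.
policies:

  # 1. Tag for review any running EC2 instance that is not managed by an
  #    Auto Scaling group (or another cluster manager such as ECS/EMR/Batch)
  #    and tell the team on Slack. Runs as an AWS Config rule, so every
  #    configuration change to an instance is evaluated automatically.
  - name: ec2-not-in-asg-tag-and-notify
    resource: aws.ec2
    description: |
      Running EC2 instances outside an Auto Scaling group are tagged for
      review and reported to the cloud-compliance Slack channel.
    mode:
      type: config-rule
      # Execution role for the Lambda that Custodian deploys (placeholder ARN).
      role: arn:aws:iam::123456789012:role/CloudCustodianLambdaRole
    filters:
      - "State.Name": running
      - type: singleton          # no aws:autoscaling:groupName or cluster tag
      - "tag:c7n_review": absent # do not re-tag instances already flagged
    actions:
      - type: tag
        key: c7n_review
        value: not-in-asg
      - type: notify
        subject: "EC2 instance outside an ASG in {{ account }} / {{ region }}"
        to:
          - "slack://#cloud-compliance"   # placeholder channel
        transport:
          type: sqs
          # c7n-mailer polls this queue and delivers the message (placeholder URL).
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/c7n-mailer

  # 2. Find RDS instances nobody has connected to for 14 days and schedule a
  #    stop in 7 days by tagging them. A companion policy using the
  #    "marked-for-op" filter and the "stop" action would later carry it out.
  - name: rds-unused-mark-for-stop
    resource: aws.rds
    description: |
      Mark RDS instances with zero DatabaseConnections over the last 14 days
      to be stopped in 7 days.
    filters:
      - type: metrics
        name: DatabaseConnections
        statistics: Sum
        days: 14
        value: 0
        op: eq
        missing-value: 0   # treat "no datapoints" as zero connections
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        op: stop
        days: 7
```

Check the file with `custodian validate policies.yml`, then run `custodian run --dryrun -s out policies.yml` to see which resources each policy would touch without tagging anything or deploying the Lambda; a run without `--dryrun` applies the tags and provisions the Config rule for the first policy.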
Article written by Jimi-Ray Milam