Cloud Custodian integration with GCP for Auto-Remediation and Compliance

Hukam Yadav
Google Cloud - Community
4 min read · Jul 3, 2023

This blog is intended as a starting point for readers who want to learn more about integrating Cloud Custodian with GCP. It gives an overview of the following topics:

  • What is Cloud Custodian?
  • How does Cloud Custodian work?
  • How to integrate Cloud Custodian with GCP
  • Examples of Cloud Custodian policies for GCP
  • Benefits of using Cloud Custodian for GCP

Introduction:

Cloud Custodian is an open source project that allows you to manage your cloud resources by filtering, tagging, and then applying actions to them. The YAML DSL allows definition of rules to enable well-managed cloud infrastructure that’s both secure and cost optimized.

GCP Custodian is a community-maintained project that provides integrations with GCP services. This allows you to use Cloud Custodian to automate security and compliance tasks for your GCP resources.

How does Cloud Custodian work:

The Cloud Custodian policy file is used to define the rules that you want to apply to your GCP resources. For example, you could create a policy that requires all Compute Engine instances to have a tag with the value “production”.

The Cloud Custodian instance will periodically scan your GCP resources for violations of your policies. If a violation is detected, a notification will be sent to the Cloud Pub/Sub topic.

The Cloud Function will listen for notifications from the Cloud Pub/Sub topic. When a notification is received, the Cloud Function will take action to remediate the violation. For example, if the violation is a Compute Engine instance that does not have the required tag, the Cloud Function could delete the instance.

[Figure: GCP integration with Cloud Custodian for Auto-remediation and Compliance]

Integrating Cloud Custodian with GCP:

To integrate Cloud Custodian with GCP, you will need to:

1. Install Cloud Custodian and the GCP plugin on your local machine.

Cloud Custodian Installation Guide:

python3 -m venv custodian
source custodian/bin/activate

GCP Plugin Installation steps:

Option 1: Install released packages to local Python Environment

pip install c7n
pip install c7n_gcp

Option 2: Install latest from the repository

git clone https://github.com/cloud-custodian/cloud-custodian.git
pip install -e ./cloud-custodian
pip install -e ./cloud-custodian/tools/c7n_gcp

2. Create a GCP project and enable the Cloud Custodian API.

3. Create a Cloud Custodian policy file that defines the rules you want to apply to your GCP resources.

Main components of a Policy:

  • Resource: the type of resource to run the policy against
  • Filters: criteria to produce a specific subset of resources
  • Actions: directives to take on the filtered set of resources

Example: compute.yml (a policy that deletes any Compute Engine instances older than 30 days). A policy file must wrap each policy in a policies list with a name, the Compute Engine instance resource type in the GCP plugin is gcp.instance, and the age check is expressed as a value filter on the instance's creationTimestamp:

policies:
  - name: delete-instances-older-than-30-days
    resource: gcp.instance
    filters:
      - type: value
        key: creationTimestamp
        value_type: age
        op: greater-than
        value: 30
    actions:
      - type: delete
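To make the filter stage of the policy above concrete, here is an added example (not Cloud Custodian's own code, which lives in c7n's ValueFilter) that reproduces what a value filter with value_type: age does: it turns each instance's creationTimestamp into an age in days and keeps the instances for which the comparison holds. The filter dictionary and the instance records are constructed inline to mirror compute.yml and the Compute Engine API's instance shape; NOW is pinned to the article's date so the selection is reproducible.

```python
from datetime import datetime, timezone

# Constructed stand-in for the filter in compute.yml: select instances whose
# creationTimestamp is more than 30 days old (not loaded from the YAML file).
POLICY_FILTERS = [
    {"type": "value", "key": "creationTimestamp", "value_type": "age",
     "op": "greater-than", "value": 30},
]

# Constructed sample of instance records in the shape the Compute Engine API
# returns them (only the fields this example needs).
SAMPLE_INSTANCES = [
    {"name": "web-1",   "creationTimestamp": "2023-01-15T10:00:00.000-07:00"},
    {"name": "batch-2", "creationTimestamp": "2023-05-20T08:30:00.000+00:00"},
    {"name": "new-3",   "creationTimestamp": "2023-06-28T12:00:00.000+00:00"},
    {"name": "odd-4"},  # no timestamp at all: a filter on a missing key never matches
]

# Fixed "now" so the selection is reproducible; real runs use the current time.
NOW = datetime(2023, 7, 3, tzinfo=timezone.utc)

# Comparison operators in the spelling Custodian accepts (subset).
OPS = {
    "greater-than": lambda actual, wanted: actual > wanted,
    "gt": lambda actual, wanted: actual > wanted,
    "less-than": lambda actual, wanted: actual < wanted,
    "lt": lambda actual, wanted: actual < wanted,
    "gte": lambda actual, wanted: actual >= wanted,
    "lte": lambda actual, wanted: actual <= wanted,
    "equal": lambda actual, wanted: actual == wanted,
}


def age_in_days(timestamp, now):
    """Age of an RFC 3339 timestamp (numeric UTC offset) in fractional days."""
    created = datetime.fromisoformat(timestamp)
    return (now - created).total_seconds() / 86400


def matches(resource, flt, now):
    """Does one value filter match one resource? A missing key never matches."""
    raw = resource.get(flt["key"])
    if raw is None:
        return False
    actual = age_in_days(raw, now) if flt.get("value_type") == "age" else raw
    return OPS[flt.get("op", "equal")](actual, flt["value"])


def select_resources(resources, filters, now=None):
    """Resources that pass every filter (Custodian ANDs a policy's filters)."""
    now = now or datetime.now(timezone.utc)
    return [r for r in resources if all(matches(r, f, now) for f in filters)]


if __name__ == "__main__":
    for r in select_resources(SAMPLE_INSTANCES, POLICY_FILTERS, NOW):
        days = age_in_days(r["creationTimestamp"], NOW)
        print(f"would delete: {r['name']} ({days:.0f} days old)")
```

Running it lists web-1 and batch-2 as the instances the delete action would receive; new-3 is too young and odd-4 has no timestamp to compare. Reviewing this selection with custodian run --dryrun before enabling a destructive action is the same check, performed by the real engine.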

4. Deploy the Cloud Custodian policy file to your Cloud Custodian instance.

GOOGLE_CLOUD_PROJECT="project-id" custodian run --output-dir=. compute.yml

5. The Cloud Custodian instance will periodically scan your GCP resources for violations of your policies. If a violation is detected, a notification will be sent to the Cloud Pub/Sub topic.

The Cloud Function will listen for notifications from the Cloud Pub/Sub topic. When a notification is received, the Cloud Function will take action to remediate the violation.

6. Create a Cloud Function. The Cloud Function will be responsible for receiving the notification from Cloud Custodian and then deleting the Compute Engine instance.

The code for the Cloud Function will need to do the following:

a. Get the notification from Cloud Custodian.

b. Check the notification to see if it contains the name of a Compute Engine instance.

c. If the notification contains the name of a Compute Engine instance, then the Cloud Function should delete the instance.

Example: snippet of Python code for the Cloud Function (uses the google-cloud-compute client library; the notification is assumed to carry the instance's name and zone URL under event['resource'], and the project comes from the function's GOOGLE_CLOUD_PROJECT environment variable)

import os

from google.cloud import compute_v1  # pip install google-cloud-compute


def delete_instance(event, context):
    """Cloud Function entry point: delete the Compute Engine instance named in
    the Cloud Custodian notification."""
    resource = event.get('resource', {})
    instance_name = resource.get('name')
    if not instance_name:
        return  # the notification does not name an instance; nothing to remediate
    zone = resource['zone'].rsplit('/', 1)[-1]  # zone URL -> e.g. "us-central1-a"
    project = os.environ['GOOGLE_CLOUD_PROJECT']
    compute_v1.InstancesClient().delete(
        project=project, zone=zone, instance=instance_name)
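Steps a to c above are where an auto-remediation function is most likely to go wrong, because anything published to the topic reaches a function that can delete instances. The following added example (my code, not the post's snippet and not Cloud Custodian's notify implementation) works through the same three steps as a Pub/Sub-triggered Cloud Function would see them: it decodes the base64 event data, refuses messages that do not identify a Compute Engine instance, and only deletes inside the project the function is meant to guard. The message layout (a JSON body with a resource object holding name and a zone URL) is an assumption that mirrors the event['resource']['name'] lookup in the post; the delete call is injectable so the logic can be exercised without touching GCP.

```python
import base64
import json
import os

# Constructed example of a zone URL as the Compute Engine API reports it.
SAMPLE_ZONE_URL = ("https://www.googleapis.com/compute/v1/projects/"
                   "demo-project/zones/us-central1-a")


def make_event(payload):
    """Wrap a dict the way a Pub/Sub-triggered Cloud Function receives it:
    event['data'] is the base64-encoded message body (constructed helper)."""
    return {"data": base64.b64encode(json.dumps(payload).encode()).decode()}


def parse_notification(event):
    """Step a + b: decode the notification and return the target instance as
    {'project', 'zone', 'instance'}. Assumed body layout: {'resource': {'name':
    ..., 'zone': <zone URL>}}. Raises ValueError for anything else, so malformed
    or unrelated messages can never reach the delete call."""
    try:
        body = json.loads(base64.b64decode(event["data"]).decode("utf-8"))
    except (KeyError, TypeError, ValueError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"not a Pub/Sub JSON message: {exc}") from exc
    resource = body.get("resource") or {}
    name, zone_url = resource.get("name"), resource.get("zone", "")
    parts = zone_url.split("/")
    if not name or "projects" not in parts or "zones" not in parts:
        raise ValueError("notification does not identify a Compute Engine instance")
    return {
        "project": parts[parts.index("projects") + 1],
        "zone": parts[parts.index("zones") + 1],
        "instance": name,
    }


def delete_instance(event, context, delete_fn=None, allowed_project=None):
    """Step c: entry point. Deletes only when the instance lives in the project
    this function guards (GOOGLE_CLOUD_PROJECT unless overridden), so a message
    naming a resource elsewhere is reported and ignored rather than acted on."""
    target = parse_notification(event)
    allowed = allowed_project or os.environ.get("GOOGLE_CLOUD_PROJECT")
    if target["project"] != allowed:
        return {"deleted": False, "reason": "project mismatch", **target}
    if delete_fn is None:
        from google.cloud import compute_v1  # imported only when really deleting

        def delete_fn(project, zone, instance):
            compute_v1.InstancesClient().delete(
                project=project, zone=zone, instance=instance)
    delete_fn(target["project"], target["zone"], target["instance"])
    return {"deleted": True, **target}


if __name__ == "__main__":
    # Local dry run with a fake deleter: prints what would have been deleted.
    event = make_event({"resource": {"name": "web-1", "zone": SAMPLE_ZONE_URL}})
    print(delete_instance(event, None,
                          delete_fn=lambda p, z, i: print("fake delete", p, z, i),
                          allowed_project="demo-project"))
```

The project guard is deliberately a positive allow-list (one project) rather than a deny-list; in a multi-project setup the function's service account should likewise hold compute.instances.delete only in the projects it is supposed to remediate, so a bad message is stopped by IAM as well as by code.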

7. Deploy the Cloud Function. Once you have written the code for the Cloud Function, you need to deploy it to GCP.

Examples of Cloud Custodian Policies for GCP:

  • A policy that checks for unused Cloud Storage buckets and deletes them.
  • A policy that checks for Cloud Compute instances that are running with the default security settings and applies security hardening to them.
  • A policy that checks for Cloud Billing resources that are over their budget and generates alerts.

Benefits of Using Cloud Custodian for GCP:

Cloud Custodian can help you to:

  • Automate security and compliance tasks for your GCP resources.
  • Improve the security and compliance of your GCP infrastructure.
  • Save money on your GCP costs.
  • Reduce the workload on your IT team.

Conclusion:

Cloud Custodian is a powerful tool that can help you to automate security and compliance tasks for your GCP resources. By integrating Cloud Custodian with GCP, you can improve the security and compliance of your GCP infrastructure, save money on your GCP costs, and reduce the workload on your IT team.

Resources:

https://cloudcustodian.io/docs/overview.html
