Cloud Agnostic Compliance-as-code

Infoservices LLC
Apr 26 · 3 min read

Manage public cloud accounts and resources compliance by defining policies as code for a well managed cloud infrastructure.

Cloud Custodian

is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed cloud infrastructure, that’s both secure and cost optimized.

Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift) and are constructed from a vocabulary of filters and actions.

Benefits:

  • Comprehensive support for public cloud services and resources with a rich library of actions and filters to build policies with.
  • Supports arbitrary filtering on resources with nested boolean conditions.
  • Dry run any policy to see what it would do.
  • Automatically provisions serverless functions and event sources (AWS CloudWatch Events, AWS Config Rules, etc)
  • Cloud provider native metrics outputs on resources that matched a policy
  • Structured outputs into cloud native object storage of which resources matched a policy.
  • Intelligent cache usage to minimize api calls.

Three parts:

Cloud Custodian policies contains 3 parts:

  • Type of resource to run the policy against (eg: EC2)
  • Filters to narrow down the resources (eg: missing a tag)
  • Actions to perform on those filtered resources (eg: stop)

Examples:

Enable AWS VPC flow logs if disabled

Delete unencrypted AWS EBS volume:

Delete Unmanaged Azure disk:

Sample Commands:

# Perform dry run without impacting the resources
custodian run --dryrun -s . custodian.yml
# Run policy against multiple regions
custodian run -s out --region us-east-1 --region us-west-1 policy.yml
# Run policy against all applicable regions
custodian run -s out --region all policy.yml
# Enable C7n metrics on AWS
$ custodian run -s output -m aws policy.yml

# Enable C7n metrics on Azure
$ custodian run -s output -m azure policy.yml
# Enable C7n logs to AWS CloudWatch Logs
$ custodian run -s output -l policy.yml

# Enable C7n logs to Azure App Insights Logs
$ custodian run -s output -l policy.yml

Deployment Options:

Continuous Integration of Policies
Courtesy from AWS blog: https://aws.amazon.com/blogs/opensource/continuous-deployment-of-cloud-custodian-to-aws-control-tower/

What Next?

In the next blog installment, we will cover Alert-as-code to see how Python can be used to create alerts on any logs and send notifications to Slack, PagerDuty and others.

Reach out to Info Services if you need any assistance with cloud workloads

infoservicesllc-lab

Cloud & AI made easy — https://www.infoservicesllc.com

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store