Cloud Custodian is a YAML DSL based stateless rules engine for cloud audit, management, and governance.
Cloud Custodian exists as a policy/governance-as-code tool that gives organizations real-time detective controls to ensure their cloud infrastructure adheres to organizational policies. Policy/governance as code means bringing some of the best practices of software engineering to policy and governance, i.e. using version control, code review, testing, and continuous integration and deployment tools.
Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real-time compliance with security policies (such as encryption and access requirements), tag policies, operations best practices, and cost management via garbage collection of unused resources and off-hours resource management. Kubernetes and OpenStack support is currently in alpha.
Some of its features:
- Ability to implement detective controls to ensure adherence to organizational policies
- Supports real-time detection, reporting/notification, and remediation
- Consistent outputs and telemetry (blob, logs, trace, metrics) with provider native sinks.
- Minimal installation, usable as a cli query/investigative tool, or as an operations tool in a compliance as code environment.
Custodian enables reusable vocabularies of filters and actions that can be used to implement many semantic policies across hundreds of resource types.
For example, an action like stopping a VM instance could be used for off-hours savings, tag compliance, or incident response.
Some additional example use cases:
- Identifying and remediating load balancers or storage buckets not configured for logging.
- Turning off development servers/clusters and databases at night to realize cost savings.
- Finding underutilized resources and emailing their creator to reduce the size.
- Enforcing tag compliance policies on resources.
- Finding resources with embedded access control policies that are set up to grant access across the org boundary.
- In response to a security event, acting as a remediation tool to snapshot disks, network-isolate a server, change cloud credentials, and install forensics tools.
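To make the filter/action vocabulary concrete, here is an added example policy file (not taken from the original deck and not one of the project's own policy files). It shows the same `stop` action reused for off-hours savings and for tag compliance, and a filter-only detective policy that runs in real time from a CloudTrail event. Resource, filter, action and mode names follow Cloud Custodian's public documentation; the tag keys, hours, time zone and IAM role ARN are constructed sample values.

```yaml
# Added example (not from the original deck). Resource, filter, action and
# mode names follow Cloud Custodian's documentation; tag keys, hours, the
# time zone and the role ARN are constructed placeholders.
policies:

  # Off-hours savings: the "stop" action, selected by a schedule filter.
  # Instances carrying a maid_offhours tag are stopped at 19:00 Eastern.
  - name: ec2-offhours-stop
    resource: aws.ec2
    filters:
      - type: offhour
        tag: maid_offhours
        default_tz: et
        offhour: 19
    actions:
      - stop

  # Tag compliance: the same "stop" action, but driven by a missing tag.
  # Rather than stopping immediately, mark the instance and stop it after a
  # grace period so the owner has a chance to add the tag.
  - name: ec2-tag-compliance-mark
    resource: aws.ec2
    filters:
      - "tag:CostCenter": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        op: stop
        days: 4

  # Companion policy that carries out the marked operation once the grace
  # period has elapsed.
  - name: ec2-tag-compliance-enforce
    resource: aws.ec2
    filters:
      - type: marked-for-op
        tag: custodian_cleanup
        op: stop
    actions:
      - stop

  # Detective control with a real-time trigger: run when CloudTrail records a
  # RunInstances call and flag instances with no Owner tag. No actions, so the
  # policy only records findings for "custodian report".
  - name: ec2-new-instance-owner-tag
    resource: aws.ec2
    mode:
      type: cloudtrail
      role: arn:aws:iam::123456789012:role/custodian-lambda  # placeholder ARN
      events:
        - RunInstances
    filters:
      - "tag:Owner": absent
```

The file is checked with `custodian validate policy.yml`, executed in pull mode with `custodian run -s out policy.yml` (the cloudtrail-mode policy is deployed as a Lambda function on that run), and findings are listed with `custodian report -s out policy.yml`. Separating the mark and enforce policies is the usual pattern for remediation with a grace period: the first run is purely detective, and the second only touches resources that were already flagged and left unfixed.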
Applying for Incubation Soon(tm)
Ricardo Rocha
Slides | Proposal Document | Pull Request
c7n was accepted into the CNCF Sandbox on June 25, 2020
Governance as Code Day as Part of KubeCon + CloudNativeCon - 2,500+ registrants, 310 live attendees, top 50 hashtags for KubeCon - Recordings from the day
- State of Cloud Custodian 2021
- A summary video for our community, covers many aspects of the project
- New enhancement process for feature development
- GCP moving from beta to GA
- ARM64 docker images
- Extracting core from the AWS provider (have each cloud provider in its own package)
- Kubernetes Admission Controller
- Policy Enforcement against IaC definitions like Terraform (aka shift left)
- End User Policy Testing framework
"Have a healthy number of committers" "Demonstrate a substantial ongoing flow of commits and merged contributions"
Statistic | Sandbox | Current | Growth |
---|---|---|---|
GitHub Stars | 2,940+ | 3,888 | 32% |
Releases | 77+ | 116+ | 50% |
Commits | 3,292+ | 3,677 | 12% |
Forks | 856+ | 1,100+ | 29% |
Contributors | 258+ | 320+ | 24% |
Maintainers | 14 | 10 | -29% |
Affiliations between Maintainers | 4 | 6 | 50% |
- Kapil Thangavelu (@kapilt) - Project Lead - Stacklet
- Todd Stansell (@tjstansell) - 23andme
- John Hillegass (@JohnHillegass) - Fidelity
- Sonny Shi (@thisisshi) - Stacklet
- David Filiatrault (@FireballDWF) - Amazon
- Jamison Roberts (@jtroberts83) - Stacklet
- Karol Lassak (@ingwarsw) - Ingwar & co.
- Stefan Gordon (@stefangordon) - Stacklet
- Andy Luong (@aluong) - Microsoft
- Kiril Logachev (@logachev) - Stacklet
Since the open-source inception of Cloud Custodian in April 2016, we have had numerous maintainers who, over the years, are no longer current contributors; we still celebrate their contributions, and they are listed here.
- Kit Ewbank (@ewbankkit)
- Mandeep Bal (@mandeepbal)
- Erin Welch (@erwelch)
- Darcy Laylock (@Sutto)
"Clearly documented security processes explaining how to report security issues to the project"
Dedicated security mailing list for potential vulnerability reports.
More security details in: Joint Review Self-assessment
Note: both documents are pending merge; this will be updated accordingly.
- Downloads from end users have increased 4x since this time last year
- Over a million downloads a month
- Over 60 million total downloads from Docker Hub
The Cloud Custodian project is composed of multiple source code repositories, all of which are hosted on GitHub under the cloud-custodian organization:
The core repository can be found at
All issues are found in the appropriate repo in our GitHub organization: https://github.com/cloud-custodian.
The official public facing website can be found at https://cloudcustodian.io/
The official communication channel for the project can be found at:
Less active channels include a mailing list and Stack Overflow.
CII Best Practices: https://bestpractices.coreinfrastructure.org/en/projects/3402
Case Studies / Articles
- https://stelligent.com/2017/05/15/cloud-custodian-cleans-up-your-cloud-clutter/
- https://www.cloudsecops.com/aws-security-audit-using-cloud-custodian-for-aws/
- https://aws.amazon.com/blogs/opensource/announcing-cloud-custodian-integration-aws-security-hub/
- https://aws.amazon.com/blogs/opensource/compliance-as-code-and-auto-remediation-with-cloud-custodian/
- https://medium.com/slalom-technology/managing-cloud-compliance-at-scale-with-aws-security-hub-and-cloud-custodian-73c630863a59
We have a separate document with more exhaustive threat modeling exercises, contributed by Capital One: https://docs.google.com/document/d/1S9zQZaT6G1TA3IAx6YNL0f7G938xaFZ-bziszhuxMZg/edit?usp=sharing
All graphics and artwork can be found in the primary Cloud Custodian repo: https://github.com/cloud-custodian/cloud-custodian/tree/master/docs/logos