SahanaJSJ edited this page Jun 29, 2018 · 1 revision

Welcome to the cloudcustodian-policies wiki!

AWS S3 GOVERNANCE USING CLOUD CUSTODIAN

• Using Cloud Custodian (a.k.a C7N) for Cloud Governance in AWS
• It is a Python CLI tool that gives you powerful account management capabilities with a simple config file.
• It can help you manage your AWS account using a simple policy config file and time-based or event-based Lambdas.

AWS Security with Cloud Custodian

• Custodian is an open source rules engine for fleet management in AWS.
• A YAML DSL for policies: each policy queries resources or subscribes to events, then applies filters and takes actions.
• Cloud Custodian will automatically provision event sources and lambda functions.
• Outputs to Amazon S3, Amazon CloudWatch Logs and Amazon CloudWatch Metrics.

Why Cloud Custodian for AWS Security?

Problem Statement: AWS allows you to build enormous and complex cloud infrastructures in a matter of hours. With the ability to create resources so easily, sometimes it can be hard to manage all those resources.
Solution: Cloud Custodian (a.k.a C7N) is that simple but powerful tool that can manage it all.

• Drives Behavior Change
• Notifies users in real time as they do something wrong.
• Drives Compliance
• Security/Access Control, Encryption, Backups, etc.
• Drives Cost Savings
• Off-hours, Monitoring and Garbage Collection of unused and underutilized resources.

Step 1: Setup IAM with appropriate Roles and Permissions to provide access to S3 Buckets

  1. We need to create IAM roles with appropriate permissions.
  2. You will have to edit the trust relationship of the role so that the Lambda function can assume it.

Every policy targets a particular resource type (like EC2, S3, etc.). Policies are simply YAML files: to run a policy, write it in a YAML file and run it.
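As an added example (not from this wiki), the policy file below covers both modes mentioned above: a time-based policy that enables default encryption on S3 buckets that lack it, and an event-based policy that removes public ACL grants as soon as a bucket is created. The role ARN, SQS queue URL and e-mail address are placeholders you replace with the role from Step 1 and your Custodian mailer queue.

```yaml
policies:
  # Time-based policy: runs once a day, finds buckets without default
  # encryption, enables SSE-S3 on them and notifies the security team.
  - name: s3-enforce-default-encryption
    resource: s3
    description: Enable SSE-S3 default encryption on any bucket that lacks it.
    mode:
      type: periodic
      schedule: "rate(1 day)"
      # placeholder: the Lambda execution role created in Step 1
      role: arn:aws:iam::<ACCOUNT_ID>:role/<CUSTODIAN_LAMBDA_ROLE>
    filters:
      - type: bucket-encryption
        state: false
    actions:
      - type: set-bucket-encryption
        crypto: AES256
      - type: notify
        to: [security-team@example.com]          # constructed address
        subject: "[custodian] default encryption enabled in {{ account }}"
        transport:
          type: sqs
          # placeholder: the queue the Custodian mailer (Step 2) reads from
          queue: https://sqs.us-east-1.amazonaws.com/<ACCOUNT_ID>/<MAILER_QUEUE>

  # Event-based policy: triggered by the CreateBucket CloudTrail event,
  # strips AllUsers / AuthenticatedUsers grants from the new bucket's ACL.
  - name: s3-remove-global-grants-on-create
    resource: s3
    description: Remove public ACL grants as soon as a bucket is created.
    mode:
      type: cloudtrail
      events: [CreateBucket]
      role: arn:aws:iam::<ACCOUNT_ID>:role/<CUSTODIAN_LAMBDA_ROLE>  # placeholder
    filters:
      - type: global-grants
    actions:
      - delete-global-grants
```

Check the file with `custodian validate s3-governance.yml` before deploying it with `custodian run -s out s3-governance.yml`, which provisions the Lambda functions and event sources for both policies.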

Step 2: To install Cloud Custodian and Custodian mailer

Follow the installation steps for Cloud Custodian and the Custodian mailer.

Step 3: Verify the AWS Services: