Provides a brief overview of Cloud Custodian (an open-source project by Capital One) and covers the benefits around Cost Savings, Compliance and Security, and Speed of Delivery. Several example policies provided for each. Check out my github for lots more examples and Cloud Custodian scripts - https://github.com/jtroberts83/Cloud-Custodian

2. WHAT IS CLOUD CUSTODIAN?
• Cloud Custodian is a tool that unifies the dozens of tools and
scripts most organizations use for managing their AWS
accounts into one open source tool. It’s a stateless rules
engine for policy definition and enforcement, with metrics and
reporting for AWS.

3. WHAT IS CLOUD CUSTODIAN?
• We want developers to be able to use the cloud and get the full native experience but
sometimes developers make mistakes and create S3 buckets or databases that are
publicly accessible to the internet etc.
• Cloud Custodian provides an easy method to put guardrails in place through real-time
and reactive automation instead of the old way of manual process and checklists.
• It helps keep developers in a safe space while being productive without the manual
side of management which can lock down their ability for innovation.
• Using repeatable actions and filters effectively provides millions of Lego bricks to build
ad-hoc policies from. There isn't a specific number of things Cloud Custodian can do,
it's really up to the imagination.

4. WHAT IS CLOUD CUSTODIAN?
- name: (Required) Name for the policy
- resource: (Required) Which resource type to check (ec2, rds, ebs, etc 100+)
- description: Brief statement of what the policy does
- mode: How the policy will be executed (event(API Triggered), periodic(Cron Scheduled), config(Config Change Triggered), no mode for manual
runs)
- filters: Narrow down resource matches with 1 or more of these
- actions: What to do with the resulting resource set found. (notify, stop, start, terminate, tag, resize, etc)
Cloud Custodian is fed basic instructions on what to do using a user defined yaml file(s) which contain 1 or
more policies the user wants executed against their AWS resources. Policies are generally pretty simple to
define as Cloud Custodian does all the heavy lifting and code processing on the backend.
Here is the basic structure of a policy:

5. WHAT DOES IT DO?
Cost Savings:
• Resource Off Hours
– Easy way to cut expenses by turning on/off resources on a automated schedule.
• Resource Resizing
– Ability to automatically resize resources based on metrics over time.
• Garbage Collection
– Automatic notifications and removal of stale and unused resources.

6. WHAT DOES IT DO?
Compliance:
• Encryption
– Verify and enforce encryption across numerous resources.
• Backups
– Performs automated snapshots of servers and databases.
• Tag Enforcement
– Proper tags are necessary for resource support and tracking.
• Security
– Puts up automated safeguards to detect, remediate, and notify customers of non-compliant actions
• Standards
– Ensure certain standards are used with consistency across all managed AWS accounts.

7. WHAT DOES IT DO?
Speed of Delivery:
• New AWS Accounts
– Verifies CloudTrail Logging is enabled and configured properly
– Verifies Network Logging is enabled and configured properly
– Verifies Root user’s access keys have been deleted
– Verifies MFA Token has been applied to Root user
– Verifies proper IAM password policy is enforced for users
• Detects and automates service limit increases
– Automatically opens AWS support case for service limit increases when
necessary*
*Only works on accounts with Business Support Plans or above as this feature relies
on advanced Trusted Advisor stats only available on certain paid support plans.

8. CLOUD CUSTODIAN POLICY EXAMPLES

9. COST SAVINGS - RESOURCE OFF HOURS
- name: ec2-offhours-stop
resource: ec2
description: |
Stops any EC2 instance which has a c7n_maid_offhours
tag set if the day and time specified in the tag match the
current day and time. Ex off=(M-F,19);on=(M-F,7);tz=ct
mode:
type: periodic
schedule: "rate(5 minutes)"
filters:
- type: offhour
tag: c7n_maid_offhours
default_tz: ct
offhour: 19
actions:
- stop
- name: ec2-offhours-start
resource: ec2
description: |
Starts any EC2 instance which has a c7n_maid_offhours tag set
if the day and time specified in the tag match the current day and
time.
Ex off=(M-F,19);on=(M-F,7);tz=ct
mode:
type: periodic
schedule: "rate(5 minutes)"
filters:
- type: onhour
tag: c7n_maid_offhours
default_tz: ct
onhour: 7
actions:
- start

10. COST SAVINGS - RESIZING RESOURCES
- name: rds-resize-storage
resource: rds
description: |
Resizes RDS databases who are using more than
90%
of their storage space and adds 30% more space
filters:
- type: metrics
name: FreeStorageSpace
percent-attr: AllocatedStorage
attr-multiplier: 1073741824
value: 90
op: greater-than
actions:
- type: resize
percent: 30
- name: ec2-instance-too-large-resizer
resource: ec2
filters:
- type: value
key: InstanceType
op: in
value:
- m4.10xlarge
- m4.4xlarge
- type: instance-age
value: 14
- type: metrics
name: CPUUtilization
days: 14
value: 3
op: less-than
actions:
- type: resize
restart: true
type-map:
m4.4xlarge: m4.2xlarge
m4.10xlarge: m4.4xlarge

11. COST SAVINGS - GARBAGE COLLECTION
- name: ebs-mark-unattached-
deletion
resource: ebs
description: |
Mark any unattached EBS volumes for deletion
in
30 days. This will clean up old unused
orphaned
volumes that customers forget to delete.
filters:
- "tag:maid_status": absent
- State: available
actions:
- type: mark-for-op
op: delete
days: 30
- name: elb-mark-unused-for-deletion
resource: elb
description: |
Mark any ELB with no instances attached for
deletion in 14 days.
filters:
- "tag:maid_status": absent
- Instances: []
actions:
- type: mark-for-op
tag: c7n_unused_elb
msg: "Unused ELB No Instances: {op}@{action_date}"
op: delete
days: 14
- name: rds-mark-unused
resource: rds
description: |
Take the average number of connections over
14 days and mark any unused for deletion
filters:
- "tag:c7n_rds_unused": absent
- type: value
value_type: age
key: InstanceCreateTime
value: 14
op: greater-than
- type: metrics
name: DatabaseConnections
days: 14
value: 0
op: equal
actions:
- type: mark-for-op
tag: c7n_rds_unused
op: delete
days: 14
- notify…..

12. COMPLIANCE - ENCRYPTION- name: s3-encrypt-buckets-realtime
resource: s3
description: |
A lambda encryption function is generated (if missing) and
attached
to newly created S3 buckets which will encrypt all uploaded
objects
mode:
type: cloudtrail
events:
- CreateBucket
filters:
- type: value
key: "Notification"
value: empty
- not:
- type: value
key: "Name"
op: regex
value: ^(cf-te?)w+
actions:
- attach-encrypt
- name: encrypt-unencrypted-ebs-volumes
resource: ebs
description: |
Multistep automated Cloud Custodian encryption process:
- Stop instance (if running)
- For each volume
- Create snapshot
- Wait on snapshot creation
- Copy Snapshot to create encrypted snapshot
- Wait on snapshot creation
- Create encrypted volume from snapshot
- Wait on volume creation
- Delete transient snapshots
- Detach Unencrypted Volume
- Attach Encrypted Volume
- Set DeleteOnTermination instance attribute equal to source
volume
- For each volume
- Delete unencrypted volume
- Start Instance (if originally running)
- For each newly encrypted volume
- Delete transient tags
filters:
- Encrypted: false
actions:
- type: encrypt-instance-volumes
key: alias/encrypted

13. COMPLIANCE - BACKUPS
- name: ec2-daily-backup
resource: ec2
description: |
Creates a snapshot of every EC2 EBS
volume daily when custodian runs
its daily scan
actions:
- type: snapshot
copy-tags:
- Owner
- "Resource Contact"
- Environment
- "Billing Cost Center"
- Name
- name: rds-daily-snapshot
resource: rds
description: |
Creates a snapshot of every RDS
volume daily when custodian runs
its full scan
actions:
- snapshot
- name: delete-old-snapshots
resource: ebs-snapshot
description: |
Deletes a snapshot if its older than 7
days and it was created by
cloud custodian
mode:
type: periodic
schedule: "rate(1 day)"
timeout: 300
filters:
- type: age
days: 7
op: greater-equal
- type: value
key: Description
op: regex
value: ^(Automated,Backup,-
?)w+
actions:
- delete
- name: rds-snapshot-delete-stale
resource: rds-snapshot
description: |
Deletes RDS single instance
snapshots
of age 15 days or older.
filters:
- type: age
days: 15
op: greater-equal
- type: value
key: DBSnapshotIdentifier
op: regex
value: ^(backup-?)w+
- type: value
key: SnapshotType
op: eq
value: manual
actions:
- delete

14. COMPLIANCE – TAG ENFORCEMENT- name: ec2-tag-compliance-mark
resource: ec2
mode:
type: cloudtrail
events:
- RunInstances
description: |
Find all non-autoscaling instances
that
are not conformant to tagging
policies
and tag them for stoppage in 1
days.
filters:
- "tag:aws:autoscaling:groupName":
absent
- "tag:c7n_tag_compliance": absent
- or:
- "tag:Resource Contact": absent
- "tag:Billing Cost Center":
absent
- "tag:Environment": absent
- "tag:Resource Purpose":
absent
- "tag:Business Unit": absent
actions:
- type: mark-for-op
tag: c7n_tag_compliance
op: stop
days: 1
- notify….
- name: ec2-tag-compliance-stop
resource: ec2
mode:
type: periodic
schedule: "rate(1 hour)"
description: |
Stop all non-autoscaling group
instances previously marked for
stoppage by today's date, and
schedule termination in 2 days.
filters:
- "tag:aws:autoscaling:groupName":
absent
- or:
- "tag:Resource Contact": absent
- "tag:Billing Cost Center":
absent
- "tag:Environment": absent
- "tag:Resource Purpose":
absent
- "tag:Business Unit": absent
- type: marked-for-op
tag: c7n_tag_compliance
op: stop
- type: instance-age
op: greater-than
hours: 24
- not:
- "State.Name": terminated
actions:
- stop
- type: mark-for-op
tag: c7n_tag_compliance
op: terminate
days: 2
- name: ec2-tag-compliance-nag-
stop
resource: ec2
mode:
type: periodic
schedule: "rate(1 hour)"
description: |
Stop all instances marked for
termination every hour starting 1
day
before their termination.
filters:
- "tag:aws:autoscaling:groupName": absent
- or:
- "tag:Resource Contact": absent
- "tag:Billing Cost Center":
absent
- "tag:Environment": absent
- "tag:Resource Purpose":
absent
- "tag:Business Unit": absent
- type: marked-for-op
tag: c7n_tag_compliance
op: terminate
skew: 1
- type: instance-age
op: greater-than
hours: 48
- not:
- "State.Name": terminated
actions:
- stop
- notify….
- name: ec2-tag-compliance-terminate
resource: ec2
mode:
type: periodic
schedule: "rate(1 hour)"
description: |
Terminate all stopped instances
marked for termination today
filters:
- "tag:aws:autoscaling:groupName":
absent
- or:
- "tag:Resource Contact": absent
- "tag:Billing Cost Center":
absent
- "tag:Environment": absent
- "tag:Resource Purpose":
absent
- "tag:Business Unit": absent
- type: marked-for-op
tag: c7n_tag_compliance
op: terminate
- type: instance-age
op: greater-than
hours: 72
- not:
- "State.Name": terminated
actions:
- type: terminate
force: true
- notify….

15. COMPLIANCE - STANDARDS
- name: rds-prd-multi-az-remediate
resource: rds
description: |
Notify on all Prod RDS Instances that are Not Multi AZ setup.
mode:
type: cloudtrail
events:
- source: rds.amazonaws.com
event: CreateDBInstance
ids:
"requestParameters.dBInstanceIdentifier"
filters:
- type: value
key: 'tag:Environment'
value: '^pro?d'
op: regex
- MultiAZ: false
actions:
- notify…..
- name: ec2-auto-tag-user
resource: ec2
description: |
Tag any new instance with the
Creators ID and Principle ID.
mode:
type: cloudtrail
events:
- RunInstances
filters:
- tag:CreatorName: absent
actions:
- type: auto-tag-user
tag: CreatorName
principal_id_tag:
CreatorId
- name: password-policy-check
resource: account
description: |
Verifies password policy on account
meets our requirements and notifies if not
region: us-east-1
filters:
- type: password-policy
key: MinimumPasswordLength
value: 14
op: less-than
- type: password-policy
key: RequireSymbols
value: false
- type: password-policy
key: RequireNumbers
value: false
- type: password-policy
key: RequireUppercaseCharacters
value: false
- type: password-policy
key: RequireLowercaseCharacters
value: false
- type: password-policy
key: PasswordReusePrevention
value: 2
op: less-than
- type: password-policy
key: MaxPasswordAge
value: 90
op: less-than
- type: password-policy
key: ExpirePasswords
value: false
- type: password-policy
key: HardExpiry
value: false
actions:
- notify….

16. CLOUD CUSTODIAN QUESTIONS