Cloud Custodian Documentation

Cloud Custodian is a tool that unifies the dozens of tools and scripts most organizations use for managing their public cloud accounts into one open source tool. It uses a stateless rules engine for policy definition and enforcement, with metrics, structured outputs and detailed reporting for clouds infrastructure. It integrates tightly with serverless runtimes to provide real time remediation/response with low operational overhead.

Organizations can use Custodian to manage their cloud environments by ensuring compliance to security policies, tag policies, garbage collection of unused resources, and cost management from a single tool.

Cloud Custodian can be bound to serverless event streams across multiple cloud providers that maps to security, operations, and governance use cases. Custodian adheres to a compliance as code principle, so you can validate, dry-run, and review changes to your policies.

Cloud Custodian policies are expressed in YAML and include the following:

• The type of resource to run the policy against

• Filters to narrow down the set of resources

• Actions to take on the filtered set of resources

Navigate below to your cloud provider and get started with Cloud Custodian!

Introduction

• Getting Started
  • Install Cloud Custodian
  • Explore Cloud Custodian
  • Cloud Provider Specific Help
  • Monitor resources
  • Editor Integration
  • Tab Completion
  • Pre-commit Integration
  • Community Resources
• Generic Filters
  • Value Filter
  • List Item Filter
  • Event Filter
  • Reduce Filter
• Generic Actions
  • Webhook Action
• Advanced Usage
  • Running against multiple regions
  • Reporting against multiple regions
  • Conditional Policy Execution
  • Limiting how many resources custodian affects
  • Adding custom fields to reports
• Example tag compliance policy
• Deployment
  • Compliance as Code
  • Continuous Integration of Policies
  • IAM Setup
  • Single Node Deployment
  • Monitoring Cloud Custodian
  • Mailer and Notifications Deployment
  • Multi Account Execution
  • Advanced Continuous Integration Tips
  • Additional Resources

AWS

• Getting Started
• Example Policies
• Monitoring your environment
• Lambda Support
• AWS Topics
• Developer Guide
• Adding New AWS Resources
• AWS Reference

Azure

• Getting Started
  • Write your first policy
  • Run your policy
  • View policy results
  • Next Steps
• Configuring Azure Policies
  • Authentication & Access
  • Logging, Metrics and Output
  • Hosting Options
• Examples
  • General
  • Compute
  • Storage and Databases
  • Identity
  • Networking
  • Notifications
• Advanced Usage
  • Running against multiple subscriptions
  • Azure Policy Comparison
  • Developer Guide
• Azure Reference
  • Azure Execution Modes
  • Azure Common Actions
  • Azure Common Filters
  • AI + Machine Learning resources
  • Active Directory resources
  • Alerts Management resources
  • Analytics resources
  • Backup and Recovery resources
  • Compute resources
  • Containers resources
  • Cost resources
  • Databases resources
  • Events resources
  • Generic resources
  • Integration resources
  • Internet Of Things resources
  • ML resources
  • Media resources
  • Monitoring resources
  • Network resources
  • Networking resources
  • Resource Group resources
  • Security resources
  • Storage resources
  • Subscription resources
  • Web resources

GCP

• Getting Started
• Examples
• Policies
• Developer Guide
• Adding New GCP Resources
• Testing
• GCP Reference

Oracle Cloud Infrastructure (OCI)

• Getting Started (Beta)
• Example Policies
• Testing
• Oracle Cloud Infrastructure Reference
• Advanced Usage

Tencent Cloud

• Tencent Cloud
• Installation
• Usage
• Tencent Cloud Reference

Kubernetes

• Getting Started (Alpha)
• Kubernetes Controller Mode
• Option 1: Manual installation
• Option 2: Helm chart
• Examples

Tools

• c7n-org: Multi Account Custodian Execution
  • Installation
  • Running a Policy with c7n-org
  • Selecting accounts, regions, policies for execution
  • Defining and using variables
  • Other commands
  • Additional Azure Instructions
  • Additional OCI Instructions
• c7n-mailer: Custodian Mailer
  • Message Relay
  • Tutorial
  • Usage & Configuration
  • Configuring a policy to send email
  • Using on Azure
  • Using on GCP
  • Writing an email template
  • Developer Install (OS X El Capitan)
  • Testing Templates and Recipients
• Custodian policies for Infrastructure Code
  • Install
  • Usage
  • CLI Filters
  • Outputs
  • Policy Language
  • Policy Testing
• Custodian Kubernetes Support
  • Running the server
  • Generate a MutatingWebhookConfiguration
  • Development
• cask: easy custodian exec via docker
  • Install
  • Run
  • Build
• c7n-log-exporter: Cloud watch log exporter automation
  • Features
  • Assumptions
  • Cli usage
  • Config format
  • Multiple accounts via cli
  • Serverless Usage
• c7n-trailcreator: Retroactive Resource Creator Tagging
  • Install
  • Config File
  • Athena Usage
  • Tagging
  • Multi Account / Multi Region
• c7n-policystream: Policy Changes from Git
  • Install
  • Build
  • Usage
  • Options
• OmniSSM - EC2 Systems Manager Automation
  • Client Configuration
  • Links
  • Todo
• c7n-guardian: Automated multi-account Guard Duty setup
  • Accounts Credentials
  • Using custodian policies for remediation
• c7n-salactus: Distributed Scale out S3 processing
  • Use Cases
  • Usage
  • Sample Configuration

Contributing

• Contributing to Cloud Custodian
  • Developer install
  • Issues
  • Code of Conduct
  • Contributor agreement
• Developer Guide
• Installing for Developers
  • Installing Prerequisites
  • Installing Custodian
• Testing for Developers
  • Running tests
  • Operating System Compatibility
  • Writing Tests for Cloud Controlled Resources
  • Converting older functional tests
• Documentation For Developers
  • Find the Documentation
  • Edit the Documentation
  • Render the Documentation
• Packaging Custodian
  • Usage
  • Caveats