AWS Modes
Custodian can run in numerous modes depending on the provider, with the default being pull mode.
- pull:
Default mode, which runs locally wherever custodian is invoked.

    properties:
      type:
        enum:
        - pull
    required:
    - type
- periodic:
Runs Custodian in AWS Lambda at a user-defined cron interval.

    properties:
      concurrency:
        type: integer
      dead_letter_config:
        type: object
      environment:
        type: object
      execution-options:
        type: object
      function-prefix:
        type: string
      kms_key_arn:
        type: string
      layers:
        items:
          type: string
        type: array
      member-role:
        type: string
      memory:
        type: number
      packages:
        items:
          type: string
        type: array
      pattern:
        minProperties: 1
        type: object
      role:
        type: string
      runtime:
        enum:
        - python2.7
        - python3.6
        - python3.7
        - python3.8
      schedule:
        type: string
      security_groups:
        type: array
      subnets:
        type: array
      tags:
        type: object
      timeout:
        type: number
      tracing_config:
        type: object
      type:
        enum:
        - periodic
    required:
    - type
- phd:
Runs Custodian in AWS Lambda and is triggered by Personal Health Dashboard events. These events are generated by changes in the health of AWS resources, giving you event visibility and guidance to help quickly diagnose and resolve issues. See Personal Health Dashboard for more details.

    properties:
      categories:
        items:
          enum:
          - issue
          - accountNotification
          - scheduledChange
        type: array
      concurrency:
        type: integer
      dead_letter_config:
        type: object
      environment:
        type: object
      events:
        items:
          type: string
        type: array
      execution-options:
        type: object
      function-prefix:
        type: string
      kms_key_arn:
        type: string
      layers:
        items:
          type: string
        type: array
      member-role:
        type: string
      memory:
        type: number
      packages:
        items:
          type: string
        type: array
      pattern:
        minProperties: 1
        type: object
      role:
        type: string
      runtime:
        enum:
        - python2.7
        - python3.6
        - python3.7
        - python3.8
      security_groups:
        type: array
      statuses:
        items:
          enum:
          - open
          - upcoming
          - closed
        type: array
      subnets:
        type: array
      tags:
        type: object
      timeout:
        type: number
      tracing_config:
        type: object
      type:
        enum:
        - phd
    required:
    - type
- cloudtrail:
Runs Custodian in AWS Lambda and is triggered by CloudTrail events. This allows you to apply your policies as soon as events occur. CloudTrail creates an event for every API call that occurs in your AWS account. See Cloudtrail for more details.

    properties:
      concurrency:
        type: integer
      dead_letter_config:
        type: object
      environment:
        type: object
      events:
        items:
          oneOf:
          - type: string
          - properties:
              event:
                type: string
              ids:
                type: string
              source:
                type: string
            required:
            - event
            - source
            - ids
            type: object
        type: array
      execution-options:
        type: object
      function-prefix:
        type: string
      kms_key_arn:
        type: string
      layers:
        items:
          type: string
        type: array
      member-role:
        type: string
      memory:
        type: number
      packages:
        items:
          type: string
        type: array
      pattern:
        minProperties: 1
        type: object
      role:
        type: string
      runtime:
        enum:
        - python2.7
        - python3.6
        - python3.7
        - python3.8
      security_groups:
        type: array
      subnets:
        type: array
      tags:
        type: object
      timeout:
        type: number
      tracing_config:
        type: object
      type:
        enum:
        - cloudtrail
    required:
    - type
- ec2-instance-state:
Runs Custodian in AWS Lambda and is triggered by EC2 instance state changes. This is useful if you have policies that are specific to EC2. See EC2 lifecycles for more details.

    properties:
      concurrency:
        type: integer
      dead_letter_config:
        type: object
      environment:
        type: object
      events:
        items:
          enum:
          - pending
          - running
          - shutting-down
          - stopped
          - stopping
          - terminated
        type: array
      execution-options:
        type: object
      function-prefix:
        type: string
      kms_key_arn:
        type: string
      layers:
        items:
          type: string
        type: array
      member-role:
        type: string
      memory:
        type: number
      packages:
        items:
          type: string
        type: array
      pattern:
        minProperties: 1
        type: object
      role:
        type: string
      runtime:
        enum:
        - python2.7
        - python3.6
        - python3.7
        - python3.8
      security_groups:
        type: array
      subnets:
        type: array
      tags:
        type: object
      timeout:
        type: number
      tracing_config:
        type: object
      type:
        enum:
        - ec2-instance-state
    required:
    - type
- asg-instance-state:
Runs Custodian in AWS Lambda and is triggered by ASG instance state changes. This is useful if you have policies that are specific to ASGs. See ASG lifecycle hooks for more details.

    properties:
      concurrency:
        type: integer
      dead_letter_config:
        type: object
      environment:
        type: object
      events:
        items:
          enum:
          - launch-success
          - launch-failure
          - terminate-success
          - terminate-failure
        type: array
      execution-options:
        type: object
      function-prefix:
        type: string
      kms_key_arn:
        type: string
      layers:
        items:
          type: string
        type: array
      member-role:
        type: string
      memory:
        type: number
      packages:
        items:
          type: string
        type: array
      pattern:
        minProperties: 1
        type: object
      role:
        type: string
      runtime:
        enum:
        - python2.7
        - python3.6
        - python3.7
        - python3.8
      security_groups:
        type: array
      subnets:
        type: array
      tags:
        type: object
      timeout:
        type: number
      tracing_config:
        type: object
      type:
        enum:
        - asg-instance-state
    required:
    - type
- guard-duty:
Runs Custodian in AWS Lambda and is triggered by Guard Duty findings. AWS Guard Duty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. This mode allows you to execute policies when various alerts are created by AWS Guard Duty. See Guard Duty for more details.

    properties:
      concurrency:
        type: integer
      dead_letter_config:
        type: object
      environment:
        type: object
      execution-options:
        type: object
      function-prefix:
        type: string
      kms_key_arn:
        type: string
      layers:
        items:
          type: string
        type: array
      member-role:
        type: string
      memory:
        type: number
      packages:
        items:
          type: string
        type: array
      pattern:
        minProperties: 1
        type: object
      role:
        type: string
      runtime:
        enum:
        - python2.7
        - python3.6
        - python3.7
        - python3.8
      security_groups:
        type: array
      subnets:
        type: array
      tags:
        type: object
      timeout:
        type: number
      tracing_config:
        type: object
      type:
        enum:
        - guard-duty
    required:
    - type
- config-rule:
Runs Custodian in AWS Lambda and is triggered by AWS Config when the configuration of your AWS resources changes. This is useful if you have policies that enforce certain configurations or want to be notified of certain configuration changes. See AWS Config for more details.

    properties:
      concurrency:
        type: integer
      dead_letter_config:
        type: object
      environment:
        type: object
      execution-options:
        type: object
      function-prefix:
        type: string
      kms_key_arn:
        type: string
      layers:
        items:
          type: string
        type: array
      member-role:
        type: string
      memory:
        type: number
      packages:
        items:
          type: string
        type: array
      pattern:
        minProperties: 1
        type: object
      role:
        type: string
      runtime:
        enum:
        - python2.7
        - python3.6
        - python3.7
        - python3.8
      security_groups:
        type: array
      subnets:
        type: array
      tags:
        type: object
      timeout:
        type: number
      tracing_config:
        type: object
      type:
        enum:
        - config-rule
    required:
    - type
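To check a policy's mode block against the schemas listed above before deploying it, here is an added example (not Custodian's own validator): a small checker covering the type, enum, required, minProperties and oneOf keywords those schemas use, including the string-or-object form of cloudtrail events. The phd and asg-instance-state schemas are left out for space, the two sample policies are constructed, and the role ARN in them is a placeholder.

```python
COMMON = {k: {"type": t} for k, t in [  # lambda settings shared by every non-pull mode on this page
    ("concurrency", "integer"), ("memory", "number"), ("timeout", "number"), ("role", "string"),
    ("function-prefix", "string"), ("kms_key_arn", "string"), ("member-role", "string"),
    ("dead_letter_config", "object"), ("environment", "object"), ("execution-options", "object"),
    ("tags", "object"), ("tracing_config", "object"), ("security_groups", "array"), ("subnets", "array")]}
COMMON.update(pattern={"type": "object", "minProperties": 1},
              runtime={"enum": ["python2.7", "python3.6", "python3.7", "python3.8"]},
              layers={"type": "array", "items": {"type": "string"}}, packages={"type": "array", "items": {"type": "string"}})
CT_EVENT = {"type": "object", "required": ["event", "source", "ids"], "properties": {
    "event": {"type": "string"}, "ids": {"type": "string"}, "source": {"type": "string"}}}
EC2_STATES = ["pending", "running", "shutting-down", "stopped", "stopping", "terminated"]
TYPES = {"string": str, "integer": int, "number": (int, float), "object": dict, "array": list}
def mode_schema(name, **extra):  # every lambda mode is an object whose ``type`` is fixed and required
    return {"type": "object", "required": ["type"], "properties": dict(COMMON, type={"enum": [name]}, **extra)}
MODES = {  # the per-mode differences from the page (phd and asg-instance-state omitted for space)
    "pull": {"type": "object", "required": ["type"], "properties": {"type": {"enum": ["pull"]}}},
    "guard-duty": mode_schema("guard-duty"), "config-rule": mode_schema("config-rule"),
    "periodic": mode_schema("periodic", schedule={"type": "string"}),
    "cloudtrail": mode_schema("cloudtrail", events={"type": "array", "items": {"oneOf": [{"type": "string"}, CT_EVENT]}}),
    "ec2-instance-state": mode_schema("ec2-instance-state", events={"type": "array", "items": {"enum": EC2_STATES}})}

def errors(value, schema, path="mode"):
    """Return the schema violations for value as a list of messages (an empty list means valid)."""
    if "enum" in schema and value not in schema["enum"]:
        return [f"{path}: {value!r} not one of {schema['enum']}"]
    if "type" in schema and (isinstance(value, bool) or not isinstance(value, TYPES[schema["type"]])):
        return [f"{path}: expected {schema['type']}"]
    out = []  # oneOf: exactly one branch (a plain event name, or a source/event/ids object) must validate
    if "oneOf" in schema and sum(not errors(value, s, path) for s in schema["oneOf"]) != 1:
        out.append(f"{path}: must match exactly one of the allowed forms")
    if isinstance(value, dict):  # required keys, minProperties, then recurse into the listed properties
        out += [f"{path}: missing required key {k!r}" for k in schema.get("required", []) if k not in value]
        if len(value) < schema.get("minProperties", 0):
            out.append(f"{path}: needs at least {schema['minProperties']} key(s)")
        out += [e for k, s in schema.get("properties", {}).items() if k in value for e in errors(value[k], s, f"{path}.{k}")]
    if isinstance(value, list) and "items" in schema:
        out += [e for i, v in enumerate(value) for e in errors(v, schema["items"], f"{path}[{i}]")]
    return out
def validate_mode(policy):
    mode = policy.get("mode", {"type": "pull"})  # a policy with no mode block runs in the default pull mode
    schema = MODES.get(mode.get("type")) if isinstance(mode, dict) else None
    return errors(mode, schema) if schema else ["mode.type: missing or unknown mode"]

# Constructed samples (not from the page; the role ARN is a placeholder): a valid cloudtrail policy and a broken one.
GOOD = {"name": "sg-ingress-audit", "resource": "security-group", "mode": {"type": "cloudtrail",
    "role": "arn:aws:iam::123456789012:role/custodian-placeholder", "runtime": "python3.8", "timeout": 60,
    "events": [{"source": "ec2.amazonaws.com", "event": "AuthorizeSecurityGroupIngress", "ids": "requestParameters.groupId"}]}}
BAD = {"name": "broken", "resource": "ec2", "mode": {"type": "cloudtrail", "runtime": "python3.9",
    "timeout": "60", "events": [{"source": "ec2.amazonaws.com", "event": "RunInstances"}]}}
```

Like the schemas as listed, the checker does not reject keys they do not mention, so a misspelled key is silently ignored; `validate_mode(BAD)` reports the string timeout, the unsupported runtime and the event object missing `ids`.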