Custodian has deep integration with AWS Config. A custodian policy:

- Can be deployed as a config-rule for any resource type supported by Config.
- Can use Config as the resource database instead of querying service describe APIs. Custodian supports server-side querying of resources with Config's SQL expression language.
- Can filter resources based on their compliance with one or more Config rules.
- Can be deployed as a config-poll-rule against any resource type supported by CloudFormation.
Custodian does the legwork of normalizing the resource description from Config's idiosyncratic format to one that looks like describe API call output, so policies can use Config with a simple change of source or execution mode.

You can use Config as a CMDB of resources instead of doing describes by adding `source: config` to any policy on a resource type that Config supports. This also supports arbitrary SQL selects (via Config's SelectResourceConfig API) on the resources, in addition to the standard custodian filters. In the example below, the `query` clause is evaluated server-side by Config to narrow the candidate set, and the `filters` are then applied by Custodian to the normalized resources.
```yaml
policies:
  - name: dynamdb-checker
    resource: aws.dynamodb-table
    source: config
    query:
      - clause: "resourceId = 'MyTable'"
    filters:
      - SSEDescription: absent
```
Custodian is also one of the easiest ways of authoring custom Config rules. For any Config-supported resource, you can just add a mode with `type: config-rule` to have the policy deployed as a custom Config rule Lambda. Resources that match the policy's filters are reported to Config as NON_COMPLIANT; everything else is reported as COMPLIANT.
```yaml
policies:
  - name: ec2-checker
    resource: aws.ec2
    mode:
      type: config-rule
      role: MyLambdaConfigRole
    filters:
      - type: image
        tag: "NotSupported"
        value: absent
```
Custodian also supports filtering resources based on their compliance with other Config rules. The `config-compliance` filter keeps a resource if any of the named rules has evaluated it into any of the listed states, so the policy below stops instances that either rule flagged as NON_COMPLIANT.
```yaml
policies:
  - name: ec2-remediate-non-compliant
    resource: aws.ec2
    filters:
      - type: config-compliance
        rules: [my_other_config_rule, some_other_rule]
        states: [NON_COMPLIANT]
    actions:
      - stop
```
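To make the matching semantics of `config-compliance` concrete, here is an added example that emulates the filter over sample data; it is not Cloud Custodian's own implementation. The evaluation records follow the nested layout that boto3's `get_compliance_details_by_config_rule` returns, the instances and evaluations are constructed for the example, and the `c7n:config-compliance` annotation key is assumed here rather than taken from the page.

```python
"""Emulation of the config-compliance filter's matching, as an added example.
Not Cloud Custodian's implementation. Evaluation records mirror the shape of
ConfigService.get_compliance_details_by_config_rule output (trimmed to the
fields used here); all sample data below is constructed.
"""
from typing import Dict, Iterable, List

VALID_STATES = {"COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE", "INSUFFICIENT_DATA"}


def make_evaluation(rule: str, resource_id: str, compliance: str,
                    resource_type: str = "AWS::EC2::Instance") -> dict:
    """Build one EvaluationResult record in the Config API's nested layout."""
    return {
        "EvaluationResultIdentifier": {
            "EvaluationResultQualifier": {
                "ConfigRuleName": rule,
                "ResourceType": resource_type,
                "ResourceId": resource_id,
            }
        },
        "ComplianceType": compliance,
    }


# Constructed: per-rule evaluation results as Config would report them.
SAMPLE_EVALUATIONS: Dict[str, List[dict]] = {
    "my_other_config_rule": [
        make_evaluation("my_other_config_rule", "i-0aaa111", "NON_COMPLIANT"),
        make_evaluation("my_other_config_rule", "i-0bbb222", "COMPLIANT"),
    ],
    "some_other_rule": [
        make_evaluation("some_other_rule", "i-0ccc333", "NON_COMPLIANT"),
        make_evaluation("some_other_rule", "i-0bbb222", "NOT_APPLICABLE"),
    ],
}

# Constructed: describe-instances shaped resources, as Custodian filters see them.
SAMPLE_INSTANCES: List[dict] = [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"}},
    {"InstanceId": "i-0bbb222", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc333", "State": {"Name": "running"}},
    {"InstanceId": "i-0ddd444", "State": {"Name": "running"}},  # never evaluated by either rule
]


def fetch_evaluations(config_client, rule: str, states: Iterable[str]) -> List[dict]:
    """Pull every evaluation result for one rule from the Config API.

    Not exercised here (it needs a boto3 'config' client); included to make
    the paging explicit: results arrive in pages linked by NextToken.
    """
    results, kwargs = [], {"ConfigRuleName": rule, "ComplianceTypes": list(states)}
    while True:
        page = config_client.get_compliance_details_by_config_rule(**kwargs)
        results.extend(page.get("EvaluationResults", []))
        if not page.get("NextToken"):
            return results
        kwargs["NextToken"] = page["NextToken"]


def config_compliance_filter(resources: Iterable[dict], rules: Iterable[str],
                             states: Iterable[str], evaluations_by_rule: Dict[str, List[dict]],
                             id_key: str = "InstanceId") -> List[dict]:
    """Keep resources with an evaluation in ANY listed rule carrying ANY listed state.

    Matching resources come back with their evaluations attached under
    'c7n:config-compliance' (annotation key assumed for this example).
    """
    wanted = set(states)
    unknown = wanted - VALID_STATES
    if unknown:
        raise ValueError(f"unknown compliance state(s): {sorted(unknown)}")
    matches: Dict[str, List[dict]] = {}
    for rule in rules:
        for ev in evaluations_by_rule.get(rule, []):
            if ev["ComplianceType"] not in wanted:
                continue
            rid = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]["ResourceId"]
            matches.setdefault(rid, []).append(ev)
    kept = []
    for resource in resources:
        hits = matches.get(resource[id_key])
        if hits:
            kept.append({**resource, "c7n:config-compliance": hits})
    return kept


def non_compliant_instance_ids() -> List[str]:
    """The page's ec2-remediate-non-compliant filter run over the constructed data."""
    kept = config_compliance_filter(SAMPLE_INSTANCES,
                                    ["my_other_config_rule", "some_other_rule"],
                                    ["NON_COMPLIANT"], SAMPLE_EVALUATIONS)
    return sorted(r["InstanceId"] for r in kept)
```

Note that a resource Config has never evaluated (`i-0ddd444`) can never match, whatever states you list; if you want to catch "not yet evaluated" resources you need a different filter, not a compliance state.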
Config Poll Rule
For resources not supported natively by AWS Config, an execution mode of `type: config-poll-rule` can be used for any resource supported by CloudFormation. This is effectively a periodic policy that queries the resource's service API, filters resources to evaluate compliance/non-compliance, and then records the results to AWS Config. CloudFormation resources are only partially supported by AWS Config: they cannot be used with `source: config`, and they do not support the resource timeline or resource attributes. Because the Lambda must enumerate the resources itself and report back to Config, the `role` needs the service describe/list permissions for the resource type as well as `config:PutEvaluations`.
```yaml
policies:
  - name: kinesis-one-stream
    resource: aws.kinesis
    mode:
      type: config-poll-rule
      role: custodian-config-role
      schedule: Three_Hours
    filters:
      - tag:App: Dev
```
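The two execution modes on this page, `config-rule` (Config delivers a changed configuration item) and `config-poll-rule` (a scheduled trigger, after which the Lambda enumerates resources itself), are the two invocation shapes of a custom Config rule. The handler below is an added example of that contract, not Cloud Custodian's Lambda code: the `invokingEvent` layout, the `messageType` values and the `put_evaluations` call are the standard custom-rule interface, while the `tag:App: Dev` check, the sample streams and events, and the recording client are constructed for the example.

```python
"""Custom Config rule Lambda handler serving both invocation shapes discussed above.
Added example, not Cloud Custodian's lambda: the invokingEvent layout, messageType
values and the put_evaluations call are the standard AWS custom-rule contract; the
check, sample events and recording client are constructed for this example."""
import json
from typing import Callable, List, Optional

PUT_EVALUATIONS_BATCH = 100  # PutEvaluations accepts at most 100 evaluations per call


def has_tag(resource: dict, key: str, value: str) -> bool:
    """The page's 'tag:App: Dev' filter over describe-shaped Tags [{Key, Value}]."""
    return any(t.get("Key") == key and t.get("Value") == value
               for t in resource.get("Tags", []))


def config_item_to_resource(item: dict) -> dict:
    """Flatten a configurationItem toward describe shape (tags only; Custodian
    normalizes every field, which is the page's point about source: config)."""
    resource = dict(item.get("configuration") or {})
    resource["Tags"] = [{"Key": k, "Value": v} for k, v in (item.get("tags") or {}).items()]
    return resource


def handler(event: dict, config_client, matches: Callable[[dict], bool],
            list_resources: Optional[Callable[[], List[dict]]] = None,
            resource_type: str = "", id_key: str = "") -> List[dict]:
    """A resource that MATCHES the policy filters is reported NON_COMPLIANT."""
    invoking = json.loads(event["invokingEvent"])
    message_type = invoking["messageType"]
    evaluations: List[dict] = []
    if message_type == "ConfigurationItemChangeNotification":
        # config-rule mode: Config delivers the changed item, nothing to query.
        item = invoking["configurationItem"]
        if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
            compliance = "NOT_APPLICABLE"  # a deleted resource must not linger as NON_COMPLIANT
        else:
            compliance = "NON_COMPLIANT" if matches(config_item_to_resource(item)) else "COMPLIANT"
        evaluations.append({"ComplianceResourceType": item["resourceType"],
                            "ComplianceResourceId": item["resourceId"],
                            "ComplianceType": compliance,
                            "OrderingTimestamp": item["configurationItemCaptureTime"]})
    elif message_type == "ScheduledNotification":
        # config-poll-rule mode: periodic trigger, enumerate via the service API ourselves.
        if list_resources is None:
            raise ValueError("ScheduledNotification requires list_resources")
        stamp = invoking["notificationCreationTime"]
        for resource in list_resources():
            evaluations.append({"ComplianceResourceType": resource_type,
                                "ComplianceResourceId": resource[id_key],
                                "ComplianceType": "NON_COMPLIANT" if matches(resource) else "COMPLIANT",
                                "OrderingTimestamp": stamp})
    else:
        raise ValueError(f"unsupported messageType: {message_type}")
    # Report in batches; resultToken ties the report to this invocation.
    for start in range(0, len(evaluations), PUT_EVALUATIONS_BATCH):
        config_client.put_evaluations(Evaluations=evaluations[start:start + PUT_EVALUATIONS_BATCH],
                                      ResultToken=event["resultToken"])
    return evaluations


class RecordingConfigClient:
    """Stand-in for boto3's ConfigService client that records put_evaluations calls."""
    def __init__(self) -> None:
        self.calls: List[dict] = []

    def put_evaluations(self, Evaluations: List[dict], ResultToken: str) -> dict:
        self.calls.append({"Evaluations": list(Evaluations), "ResultToken": ResultToken})
        return {"FailedEvaluations": []}


# Constructed sample data for the page's kinesis-one-stream policy.
SAMPLE_STREAMS: List[dict] = [
    {"StreamName": "orders-dev", "Tags": [{"Key": "App", "Value": "Dev"}]},
    {"StreamName": "orders-prod", "Tags": [{"Key": "App", "Value": "Prod"}]},
    {"StreamName": "untagged"},
]
SCHEDULED_EVENT = {"resultToken": "constructed-token", "invokingEvent": json.dumps(
    {"messageType": "ScheduledNotification", "notificationCreationTime": "2024-01-01T00:00:00.000Z"})}
CHANGE_EVENT = {"resultToken": "constructed-token", "invokingEvent": json.dumps(
    {"messageType": "ConfigurationItemChangeNotification", "configurationItem": {
        "resourceType": "AWS::Kinesis::Stream", "resourceId": "orders-dev",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:05:00.000Z",
        "tags": {"App": "Dev"}, "configuration": {"streamName": "orders-dev"}}})}


def is_dev(resource: dict) -> bool:
    return has_tag(resource, "App", "Dev")


def run_poll(streams: List[dict] = SAMPLE_STREAMS):
    """config-poll-rule path: returns (evaluations, client) for inspection."""
    client = RecordingConfigClient()
    evaluations = handler(SCHEDULED_EVENT, client, is_dev, list_resources=lambda: streams,
                          resource_type="AWS::Kinesis::Stream", id_key="StreamName")
    return evaluations, client


def run_change():
    """config-rule path: a single configurationItem delivered by Config."""
    client = RecordingConfigClient()
    return handler(CHANGE_EVENT, client, is_dev), client
```

Two details matter in practice: the scheduled path must report COMPLIANT for every resource it enumerates, not only the matches, or Config never clears a resource that was fixed; and the batching loop is what keeps a large account from tripping the per-call evaluation limit.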