AWS Config

Custodian has deep integration with AWS Config. A Custodian policy:

  • Can be deployed as config-rule for any resource type supported by config.

  • Can use Config as the resource database instead of querying service describe APIs. Custodian supports server-side querying of resources with Config’s SQL expression language.

  • Can filter resources based on their compliance with one or more config rules.

  • Can be deployed as a config-poll-rule against any resource type supported by cloudformation.

Custodian does the legwork of normalizing the resource description from Config’s idiosyncratic format into one that looks like describe API call output, so policies can use Config with a simple change of source or execution mode.

Config Source

You can use Config as a CMDB of resources instead of doing describes by adding source: config to any policy on a resource type that Config supports. This also supports arbitrary SQL selects (via Config’s select resources API) on the resources, in addition to the standard Custodian filters.

policies:
  - name: dynamodb-checker
    resource: aws.dynamodb-table
    source: config
    query:
      - clause: "resourceId = 'MyTable'"
    filters:
      - SSEDescription: absent

Config Rule

Custodian is also one of the easiest ways of authoring custom Config rules. For any Config-supported resource, just add a mode with type: config-rule to have the policy deployed as a custom Config rule Lambda.

policies:
  - name: ec2-checker
    resource: aws.ec2
    mode:
      type: config-rule
      role: MyLambdaConfigRole
    filters:
      - type: image
        key: "tag:NotSupported"
        value: absent

Filter

Custodian also supports filtering resources based on their compliance with other Config rules.

policies:
  - name: ec2-remediate-non-compliant
    resource: aws.ec2
    filters:
      - type: config-compliance
        rules: [my_other_config_rule, some_other_rule]
        states: [NON_COMPLIANT]
    actions:
      - stop

Config Poll Rule

For resources not supported natively by AWS Config, an execution mode of type: config-poll-rule can be used for any resource supported by CloudFormation. This is effectively a periodic policy that queries the resource’s service API, filters resources to evaluate compliance or non-compliance, and then records the results to AWS Config. CloudFormation resources are only partially supported by AWS Config: they are not supported for source: config, and they do not support the resource timeline or resource attributes.

policies:
  - name: kinesis-one-stream
    resource: aws.kinesis
    mode:
      type: config-poll-rule
      role: custodian-config-role
      schedule: Three_Hours
    filters:
      - tag:App: Dev

For resource types with native AWS Config support, the config-rule mode is typically a better fit because it avoids running the policy when resources haven’t changed. For those resource types, config-poll-rule mode will raise an error like this by default:

custodian.commands:ERROR Policy: kinesis-one-stream is invalid: resource:aws.kinesis fully supported by config and should use mode: config-rule

Adding ignore_support_check: true to a policy’s mode block bypasses that error and forces config-poll-rule mode to be accepted.
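The two directions of the Config integration above, the config-compliance filter (Filter section) and the evaluations a config-rule or config-poll-rule policy writes back to Config, as an added illustration that is not Custodian's own code. It assumes the response shape of Config's GetComplianceDetailsByConfigRule and the request shape of PutEvaluations; the evaluation results and instances are constructed samples.

```python
from datetime import datetime, timezone

# Constructed sample of GetComplianceDetailsByConfigRule "EvaluationResults"
# for the two rules the config-compliance policy above names, plus one other.
SAMPLE_EVALUATIONS = [
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "my_other_config_rule",
        "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-0aaa"}},
     "ComplianceType": "NON_COMPLIANT"},
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "some_other_rule",
        "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-0bbb"}},
     "ComplianceType": "NON_COMPLIANT"},
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "some_other_rule",
        "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-0ccc"}},
     "ComplianceType": "COMPLIANT"},
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "unrelated_rule",
        "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-0ccc"}},
     "ComplianceType": "NON_COMPLIANT"},
]
# Constructed describe-style instances (the shape Custodian filters work on).
SAMPLE_INSTANCES = [{"InstanceId": i} for i in ("i-0aaa", "i-0bbb", "i-0ccc")]


def config_compliance_filter(resources, evaluations, rules, states,
                             id_key="InstanceId"):
    """Keep resources whose evaluation under any rule in `rules` has a
    ComplianceType listed in `states` (the filter's rules/states keys)."""
    wanted_rules, wanted_states = set(rules), set(states)
    matched = set()
    for ev in evaluations:
        q = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        if q["ConfigRuleName"] in wanted_rules and ev["ComplianceType"] in wanted_states:
            matched.add(q["ResourceId"])
    return [r for r in resources if r[id_key] in matched]


def build_evaluations(resources, matched, resource_type, when=None,
                      id_key="InstanceId"):
    """Build the Evaluations list a config-rule / config-poll-rule policy
    hands to PutEvaluations: resources the policy's filters matched are
    NON_COMPLIANT, the rest COMPLIANT. `when` is the OrderingTimestamp."""
    when = when or datetime.now(timezone.utc)
    matched_ids = {r[id_key] for r in matched}
    return [{"ComplianceResourceType": resource_type,
             "ComplianceResourceId": r[id_key],
             "ComplianceType": "NON_COMPLIANT" if r[id_key] in matched_ids else "COMPLIANT",
             "OrderingTimestamp": when} for r in resources]
```

In a deployed rule the returned list goes to Config's PutEvaluations together with the ResultToken the invocation carries.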