Basic concepts and terms

Cloud Custodian works with the following basic concepts, terms, and relationships between them.

Policy - c7n.policy

Defined in yaml, specifies a set of filters and actions to take on a given AWS resource type.

Resource - c7n.manager.ResourceManager

Provides for retrieval of a resource of a given type (typically via AWS API) and defines the vocabulary of filters and actions that can be used on those resources (e.g., ASG, S3, EC2, ELBs, etc).

With the addition of more cloud providers, resources should be prefixed with the appropriate provider (e.g. azure.vm, gcp.instance), except in the case of AWS resources, which do not require an aws. prefix for backwards compatibility.

Mode - c7n.policy (yes, policy)

Defines how the policy will execute (lambda, config rule, poll, etc). Policies run in pull mode by default.

mode:
  type: cloudtrail
  events:
    - RunInstances

Filters - c7n.filters

Given a set of resources, how we filter to the subset that we’re interested in operating on. The filtering language has some default behaviors across resource types, like value filtering with JMESPath expressions against the JSON representation of a resource, as well as specific filters for particular resource types (instance age, tag count, etc).

filters:
  - "tag:aws:autoscaling:groupName": absent
  - type: ebs
    key: Encrypted
    value: false
    skip-devices:
      - "/dev/sda1"
      - "/dev/xvda"
  - type: event
    key: "detail.userIdentity.sessionContext.sessionIssuer.userName"
    value: "SuperUser"
    op: ne

Actions - c7n.actions

A verb to use on a given resource, e.g. stop, start, suspend, delete, encrypt, etc.

actions:
  - type: tag
    key: c7n_status
    value: "Unencrypted EBS! Please recreate with Encryption"
  - type: terminate
    force: true
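
As an added illustration (not Cloud Custodian's own code), the following Python models how the three filters above narrow a set of constructed EC2 instances to the subset the actions then apply to. It assumes a simplified "any non-skipped volume matches" rule for the ebs filter and a hand-built event shape holding only the field the event filter reads.

```python
import operator

# Constructed sample EC2 instances in a simplified JSON-like shape (not real AWS
# API output); "Volumes" stands in for the attached-EBS data c7n would fetch.
INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Name", "Value": "web"}],
     "Volumes": [{"Device": "/dev/xvda", "Encrypted": False},
                 {"Device": "/dev/sdf", "Encrypted": False}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "asg-1"}],
     "Volumes": [{"Device": "/dev/sdf", "Encrypted": False}]},
    {"InstanceId": "i-0ccc", "Tags": [],
     "Volumes": [{"Device": "/dev/xvda", "Encrypted": False},
                 {"Device": "/dev/sdf", "Encrypted": True}]},
]
OPS = {"eq": operator.eq, "ne": operator.ne}

def make_event(user_name):
    """Constructed CloudTrail-style event holding only the field the filter reads."""
    return {"detail": {"userIdentity": {"sessionContext": {
        "sessionIssuer": {"userName": user_name}}}}}

def tag_absent(resource, tag_key):
    """'tag:<key>': absent -- true when no tag with that key is present."""
    return all(t["Key"] != tag_key for t in resource.get("Tags", []))

def ebs_match(resource, key, value, skip_devices=()):
    """type: ebs -- true if any volume not listed in skip-devices has key == value."""
    return any(vol.get(key) == value for vol in resource["Volumes"]
               if vol["Device"] not in skip_devices)

def event_match(event, key, value, op="eq"):
    """type: event -- resolve the dotted key path into the event, then compare."""
    node = event
    for part in key.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return OPS[op](node, value)

def select(resources, event):
    """Filters are ANDed: keep only resources passing all three page filters."""
    actor = "detail.userIdentity.sessionContext.sessionIssuer.userName"
    if not event_match(event, actor, "SuperUser", op="ne"):
        return []  # the RunInstances call came from SuperUser: exempt
    return [r for r in resources
            if tag_absent(r, "aws:autoscaling:groupName")
            and ebs_match(r, "Encrypted", False, ("/dev/sda1", "/dev/xvda"))]

def plan(resources, event):
    """Pair each selected instance with the page's actions, in order: tag, then terminate."""
    return [(r["InstanceId"], ["tag", "terminate"]) for r in select(resources, event)]
```

Only i-0aaa is selected: i-0bbb carries the autoscaling tag, and i-0ccc's sole unencrypted volume sits on a skipped root device.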