A Watchman for Your Cloud that never sleeps, and it’s free!

Cloud Custodian is an open-source project — free to use.

Cloud Custodian evaluates each policy's filters against your cloud resources and, whenever a resource matches, runs the actions the policy defines. Organizations run multi-cloud environments with hundreds of accounts and several hundred employees across the globe, all continuously working on the next big thing. At that speed, the security team has to move fast enough to keep adequate administrative and technical controls in place so that visibility, transparency, security, compliance, and operational concerns in the cloud are covered continuously.

policies:
  - name: aws-existing-sg-wide-open-remediate
    resource: aws.security-group
    comment: |
      Identify existing security groups that allow unrestricted
      access.
    filters:
      - or:
          - type: ingress
            Cidr:
              value: "0.0.0.0/0"
          - type: ingress
            Cidr:
              value: "::/0"
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/{account_id}/
    actions:
      - type: remove-permissions
        ingress: matched
policies:
  - name: aws-oncreation-sg-wide-open-remediate
    resource: aws.security-group
    comment: |
      Identify and remove the permissions of newly created security
      groups that allow unrestricted access for both IPv4 and IPv6.
      The policy takes action only on the matching ingress CIDR.
    filters:
      - or:
          - type: ingress
            Cidr:
              value: "0.0.0.0/0"
          - type: ingress
            Cidr:
              value: "::/0"
    mode:
      type: cloudtrail
      events:
        - source: ec2.amazonaws.com
          event: AuthorizeSecurityGroupIngress
          ids: "requestParameters.groupId"
        - source: ec2.amazonaws.com
          event: AuthorizeSecurityGroupEgress
          ids: "requestParameters.groupId"
        - source: ec2.amazonaws.com
          event: RevokeSecurityGroupEgress
          ids: "requestParameters.groupId"
        - source: ec2.amazonaws.com
          event: RevokeSecurityGroupIngress
          ids: "requestParameters.groupId"
      execution-options:
        output_dir: s3://s3bucket/{account_id}/
    actions:
      - type: remove-permissions
        ingress: matched
policies:
  - name: aws-s3-public-bucket-remediate
    resource: aws.s3
    comment: |
      Identify all existing S3 buckets that are accessible to the
      public. Remove the global grant permissions from the bucket
      (READ, WRITE, WRITE_ACP, READ_ACP, FULL_CONTROL).
    filters:
      - type: global-grants
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/{account_id}/
    actions:
      - type: delete-global-grants
policies:
  - name: aws-s3-public-bucket-remediate-aes256
    resource: aws.s3
    comment: |
      Identify all existing S3 buckets that are not encrypted.
      Enable bucket encryption using AWS server-side encryption.
      By default, the action uses SSE-S3 with AES256.
    filters:
      - type: bucket-encryption
        state: False
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/{account_id}/
    actions:
      - type: set-bucket-encryption
policies:
  - name: aws-s3-public-bucket-remediate-kms-alias
    resource: aws.s3
    comment: |
      Identify all existing S3 buckets that are not encrypted.
      Enable bucket encryption using AWS server-side encryption
      with a KMS key referenced by alias.
    filters:
      - type: bucket-encryption
        state: False
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/{account_id}/
    actions:
      - type: set-bucket-encryption
        enabled: true
        crypto: aws:kms
        key: alias/example/aladdin/key
        bucket-key: true
policies:
  - name: aws-elb-internet-facing-remediate
    resource: aws.elb
    comment: |
      Identify and delete newly created internet-facing classic
      elastic load balancers. This policy does not touch existing
      elastic load balancers.
    filters:
      - type: event
        key: "detail.requestParameters.scheme"
        op: eq
        value: "internet-facing"
    mode:
      type: cloudtrail
      events:
        - CreateLoadBalancer
      execution-options:
        output_dir: s3://s3bucket/{account_id}/
    actions:
      - type: delete
policies:
  - name: aws-rds-unencrypted-public-remediate
    resource: aws.rds
    comment: |
      Identify and delete newly created RDS database instances that
      are not encrypted or are accessible to the public.
      skip-snapshot: true deletes the instance without taking a
      final snapshot.
    filters:
      - or:
          - StorageEncrypted: false
          - PubliclyAccessible: true
    mode:
      type: cloudtrail
      events:
        - CreateDBInstance
      execution-options:
        output_dir: s3://s3bucket/{account_id}/
    actions:
      - type: delete
        skip-snapshot: true
policies:
  - name: aws-vpc-flow-logs-disabled-remediate
    resource: aws.vpc
    comment: |
      Identify all existing VPCs that do not have flow logs enabled.
      Enable VPC flow logs delivered to the given CloudWatch Logs
      group using the given IAM role.
    filters:
      - type: flow-logs
        enabled: false
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/{account_id}/
    actions:
      - type: set-flow-log
        DeliverLogsPermissionArn: arn:iam:role-aladdin
        LogGroupName: /custodian/vpc/flowlogs
policies:
  - name: aws-redshift-public-remediate
    resource: aws.redshift
    comment: |
      Identify all existing Redshift clusters that are accessible
      to the public. Modify the configuration to make them private.
    filters:
      - PubliclyAccessible: true
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/{account_id}/
    actions:
      - type: set-public-access
        state: false
policies:
  - name: aws-ebs-unencrypted-remediate
    resource: aws.ebs
    comment: |
      Identify all existing EBS volumes that are not encrypted.
      Modify the configuration to encrypt the volumes.
    filters:
      - Encrypted: false
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/{account_id}/
    actions:
      - type: encrypt-instance-volumes
        key: alias/encrypted
policies:
  - name: aws-sns-unencrypted-remediate
    resource: aws.sns
    comment: |
      Identify all existing SNS topics that are not encrypted.
      Modify the configuration to encrypt the topic with a KMS key.
    filters:
      - type: value
        key: Attribute.KmsMasterKeyId
        op: eq
        value: null
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/{account_id}/
    actions:
      - type: set-encryption
        key: alias/cmk/key
        enabled: true
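Before switching the security-group policies above from reporting to auto-remediation, it helps to see exactly what the filter would match and what the event-driven mode would act on. The following is an added example, not Cloud Custodian's own code: a simplified, independent model of the wide-open ingress filter and of the `ids: requestParameters.groupId` lookup, run against constructed sample data so it works offline.

```python
"""Dry-run model of the wide-open security-group policy (added example, not
Cloud Custodian code). It resolves the group id the cloudtrail mode pulls from an
AuthorizeSecurityGroupIngress event and lists the ingress rules that carry an
unrestricted IPv4 or IPv6 range, i.e. what `remove-permissions` would target."""
from functools import reduce
from typing import Any

WIDE_OPEN = {"0.0.0.0/0", "::/0"}  # the two CIDRs the policy's `or` filter matches


def lookup(obj: dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted path such as 'requestParameters.groupId' (the `ids` key)."""
    return reduce(lambda cur, key: cur.get(key) if isinstance(cur, dict) else None,
                  dotted.split("."), obj)


def matched_ingress(group: dict[str, Any]) -> list[dict[str, Any]]:
    """Return each ingress permission that has a wide-open range, together with
    the offending CIDRs. A rule that mixes 0.0.0.0/0 with an internal range is
    reported whole, so review such rules before enabling the remediation action."""
    hits = []
    for perm in group.get("IpPermissions", []):
        open_cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])
                      if r.get("CidrIp") in WIDE_OPEN]
        open_cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                       if r.get("CidrIpv6") in WIDE_OPEN]
        if open_cidrs:
            hits.append({"permission": perm, "open_cidrs": open_cidrs})
    return hits


# Constructed sample data (not captured from a real account).
SAMPLE_EVENT = {"eventSource": "ec2.amazonaws.com",
                "eventName": "AuthorizeSecurityGroupIngress",
                "requestParameters": {"groupId": "sg-0123456789abcdef0"}}
SAMPLE_GROUP = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}

if __name__ == "__main__":
    print("group id from event:", lookup(SAMPLE_EVENT, "requestParameters.groupId"))
    for hit in matched_ingress(SAMPLE_GROUP):
        print("would be revoked:", hit["permission"]["FromPort"], hit["open_cidrs"])
```

Only the port 22 and 443 rules are reported; the port 5432 rule restricted to 10.0.0.0/8 is left alone, which is the behaviour you want to confirm before the policy runs with `actions` enabled.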

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT


Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.