Dashboard for Cloud Custodian

An alternate method to get the visuals and build your own dashboards

After using Cloud Custodian for over four years, we can all agree that it is missing one prominent feature: a dashboard. Cloud Custodian has no front end or GUI where you can easily navigate findings, get a single-pane-of-glass view of all your accounts across the public cloud providers, check policy health, display charts, and build the guidance that tells the story to management. Because of this gap, users have to integrate with native or third-party tools. We know how powerful Cloud Custodian is, with all of its execution modes, filters, and actions. Because it is serverless, running Cloud Custodian is very cheap. Every organization's environment and configuration differ, but as a rough figure the monthly cost to run about 200 policies is less than $100 (depending on how frequently they run).

Cloud Custodian is an open-source, Python-based serverless tool

In this story, I will walk through the high-level architecture of the Cloud Custodian and Sumo Logic setup that lets us ingest the Custodian logs and write queries to find non-compliant resources, check policy health, and draw dashboards.

Example: identify publicly accessible AWS Redshift clusters

    policies:
      - name: redshift-cluster-publicly-accessible
        resource: aws.redshift
        comments: |
          Find Redshift clusters that are publicly accessible. This is a
          notify-only policy. The policy runs once every 24 hours.
        filters:
          - "tag:redshift-publicly-accessible-exempt": absent
          - PubliclyAccessible: true
        mode:
          type: periodic
          schedule: "rate(24 hours)"
          execution-options:
            output_dir: s3://s3bucket/cclogs/{account_id}/
          runtime: python3.8
        actions:
          - type: delete
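The point of shipping the run output to an S3 output_dir is that the findings and the run history can then be turned into the two views the post wants from a dashboard: non-compliant resources per account and policy, and policy health (did the periodic policy actually run when it was scheduled to?). The block below is an added example, not code from the original post or from the Cloud Custodian project. It assumes that each policy run writes a resources.json (the resources that matched the filters) beside a metadata.json, and it assumes a key layout of `cclogs/<account_id>/<policy_name>/<run_timestamp>/<file>` under the output_dir; the objects, timestamp format and resource records are constructed samples standing in for an S3 listing.

```python
"""Turn Cloud Custodian run output into dashboard-ready summaries.

Added example; not part of the original post and not Cloud Custodian code.
Assumptions: each policy run writes resources.json (matched, i.e.
non-compliant, resources) beside metadata.json under the output_dir, and
keys follow the assumed layout cclogs/<account>/<policy>/<run_ts>/<file>.
SAMPLE_OBJECTS is a constructed stand-in for an S3 listing.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed key layout for output_dir s3://s3bucket/cclogs/{account_id}/
KEY_RE = re.compile(
    r"^cclogs/(?P<account>\d{12})/(?P<policy>[^/]+)/(?P<ts>\d{8}T\d{6}Z)/(?P<file>[^/]+)$"
)

POLICY = "redshift-cluster-publicly-accessible"

# Constructed sample objects (key -> body). Account ids and cluster names are made up.
SAMPLE_OBJECTS = {
    f"cclogs/111111111111/{POLICY}/20230101T000000Z/resources.json": json.dumps([
        {"ClusterIdentifier": "analytics-1", "PubliclyAccessible": True},
        {"ClusterIdentifier": "analytics-2", "PubliclyAccessible": True},
    ]),
    f"cclogs/111111111111/{POLICY}/20230101T000000Z/metadata.json": json.dumps(
        {"policy": {"name": POLICY, "resource": "aws.redshift"}}
    ),
    # An older run for the same account: only the newest run should be reported.
    f"cclogs/111111111111/{POLICY}/20221230T000000Z/resources.json": json.dumps([
        {"ClusterIdentifier": "analytics-1", "PubliclyAccessible": True},
        {"ClusterIdentifier": "analytics-2", "PubliclyAccessible": True},
        {"ClusterIdentifier": "analytics-3", "PubliclyAccessible": True},
    ]),
    # A second account whose last run is a week old: a policy-health problem.
    f"cclogs/222222222222/{POLICY}/20221225T000000Z/resources.json": json.dumps([]),
    f"cclogs/222222222222/{POLICY}/20221225T000000Z/metadata.json": json.dumps(
        {"policy": {"name": POLICY, "resource": "aws.redshift"}}
    ),
}


def parse_timestamp(ts):
    """Parse the assumed run-directory timestamp (e.g. 20230101T000000Z) as UTC."""
    return datetime.strptime(ts, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def latest_runs(objects):
    """Map (account, policy) -> newest run: ran_at, resource type, matched resources."""
    runs = {}
    for key, body in objects.items():
        m = KEY_RE.match(key)
        if not m or m.group("file") != "resources.json":
            continue
        pair = (m.group("account"), m.group("policy"))
        ran_at = parse_timestamp(m.group("ts"))
        if pair in runs and runs[pair]["ran_at"] >= ran_at:
            continue  # an older run for this account/policy; ignore it
        # Sibling metadata.json (if present) carries the policy definition.
        meta_key = key[: -len("resources.json")] + "metadata.json"
        meta = json.loads(objects.get(meta_key, "{}"))
        runs[pair] = {
            "ran_at": ran_at,
            "resource": meta.get("policy", {}).get("resource"),
            "resources": json.loads(body),
        }
    return runs


def noncompliance_rows(runs, id_field="ClusterIdentifier"):
    """One findings row per account/policy: count of matched resources and their ids."""
    rows = []
    for (account, policy), run in sorted(runs.items()):
        rows.append({
            "account": account,
            "policy": policy,
            "resource": run["resource"],
            "noncompliant": len(run["resources"]),
            "ids": [r.get(id_field) for r in run["resources"]],
        })
    return rows


def stale_policies(runs, now, max_age):
    """Policy-health check: pairs whose newest run is older than max_age."""
    return sorted(pair for pair, run in runs.items() if now - run["ran_at"] > max_age)


def health_report(objects, now_ts, max_age_hours):
    """Stale account/policy pairs, taking 'now' in the same assumed timestamp format."""
    return stale_policies(latest_runs(objects), parse_timestamp(now_ts),
                          timedelta(hours=max_age_hours))


if __name__ == "__main__":
    for row in noncompliance_rows(latest_runs(SAMPLE_OBJECTS)):
        print(row)
    # The policy runs on rate(24 hours); allow some slack before flagging it as stale.
    print("stale:", health_report(SAMPLE_OBJECTS, "20230101T120000Z", 36))
```

The staleness threshold is deliberately wider than the `rate(24 hours)` schedule so that a single delayed Lambda invocation does not raise a false alarm; a policy that has not reported for 36 hours, on the other hand, is a real gap in coverage that a findings-only dashboard would never show, because an absent run produces no findings at all.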

Different Components

The basic components of Cloud Custodian, depending on your implementation, are Lambda functions, CloudWatch log groups, and CloudWatch Events rules. First, you write a policy in YAML, as in the example above, to identify publicly accessible Redshift clusters. When you deploy the policy to the AWS account, the real magic happens. It creates the lambda…


Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security, including information assurance, compliance, and risk management.