Turn your AWS resources on and off using Cloud Custodian

```yaml
policies:
  - name: csp-na-ec2-off-hours-stop
    resource: aws.ec2
    comments: |
      The policy applies only to EC2 instances that are at least
      1 hour old and carry the tag "c7n_off_hours". Tag your EC2
      instance with the key "c7n_off_hours" for Custodian to
      consider it in scope for action. The value can be anything;
      Custodian only looks for the key to decide whether the
      instance is in scope for offhours. Stops EC2 instances as per
      the schedule in c7n_off_hours, that is 0 UTC = 6PM CST.
    filters:
      - "tag:c7n_do_not_shut_down": absent
      - "tag:aws:autoscaling:groupName": absent
      - type: offhour
        default_tz: "utc"
        offhour: 0
        tag: c7n_off_hours  # Use this tag to be included in scope
      - type: instance-age
        hours: 1
    mode:
      type: periodic
      schedule: "rate(60 minutes)"
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:
      - stop
```
```yaml
policies:
  - name: csp-na-ec2-off-hours-start
    resource: aws.ec2
    comments: |
      Tag your EC2 instance with the key "c7n_off_hours" for
      Custodian to consider it in scope for action. The value can be
      anything; Custodian only looks for the key to decide whether
      the instance is in scope for offhours. Starts EC2 instances as
      per the schedule in c7n_off_hours, that is 12 UTC = 6AM CST.
    filters:
      - "tag:c7n_do_not_shut_down": absent
      - "tag:aws:autoscaling:groupName": absent
      - type: onhour
        default_tz: "utc"
        onhour: 12
        tag: c7n_off_hours  # Use this tag to be included in scope
    mode:
      type: periodic
      schedule: "rate(60 minutes)"
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:
      - start
      - type: notify
        template: default.html  # Using a Jinja template
        template_format: 'html'
        priority_header: '1'
        subject: "Started {{ policy['resource'] }} as per defined c7n offhours - {{account}} {{region}} via {{policy['name']}}"
        action_desc: |
          Custodian has started the EC2 instance based on the defined
          c7n offhours.
        to:
          - first.last@example.com
        transport:
          type: sqs
          queue: https://sqs.{{region}}.amazonaws.com/{{account_id}}/c7nmailermessagequeue
```
```yaml
vars:
  sec-tags: &sec-tags
    owner: distro@example.com
    service: cloudcustodian
    department: music
    compliance: ABCD
policies:
  - name: csp-na-ec2-off-hours-enforcement
    resource: aws.ec2
    comments: |
      Opt in EC2 instances that have no c7n_off_hours tag by tagging
      them, so the stop/start policies above pick them up.
    filters:
      - "tag:c7n_off_hours": absent
      - "tag:aws:autoscaling:groupName": absent
    mode:
      type: periodic
      schedule: "rate(24 hours)"
      tags: *sec-tags  # Tags applied to the policy's Lambda function
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:
      - type: tag
        key: c7n_off_hours
        value: "on"
```
```yaml
policies:
  - name: csp-na-vuln-scanner-off-hours-stop
    resource: aws.ec2
    comments: |
      Stop EC2 instances every Thursday evening at 6:00 PM (CST).
      Tag the instance with key "vuln_offhours" and value
      "off=(H,18);on=(H,8);tz=ct" if you want this policy to be
      applied to your instance and take action. The instance will
      be turned on for 10 hrs for the vulnerability scanner to
      start and complete the vulnerability scanning. Time zone is ct.
    filters:
      - "tag:c7n_do_not_shut_down": absent
      - "tag:aws:autoscaling:groupName": absent
      - type: offhour
        default_tz: ct
        offhour: 18
        opt-out: false
        tag: vuln_offhours  # Use this tag to be included in scope
    mode:
      type: periodic
      schedule: "rate(60 minutes)"
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:
      - stop
      - type: notify
        template: default.html  # Using a Jinja template
        template_format: 'html'
        priority_header: '1'
        subject: "Stopped {{ policy['resource'] }} as per defined vuln offhours - {{account}} {{region}} via {{policy['name']}}"
        action_desc: |
          Custodian has stopped the EC2 instance based on the defined
          Nessus offhours.
        to:
          - first.last@example.com
        transport:
          type: sqs
          queue: https://sqs.{{region}}.amazonaws.com/{{account_id}}/c7nmailermessagequeue
```
```yaml
policies:
  - name: csp-na-vuln-scanner-off-hours-start
    resource: aws.ec2
    comments: |
      Start EC2 instances every Thursday at 8:00 AM (CST).
      Tag the instance with key "vuln_offhours" and value
      "off=(H,18);on=(H,8);tz=ct" if you want this policy to be
      applied and take action. The instance will be turned on for
      10 hrs for the vuln scanner to start and complete the
      vulnerability scanning. Time zone is ct.
    filters:
      - "tag:c7n_do_not_shut_down": absent
      - "tag:aws:autoscaling:groupName": absent
      - type: onhour
        default_tz: ct
        opt-out: false
        onhour: 8
        tag: vuln_offhours  # Use this tag to be included in scope
    mode:
      type: periodic
      schedule: "rate(60 minutes)"
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:
      - start
      - type: notify
        template: default.html  # Using a Jinja template
        template_format: 'html'
        priority_header: '1'
        subject: "Started {{ policy['resource'] }} as per defined c7n offhours - {{account}} {{region}} via {{policy['name']}}"
        action_desc: |
          Custodian has started the EC2 instance based on the defined
          c7n offhours.
        to:
          - first.last@example.com
        transport:
          type: sqs
          queue: https://sqs.{{region}}.amazonaws.com/{{account_id}}/c7nmailermessagequeue
```
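As an added example (not from the original post and not Cloud Custodian's own code), the Python below parses the `vuln_offhours` tag value format used in the two scanner policies above, `off=(H,18);on=(H,8);tz=ct`, and reports what an hourly policy run would do with an instance carrying that tag at a given weekday and hour. It is a simplified reimplementation of the tag schedule syntax, assumes the caller has already converted the current time to the tag's `tz`, and does not cover a bare value such as "on" that falls back to the policy's default hours.

```python
import re

# c7n offhours day letters M T W H F S U (Monday..Sunday), mapped onto
# Python's datetime.weekday() numbering (Monday = 0, Sunday = 6).
DAYS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "S": 5, "U": 6}
# One (DAYS,HOUR) window such as "(H,18)"; a bracketed list like
# "[(M-F,18),(S,8)]" simply yields several matches.
WINDOW_RE = re.compile(r"\(([MTWHFSU,\-]+),\s*(\d{1,2})\)")

def expand_days(spec):
    """'H' -> {3}; 'M-F' -> {0, 1, 2, 3, 4}; 'M,W' -> {0, 2}."""
    out = set()
    for part in spec.split(","):
        if "-" in part:
            start, end = part.split("-")
            out.update(range(DAYS[start], DAYS[end] + 1))
        else:
            out.add(DAYS[part])
    return out

def parse_offhours_tag(value):
    """Parse 'off=(H,18);on=(H,8);tz=ct' into off/on windows plus tz."""
    sched = {"off": [], "on": [], "tz": None}
    for item in value.split(";"):
        key, _, val = item.strip().partition("=")
        if key == "tz":
            sched["tz"] = val.strip()
        elif key in ("off", "on"):
            windows = WINDOW_RE.findall(val)
            if not windows:
                raise ValueError(f"no (DAYS,HOUR) window in {item!r}")
            sched[key] = [(expand_days(d), int(h)) for d, h in windows]
        else:
            raise ValueError(f"unknown key {key!r} in offhours tag")
    return sched

def in_window(windows, weekday, hour):
    """True when weekday/hour (already in the tag's tz) hits a listed day
    at exactly the listed hour, i.e. the hourly run that would act."""
    return any(weekday in days and hour == h for days, h in windows)

def action_for(tag_value, weekday, hour):
    """'stop', 'start' or None for an instance carrying tag_value."""
    sched = parse_offhours_tag(tag_value)
    if in_window(sched["off"], weekday, hour):
        return "stop"
    if in_window(sched["on"], weekday, hour):
        return "start"
    return None
```

Because both scanner policies run every 60 minutes, an instance is only acted on during the single hourly run whose local hour equals the tag's `off` or `on` hour; any other hour returns `None`.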
```yaml
policies:
  - name: csp-n-ec2-running-for-last-7-days
    resource: aws.ec2
    comments: |
      Find all EC2 instances that have been in the running state for
      the last 7 days. This is a notify-only policy. It runs every day
      at 6:00 AM UTC (1:00 AM CDT).
    filters:
      - "State.Name": running
      - type: instance-age
        days: 7
    mode:
      type: periodic
      schedule: "cron(0 6 * * ? *)"
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:
      - type: notify
        # The remainder of this notify block (to, transport) is cut off
        # on the original page; see the earlier policies for the full form.
```

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT