Turn your AWS resources on and off using Cloud Custodian
Automatically turn your AWS EC2 instances on and off
Cloud Custodian is an open-source tool from Capital One, written in Python, that comprises many tools and scripts. It is a powerful tool that lets you put guardrails in place in real time. It is serverless (the code runs as a Lambda function) and requires no agent. It lets you define your own rules, an approach also referred to as "Policy as Code".
In this story, we will discuss how Cloud Custodian helps us save money: it automatically turns EC2 instances off every night or weekend and turns them back on every morning. The examples below cover a few scenarios.
# 1 — EC2 off-hours stop

```yaml
policies:
  - name: csp-na-ec2-off-hours-stop
    resource: aws.ec2
    comments: |
      The policy will apply only to those EC2 instances that are
      at least 1 hour old and include the tag "c7n_off_hours". Tag
      your EC2 instance with Key "c7n_off_hours" for Custodian to
      consider it in scope for action. Value can be anything.
      Custodian just looks for the "Key" to consider it in scope for
      offhours. Stop EC2 instances as per the schedule in c7n_off_hours,
      that is 0 UTC = 6PM CST.
    filters:
      - "tag:c7n_do_not_shut_down": absent
      - "tag:aws:autoscaling:groupName": absent
      - type: offhour
        default_tz: "utc"
        offhour: 0
        tag: c7n_off_hours   # Use this tag to be included in scope
      - type: instance-age
        hours: 1
    mode:
      type: periodic
      schedule: "rate(60 minutes)"
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:   # the schema key is "actions", not "action"
      - stop
```
# 2 — EC2 off-hours start

```yaml
policies:
  - name: csp-na-ec2-off-hours-start
    resource: aws.ec2
    comments: |
      Tag your EC2 with Key "c7n_off_hours" for Custodian to consider
      it in scope for action. Value can be anything. Custodian just
      looks for the "Key" to consider it in scope for offhours. Start
      EC2 instances as per the schedule in c7n_off_hours, that is 12 UTC =
      6AM CST.
    filters:
      - "tag:c7n_do_not_shut_down": absent
      - "tag:aws:autoscaling:groupName": absent
      - type: onhour
        default_tz: "utc"
        onhour: 12
        tag: c7n_off_hours   # Use this tag to be included in scope
    mode:
      type: periodic
      schedule: "rate(60 minutes)"
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:
      - start
      - type: notify
        template: default.html   # Using jinja template
        template_format: 'html'
        priority_header: '1'
        subject: "Started {{ policy['resource'] }} as per defined c7n offhours- {{account}} {{region}} via {{policy['name']}}"
        action_desc: |
          Custodian has started the EC2 instance based on the defined
          c7n offhours.
        to:
          - first.last@example.com
        transport:
          type: sqs
          queue: https://sqs.{{region}}.amazonaws.com/{{account_id}}/c7nmailermessagequeue
```
# 3 — EC2 off-hours enforcement

```yaml
vars:
  sec-tags: &sec-tags
    owner: distro@example.com
    service: cloudcustodian
    department: music
    compliance: ABCD

policies:
  - name: csp-na-ec2-off-hours-enforcement
    resource: aws.ec2
    comments: |
      Opt in EC2 instances without a c7n_off_hours tag.
    filters:
      - "tag:c7n_off_hours": absent
      - "tag:aws:autoscaling:groupName": absent
    mode:
      type: periodic
      schedule: "rate(24 hours)"
      tags: *sec-tags   # tags applied to the policy's Lambda function
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:
      - type: tag
        key: c7n_off_hours
        value: "on"
```
# 4 — Stop EC2 every Thursday evening at 6 PM (once the vulnerability scanner has finished its scanning job)

```yaml
policies:
  - name: csp-na-vuln-scanner-off-hours-stop
    resource: aws.ec2
    comments: |
      Stop EC2 instances every Thursday evening at 6:00 PM (CST).
      Tag the instance with key "vuln_offhours" and value
      "off=(H,18);on=(H,8);tz=ct" if you want this policy to be
      applied to your instance and take action. The instance will be
      turned on for 10 hrs for the vulnerability scanner to start and
      complete the vulnerability scanning. Time zone is ct.
    filters:
      - "tag:c7n_do_not_shut_down": absent
      - "tag:aws:autoscaling:groupName": absent
      - type: offhour
        default_tz: ct
        offhour: 18
        opt-out: false
        tag: vuln_offhours   # Use this tag to be included in scope
    mode:
      type: periodic
      schedule: "rate(60 minutes)"
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:
      - stop
      - type: notify
        template: default.html   # Using jinja template
        template_format: 'html'
        priority_header: '1'
        subject: "Stopped {{ policy['resource'] }} as per defined vuln offhours- {{account}} {{region}} via {{policy['name']}}"
        action_desc: |
          Custodian has stopped the EC2 instance based on the defined
          nessus offhours.
        to:
          - first.last@example.com
        transport:
          type: sqs
          queue: https://sqs.{{region}}.amazonaws.com/{{account_id}}/c7nmailermessagequeue
```
# 5 — Start EC2 every Thursday at 8 AM for the vulnerability scanner

```yaml
policies:
  - name: csp-na-vuln-scanner-off-hours-start
    resource: aws.ec2
    comments: |
      Start EC2 instances every Thursday at 8:00 AM (CST).
      Tag the instance with key "vuln_offhours" and value
      "off=(H,18);on=(H,8);tz=ct" if you want this policy to be
      applied and take action. The instance will be turned on for 10
      hrs for the vuln scanner to start and complete the vulnerability
      scanning. Time zone is ct.
    filters:
      - "tag:c7n_do_not_shut_down": absent
      - "tag:aws:autoscaling:groupName": absent
      - type: onhour
        default_tz: ct
        opt-out: false
        onhour: 8
        tag: vuln_offhours   # Use this tag to be included in scope
    mode:
      type: periodic
      schedule: "rate(60 minutes)"
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:
      - start
      - type: notify
        template: default.html   # Using jinja template
        template_format: 'html'
        priority_header: '1'
        subject: "Started {{ policy['resource'] }} as per defined c7n offhours- {{account}} {{region}} via {{policy['name']}}"
        action_desc: |
          Custodian has started the EC2 instance based on the defined
          c7n offhours.
        to:
          - first.last@example.com
        transport:
          type: sqs
          queue: https://sqs.{{region}}.amazonaws.com/{{account_id}}/c7nmailermessagequeue
```
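To make the tag value used by the two vuln_offhours policies concrete, here is an added Python example (not from the original post and not Cloud Custodian's own code): a small evaluator that parses a schedule such as off=(H,18);on=(H,8);tz=ct and answers whether a given hourly run should stop or start the instance. It goes slightly beyond the page by also accepting the day ranges and lists the syntax allows, such as off=[(M-F,18),(S,12)]; the TZ_ALIASES table is an assumed subset of Custodian's aliases.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Day letters in Custodian's offhours syntax, Monday first: M T W H F S U
DAYS = "MTWHFSU"
# Assumed subset of Custodian's timezone aliases (it maps several more).
TZ_ALIASES = {"ct": "America/Chicago", "et": "America/New_York",
              "pt": "America/Los_Angeles", "utc": "UTC"}


def _expand_days(spec):
    """'H' -> {3}; 'M-F' -> {0, 1, 2, 3, 4} (indexes into DAYS)."""
    first, _, last = spec.upper().partition("-")
    start = DAYS.index(first)
    end = DAYS.index(last) if last else start
    return set(range(start, end + 1))


def parse_schedule(value, default_tz="et"):
    """Parse e.g. 'off=[(M-F,18),(S,12)];on=(M-F,8);tz=ct' into
    {"off": [(day_set, hour), ...], "on": [...], "tz": "ct"}."""
    sched = {"off": [], "on": [], "tz": default_tz}
    for part in value.replace(" ", "").lower().split(";"):
        key, _, spec = part.partition("=")
        if key == "tz":
            sched["tz"] = spec
        elif key in ("off", "on"):
            # "(H,18)" and "[(M-F,18),(S,12)]" both reduce to "days,hour" items
            for item in spec.strip("[]").split("),("):
                days, hour = item.strip("()").split(",")
                sched[key].append((_expand_days(days), int(hour)))
    return sched


def should_act(value, now, action, default_tz="et"):
    """True when the schedule says stop (action="off") or start
    (action="on") in the hour `now` falls into, in the tag's timezone.
    `now` is a datetime or ISO-8601 string; naive values are taken as UTC,
    which is what the hourly Lambda run sees."""
    sched = parse_schedule(value, default_tz)
    tz = ZoneInfo(TZ_ALIASES.get(sched["tz"], sched["tz"]))
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    local = now.astimezone(tz)
    return any(local.weekday() in days and local.hour == hour
               for days, hour in sched[action])
```

Before deploying the real policies, run `custodian validate <policy-file>` so schema errors (a misspelled actions key, an unknown filter option) are caught before anything is scheduled.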
# 6 — EC2 running continuously for the last 1 week

```yaml
policies:
  - name: csp-n-ec2-running-for-last-7-days
    resource: aws.ec2
    comments: |
      Find all EC2 instances that have been in the running state for the
      last 7 days. This is a notify-only policy. It runs every day at
      6:00 AM UTC (1:00 AM CDT).
    filters:
      - "State.Name": running
      - type: instance-age
        days: 7
    mode:
      type: periodic
      schedule: "cron(0 6 * * ? *)"
      execution-options:
        output_dir: s3://bucket-name/cclogs/{{policy}}/
    actions:
      - type: notify
        # notify requires a recipient and a transport; reusing the mailer settings from the policies above
        template: default.html
        to:
          - first.last@example.com
        transport:
          type: sqs
          queue: https://sqs.{{region}}.amazonaws.com/{{account_id}}/c7nmailermessagequeue
```