What is Cloud Custodian?

Definition, Key Features, Installation, Version, and Schema

A Cloud Custodian is an open-source from CapitalOne written in python language and comprises many tools and scripts. It is a rule engine where you can write policy definitions in YAML. This enables an organization to manage their public cloud resources by writing policies for cost savings, explore tagging, compliance, security, operations related concerns, and resource inventory.

Addresses various domains

Key Features:

  1. Supports AWS, Azure, and GCP Cloud Providers.
  2. Does not require an agent or client to be installed.
  3. Write your own rules in the form of YAML policy.
  4. Enables you to check on your compliance requirements.
  5. Real-Time Guard rails, that take action on the resources to do auto-remediation.
  6. Best in class to filter on certain values and define actions to be taken at certain time intervals. For example- mark now, notify the user, and delete after 1 hour, and then notify again. Hence, allows using a wide variety of combinations to meet your use cases without being pesky to the developers.
  7. Allows you to define if action needs to be taken on an existing or newly created resources.
  8. Allows you to count resources and corresponding tags.
  9. c7n-mailer is a separate script from the community which allows you to get notified via email of actions taken by Cloud Custodian.
  10. Produces the output which can be ingested into a Security Information and Event Management solution (SIEM).

Cloud Custodian is AMAZING for AWS. Not mature enough for Azure and GCP.

Cloud Custodian Highlights


Run the following commands as shown below-

Installing Cloud Custodian and Packages

Important points to note here-

  1. Cloud Custodian gets installed on your local machine.
  2. You write the YAML policy and validate using the command line on your local machine.
  3. Use “$ custodian run --dryrun” command to check the affected resource and it does not run any actions on the resources.
  4. Use “$ custodian run” command to deploy the policy to your cloud account.
  5. Each YAML policy upon deploying creates a lambda function, cloudwatch log-groups, and cloudwatch event-rules (depends on the execution options).
  6. Policies cannot share Lambda functions, log groups, and event rules. These are 1:1 relations. This means, one policy cannot share its infrastructure with another policy. Also, you cannot define multiple resources in one policy. You must create one policy for one resource.

Check your Cloud Custodian Version: $ custodian version displays the version installed.

Update your Cloud Custodian Version: $ pip install c7n==

I have a separate story where we have explained how to upgrade the Cloud Custodian to the latest version — https://ismsguy.medium.com/upgrade-cloud-custodian-to-the-latest-version-4a2aab465a93

Exploring Cloud Custodian

Custodian Help Command: Use the terminal type “custodian -h” as shown in the below screenshot to display all the commands supported by Cloud Custodian.

Help Options

Custodian Execution Mode: Use the terminal type “custodian schema mode” as shown in the below screenshot to display all the modes supported by Cloud Custodian for all three Public Cloud Providers — AWS, Azure, and GCP

Execution Mode

Resources Supported by Cloud Custodian: Use the terminal type “custodian schema aws” as shown in the below screenshot to display all the supported resources for AWS Cloud Provider. Similarly, you can check for Azure and GCP.

AWS resources supported by Cloud Custodian
Azure resources supported by Cloud Custodian

The summary below provides the syntax for various schema commands for different cloud providers.

schema commands for AWS and Azure

Cloud Custodian Output

Cloud Custodian Policy will be executed based on the Cloud Watch Event Rule as defined in the YAML policy. The output is then delivered to the S3 bucket. It is important to know that the Cloud Custodian execution role must have the permissions to that s3 bucket. Cloud Custodian produces 3 separate files as output — resources.json.gz, metadata.json.gz, and custodian-run.log.gz. We have discussed this in a separate story as linked below-


In the next chapter, we will look at how to write the YAML policy, its deployment, validation, and reporting.

Other Stories

Tried replacing the Cloud Custodian with Something else…

Cloud Custodian Policies for CIS AWS Foundations Benchmark (Part 1)

Propagating Tags from provider level down to all resources using Terraform Template




Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.