Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

May 20, 2022

2 min read

Writing the Cloud Custodian Policy, Validate, Run, and Reporting

A powerful open-source tool to govern your public cloud resources

This is a quick story, where we discussed how to install the Cloud Custodian, Write the policy in YAML language, Validate the policy for syntax errors, Run/deploy and Understand the output GZ files.

Cloud Custodian — Open Source Tool

Install the Cloud Custodian on your local machine

We have covered the installation of Cloud Custodian in another story- https://ismsguy.medium.com/what-is-a-cloud-custodian-c33b37b6060

Writing Cloud Custodian Policy

The Cloud Custodian Policies are YAML. You can use Visual Studio Code Editor to write the policy. After writing the policy, you can save it on your local machine. The next step is to validate to make sure it debugs nicely.

Example- Identify AWS Redshift Cluster Publicly Accessiblepolicies:
- name: redshift-cluster-publicly-accessible
  resource: aws.redshift
  comments: |
    Find Redshift clusters that are publicly accessible.This is a 
    notify only policy. The policy run once every 24 hours.
  filters:
     - "tag:redshift-publicly-accessible-exempt": absent
     - PubliclyAccessible: true
  mode:
    type: periodic
    schedule: "rate(24 hours)"
    execution-options:
      output_dir: s3://bucket-name/cclogs/{{policy}}/
    runtime: python3.8
  action:
    - type: delete

Validate your Cloud Custodian Policy

Use the below command to debug your Custodian policy.

custodian validate policy.yml

Run your Cloud Custodian Policy

Use the below command to deploy the Custodian policy to the AWS account. You can also create a terraform template CICD pipeline to deploy the policies to multiple accounts simulateneously.

custodian run ~/Desktop/cloudcustodian/policy.yml -s ~/Desktop/CustodianTest/ --assume arn:aws:iam::1234567891234:role/c7nexecutionrole

Cloud Custodian Reporting

Upon executing the policy, the cloud custodian produces three different files in gzip format as shown below in the screenshot. You can notice they are JSON format which can be further consumed into your SIEM solution.

cloud-custodian-report

We have a separate story where we have discussed the Custodian Output very comprehensively- Click Here.

Other Stories

Cloud Custodian Output Files

Dashboard for Cloud Custodian

Turn on and off your AWS resources using the Cloud Custodian

Cloud Custodian
Policy As Code
Cloud Governance
AWS
Azure

--

--

More from Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.

Recommended from Medium

Yekta Sarioglu

in

Huawei Developers

The one TTS app to rule them all

Akanksha Singh

in

Geek Culture

Automation —  WordPress Deployment on Kubernetes Multi-Node Cluster launched over AWS using Ansible

Oliver K. Ernst, Ph.D.

in

Practical coding

Stop using Python’s print for your library

Jean-Noel Seneque

Integrating Unity with Github

VEDANT KHANDEKAR

High Dependency on Network

DevopsCurry

in

DevopsCurry

Best Open Source Monitoring Options in 2021 for your Kubernetes Cluster

Janlloyd Carangan

CS 373 Spring 2023: Janlloyd Carangan

Toro Cloud

Testing even before a line of code is written — is it possible?

AboutHelpTermsPrivacy

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

80 Followers

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech