Cloud Custodian is a tool that unifies the dozens of tools and scripts most organizations use for managing their AWS accounts into one open source tool. It’s a stateless rules engine for policy definition and enforcement, with metrics and detailed reporting for AWS.
Organizations can use Custodian to manage their AWS environments by ensuring compliance to security policies, tag policies, garbage collection of unused resources, and cost management via off-hours resource management, all from the same place. Custodian policies are written in simple YAML configuration files that specify given resource types and are constructed from a vocabulary of filters and actions.
Please go for further information to the official documentation.
docker pull einyx/cloud-custodian
If you have the aws-cli configured your ready to run.
We can mapp your ~/.aws folder in readOnly mode inside the Container.
#!/usr/bin/env bash
function main () {
docker run \
-it \
-v "${HOME}/.aws:/custodian/.aws:ro" \
-v "${PWD}/logs:/tmp" \
-v "${PWD}/.cache:/custodian/.cache" \
-v "${PWD}/policies:/custodian/policies:ro" \
einyx/cloud-custodian run --output-dir=/tmp \
policies/my-policy.yml
}
main
Export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY so that we can pass them on in the next step inside the Container.
#!/usr/bin/env bash
export AWS_ACCESS_KEY_ID="your-key-here"
export AWS_SECRET_ACCESS_KEY="your-sec-key-here"
#!/usr/bin/env bash
function main () {
docker run \
-it \
-e AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
-e AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
-v "${PWD}/logs:/tmp" \
-v "${PWD}/.cache:/custodian/.cache" \
-v "${PWD}/policies:/custodian/policies:ro" \
einyx/cloud-custodian run --output-dir=/tmp \
policies/my-policy.yml
}
main
policies: here is the place to store your policies and run them like in the example with your name.
logs: all output logs get's stored there
.cache: is needed by the program
- Cloud Custodian Website
- Cloud Custodian Docs
- Github Repository# cloud-custodian