Cloud Custodian enables you to manage your cloud resources by filtering, tagging, and then applying actions to them. The YAML DSL allows definition of rules to enable well-managed cloud infrastructure that's both secure and cost optimized.
This solution automates the setup of a multi account Cloud Custodian installation allowing you to make use of the AWS Serverless services. This solution will set up the AWS EventBridge policies, event buses, event forwarding, cross account roles, provisioning of the policy AWS Lambda Functions for real time monitoring and the periodic triggering needed for delayed actions and retrospective monitoring.
This solution allows you to write policies in any of the c7n supported modes.
If you write pull based policies they will be run periodically within an AWS CodeBuild environment on a schedule of your choosing. AWS Lambda policies are provisioned within an AWS CodeBuild project run. If you would like to apply the policies to multiple accounts you will need to specify a value for c7n_org_version in the config:
To get started you must add a
c7n-aws-lambdas section to the manifest file and specify the custodian, policies and
Here is an example cloudtrail policy:
If you want to use delayed actions - for example terminate unused ebs volumes after 30 days then you will need to set a schedule_expression. This will trigger the solution to run c7n as often as you have specified. You can use AWS Amazon EventBridge cron or rate expressions when specifying the value. You should choose a value that makes sense depending on your requirements, for example if you wait 30 days before performing actions you could probably use a 24hr schedule or if you want to be more aggressive with your cost savings or have stricter policies you can set the schedule to run hourly. We do not recommend running the schedule in such a way where run N is starting before run N-1 has finished.
Here is an example:
For the accounts you specify as custodians an Amazon EventBridge EventBus will be provisioned in the default region with a bus policy allowing the accounts you are monitoring to put events - cross region and cross account. For each region of each account you monitor an event rule will be provisioned, forwarding events to the custodian account using an IAM role provisioned in the account being monitored.
When you specify a policy, Cloud Custodian provisions a specific event rule based on the events you specified that trigger an AWS Lamdba function it created for that policy to perform the actions you specified.
Whatever policies you would have written in Cloud Custodian can be pasted into the manifest file ‘as is’ - you do not need to make any changes. If you do not specify a mode: type: cloudtrail it will be added for you. If you specify a mode: type: something-else it will be replaced with mode: type: cloudtrail. You should not specify a mode: member-role attribute, one will be added for you and any you add will be overriden.
You can customise the name of the role, the path and the managed policies attached to the role:
To reduce the overall execution time you can deploy Cloud Custodian in spoke execution mode by specifying