Introduction
Cloud Custodian is a CNCF project that lets teams write simple YAML policies to audit, enforce, and remediate cloud resource configurations in real time. It replaces ad-hoc scripts with a declarative DSL that works across AWS, Azure, GCP, and Kubernetes.
What Cloud Custodian Does
- Evaluates cloud resources against YAML-defined policies with 400+ built-in filters
- Automatically remediates non-compliant resources (tag, stop, terminate, encrypt)
- Runs as a Lambda/Cloud Function for real-time event-driven enforcement
- Generates compliance reports and sends alerts via email, Slack, or webhooks
- Manages cost optimization by identifying idle, underused, or untagged resources
Architecture Overview
Custodian policies are YAML documents that specify a resource type, filters to match, and actions to take. The engine queries cloud provider APIs, applies filter chains, and executes actions. In serverless mode, policies deploy as Lambda functions triggered by CloudTrail events or CloudWatch schedules, enabling real-time enforcement without running infrastructure.
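As an added example (not taken from the page or from the Cloud Custodian project's own docs), the following policy file shows the three parts described above, resource type, filters and actions, in both execution modes: an event-driven policy that reacts to instance launches, and a scheduled one that carries out the deferred remediation. The role ARN, tag keys, mail address and SQS queue are placeholders.

```yaml
# Added example: enforce an "Owner" tag on EC2 instances with two policies.
# Role ARN, tag keys, address and queue URL are placeholders, not real values.
policies:
  # Policy 1: event-driven. Runs as a Lambda within seconds of RunInstances.
  - name: ec2-missing-owner-tag-mark
    resource: aws.ec2
    mode:
      type: cloudtrail                      # deploy as Lambda on CloudTrail events
      role: arn:aws:iam::{account_id}:role/CustodianLambdaRole   # placeholder
      events:
        - RunInstances                      # built-in shorthand for ec2:RunInstances
    filters:
      - "tag:Owner": absent                 # the compliance condition
      - "tag:custodian_cleanup": absent     # do not re-mark already marked instances
    actions:
      - type: mark-for-op                   # defer the stop instead of acting now
        tag: custodian_cleanup
        op: stop
        days: 1                             # one-day grace period to add the tag
      - type: notify
        subject: "EC2 instance launched without an Owner tag"
        to:
          - cloud-ops@example.com           # placeholder recipient
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/custodian-mailer  # placeholder

  # Policy 2: scheduled. Executes the deferred stop once the grace period has passed.
  - name: ec2-missing-owner-tag-stop
    resource: aws.ec2
    mode:
      type: periodic                        # Lambda on a CloudWatch schedule
      role: arn:aws:iam::{account_id}:role/CustodianLambdaRole   # placeholder
      schedule: "rate(1 hour)"
    filters:
      - type: marked-for-op                 # matches only when the marked date is due
        tag: custodian_cleanup
        op: stop
      - "tag:Owner": absent                 # re-check: a fixed tag cancels the stop
    actions:
      - stop
      - type: tag                           # leave an audit marker on the resource
        key: custodian_status
        value: "stopped: missing Owner tag"
```

custodian validate policy.yml checks the file against the schema, and custodian run --dryrun -s ./out policy.yml evaluates the filters and writes the matched resources to the output directory without executing the actions, which is the rehearsal the FAQ below recommends before granting the role write permissions.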
Self-Hosting & Configuration
- Install via pip and configure cloud provider credentials (AWS profiles, Azure CLI, GCP service accounts)
- Run policies on a schedule via cron, CI/CD pipelines, or Kubernetes CronJobs
- Deploy serverless mode with custodian deploy for event-driven real-time enforcement
- Use c7n-org to run policies across multiple accounts and subscriptions in parallel
- Store policy outputs in S3, Azure Blob, or GCS for audit trails and dashboards
Key Features
- Supports AWS (300+ resource types), Azure (200+), GCP (100+), and Kubernetes
- Serverless execution mode eliminates infrastructure management overhead
- c7n-org enables multi-account governance across hundreds of accounts
- Real-time mode reacts to CloudTrail events within seconds of resource creation
- Extensible plugin system for custom resource types and actions
Comparison with Similar Tools
- AWS Config Rules — AWS-only and per-rule pricing; Custodian is multi-cloud and free
- Open Policy Agent — general policy engine needing custom integration; Custodian is purpose-built for cloud resources
- Terraform Sentinel — policy-as-code for Terraform plans only; Custodian audits live running resources
- Prowler — security auditing tool; Custodian also remediates and manages costs
- ScoutSuite — read-only cloud auditor; Custodian takes automated corrective actions
FAQ
Q: Can Custodian modify or delete resources automatically? A: Yes. Actions like stop, terminate, and delete are available. Run policies in dry-run mode first, and grant the role Custodian executes under only the permissions its policies' actions actually need.
Q: How does multi-cloud work? A: Install provider-specific packages (c7n for AWS, c7n-azure, c7n-gcp). Policies use the same YAML structure with provider-specific resource types and filters.
Q: What is the performance for large environments? A: Custodian uses parallel API calls and pagination. It routinely audits environments with millions of resources across hundreds of accounts.
Q: Is there a UI? A: The core tool is CLI-based. Third-party dashboards and the c7n-traildb tool provide visualization.