Skills · April 16, 2026 · 1 min read

Cloud Custodian — Cloud Security & Cost Governance Rules Engine

A YAML-based rules engine for managing cloud resources across AWS, Azure, and GCP. Cloud Custodian enforces security policies, optimizes costs, and ensures compliance through automated actions on non-compliant resources.

Agent-ready

Installable directly by an Agent

This asset is installable; the Agent first selects the current runtime, checks the install plan, then runs the matching command.

Native · 98/100 · Policy: allowed
Agent entry point: any MCP/CLI Agent
Type: Skill
Install: Single
Trust level: Established
Entry: Cloud Custodian Overview
Direct install command:
npx -y tokrepo@latest install 7b0e8ddf-39d2-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first to confirm the install plan, then run this command.

TL;DR
Cloud Custodian enforces security, cost, and compliance policies across AWS, Azure, and GCP using simple YAML rules.
§01

What it is

Cloud Custodian is a CNCF-hosted rules engine that lets teams define cloud governance policies in YAML. Each policy specifies a resource type (EC2 instances, S3 buckets, Azure VMs), filters to match non-compliant resources, and actions to remediate (tag, stop, terminate, encrypt, notify). It supports AWS, Azure, GCP, and Kubernetes.

Cloud Custodian is built for DevOps engineers, security teams, and FinOps practitioners who need automated enforcement of security posture, compliance mandates, and cost optimization rules across multi-cloud environments.

§02

How it saves time or tokens

Without Custodian, teams write ad-hoc scripts per cloud provider to audit resources. Custodian replaces those scripts with a declarative DSL -- one YAML file per policy. The engine handles API pagination, rate limiting, credential management, and retry logic. Policies run as Lambda functions or Cloud Functions for real-time event-driven enforcement, eliminating cron-based audit lag. For AI workflows, the YAML format is concise enough that generating or reviewing policies consumes minimal tokens.

§03

How to use

  1. Install the CLI: pip install c7n (add c7n-azure or c7n-gcp for non-AWS clouds).
  2. Write a policy YAML file defining resource type, filters, and actions.
  3. Run the policy: custodian run -s output policy.yml. Results are written to the output directory.
§04

Example

policies:
  - name: s3-require-encryption
    resource: s3
    filters:
      - type: bucket-encryption
        state: false
    actions:
      - type: notify
        subject: 'Unencrypted S3 bucket found'
        to:
          - security-team@example.com
        transport:
          type: sqs
          queue: custodian-notifications

This policy scans all S3 buckets, filters those without encryption enabled, and sends a notification via SQS.

§06

Common pitfalls

  • Running policies with destructive actions (terminate, delete) without first doing a dry run. Always test with --dryrun before applying actions that modify or remove resources.
  • Forgetting to scope policies by region. By default Custodian runs in your default region only. Use --region all or specify regions explicitly for global coverage.
  • Not setting up proper IAM roles for Lambda-mode policies. Custodian needs permissions to both read resources and perform the configured actions.
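As an added example that is not Cloud Custodian's own code, the Python pre-flight check below walks a parsed policy document in the policies → name/resource/filters/actions shape shown in §04 (what yaml.safe_load returns for a policy file) and flags the first pitfall above: destructive actions, and filter-less policies, that should only run after a --dryrun pass. The DESTRUCTIVE_ACTIONS set and the sample policies are constructed assumptions, not a list maintained by the project.

```python
# Constructed pre-flight check for Cloud Custodian policy documents: walks the
# policies -> name/resource/filters/actions structure (what yaml.safe_load returns
# for a policy file) and reports what should not run before `custodian run --dryrun`.

# Assumption: common c7n action types that change or remove resources; extend per resource type.
DESTRUCTIVE_ACTIONS = {"terminate", "delete", "stop", "remove-statements"}


def action_type(action) -> str:
    """Custodian accepts both `- stop` and `- type: stop` in an actions list."""
    if isinstance(action, str):
        return action
    if isinstance(action, dict) and isinstance(action.get("type"), str):
        return action["type"]
    raise ValueError(f"malformed action: {action!r}")


def lint_policy(policy: dict) -> list[str]:
    """Return findings for one policy; an empty list means it is clean."""
    findings = []
    name = policy.get("name", "<unnamed>")
    if not policy.get("filters"):
        # Without filters every resource of this type matches the actions.
        findings.append(f"{name}: no filters, actions apply to every {policy.get('resource')}")
    for action in policy.get("actions", []):
        kind = action_type(action)
        if kind in DESTRUCTIVE_ACTIONS:
            findings.append(f"{name}: destructive action '{kind}', run with --dryrun first")
        if kind == "notify":  # notify needs recipients and a transport to deliver anything
            missing = [k for k in ("to", "transport") if k not in action]
            if missing:
                findings.append(f"{name}: notify action missing {', '.join(missing)}")
    return findings


def lint_document(doc: dict) -> list[str]:
    return [f for policy in doc.get("policies", []) for f in lint_policy(policy)]


# Constructed sample: the page's notify policy plus a destructive EC2 policy.
SAMPLE = {"policies": [
    {"name": "s3-require-encryption", "resource": "s3",
     "filters": [{"type": "bucket-encryption", "state": False}],
     "actions": [{"type": "notify", "subject": "Unencrypted S3 bucket found",
                  "to": ["security-team@example.com"],
                  "transport": {"type": "sqs", "queue": "custodian-notifications"}}]},
    {"name": "ec2-stop-untagged", "resource": "ec2",
     "filters": [{"tag:Owner": "absent"}],
     "actions": ["stop", {"type": "terminate", "force": True}]},
]}

if __name__ == "__main__":
    print("\n".join(lint_document(SAMPLE)) or "no findings")
```

Wire lint_document into a pre-commit hook or CI step over yaml.safe_load of each policy file, and fail the build when a finding mentions a destructive action that has not yet had a recorded --dryrun run.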

FAQ

What cloud providers does Cloud Custodian support?

Cloud Custodian supports AWS natively with the core c7n package. Azure support is available via c7n-azure, GCP via c7n-gcp, and Kubernetes via c7n-kube. Each provider has its own set of resource types, filters, and actions.

Can Cloud Custodian run policies in real time?

Yes. Custodian can deploy policies as AWS Lambda functions triggered by CloudTrail events, enabling real-time enforcement. When a non-compliant resource is created, the policy runs immediately rather than waiting for a scheduled scan.

How does Cloud Custodian handle cost optimization?

Custodian includes filters for identifying underutilized resources (low CPU, zero connections), unattached volumes, old snapshots, and untagged resources. Actions can stop, resize, or terminate wasteful resources automatically.

Is Cloud Custodian suitable for large-scale environments?

Yes. Custodian is used in production by organizations managing thousands of AWS accounts. It supports multi-account execution via c7n-org, which runs policies across an AWS Organization or a list of accounts in parallel.

What is the difference between Cloud Custodian and AWS Config Rules?

AWS Config Rules are AWS-native and limited to AWS resources. Cloud Custodian is open-source, multi-cloud, and offers richer filter logic and action types. Custodian policies are portable YAML files rather than Lambda code tied to AWS Config.
