Cloud Custodian is a rules engine for managing AWS resources. It lets users define policies that keep a cloud estate well managed, secure and cost-efficient, and it consolidates the many ad hoc scripts an organization accumulates into one lightweight, flexible tool with unified metrics and reporting.
It can be used to manage AWS accounts by making sure security policies, autoscaling-group (ASG) policies and garbage collection of unused resources are actually enforced, which lowers the cost of managing those resources.
Custodian policies are written in simple YAML files, and each policy is scoped to one resource type (ec2, asg, redshift, etc.). Custodian exists to replace the sprawl of scripts and tools used to manage AWS accounts with a single place for operations and reporting.
Custodian integrates with Lambda and CloudWatch Events to enforce policies in real time, and ships with the query and action facilities needed to inspect and act on the account's resources.
Example configuration:
```yaml
policies:
  - name: remediate-extant-keys
    description: |
      Scan through all s3 buckets in an account and ensure all objects
      are encrypted (default to AES256).
    resource: s3
    actions:
      - encrypt-keys

  - name: ec2-require-non-public-and-encrypted-volumes
    resource: ec2
    description: |
      Provision a lambda and cloud watch event target that looks at all
      new instances not in an autoscale group and terminates those with
      unencrypted volumes.
    mode:
      type: cloudtrail
      events:
        - RunInstances
    filters:
      # Encrypted is an attribute of the attached EBS volumes, not of the
      # instance record, so it must be reached through the ebs filter;
      # a bare "Encrypted: false" value filter on an ec2 resource never matches.
      - type: ebs
        key: Encrypted
        value: false
    actions:
      - terminate

  - name: tag-compliance
    resource: ec2
    description: |
      Schedule a resource that does not meet tag compliance policies
      to be stopped in four days.
    filters:
      - State.Name: running
      - "tag:Environment": absent
      - "tag:AppId": absent
      - or:
          - "tag:OwnerContact": absent
          - "tag:DeptID": absent
    actions:
      - type: mark-for-op
        op: stop
        days: 4
```

Two things to check before running this: the policy key is `resource` (singular), which `custodian validate` will reject otherwise, and the second policy's description promises to skip instances in an autoscaling group, but nothing in its `filters` actually excludes them, so as written it terminates any new instance with an unencrypted volume.
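To see what a `filters:` block will match before pointing it at a real account, here is a small evaluator of Custodian's filter semantics written for this page. It is an added example, not Cloud Custodian's own code; the instance records and tag values are constructed, and the filter block is the page's tag-compliance policy expressed as Python literals. It models the implicit top-level AND, nested `or`/`and`/`not` blocks, the `absent`/`present` shorthand values, `tag:` keys and dotted paths, and the long `type: value` form, plus a check for the `resource`-versus-`resources` key mistake.

```python
"""Offline dry-run of Cloud Custodian-style filters (added example, not c7n code).

Semantics reproduced here:
  * the top-level `filters:` list is an implicit AND;
  * `or:` / `and:` / `not:` hold nested lists of filters (`not` negates the
    AND of its children, as Custodian does);
  * a shorthand `{key: value}` filter compares a resource attribute to a value,
    with the special values `absent` (attribute missing) and `present`;
  * `tag:Name` keys read the Tags list, dotted keys walk nested dicts.
"""
from typing import Any, Dict, List, Optional

# The `filters:` block of the tag-compliance policy, as Python literals
# (the same structure a YAML loader produces from the policy above).
TAG_COMPLIANCE_FILTERS: List[Dict[str, Any]] = [
    {"State.Name": "running"},
    {"tag:Environment": "absent"},
    {"tag:AppId": "absent"},
    {"or": [
        {"tag:OwnerContact": "absent"},
        {"tag:DeptID": "absent"},
    ]},
]

# Constructed sample data in the shape of EC2 DescribeInstances output
# (only the fields the filters read); ids and tag values are made up.
SAMPLE_INSTANCES: List[Dict[str, Any]] = [
    {"InstanceId": "i-0a", "State": {"Name": "running"},          # fully tagged
     "Tags": [{"Key": "Environment", "Value": "prod"}, {"Key": "AppId", "Value": "42"},
              {"Key": "OwnerContact", "Value": "sec@example.com"}, {"Key": "DeptID", "Value": "7"}]},
    {"InstanceId": "i-0b", "State": {"Name": "running"}, "Tags": []},   # nothing tagged
    {"InstanceId": "i-0c", "State": {"Name": "stopped"}, "Tags": []},   # not running, ignored
    {"InstanceId": "i-0d", "State": {"Name": "running"},          # owner tags present -> `or` fails
     "Tags": [{"Key": "OwnerContact", "Value": "sec@example.com"}, {"Key": "DeptID", "Value": "7"}]},
    {"InstanceId": "i-0e", "State": {"Name": "running"},          # DeptID missing -> `or` holds
     "Tags": [{"Key": "OwnerContact", "Value": "sec@example.com"}]},
]


def _tags(resource: Dict[str, Any]) -> Dict[str, str]:
    return {t["Key"]: t["Value"] for t in resource.get("Tags") or []}


def _lookup(resource: Dict[str, Any], key: str) -> Optional[Any]:
    """Resolve a filter key against a resource; None means the attribute is absent."""
    if key.startswith("tag:"):
        return _tags(resource).get(key[len("tag:"):])
    cur: Any = resource
    for part in key.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def _compare(actual: Optional[Any], expected: Any) -> bool:
    if expected == "absent":
        return actual is None
    if expected == "present":
        return actual is not None
    return actual == expected


def matches(resource: Dict[str, Any], flt: Dict[str, Any]) -> bool:
    """Evaluate one filter entry against one resource."""
    if "or" in flt:
        return any(matches(resource, f) for f in flt["or"])
    if "and" in flt:
        return all(matches(resource, f) for f in flt["and"])
    if "not" in flt:
        return not all(matches(resource, f) for f in flt["not"])
    if flt.get("type") == "value":
        # Long form {type: value, key: ..., value: ...}; only op=eq is modelled.
        return _compare(_lookup(resource, flt["key"]), flt["value"])
    if len(flt) == 1:
        (key, expected), = flt.items()
        return _compare(_lookup(resource, key), expected)
    raise ValueError(f"unsupported filter: {flt!r}")


def select(resources: List[Dict[str, Any]], filters: List[Dict[str, Any]]) -> List[str]:
    """Return ids of resources that pass every filter (implicit top-level AND)."""
    return [r["InstanceId"] for r in resources if all(matches(r, f) for f in filters)]


def check_policy(policy: Dict[str, Any]) -> List[str]:
    """Flag the required-key problems that `custodian validate` rejects."""
    problems = [f"missing required key '{k}'" for k in ("name", "resource") if k not in policy]
    if "resources" in policy:
        problems.append("'resources' is not a policy key; use 'resource'")
    return problems


if __name__ == "__main__":
    print(select(SAMPLE_INSTANCES, TAG_COMPLIANCE_FILTERS))        # ['i-0b', 'i-0e']
    print(check_policy({"name": "tag-compliance", "resources": "ec2"}))
```

Only i-0b and i-0e are selected: i-0d is missing the same Environment and AppId tags but carries both owner tags, so the `or` block fails and the top-level AND with it. Running this kind of check against a pasted `describe-instances` dump is a cheap way to confirm a policy's blast radius before the real `--dryrun`.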
Running it:
```sh
# Directory for outputs
$ mkdir out

# Validate the configuration
$ custodian validate -c policy.yml

# Dryrun on the policies (no actions executed)
$ custodian run --dryrun -c policy.yml -s out

# Run the policy
$ custodian run -c policy.yml -s out
```

Always run `--dryrun` first and read the resource lists written under `out/`: `terminate` and `encrypt-keys` cannot be undone. The `-c` flag is the syntax of older releases; current versions take the policy file as a positional argument (`custodian validate policy.yml`, `custodian run -s out policy.yml`).