To get started quickly, visit here
For a quick reference of currently supported Azure resources, and more, visit here
As enterprises evolve their computing environments from their on-premises data centers to include deployment across multiple public clouds, they are concerned about new business risk exposures that might arise.
These risk exposure concerns generally center around:
- Security Vulnerabilities
- Cost Controls
- Audit compliance and governance
Cloud Custodian is a solution for unifying the diverse landscape of tools most organizations use for managing these issues into one, consistent policy enforcement paradigm. Cloud Custodian uses open source (Python) technology to provide a stateless rules engine for cross-cloud policy definition and enforcement, metrics and detailed reporting.
Organizations can use Cloud Custodian to ensure compliance with security policies, tag deployed service instances, shut down unused resources, and provide cost management via off-hours resource management. This is all managed and executed from a single point of control, with policies written in simple, YAML-based configuration files.
Cloud Custodian also provides the flexibility to deploy to a variety of execution environments: local command line interface or scripting, virtual machine servers, or serverless (e.g., Docker, Kubernetes). As a result, versioning and deployment of the Cloud Custodian Python-based executables and YAML-based configuration files can all be managed via standard, existing IT DevOps processes.
The Cloud Custodian policies are based on a common vocabulary of FILTERS, RESOURCES and ACTIONS. The policies define filters to select a subset of cloud resources. The policies also instruct Cloud Custodian what action or actions to take on this subset. This approach and vocabulary are comparable across public cloud providers.
When a user runs Cloud Custodian, the Cloud Custodian application uses the specified policy to create a filter against the specified Azure resource type. Based on the subscription specified by the user, Cloud Custodian iterates over all resources of the type named in the policy and produces the subset of resources within that subscription that match the filter. Then Cloud Custodian executes the action(s) specified in the policy against that subset of resources. Cloud Custodian uses the Azure native API to access the resources and execute the required actions.
Some typical use cases where Cloud Custodian policies enforce corporate controls:
- Disable Port 22 on all Virtual Machines within an Azure Security Group
- Shut down any Virtual Machines not provisioned to use SSH Key user authentication
- Limit Virtual Machine deployment to a set of economical SKUs
- Remove unused Azure Storage Disks
- Shut down Cloud services between certain hours
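The following policy file is an added example, not from the original page or the Cloud Custodian project itself; it applies the FILTERS / RESOURCES / ACTIONS vocabulary to the first and the "Remove Empty Resource Groups" use cases. The `ingress`, `close`, `empty-group` and `tag` schemas are assumed from the c7n_azure documentation, and the tag name and value are constructed.

```yaml
# policy.yml (added example). Each entry under `policies:` is one policy:
# `resource` names the Azure resource type, `filters` narrow the set,
# `actions` run against every resource left after filtering.
policies:
  # Use case: block inbound SSH (port 22) on every network security group
  # that currently allows it. Assumes the c7n_azure `ingress` filter and
  # `close` action; matching NSGs are also tagged so owners can see why.
  - name: azure-nsg-close-ssh-ingress
    resource: azure.networksecuritygroup
    filters:
      - type: ingress          # inspect inbound rules only
        ports: '22'            # rules whose port range covers 22
        access: 'Allow'        # ...and that allow the traffic
    actions:
      - type: close            # add a Deny rule covering the port
        ports: '22'
        direction: 'Inbound'
      - type: tag              # assumed generic ARM tag action
        tag: custodian-remediation      # constructed tag name
        value: ssh-ingress-closed       # constructed tag value

  # Use case: remove resource groups that contain no resources.
  # Assumes the c7n_azure `empty-group` filter on azure.resourcegroup.
  - name: azure-delete-empty-resource-groups
    resource: azure.resourcegroup
    filters:
      - type: empty-group
    actions:
      - type: delete
```

Run `custodian run --dryrun -s out policy.yml` first: the dry run writes the matched resources to the `out` directory without executing any action, so the filter can be checked before the `close` and `delete` actions are allowed to run.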
To-Do: Need Azure Version https://cloudcustodian.io/docs/overview/deployment.html
Each policy can generate metrics that are sent to a predefined location that the user has access to. The run will also generate structured record output and logs that can be sent to an Azure Blob Storage Account in the account Custodian was run from.
TO-DO: Azure flow?
If Custodian is being run without TO-DO: Azure flow? Assume Roles, all output will be put into the same account.
Custodian is built with the ability to be run from different accounts and leverage STS Role Assumption for cross-account access. Users can leverage the metrics that are being generated after each run by creating Custodian Dashboards in TO-DO Azure flow?Azure OMS (other?).
The language also supports compound querying. This essentially allows you to filter for things such as running VM instances with attached disks that are not set to delete on instance termination, or stopped instances. This filtering can take into account external data sources. It also provides for resource-specific actions around deletion, stopping, starting, encryption, tagging, etc.
Custodian is built with the ability to be run from different accounts and leverage STS Role Assumption for cross-account access. Users can leverage the metrics that are being generated after each run by creating Custodian Dashboards in CloudWatch.
Multi Subscription: https://github.com/cloud-custodian/cloud-custodian/tree/master/tools/c7n_org
The stateless design of Custodian greatly simplifies feature development and operations. It also provides flexibility around execution environment (local cli, vm-based server or serverless container).
TO-DO Resource
TO-DO Run Mode
Filters - Metric/Tag/Marked for Op
Getting Started and writing your first policy
TO-DO: Confirm install details (Windows, Linux, Mac, Docker)
Setting up Azure Authentication
NOTE: These Azure Security Roles are required for the Cloud Custodian Service Principal
- Set Role to Contributor
- Storage Roles
  - If writing logs to Azure Blob Storage or leveraging Storage Queues for the Mailer use case, also assign Storage roles, either at the subscription level or at the resource group/storage account level:
    - Blob Data Contributor
    - Queue Data Contributor
For reference: Why/What of Authentication on Azure
To-Do: Azure ARM templates to set up and demonstrate policy execution results
- Automatically tag the creator of a resource or resource group
- VM Tagging
- Filtering
- Take Action
- Remove Empty Resource Groups
- Enforce SSH Keys **To-Do: From Brown Bag **
- Deny access to Network Security Group
- Resize an Application Service Plan
To-Do: Additional Set-Up or Instructions needed?
- Examples and documentation for specific Azure Services
- Specialized Features
- KeyVault Whitelist Filters
- Related services, e.g., frontend-public-ip on load balancer
- Network Security Groups: Ingress / Egress; Open / Close
- TO-DO Azure Policy - compare / contrast?
- TO-DO VM filters / actions - drill down / scenarios?
- Advanced Architecture
- Mailer Notification
- Azure Functions
- Architecture
- Flow (e.g., auto-create Azure resources, etc.)
- Provision and Execution Options
- Event Grid Functions
- Managing Cloud Custodian across multiple Azure Subscriptions
- Logging - Blob Storage
- Using Azure Functions and Logic Apps
- Installation for Developers
- **To-Do: ** Notes / Guidance from H/F?