To get started quickly, visit here

For a quick reference of currently supported Azure resources, and more, visit here

Guide to Cloud Custodian on Azure

What is Cloud Custodian?

As enterprises evolve their computing environments from their on-premises data centers to include deployment across multiple public clouds, they are concerned about new business risk exposures that might arise.

These risk exposure concerns generally center around:

  1. Security Vulnerabilities
  2. Cost Controls
  3. Audit compliance and governance

Cloud Custodian is a solution for unifying the diverse landscape of tools most organizations use for managing these issues into one, consistent policy enforcement paradigm. Cloud Custodian uses open source (Python) technology to provide a stateless rules engine for cross-cloud policy definition and enforcement, metrics and detailed reporting.

Organizations can use Cloud Custodian to ensure compliance to security policies, tag deployed service instances, shut down unused resources, and provide cost management via off-hours resource management. This is all managed and executed from a single point of control with policies written in simple, YAML-based configuration files.

Cloud Custodian also provides the flexibility to deploy to a variety of execution environments: local command line interface or scripting, virtual machine servers, or serverless (e.g., Docker, Kubernetes). As a result, versioning and deployment of the Cloud Custodian Python-based executables and YAML-based configuration files can all be managed via standard, existing IT DevOps processes.

The Cloud Custodian policies are based on a common vocabulary of FILTERS, RESOURCES and ACTIONS. The policies define filters to select a subset of cloud resources. The policies also instruct Cloud Custodian what action or actions to take on this subset. This approach and vocabulary are comparable across public cloud providers.

When a user runs Cloud Custodian, the Cloud Custodian application uses the specified policy to create a filter against the specified Azure resource type. Based on the subscription specified by the user, Cloud Custodian iterates over all resources defined in the policy filter and produces a subset of matching resources within that subscription. Then Cloud Custodian executes the action(s) specified in the policy against that subset of resources. Cloud Custodian uses the Azure native API to access the resources and execute the required actions.

Some typical use cases where Cloud Custodian policies enforce corporate controls:

  • Disable Port 22 on all Virtual Machines within an Azure Security Group
  • Shut down any Virtual Machines not provisioned to use SSH Key user authentication
  • Limit Virtual Machine deployment to a set of economical SKUs
  • Remove unused Azure Storage Disks
  • Shut down Cloud services between certain hours
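Two of the use cases above, written as Cloud Custodian Azure policies to show the RESOURCE / FILTERS / ACTIONS vocabulary and the flow described earlier (select a subset, then act on it). This is an added example, not from the original README; the policy names are made up, and the resource, filter and action type names are taken from the c7n_azure policy schema as I know it.

```yaml
# Added example policies (not part of the original README).
# Run with:  custodian run -s ./output this-file.yml
policies:

  # Use case: disable port 22 on every Network Security Group that
  # currently allows it. The FILTER selects the NSGs, the ACTION fixes them.
  - name: nsg-deny-inbound-ssh            # assumed name
    resource: azure.networksecuritygroup
    description: |
      Select NSGs that have an inbound Allow rule covering port 22
      and close that port for inbound traffic.
    filters:
      - type: ingress
        ports: '22'
        access: 'Allow'
    actions:
      - type: close
        ports: '22'
        direction: 'Inbound'

  # Use case: shut down any Linux VM not provisioned for SSH-key-only
  # authentication, i.e. one that still accepts password logins.
  - name: vm-stop-password-auth           # assumed name
    resource: azure.vm
    description: |
      Stop (deallocate) Linux VMs whose OS profile has password
      authentication enabled.
    filters:
      # The value filter takes a JMESPath key into the ARM resource as
      # returned by the Azure API. Windows VMs have no linuxConfiguration,
      # so the key resolves to null there and they are not selected.
      - type: value
        key: properties.osProfile.linuxConfiguration.disablePasswordAuthentication
        value: false
    actions:
      - type: stop
```

Add `--dryrun` to the `custodian run` command to see which resources each filter selects without executing the actions.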

Architecture

(Figure: Basic Cloud Custodian model)

(Figure: Cloud Custodian uses simple YAML to enforce policy)

(Figure: Cloud Custodian enables consistent policy enforcement across clouds)

Deployment

To-Do: Need Azure Version https://cloudcustodian.io/docs/overview/deployment.html

Process Flow & How it Works

Each policy can generate metrics that are sent to a predefined location that the user has access to. The run will also generate structured record output and logs that can be sent to an Azure Blob Storage Account in the account Custodian was run from.

TO-DO: Azure flow?

If Custodian is being run without Assume Roles (TO-DO: Azure flow?), all output will be put into the same account.

Custodian is built with the ability to be run from different accounts and leverage STS Role Assumption for cross-account access. Users can leverage the metrics that are being generated after each run by creating Custodian Dashboards in Azure OMS (TO-DO: Azure flow? other?).

The language also supports compound querying. This essentially allows you to filter for things like running VM instances with attached disks that are not set to delete on instance termination or stopped instances. This filtering can take into account external data sources. It also provides for resource specific actions around deletion, stopping, starting, encryption, tagging, etc.

Custodian is built with the ability to be run from different accounts and leverage STS Role Assumption for cross-account access. Users can leverage the metrics that are being generated after each run by creating Custodian Dashboards in CloudWatch.

Multi Subscription: https://github.com/cloud-custodian/cloud-custodian/tree/master/tools/c7n_org

The stateless design of Custodian greatly simplifies feature development and operations. It also provides flexibility around execution environment (local cli, vm-based server or serverless container).

Concepts

Policy

TO-DO Resource

TO-DO Run Mode

Action

Filters - Metric/Tag/Marked for Op

On/Off Hours

Getting Started

Getting Started and writing your first policy

TO-DO: Confirm install details (Windows, Linux, Mac, Docker)

Setting up Azure Authentication

NOTE: These Azure security roles are required for the Cloud Custodian Service Principal:

  • Set Role to Contributor
  • Storage Roles: if writing logs to Azure Blob Storage or leveraging Storage Queues for the Mailer use case, also assign Storage roles, either at the subscription level or at the resource group/storage account level.
    • Blob Data Contributor
    • Queue Data Contributor

For reference: Why/What of Authentication on Azure

Cloud Custodian Drill down - Basic Examples

To-Do: Azure ARM templates to set up and demonstrate policy execution results

Cloud Custodian Drill down - Advanced

To-Do: Additional Set-Up or Instructions needed?