Over 10 years we helping companies reach their financial and branding goals. Onum is a values-driven SEO agency dedicated.

Cloud Native

Cloud Agnostic Compliance-as-code

Manage public cloud accounts and resources compliance by defining policies as code for a well managed cloud infrastructure.

Cloud Custodian

is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed cloud infrastructure, that’s both secure and cost optimized.

Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift) and are constructed from a vocabulary of filters and actions.


  • Comprehensive support for public cloud services and resources with a rich library of actions and filters to build policies with.
  • Supports arbitrary filtering on resources with nested boolean conditions.
  • Dry run any policy to see what it would do.
  • Automatically provisions serverless functions and event sources (AWS CloudWatch Events, AWS Config Rules, etc)
  • Cloud provider native metrics outputs on resources that matched a policy
  • Structured outputs into cloud native object storage of which resources matched a policy.
  • Intelligent cache usage to minimize api calls.

Three parts:

Cloud Custodian policies contains 3 parts:

  • Type of resource to run the policy against (eg: EC2)
  • Filters to narrow down the resources (eg: missing a tag)
  • Actions to perform on those filtered resources (eg: stop)


Enable AWS VPC flow logs if disabled

  - name: vpc-flow-log-check
    resource: vpc
      - not:
           - type: flow-logs
             enabled: true
             set-op: or
             op: equal
             traffic-type: all
             log-group: infoservices-VPCFlowLogs
             status: active
      - type: notify
        template: default.html
        priority_header: 1
        subject: "VPC Flow Log(s) Not Setup Properly"
        violation_desc: "The Following Flow Logs Are Invalid:"
        action_desc: "Actions Taken:  Notification Only"
           - blah-support@infoservices.com
           type: sqs
           queue: https://sqs.us-east-1.amazonaws.com/99999999999/info-services-mailer
           region: us-east-1

Delete unencrypted AWS EBS volume:

   - name: delete-unencrypted-ebs
     description: |
       Delete all unencrypted EBS volumes upon creation
     resource: ebs
       type: cloudtrail
         - CreateVolume
       - Encrypted: false
       - delete

Delete Unmanaged Azure disk:

  - name: unmanaged-disk
    resource: azure.disk
      - type: value
        key: managedBy
        value: null
      - type: delete

Sample Commands:

# Validate policy for any errors
custodian validate policy.yml
# Perform dry run without impacting the resources
custodian run --dryrun -s . custodian.yml
# Run policy against multiple regions
custodian run -s out --region us-east-1 --region us-west-1 policy.yml
# Run policy against all applicable regions
custodian run -s out --region all policy.yml
# Enable C7n metrics on AWS
$ custodian run -s output -m aws policy.yml

# Enable C7n metrics on Azure
$ custodian run -s output -m azure policy.yml
# Enable C7n logs to AWS CloudWatch Logs
$ custodian run -s output -l policy.yml

# Enable C7n logs to Azure App Insights Logs
$ custodian run -s output -l policy.yml

Deployment Options:

Continuous Integration of Policies

What Next?

In the next blog installment, we will cover Alert-as-code to see how Python can be used to create alerts on any logs and send notifications to Slack, PagerDuty and others.

Author: Raghavan Madabusi