Cloud Custodian

Cloud Custodian is an open source tool that combines the dozens of tools and scripts most organizations use to manage their AWS accounts into one. It is a stateless rule engine for policy definition and enforcement, with metrics and detailed reporting for AWS.

Companies can use Custodian to manage their AWS environments by ensuring compliance with security policies and tag policies, garbage-collecting unused resources, and controlling cost through off-hours resource management. Custodian policies are written in simple YAML configuration files that name a resource type and are built from a vocabulary of filters and actions.

Cloud computing has made creating and managing web resources very easy. A user can now spin up quite a few computing, database, and storage resources with the click of a button or the stroke of a return key. However, a user working in a company account is likely to spin up those resources often, for demonstration and testing purposes, without considering the cost or the clutter they create along the way.

Cloud Custodian's feature set has grown rapidly with its popularity because the maintainers respond well to feature requests. It has now reached the point where there is not much in the AWS world that you cannot do with it. Here is a short list of things you might be surprised Cloud Custodian can do:

  1. Encryption
  2. Backups
  3. Garbage Collection
  4. Unused Resources
  5. Tag Compliance
  6. Security group (SG) compliance

Below is a basic example of a custodian.yml file that stops EC2 instances carrying a Custodian tag.

policies:
  - name: stop-instances
    resource: ec2
    filters:
      - "tag:Custodian": present
    actions:
      - stop
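To show more of the filter-and-action vocabulary than the one-liner above, here is a fuller policy file that turns the "Tag Compliance" and "Security group (SG) compliance" items from the list into running rules. It is an added example, not code from the post or from the Cloud Custodian project. The tag names (Owner, c7n_status), the four-day grace period, and the port 22 rule are assumptions chosen for the illustration; the filter and action types (mark-for-op, marked-for-op, remove-tag, ingress, remove-permissions) are Custodian's own.

```yaml
# Added example policy file (not from the original post).
# Assumed conventions: every instance must carry an Owner tag, and
# Custodian records its pending actions in a c7n_status tag.
policies:

  # Tag compliance, step 1: running instances without an Owner tag are
  # marked for a stop four days out instead of being stopped immediately,
  # so the launcher has time to add the tag before anything is enforced.
  - name: ec2-owner-tag-mark
    resource: ec2
    comment: Mark running instances that have no Owner tag for a stop in 4 days
    filters:
      - "State.Name": running
      - "tag:Owner": absent
      - "tag:c7n_status": absent
    actions:
      - type: mark-for-op
        tag: c7n_status
        op: stop
        days: 4

  # Tag compliance, step 2: once the marked date has passed and the tag is
  # still missing, the instance is stopped (not terminated, so data is kept).
  - name: ec2-owner-tag-stop
    resource: ec2
    comment: Stop instances whose mark-for-op grace period has expired
    filters:
      - type: marked-for-op
        tag: c7n_status
        op: stop
      - "tag:Owner": absent
    actions:
      - stop

  # Tag compliance, step 3: an instance that gained an Owner tag during the
  # grace period is un-marked so the stop never fires.
  - name: ec2-owner-tag-unmark
    resource: ec2
    comment: Clear the pending stop on instances that are now tagged
    filters:
      - "tag:c7n_status": present
      - "tag:Owner": present
    actions:
      - type: remove-tag
        tags: [c7n_status]

  # SG compliance: security groups that allow SSH from anywhere have only
  # the matching ingress rule removed; other rules in the group are left intact.
  - name: sg-remove-world-open-ssh
    resource: security-group
    comment: Remove 0.0.0.0/0 ingress on tcp/22 from any security group
    filters:
      - type: ingress
        IpProtocol: tcp
        Ports: [22]
        Cidr:
          value: "0.0.0.0/0"
    actions:
      - type: remove-permissions
        ingress: matched
```

Run it first with `custodian run --dryrun -s out policy.yml`; in dry-run mode Custodian evaluates the filters and writes the matched resources to the output directory without executing any action, which is the quickest way to check that a new filter matches only what you expect before letting it stop instances or edit security groups. The three-step mark, stop, unmark pattern is preferable to a single stop rule because it gives people a visible warning (the c7n_status tag) and a way out (add the tag) rather than surprising them with a stopped instance.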

Cloud Custodian is especially useful for mid-sized to large organizations that give many of their employees access to the organization's AWS account. Such an account quickly becomes cluttered with dozens of CloudFormation stacks, VPCs, old test instances, and Lambda functions.

Cloud Custodian is very well documented; if you are keen to start taking out the digital trash in your AWS account, there is no better place to start.