Getting CloudCustodian Up and Running

Getting CloudCustodian Up and Running

Picking up from my previous post, Tagging and Governance in the Cloud, wrangling AWS accounts and forming a standard going forward can be an intense process. To alleviate some of that burden, you can use c7n-org from CloudCustodian which allows you to run the Custodian policies against multiple accounts. We’ll focus on AWS here, but Microsoft Azure and Google Cloud Platform are also supported. Let’s get into a quick setup.

First, we’ll assume we’re running a Linux instance; in this case it’s an Amazon Linux 2 AMI. Then we’ll install python, pip, CloudCustodian, and c7n-org. While you could install CloudCustodian using pip install c7n & pip install c7n-org, I’m going to show how to pull from GitHub. Note: some subcommands for c7n-org don’t currently work.

yum install python37 -y
yum install python-pip -y
yum install git -y
pip install botocore –upgrade
pip install boto3 –upgrade
git clone https://github.com/capitalone/cloud-custodian
cd cloud-custodian
make install
source bin/activate
cd tools/c7n_org
python setup.py develop

Once installed, the next step for c7n-org is to configure your accounts.yml, which defines your account information and determines which roles have access to subaccounts. If you’re using AWS Organization, Azure Resource Management, or GCP Resource Management, you can easily run some of the premade script from within the c7n_org/scripts folder to generate the file. For AWS, it’s similar to below:


accounts:
- account_id: '012345678912'
  name: MyAWSAccount
  regions:
    - ap-northeast-1
    - ap-northeast-2
    - ap-south-1
    - ap-southeast-1
    - ap-southeast-2
    - ca-central-1
    - eu-central-1
    - eu-west-1
    - eu-west-2
    - sa-east-1
    - us-east-1
    - us-east-2
    - us-west-1
    - us-west-2
  role: arn:aws:iam::012345678912:role/CloudCustodianRole
  tags:
    - type:Production

- account_id: '123456789123'
  name: MyAWS2ndAccount
  regions:
    - ap-northeast-1
    - ap-northeast-2
    - ap-south-1
    - ap-southeast-1
    - ap-southeast-2
    - ca-central-1
    - eu-central-1
    - eu-west-1
    - eu-west-2
    - sa-east-1
    - us-east-1
    - us-east-2
    - us-west-1
    - us-west-2
  role: arn:aws:iam::123456789123:role/CloudCustodianRole
  tags:
    - type:Development

As shown, it’s a fairly quick install to get CloudCustodian and c7n-org running. In a future post, we’ll wrap it up by giving our policies a test across accounts and running it through an automate pipeline. In the meantime we at Anexinet have years of experience working with cloud platforms—in governance, compute, devops, and much more. We’d love to help you on your cloud journey, so please don’t hesitate to reach out with any questions or concerns.

 

Related Content

Reasons Why SQL Server Database Views Lead to Better Reporting

Moving SQL to the Cloud? What to Choose?

Read More →
Lenses of the Well Architected Framework

The Lenses of the AWS Well Architected Framework

Read More →

When Encryption Goes Wrong and RDS is Inaccessible

Read More →
Advantages of Azure Automation

Help, I’m locked out of Azure!

Read More →
by John Kovolski
Share on

Facebook sharing Linkedin sharing button Twitter sharing button