Picking up from my previous post, Tagging and Governance in the Cloud, wrangling AWS accounts and forming a standard going forward can be an intense process. To alleviate some of that burden, you can use c7n-org from Cloud Custodian, which lets you run your Custodian policies against multiple accounts (and multiple regions in each) in a single run. We’ll focus on AWS here, but Microsoft Azure and Google Cloud Platform are also supported. Let’s get into a quick setup.
First, we’ll assume we’re running a Linux instance; in this case it’s an Amazon Linux 2 AMI. Then we’ll install Python, pip, Cloud Custodian, and c7n-org. While you could install Cloud Custodian with pip install c7n and pip install c7n-org, I’m going to show how to pull from GitHub. Note: some subcommands for c7n-org don’t currently work.
# Amazon Linux 2: Python 3, pip, and git
yum install python37 -y
yum install python-pip -y
yum install git -y
# Bring the AWS SDK up to date (the flag is --upgrade, two hyphens)
pip install botocore --upgrade
pip install boto3 --upgrade
# Pull Cloud Custodian from GitHub; make install builds a virtualenv inside the checkout,
# which is what source bin/activate enters
git clone https://github.com/capitalone/cloud-custodian
cd cloud-custodian
make install
source bin/activate
# Install c7n-org into that same virtualenv in develop mode
cd tools/c7n_org
python setup.py develop
Once installed, the next step for c7n-org is to configure accounts.yml, which lists each account to run against, the regions to cover in it, and the IAM role c7n-org assumes in that account. Two things have to line up for this to work: the credentials you run c7n-org with must be allowed to sts:AssumeRole into each listed role, and each role’s trust policy must name that principal. Keep the role’s permissions to what your policies actually need; it is assumed in every account you list, so an over-broad role turns the box running c7n-org into an organization-wide admin. If you’re using AWS Organizations, Azure Resource Manager, or GCP Resource Manager, you can run the premade scripts in the tools/c7n_org/scripts folder (orgaccounts.py for AWS) to generate the file. For AWS, it looks similar to below:
accounts:
- account_id: '012345678912'
  name: MyAWSAccount
  regions:
  - ap-northeast-1
  - ap-northeast-2
  - ap-south-1
  - ap-southeast-1
  - ap-southeast-2
  - ca-central-1
  - eu-central-1
  - eu-west-1
  - eu-west-2
  - sa-east-1
  - us-east-1
  - us-east-2
  - us-west-1
  - us-west-2
  role: arn:aws:iam::012345678912:role/CloudCustodianRole
  tags:
  - type:Production
- account_id: '123456789123'
  name: MyAWS2ndAccount
  regions:
  - ap-northeast-1
  - ap-northeast-2
  - ap-south-1
  - ap-southeast-1
  - ap-southeast-2
  - ca-central-1
  - eu-central-1
  - eu-west-1
  - eu-west-2
  - sa-east-1
  - us-east-1
  - us-east-2
  - us-west-1
  - us-west-2
  role: arn:aws:iam::123456789123:role/CloudCustodianRole
  tags:
  - type:Development
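Hand-editing a file like this across dozens of accounts is where mistakes creep in, and the one that matters most is a role ARN pasted under the wrong account_id, which makes c7n-org assume a role somewhere you did not intend. The following is an added example (my own code, not c7n-org’s orgaccounts.py) that builds the file in the layout shown above and checks an existing one for that mismatch, duplicate accounts, malformed regions and tags. The role name CloudCustodianRole, the default region list and the two sample accounts are assumptions for the example; the accounts_from_organizations function is the only part that talks to AWS and needs organizations:ListAccounts in the management account.

```python
"""Build and sanity-check a c7n-org accounts.yml (added example, not c7n-org's own code)."""
import re
from typing import Dict, List, Optional

# Assumptions for this example: the same role name is deployed in every account and
# a fixed region list is used; both are parameters so they can be changed.
ROLE_NAME = "CloudCustodianRole"
DEFAULT_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")


def build_account_entry(account: Dict, role_name: str = ROLE_NAME,
                        regions: Optional[List[str]] = None) -> Dict:
    """One accounts.yml entry. The role ARN is derived from the account id, so a
    generated entry can never point at a role in a different account."""
    account_id = str(account["account_id"])
    return {
        "account_id": account_id,
        "name": account["name"],
        "regions": list(regions or DEFAULT_REGIONS),
        "role": f"arn:aws:iam::{account_id}:role/{role_name}",
        "tags": list(account.get("tags", [])),
    }


def build_accounts_config(accounts: List[Dict], role_name: str = ROLE_NAME,
                          regions: Optional[List[str]] = None) -> Dict:
    return {"accounts": [build_account_entry(a, role_name, regions) for a in accounts]}


def validate_accounts_config(config: Dict) -> List[str]:
    """Return the problems found in a (possibly hand-edited) config; empty means clean.
    The key check: the account segment of each role ARN must equal account_id."""
    problems: List[str] = []
    seen = set()
    for entry in config.get("accounts", []):
        account_id = str(entry.get("account_id", ""))
        label = entry.get("name") or account_id or "<unnamed>"
        if not ACCOUNT_ID_RE.match(account_id):
            problems.append(f"{label}: account_id must be a 12-digit string")
        if account_id in seen:
            problems.append(f"{label}: duplicate account_id {account_id}")
        seen.add(account_id)
        match = ROLE_ARN_RE.match(str(entry.get("role", "")))
        if not match:
            problems.append(f"{label}: role is not an IAM role ARN")
        elif match.group(1) != account_id:
            problems.append(f"{label}: role ARN belongs to account {match.group(1)}, not {account_id}")
        if not entry.get("regions"):
            problems.append(f"{label}: no regions listed")
        for region in entry.get("regions", []):
            if not REGION_RE.match(str(region)):
                problems.append(f"{label}: unrecognised region format {region!r}")
        for tag in entry.get("tags", []):
            if ":" not in str(tag):
                problems.append(f"{label}: tag {tag!r} is not key:value")
    return problems


def to_yaml(config: Dict) -> str:
    """Emit the layout c7n-org reads. Written by hand to avoid a PyYAML dependency;
    account names are assumed to be plain words that need no quoting."""
    lines = ["accounts:"]
    for entry in config["accounts"]:
        lines.append(f"- account_id: '{entry['account_id']}'")  # quoted to keep leading zeros
        lines.append(f"  name: {entry['name']}")
        lines.append("  regions:")
        lines.extend(f"  - {region}" for region in entry["regions"])
        lines.append(f"  role: {entry['role']}")
        if entry["tags"]:
            lines.append("  tags:")
            lines.extend(f"  - {tag}" for tag in entry["tags"])
    return "\n".join(lines) + "\n"


def accounts_from_organizations(role_name: str = ROLE_NAME,
                                regions: Optional[List[str]] = None) -> Dict:
    """Live path: list ACTIVE accounts through AWS Organizations (needs credentials
    with organizations:ListAccounts; not exercised offline). Suspended accounts are skipped."""
    import boto3  # only needed here
    org = boto3.client("organizations")
    accounts = []
    for page in org.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            if acct["Status"] == "ACTIVE":
                accounts.append({"account_id": acct["Id"], "name": acct["Name"]})
    return build_accounts_config(accounts, role_name, regions)


# Constructed sample input standing in for the Organizations listing.
SAMPLE_ACCOUNTS = [
    {"account_id": "012345678912", "name": "MyAWSAccount", "tags": ["type:Production"]},
    {"account_id": "123456789123", "name": "MyAWS2ndAccount", "tags": ["type:Development"]},
]

if __name__ == "__main__":
    config = build_accounts_config(SAMPLE_ACCOUNTS)
    for problem in validate_accounts_config(config):
        print("problem:", problem)
    print(to_yaml(config), end="")
```

Run it with no arguments to print the two-account file from the constructed sample; to check a file someone has edited by hand, load it with any YAML parser and pass the resulting dict to validate_accounts_config before you point c7n-org at it.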
As shown, it’s a fairly quick install to get Cloud Custodian and c7n-org running. In a future post, we’ll wrap it up by testing our policies across accounts and running them through an automated pipeline. In the meantime, we at Anexinet have years of experience working with cloud platforms—in governance, compute, devops, and much more. We’d love to help you on your cloud journey, so please don’t hesitate to reach out with any questions or concerns.