{"id":13820664,"url":"https://github.com/GSA/devsecops-cloud-custodian-rules","last_synced_at":"2025-05-16T10:31:58.000Z","repository":{"id":137793305,"uuid":"104910562","full_name":"GSA/devsecops-cloud-custodian-rules","owner":"GSA","description":"[WORK IN PROGRESS] A repo containing rule sets for cloud-custodian inside GSA AWS accounts. This repo does not contain cloud-custodian itself.","archived":true,"fork":false,"pushed_at":"2017-12-04T17:47:53.000Z","size":17,"stargazers_count":30,"open_issues_count":0,"forks_count":12,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-08-05T08:09:13.302Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GSA.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-09-26T16:30:03.000Z","updated_at":"2023-01-28T16:46:56.000Z","dependencies_parsed_at":null,"dependency_job_id":"f8b359e9-503f-4855-9972-d1f51f5549a7","html_url":"https://github.com/GSA/devsecops-cloud-custodian-rules","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GSA%2Fdevsecops-cloud-custodian-rules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GSA%2Fdevsecops-cloud-custodian-rules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GSA%2Fdevsecops-cloud-custodian-rules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/GSA%2Fdevsecops-cloud-custodian-rules/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GSA","download_url":"https://codeload.github.com/GSA/devsecops-cloud-custodian-rules/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225423658,"owners_count":17472160,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T08:01:06.866Z","updated_at":"2024-11-19T20:30:54.046Z","avatar_url":"https://github.com/GSA.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"# devsecops-cloud-custodian-rules\nA repo containing rule sets for cloud-custodian inside GSA AWS accounts. This repo does not contain cloud-custodian itself.\n\n## What is this\nCloud Custodian is a tool that unifies the dozens of tools and scripts most organizations use for managing their AWS\naccounts into one open source tool. It’s a stateless rules engine for policy definition and enforcement, with metrics and reporting for AWS.\n\nhttp://www.capitalone.io/cloud-custodian/docs/\nhttps://github.com/capitalone/cloud-custodian\n\n## What's here\nSee `/policies/operational` for rules that take actions (e.g. stop/start instances, block creation of non-compliant resources, automate encryption/backups).\nSee `/policies/compliance` for rules that verify compliance (e.g. 
users with console access have MFA enabled, resources are tagged appropriately, encryption/backups are configured).\n\n## Use Cases\nCost Savings:\n* Resource Off Hours: Easy way to cut expenses by turning resources on/off on an automated schedule.\n* Resource Resizing: Ability to automatically resize resources based on metrics over time.\n* Garbage Collection: Automatic notifications and removal of stale and unused resources.\n\nCompliance:\n* Encryption: Verify and enforce encryption across numerous resources.\n* Backups: Performs automated snapshots of servers and databases.\n* Tag Enforcement: Proper tags are necessary for resource support and tracking.\n* Security: Puts up automated safeguards to detect, remediate, and notify customers of non-compliant actions.\n* Standards: Ensure certain standards are used with consistency across all managed AWS accounts.\n\nExamples:\n* Verifies CloudTrail Logging is enabled and configured properly\n* Verifies Network Logging is enabled and configured properly\n* Verifies Root user’s access keys have been deleted\n* Verifies MFA Token has been applied to Root user\n* Verifies proper IAM password policy is enforced for users\n\n## Getting Started\nCloud Custodian requires [python, pip, virtualenv](https://virtualenv.pypa.io/en/stable/installation/) on the client machine, or it can be run [with docker using `docker exec` or `docker run`](https://github.com/capitalone/cloud-custodian/blob/master/Dockerfile).\n\n```\n$ virtualenv --python=python2 custodian\n$ source custodian/bin/activate\n(custodian) $ pip install c7n awscli\n(custodian) $ aws configure\n\n# Validate the policy file syntax\n(custodian) $ custodian validate test.yml\n\n# Perform a dryrun on the policies (no actions executed) to see what would change\n(custodian) $ custodian run --dryrun -s out test.yml\n\n# Run the policy\n(custodian) $ custodian run -s out some/policy.yml\n```\n\u003eNote: you can create an IAM user/role using the `security audit` role if you are only using rules under 
`policies/compliance`.\nIf you plan to use Cloud Custodian to enforce rules as Lambda functions triggered from CloudTrail, or to perform actions on resources (e.g. turn on encryption/backups, resize/start/stop resources), that IAM user/role will need `FullAccess` for those resources, scoped using least-privilege principles to only the resources managed by Cloud Custodian.\n\n## Concepts\n```\nname: Name for the policy\nresource: Which resource type to check (ec2, rds, ebs, etc.; 100+ supported)\ndescription: |\n    Brief statement of what the policy does\nmode: How the policy will be executed (event: API triggered; periodic: cron scheduled; config: Config change triggered; omit mode for manual runs)\nfilters: Narrow down resource matches with 1 or more of these (see Filters below)\nactions: What to do with the resulting resource set (notify by email/sns/webhook, or perform an operation: `mark-for-op`, stop, start, terminate, tag, resize, etc.)\n```\n\n## Filters\n\n* Operator matching (in, not-in, absent, not-null, gte, regex, etc.)\n* Arbitrary nesting of filters with ‘or’ and ‘and’ blocks.\n* Simple key/value pairs are equality matches with value expressions.\n\n`regex` filters use JMESPath expressions: http://jmespath.org/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGSA%2Fdevsecops-cloud-custodian-rules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FGSA%2Fdevsecops-cloud-custodian-rules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGSA%2Fdevsecops-cloud-custodian-rules/lists"}