Cloud Custodian Useful Policies


Cloud Custodian adds a governance layer to your AWS account: compliance rules, resource monitoring and security checks are written as well-defined YAML policy files, and once you run a policy Cloud Custodian provisions it into AWS and enforces it automatically.

The Cloud Custodian documentation lists a few sample policies, but it still lacks practical examples that really show off the powerful features it supports. Here are some of the policies we created to manage our AWS costs.

Here are a couple of well-tested policies:

1. Tag-based compliance: stop instances if certain tags are absent. Edit the role ARN, replacing the placeholders with your account ID and role name, and make sure the IAM role exists in AWS with all the permissions the policy needs.

policies:
  - name: mandatoryTags
    resource: ec2
    comments: |
      Stop instances if certain tags absent
    mode:
      type: periodic
      schedule: "cron(0/5 * ? * MON-FRI *)"
      role: arn:aws:iam::YOUR-ACCOUNT-ID:role/YOUR-ROLE
    filters:
      - or: [{"tag:TAG1": absent}, {"tag:TAG2": absent}, {"tag:TAG3": absent}]
    actions:
      - stop

2. Scheduled off-hours policy: turn off machines outside office hours. This sample uses the Eastern time zone (et). The periodic schedule fires every minute, but the offhour filter only matches during the 19:00 hour (and the onhour filter during the 07:00 hour), so instances are stopped at 7pm and started at 7am on weekdays.

policies:
  - name: stopoffhour
    resource: ec2
    comments: |
      Daily stoppage at 7pm
    mode:
      type: periodic
      schedule: "cron(0/1 * ? * MON-FRI *)"
      role: arn:aws:iam::YOUR-ACCOUNT-ID:role/YOUR-ROLE
    filters:
      - "tag:OptOut": absent
      - type: offhour
        offhour: 19
        default_tz: et
    actions:
      - stop

  - name: startonhour
    resource: ec2
    mode:
      type: periodic
      schedule: "cron(0/1 * ? * MON-FRI *)"
      role: arn:aws:iam::YOUR-ACCOUNT-ID:role/YOUR-ROLE
    filters:
      - "tag:OptOut": absent
      - type: onhour
        onhour: 7
        default_tz: et
    actions:
      - start
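To sanity-check what these three policies would do before deploying them, here is an added dry-run simulation of their filter logic (my own example, not Cloud Custodian's code): the inventory is constructed, the filter semantics (tag absence, `or` inside a filter, AND between filters, local-hour matching in Eastern time) are re-implemented in plain Python, and the US Eastern DST rule is hand-rolled so the script needs no tzdata.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real AWS data): instance id -> tags.
INSTANCES = {
    "i-0aaa": {"TAG1": "a", "TAG2": "b", "TAG3": "c"},
    "i-0bbb": {"TAG1": "a", "TAG2": "b"},                            # TAG3 missing
    "i-0ccc": {"TAG1": "a", "TAG2": "b", "TAG3": "c", "OptOut": "yes"},
}
MANDATORY = ("TAG1", "TAG2", "TAG3")

def utc(*args):
    """Build a timezone-aware UTC datetime (Lambda's clock is UTC)."""
    return datetime(*args, tzinfo=timezone.utc)

def eastern_offset(now_utc):
    """UTC offset for US Eastern ("et") at now_utc, post-2007 DST rule: EDT (-4h)
    from 02:00 on the 2nd Sunday of March to 02:00 on the 1st Sunday of November,
    EST (-5h) otherwise. Hand-rolled so this example needs no tzdata."""
    def sunday_on_or_after(month, day):
        d = datetime(now_utc.year, month, day, tzinfo=timezone.utc)
        return d + timedelta(days=(6 - d.weekday()) % 7)
    dst_start = sunday_on_or_after(3, 8) + timedelta(hours=7)    # 02:00 EST = 07:00 UTC
    dst_end = sunday_on_or_after(11, 1) + timedelta(hours=6)     # 02:00 EDT = 06:00 UTC
    return timedelta(hours=-4) if dst_start <= now_utc < dst_end else timedelta(hours=-5)

def hour_matches(now_utc, hour):
    """Stand-in for the offhour/onhour filter with default_tz: et. True only during
    local hour `hour` on a weekday (the page's cron schedules run MON-FRI)."""
    local = now_utc.astimezone(timezone(eastern_offset(now_utc)))
    return local.weekday() < 5 and local.hour == hour

def tag_absent(tags, name):
    """Equivalent of the '"tag:NAME": absent' value filter."""
    return name not in tags

def matching_policies(instances, now_utc):
    """Return {instance id: [policy names whose filters all match at now_utc]}."""
    hits = {}
    for iid, tags in instances.items():
        matched = []
        # mandatoryTags: the 'or' block matches when ANY listed tag is absent.
        if any(tag_absent(tags, t) for t in MANDATORY):
            matched.append("mandatoryTags")
        # stopoffhour / startonhour: separate filters in the list are ANDed.
        if tag_absent(tags, "OptOut") and hour_matches(now_utc, 19):
            matched.append("stopoffhour")
        if tag_absent(tags, "OptOut") and hour_matches(now_utc, 7):
            matched.append("startonhour")
        if matched:
            hits[iid] = matched
    return hits

if __name__ == "__main__":
    # Wed 2017-06-14 23:30 UTC is 19:30 EDT, inside the off-hour window.
    print(matching_policies(INSTANCES, utc(2017, 6, 14, 23, 30)))
```

Running it shows the opted-out instance is never touched, while the instance missing TAG3 is caught by both the tag policy and the schedule, which is a quick way to catch an overlapping or mis-timed policy before the role is allowed to stop anything.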


© 2017 JVIT Consulting LLC