Last active February 18, 2023 19:47
# Source: https://gist.github.com/eb3ec8fdb12a91c7c8d3806bd2558eff
####################################################################
# Cloud Custodian - Policies? Resource Management? Something Else? #
# https://youtu.be/AuXWI-Mkz9Q                                     #
####################################################################
# Additional Info:
# - Cloud Custodian: https://cloudcustodian.io
# - eksctl - How to Create and Manage AWS EKS clusters: https://youtu.be/pNECqaxyewQ
# - How to apply policies in Kubernetes using Open Policy Agent (OPA) and Gatekeeper: https://youtu.be/14lGc7xMAe4
# - Kubernetes-Native Policy Management With Kyverno: https://youtu.be/DREjzfTzNpA
# - Admission Controllers Or CLI? Kubernetes Policy Validations with Datree: https://youtu.be/WTh84BPHC4o
#########
# Setup #
#########
# The demo is using AWS.
# If you are using Azure, Google Cloud (GCP), or some other provider, you might need to modify the manifests and commands.
git clone https://github.com/vfarcic/cloud-custodian-demo
cd cloud-custodian-demo
python3 -m venv custodian
source custodian/bin/activate
# The default installation already includes the AWS provider
pip install c7n
# Execute the command that follows only if you are using Azure
pip install c7n_azure
# Execute the command that follows only if you are using Google Cloud (GCP)
pip install c7n_gcp
pip install c7n_kube
# Replace `[...]` with your access key ID
export AWS_ACCESS_KEY_ID=[...]
# Replace `[...]` with your secret access key
export AWS_SECRET_ACCESS_KEY=[...]
export AWS_DEFAULT_REGION=us-east-1
# Please watch https://youtu.be/pNECqaxyewQ if you are not familiar with eksctl
eksctl create cluster --name dot --region $AWS_DEFAULT_REGION \
    --nodes-min 1 --nodes-max 10 --nodes 1
kubectl create namespace production
kubectl --namespace production apply --filename k8s/
############################
# Cloud Custodian With AWS #
############################
cat tag-compliance-report.yaml
custodian run --dry-run --output-dir . tag-compliance-report.yaml
cat ec2-tag-compliance/resources.json
custodian run --output-dir . tag-compliance-report.yaml
cat tag-compliance-enforce.yaml
custodian run --output-dir . tag-compliance-enforce.yaml
custodian schema aws
custodian schema aws.ec2
custodian schema aws.ec2.actions.mark-for-op
custodian schema aws.ec2.filters.marked-for-op
cat tag-compliance-instant.yaml
custodian run --output-dir . tag-compliance-instant.yaml \
    --cache-period 0
###################################
# Cloud Custodian With Kubernetes #
###################################
cat k8s-labels-compliance-instance.yaml
custodian run --output-dir . \
    k8s-labels-compliance-instance.yaml --dry-run \
    --cache-period 0
custodian run --output-dir . \
    k8s-labels-compliance-instance.yaml \
    --cache-period 0
kubectl --namespace production get pods
custodian schema k8s
###########
# Destroy #
###########
eksctl delete cluster --name dot --region $AWS_DEFAULT_REGION
I love me some c7n. I have implemented a lot of policies to put guardrails around various services and actions. Some of my favorites are: if someone creates a security group that is open to the world (0.0.0.0/0), it will tag the security group with the creator's name, then send out a Slack message and email to a group and to that individual shaming them. Same thing with launching EC2 instances that are not tag compliant; I'll tag them with the creator's name, then shut their EC2 instance down in 1 day until they tag it correctly, while shaming them on Slack and email.
Another policy monitors CloudTrail to monitor if anyone logs in with AWS root credentials, and it emails our security team along with pinging the DevOps channels.
The only negative is there are no webhooks native to Teams, but you can just do a generic webhook with a JSON body to it. https://gist.github.com/chrisswanda/4770d59ac0c90fb403a9b6ad4f224174
c7n is great.
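The gist runs `tag-compliance-report.yaml` and `tag-compliance-enforce.yaml` without showing their contents, and the comment above describes the same mark-then-stop-after-1-day workflow. The policy set below is an added example written for this page, not a file from the vfarcic/cloud-custodian-demo repository: it assumes `Owner` and `Environment` are the required tags and uses a marker tag named `c7n_tag_compliance` (both names are this example's choices). It covers the edge case the two-policy demo leaves open, an instance that is tagged correctly before the deadline, by unmarking it so it is never stopped.

```yaml
# Added example: grace-period tag compliance for EC2 with Cloud Custodian.
# Run with `custodian run --dry-run --output-dir . <file>` first and inspect
# <policy-name>/resources.json before running without --dry-run.
policies:
  # 1. Report + mark: running instances missing a required tag get a marker
  #    tag that records the scheduled operation (stop) and its deadline.
  - name: ec2-tag-compliance-mark
    resource: aws.ec2
    description: Mark running instances that lack Owner or Environment tags
    filters:
      - "State.Name": running
      - or:
          - "tag:Owner": absent
          - "tag:Environment": absent
      - "tag:c7n_tag_compliance": absent      # do not re-mark already marked instances
    actions:
      - type: mark-for-op
        tag: c7n_tag_compliance
        op: stop
        days: 1
        msg: "Missing required tags (Owner, Environment): {op}@{action_date}"

  # 2. Unmark: instances fixed before the deadline must not be stopped.
  - name: ec2-tag-compliance-unmark
    resource: aws.ec2
    description: Remove the marker from instances that are now compliant
    filters:
      - "tag:c7n_tag_compliance": not-null
      - "tag:Owner": not-null
      - "tag:Environment": not-null
    actions:
      - type: remove-tag
        tags: [c7n_tag_compliance]

  # 3. Enforce: only instances whose marker deadline has passed are stopped.
  #    marked-for-op parses the date written by mark-for-op and matches
  #    when it is at or before now, so running this daily is safe.
  - name: ec2-tag-compliance-enforce
    resource: aws.ec2
    description: Stop instances whose tag-compliance grace period has expired
    filters:
      - type: marked-for-op
        tag: c7n_tag_compliance
        op: stop
    actions:
      - stop
```

Order matters when the three run in one invocation: unmark runs before enforce so a freshly fixed instance is cleared rather than stopped.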