@vfarcic
Last active February 18, 2023 19:47
# Source: https://gist.github.com/eb3ec8fdb12a91c7c8d3806bd2558eff
####################################################################
# Cloud Custodian - Policies? Resource Management? Something Else? #
# https://youtu.be/AuXWI-Mkz9Q #
####################################################################
# Additional Info:
# - Cloud Custodian: https://cloudcustodian.io
# - eksctl - How to Create and Manage AWS EKS clusters: https://youtu.be/pNECqaxyewQ
# - How to apply policies in Kubernetes using Open Policy Agent (OPA) and Gatekeeper: https://youtu.be/14lGc7xMAe4
# - Kubernetes-Native Policy Management With Kyverno: https://youtu.be/DREjzfTzNpA
# - Admission Controllers Or CLI? Kubernetes Policy Validations with Datree: https://youtu.be/WTh84BPHC4o
#########
# Setup #
#########
# The demo is using AWS.
# If you are using Azure, Google Cloud (GCP), or some other provider, you might need to modify the manifests and commands.
git clone https://github.com/vfarcic/cloud-custodian-demo
cd cloud-custodian-demo
python3 -m venv custodian
source custodian/bin/activate
# The default installation already includes the AWS provider
pip install c7n
# Execute the command that follows only if you are using Azure
pip install c7n_azure
# Execute the command that follows only if you are using Google Cloud (GCP)
pip install c7n_gcp
pip install c7n_kube
# Replace `[...]` with your access key ID
export AWS_ACCESS_KEY_ID=[...]
# Replace `[...]` with your secret access key
export AWS_SECRET_ACCESS_KEY=[...]
export AWS_DEFAULT_REGION=us-east-1
# Please watch https://youtu.be/pNECqaxyewQ if you are not familiar with eksctl
eksctl create cluster --name dot --region $AWS_DEFAULT_REGION \
--nodes-min 1 --nodes-max 10 --nodes 1
kubectl create namespace production
kubectl --namespace production apply --filename k8s/
############################
# Cloud Custodian With AWS #
############################
cat tag-compliance-report.yaml
custodian run --dry-run --output-dir . tag-compliance-report.yaml
cat ec2-tag-compliance/resources.json
custodian run --output-dir . tag-compliance-report.yaml
cat tag-compliance-enforce.yaml
custodian run --output-dir . tag-compliance-enforce.yaml
custodian schema aws
custodian schema aws.ec2
custodian schema aws.ec2.actions.mark-for-op
custodian schema aws.ec2.filters.marked-for-op
cat tag-compliance-instant.yaml
custodian run --output-dir . tag-compliance-instant.yaml \
--cache-period 0
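# The gist only `cat`s its tag-compliance-*.yaml files without showing them. The
# policy file below is an added example (not one of the gist's own files) of the
# report / mark-for-op / marked-for-op pattern the commands above exercise; the
# required tag name "Owner" and the marker tag "c7n_tag_compliance" are assumptions.

```yaml
# Added example policy file; the tag names "Owner" and "c7n_tag_compliance"
# are assumed, not taken from the gist.
policies:
  # Report only: with `custodian run --dry-run` this just writes resources.json
  # listing running EC2 instances that have no Owner tag; no action is taken.
  - name: ec2-tag-compliance
    resource: aws.ec2
    filters:
      - type: value
        key: State.Name
        value: running
      - "tag:Owner": absent

  # Enforcement, step 1: instead of stopping immediately, stamp a marker tag
  # that says "stop in 1 day", giving the owner a grace period to fix the tag.
  - name: ec2-tag-compliance-mark
    resource: aws.ec2
    filters:
      - type: value
        key: State.Name
        value: running
      - "tag:Owner": absent
      - "tag:c7n_tag_compliance": absent   # do not re-stamp already marked instances
    actions:
      - type: mark-for-op
        tag: c7n_tag_compliance
        op: stop
        days: 1

  # Enforcement, step 2: stop only instances whose marker date has passed
  # and that are still missing the Owner tag.
  - name: ec2-tag-compliance-stop
    resource: aws.ec2
    filters:
      - "tag:Owner": absent
      - type: marked-for-op
        tag: c7n_tag_compliance
        op: stop
    actions:
      - stop

  # Housekeeping: instances that were tagged during the grace period get
  # their marker removed so they are never stopped by the policy above.
  - name: ec2-tag-compliance-unmark
    resource: aws.ec2
    filters:
      - "tag:Owner": present
      - "tag:c7n_tag_compliance": not-null
    actions:
      - type: remove-tag
        tags: [c7n_tag_compliance]
```

# Run it with `custodian run --output-dir . <file>` as above; `--cache-period 0`
# forces a fresh resource query so the marker tag written by one policy is seen
# by the next run rather than served from cache.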
###################################
# Cloud Custodian With Kubernetes #
###################################
cat k8s-labels-compliance-instance.yaml
custodian run --output-dir . \
k8s-labels-compliance-instance.yaml --dry-run \
--cache-period 0
custodian run --output-dir . \
k8s-labels-compliance-instance.yaml \
--cache-period 0
kubectl --namespace production get pods
custodian schema k8s
###########
# Destroy #
###########
eksctl delete cluster --name dot --region $AWS_DEFAULT_REGION
chrisswanda commented Feb 18, 2023

I love me some c7n. I have implemented a lot of policies to put guardrails around various services and actions. Some of my favorites are: if someone creates a security group that is open to the world (0.0.0.0/0), it will tag the security group with the creator's name, then send out a Slack message and email to a group and to that individual shaming them. Same thing with launching EC2 instances that are not tag compliant; I'll tag them with the creator's name, then shut their EC2 instance down in 1 day until they tag it correctly, while shaming them on Slack and email.

Another policy monitors CloudTrail to monitor if anyone logs in with AWS root credentials, and it emails our security team along with pinging the DevOps channels.

The only negative is there are no webhooks native to Teams, but you can just do a generic webhook with a json body to it. https://gist.github.com/chrisswanda/4770d59ac0c90fb403a9b6ad4f224174

c7n is great.
