This repo is meant to house some example Cloud Custodian policies that are in use by Code42 as of this writing. While we hope these examples drive value for you and your organization, it is important to note that these policies may need to be tuned to your specifc environments needs. We are not currently accepting PRs at this time but wanted to share with the community.
It is important to understand how the Cloud Custodian works, please refer to the documentation in the support resources section, specifically the
getting started guide and the
code42 custodian blog post may be the most helpful if this is new material.
Once you're ready for policies, you may clone this repo and begin working with the contents! Note, these policies will need to be tuned to your specific needs, they are not applicable or tuned for all enviroments.
Some specific callouts to make it easier to work with these files:
There are several variables that are capitalized throughout, some include
MESSAGEQUEUENAME, BUCKETNAME, and REQUIREDTAGS These should be substituted and variablized to your environment needs.
This specific option is used to send the cusotdian run log and resources log to an s3 bucket. The data in the s3 bucket may be ingested by SIEM or other tools for customized metrics and data visualization.
Note, there are other ways to ingest these files that can be found in the
custodian reporting features link below
Here you can see the configuration in how we use SQS to send to directly to SLACK. This actually sends the content of the "resources.json.gz" file directly into a slack channel. This option requires you to create a message queue that is used by the Custodian to send to slack. We speak more about the logs/metrics file contents in our blog post below.