- What is Cloud Custodian?
- Cloud Custodian Learning Resources
- Solution Overview
- What does each control do?
- What does a Cloud Custodian policy contain?
- How do I deploy a cloud custodian policy?
Cloud Custodian enables users to be well managed in the cloud. The simple YAML DSL allows you to easily define rules to enable a well-managed cloud infrastructure, that's both secure and cost optimized. It consolidates many of the ad-hoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
Cloud Custodian can provide real-time compliance by actively enforcing the security policies you define.
Cloud Custodian is open source.
- Cloud Custodian Overview
- Cloud Custodian Documentation
- Cloud Custodian GitHub
- Cloud Custodian Gitter
- Cloud Custodian AWS Reference
This solution uses Cloud Custodian to create Responsive Controls and Detective Controls. Each responsive control consists of an AWS Lambda Function, a CloudWatch Event Rule, and an AWS Lambda Permission. Together, they respond to events in the AWS account and act to uphold compliance standards.
Each responsive control is unique. Depending on the AWS Service being monitored and the CloudWatch Event Rule, different actions will need to occur. Here's an example workflow of a responsive control:
- An API call is made in the account.
- The responsive control (CloudWatch Event Rule) is triggered and the Lambda function is initiated.
- The Lambda function code determines resource compliance.
- If the compliance check fails, the Lambda function runs the actions defined in the policy.
- It sends the result to the SNS topic.
Each detective control is unique. Depending on the AWS Service being monitored and the CloudWatch Event Rule, different actions will need to occur. Here's an example workflow of a detective control:
- An API call is made in the account.
- The detective control (CloudWatch Event Rule) is triggered and the Lambda function is initiated.
- The Lambda function code determines resource compliance.
- Whether the compliance check fails or succeeds, the Lambda function forwards the result to the Config Rule.
- The user can view the AWS Config Rule console to determine the compliance of their service resources.
5a. Name, Resource and Description
These fields give the overview of the Cloud Custodian policy: name and description identify and document the control, and resource defines which AWS service will be monitored/reported on.
Sample:
```yaml
name: s3-bucket-encryption
resource: aws.s3
description: >
  Event: CreateBucket. Compliance: Bucket Encryption. Remediation: Delete
```
5b. Mode
The "Mode" defines how Cloud Custodian will deploy/run the policy. For responsive controls, we'll use type: cloudtrail. This mode creates a CloudWatch Event Rule and a Lambda Function: the CloudWatch Event Rule listens for the CloudTrail API calls (the "events" you specify in the policy) and triggers the Lambda function. Lambda function properties (timeout, delay, tags) can be defined here.
Sample:
```yaml
mode:
  type: cloudtrail
  events:
    - CreateBucket
  role: "arn:aws:iam::{account_id}:role/custodian-responsivecontrol-role"
  timeout: 200
  delay: 20
  tags:
    CostCenter: abc
    __Exception-LambdaEncryption: "0123456789"
```
5c. Filters
Filters determine whether the monitored resource is "compliant." Each Cloud Custodian AWS Resource will have different filters to utilize.
Sample:
```yaml
filters:
  - and:
      - type: bucket-encryption
        state: false
      - "tag:__Exception-S3Encryption": absent
```
5d. Actions
The actions available to you are dependent on the AWS resource being monitored. For Responsive Controls, we'll usually delete and notify. In the sample below, we are sending a report to an SNS topic.
Sample:
```yaml
actions:
  - type: delete
    remove-contents: false
  - type: notify
    to:
      - "arn:aws:sns:us-east-1:{account_id}:{topic-name}"
    Subject: "Bucket NONCOMPLIANT"
    Message: "encryption not enabled"
    transport:
      type: sns
      topic: "{topic-name}"
```
This solution assumes that you already have an IAM role created (e.g. custodian_detective_role and/or custodian_responsive_role) with permissions to all resources, or with fine-grained permissions for better security.
It also assumes that you have an SNS topic created for notifications from responsive controls. The topic ARN and topic name will need to be inserted into the custodian policies.
Here is the quickest and simplest way to deploy a Cloud Custodian policy:
- Create a Python virtual environment
- Activate the virtual environment
- Install c7n
```shell
python3 -m venv .env
source .env/bin/activate
python3 -m pip install c7n
```
- Choose a control, for example d_dms_public_access.yaml
- Update the custodian policy for that control to include your {account id}, {role name} and {topic name}
- Run the following CLI command:
```shell
custodian run detective_controls/d_dms_public_access.yaml --output-dir .
```
This will create the AWS resources required for the detective control (Lambda function, CloudWatch Event Rule, Config rule).
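As a worked example added here (not code from the original page or from the Cloud Custodian project), the four policy fragments from the policy section are assembled into one responsive-control policy and run through a small pre-deployment check that covers the placeholder-replacement step above: it flags any {account_id}/{topic-name} placeholder still present, a cloudtrail mode with no events (the Lambda would never fire), and a delete action that has no tag:__Exception-* absent filter to exempt individual resources. The policy is held as a Python dict rather than YAML so the script runs without PyYAML; the set of actions treated as destructive and the example account id and topic name are assumptions.

```python
"""Pre-deployment checks for a Cloud Custodian responsive-control policy.
Added example; not part of the original page or the Cloud Custodian project."""
import re
from typing import Any, Dict, Iterator, List

# The page's sample fragments assembled into one policy; the {account_id}
# and {topic-name} placeholders are left exactly as the page shows them.
SAMPLE_POLICY: Dict[str, Any] = {
    "name": "s3-bucket-encryption",
    "resource": "aws.s3",
    "description": "Event: CreateBucket. Compliance: Bucket Encryption. Remediation: Delete",
    "mode": {
        "type": "cloudtrail",
        "events": ["CreateBucket"],
        "role": "arn:aws:iam::{account_id}:role/custodian-responsivecontrol-role",
        "timeout": 200,
        "delay": 20,
        "tags": {"CostCenter": "abc", "__Exception-LambdaEncryption": "0123456789"},
    },
    "filters": [
        {"and": [
            {"type": "bucket-encryption", "state": False},
            {"tag:__Exception-S3Encryption": "absent"},
        ]},
    ],
    "actions": [
        {"type": "delete", "remove-contents": False},
        {"type": "notify",
         "to": ["arn:aws:sns:us-east-1:{account_id}:{topic-name}"],
         "Subject": "Bucket NONCOMPLIANT",
         "Message": "encryption not enabled",
         "transport": {"type": "sns", "topic": "{topic-name}"}},
    ],
}

PLACEHOLDER = re.compile(r"\{[A-Za-z_-]+\}")   # matches {account_id}, {topic-name}, ...
DESTRUCTIVE_ACTIONS = {"delete", "terminate"}  # assumption: actions that remove resources


def _strings(node: Any) -> Iterator[str]:
    """Yield every string scalar in a nested dict/list policy document."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)
    elif isinstance(node, str):
        yield node


def _leaf_filters(filters: List[Any]) -> Iterator[Dict[str, Any]]:
    """Yield leaf filters, descending through and/or/not combinators."""
    for flt in filters:
        if isinstance(flt, dict) and len(flt) == 1:
            key, value = next(iter(flt.items()))
            if key in ("and", "or", "not"):
                yield from _leaf_filters(value if isinstance(value, list) else [value])
                continue
        if isinstance(flt, dict):
            yield flt


def unresolved_placeholders(policy: Dict[str, Any]) -> List[str]:
    """Placeholders still present anywhere in the policy, unique and sorted."""
    return sorted({ph for text in _strings(policy) for ph in PLACEHOLDER.findall(text)})


def has_exception_tag_filter(policy: Dict[str, Any]) -> bool:
    """True if some filter requires a tag:__Exception-* tag to be absent."""
    for flt in _leaf_filters(policy.get("filters", [])):
        for key, value in flt.items():
            if key.startswith("tag:__Exception") and value == "absent":
                return True
    return False


def check_policy(policy: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the policy is ready to deploy."""
    problems: List[str] = []
    mode = policy.get("mode", {})
    if mode.get("type") == "cloudtrail" and not mode.get("events"):
        problems.append("cloudtrail mode lists no events, so the Lambda would never fire")
    action_types = {action.get("type") for action in policy.get("actions", [])}
    for action in sorted(action_types & DESTRUCTIVE_ACTIONS):
        if not has_exception_tag_filter(policy):
            problems.append(f"destructive action '{action}' has no tag:__Exception-* absent filter")
    for placeholder in unresolved_placeholders(policy):
        problems.append(f"unresolved placeholder {placeholder}")
    return problems


def resolve_placeholders(node: Any, values: Dict[str, str]) -> Any:
    """Return a copy of the policy with {name} placeholders replaced from values."""
    if isinstance(node, dict):
        return {key: resolve_placeholders(value, values) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve_placeholders(value, values) for value in node]
    if isinstance(node, str):
        return PLACEHOLDER.sub(lambda m: values.get(m.group(0)[1:-1], m.group(0)), node)
    return node


if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY))  # reports the two unresolved placeholders
    # The account id and topic name below are constructed example values.
    ready = resolve_placeholders(SAMPLE_POLICY, {"account_id": "123456789012", "topic-name": "custodian-alerts"})
    print(check_policy(ready))  # []
```

Run it before `custodian run` as a guard against deploying a policy that still carries placeholders or that deletes resources with no per-resource exception tag; it complements `custodian validate`, which checks the policy against the c7n schema but not against these operational conventions.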