Simple AWS tag enforcement with Cloud Custodian

Carlos Garcia
3 min read, Feb 6, 2020
Cloud Custodian logo from official website https://cloudcustodian.io/

Resource Groups? They are nice if you are used to Azure. However, when we switch over to AWS… well, if you have any experience with AWS, you know resource groups are dependent upon tags and are not created automatically… unlike Azure. The solution? Automatic tag enforcement with Cloud Custodian!

Cloud Custodian is a neat and compact tool, built in Python, that uses policies to filter resources by given criteria and take an action on the matches (actions range from tagging a resource to terminating it). Simple and powerful, right? The best part is that you can run it either on an instance (for scheduled actions) or as a Lambda function.

For the sake of simplicity and to keep it quick, we'll run Cloud Custodian from an instance (here are the resources needed if you want to create a CloudFormation template):

  • EC2 instance
  • Role & instance profile (the policies should match what you want Cloud Custodian to do; for this example we only need tagging on EC2 resources)
  • The default security group should do the trick

Setup the EC2 with Cloud Custodian

Alright, let's create a new Amazon Linux 2 instance with the default free-tier values (we really don't need a lot of power for this one). If you have an existing security group with SSH enabled, use it; otherwise use the launch wizard default.

Let's SSH into our machine, make sure it's up to date, and make sure Python 3 is installed by running the following command:

sudo yum update -y && sudo yum install python3 -y

Now, with an up-to-date machine with Python and pip installed, we can proceed to install Cloud Custodian:

sudo pip3 install c7n

To confirm that Custodian is all set, run:

custodian -h

Create your first policy

Now we can go ahead and create our first policy. Please note that Custodian policies are YAML files. For this example we are going to create a simple policy that fetches EC2 instances whose Environment tag value is Production and that are missing a Backup tag. For every instance that matches, it will add the tag and the value.

BONUS: this can be paired with some sort of Lambda function to make AMIs of the EC2 instances that carry this tag.

sudo nano backuptags.yml

The above opens a text editor for the new policy file under /home/ec2-user/. For its contents, type the following:

policies:
  - name: missing-prod-backup-tags
    resource: ec2
    description: |
      Add tags to Prod Ec2 instances launched without the tag:Backup and value TRUE.
    filters:
      - and:
          - "tag:Backup": absent
          - type: value
            key: "tag:Environment"
            value: '.*(Production).*'
            op: regex
    actions:
      - type: tag
        key: "Backup"
        value: "TRUE"
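Before scheduling a policy that writes tags across an account, it is worth seeing exactly which instances its filters select. The script below is an added example, not part of the post and not Cloud Custodian's own code: it transcribes the policy above into a Python dict (so it runs without PyYAML) and applies the filter semantics as c7n does them (`and`/`or` lists, the `tag:Name` key shorthand, `absent`, and the `regex` operator, which is `re.match` with `re.IGNORECASE`) to a constructed set of instances shaped like describe-instances output. The sample instance ids and tag values are made up. It also shows one check a practitioner would want: `.*(Production).*` matches an instance tagged Pre-Production too, and the same evaluator run with `^Production$` shows the narrower selection.

```python
import copy
import re

# The post's policy, transcribed from YAML into a dict so no YAML library is needed.
POLICY = {
    "name": "missing-prod-backup-tags",
    "resource": "ec2",
    "filters": [
        {"and": [
            {"tag:Backup": "absent"},
            {"type": "value", "key": "tag:Environment",
             "value": ".*(Production).*", "op": "regex"},
        ]}
    ],
    "actions": [{"type": "tag", "key": "Backup", "value": "TRUE"}],
}

# Constructed sample instances (only the fields this evaluator reads).
INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Environment", "Value": "Production"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "Environment", "Value": "Production"},
                                      {"Key": "Backup", "Value": "TRUE"}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "Environment", "Value": "Development"}]},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "Environment", "Value": "Pre-Production"}]},
    {"InstanceId": "i-0eee", "Tags": []},
]


def tag_value(instance, key):
    """Return the value of tag `key`, or None when the tag is absent."""
    for tag in instance.get("Tags", []):
        if tag["Key"] == key:
            return tag["Value"]
    return None


def resolve_key(instance, key):
    """c7n resolves 'tag:Name' keys to the tag's value; any other key is a top-level field."""
    if key.startswith("tag:"):
        return tag_value(instance, key[4:])
    return instance.get(key)


def matches(instance, flt):
    """Evaluate one filter clause: boolean lists, a value filter, or the tag shorthand."""
    if "and" in flt:
        return all(matches(instance, f) for f in flt["and"])
    if "or" in flt:
        return any(matches(instance, f) for f in flt["or"])
    if flt.get("type") == "value":
        actual = resolve_key(instance, flt["key"])
        op = flt.get("op", "eq")
        if op == "regex":
            # c7n's regex operator: re.match, case-insensitive; non-strings never match
            return isinstance(actual, str) and bool(
                re.match(flt["value"], actual, flags=re.IGNORECASE))
        if op == "eq":
            return actual == flt["value"]
        raise ValueError("operator not modelled in this example: %s" % op)
    # shorthand form, e.g. {"tag:Backup": "absent"} or {"tag:Backup": "present"}
    (key, expected), = flt.items()
    actual = resolve_key(instance, key)
    if expected == "absent":
        return actual is None
    if expected == "present":
        return actual is not None
    return actual == expected


def select(policy, instances):
    """Return the ids of the instances the policy's filters select (top-level filters are ANDed)."""
    return [i["InstanceId"] for i in instances
            if all(matches(i, f) for f in policy["filters"])]


def apply_tag_actions(policy, instances):
    """Apply the policy's tag actions in place and return the ids that were tagged."""
    tagged = []
    for inst in instances:
        if not select(policy, [inst]):
            continue
        for action in policy["actions"]:
            if action["type"] == "tag":
                inst.setdefault("Tags", []).append(
                    {"Key": action["key"], "Value": action["value"]})
        tagged.append(inst["InstanceId"])
    return tagged


def with_environment_regex(policy, pattern):
    """Return a copy of the policy with the Environment regex replaced by `pattern`."""
    new = copy.deepcopy(policy)
    new["filters"][0]["and"][1]["value"] = pattern
    return new


def run_demo():
    """Tag a copy of the sample, then re-select: a second run must find nothing left to tag."""
    working = copy.deepcopy(INSTANCES)
    tagged = apply_tag_actions(POLICY, working)
    return tagged, select(POLICY, working)


if __name__ == "__main__":
    print("post's regex selects:", select(POLICY, INSTANCES))
    print("^Production$ selects:", select(with_environment_regex(POLICY, "^Production$"), INSTANCES))
    print("tagged, then left over:", run_demo())
```

Against the real account the equivalent check is `custodian run --dryrun -s out backuptags.yml`, which logs the matched instances under the output directory without executing the tag action; the evaluator above is only for reasoning about the filter logic offline.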

That's it! Now all we have to do is save the file and either create a script that runs from a cron location or set up a custom cron job.

This is just a very simple vanilla demonstration of the ample uses we can give Cloud Custodian. The possibilities are endless, especially knowing that we can use Lambda functions with CloudWatch Events! I hope this gives you a cool idea of how to implement this for your organization / clients.

Carlos Garcia

AWS Engineer and DevOps dude. Keep it simple and to the point!