AWS Config, Cloud Custodian, or Both?

Aditya Nama
6 min read · Jan 4, 2023


By the end of this blog, you will understand the similarities and differences between AWS Config and Cloud Custodian, allowing you to decide which tool to use or how to use both of them together.

What are they?

AWS Config: It is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It provides you with an inventory of your AWS resources and the relationships between them, as well as historical data for resource configurations. You can use this information to identify and troubleshoot issues, as well as ensure compliance with internal policies and external regulations.

Pros:

  • Fully managed service: AWS Config is a fully managed service, which means that it is easy to set up and requires minimal maintenance.
  • Comprehensive resource inventory: AWS Config provides a comprehensive inventory of your AWS resources and their configurations, which can be useful for troubleshooting and identifying issues.
  • Historical data: AWS Config maintains a history of resource configurations, which can be useful for auditing and compliance purposes.

Cons:

  • Cost: AWS Config charges per configuration item recorded and per rule evaluation, so recording every resource type in every region can add up quickly.
  • Limited customization: the AWS managed rules cover common checks but are fixed in what they evaluate. You can write custom rules (as Lambda functions or Guard policies), but that is considerably more work than a Custodian filter, and a Config rule only reports compliance; any remediation has to be wired up separately (for example through Systems Manager Automation).

Cloud Custodian: It is an open-source rules engine (written in Python, with AWS, Azure and GCP support) for managing cloud resources in an automated and secure way. A policy names a resource type, a set of filters that select resources, and a set of actions applied to the matches, plus an optional mode that decides whether it runs on demand, on a schedule, on CloudTrail events, or as a Config rule. You can use Cloud Custodian to automate tasks such as turning off non-production instances during off-hours, deleting stale resources, and enforcing security and compliance controls.

Pros:

  • Automation: Cloud Custodian allows you to automate resource management tasks, which can save time and reduce the risk of errors caused by manual processes.
  • Customization: Cloud Custodian provides a flexible framework for defining custom policies that are tailored to your specific needs.
  • Open-source: Cloud Custodian is an open-source tool that is free to use.

Cons:

  • Requires setup and maintenance: Unlike AWS Config, which is a fully managed service, Cloud Custodian requires you to install, schedule and maintain the tool yourself (or the Lambda functions it deploys). This may require additional effort and expertise.
  • Limited visibility: Cloud Custodian does not keep a history of resource configurations. It queries the current state of resources when a policy runs (or reads the event that triggered it), so it does not replace AWS Config's inventory and timeline; it is primarily focused on automating resource management tasks rather than providing a comprehensive view of your resources.

Differences?

Implementation?

Here are the steps you can follow to enable AWS Config from the console (AWS Config is a regional service, so repeat this in every region you use, or set up an aggregator to see all of them in one place):

  • Sign in to the AWS Management Console, open AWS Config, and choose “Get started”.
  • On the Settings page, choose what to record: all supported resource types (optionally including global resources such as IAM, which you should record in only one region to avoid duplicate configuration items) or a specific list of resource types.
  • Still on the Settings page, choose the IAM role AWS Config records with (the service-linked role AWSServiceRoleForConfig is the usual choice) and the delivery channel: the S3 bucket that receives configuration history and snapshots, plus an optional SNS topic for change notifications.
  • On the Rules page, optionally pick AWS managed rules (for example encrypted-volumes) so the recorded resources are evaluated right away.
  • On the Review page, check the settings and confirm to start recording.

That’s it! Once the recorder is running, the AWS Config dashboard shows your resource inventory, the configuration timeline of each resource, and the compliance status of every rule. Configuration changes are also published as events to EventBridge, which is where Custodian or other automation can pick them up.
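The same setup done from the AWS CLI, as an added example that is not part of the original post. It assumes AWS CLI v2 with credentials for the target account and region, a 12-digit account ID and an existing S3 bucket (whose bucket policy already allows config.amazonaws.com to write to it) passed as arguments, the service-linked role AWSServiceRoleForConfig, and the managed rule ENCRYPTED_VOLUMES as the illustrative first rule.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): enable AWS Config from the CLI.
# Assumptions: AWS CLI v2, credentials for the target account/region, and an
# existing S3 bucket whose bucket policy lets config.amazonaws.com write to it.
set -eu

# JSON bodies for the three API calls, built as functions so they can be
# reviewed (or unit-tested) before anything is sent to AWS.
config_recorder_json() {          # $1 = 12-digit account id
  cat <<EOF
{
  "ConfigurationRecorder": {
    "name": "default",
    "roleARN": "arn:aws:iam::$1:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
    "recordingGroup": { "allSupported": true, "includeGlobalResourceTypes": true }
  }
}
EOF
}

delivery_channel_json() {         # $1 = S3 bucket name (an SNS topic is optional)
  cat <<EOF
{ "DeliveryChannel": { "name": "default", "s3BucketName": "$1" } }
EOF
}

config_rule_json() {              # $1 = rule name, $2 = AWS managed rule identifier
  cat <<EOF
{ "ConfigRule": { "ConfigRuleName": "$1",
                  "Source": { "Owner": "AWS", "SourceIdentifier": "$2" } } }
EOF
}

enable_aws_config() {             # $1 = account id, $2 = bucket name
  # The service-linked role Config records with. Creating it twice fails, so check first.
  aws iam get-role --role-name AWSServiceRoleForConfig >/dev/null 2>&1 ||
    aws iam create-service-linked-role --aws-service-name config.amazonaws.com
  # Order matters: recorder, then delivery channel, then start.
  aws configservice put-configuration-recorder   --cli-input-json "$(config_recorder_json "$1")"
  aws configservice put-delivery-channel         --cli-input-json "$(delivery_channel_json "$2")"
  aws configservice start-configuration-recorder --configuration-recorder-name default
  # One managed rule so there is something to evaluate: flags unencrypted EBS volumes.
  aws configservice put-config-rule --cli-input-json "$(config_rule_json encrypted-volumes ENCRYPTED_VOLUMES)"
  # Verify: "recording": true, and lastStatus becomes SUCCESS once the first snapshot is delivered.
  aws configservice describe-configuration-recorder-status
}

# Usage: sh enable-config.sh 123456789012 my-config-bucket
# Config is regional: run once per region (set AWS_DEFAULT_REGION), and record
# global resources (includeGlobalResourceTypes) in only one of them.
if [ "$#" -eq 2 ]; then
  enable_aws_config "$1" "$2"
fi
```

Run it with the account ID and bucket; without arguments it only defines the functions. Set `includeGlobalResourceTypes` to `false` in all but one region, otherwise IAM resources are recorded (and billed) once per region.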

How to enable Cloud Custodian on your AWS organization using the command line:

To install Cloud Custodian (in a virtual environment):

python3 -m venv custodian
source custodian/bin/activate
pip install c7n # This includes AWS support
pip install c7n-org

Alternatively, you can run it from the official Docker image; see the quickstart for both options.

Link: https://cloudcustodian.io/docs/quickstart/index.html

Once Cloud Custodian is installed, it needs AWS credentials. It does not store keys in a configuration file of its own: like the AWS CLI and boto3, it reads the standard credential chain (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY environment variables, a profile in ~/.aws/credentials, or an instance or assumed-role session). Prefer a named profile or a role session over long-lived keys, and confirm which principal the tool will act as before running anything:

export AWS_PROFILE=<profile>   # or an instance role / SSO session; avoid long-lived keys
aws sts get-caller-identity    # confirm the principal Custodian will run as

For an organization, c7n-org additionally needs an accounts config file listing every account and the IAM role to assume in it; it assumes that role per account using the credentials above.

Next, you will need to define policies for managing your AWS resources. Policies are written in YAML: each one names a resource type, the filters that select resources, and the actions to apply to the matches. For example, the following policy stops (it does not delete) every EC2 instance that carries an “adiintify” tag:

policies:
  - name: stop-ec2
    resource: aws.ec2
    filters:
      - "tag:adiintify": present
    actions:
      - stop

Once you have defined your policies, validate the file and then test it in dry-run mode, which evaluates the filters against your real resources but executes no actions. The matched resources are written to resources.json under the output directory (one folder per account and region with c7n-org), so you can see exactly what would have been stopped:

custodian validate policy.yml
c7n-org run -c accounts.yml -s output -u policy.yml --dryrun

After reviewing the dry-run output, run the policies for real across your organization; this applies the actions to every matched resource:

c7n-org run -c accounts.yml -s output -u policy.yml

Once your policies are deployed, keep an eye on the output directory (custodian-run.log and resources.json) and, for scheduled or event-driven policies, the CloudWatch logs of the Lambda functions Custodian created, to ensure that they match what you expect and nothing else.
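The whole c7n-org procedure above in one script, as an added example that is not part of the original post. It assumes a working directory and one or more 12-digit account IDs as arguments, that each member account has an OrganizationAccountAccessRole the current credentials may assume (the default role in accounts created through Organizations; a dedicated least-privilege role is better in practice), and us-east-1 as the only region. The policy is the post's stop-ec2 policy narrowed to running instances.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): generate the two files c7n-org
# needs, validate them and dry-run across every account before applying.
# Assumptions: OrganizationAccountAccessRole exists in each member account and
# the credentials in the environment (AWS_PROFILE etc.) may assume it; us-east-1.
set -eu

write_custodian_files() {         # $1 = work dir, $2.. = 12-digit account ids
  dir=$1; shift
  mkdir -p "$dir"
  # accounts.yml: c7n-org assumes "role" in each account, in each listed region.
  # account_id is quoted so YAML keeps it a string (leading zeros, 12 digits).
  {
    echo "accounts:"
    for account in "$@"; do
      cat <<EOF
  - account_id: '$account'
    name: account-$account
    regions:
      - us-east-1
    role: arn:aws:iam::$account:role/OrganizationAccountAccessRole
EOF
    done
  } > "$dir/accounts.yml"

  # policy.yml: the post's stop policy, limited to running instances so the
  # dry-run report is not padded with instances that are already stopped.
  cat > "$dir/policy.yml" <<'EOF'
policies:
  - name: stop-ec2
    resource: aws.ec2
    filters:
      - "tag:adiintify": present
      - "State.Name": running
    actions:
      - stop
EOF
}

custodian_check()  { custodian validate "$1/policy.yml"; }
# --dryrun evaluates filters against real resources but runs no actions; the
# matches land in $1/output/<account name>/<region>/stop-ec2/resources.json.
custodian_dryrun() { c7n-org run -c "$1/accounts.yml" -s "$1/output" -u "$1/policy.yml" --dryrun; }
custodian_apply()  { c7n-org run -c "$1/accounts.yml" -s "$1/output" -u "$1/policy.yml"; }

# Usage: sh custodian-org.sh ./c7n 123456789012 234567890123
# Deliberately stops after the dry-run: read resources.json, then call
# custodian_apply ./c7n yourself.
if [ "$#" -ge 2 ]; then
  write_custodian_files "$@"
  custodian_check "$1"
  custodian_dryrun "$1"
fi
```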

Can AWS Config and Cloud Custodian be integrated together?

Yes, AWS Config and Cloud Custodian can be integrated together to manage and monitor your AWS resources. Here are a few ways you can integrate these tools:

  • Run Cloud Custodian as a Config rule: with mode: config-rule, Custodian deploys the policy as a Lambda function and registers it as a custom AWS Config rule. Config invokes it whenever a recorded resource of that type changes; resources matching the policy's filters show up as NON_COMPLIANT in the Config console, and the policy's actions (tag, stop, notify, and so on) run on them, so one policy gives you both the compliance record and the remediation.
  • Let Config's verdicts drive Custodian: a pull policy can use the config-compliance filter to select only resources that a given Config rule has marked NON_COMPLIANT, so Custodian remediates (or just tags and notifies) on the basis of the managed rules you already pay for instead of re-implementing the check.
  • Use AWS Config to audit what Custodian did: every change Custodian makes (a stopped instance, an added tag, a deleted volume) is recorded as a configuration item, so the Config timeline shows the before and after of each automated action. Note that Custodian does not block changes: it reacts after a resource is created or modified (a policy in mode: cloudtrail can react within seconds of the API call), so if you need prevention, use IAM or service control policies alongside it.

The right integration depends on your needs, but the division of labour is usually clear: AWS Config for the inventory, history and compliance record, Cloud Custodian for flexible selection and automated remediation. The two combine naturally, with Config as the system of record and Custodian as the policy engine acting on it, and using both is often the most helpful setup.
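One Custodian policy file that integrates with AWS Config in both directions described above, as an added example that is not part of the original post. It assumes AWS Config is already recording in the region, a 12-digit account ID passed as an argument, and an IAM role named custodian-config-rule for the Lambda (an assumed name; the role needs config:PutEvaluations and ec2:Describe* permissions). The managed rule name encrypted-volumes is the console default for ENCRYPTED_VOLUMES.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): a Custodian policy file that both
# acts as a Config rule and consumes a Config rule's verdicts.
# Assumptions: Config recorder active in this region; an IAM role
# custodian-config-rule (assumed name) usable by Lambda; "encrypted-volumes"
# is the name of the managed ENCRYPTED_VOLUMES rule in this account.
set -eu

write_config_integration_policy() {   # $1 = output file, $2 = 12-digit account id
  cat > "$1" <<EOF
policies:
  # (a) Custodian AS a Config rule. "custodian run" deploys this policy as a
  #     Lambda and registers it as a custom Config rule. Config invokes it on
  #     every EC2 configuration change; an instance matching the filters is
  #     reported NON_COMPLIANT (and the actions, if any, run on it).
  - name: ec2-has-public-ip
    resource: aws.ec2
    mode:
      type: config-rule
      role: arn:aws:iam::$2:role/custodian-config-rule
    filters:
      - PublicIpAddress: present

  # (b) Custodian DRIVEN BY Config. A normal pull policy that only touches
  #     volumes the managed rule already marked NON_COMPLIANT, so remediation
  #     follows Config's verdict instead of re-deriving the check.
  - name: ebs-unencrypted-per-config
    resource: aws.ebs
    filters:
      - type: config-compliance
        rules: [encrypted-volumes]
        states: [NON_COMPLIANT]
    actions:
      - type: tag
        key: c7n-finding
        value: unencrypted-volume
EOF
}

# Usage: sh config-integration.sh 123456789012
# --dryrun runs every policy, including (a), as a local pull policy with no
# actions and no Lambda deployment, so you see what Config would flag first.
# A plain "custodian run -s output policy.yml" then deploys (a) as a
# Lambda/Config rule and executes (b) against the current Config evaluations.
if [ "$#" -eq 1 ]; then
  write_config_integration_policy policy.yml "$1"
  custodian validate policy.yml
  custodian run --dryrun -s output policy.yml
fi
```

Policy (a) is the only one that needs the Lambda role; policy (b) runs with the caller's credentials and only needs config:DescribeComplianceByResource plus ec2 describe and tag permissions.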

Please share your thoughts about this blog post in the comments box below. Reach out to me on Twitter at @adiintify if you have any questions.


Written by Aditya Nama

Security Engineer | AWS Community Builder
