☑️ Cloud Custodian AWS Automation on Alpine as unprivileged User

ellerbrock/alpine-cloud-custodian

alpine-cloud-custodian

What is it?

Cloud Custodian is a tool that unifies the dozens of tools and scripts most organizations use for managing their AWS accounts into one open source tool. It’s a stateless rules engine for policy definition and enforcement, with metrics and detailed reporting for AWS.

Organizations can use Custodian to manage their AWS environments by ensuring compliance to security policies, tag policies, garbage collection of unused resources, and cost management via off-hours resource management, all from the same place. Custodian policies are written in simple YAML configuration files that specify given resource types and are constructed from a vocabulary of filters and actions.

For further information, see the official documentation.

Installation

docker pull ellerbrock/alpine-cloud-custodian

Usage

aws-cli

If you have the aws-cli configured, you're ready to run.
We map your ~/.aws folder read-only inside the container, so the credentials file is never writable from within it.

#!/usr/bin/env bash

# Runs Cloud Custodian from the image with the aws-cli profile directory
# mounted read-only (:ro). Logs, cache and policies are mapped from the
# current working directory; see "Folder Structure" below.
function main () {
  docker run \
    -it \
    -v "${HOME}/.aws:/custodian/.aws:ro" \
    -v "${PWD}/logs:/tmp" \
    -v "${PWD}/.cache:/custodian/.cache" \
    -v "${PWD}/policies:/custodian/policies:ro" \
  ellerbrock/alpine-cloud-custodian run --output-dir=/tmp \
    policies/my-policy.yml
}

main

Environment Variables

Export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the shell you start the container from, so that the next step can pass them into the container.

# Run these in the shell you will start the container from (or source a
# file that contains them); the values are placeholders.
export AWS_ACCESS_KEY_ID="your-key-here"
export AWS_SECRET_ACCESS_KEY="your-sec-key-here"

Then run the container, passing the two variables through with -e:

#!/usr/bin/env bash

# Runs Cloud Custodian from the image using the exported AWS_* variables
# instead of a mounted ~/.aws folder. Logs, cache and policies are mapped
# from the current working directory; see "Folder Structure" below.
function main () {
  docker run \
    -it \
    -e AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
    -e AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
    -v "${PWD}/logs:/tmp" \
    -v "${PWD}/.cache:/custodian/.cache" \
    -v "${PWD}/policies:/custodian/policies:ro" \
  ellerbrock/alpine-cloud-custodian run --output-dir=/tmp \
    policies/my-policy.yml
}

main

Folder Structure

Since Custodian runs inside a container, its log files are written inside the container and none of our policies are in there. Copying them in or rebuilding the image each time is not an option, so we simply map three host folders into the container and work with them in place:

policies: store your policies here and run them as in the example, using your own file name.

logs: all output logs get stored here.

.cache: needed by the program.
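The following wrapper ties the three usage sections above together. It is an added example, not part of the ellerbrock/alpine-cloud-custodian project: it creates the policies/, logs/ and .cache/ folders, then builds the docker run command for either the aws-cli profile mode (~/.aws mounted read-only) or the environment-variable mode. The image name and mount paths are those given in the README; the script name run-custodian.sh, the mode argument and the build_cmd/prepare_layout function names are assumptions of this example. In env mode it passes `-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY` by name only, which docker resolves from the calling environment, so the secret value never appears on the command line or in shell history.

```shell
#!/usr/bin/env sh
# Added example (not from the ellerbrock/alpine-cloud-custodian project).
# Prepares the README's folder layout and builds the docker run command
# with credentials and policies mounted read-only.
set -eu

IMAGE="ellerbrock/alpine-cloud-custodian"   # image name from the README

# Create the host folders the container mounts; safe to run repeatedly.
prepare_layout() {
  root="$1"
  mkdir -p "$root/policies" "$root/logs" "$root/.cache"
}

# Build (but do not run) the docker command and print it on stdout.
# mode is "profile" (mount ~/.aws read-only) or "env" (pass the two AWS_*
# variables through). Returns 1 if the policy file is missing or the
# env-mode credentials are not exported, so nothing is started half-configured.
build_cmd() {
  root="$1"; mode="$2"; policy="$3"
  if [ ! -f "$root/policies/$policy" ]; then
    echo "policy not found: $root/policies/$policy" >&2
    return 1
  fi
  case "$mode" in
    profile)
      creds="-v ${HOME}/.aws:/custodian/.aws:ro" ;;
    env)
      if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are not exported" >&2
        return 1
      fi
      # Name only: docker reads the value from our environment, so the
      # secret is not part of the command line.
      creds="-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY" ;;
    *)
      echo "unknown mode: $mode (use profile or env)" >&2
      return 1 ;;
  esac
  printf 'docker run -it %s -v %s/logs:/tmp -v %s/.cache:/custodian/.cache -v %s/policies:/custodian/policies:ro %s run --output-dir=/tmp policies/%s\n' \
    "$creds" "$root" "$root" "$root" "$IMAGE" "$policy"
}

# Usage: sh run-custodian.sh profile my-policy.yml
#        sh run-custodian.sh env my-policy.yml
if [ "$#" -eq 2 ]; then
  prepare_layout "$PWD"
  cmd=$(build_cmd "$PWD" "$1" "$2")
  echo "+ $cmd"
  eval "$cmd"
fi
```

Run it from the directory that holds policies/; the printed command line lets you confirm that only logs/ and .cache/ are writable from inside the container before anything is executed.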
