{"id":2422,"library":"c7n","title":"Cloud Custodian","description":"Cloud Custodian (c7n) is an open-source, cloud-native rules engine for managing public cloud accounts and resources. It enables users to define policies in simple YAML files to ensure well-managed, secure, and cost-optimized cloud infrastructure. It supports major cloud providers like AWS, Azure, and GCP, and can execute policies in real-time (via serverless functions) or periodically (via scheduled jobs). The current version is 0.9.50, and it maintains an active release cadence with frequent updates and feature additions.","status":"active","version":"0.9.50","language":"en","source_language":"en","source_url":"https://github.com/cloud-custodian/cloud-custodian","tags":["cloud","policy-engine","security","governance","aws","azure","gcp","finops"],"install":[{"cmd":"pip install c7n","lang":"bash","label":"Base (includes AWS support)"},{"cmd":"pip install c7n_azure","lang":"bash","label":"Azure Support"},{"cmd":"pip install c7n_gcp","lang":"bash","label":"GCP Support"},{"cmd":"pip install c7n_oci","lang":"bash","label":"OCI Support"}],"dependencies":[{"reason":"Runtime environment","package":"python","optional":false},{"reason":"Required for Azure policies","package":"c7n_azure","optional":true},{"reason":"Required for GCP policies","package":"c7n_gcp","optional":true},{"reason":"Required for OCI policies","package":"c7n_oci","optional":true}],"imports":[{"note":"Cloud Custodian is primarily a CLI tool. Direct Python imports are mostly for advanced use cases like building custom extensions, testing, or programmatic policy loading, not typical end-user policy execution.","symbol":"Policy","correct":"from c7n.policy import Policy"}],"quickstart":{"code":"# policy.yml\npolicies:\n  - name: find-unencrypted-s3-buckets\n    resource: aws.s3\n    filters:\n      - type: unencrypted\n    actions:\n      # Remove or comment out 'actions' for a pure dry-run without notification setup\n      - type: notify\n        violation_desc: \"S3 bucket {resource_id} in {account_id} is not encrypted!\"\n        to:\n          - \"{{ resource_owner_email | default('owner@example.com') }}\"\n        transport:\n          type: sqs # Requires c7n-mailer and an SQS queue named 'cloud-custodian-notifications'\n          queue: cloud-custodian-notifications\n\n# To run the policy (ensure AWS credentials are configured):\ncustodian run --dryrun -s . policy.yml","lang":"bash","description":"This quickstart demonstrates how to define a simple policy in a YAML file (`policy.yml`) to identify unencrypted S3 buckets in AWS and then execute it using the `custodian` CLI tool. The `--dryrun` flag allows you to preview actions without making actual changes. Ensure your AWS credentials are configured (e.g., via `~/.aws/credentials` or environment variables) for `custodian` to interact with your cloud environment."},"warnings":[{"fix":"Always install the base `c7n` package along with the specific package(s) for your target cloud(s), e.g., `pip install c7n c7n_azure`.","message":"Forgetting to install cloud-specific packages (e.g., `c7n_azure`, `c7n_gcp`) will lead to errors when trying to run policies for those providers, as the necessary resource modules will be missing.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Execute `custodian run --dryrun -s . policy.yml` to review policy impact before running without `--dryrun`.","message":"Always use the `--dryrun` flag when developing or testing new policies, especially those with `actions`. This prevents unintended modifications or deletions of cloud resources by showing what actions *would* be taken.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Use a YAML linter or editor with YAML validation. Ensure the policy file starts with `policies:` followed by a list of policy definitions.","message":"Cloud Custodian policies are written in YAML. Incorrect YAML syntax (e.g., indentation errors, missing `policies:` root key) is a common cause of `PolicyValidationError` or `YAMLError` during execution.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Upgrade your Python environment to a supported version (e.g., Python 3.10.x or 3.11.x).","message":"Cloud Custodian currently requires Python >=3.10.2 and <4.0.0. Using older Python versions will result in installation failures or runtime errors due to dropped support.","severity":"breaking","affected_versions":"<0.9.0 (earlier versions supported older Python)"},{"fix":"Refer to your cloud provider's SDK/CLI documentation for credential configuration. For AWS, ensure `~/.aws/credentials` and `~/.aws/config` are set up, or relevant environment variables are exported.","message":"Proper cloud provider credentials must be configured in the execution environment (e.g., AWS CLI configuration, environment variables like `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION` for AWS). Without them, policies cannot interact with cloud APIs.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Install `c7n-org` (`pip install c7n_org`) and use its configuration and commands for multi-target execution.","message":"For managing policies across multiple cloud accounts, subscriptions, or projects in parallel, the `c7n-org` tool is necessary. Running `custodian` directly will only target the configured account/region.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure the IAM role used by Cloud Custodian has the necessary permissions to provision cloud resources (e.g., Lambda functions, CloudWatch Events) and to perform the actions defined in your policies. Consult the Cloud Custodian documentation's 'IAM Setup' section for detailed requirements.","message":"When deploying real-time policies using 'mode' (e.g., `cloudtrail`, `periodic`), Cloud Custodian automatically provisions serverless functions (like AWS Lambda). Incorrect or insufficient IAM permissions for the Custodian execution role can lead to deployment failures or policy execution errors within the serverless environment.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}