{"id":1955,"library":"c7n-org","title":"Cloud Custodian - Parallel Execution","description":"c7n-org is a command-line tool that runs Cloud Custodian policies across many cloud accounts (AWS, Azure, GCP, OCI) in parallel, assuming a per-account role and iterating over the configured regions. It centralizes policy definition and enforcement for large cloud estates, simplifying governance and compliance at scale. The current version is 0.6.49, and it is released in step with the main Cloud Custodian project.","status":"active","version":"0.6.49","language":"en","source_language":"en","source_url":"https://github.com/cloud-custodian/cloud-custodian/tree/main/tools/c7n_org","tags":["cloud-governance","aws","azure","gcp","oci","policy-as-code","multi-account","cli"],"install":[{"cmd":"pip install c7n-org","lang":"bash","label":"Install c7n-org"}],"dependencies":[{"reason":"c7n-org acts as a runner for Cloud Custodian policies; Cloud Custodian (c7n) must also be installed.","package":"c7n","optional":false}],"imports":[],"quickstart":{"code":"import os\nimport shutil\nimport subprocess\n\n# accounts.yml: one entry per target account. c7n-org assumes `role` in each\n# account (with the credentials of the environment it runs in) and then runs\n# the policies in every listed region. Account ids and role names are placeholders.\naccounts_yaml_content = '''\naccounts:\n  - account_id: '123456789012'\n    name: dev-account\n    regions:\n      - us-east-1\n      - us-west-2\n    role: arn:aws:iam::123456789012:role/CloudCustodian\n  - account_id: '987654321098'\n    name: prod-account\n    regions:\n      - us-east-1\n    role: arn:aws:iam::987654321098:role/CloudCustodian\n'''\n\n# A simple Custodian policy: find S3 buckets without a Project tag.\n# `notify` only enqueues a message on the SQS queue; delivering it to the\n# recipients requires c7n-mailer consuming that queue.\npolicy_yaml_content = '''\npolicies:\n  - name: untagged-s3-buckets\n    resource: aws.s3\n    filters:\n      - \"tag:Project\": absent\n    actions:\n      - type: notify\n        subject: Untagged S3 Bucket Found\n        to:\n          - email@example.com  # replace with a valid recipient\n        transport:\n          type: sqs\n          queue: https://sqs.us-east-1.amazonaws.com/123456789012/my-notification-queue\n'''\n\nwith open('accounts.yml', 'w') as f:\n    f.write(accounts_yaml_content)\nwith open('policy.yml', 'w') as f:\n    f.write(policy_yaml_content)\n\n# The policy file is passed with -u/--use (-p filters by policy *name*).\n# --dryrun evaluates filters but skips actions, which is the right first run\n# in any new account.\ncmd = ['c7n-org', 'run', '-c', 'accounts.yml', '-s', 'output',\n       '-u', 'policy.yml', '--dryrun']\nprint('Command:', ' '.join(cmd))\n\nif shutil.which('c7n-org'):\n    # Real run; needs credentials that can assume the roles in accounts.yml.\n    subprocess.run(cmd, check=False)\nelse:\n    print('c7n-org not on PATH. Output layout after a run:')\n    print('output/')\n    print('├── dev-account/')\n    print('│   ├── us-east-1/')\n    print('│   │   └── untagged-s3-buckets/   (resources.json, custodian-run.log)')\n    print('│   └── us-west-2/')\n    print('│       └── untagged-s3-buckets/')\n    print('└── prod-account/')\n    print('    └── us-east-1/')\n    print('        └── untagged-s3-buckets/')\n\n# Clean up the demo files\nos.remove('accounts.yml')\nos.remove('policy.yml')\n","lang":"python","description":"c7n-org is driven from the command line: an `accounts.yml` lists the target accounts, the role to assume in each, and the regions to cover, and one or more Custodian policy files (here `policy.yml`) are passed with `-u`/`--use` (`-p` selects policies by name, not by file). This example writes both files and shows the run command; `--dryrun` evaluates the filters without executing actions, and every account/region/policy combination gets its own directory under the `-s` output dir containing `resources.json` and `custodian-run.log`. For AWS Organizations, the `orgaccounts.py` script shipped in the c7n-org `scripts` directory (`python orgaccounts.py -f accounts.yml`) can generate `accounts.yml` from the organization's account list, using the caller's `organizations:ListAccounts` permission."},"warnings":[{"fix":"Use Python >=3.9.2 and <4.0.0; upgrade the interpreter (or the virtualenv) before installing c7n-org.","message":"c7n-org requires Python 3.9.2 or newer (and less than 4.0.0); older Python versions are not supported.","severity":"breaking","affected_versions":"<0.6.0 (for older Python 3.8 and below)"},{"fix":"Verify that the role in `accounts.yml` exists in each target account, that its trust policy allows the principal running `c7n-org` to assume it, and that it grants the permissions the policies need (read-only permissions suffice for `--dryrun`). Run with `--dryrun` first and check every account's output directory for errors rather than relying on the overall run finishing.","message":"c7n-org assumes the `role` listed for each account with the credentials of the environment it runs in, so every target account needs a role whose trust policy allows that principal to assume it and whose permissions cover the policies being run. The AWS Organizations default `OrganizationAccountAccessRole` works but carries AdministratorAccess; a dedicated role scoped to what the policies need is preferable. When the role is missing or does not trust the caller, that account's policies fail with AccessDenied (from `sts:AssumeRole` or from the service APIs) while the other accounts keep running, so a failed account is easy to overlook.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Run with a local `-s` output directory, or sync the remote output to a local directory first, then run `c7n-org report -c accounts.yml -s output -u policy.yml`.","message":"`c7n-org report` reads policy execution output from a local output directory only; it cannot read output written to cloud object storage (for example an `s3://` output-dir).","severity":"gotcha","affected_versions":"All versions"},{"fix":"Run with `-v`/`--verbose` and, when chasing one failure, `--debug` (runs without the worker pool so the full exception is visible). Inspect `custodian-run.log` in the affected account/region/policy directory, and check the target account's CloudTrail for the denied API calls. Raise an issue upstream if a specific gap in the logging is identified.","message":"c7n-org's own logging can be too terse, hiding the underlying cloud provider error and making problems, especially permission-related ones, hard to diagnose.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Use regional STS endpoints (boto3 honours `AWS_STS_REGIONAL_ENDPOINTS=regional`), confirm each listed region is enabled in the target account (opt-in regions must be enabled before use) and that its STS endpoint is active in the account's IAM settings, and list only the regions each account actually uses under `regions` in `accounts.yml`. If the problem persists, check for a newer `c7n-org` release.","message":"There have been reports of `c7n-org` failing when targeting AWS accounts in non-default regions, apparently related to regional STS endpoints (for example opt-in regions, or regions whose STS endpoint is deactivated in the account).","severity":"gotcha","affected_versions":"Potentially all versions, but reported in versions around 0.6.0-0.6.x."}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}
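The quickstart above describes the output layout c7n-org writes (`<output-dir>/<account name>/<region>/<policy name>/resources.json`), and the warnings note both that `c7n-org report` only reads local output and that a failed role assumption is easy to miss because other accounts keep running. The script below is an added example, not c7n-org's own code, that walks a local output tree driven by the account list rather than by the directories that happen to exist, so an account/region/policy that produced nothing is flagged instead of silently absent. The account list, bucket names and on-disk tree are constructed inline so it runs offline; with a real run you would load `accounts.yml` with `yaml.safe_load` and point it at the `-s` directory.

```python
"""Summarise a local c7n-org output tree and flag runs that produced nothing.

Assumes only the layout c7n-org writes:
  <output-dir>/<account name>/<region>/<policy name>/resources.json
where resources.json is the JSON list of resources the policy matched.
"""
import csv
import io
import json
import os
import tempfile

# Constructed stand-in for yaml.safe_load(open('accounts.yml'))['accounts'].
ACCOUNTS = [
    {"account_id": "123456789012", "name": "dev-account",
     "regions": ["us-east-1", "us-west-2"]},
    {"account_id": "987654321098", "name": "prod-account",
     "regions": ["us-east-1"]},
]
POLICIES = ["untagged-s3-buckets"]


def build_sample_output(root):
    """Write a constructed tree: dev-account ran in both regions, prod-account
    produced nothing (what a failed sts:AssumeRole looks like on disk)."""
    sample = {
        ("dev-account", "us-east-1", "untagged-s3-buckets"): [
            {"Name": "dev-logs", "Tags": []},
            {"Name": "dev-scratch", "Tags": [{"Key": "Owner", "Value": "alice"}]},
        ],
        ("dev-account", "us-west-2", "untagged-s3-buckets"): [],
    }
    for (account, region, policy), resources in sample.items():
        d = os.path.join(root, account, region, policy)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "resources.json"), "w") as f:
            json.dump(resources, f)
    return root


def load_resources(root, account, region, policy):
    """Matched resources, or None when no resources.json exists (policy never ran)."""
    path = os.path.join(root, account, region, policy, "resources.json")
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return json.load(f)


def summarize(root, accounts, policies):
    """Map (account, region, policy) -> list of resource names, or None.
    Iterating the account list is what makes missing runs visible; a walk of
    the directory tree alone cannot show what is absent."""
    summary = {}
    for acct in accounts:
        for region in acct["regions"]:
            for policy in policies:
                resources = load_resources(root, acct["name"], region, policy)
                if resources is None:
                    summary[(acct["name"], region, policy)] = None
                else:
                    summary[(acct["name"], region, policy)] = [
                        r.get("Name") or r.get("id") for r in resources]
    return summary


def missing_runs(summary):
    """Account/region/policy triples with no output at all."""
    return sorted(k for k, v in summary.items() if v is None)


def to_csv(summary):
    """One row per account/region/policy, for a ticket or dashboard."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["account", "region", "policy", "status", "count", "resources"])
    for (account, region, policy), names in sorted(summary.items()):
        if names is None:
            w.writerow([account, region, policy, "NO-OUTPUT", "", ""])
        else:
            w.writerow([account, region, policy, "ok", len(names), " ".join(names)])
    return buf.getvalue()


def demo():
    """Build the constructed tree in a temp dir; return (summary, csv text)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_output(os.path.join(tmp, "output"))
        s = summarize(root, ACCOUNTS, POLICIES)
        return s, to_csv(s)


if __name__ == "__main__":
    s, text = demo()
    print(text)
    for acct, region, policy in missing_runs(s):
        print(f"WARNING: no output for {acct}/{region}/{policy}; "
              "check the role in accounts.yml and custodian-run.log")
```

Run it after `c7n-org run` finishes (or after syncing a remote output directory locally) and treat any `NO-OUTPUT` row as a failed account, not an empty result: an account with no findings still leaves a `resources.json` containing `[]`.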