Getting started with Cloud Custodian and AWS


Cloud Custodian is an open-source tool for managing your cloud resources across multiple cloud platforms, including Amazon Web Services (AWS). It is a policy automation framework that helps you maintain compliance and security in your cloud infrastructure. In this blog post, we will explain how to use Cloud Custodian with AWS.

Install Cloud Custodian

First, you need to install Cloud Custodian on your local machine. You can install it using pip, a package manager for Python. Open your command line interface and run the following command:

pip install c7n

This command will install Cloud Custodian on your machine.

Configure AWS Credentials

Next, you need to configure your AWS credentials to access your AWS account. There are two ways to do this:

Set up AWS CLI: You can install AWS CLI on your machine and configure your credentials using the aws configure command. This command will prompt you to enter your AWS access key ID and secret access key.

Set up Environment Variables: You can also set your AWS credentials as environment variables on your machine. The two environment variables you need to set are AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Write a Custodian Policy

Once you have set up Cloud Custodian and configured your AWS credentials, you need to write a Custodian policy. A policy is a set of rules that define how you want to manage your cloud resources. For example, you can create a policy to stop EC2 instances that are not in use for a specified period of time.

Custodian policies are written in YAML format. Here is an example policy that stops all EC2 instances that are not in use for 7 days:

policies:
  - name: stop-unused-instances
    resource: ec2
    filters:
      # instance state lives under State.Name in the describe-instances output
      - type: value
        key: State.Name
        value: running
      # exclude anything whose Name tag matches the regex
      - not:
          - type: value
            key: tag:Name
            op: regex
            value: '.*prod.*'
      # age compares LaunchTime in days: less-than 7 means launched under 7 days ago
      - type: value
        key: LaunchTime
        value_type: age
        op: less-than
        value: 7
    actions:
      - stop

This policy selects running instances whose Name tag does not contain ‘prod’ and that were launched less than 7 days ago. The stop action stops the matching instances.
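To see what the three filters select before pointing the policy at an account, here is an added Python re-implementation of their matching rules (a constructed example, not Cloud Custodian's own code) run over a constructed set of instance records. The key lookup, regex and age semantics follow Custodian's value filter; the NOW, instance, get_key, value_filter, matches and select_instances names are the example's own.

```python
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed "current time" so the example is deterministic
def instance(iid, state, name, days_old):
    # Constructed record with only the describe-instances fields the policy reads
    tags = [{"Key": "Name", "Value": name}] if name is not None else []
    return {"InstanceId": iid, "State": {"Name": state}, "Tags": tags,
            "LaunchTime": (NOW - timedelta(days=days_old)).isoformat()}

SAMPLE_INSTANCES = [                                   # constructed sample data
    instance("i-0001", "running", "web-dev", 2),       # running, non-prod, 2 days old: matched
    instance("i-0002", "running", "api-prod", 1),      # excluded: 'prod' in Name tag
    instance("i-0003", "stopped", "batch-dev", 3),     # excluded: not running
    instance("i-0004", "running", "db-staging", 30),   # excluded: launched more than 7 days ago
    instance("i-0005", "running", None, 5),            # no Name tag: still matched (see note below)
]
POLICY_FILTERS = [  # the filters block of the policy above, as Custodian would parse it
    {"type": "value", "key": "State.Name", "value": "running"},
    {"not": [{"type": "value", "key": "tag:Name", "op": "regex", "value": ".*prod.*"}]},
    {"type": "value", "key": "LaunchTime", "value_type": "age", "op": "less-than", "value": 7},
]

def get_key(resource, key):
    # "tag:X" resolves to the value of tag X (None if absent); dotted keys walk nested dicts
    if key.startswith("tag:"):
        return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == key[4:]), None)
    value = resource
    for part in key.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def value_filter(resource, f, now):
    actual, expected, op = get_key(resource, f["key"]), f["value"], f.get("op")
    if f.get("value_type") == "age" and actual is not None:
        # age: compare the attribute's age in days, so less-than 7 means "launched under 7 days ago"
        actual = (now - datetime.fromisoformat(actual)).total_seconds() / 86400
    if op == "regex":  # Custodian's regex op is anchored at the start and case-insensitive
        return isinstance(actual, str) and re.match(expected, actual, re.IGNORECASE) is not None
    if op is None or actual is None:
        return actual == expected  # no op means plain equality; a missing attribute never matches
    return {"less-than": actual < expected, "greater-than": actual > expected}[op]

def matches(resource, f, now=NOW):
    if "not" in f:  # boolean operator: true only when none of the nested filters match
        return not all(matches(resource, sub, now) for sub in f["not"])
    return value_filter(resource, f, now)

def select_instances(instances, filters=POLICY_FILTERS, now=NOW):
    # InstanceIds that the policy's filters would hand to the stop action
    return [i["InstanceId"] for i in instances if all(matches(i, f, now) for f in filters)]
```

Note that i-0005, which carries no Name tag, is still selected: the ‘prod’ exclusion only protects instances that actually have the tag, so tag hygiene matters before a stop action is trusted. Running the policy with custodian run --dryrun reports the matched resources without executing the action.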

Run Custodian

To run the policy, save it as a YAML file and run the following command:

custodian run --output-dir output/ my_policy.yml

This command runs the policy defined in the my_policy.yml file and stores the output in the output/ directory.


Cloud Custodian is a powerful tool for managing your AWS resources. It helps you maintain compliance and security in your cloud infrastructure by defining policies that automate resource management. With the steps outlined above, you can get started using Cloud Custodian with AWS to manage your cloud resources.