Cloud Custodian, also known as c7n, is a rules engine for managing public cloud accounts and resources across AWS, Azure, GCP, Kubernetes, OCI, and Tencent Cloud. Written in Python, it enables organizations to define policies in simple YAML configuration files that query, filter, and take actions on cloud resources to enforce security, compliance, and cost optimization requirements. The project consolidates ad-hoc cloud management scripts into a unified, lightweight tool with integrated metrics and reporting capabilities.
The core functionality revolves around policy definition and execution. Users specify policies for particular resource types such as EC2 instances, S3 buckets, ASGs, Redshift clusters, CosmosDB, or Pub/Sub topics, constructing them from a vocabulary of filters and actions with support for arbitrary filtering using nested boolean conditions. Policies can be validated and executed in dry-run mode before enforcement. Cloud Custodian automatically provisions serverless functions and event sources native to each cloud provider, including AWS CloudWatch Events and Config Rules, Azure EventGrid, and GCP AuditLog and Pub/Sub, enabling real-time policy enforcement. Alternatively, it can run as a scheduled cron job against large existing resource fleets. The tool supports multi-account, multi-subscription, and multi-project deployments and includes intelligent caching to minimize API calls.
The project maintains a comprehensive suite of additional tools extending its capabilities. These include c7n-org for multi-account policy execution, c7n-left for shift-left security by running policies against infrastructure-as-code assets like Terraform, c7n-policystream for tracking policy changes through git history, Salactus for scaled S3 scanning, c7n-mailer for user notifications, c7n-trailcreator for retroactive resource tagging from CloudTrail, TrailDB for CloudTrail indexing, c7n-logexporter for CloudWatch log export, Cask for Docker-based execution, c7n-guardian for multi-account GuardDuty setup, and Omni SSM for EC2 Systems Manager automation.
According to GitGenius activity tracking across 685 issues and pull requests, the project demonstrates strong community engagement with a median response latency of 0.0 hours and mean latency of 4783.3 hours. The most active issue categories are kind/enhancement with 402 items and kind/bug with 215 items, reflecting ongoing feature development and maintenance. Top contributors ajkerrigan, kapilt, and calebsyring have driven 232, 211, and 122 tracked events respectively. The repository shares contributors with major projects including Microsoft VSCode, Microsoft TypeScript, and Rust-lang/Rust, indicating cross-pollination with the broader open-source ecosystem.
Cloud Custodian is a CNCF Incubating project led by a community of hundreds of contributors and has been battle-tested in production on large cloud environments. The project provides cloud provider-specific getting started guides for AWS, Azure, and GCP, with comprehensive documentation, community meetings, and multiple communication channels including Slack, Gitter, mailing lists, Reddit, and StackOverflow. The project maintains active security practices with a dedicated security team and adheres to the CNCF Code of Conduct.