Install Cloud Custodian: https://cloudcustodian.io/docs/quickstart/index.html#install-cc
pip install -r requirements.txt
Create a BCGOV_CloudCustodian IAM role in all accounts, with the permissions required to run the policy checks and actions.
The script for generating an AWS accounts config file is only distributed via git.
curl https://raw.githubusercontent.com/cloud-custodian/cloud-custodian/master/tools/c7n_org/scripts/orgaccounts.py -o orgaccounts.py
# Accounts file generated without an OU filter
python orgaccounts.py \
  -f accounts.yml \
  --role 'arn:aws:iam::{Id}:role/BCGOV_CloudCustodian'

# Workload accounts (Dev, Test and Prod OUs)
python orgaccounts.py \
  -f accounts-workload.yml \
  --role 'arn:aws:iam::{Id}:role/BCGOV_CloudCustodian' \
  --ou Dev --ou Test --ou Prod

# Core accounts (core OU)
python orgaccounts.py \
  -f accounts-core.yml \
  --role 'arn:aws:iam::{Id}:role/BCGOV_CloudCustodian' \
  --ou core

# Find workload accounts that don't comply with the password policy
c7n-org run -c accounts-workload.yml --dryrun -s output -u policy/common/password.yml --region ca-central-1
Note: --dryrun prevents actions from being executed.
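For illustration, a Cloud Custodian policy of the kind the c7n-org command above runs could look like the following. This is an added example, not the contents of this repository's policy/common/password.yml; the policy name and the threshold values are assumptions.

```yaml
# Added example: NOT this repository's policy/common/password.yml.
# The policy name and every threshold value below are assumptions.
policies:
  - name: account-password-policy-noncompliant
    resource: aws.account
    description: |
      Match accounts whose IAM password policy is missing or fails
      at least one of the requirements listed under "not".
    filters:
      # "not" matches an account unless it passes every check below,
      # so an account with no password policy configured also matches.
      - not:
          - type: password-policy
            key: MinimumPasswordLength
            op: gte
            value: 14
          - type: password-policy
            key: RequireUppercaseCharacters
            value: true
          - type: password-policy
            key: RequireLowercaseCharacters
            value: true
          - type: password-policy
            key: RequireNumbers
            value: true
          - type: password-policy
            key: RequireSymbols
            value: true
          - type: password-policy
            key: PasswordReusePrevention
            op: gte
            value: 24
          - type: password-policy
            key: MaxPasswordAge
            op: lte
            value: 90
    # No "actions" block: the policy only reports matching accounts
    # and changes nothing in them.
```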
To report bugs/issues/feature requests, please file an issue.
If you would like to contribute, please see our CONTRIBUTING guidelines.
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
Copyright 2018 Province of British Columbia
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.