• Comprehensive support for AWS services and resources (> 100), along with 400+ actions and 300+ filters to build policies with.
• Supports arbitrary filtering on resources with nested boolean conditions.
• Dry run any policy to see what it would do.
• Automatically provisions AWS Lambda functions, AWS Config rules, and Cloudwatch event targets for real-time policies.
• AWS Cloudwatch metrics outputs on resources that matched a policy
• Structured outputs into S3 of which resources matched a policy.
• Intelligent cache usage to minimize api calls.
• Battle-tested - in production on some very large AWS accounts.
• Supports cross-account usage via STS role assumption.
• Supports integration with custom/user supplied Lambdas as actions.
• Supports both Python 2.7 and Python 3.6 (beta) Lambda runtimes

Quick Install

$ virtualenv --python=python2 custodian
$ source custodian/bin/activate
(custodian) $ pip install c7n

Usage
First a policy file needs to be created in YAML format, as an example:

policies:
- name: remediate-extant-keys
  description: |
    Scan through all s3 buckets in an account and ensure all objects
    are encrypted (default to AES256).
  resource: s3
  actions:
    - encrypt-keys

- name: ec2-require-non-public-and-encrypted-volumes
  resource: ec2
  description: |
    Provision a lambda and cloud watch event target
    that looks at all new instances and terminates those with
    unencrypted volumes.
  mode:
    type: cloudtrail
    events:
        - RunInstances
  filters:
    - type: ebs
      key: Encrypted
      value: false
  actions:
    - terminate

- name: tag-compliance
  resource: ec2
  description: |
    Schedule a resource that does not meet tag compliance policies
    to be stopped in four days.
  filters:
    - State.Name: running
    - "tag:Environment": absent
    - "tag:AppId": absent
    - or:
      - "tag:OwnerContact": absent
      - "tag:DeptID": absent
  actions:
    - type: mark-for-op
      op: stop
      days: 4

Given that, you can run Cloud Custodian with:

# Validate the configuration (note this happens by default on run)
$ custodian validate policy.yml

# Dryrun on the policies (no actions executed) to see what resources
# match each policy.
$ custodian run --dryrun -s out policy.yml

# Run the policy
$ custodian run -s out policy.yml

Custodian supports a few other useful subcommands and options, including outputs to S3, Cloudwatch metrics, STS role assumption. Policies go together like Lego bricks with actions and filters.
Consult the documentation for additional information, or reach out on gitter.

Get Involved
Mailing List - https://groups.google.com/forum/#!forum/cloud-custodian
Gitter - https://gitter.im/capitalone/cloud-custodian

Additional Tools
The Custodian project also develops and maintains a suite of additional tools here https://github.com/capitalone/cloud-custodian/tree/master/tools:

Salactus

Scale out s3 scanning.

Mailer

A reference implementation of sending messages to users to notify them.

TrailDB

Cloudtrail indexing and timeseries generation for dashboarding

LogExporter

Cloud watch log exporting to s3

Index

Indexing of custodian metrics and outputs for dashboarding

Sentry

Log parsing for python tracebacks to integrate with https://sentry.io/welcome/