Compliance and Cloud Custodian

Advanced 20 minutes

Overview

RosettaHub integrates Cloud Custodian for automated compliance scanning. Compliance standards group custodian policies, and executions run those policies against your cloud accounts. In this tutorial you will create compliance standards, run scans, review results, and share standards across your organization.

Prerequisites

Steps

Step 1: List Compliance Standards

rh compliance ls

Filter by visibility:

rh compliance ls --private
rh compliance ls --shared
rh compliance ls --public

Step 2: Create a Compliance Standard

rh compliance create --label "CIS Benchmark" --description "CIS controls for AWS"

Step 3: Browse Available Policies

List Cloud Custodian policies that can be included in compliance standards:

rh compliance ls-policies

Filter by resource type or policy type:

rh compliance ls-policies --resource "ec2"
rh compliance ls-policies --policy-type "security"
rh compliance ls-policies --compliance-standard <standardUid>

Step 4: Manage Custodian Policies Directly

For fine-grained policy management, use the custodian command group:

rh custodian ls                              # list all policies
rh custodian create --label "Unused EBS"     # create a policy
rh custodian clone <policyUid>               # duplicate a policy
rh custodian update <policyUid>              # modify a policy
rh custodian delete <policyUid>              # remove a policy
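The policies these commands manage are Cloud Custodian policies. As an added illustration (not from RosettaHub's documentation), the following is a standard Cloud Custodian policy file that matches the "Unused EBS" policy created above and adds an encryption check; it assumes RosettaHub accepts ordinary Cloud Custodian YAML, which this page does not state. Both policies only tag resources so that a scan reports findings without deleting anything.

```yaml
# Added example: two Cloud Custodian policies for AWS EBS volumes.
# The filters and actions are standard Cloud Custodian syntax; whether
# RosettaHub loads policies from this exact file format is an assumption.
policies:
  - name: unused-ebs-volumes
    description: Tag EBS volumes that have been unattached for over 30 days.
    resource: aws.ebs
    filters:
      # Volume is not attached to any instance
      - Attachments: []
      # Created more than 30 days ago (value_type: age is in days)
      - type: value
        key: CreateTime
        value_type: age
        op: greater-than
        value: 30
      # Skip volumes already flagged by a previous scan
      - "tag:custodian-status": absent
    actions:
      - type: tag
        key: custodian-status
        value: unused

  - name: unencrypted-ebs-volumes
    description: Tag EBS volumes that are not encrypted at rest.
    resource: aws.ebs
    filters:
      - Encrypted: false
    actions:
      - type: tag
        key: custodian-status
        value: unencrypted
```

Running these as a dry run first (Step 5 shows the --dry-run flag) lets you confirm which volumes match before any tags are applied.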

Step 5: Execute Compliance Scans

Run a compliance standard against specific cloud accounts and regions:

rh compliance execute \
  --portfolio-uid <standardUid> \
  --cloud-account-uid <accountUid> \
  --region-id us-east-1

Preview without executing:

rh compliance execute \
  --portfolio-uid <standardUid> \
  --cloud-account-uid <accountUid> \
  --dry-run

Step 6: Execute on All Users (Admin)

Run compliance checks across all users in the organization:

rh compliance execute-on-users --portfolio-uid <standardUid>

Execute individual policies across users:

rh compliance execute-policies-on-users --policy-uid <policyUid>

Step 7: Execute Custodian Policies Directly

rh custodian execute --policy-uid <policyUid> --cloud-account-uid <accountUid>
rh custodian execute-on-users --policy-uid <policyUid>

Step 8: View Execution Results

Get a summary of execution output by cloud account:

rh compliance output --portfolio-uid <standardUid>

Filter results:

rh compliance output \
  --portfolio-uid <standardUid> \
  --last-only \
  --has-resource

Use --managed for organization-wide admin results:

rh compliance output --portfolio-uid <standardUid> --managed

Step 9: View Detailed Execution Output

Get full details for specific executions:

rh compliance output-detail <executionUid1> <executionUid2>

Include execution files:

rh compliance output-detail <executionUid> --include-files

Custodian-level output:

rh custodian output --policy-uid <policyUid>
rh custodian output-detail <executionUid> --include-files

Step 10: Share Compliance Standards

Share a compliance standard with another user or organization:

rh compliance share <standardUid> --tenant <tenantUid> --tenant-type user

Replace existing shares:

rh compliance share <standardUid> --tenant <tenantUid> --tenant-type org --replace

Remove sharing:

rh compliance unshare <standardUid>

Next Steps

Troubleshooting

No policies listed

Policies may not be available for your cloud provider. Check with rh compliance ls-policies.

Execution shows no results

Empty results mean no policy violations were found — this is a good sign.

What is the difference between compliance and custodian commands?

Compliance commands work with compliance standards (groups of policies). Custodian commands work with individual Cloud Custodian policies. Use compliance for governance workflows; use custodian for granular policy management.