Can We Improve How Capital One Enforced Policies in AWS with Cloud Custodian in 2017?

3 minute read | Last updated 8-Nov-2021 |  AWS, Cloud

In late 2017, Capital One did an AWS “This is My Architecture” video. The video talks about how they built Cloud Custodian and how that tool helps them enforce policies in the AWS Cloud.

Now, a few years later, I react to that video and see what’s stood the test of time, what could be done simpler given today’s technology, and generally critique the design against the AWS Well-Architected Framework.

The AWS Well-Architected Framework

The AWS Well-Architected Framework is designed to help you and your team make informed trade offs while building in the AWS Cloud. It’s built on five pillars;

• Operational Excellence
• Security
• Cost Optimization
• Reliability
• Performance Efficiency

There pillars cover the primary concerns of building and running any solution. And as much as we’d all love to have everything, that’s just not possible.

…enter the framework.

It’ll help you strike the right balance for your goals to make sure that your build is the best it can be now and moving forward.

Why Architecture?

I often get asked why I talk about building in the cloud and architectural choices so often…aren’t I a security person?

Yes, I do focus on security and architecture is a critical part of that.

There’s really two types of security design work. The first is when you’re handed something and need to make sure the risks of that technology matches the risk appetite of the users.

The second type is when you’re building the technology. This is where making choices informed by security early in the process can have profound effects. You’re no longer bolting security on but building it in by design.

That’s why I talk about architecture and building so much. It’s where we all can have the largest possible security impact!

This video—and the ones that will come after—looks at a specific set of design decisions and how they balance the concerns of the AWS Well-Architected Framework…where security is one of the five pillars.

Capital One’s Design

Capital One was an early leader in cloud. They quickly realized that it was hard to enforce various security and compliance policies in the AWS Cloud.

In order to solve that problem, they built Cloud Custodian.

This open source tool allows you to write policies in a simple domain specific language (DSL) and then enforce them entire on a schedule or as a serverless design pattern.

Capital One open sourced the tool and since then, it’s taken on a life of it’s own. It’s wildly popular and with good reason. It’s simple to use and addresses a key pain point for teams who want to build well in the cloud.

Learn more in the reaction video 👆.

Btw, I’ve updated my course, “Mastering The AWS Well-Architected Framework” on A Cloud Guru. If you want a solid walk through of the ideas behind the framework and how to apply it to your work in the AWS Cloud, check it out!