macOS
brew install c7nlocal Homebrew formula metadata
brew
Rules engine for cloud security, cost optimization, and governance. Version 0.9.51.0 via Homebrew; verified 2026-06-15.
install
brew install c7nlocal Homebrew formula metadata
sudo apt install python-custodian-docDebian stable package indexes · python-custodian-doc · source: deb.debian.org
overview
Rules engine for cloud security, cost optimization, and governance
history
Cloud Custodian, packaged as c7n, is a policy-as-code rules engine for public-cloud governance, security, cost control, and compliance automation. It is a CNCF incubating project and one of the better-known cloud governance CLIs.
Cloud Custodian began at Capital One as a way to replace many ad hoc cloud-management scripts with a shared policy engine. Its README describes the project as a rules engine for managing public cloud accounts and resources, using simple YAML policies composed from resource types, filters, actions, and execution modes.
The project expanded from an AWS-oriented governance tool into a multi-cloud framework supporting AWS, Azure, GCP, OCI, Tencent Cloud, Kubernetes, and related tools. Its documentation presents compliance-as-code as a central model: users validate, dry-run, and review policies before applying them to cloud resources.
The CNCF project page records Cloud Custodian's acceptance into CNCF on June 25, 2020 and its move to incubating maturity on September 14, 2022.
Cloud Custodian's adoption story is unusually strong for a CLI governance tool because it grew out of large-scale production cloud use and then moved into CNCF stewardship. The README describes it as led by a community of hundreds of contributors and battle-tested in very large cloud environments.
The project is distributed as the c7n Python package family, a Docker image, and OS-package-manager formulas such as Homebrew. Its docs also cover companion tools such as c7n-org, c7n-mailer, c7n-left, c7n-kube, and c7n-logexporter, reflecting an ecosystem around core policy evaluation.
Users write YAML policies, validate them, dry-run them, and run them with the custodian CLI. Policies can check resources for tag compliance, encryption, public exposure, age, cost waste, and other conditions, then take actions such as tagging, stopping, deleting, notifying, or invoking provider-native eventing.
Cloud Custodian can run as a local or CI job against existing fleets, or it can provision serverless/event-driven execution through cloud provider facilities such as AWS CloudWatch Events, AWS Config rules, Azure Event Grid, GCP Audit Log and Pub/Sub, and similar mechanisms.
For package nerds, c7n is significant because the tiny package name hides a broad cloud-governance platform. Installing a single CLI brings in a policy language, schema tooling, multi-cloud resource providers, serverless deployment paths, reporting, and a family of c7n-* companion packages.
It is also a canonical example of Python CLI tooling becoming infrastructure governance plumbing: a package-manager install turns YAML files into enforceable cloud controls.
security posture
infrastructure mutation or orchestration signal.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
custodian | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/cloud-custodian/cloud-custodian
install metadata
| Package key | brew:c7n |
|---|---|
| Version | 0.9.51.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/c7n |
| Homepage | https://cloudcustodian.io |
| Repository | https://github.com/cloud-custodian/cloud-custodian |
| Upstream docs | https://cloudcustodian.io/docs |
| License | Apache-2.0 |
| Source archive | https://github.com/cloud-custodian/cloud-custodian/archive/refs/tags/0.9.51.0.tar.gz |
| Last updated | 2026-06-15T10:20:11-04:00 |
| Pulse | updated |
| Dependencies | cryptography, libyaml, python@3.14, rpds-py |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | c7n |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
python-custodian-doc 2024.10.16-1
flexible just-in-time job management framework in Python (doc)
https://github.com/materialsproject/custodian
sudo apt install python-custodian-docpython3-custodian 2024.10.16-1
flexible just-in-time job management framework in Python
https://github.com/materialsproject/custodian
sudo apt install python3-custodiansource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.