
This article defines the criteria for a custom Compliance Engine policy request.

...

Policy create request workflow:

  1. Create a service request for every required policy.

  2. Provide the following information:

    a. Policy details

    b. Policy logic and evaluation criteria

    c. Violation details

    d. Set of test objects

  3. The policy request is forwarded to the policy development team.

  4. The policy is coded and tested against the set of test objects (2.d):

    a. The development team may ask for additional feedback and elaboration on the provided policy logic if it notices a discrepancy between the requested logic and the provided test objects.

    b. The SLA is on hold while the inconsistency is being addressed.

  5. The policy is delivered to the organization in which the set of test objects (2.d) exists.

  6. The request is closed.


Policy update workflow:

  1. Open a new service request and link it to the original policy create request.

  2. Provide updates to the original request and outline the required changes.

  3. The workflow continues from step 3 of the policy create workflow.

...

  1. Severity*

  2. Policy Name*

  3. Description*

  4. Tags

* - Required Fields

Example A

...

Example B

Severity: Low

Policy Name: AWS EC2 Reserved Instance Renewal (180 days before expiration)

Description: Ensure that your AWS EC2 Reserved Instances are renewed before expiration in order to get a significant discount (up to 75% depending on the commitment term) on the hourly charges. The renewal process consists of purchasing another EC2 Reserved Instance so that Amazon can keep charging you based on the chosen reservation term.

Tags: EC2, AWS, RI, Cost

Example B:

Severity: High

Policy Name: AWS S3 Bucket Public 'READ' Access

Description: Ensure that the content of your AWS S3 buckets cannot be publicly listed, in order to protect against unauthorized access. An S3 bucket that grants READ (LIST) access to everyone allows anonymous users to list the objects within the bucket.

Tags: S3, AWS, Security

Policy Logic and Evaluation Criteria


The expected outcome should list all the objects involved and the condition under which each of them is evaluated.

Example A

...

Example B

The group will be INCOMPLIANT if:

Object A exists in AWS

AND

Object B has a name that contains "prod"

AND

The source of this rule is an IP address (not another security group)

AND

...

Example B:

The bucket will be INCOMPLIANT if the bucket name LIKE '%test%' AND (NOT Name LIKE '%public%') AND AWS Account is not '987654322345'

Violation Details

Provide details on how to convert the input objects into a human-readable violation. Comment on which message pattern to use, how to combine fields from the objects, and which additional fields and objects should be updated when a violation occurs.
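The following is an added example, not part of this article or the Compliance Engine itself: it codes the Example B logic above (bucket name LIKE '%test%', NOT LIKE '%public%', account not '987654322345') as a policy function, runs it over a constructed set of test objects, and renders each failing object as a violation record. The object field names, the violation message pattern and the case-insensitive LIKE semantics are assumptions.

```python
import re

# Constructed test objects (not from the article): S3 buckets in the shape a
# policy might receive them. Field names "Name" and "AwsAccount" are assumed.
TEST_OBJECTS = [
    {"Name": "app-test-logs", "AwsAccount": "111122223333"},
    {"Name": "app-test-public-assets", "AwsAccount": "111122223333"},  # excluded: '%public%'
    {"Name": "app-test-data", "AwsAccount": "987654322345"},           # excluded: account
    {"Name": "app-prod-data", "AwsAccount": "111122223333"},           # excluded: no 'test'
]

EXCLUDED_ACCOUNT = "987654322345"  # account value taken from Example B


def sql_like(value: str, pattern: str) -> bool:
    """SQL LIKE: '%' matches any run of characters, '_' matches one character.
    Case-insensitive matching is an assumption; adjust if the engine differs."""
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def is_incompliant(bucket: dict) -> bool:
    """Example B logic: Name LIKE '%test%' AND NOT Name LIKE '%public%' AND account <> excluded."""
    name = bucket.get("Name", "")
    return (sql_like(name, "%test%")
            and not sql_like(name, "%public%")
            and bucket.get("AwsAccount") != EXCLUDED_ACCOUNT)


def render_violation(bucket: dict) -> dict:
    """Build the human-readable violation from object fields (message pattern is assumed)."""
    return {
        "object": f"s3://{bucket['Name']}",
        "account": bucket["AwsAccount"],
        "message": (f"Bucket '{bucket['Name']}' in account {bucket['AwsAccount']} "
                    "matches '%test%' and is not a public bucket"),
    }


def evaluate(objects: list) -> list:
    """Return one violation record per incompliant object; compliant objects yield nothing."""
    return [render_violation(b) for b in objects if is_incompliant(b)]


if __name__ == "__main__":
    for violation in evaluate(TEST_OBJECTS):
        print(violation["object"], "-", violation["message"])
```

Running the block reports exactly one violation, for app-test-logs; the other three test objects show how each clause of the logic excludes an object.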

...

The environment should remain static during the whole policy create/update workflow.


SLA and Support

All custom policy requests are handled by the policy development team.

...