...
Description for the violation, when input object is INAPPLICABLE (if a policy sets this status), for example:
This policy is inapplicable for this object since the object has been deleted on %DELETED_FROM_AMAZON%, and the policy only checks the objects that still exist
Description for the violation, when input object is COMPLIANT with the policy:
This account is compliant with the policy, because it has %NUMBER_OF_PASSWORDS_TO_REMEMBER% number of passwords to remember, which is greater than %NUMBER_OF_PASSWORDS_SAFE_LIMIT_FROM_POLICY_CONFIGURATION%
Description for the violation, when input object is INCOMPLIANT with the policy:
%POLICY.DESCRIPTION%
This security group has %NUMBER_OF_VIOLATING_RULES% incompliant rules: // - please iterate rules
%PROTOCOL% %DIRECTION% [%FROM PORT% - %TO PORT% if not empty] %CIDRIP OR GROUP% // - please iterate descriptions for each rule
Sample description for the policy evaluating AWS EC2 Security Groups and Security Group Rules attached:
This security group has 3 incompliant rules:
TCP inbound [port range] 0.0.0.0/0
TCP inbound [port range] 0.0.0.0/0
TCP inbound [port range] 0.0.0.0/0
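The INCOMPLIANT template above, rendered for a list of security group rules. This is an added example, not code from the original page or the product: the rule dictionary shape, the function names, the sample policy description, and the criterion used to pick violating rules (inbound from any address) are assumptions.

```python
# Added example: renders the INCOMPLIANT violation description for a security group.
# Assumptions (not from the page): the rule dict shape and the "inbound from
# any address" criterion used to select violating rules.

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # assumed violation criterion


def format_rule(rule):
    """Render one rule as: PROTOCOL DIRECTION [FROM - TO] CIDR-or-group."""
    parts = [rule["protocol"].upper(), rule["direction"]]
    from_port, to_port = rule.get("from_port"), rule.get("to_port")
    # The port range is optional in the template: emit it only when present
    # (ICMP rules, for instance, carry no port range).
    if from_port is not None and to_port is not None:
        parts.append(f"[{from_port} - {to_port}]")
    # A rule references either a CIDR block or another security group.
    parts.append(rule.get("cidr") or rule["group"])
    return " ".join(parts)


def violating_rules(rules):
    """Select inbound rules whose source is any address."""
    return [r for r in rules
            if r["direction"] == "inbound" and r.get("cidr") in OPEN_CIDRS]


def describe(policy_description, rules):
    """Return the INCOMPLIANT description, or None when no rule violates."""
    bad = violating_rules(rules)
    if not bad:
        return None
    lines = [policy_description,
             f"This security group has {len(bad)} incompliant rules:"]
    lines.extend(format_rule(r) for r in bad)  # one line per violating rule
    return "\n".join(lines)


# Constructed sample input covering the edge cases: no port range, a group
# reference instead of a CIDR, a private CIDR, and an outbound rule.
SAMPLE_RULES = [
    {"protocol": "tcp", "direction": "inbound", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "direction": "inbound", "from_port": 443, "to_port": 443, "cidr": "10.0.0.0/8"},
    {"protocol": "icmp", "direction": "inbound", "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "direction": "inbound", "from_port": 5432, "to_port": 5432, "group": "sg-EXAMPLE"},
    {"protocol": "udp", "direction": "outbound", "from_port": 53, "to_port": 53, "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(describe("Security groups must not allow inbound traffic from any address.", SAMPLE_RULES))
```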
...
Objects that policy will evaluate as COMPLIANT
[optional] Objects that policy will evaluate as INAPPLICABLE (if policy uses INAPPLICABLE state)
Objects that policy will evaluate as INCOMPLIANT
For complex policies that evaluate multiple states of objects as INCOMPLIANT, the customer must provide a test object for each of these states.
If the policy accommodates the absence of data due to insufficient collector permissions, the customer must provide objects from multiple test environments with different permissions applied.
Other objects that can illustrate the edge cases of the policy.
...