Trend Micro Cloud One™ – Conformity provides rules for:
- Supported Standards and Frameworks
- Commonly used cloud services across AWS, Azure and GCP
- Critical, high-risk and high-impact vulnerabilities
However, your organization may have additional specific controls or policies that
are not supported by Conformity out of the box. You have the option to develop and
maintain your own custom rules through a few different mechanisms.
Custom Rule Types
You can create custom rules using three approaches:
- AWS Config Service (AWS accounts only): findings from AWS Config are ingested and presented as checks via CS-001 - AWS Custom Rule.
- Conformity Custom Checks API: checks are created and managed directly through the API by your own custom-built code.
- Conformity Custom Rules: a built-in, API-managed JSON custom rules feature integrated with Conformity scans. Custom Rules let you write JSON-style rules that assert logic over any cloud resource data already consumed by Conformity.
Comparison
| Properties | Conformity Rules | AWS Config Rules | Custom Checks API | Conformity Custom Rules |
| --- | --- | --- | --- | --- |
| Development | Developed and maintained by Conformity | You maintain the rules via the AWS Config Service | You maintain your own externally operated code to trigger the Checks API | You maintain your own custom rules and save them to your Conformity Organization via API |
| Execution | Executed by the Conformity Bot | Rules executed by AWS Config, findings ingested by Conformity | Fully executed by your own external code | Executed by the Conformity Bot and can be tested manually using a 'dry run' feature |
| Configuration | Configured through the Conformity Rules settings (Rule Configuration) | Managed entirely within the AWS Config service | Fully configurable using your own code | Highly configurable using Conformity's JSON Custom Rules engine |
| Behavior | Produces a wide range of cloud best practice results quickly without any additional configuration | AWS Config Service allows you to script rules and automate the evaluation of recorded configurations against desired attributes. The scripted AWS Config rules produce "Compliance Details". Conformity consumes the "Evaluation Result" from these "Compliance Details" and converts each result into a check. For more information, see AWS Config Rules Evaluation Results | Conformity Custom Checks (via API) are pushed to Conformity from an external system developed by the users. Each check belongs to a "Custom" rule, with a limit of one Custom rule. These Custom rules can have any arbitrary name or service, but their rule ID always starts with CUSTOM-. For more information, see Conformity Custom Checks API | Conformity Custom Rules uses a JSON rules engine implementation to provide a flexible platform for custom logic that runs against cloud resource data already consumed by Conformity. You can create Rules for any provider or service, but can only run them against the resource data already available. Custom Rules are managed via API. For more information, see Conformity Custom Rules Overview |
| Execution Cost | No additional cost | Cost is based on AWS Config Service pricing | Cost depends on the nature of your external code. There is no additional charge from Conformity | No additional execution charge from Conformity |
| Maintenance Effort | Low - configuration optional | Medium - you maintain the rule set within AWS Config | High - you maintain the code to trigger checks | Medium - the Custom Rules framework takes less effort than advanced coding but is more technical than managing Conformity Rule configurations |
| Flexibility | Low - most rules run out of the box with standard configuration options | Medium - all AWS Config rule options available | Very High - no restrictions on the processes that trigger the creation of checks, because you run the code | Medium - create flexible rules that focus on single resource types based on available cloud data |
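To make concrete what a JSON-style rule that "asserts logic over cloud resource data already consumed" looks like in practice, the following Python is an added example, not Conformity's engine, API or rule schema: the rule format, the operator names (`equal`, `notEqual`, `in`, `pattern`, `exists`), the `all`/`any` grouping, the field names and the sample bucket and RDS records are all constructed for this illustration. It evaluates one rule against an in-memory snapshot of resources and yields one check per resource of the rule's type, which is the local equivalent of the dry run the comparison table mentions for Custom Rules.

```python
"""Illustrative JSON rules evaluator (added example; not Conformity's engine or schema).

A rule names a resource type and a tree of conditions. Every resource of that type
already held by the assessment tool is evaluated and produces one check whose status
is SUCCESS or FAILURE. A rule never fetches data itself: it can only assert over the
resource data already available, which mirrors the limitation the comparison table
describes for Conformity Custom Rules.
"""
import json
import re

# Constructed sample resource data (field names are this example's own assumptions).
SAMPLE_RESOURCES = [
    {"resourceType": "s3-bucket", "id": "logs-prod", "region": "us-east-1",
     "encryption": {"enabled": True, "algorithm": "aws:kms"},
     "publicAccessBlock": {"blockPublicAcls": True, "restrictPublicBuckets": True}},
    {"resourceType": "s3-bucket", "id": "static-site", "region": "us-east-1",
     "encryption": {"enabled": False},
     "publicAccessBlock": {"blockPublicAcls": False, "restrictPublicBuckets": False}},
    {"resourceType": "rds-instance", "id": "db-1", "region": "us-east-1",
     "storageEncrypted": True},
]

# Constructed JSON custom rule; the "CUSTOM-" id prefix and the schema are illustrative.
SAMPLE_RULE_JSON = """
{
  "id": "CUSTOM-S3-KMS-AND-PUBLIC-ACL",
  "name": "S3 buckets must use KMS encryption and block public ACLs",
  "severity": "HIGH",
  "resourceType": "s3-bucket",
  "conditions": {
    "all": [
      {"path": "encryption.enabled", "operator": "equal", "value": true},
      {"path": "encryption.algorithm", "operator": "pattern", "value": "^aws:kms"},
      {"path": "publicAccessBlock.blockPublicAcls", "operator": "equal", "value": true}
    ]
  }
}
"""

# Comparison operators a condition may use. A missing attribute resolves to None,
# so "pattern" and "in" fail closed instead of raising.
OPERATORS = {
    "equal": lambda actual, expected: actual == expected,
    "notEqual": lambda actual, expected: actual != expected,
    "in": lambda actual, expected: actual in expected,
    "pattern": lambda actual, expected: isinstance(actual, str)
    and re.search(expected, actual) is not None,
    "exists": lambda actual, expected: (actual is not None) == expected,
}


def get_path(resource, path):
    """Resolve a dotted path such as 'encryption.algorithm'; None if any hop is absent."""
    current = resource
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def evaluate_condition(resource, cond):
    """Evaluate one leaf condition against a single resource."""
    operator = OPERATORS.get(cond["operator"])
    if operator is None:
        raise ValueError(f"unknown operator {cond['operator']!r}")
    return operator(get_path(resource, cond["path"]), cond["value"])


def evaluate_conditions(resource, node):
    """Walk the condition tree: {'all': [...]}, {'any': [...]} or a leaf condition."""
    if "all" in node:
        return all(evaluate_conditions(resource, child) for child in node["all"])
    if "any" in node:
        return any(evaluate_conditions(resource, child) for child in node["any"])
    return evaluate_condition(resource, node)


def evaluate_rule(rule_json, resources):
    """Dry-run a rule over a resource snapshot; one check per resource of the rule's type."""
    rule = json.loads(rule_json)
    checks = []
    for resource in resources:
        if resource.get("resourceType") != rule["resourceType"]:
            continue  # rules focus on a single resource type
        passed = evaluate_conditions(resource, rule["conditions"])
        checks.append({
            "ruleId": rule["id"], "severity": rule["severity"],
            "resource": resource["id"], "region": resource["region"],
            "status": "SUCCESS" if passed else "FAILURE",
        })
    return checks


def summarize(checks):
    """Counts a reviewer would look at after a dry run."""
    failed = sum(1 for c in checks if c["status"] == "FAILURE")
    return {"evaluated": len(checks), "passed": len(checks) - failed, "failed": failed}


if __name__ == "__main__":
    results = evaluate_rule(SAMPLE_RULE_JSON, SAMPLE_RESOURCES)
    print(json.dumps(results, indent=2))
    print(summarize(results))
```

Running the module evaluates the constructed rule against the three sample records: the two buckets each produce a check (the KMS-encrypted bucket passes, the unencrypted public one fails) and the RDS instance is skipped because the rule targets `s3-bucket` only. Unknown operators raise rather than silently pass, so a typo in a rule cannot turn into a false SUCCESS.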