Ensure that you have created a query for resource data to use for your custom rules.
To query resource data:
- Retrieve check data for an existing rule.
  - Choose an existing rule, service or resource type from your cloud environment that is already supported by Cloud Risk Management.
  - Query the checks endpoint using appropriate filters - List account checks.
  - From the check response, note the provider, service, descriptorType and resource of your chosen resource.
- Query the data using the Custom Rules 'run' endpoint.
  - Set up a POST command to the Test custom rule configuration endpoint.
  - For the request body, use the template below. Insert the values for provider, service, descriptorType and resource from the checks API response into the values provider, service, resourceType and resourceId respectively. The remaining values are placeholders.
  - The response should have a results array. The object for the array item should have the following properties: a) the check response ("status": "SUCCESS"), and b) the extraData.

```json
{
  "accountId": "dfc5c4f0-b480-4bf5-9668-20ef9a79a8eb",
  "configuration": {
    "name": "S3 bucket has any Encryption",
    "description": "We want to demonstrate Custom Rules V1",
    "categories": [
      "security"
    ],
    "riskLevel": "MEDIUM",
    "provider": "aws",
    "enabled": true,
    "service": "S3",
    "resourceType": "s3-bucket",
    "remediationNote": "To remediate, follow these steps:\n1. Step one \n2. Step two\n",
    "attributes": [
      {
        "name": "bucketEncryption",
        "path": "data.Encryption",
        "required": true
      }
    ],
    "eventRules": [
      {
        "conditions": {
          "all": [
            {
              "fact": "bucketEncryption",
              "operator": "notEqual",
              "value": null
            }
          ]
        },
        "description": "Bucket has encryption enabled"
      }
    ]
  }
}
```
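The two steps above, sketched offline in Python as an added example that is not part of the original documentation: it fills the template from a check and verifies the 'run' response before the resource data is used. The function names, the flat shape of the sample check, the placement of resourceId inside configuration, and the sample extraData are assumptions made for illustration.

```python
import copy
import json

# Checks API field -> run request field, as stated in the steps above.
CHECK_TO_RUN = {"provider": "provider", "service": "service",
                "descriptorType": "resourceType", "resource": "resourceId"}

def build_run_body(check, template):
    """Return a copy of the template with the four values from the check filled in."""
    missing = [k for k in CHECK_TO_RUN if not check.get(k)]
    if missing:
        raise ValueError("check response lacks: " + ", ".join(missing))
    body = copy.deepcopy(template)  # leave the caller's template untouched
    for src, dst in CHECK_TO_RUN.items():
        # Assumption: all four keys sit in "configuration". The page's template
        # shows provider, service and resourceType there but no resourceId key.
        body["configuration"][dst] = check[src]
    return body

def resource_data(response):
    """Return the extraData of every result, rejecting anything unexpected."""
    results = response.get("results")
    if not isinstance(results, list) or not results:
        raise ValueError("response has no results array")
    found = []
    for i, item in enumerate(results):
        if item.get("status") != "SUCCESS":
            raise ValueError(f"results[{i}] status is {item.get('status')!r}")
        if "extraData" not in item:
            raise ValueError(f"results[{i}] has no extraData")
        found.append(item["extraData"])
    return found

# Constructed sample inputs (simplified; not real API output).
SAMPLE_CHECK = {"provider": "aws", "service": "S3",
                "descriptorType": "s3-bucket", "resource": "example-bucket"}
TEMPLATE = {"accountId": "<account-id>",
            "configuration": {"name": "S3 bucket has any Encryption",
                              "provider": "", "service": "", "resourceType": "",
                              "attributes": [], "eventRules": []}}
SAMPLE_RESPONSE = {"results": [{"status": "SUCCESS",
                                "extraData": {"Encryption": {"Rules": []}}}]}

if __name__ == "__main__":
    print(json.dumps(build_run_body(SAMPLE_CHECK, TEMPLATE), indent=2))
    print(resource_data(SAMPLE_RESPONSE))
```

Checking the status and the presence of extraData before use keeps a failed or empty run from being mistaken for resource data when the rule's attribute paths are written.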
