
The workflow will help you create new custom rules for particular accounts and apply exceptions to their existing scanning framework.

Custom Rules allows only SUCCESS, FAILURE, and ERROR results and is designed to strip back the complex business logic of Cloud Risk Management’s existing check framework. (Note: ERROR results represent issues with resource data and/or rule logic; they are not saved by the scan but are returned by the run endpoint to aid in development.)
You can implement the equivalent of an exception by building conditions that automatically return SUCCESS for a resource that matches certain parameters.
Here is an example of a configuration which checks both S3 encryption and public access block, but automatically succeeds for any bucket whose name contains 'test'.
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "S3 encrypted and public access block - with safelist for 'test'",
		"description": "Check S3 has encryption AND public access block, but safelist 'test' buckets",
		"service": "S3",
		"resourceType": "s3-bucket",
		"riskLevel": "HIGH",
		"enabled": true,
		"provider": "aws",
		"categories": ["security"],
		"remediationNote": "To remediate, follow these steps:\n1. Do as you wish \n2. Step two\n",
		"attributes": [
			{
				"name": "bucketEncryption",
				"path": "data.Encryption",
				"required": true
			},
			{
				"name": "publicAccessBlockConfiguration",
				"path": "data.PublicAccessBlockConfiguration",
				"required": true
			},
			{
				"name": "safeList",
				"path": "data.resourceId",
				"required": true
			}
		],
		"eventRules": [
			{
				"conditions": {
					"any": [
						{
							"fact": "safeList",
							"operator": "pattern",
							"value": ".*test.*"
						},
						{
							"all": [
								{
									"fact": "bucketEncryption",
									"operator": "notEqual",
									"value": null
								},
								{
									"fact": "publicAccessBlockConfiguration",
									"operator": "notEqual",
									"value": null
								}
							]
						}
					]
				},
				"description": "Bucket has encryption enabled"
			}
		]
	}
}
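The `any`/`all` logic of the configuration above, as an added example that is not the product's own evaluator: it shows that the `.*test.*` safelist also passes buckets that merely contain the substring, and compares it with an anchored pattern. The operator semantics ("pattern" as a regex search, "notEqual" as plain inequality), the bucket names and the tightened pattern `(^|-)test(-|$)` are assumptions made for illustration; `required` handling and ERROR results are not modelled.

```python
import re

# Assumed semantics, not the product's engine: "pattern" is a regex search on
# the fact value, "notEqual" is plain inequality, and JSON null maps to None.
OPERATORS = {
    "pattern": lambda fact, value: re.search(value, str(fact)) is not None,
    "notEqual": lambda fact, value: fact != value,
}
ATTRIBUTES = {
    "bucketEncryption": "data.Encryption",
    "publicAccessBlockConfiguration": "data.PublicAccessBlockConfiguration",
    "safeList": "data.resourceId",
}

def resolve(resource, path):
    node = resource
    for key in path.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def evaluate(cond, facts):
    # Recursively evaluate the any/all condition tree from eventRules.
    if "any" in cond:
        return any(evaluate(c, facts) for c in cond["any"])
    if "all" in cond:
        return all(evaluate(c, facts) for c in cond["all"])
    return OPERATORS[cond["operator"]](facts[cond["fact"]], cond["value"])

def run_rule(resource, safelist_pattern=".*test.*"):
    conditions = {"any": [
        {"fact": "safeList", "operator": "pattern", "value": safelist_pattern},
        {"all": [
            {"fact": "bucketEncryption", "operator": "notEqual", "value": None},
            {"fact": "publicAccessBlockConfiguration", "operator": "notEqual", "value": None},
        ]},
    ]}
    facts = {name: resolve(resource, path) for name, path in ATTRIBUTES.items()}
    return "SUCCESS" if evaluate(conditions, facts) else "FAILURE"

def bucket(name, encrypted, blocked):
    # Constructed sample resource; the nested values are placeholders.
    return {"data": {"resourceId": name,
                     "Encryption": {"sample": True} if encrypted else None,
                     "PublicAccessBlockConfiguration": {"sample": True} if blocked else None}}

if __name__ == "__main__":
    for b in (bucket("app-test-logs", False, False), bucket("latest-exports", False, False),
              bucket("prod-data", True, True), bucket("prod-data", True, False)):
        print(b["data"]["resourceId"], run_rule(b), run_rule(b, r"(^|-)test(-|$)"))
```

With the page's pattern, the unencrypted `latest-exports` bucket returns SUCCESS because "latest" contains "test"; anchoring the safelist to a naming convention keeps the exception limited to the buckets it was meant for.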