Security Configuration Audit Policy Syntax
The Security Configuration Audit Policy syntax used by the Policy Builder is as follows:
You start building the policy by selecting a resource type. A resource type is a service provided by an IaaS CSP, such as EC2, S3, or an Azure storage account.
Policy Syntax: IF <policy_ruleset> THEN Severity is <severity>
- policy_ruleset. A set of one or more policy rules. The first policy rule always starts with the IF statement.
- Policy Rule. A conditional statement that can start with either AND or OR. For example: AND <resource_attribute> <operator> <resource_attribute_value(s)>.
- resource_attribute. Each resource type has specific attributes. Some attributes are simple and some are complex. Complex attributes come from a sub-resource type that is related to the parent resource type. For example, the attribute VPC is the VPC in which the EC2 instance is located. Here EC2 is the resource type, VPC is the sub-resource type, and the complex resource attribute is VPC.VPCFlowLog.VPCFlowLogId.
NOTE: Resource attribute names appear as defined by the IaaS CSPs.
- attribute group. A policy rule can also use an attribute group, which is a group of attributes. An attribute group cannot be given a value, but the content of the group can be defined. If no attribute under an attribute group is set, the group is considered NOT SET. The supported operators for an attribute group are Count, Is set, and Is not set.
- resource_attribute_value. A value assigned to a resource attribute. Depending on the type of resource attribute, you can assign a single value or multiple values. The Policy Builder pre-populates sample attribute values wherever applicable.
- Severity. Defines the severity of the incident generated when the policy is executed. Supported values are Critical, Major, Minor, Warning, and Info.
Errors
While creating a Config Audit Policy, you may see the following errors:
- Evaluate on can't be same as selected resource type. This error occurs when you select the same value for Evaluate On as the selected Resource Type.
- Only one Having rule condition allowed. You cannot use multiple Count operations in a policy.
- Unable to cast a value to %s for the property. This error occurs when you provide a value of an invalid type for the attribute.
- Failed to save Policy. This error occurs when an internal server error happens while saving the policy. Try again.
- The duplicate entry of the policy. This error occurs when you try to create a policy with the same name as an existing policy. Use a unique name for the policy.
Supported Resource Types
Supported resource types and their APIs are listed here for AWS, Azure, and Google Cloud Platform (GCP).
NOTE: For the complete list of supported attributes for each resource type, refer to the corresponding API links.
AWS
Resource Types | Supported APIs |
---|---|
AWS Account | get-public-access-block list-distributions |
Athena Query Execution | |
AMI | describeImages |
AWS Internet Gateway | describeInternetGateways |
AWS Region | describe-customer-gateways |
AWS ECR Registry | describe-repositories |
AWS ECR Repository | describe-repositories |
CloudFront | |
CloudFormation | |
CloudTrail | |
CloudWatch | describeAlarms |
Cloud Watch Log Group | describeLogGroups |
Dynamo DB | |
EBS Snapshot | describeSnapshots |
EBS Volume | describeVolumes |
EC2 | describeInstances |
AWS Elastic Cache | describeCacheClusters |
ELB | V2 describeLoadBalancerAttributes Classic |
ECR Image | describe-repositories |
ECS | |
ECS Fargate | |
EKS | |
EKS Fargate | |
EKS Worker Node | |
EMR Cluster | |
AWS Glue | getSecurityConfigurations |
AWS IAM | |
AWS IAM Policy | listPolicies (PolicyScopeType.Local) |
AWS IAM Server Certificate | listServerCertificates |
AWS Kinesis | |
AWS KMS | |
AWS Lambda | |
AWS Network ACLs | describeNetworkAcls |
AWS NAT Gateway | describeNatGateways |
AWS Network Interface | describeNetworkInterfaces |
RDS | |
RDS Cluster | |
RDS Cluster Snapshot | |
RDS Snapshot | |
AWS Redshift | describeClusters |
Route53 | |
Route 53 Domains | |
AWS Route Table | describeRouteTables |
S3 | getBucketVersioningConfiguration getBucketLifecycleConfiguration |
Security Group | describeSecurityGroups |
SNS | listTopics |
SQS | |
AWS Subnet | describeSubnets |
AWS User | |
AWS VPC | |
AWS VPC Peering Connections | describeVpcPeeringConnections |
AWS Elastic File System | describeFileSystems |
AWS API Gateway | |
AWS Elastic Search | |
ACM Managed Certificate | describeCertificate |
AWS Codebuild | |
Microsoft Azure
Resource Types | Supported APIs |
---|---|
Azure Activity Log Alert | |
Azure Activity Log | logprofiles |
Azure AD User | |
Azure Application | |
Azure Application Gateway | |
AKS | |
AKS Worker Node | |
Azure Cosmos DB | listmongodbdatabases listusages |
Azure Security Center | |
Azure Disk | list |
Azure Event Hub | |
Azure Functions | listfunctionsecrets |
Azure Key Vault | |
Azure Load Balancer | |
Azure Management Locks | listatsubscriptionlevel |
Azure Maria DB | listbyserver-configurations |
Azure MySQL Database | |
Azure PostGreSQL Database | |
Azure NAT Gateway | list |
Azure Network Interface | list |
Network Security Group | |
Azure Public IP Address | |
Azure Redis Cache | listbyredisresource-firewall-rules diagnosticsettings |
Resource Group | list |
Azure Route Table | list |
Azure VM Scale Set | list |
Azure Service Bus | listbyresourcegroup-namespaces listbynamespace-topics |
Azure SQL Database | |
Azure SQL Server | |
Azure Storage Account | |
Subscription | list |
Azure Virtual Machine | |
Azure Virtual Network | |
Azure Subnet | list |
Azure Workspace | list-by-rg |
GCP
Resource Types | Supported APIs |
---|---|
GCP API Service | projects.serviceAccounts/list |
GCP Cloud Storage | |
GCP Disk Snapshot | snapshots/get |
GCP DNS Managed Zone | managedZones/get |
GCP Firewall Rule | |
GCP Cloud Functions | projects.locations.functions/get |
GCP IAM | auditLogs and linked attributes |
GCP IAM Policy | projects/getIamPolicy |
GCP Image | images/list |
Virtual Machine Image | |
GCP KMS | |
GCP Load Balancer | urlMaps/get |
GCP LB Target Https Proxy | |
GCP Network | networks/list |
Project | |
GCP PubSub Snapshot | projects.snapshots/list |
GCP PubSub Subscription | projects.subscriptions/get |
GCP PubSub Topic | projects.topics/get |
GCP Service Account | serviceAccount, roles |
GCP SQL Databases | instances/get |
GCP SSL Policy | listsslpolicy |
GCP User | Email, Roles |
GCP Disk | disks/get |
GCP Virtual Machine | instances/list |
GKE | |
GKE Worker Node | |
GCP Virtual network Subnet | |
GCP Container Repository | getContainers |
GCP container Image | getContainerImages |
Supported Operators
The following operators are supported.
NOTE: While creating a policy rule, operators are populated based on the type of resource attribute. Not all operators are applicable to an attribute.
Operator | Description |
---|---|
is in | Allows you to specify multiple values |
is not in | Allows you to exclude the specified multiple values |
equals to | Allows you to compare the attribute value against a specific value |
not equals to | Inequality operator; the opposite of "equals to" |
greater than | Allows you to check whether the attribute value is greater than the specified value |
greater than equal to | Allows you to check whether the attribute value is greater than or equal to the specified value |
less than | Allows you to check whether the attribute value is less than the specified value |
less than equal to | Allows you to check whether the attribute value is less than or equal to the specified value |
contains | Allows you to verify that a list of attribute values contains a specific item |
not contains | Allows you to verify that a list of attribute values does not contain a specific item |
starts with | Allows you to verify that the attribute value starts with the specified string value |
not starts with | Opposite of "starts with" |
ends with | Allows you to verify that the attribute value ends with the specified string value |
not ends with | Opposite of "ends with" |
time is in next | Allows you to match a time value between the current time and the given number of days (unit) in the future |
time is in last | Allows you to match a time value between the given number of days (unit) in the past and the current time |
time is older than | Allows you to match a time value older than the given number of days (unit) in the past |
is set | Allows you to verify that the attribute value is set |
is not set | Allows you to verify that the attribute value is not set |
count | Allows you to find the total number of occurrences per resource. This operator is visible only for attribute groups |
Evaluate On | Provides the ability to generate the violation against a parent resource type such as Region or Account |
Supported Value Types
- String/Text: Case sensitive
- Numbers
- Boolean
- Date/Time
- List
NOTE: Regex is currently not supported.
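As an added illustration of the policy syntax, the attribute-group NOT SET rule, a subset of the operators, and case-sensitive string values described on this page (example code written for this page, not the Policy Builder's own implementation), the following Python evaluator applies a ruleset to a constructed EC2 resource dictionary. The rule tuple layout, left-to-right combination of AND/OR, and the sample attribute names and values are assumptions.

```python
from datetime import datetime, timedelta, timezone
# Hypothetical evaluator for "IF <policy_ruleset> THEN Severity is <severity>". A rule is
# (connector, resource_attribute, operator, value): connector IF for the first rule, then
# AND / OR, combined left to right without precedence (an assumption, not documented here).

def resolve(resource, attribute):
    """Walk a dotted path such as VPC.VPCFlowLog.VPCFlowLogId through nested attributes."""
    node = resource
    for part in attribute.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def is_set(value):
    """An attribute group (dict) is NOT SET when none of the attributes under it is set."""
    if isinstance(value, dict):
        return any(is_set(v) for v in value.values())
    return value not in (None, "", [])

def apply_operator(actual, operator, expected, now):
    """A representative subset of the documented operators; string checks are case sensitive."""
    ops = {
        "is in": lambda: actual in expected,
        "equals to": lambda: actual == expected,
        "is set": lambda: is_set(actual),
        "is not set": lambda: not is_set(actual),
        "count": lambda: len(actual or []) == expected,
        "time is older than": lambda: actual is not None and actual < now - timedelta(days=expected),
    }
    return ops[operator]()

def evaluate(policy, resource, now=None):
    """Return the policy severity when the ruleset matches the resource, else None."""
    now = now or datetime.now(timezone.utc)
    result = False
    for connector, attribute, operator, expected in policy["rules"]:
        hit = apply_operator(resolve(resource, attribute), operator, expected, now)
        result = hit if connector == "IF" else (result and hit) if connector == "AND" else (result or hit)
    return policy["severity"] if result else None

# Constructed sample: a long-running EC2 instance whose VPC has no flow log configured.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
EC2_SAMPLE = {"InstanceId": "i-0example", "State": {"Name": "running"},
              "LaunchTime": datetime(2020, 1, 1, tzinfo=timezone.utc),
              "VPC": {"VpcId": "vpc-0example", "VPCFlowLog": {"VPCFlowLogId": None}}}
FLOWLOG_POLICY = {"severity": "Major", "rules": [
    ("IF", "State.Name", "equals to", "running"),
    ("AND", "LaunchTime", "time is older than", 90),
    ("AND", "VPC.VPCFlowLog", "is not set", None)]}
```

Calling evaluate(FLOWLOG_POLICY, EC2_SAMPLE, NOW) returns "Major" because the VPCFlowLog group has no attribute set; giving VPCFlowLogId a value makes the same call return None.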