Apart from the pre-installed policies that you get with Accurics, you can create your own custom policies and custom rules to use within custom policies.
Creating a Custom Policy
You can create a custom policy with pre-installed and custom rules.
To create a custom policy:
- Login to the Accurics console.
- Select your Environment, click Policies in the left-hand menu, and then click ADD POLICY.
- Provide the policy name, cloud provider, policy mode, and click Next.
- Select the pre-installed and custom rules that you want to include in your custom policy and click Next.
- For a Self-Heal policy, you can provide new default values for some of the rules. When a violation is found, the violating value in the repository is replaced with the default value you specify here.
- Review the information and then click Finish. The new policy is now visible on the Policies page.
About Policy Modes
Consider a situation where you do not want your CI/CD tool to deploy cloud resources if Accurics detects a serious violation in your IaC.
The Accurics CLI supports this by returning an exit status code that depends on the policy mode. You can configure your CI/CD pipeline to check this status code and fail the build accordingly.
- Monitor – This is the default mode. The Accurics CLI always returns status 0 (success), even if it detects a violation in your IaC.
Accurics CLI output for a policy in monitor mode:
- Enforce – If the Accurics CLI detects a high-priority violation in your IaC, it returns status 1 (failure).
Accurics CLI output for a policy in enforce mode:
- Self-Heal – A Self-Heal policy works when Auto-Remediate is enabled on the repository. After scanning the IaC resources, if the scan finds any violations, the Self-Heal policy replaces the violating values in the IaC with the default values specified in the policy. You can change the default values for some of the rules. See Creating a Custom Policy.
Creating a Custom Rule
You can create custom rules that you can then add to custom policies.
Prerequisite: Run a scan first so that the cloud resources (resource types and individual resources) are available to the rule builder.
To create a custom rule:
- Login to the Accurics console.
- Select your Environment, click Policies in the left-hand menu, and then click ADD RULE.
- The Custom Policy Builder appears.
- In the Custom Policy Builder, provide the following information:
Note: Even though the Custom Policy Builder identifies your cloud provider and fetches the resources from a cloud scan you have previously run, you can try out and create rules for all supported cloud providers listed in the Provider drop-down.
| Field | Description |
|---|---|
| Provider | Select a cloud provider. |
| Resource Type | Select the resource type for which you want to create the rule. Selecting a Resource Type provides the schema / inputs under the Rule Input for all resources of that resource type. |
| Select Resource | Use this field to drill down to a specific resource of the selected resource type. The schema for the selected resource then appears under the Rule Input. Identify the attribute for which you want to create the rule. For example, if you select a virtual machine resource type, it could have an attribute called `public_ip_address`. If you want to ensure that the resource does not have a public IP address, add the following in the Rule Template: `obj.config.public_ip_address != ""`. When you run this policy, a violation is detected against this resource if the resource has a public IP address configured. Note: The Rule Input window is editable so that you can make temporary changes to a parameter value and test the Rule Template against it. Your changes are used only for testing purposes and are not saved. |
| Severity | Select the Severity: High, Medium, Low, Info. |
| Category | Select the appropriate category. |
| Vulnerability Title | Provide a title for the rule. |
| Remediation Steps | Specify the remediation steps. For example, "Remove Public IP Access". |
| Applicable Benchmark | Specify the applicable Benchmark. |
| Applicable Sections | Add the sections of the benchmark that apply to this rule. You can add one or more sections. |
- Click TEST to check the rule against the resource. Click SAVE to save the rule. The rule is saved in the "Custom Rules for <cloud_provider>" policy, for example, Custom Rules for Azure.
- You can then use this custom rule in custom policies.
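To make the Rule Template semantics concrete, here is an added illustrative evaluator (not the Accurics engine and not code from this page) for the `obj.config.<attribute> == / != "<value>"` form shown above. It also mimics the editable Rule Input window by testing a rule against a temporarily changed copy of the resource; the sample virtual machine and its attribute names other than `public_ip_address` are constructed assumptions.

```python
import re

# Constructed sample resource, shaped like the Rule Input the Custom Policy Builder
# shows for a virtual machine. Attribute names other than public_ip_address are
# assumptions for illustration only.
SAMPLE_VM = {
    "config": {
        "name": "web-01",
        "vm_size": "Standard_B1s",
        "public_ip_address": "203.0.113.10",
    }
}

# Supported template form: obj.config.<attribute> == "<value>" or != "<value>"
_RULE_RE = re.compile(r'^obj\.config\.(\w+)\s*(==|!=)\s*"([^"]*)"$')


def evaluate_rule(rule_template: str, resource: dict) -> bool:
    """Return True when the Rule Template matches the resource, i.e. a violation is detected.

    Illustrative evaluator only. Curly quotes, as often pasted from documentation,
    are normalised to straight quotes before parsing.
    """
    normalised = rule_template.strip().replace("\u201c", '"').replace("\u201d", '"')
    match = _RULE_RE.match(normalised)
    if not match:
        raise ValueError(f"unsupported rule template: {rule_template!r}")
    attribute, operator, expected = match.groups()
    # A missing attribute is treated as an empty string so that `!= ""` does not fire on it.
    actual = resource.get("config", {}).get(attribute)
    actual = "" if actual is None else str(actual)
    return actual != expected if operator == "!=" else actual == expected


def evaluate_with_override(rule_template: str, resource: dict, overrides: dict) -> bool:
    """Mimic the editable Rule Input window: evaluate the rule against a copy of the
    resource with temporary parameter changes, leaving the original resource untouched."""
    trial = {"config": {**resource.get("config", {}), **overrides}}
    return evaluate_rule(rule_template, trial)


if __name__ == "__main__":
    rule = 'obj.config.public_ip_address != ""'
    print("violation on sample VM:", evaluate_rule(rule, SAMPLE_VM))  # True
    print("violation after clearing the public IP:",
          evaluate_with_override(rule, SAMPLE_VM, {"public_ip_address": ""}))  # False
```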