added
Additional custom policies operators
almost 2 years ago by Gilad Mark
Bridgecrew custom policies now support additional operators in the policy schema, extending the set that was already available. The newly supported operators are:
- JSON Path Equals (`jsonpath_equals`) - evaluates whether the value selected by a JSON path equals a given value
- JSON Path Exists (`jsonpath_exists`) - evaluates whether a JSON path selects any value at all
- Subset (`subset`) - evaluates that every item in the attribute's list appears in the policy's list of allowed values
- Not Subset (`not_subset`) - evaluates that at least one item in the attribute's list does not appear in the policy's list of allowed values
The following example combines some of these operators into a policy that requires every security group to have each of the following ingress rules:
- Port 22 from the IP 192.168.0.122/32
- Port 443 from the IP 8.0.4.19/32
```yaml
---
metadata:
  name: "AWS Security Group rule check"
  guidelines: "Security groups must allow port 22 from the bastion host and port 443 from 8.0.4.19"
  category: "general"
  severity: "critical"
scope:
  provider: "aws"
definition:
  and:
    - cond_type: "attribute"
      resource_types:
        - "aws_security_group"
      attribute: "ingress[?(@.to_port == 22 & @.from_port == 22)].cidr_blocks[*]"
      operator: "jsonpath_equals"
      value: "192.168.0.122/32" # bastion host IP
    - cond_type: "attribute"
      resource_types:
        - "aws_security_group"
      attribute: "ingress[?(@.to_port == 443 & @.from_port == 443)].cidr_blocks[?(@ == '8.0.4.19/32')]"
      operator: "jsonpath_exists"
```
The following example requires that every IP in any security group ingress rule comes from a closed list of allowed CIDR blocks. Egress rules are exempted by the first branch of the `or`, so they always pass.
```yaml
---
metadata:
  name: "AWS Security Group rule check"
  guidelines: "All ingress rules must include IPs from specific servers"
  category: "general"
  severity: "critical"
scope:
  provider: "aws"
definition:
  or:
    - cond_type: "attribute"
      resource_types:
        - "aws_security_group_rule"
      attribute: "type"
      operator: "equals"
      value: "egress"
    - cond_type: "attribute"
      resource_types:
        - "aws_security_group_rule"
      attribute: "cidr_blocks"
      operator: "subset"
      value:
        - "1.2.3.4/32"
        - "2.3.4.5/32"
```
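To make the semantics of the new operators concrete, here is an added example (my own code, not Bridgecrew's or Checkov's policy engine) that evaluates the definition blocks of both policies above against constructed security-group resources. It assumes resources are plain dicts shaped like a parsed Terraform block, supports only the JSONPath forms the two policies use (dotted keys, `[*]`, and `[?(...)]` filters with `==` clauses joined by `&`), ignores `resource_types`, and treats `jsonpath_equals` as "every selected value equals the policy value"; those simplifications are mine.

```python
"""Minimal evaluator for jsonpath_equals, jsonpath_exists, subset and
not_subset (added example; assumptions noted in comments)."""
import re
from typing import Any

# A path is a sequence of bare names and bracket expressions; dots are skipped.
_TOKEN = re.compile(r"([A-Za-z_]\w*)|\[([^\]]*)\]")


def _literal(text: str) -> Any:
    """Parse a filter literal: a quoted string or an integer."""
    text = text.strip()
    if text and text[0] in "'\"":
        return text[1:-1]
    try:
        return int(text)
    except ValueError:
        return text


def _filter(expr: str, items: list) -> list:
    """Apply a [?(...)] filter whose clauses are '@ == v' or '@.key == v' joined by '&'."""
    clauses = [c.strip() for c in expr.split("&")]

    def keep(item: Any) -> bool:
        for clause in clauses:
            lhs, rhs = (s.strip() for s in clause.split("=="))
            want = _literal(rhs)
            if lhs == "@":
                got = item
            elif isinstance(item, dict):
                got = item.get(lhs[2:])  # drop the leading "@."
            else:
                return False
            if got != want:
                return False
        return True

    return [i for i in items if keep(i)]


def jsonpath(path: str, data: Any) -> list:
    """Return every node selected by the restricted JSONPath subset used above."""
    nodes = [data]
    for name, bracket in _TOKEN.findall(path):
        if name:
            nodes = [n[name] for n in nodes if isinstance(n, dict) and name in n]
            continue
        items = [x for n in nodes if isinstance(n, list) for x in n]
        bracket = bracket.strip()
        if bracket == "*":
            nodes = items
        elif bracket.startswith("?(") and bracket.endswith(")"):
            nodes = _filter(bracket[2:-1], items)
        else:
            raise ValueError(f"unsupported bracket expression [{bracket}]")
    return nodes


def _flatten(matches: list) -> list:
    """subset/not_subset compare list members, so unwrap matched lists."""
    return [x for m in matches for x in (m if isinstance(m, list) else [m])]


def evaluate_condition(cond: dict, resource: dict) -> bool:
    op, value = cond["operator"], cond.get("value")
    matches = jsonpath(cond["attribute"], resource)
    if op == "equals":
        return matches == [value]
    if op == "jsonpath_exists":
        return bool(matches)
    if op == "jsonpath_equals":  # assumption: all selected values must equal `value`
        return bool(matches) and all(m == value for m in matches)
    if op == "subset":
        return all(x in value for x in _flatten(matches))
    if op == "not_subset":
        return any(x not in value for x in _flatten(matches))
    raise ValueError(f"unsupported operator {op}")


def evaluate(definition: dict, resource: dict) -> bool:
    """Recursively evaluate an and/or definition tree."""
    if "and" in definition:
        return all(evaluate(d, resource) for d in definition["and"])
    if "or" in definition:
        return any(evaluate(d, resource) for d in definition["or"])
    return evaluate_condition(definition, resource)


# The two definition blocks from the policies above, as Python dicts.
SG_POLICY = {"and": [
    {"attribute": "ingress[?(@.to_port == 22 & @.from_port == 22)].cidr_blocks[*]",
     "operator": "jsonpath_equals", "value": "192.168.0.122/32"},
    {"attribute": "ingress[?(@.to_port == 443 & @.from_port == 443)].cidr_blocks[?(@ == '8.0.4.19/32')]",
     "operator": "jsonpath_exists"},
]}
RULE_POLICY = {"or": [
    {"attribute": "type", "operator": "equals", "value": "egress"},
    {"attribute": "cidr_blocks", "operator": "subset", "value": ["1.2.3.4/32", "2.3.4.5/32"]},
]}

# Constructed sample resources (not real infrastructure).
GOOD_SG = {"ingress": [
    {"from_port": 22, "to_port": 22, "cidr_blocks": ["192.168.0.122/32"]},
    {"from_port": 443, "to_port": 443, "cidr_blocks": ["10.0.0.0/8", "8.0.4.19/32"]},
]}
BAD_SG = {"ingress": [  # SSH open to the world: fails the first condition
    {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
    {"from_port": 443, "to_port": 443, "cidr_blocks": ["8.0.4.19/32"]},
]}
EGRESS_RULE = {"type": "egress", "cidr_blocks": ["0.0.0.0/0"]}
GOOD_RULE = {"type": "ingress", "cidr_blocks": ["1.2.3.4/32"]}
BAD_RULE = {"type": "ingress", "cidr_blocks": ["1.2.3.4/32", "0.0.0.0/0"]}

if __name__ == "__main__":
    for label, policy, res in [("good sg", SG_POLICY, GOOD_SG), ("bad sg", SG_POLICY, BAD_SG),
                               ("egress rule", RULE_POLICY, EGRESS_RULE),
                               ("good rule", RULE_POLICY, GOOD_RULE), ("bad rule", RULE_POLICY, BAD_RULE)]:
        print(f"{label}: {'PASS' if evaluate(policy, res) else 'FAIL'}")
```

Running the script prints PASS for the compliant security group, the egress rule and the allow-listed ingress rule, and FAIL for the group whose port 22 rule is open to `0.0.0.0/0` and for the ingress rule that mixes an allowed CIDR with `0.0.0.0/0`; the last case is exactly what `subset` catches and `not_subset` would flag when used as a negative condition.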