
Additional custom policy operators

Bridgecrew custom policies now support additional operators in the YAML policy schema, which makes it possible to express checks that previously could not be written as a custom policy. The newly supported operators are:

  • JSON Path Equals (jsonpath_equals) - select a value from the resource with a JSONPath expression and check that it equals the value given in the policy
  • JSON Path Exists (jsonpath_exists) - check that a JSONPath expression matches at least one value in the resource
  • Subset (subset) - check that every element of the resource's list attribute appears in the list given in the policy
  • Not Subset (not_subset) - check that at least one element of the resource's list attribute is absent from the list given in the policy

The following example combines the two JSONPath operators into a policy that requires every security group to have both of the following ingress rules:

  • Port 22 from the IP 192.168.0.122/32
  • Port 443 from the IP 8.0.4.19/32

---
metadata:
  name: "AWS Security Group rule check"
  guidelines: "Security groups must allow port 22 from the bastion host and port 443 from 8.0.4.19"
  category: "general"
  severity: "critical"
scope:
  provider: "aws"
definition:
  and:
    - cond_type: "attribute"
      resource_types:
        - "aws_security_group"
      attribute: "ingress[?(@.to_port == 22 & @.from_port == 22)].cidr_blocks[*]"
      operator: "jsonpath_equals"
      value: "192.168.0.122/32"  # bastion host IP
    - cond_type: "attribute"
      resource_types:
        - "aws_security_group"
      attribute: "ingress[?(@.to_port == 443 & @.from_port == 443)].cidr_blocks[?(@ == '8.0.4.19/32')]"
      operator: "jsonpath_exists"

The following example requires that every CIDR block in any security group ingress rule comes from a closed allow list. Egress rules are skipped: the definition is an "or", so a rule whose type is "egress" passes without its cidr_blocks being inspected. Note that the policy only looks at cidr_blocks, so an ingress rule that opens traffic through ipv6_cidr_blocks alone is not caught by it.

---
metadata:
  name: "AWS Security Group rule check"
  guidelines: "All ingress rules must include IPs from specific servers"
  category: "general"
  severity: "critical"
scope:
  provider: "aws"
definition:
  or:
    - cond_type: "attribute"
      resource_types:
        - "aws_security_group_rule"
      attribute: "type"
      operator: "equals"
      value: "egress"
    - cond_type: "attribute"
      resource_types:
        - "aws_security_group_rule"
      attribute: "cidr_blocks"
      operator: "subset"
      value:
        - "1.2.3.4/32"
        - "2.3.4.5/32"
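To make the subset semantics and the and/or composition concrete, here is an added toy evaluator that runs the allow-list policy above against a few constructed aws_security_group_rule resources. It is illustration code written for this page, not Checkov's or Bridgecrew's implementation: the resource shape ({"id", "type", "attributes"}), the rule that a missing or non-list attribute fails a subset check, and the handling of out-of-scope resource types are assumptions of this example, and the jsonpath_* operators are omitted because they need a JSONPath engine.

```python
"""Toy evaluator for the equals / subset / not_subset operators and the
and/or composition of the YAML custom-policy format.

Added illustration, not Checkov's own code. Assumptions: resources are
flattened to {"id", "type", "attributes"} dicts; a missing or non-list
attribute fails subset and not_subset; a leaf condition whose
resource_types do not include the resource's type evaluates to False.
"""
from typing import Any, Callable, Dict, List, Set

ALLOWED_CIDRS = ["1.2.3.4/32", "2.3.4.5/32"]

# The allow-list policy from this page, as a dict instead of YAML.
INGRESS_ALLOWLIST_POLICY = {
    "metadata": {"name": "AWS Security Group rule check", "severity": "critical"},
    "scope": {"provider": "aws"},
    "definition": {
        "or": [
            {"cond_type": "attribute", "resource_types": ["aws_security_group_rule"],
             "attribute": "type", "operator": "equals", "value": "egress"},
            {"cond_type": "attribute", "resource_types": ["aws_security_group_rule"],
             "attribute": "cidr_blocks", "operator": "subset", "value": ALLOWED_CIDRS},
        ]
    },
}

# Constructed sample resources, shaped like parsed Terraform blocks.
RESOURCES = [
    {"id": "aws_security_group_rule.bastion_in", "type": "aws_security_group_rule",
     "attributes": {"type": "ingress", "from_port": 22, "to_port": 22,
                    "cidr_blocks": ["1.2.3.4/32"]}},
    {"id": "aws_security_group_rule.open_in", "type": "aws_security_group_rule",
     "attributes": {"type": "ingress", "from_port": 443, "to_port": 443,
                    "cidr_blocks": ["1.2.3.4/32", "0.0.0.0/0"]}},
    {"id": "aws_security_group_rule.all_out", "type": "aws_security_group_rule",
     "attributes": {"type": "egress", "from_port": 0, "to_port": 0,
                    "cidr_blocks": ["0.0.0.0/0"]}},
    {"id": "aws_security_group_rule.no_cidr", "type": "aws_security_group_rule",
     "attributes": {"type": "ingress", "from_port": 443, "to_port": 443,
                    "cidr_blocks": []}},
    {"id": "aws_instance.web", "type": "aws_instance",
     "attributes": {"ami": "ami-constructed"}},
]


def op_equals(actual: Any, expected: Any) -> bool:
    return actual == expected


def op_subset(actual: Any, allowed: List[Any]) -> bool:
    # Every element of the resource's list must appear in the policy list.
    # An empty list is vacuously a subset and therefore passes.
    if not isinstance(actual, list):
        return False  # assumption: missing/non-list attribute fails
    return set(actual) <= set(allowed)


def op_not_subset(actual: Any, allowed: List[Any]) -> bool:
    # At least one element of the resource's list is outside the policy list.
    if not isinstance(actual, list):
        return False  # assumption: missing/non-list attribute fails
    return not set(actual) <= set(allowed)


OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": op_equals,
    "subset": op_subset,
    "not_subset": op_not_subset,
}


def evaluate(node: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Recursively evaluate an and/or tree of attribute conditions."""
    if "and" in node:
        return all(evaluate(child, resource) for child in node["and"])
    if "or" in node:
        return any(evaluate(child, resource) for child in node["or"])
    if node.get("cond_type") != "attribute":
        raise ValueError(f"unsupported cond_type: {node.get('cond_type')}")
    if resource["type"] not in node["resource_types"]:
        return False  # assumption: condition does not apply to this type
    actual = resource["attributes"].get(node["attribute"])
    return OPERATORS[node["operator"]](actual, node.get("value"))


def scoped_types(node: Dict[str, Any]) -> Set[str]:
    """Collect every resource type named by any leaf of the definition."""
    children = node.get("and") or node.get("or")
    if children:
        return set().union(*(scoped_types(child) for child in children))
    return set(node["resource_types"])


def run_policy(policy: Dict[str, Any], resources: List[Dict[str, Any]]) -> Dict[str, str]:
    """Return {resource_id: "PASSED" | "FAILED"} for every in-scope resource."""
    definition = policy["definition"]
    in_scope = scoped_types(definition)
    return {r["id"]: ("PASSED" if evaluate(definition, r) else "FAILED")
            for r in resources if r["type"] in in_scope}


if __name__ == "__main__":
    for rid, verdict in run_policy(INGRESS_ALLOWLIST_POLICY, RESOURCES).items():
        print(f"{verdict:6} {rid}")
```

Two things the run shows that the YAML alone does not: the egress rule with 0.0.0.0/0 passes because the "or" short-circuits on its type before cidr_blocks is examined, and the ingress rule with an empty cidr_blocks list passes because an empty list is a subset of any allow list. If a policy must require that at least one approved CIDR is present, subset alone is not enough and has to be combined with a condition on the attribute being present and non-empty. The aws_instance resource never appears in the results because no leaf of the definition names its type.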