Custom Policies

Introduction

Custom Policies let you monitor and enforce cloud infrastructure configuration according to your organization's specific needs. For example, for certain resource types you may want to enforce a tagging methodology or a stricter password policy, or you may want to restrict the use of a new service depending on the types of other services it is connected to.

Bridgecrew Cloud handles Custom Policies much like built-in Policies:

  • They are checked in each scan.
  • They are reflected in the Incident list.
  • For each Incident, relevant information is displayed, including a list of affected Resources, Guidelines, statistics, etc.
  • You can Suppress an Error by account, resource, tag, or for all instances.
  • You can create a Jira issue for an incident.

Bridgecrew Tools for Creating Custom Policies

You can choose either:

  • Visual Editor - for quick creation of attribute checks (but not Connection State) and one layer of AND/OR logic.
  • Code Editor - for more complex Custom Policies whose definition may include both attribute and Connection-State with no limitation on the number of layers of AND/OR logic.

Preparing to Build a Custom Policy

Before building a Custom Policy you should gather the following:

  • Policy Name

  • Guidelines - as with built-in Policies, the Guidelines are displayed with the details of each Error to explain the issue to the user and related personnel for investigation and prevention in the future.

  • Benchmark (optional, only via Visual Policy Editor) - you can associate a Custom Policy with a benchmark and section. The Custom Policy will be checked in every scan but, when exporting Reports, will only appear in reports for the associated benchmark, in the section defined.

  • Cloud Provider and Resource Type - each Custom Policy must be associated with a Provider and specific Resource Type.

  • Details for Policy Definition - attributes, values, and resource connection types to be checked.

Note

The Bridgecrew platform utilizes the Terraform attribute library and syntax. See the Terraform Registry for lists of supported attributes and connection types per cloud provider.

Custom Policy - Components

Custom policies include:

  • Metadata - Policy name, guidelines, severity and category.
  • Scope - the cloud provider (and resource types) to which the Policy is applied.
  • Definition - the conditions and logic that a resource must satisfy to comply with the Policy.

Policy Examples

The table below presents examples of Custom Policies.

Description                      Provider   Resource Type                    Argument                Operator    Value
aws-restrict-all-vpc-traffic     aws        aws_default_network_acl          ingress                 Equal       0
azurerm-block-allow-all-cidr     azurerm    azurerm_network_security_group   source_address_prefix   Not Equal   0.0.0.0/0, "*"
gcp-restrict-machine-type        google     google_compute_instance          machine_type            Equal       n1-standard-1
aws-networking-deny-public-ssh   aws        aws_security_group_rule          cidr_blocks             Not Equal   0.0.0.0/0
(see note below)                 aws        aws_security_group_rule          to_port                 Not Equal   "*"

Note

The Custom Policy "aws-networking-deny-public-ssh" uses two rules, one on the cidr_blocks argument and one on the to_port argument; a resource must satisfy both.
You can create Policies with as many nested arguments as needed. For example, to express a more complex ingress policy for an AWS security group you could use all of the following arguments:

  • ingress.from_port
  • ingress.to_port
  • ingress.protocol
  • ingress.cidr_blocks
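To make the table and the note above concrete, here is a small evaluator, added for this page and not Bridgecrew's own engine or policy format, that applies attribute-style Custom Policies to resources shaped like parsed Terraform blocks. Each policy carries the three components described earlier (metadata, scope, definition); the definition is a tree of Argument/Operator/Value conditions nested under "and"/"or" to any depth. The policy and resource records, the "equals"/"not_equals" operator names, and the helper functions are all constructed for the example. It goes slightly beyond the table by widening the machine-type check into an OR allow-list and by showing how a dotted argument such as ingress.protocol fans out over every ingress block.

```python
"""Toy evaluator for attribute-style Custom Policies (added example; not
Bridgecrew's engine or schema). Policies and resources are constructed."""
from typing import Any


def resolve(obj: Any, path: str) -> list:
    """Return every value reachable at a dotted attribute path.

    Lists are fanned out at any depth, so "ingress.cidr_blocks" on a security
    group with several ingress blocks yields the CIDRs of every block; one
    offending block cannot hide behind compliant ones.
    """
    if path == "":
        return list(obj) if isinstance(obj, list) else [obj]
    if isinstance(obj, list):
        return [v for item in obj for v in resolve(item, path)]
    head, _, rest = path.partition(".")
    if isinstance(obj, dict) and head in obj:
        return resolve(obj[head], rest)
    return []  # attribute not set on this resource


def check_condition(attrs: dict, cond: dict) -> bool:
    """Evaluate one Argument / Operator / Value row against a resource."""
    found = resolve(attrs, cond["attribute"])
    wanted = cond["value"] if isinstance(cond["value"], list) else [cond["value"]]
    matched = any(str(f) == str(w) for f in found for w in wanted)
    if cond["operator"] == "equals":
        return matched
    if cond["operator"] == "not_equals":
        return not matched
    raise ValueError(f"unsupported operator: {cond['operator']}")


def evaluate(attrs: dict, definition: dict) -> bool:
    """Walk the and/or tree; a leaf is a single attribute condition."""
    if "and" in definition:
        return all(evaluate(attrs, d) for d in definition["and"])
    if "or" in definition:
        return any(evaluate(attrs, d) for d in definition["or"])
    return check_condition(attrs, definition)


def scan(policies: list, resources: list) -> list:
    """Return (policy name, resource address) for every non-compliant resource."""
    incidents = []
    for policy in policies:
        scope = policy["scope"]
        for r in resources:
            if r["provider"] != scope["provider"] or r["type"] not in scope["resource_types"]:
                continue  # out of scope for this policy
            if not evaluate(r["attributes"], policy["definition"]):
                incidents.append((policy["metadata"]["name"], r["address"]))
    return incidents


def res(address: str, attributes: dict) -> dict:
    """Build a constructed resource record; provider is the type's prefix."""
    rtype = address.split(".")[0]
    return {"address": address, "provider": rtype.split("_")[0],
            "type": rtype, "attributes": attributes}


POLICIES = [
    {   # the two-rule policy from the table: both rules must hold (AND)
        "metadata": {"name": "aws-networking-deny-public-ssh"},
        "scope": {"provider": "aws", "resource_types": ["aws_security_group_rule"]},
        "definition": {"and": [
            {"attribute": "cidr_blocks", "operator": "not_equals", "value": "0.0.0.0/0"},
            {"attribute": "to_port", "operator": "not_equals", "value": "*"},
        ]},
    },
    {   # nested argument from the note: checked against every ingress block
        "metadata": {"name": "aws-sg-ingress-no-all-protocols"},
        "scope": {"provider": "aws", "resource_types": ["aws_security_group"]},
        "definition": {"attribute": "ingress.protocol", "operator": "not_equals", "value": "-1"},
    },
    {   # the machine-type row, widened to an allow-list via OR
        "metadata": {"name": "gcp-restrict-machine-type"},
        "scope": {"provider": "google", "resource_types": ["google_compute_instance"]},
        "definition": {"or": [
            {"attribute": "machine_type", "operator": "equals", "value": "n1-standard-1"},
            {"attribute": "machine_type", "operator": "equals", "value": "e2-small"},
        ]},
    },
]

RESOURCES = [  # constructed sample resources
    res("aws_security_group_rule.ssh_from_anywhere",
        {"type": "ingress", "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}),
    res("aws_security_group_rule.ssh_from_office",
        {"type": "ingress", "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}),
    res("aws_security_group.web", {"ingress": [
        {"to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}),
    res("aws_security_group.wide_open", {"ingress": [
        {"to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}]}),
    res("google_compute_instance.batch", {"machine_type": "n1-standard-1"}),
    res("google_compute_instance.big", {"machine_type": "n1-highmem-96"}),
]


def run_sample() -> list:
    """Scan the constructed resources with the constructed policies."""
    return scan(POLICIES, RESOURCES)


if __name__ == "__main__":
    for name, address in run_sample():
        print(f"{name}: {address}")
```

Running the script lists three incidents: the world-open SSH rule, the security group whose ingress allows all protocols, and the oversized instance. Note the fan-out semantics in resolve: a "not_equals" condition on a dotted argument passes only if no block matches, which is what a deny-style check wants, while an "equals" condition passes if any block matches.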