|
Custom Rules
Cloud Conformity provides rules for:
The list is always growing, but your organisation may have specific controls or policies that are not yet supported by Cloud Conformity. For such instances, you have the option to develop, host, and maintain your own custom rules and import them into Cloud Conformity.
| Differences | Custom Rules | Cloud Conformity Rules |
|---|---|---|
| Development lifecycle perspective | You develop yourself and are responsible for maintenance and validity of those rules | Developed and maintained by Cloud Conformity |
| Execution | Executed outside of Cloud Conformity environment (e.g. in your AWS account Lambda function or applications running in EC2 instances) | Executed in Conformity Bot within Cloud Conformity AWS Environment |
| Freshness | Controlled outside Cloud Conformity and may be refreshed at any time | Run every time Conformity Bot runs |
| Cost | Cost for you is either based on AWS Service Config pricing or based on how you implement and execute your own Custom rules | Do not add any extra cost to customers. |
If you would like Cloud Conformity to support a new rule, follow the instructions to submit a new rule request.
| Differences | AWS Config Service | Cloud Conformity Custom Checks API |
|---|---|---|
| Behaviour | AWS Config Service allows you to script rules and automate the evaluation of recorded configurations against desired attributes. The scripted AWS Config rules produce “Compliance Details”. Cloud Conformity consumes the “Evaluation Result” from these “Compliance Details” and converts each to a check. For more information, see AWS Config Rules Evaluation Results |
Cloud Conformity Custom Checks (via API) are pushed to Cloud Conformity from an external system that users develop. Each check belongs to a “Custom” rule and there can be more than one Custom rule. These Custom rules can have any arbitrary name or service, but their rule ID always starts with CUSTOM-. For more information, see Cloud Conformity Custom Checks API |
| Environment | Rules can be scripted and run if they are within AWS infrastructure | Rules can be scripted and run if they are within AWS infrastructure |
| Complexity | Rules are not built to address cross-resource-type or cross-account logic | Rules support cross-resource type or cross-account logic |
| Execution Cost | Depending on the use case and number of accounts, AWS Config Service may become very expensive for smaller organisations with many accounts. | Does not add any extra cost to customers |
| Maintenance Cost | AWS Config Service rules run within AWS-managed environment, therefore there is no extra maintenance cost | There is no extra maintenance cost for Custom rules created via API |
You can submit rule requests via the Support channel. Cloud Conformity will provide feedback on whether we plan to support the rule, and if approved, we will add to our rule development pipeline.
Follow the instructions below to submit a request
Is there any special configuration I need to enable capturing AWS Config custom rule outputs?
You need to ensure that: