Trend Micro Cloud One™

Custom Rules

Last updated: 12 January 2020


Cloud Conformity provides rules for:

  1. Supported Standards and Frameworks
  2. Commonly used cloud services
  3. General and extensive coverage of AWS security and governance best practices
  4. Critical, high-risk and high-impact vulnerabilities

The list is always growing, but your organisation may have specific controls or policies that are not yet supported by Cloud Conformity. For such instances, you have the option to develop, host, and maintain your own custom rules and import them into Cloud Conformity.

Custom Rules vs Cloud Conformity Rules

Development lifecycle perspective
  Custom Rules: You develop them yourself and are responsible for their maintenance and validity.
  Cloud Conformity Rules: Developed and maintained by Cloud Conformity.

Execution
  Custom Rules: Executed outside the Cloud Conformity environment (e.g. as a Lambda function in your AWS account, or as an application running on your EC2 instances).
  Cloud Conformity Rules: Executed by the Conformity Bot within the Cloud Conformity AWS environment.

Freshness
  Custom Rules: Controlled outside Cloud Conformity and may be refreshed at any time.
  Cloud Conformity Rules: Run every time the Conformity Bot runs.

Cost
  Custom Rules: The cost to you is either AWS Config Service pricing or whatever it costs to implement and execute your own custom rules.
  Cloud Conformity Rules: No extra cost to customers.

If you would like Cloud Conformity to support a new rule, follow the instructions to submit a new rule request.

Create Custom Rules via AWS Config Service or the Cloud Conformity Custom Checks API

Behaviour
  AWS Config Service: AWS Config lets you script rules and automate the evaluation of recorded configurations against desired attributes. Scripted AWS Config rules produce "Compliance Details"; Cloud Conformity consumes the "Evaluation Result" from these Compliance Details and converts each one into a check. For more information, see AWS Config Rules Evaluation Results.
  Cloud Conformity Custom Checks API: Custom Checks are pushed to Cloud Conformity through the API from an external system that you develop. Each check belongs to a "Custom" rule, and there can be more than one Custom rule. These Custom rules can have any arbitrary name or service, but their rule ID always starts with CUSTOM-. For more information, see Cloud Conformity Custom Checks API.

Environment
  AWS Config Service: Rules can be scripted and run if they are within AWS infrastructure.
  Cloud Conformity Custom Checks API: Rules can be scripted and run if they are within AWS infrastructure.

Complexity
  AWS Config Service: Rules are not built to address cross-resource-type or cross-account logic.
  Cloud Conformity Custom Checks API: Rules support cross-resource-type or cross-account logic.

Execution Cost
  AWS Config Service: Depending on the use case and the number of accounts, AWS Config Service may become very expensive for smaller organisations with many accounts.
  Cloud Conformity Custom Checks API: Does not add any extra cost to customers.

Maintenance Cost
  AWS Config Service: AWS Config rules run within an AWS-managed environment, so there is no extra maintenance cost.
  Cloud Conformity Custom Checks API: There is no extra maintenance cost for Custom rules created via the API.
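As an added example (not Cloud Conformity's or AWS's own code), the following is a Lambda-backed AWS Config custom rule of the kind the AWS Config Service column describes: it evaluates each recorded AWS::EC2::SecurityGroup configuration item, marks the group NON_COMPLIANT when a blocked port is reachable from 0.0.0.0/0 or ::/0, and reports the verdict with put_evaluations so that it appears among the Config rule's Evaluation Results. The blockedPorts parameter name, the sample configuration item and the rule's logic are assumptions for illustration; boto3 is imported only inside the handler, so the evaluation functions run offline.

```python
"""AWS Config custom rule (Lambda): flag security groups open to the world
on blocked ports. Added example; not Cloud Conformity's or AWS's code."""
import json
from typing import Dict, Iterable, List

WORLD_CIDRS = ("0.0.0.0/0", "::/0")
DEFAULT_BLOCKED_PORTS = (22, 3389)  # assumption; override via ruleParameters.blockedPorts

# Constructed sample of the "configurationItem" that AWS Config places inside
# event["invokingEvent"] for a security group with SSH and HTTPS open to the world.
SAMPLE_OPEN_SG = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2020-01-12T00:00:00.000Z",
    "configuration": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipRanges": ["0.0.0.0/0"]},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipRanges": ["0.0.0.0/0"]},
        ],
    },
}


def parse_ports(raw: str) -> List[int]:
    """Parse the comma-separated blockedPorts rule parameter into sorted ints."""
    return sorted({int(p) for p in raw.split(",") if p.strip()})


def world_exposed_ports(configuration: dict, blocked: Iterable[int]) -> List[int]:
    """Return the blocked ports that any ingress entry opens to 0.0.0.0/0 or ::/0.
    TCP and UDP are treated alike; an ipProtocol of "-1" means all traffic."""
    blocked = sorted(set(blocked))
    exposed = set()
    for perm in configuration.get("ipPermissions", []):
        # Config records CIDRs both as plain strings (ipRanges) and as objects.
        cidrs = set(perm.get("ipRanges", []))
        cidrs.update(r.get("cidrIp") for r in perm.get("ipv4Ranges", []))
        cidrs.update(r.get("cidrIpv6") for r in perm.get("ipv6Ranges", []))
        if not cidrs.intersection(WORLD_CIDRS):
            continue
        if perm.get("ipProtocol") == "-1":
            return blocked  # every port is reachable
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None:  # ICMP entries carry type/code, not ports
            continue
        exposed.update(p for p in blocked if lo <= p <= hi)
    return sorted(exposed)


def evaluate_compliance(item: dict, blocked: Iterable[int] = DEFAULT_BLOCKED_PORTS) -> Dict[str, str]:
    """Map one configuration item to a ComplianceType plus Annotation."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "Rule only evaluates security groups."}
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "Resource was deleted."}
    exposed = world_exposed_ports(item.get("configuration", {}), blocked)
    if exposed:
        ports = ", ".join(str(p) for p in exposed)
        # put_evaluations limits Annotation to 256 characters.
        annotation = f"Ingress from 0.0.0.0/0 or ::/0 allowed on blocked port(s): {ports}"[:256]
        return {"ComplianceType": "NON_COMPLIANT", "Annotation": annotation}
    return {"ComplianceType": "COMPLIANT", "Annotation": "No blocked port is open to the world."}


def lambda_handler(event, context):
    """Entry point for a configuration-change triggered Config rule."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")  # Config passes a JSON string
    blocked = parse_ports(params.get("blockedPorts", ",".join(map(str, DEFAULT_BLOCKED_PORTS))))
    verdict = evaluate_compliance(item, blocked)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": verdict["ComplianceType"],
        "Annotation": verdict["Annotation"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    import boto3  # imported here so the module loads without boto3 for offline use
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

Attach the function to a Config rule with a configuration-change trigger scoped to AWS::EC2::SecurityGroup and set blockedPorts in the rule parameters. The Annotation travels with the evaluation result, which is the part Cloud Conformity ingests once the prerequisites in the FAQ below are met.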

Example Custom Rule
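As an added example (not Cloud Conformity's own code), the following shows the Custom Checks API route from the comparison above, used for a rule AWS Config cannot express on its own because it spans accounts: an external script inspects which accounts may assume each IAM role in each account, and pushes one check per role under a rule whose ID starts with CUSTOM-. Only that prefix is confirmed by this page; the JSON:API field names, the ApiKey header format and the endpoint URL are assumptions to verify against the Custom Checks API reference before use, and the role inventory, rule ID and account IDs are constructed for illustration.

```python
"""Push Custom Checks for a cross-account rule. Added example; not Cloud
Conformity's code. Field names, header and endpoint are assumptions."""
import json
import urllib.request
from typing import Dict, Iterable, List

ENDPOINT = "https://us-west-2-api.cloudconformity.com/v1/checks"  # assumption
RULE_ID = "CUSTOM-001"  # any name or service is allowed, but the ID must start with CUSTOM-
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # constructed: the organisation's own accounts

# Constructed inventory: (Conformity account id, AWS account id, role name,
# account ids the role's trust policy allows to assume it). A real collector
# would read this from IAM in every account via sts:AssumeRole.
SAMPLE_ROLES = [
    ("acct-a", "111111111111", "deploy-role", ["222222222222"]),
    ("acct-b", "222222222222", "ops-role", ["111111111111", "999999999999"]),
]


def build_check(account_id: str, resource: str, status: str, message: str, *,
                rule_id: str = RULE_ID, service: str = "IAM", region: str = "global",
                risk_level: str = "HIGH") -> Dict:
    """One JSON:API "checks" object belonging to a CUSTOM- rule (attribute
    names are assumptions; the CUSTOM- prefix rule is from the page)."""
    if not rule_id.startswith("CUSTOM-"):
        raise ValueError("custom rule IDs must start with CUSTOM-")
    if status not in ("SUCCESS", "FAILURE"):
        raise ValueError("status must be SUCCESS or FAILURE")
    return {
        "type": "checks",
        "attributes": {
            "region": region,
            "status": status,
            "service": service,
            "resource": resource,
            "risk-level": risk_level,
            "message": message,
            "categories": ["security"],
            "rule-title": "IAM role trusted by an account outside the organisation",
        },
        "relationships": {
            "rule": {"data": {"type": "rules", "id": rule_id}},
            "account": {"data": {"type": "accounts", "id": account_id}},
        },
    }


def evaluate_cross_account_trust(roles: Iterable[tuple], trusted=TRUSTED_ACCOUNTS) -> List[Dict]:
    """Cross-account logic: a role fails when any trustor is outside the allow-list."""
    checks = []
    for conformity_acct, aws_acct, role, trustors in roles:
        arn = f"arn:aws:iam::{aws_acct}:role/{role}"
        foreign = sorted(set(trustors) - set(trusted))
        if foreign:
            msg = "Role trusts account(s) outside the organisation: " + ", ".join(foreign)
            checks.append(build_check(conformity_acct, arn, "FAILURE", msg))
        else:
            checks.append(build_check(conformity_acct, arn, "SUCCESS",
                                      "Role is trusted only by organisation accounts"))
    return checks


def push_checks(checks: List[Dict], api_key: str, endpoint: str = ENDPOINT) -> Dict:
    """POST the checks to Conformity; needs network access and a real API key."""
    body = json.dumps({"data": checks}).encode()
    req = urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/vnd.api+json",
                 "Authorization": f"ApiKey {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Offline: print the payload that push_checks() would send.
    print(json.dumps({"data": evaluate_cross_account_trust(SAMPLE_ROLES)}, indent=2))
```

Because the checks are computed outside Cloud Conformity, the script can re-run on any schedule (the Freshness row above) and correlate data from as many accounts as its collector can reach; the CUSTOM- prefix is the only constraint the page places on the rule itself.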

New Rule Request

You can submit rule requests via the Support channel. Cloud Conformity will provide feedback on whether we plan to support the rule and, if approved, we will add it to our rule development pipeline.

Follow the instructions below to submit a request:

  1. Submit a new ticket via the Customer Support portal or email support@cloudconformity.com
  2. Provide the following details:
    1. Cloud (e.g. AWS, Azure) and service the rule would belong to
    2. Security or governance issue this rule would check for
    3. Any configuration options you would like the rule to offer
    4. Proposed behaviour of the rule

FAQs

Is there any special configuration I need to enable capturing AWS Config custom rule outputs?

You need to ensure that:

  1. Real-Time Threat Monitoring (RTM) is enabled for the account,
  2. The Config rule on AWS is enabled and is producing evaluation results, and
  3. The ConfigService rule CS-001 (not a rule under the Config service) is enabled and configured when you set up your communication channel.