
Custom Rules

Last updated: 12 January 2020


Trend Micro Cloud One™ – Conformity provides rules for:

  1. Supported Standards and Frameworks
  2. Commonly used cloud services
  3. General and extensive coverage of AWS security and governance best practices
  4. Critical and high-risk vulnerabilities, as well as high impact vulnerabilities

The list is always growing, but your organisation may have specific controls or policies that are not yet supported by Conformity. For such instances, you have the option to develop, host, and maintain your own custom rules and import them into Conformity.

Custom Rules vs Conformity Rules

Development lifecycle perspective
  Custom Rules: You develop them yourself and are responsible for their maintenance and validity.
  Conformity Rules: Developed and maintained by Conformity.

Execution
  Custom Rules: Executed outside the Conformity environment (e.g. in a Lambda function in your AWS account, or in applications running on EC2 instances).
  Conformity Rules: Executed by the Conformity Bot within the Conformity AWS environment.

Freshness
  Custom Rules: Controlled outside Conformity and may be refreshed at any time.
  Conformity Rules: Run every time the Conformity Bot runs.

Cost
  Custom Rules: Your cost is based either on AWS Config Service pricing or on how you implement and execute your own custom rules.
  Conformity Rules: Do not add any extra cost to customers.

If you would like Conformity to support a new rule, follow the instructions to submit a new rule request.

Create Custom Rules via AWS Config Service or the Conformity Custom Checks API

Behaviour
  AWS Config Service: AWS Config Service allows you to script rules and automate the evaluation of recorded configurations against desired attributes. The scripted AWS Config rules produce "Compliance Details". Conformity consumes the "Evaluation Result" from these "Compliance Details" and converts each one to a check. For more information, see AWS Config Rules Evaluation Results.
  Conformity Custom Checks API: Cloud Conformity Custom Checks are pushed to Conformity via the API from an external system that you develop. Each check belongs to a "Custom" rule, and there can be more than one Custom rule. These Custom rules can have any arbitrary name or service, but their rule ID always starts with CUSTOM-. For more information, see Conformity Custom Checks API.

Environment
  AWS Config Service: Rules can be scripted and run if they are within AWS infrastructure.
  Conformity Custom Checks API: Rules can be scripted and run if they are within AWS infrastructure.

Complexity
  AWS Config Service: Rules are not built to address cross-resource-type or cross-account logic.
  Conformity Custom Checks API: Rules support cross-resource-type or cross-account logic.

Execution Cost
  AWS Config Service: Depending on the use case and the number of accounts, AWS Config Service may become very expensive for smaller organisations with many accounts.
  Conformity Custom Checks API: Does not add any extra cost to customers.

Maintenance Cost
  AWS Config Service: AWS Config Service rules run within an AWS-managed environment, so there is no extra maintenance cost.
  Conformity Custom Checks API: There is no extra maintenance cost for Custom rules created via the API.
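The AWS Config path above, as an added example that is not Conformity's or AWS's own code: a custom Config rule Lambda that evaluates a security group and reports an Evaluation Result, which is what Conformity consumes as checks. The configuration item, the security group ID and the rule parameter name restrictedPorts are all constructed assumptions for this illustration.

```python
import json
import ipaddress
# Constructed AWS Config configurationItem for a security group; IDs and rules are made up.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2020-01-12T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["10.0.0.0/8"]},
    ]},
}

def evaluate_compliance(item, rule_parameters):
    """Return (ComplianceType, Annotation); 'restrictedPorts' (assumed name) must not be open to 0.0.0.0/0."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Not a security group"
    restricted = {int(p) for p in rule_parameters.get("restrictedPorts", "22,3389").split(",")}
    offenders = set()
    for perm in item["configuration"].get("ipPermissions", []):
        # Config records IPv4 ranges as strings (ipRanges) and/or {"cidrIp": ...} (ipv4Ranges)
        cidrs = [c if isinstance(c, str) else c["cidrIp"]
                 for c in perm.get("ipRanges", []) + perm.get("ipv4Ranges", [])]
        low, high = perm.get("fromPort"), perm.get("toPort")
        # fromPort/toPort are absent for "all traffic" permissions (ipProtocol "-1")
        hit = restricted if low is None else {p for p in restricted if low <= p <= high}
        if hit and any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            offenders |= hit
    if offenders:
        return "NON_COMPLIANT", "Open to 0.0.0.0/0 on ports %s" % sorted(offenders)
    return "COMPLIANT", "No restricted port is open to 0.0.0.0/0"

def build_evaluation(item, rule_parameters):
    """One entry of the Evaluation Result that AWS Config stores as Compliance Details."""
    compliance, annotation = evaluate_compliance(item, rule_parameters)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config rejects annotations over 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    # AWS Config invokes the rule with invokingEvent, ruleParameters and resultToken
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    import boto3  # imported here so the evaluation logic above also runs offline
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(item, params)], ResultToken=event["resultToken"])
```

For Conformity to pick these results up, the Config rule must be enabled and producing results and the ConfigService rule CS-001 must be enabled, as the FAQ below describes.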

Example Custom Rule

New Rule Request

You can submit rule requests via the Support channel. Conformity will provide feedback on whether we plan to support the rule and, if approved, we will add it to our rule development pipeline.

Follow the instructions below to submit a request:

  1. Submit a new ticket via the Customer Support portal or email support@cloudconformity.com
  2. Provide the following details:
    1. Cloud (e.g. AWS, Azure) and service the rule would belong to
    2. Security or governance issue this rule would check for
    3. Any configurations you would like to provide for the rule
    4. Proposed behaviour of the rule

FAQs

Is there any special configuration I need to enable capturing AWS Config custom rule outputs?

You need to ensure that:

  1. RTM is enabled,
  2. The Config rule on AWS is enabled and is creating results, and
  3. The ConfigService (not Config) rule CS-001 is enabled and configured while setting up your communication channel.