Organizations want to apply different policies to different accounts. For example, you have a baseline security policy that defines the minimum set of requirements acceptable to you, while some accounts need more stringent requirements (e.g. HIPAA compliance for certain products). You want the flexibility to switch off certain rules for certain accounts, and sometimes you want to enforce a policy only on new resources. To give you this more granular control, we are excited to introduce two new policy enforcement levels:
1. Ignore
You can turn off a rule within a specific policy by setting that rule to “Ignore”. Disabling a rule stops it from running everywhere; ignoring it only omits it from that policy, so it is skipped for the account(s) the policy is attached to while still running under every other policy that includes it.
Let’s look at an example. In accounts that do not require HIPAA compliance (and hold no regulated data), it may be acceptable that an S3 bucket is not encrypted at rest. In this case, you would create a policy that includes the “Ensure S3 buckets are set to be encrypted at rest” rule, attach that policy to those accounts, and set the rule to “Ignore”. The rule would then not run for them. Contrast that with the accounts that require HIPAA compliance: there the rule runs, and any bucket without encryption at rest is flagged as a policy violation.
2. Mandate on New Resources
You can make certain rules mandatory on new resources only. Existing resources that already violate such a rule are not flagged; only resources created after the policy is in place are evaluated against it.
Let’s look at an example. When Cloudrail first scans an environment it often finds a large number of security issues, and fixing them takes time. You want to give the development team time to address the existing findings, but you don’t want new ones to appear while you wait (otherwise you are chasing a moving target). So you set the rule to “mandate on new resources only”, which effectively closes the door on new violations while the pre-existing ones are handled later.
This enforcement level is particularly helpful if you have environments with pre-existing violations.
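To make the two enforcement levels concrete, here is a small policy evaluator added as an illustration. It is not Cloudrail code: the `Enforcement` enum, the `is_new` flag on resources, the `sse` attribute name, and the sample buckets and policies are all constructed for this example. The same rule is attached to three hypothetical accounts with three different enforcement levels, and the evaluator returns the violations each account would see, with the evidence that was evaluated and the remediation step.

```python
"""Toy policy evaluator for the Ignore / Mandate-on-new-resources enforcement levels.
Added example; rule names, attribute names, and sample data are constructed."""
from dataclasses import dataclass
from enum import Enum


class Enforcement(Enum):
    """Enforcement level of one rule inside one policy (hypothetical names)."""
    MANDATE = "mandate"                # flag every violating resource
    MANDATE_NEW_ONLY = "mandate_new"   # flag only resources that did not exist before the policy
    IGNORE = "ignore"                  # rule stays in the policy but is skipped for this account


@dataclass
class Resource:
    rid: str
    kind: str
    attrs: dict
    is_new: bool   # assumption: the scanner knows whether the resource predates the policy


@dataclass
class Violation:
    rule: str
    resource: str
    evidence: str      # what was actually evaluated, in the spirit of an "Evidence" field
    remediation: str


def s3_encrypted_at_rest(r: Resource):
    """Check for 'Ensure S3 buckets are set to be encrypted at rest'.
    Returns (ok, evidence). The 'sse' attribute name is an assumption."""
    sse = r.attrs.get("sse")
    return sse is not None, f"bucket {r.rid}: server_side_encryption={sse!r}"


RULE_S3_SSE = "Ensure S3 buckets are set to be encrypted at rest"

# rule name -> (resource kind it applies to, check function, remediation text)
RULES = {
    RULE_S3_SSE: (
        "s3_bucket",
        s3_encrypted_at_rest,
        "Add a server_side_encryption_configuration (AES256 or aws:kms) to the bucket.",
    ),
}


def evaluate(policy: dict, resources: list) -> list:
    """Evaluate one account's policy (rule name -> Enforcement) over its resources."""
    out = []
    for name, level in policy.items():
        if level is Enforcement.IGNORE:
            continue  # omitted for this account; the rule still exists for other policies
        kind, check, fix = RULES[name]
        for r in resources:
            if r.kind != kind:
                continue
            if level is Enforcement.MANDATE_NEW_ONLY and not r.is_new:
                continue  # pre-existing violation: left for the cleanup backlog
            ok, evidence = check(r)
            if not ok:
                out.append(Violation(name, r.rid, evidence, fix))
    return out


# Constructed sample: two unencrypted buckets (one old, one new) and one encrypted bucket.
SAMPLE = [
    Resource("legacy-logs", "s3_bucket", {"sse": None}, is_new=False),
    Resource("new-uploads", "s3_bucket", {"sse": None}, is_new=True),
    Resource("phi-exports", "s3_bucket", {"sse": "aws:kms"}, is_new=True),
]
HIPAA_POLICY = {RULE_S3_SSE: Enforcement.MANDATE}            # flag everything
DEV_POLICY = {RULE_S3_SSE: Enforcement.IGNORE}               # rule skipped for this account
MIGRATING_POLICY = {RULE_S3_SSE: Enforcement.MANDATE_NEW_ONLY}  # close the door on new ones

if __name__ == "__main__":
    for label, policy in [("hipaa", HIPAA_POLICY), ("dev", DEV_POLICY), ("migrating", MIGRATING_POLICY)]:
        print(label)
        for v in evaluate(policy, SAMPLE):
            print(f"  {v.resource}: {v.evidence} -> {v.remediation}")
```

Run stand-alone, the HIPAA account reports both unencrypted buckets, the dev account reports nothing, and the migrating account reports only the new bucket, which is exactly the difference between the three levels.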
Remediation Steps to help you fix security violations
For each violation we find, we provide remediation steps and a breakdown in the “Evidence” field that shows exactly what was evaluated to reach that conclusion. The remediation steps help you address the security issue quickly.
The remediation steps are also included in the Cloudrail container’s results, in both the text format and the JUnit format, so they show up directly in your CI pipeline output.
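As an added illustration of why carrying remediation and evidence into a JUnit report is useful, the following renders constructed policy results as JUnit XML. This is not Cloudrail’s own report layout: the rule list, the sample violation, the `testsuite`/`testcase` naming and the choice to put the remediation in the failure `message` and the evidence in the failure body are all assumptions made for this example. The point is that CI systems render the failure message next to the failed test, so a developer sees the fix without opening the scanner.

```python
"""Render constructed policy results as JUnit XML (added example, hypothetical layout)."""
import xml.etree.ElementTree as ET

# Constructed sample: two rules were evaluated, one of them failed on one bucket.
SAMPLE_RULES = [
    "Ensure S3 buckets are set to be encrypted at rest",
    "Ensure S3 buckets block public access",
]
SAMPLE_VIOLATIONS = [
    {
        "rule": "Ensure S3 buckets are set to be encrypted at rest",
        "resource": "new-uploads",
        "evidence": "bucket new-uploads: server_side_encryption=None",
        "remediation": "Add a server_side_encryption_configuration (AES256 or aws:kms) to the bucket.",
    },
]


def to_junit(rules: list, violations: list) -> str:
    """One <testcase> per (rule, violating resource), plus one passing <testcase>
    per rule with no violations. The remediation goes into the failure message
    (what CI dashboards show inline) and the evidence into the failure body."""
    by_rule: dict = {}
    for v in violations:
        by_rule.setdefault(v["rule"], []).append(v)

    suite = ET.Element("testsuite", name="cloud-policy")
    tests = failures = 0
    for rule in rules:
        hits = by_rule.get(rule, [])
        if not hits:
            ET.SubElement(suite, "testcase", classname="policy", name=rule)
            tests += 1
            continue
        for v in hits:
            case = ET.SubElement(suite, "testcase", classname="policy",
                                 name=f"{rule} [{v['resource']}]")
            failure = ET.SubElement(case, "failure", type="PolicyViolation",
                                    message=f"{v['resource']}: {v['remediation']}")
            failure.text = v["evidence"]
            tests += 1
            failures += 1
    suite.set("tests", str(tests))
    suite.set("failures", str(failures))
    return ET.tostring(suite, encoding="unicode")


if __name__ == "__main__":
    print(to_junit(SAMPLE_RULES, SAMPLE_VIOLATIONS))
```

A rule with no findings becomes a passing test case, so the report also documents which rules ran, which is what you want when a rule is set to “Ignore” for one account but mandated for another.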