Rules in Cloudrail can be enabled with one of the following enforcement levels. The enforcement level determines how Cloudrail presents the violation and how it should report back to your CI/CD platform.:
- Advise: Rules under this setting are used to disclaim a security concern, but not significant enough to break the developers workflow. If Cloudrail only finds violations for rules under Advise, Cloudrail CLI will return exit code 0. This means that rules under Advise can never cause your pipeline to break.
- Mandate: Rules under this setting are used to strongly enforce a security concern in the developer’s workflow. If a violation comes from a rule under Mandate enforcement, Cloudrail CLI will return exit code 1.
Future enforcement levels. Will be releasing soon!
- Mandate on New Resources:
By default, all the rules are set to “Advise” mode. Running Cloudrail will have zero impact on your developers’ workflows and you can embed Cloudrail CLI within CI/CD immediately if preferred.
Once you are ready to strongly enforce a rule from the task center, you will first need to create a Policy. A Policy acts as a container for all your rule configurations.
While you create the policy, you can define which accounts should be associated with said policy. You can have a separate policy for each stage of the development process (Dev, User Acceptance Testing, Staging, and Production).
Once the Policy is created, you can enable a rule to have a stronger enforcement level. Note, the rule’s behavior only affects the accounts attached with this policy.
Once you have enabled the rule, you are set! Now, Cloudrail CLI will also reference all your configured Policies when it runs any future evaluations. In the event that the environment is part of a Policy’s definition, Cloudrail will evaluate against the unique rule behaviors and override the default behavior.
In the event that you do not want a rule to be evaluated at all, you can disable the rule.