Review IaC Assessments

Now that you have successfully run a scan, you have two ways to look at the assessment. You can view it from the CLI output or from the WebUI.

By default, all rules are set to Advisory, so any violation of them is hidden from the CLI results. This is intentional: we want the CLI to show only the violations you care about. If you want to skip ahead to that step, see our documentation on setting your own policies and rule enforcement levels here.

Viewing violated rules at the Warning level in the CLI is easy: just add the “-v” flag to run future assessments in verbose mode.

Since you already ran the assessment, let’s view the results from the WebUI:

Here, you can find overall statistics and context around the assessment results:

All rule violations, regardless of their enforcement level, are shown at the top, together with an explanation of each rule. Some rules use additional context and have their category set to “Context Aware”. Below is an example:

Also, note that you should see remediation instructions to fix the violation in the cloud console or in Terraform.

Each violation flags two resources: one that is “exposed” and one that is “violating”. A resource is marked as the violating resource if it contains the configuration parameter responsible for the violation. However, we have found that this configuration may be unrelated to the resource that is actually at risk, so we mark the “risky” resource as the Exposed Resource.
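As an added illustration of the exposed/violating distinction (constructed Terraform, not Cloudrail output or documentation code; `var.vpc_id`, `var.ami_id` and `var.admin_cidr` are assumed variables), the weak configuration sits on a security group while the resource put at risk is the instance that uses it:

```hcl
# Constructed example (not Cloudrail output). In the page's terms, the security
# group below would be the violating resource, because it holds the offending
# parameter, and the instance the exposed resource, because it is the one
# reachable as a result.

resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = var.vpc_id # assumed variable

  # Violating configuration: SSH reachable from any source address.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "app" {
  ami                    = var.ami_id # assumed variable
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.web.id]
  # Nothing in this block is misconfigured, yet this is the resource that is
  # actually at risk: the exposed resource.
}

# Remediation in Terraform: the fix is applied to the violating resource, not
# to the exposed one. Restrict the source range to a known administrative CIDR.
resource "aws_security_group" "web_hardened" {
  name   = "web-sg-hardened"
  vpc_id = var.vpc_id # assumed variable

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # assumed variable, e.g. a corporate range
  }
}
```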

The Evidence field explains the rationale behind Cloudrail’s assessment of the violation. This can involve many parameters, and Evidence organizes that logic for you.

The Assessment tab is great for visualizing security violations. Please note that Cloudrail only suggests rules to you; to make any rule Mandatory, you will need to create your own policy, which acts as a container for your rule configurations. Cloudrail will make recommendations based on your existing IaC scans and mark them as Tasks under the Task Center.