Visual Editor

Select
Policies > Add Policy > Config > Add Policy Details
and then select
Next
.
In this example, you see the policy details for S3 Bucket ACL where log delivery is not recommended.

Code Editor appears as a default view.
Select
Visual Editor
.

Select
Category
Type
.
Category Type
is where the policy is grouped based on either Elasticsearch, General, IAM, Kubernetes, Logging, Monitoring, Networking, Public, Secrets, Serverless, Storage and Vulnerabilities. You can use the category type to search or filter specific policies.

Select
Cloud Provider
.
You can create rules only for Cloud Service Providers that are supported on Prisma Cloud.

Select
Resource Type
.
Resource Type is relevant to the selection of the Cloud Provider. You can also add the syntax of the resource to search for the same.

In this example add s3 to and you should be able to locate relevant resources.

Select
Attribute
,
Operator
and then add
Value
for the query.
The query defines the match condition to verify if a resource does contain a specific value, or if the specific value exists.

In this example the query for S3 Bucket ACL policy will include
Attribute
as acl, the
Operator
is Not equals and the
Value
is log-delivery-write.

For more examples on custom policies see the table.
Policy name	Cloud Provider	Resource Type	Attribute	Operator	Value
aws-restrict-all-vpc-traffic	aws	aws_default_network_acl	ingress	Equal	0
azurerm-block-allow-all-cidr	azurerm	azurerm_network_security_group	source_address_prefix	Not Equal	0.0.0.0/0, "*"
gcp-restrict-machine-type	google	google_compute_instance	machine_type	Equal	n1-standard-1
aws-networking-deny-public-ssh	aws	aws_security_group_rule	cidr_blocks	Not equal	0.0.0.0/0
The Custom Policy "aws-networking-deny-public-ssh" uses 2 rules with arguments for cidr_blocks and to_port. You can create multiple nested arguments for this policy. In this example, to express a more complex ingress policy for an AWS security group you can use arguments like; ingress.from_port, ingress.to_port, ingress.protocol, ingress.cidr_blocks.
You can use And/OR logic to create a rule with more than one query.
A policy may include layers of defined Attributes and Connection State, or both. To define the connection between the two AND/OR logic is used.
In this example you see the AND logic used.

Select
Test
to verify your custom code.
If your custom code has no error, Prisma Cloud will display 30 resource results.
In this example, you see results for the S3 Bucket ACL query.

Select
Next
to access Compliance Standards and to complete the process to create a custom Build-time check policy.

You are in Step 2 of Create Custom Policies for Build-Time Checks. You are required to complete the rest of the steps to see your new custom Build-time check policy on the Prisma Cloud console.