Code Editor

Prisma Cloud supports Code Editor capability where you can create a policy rule for custom Configuration policies during Build-time checks. Code Editor is the default view for Build policy rule and as an example a YAML policy template is always available on the Prisma Cloud console. The Code Editor is a suitable option when you want to create complex custom policies that include both Attribute and Connection-State with a support of AND/OR logic.
  • Attribute
    Attribute when defined in a policy describes attribute configurations for resources. Each resource must contain values the attribute configuration has specified or display the presence or absence of the attribute configuration. The syntax and attribute configurations used in YAML templates is similar to Terraform.
    In this example, the attribute defines a back-up configuration for Redshift clusters.
    definition: cond_type: "attribute" resource_types: - "aws_redshift_cluster" attribute: "automated_snapshot_retention_period" operator: "not_equals" value: "0"
For instructions on how to use the type of Attribute with key and values see in the table.
Key
Type
Values
cond_type
string
Must be attribute
resource_type
collection of strings
attribute
string
Attribute of defined resource types. For example, automated_snapshot_retention_period
operator
string
Value (not relevant for operator: exists, not_exists)
string
User input
For instructions on how to use Attribute Operators see in the table.
Attribute Operators
YAML values
Equals
Not Equals
Regex Match
Not Regex Match
Exists
Not Exists
One Exists
Any
Contains
Not Contains
Within
Starts With
Not Starts With
Ends With
Not Ends With
Greater Than
Greater Than Or Equal
Less Than
Less Than Or Equal
Subset
Not Subset
Json Path Equals
Json Path Exists
  • Connection State
    Connection State when defined in a policy specifies a connect or disconnect between resources of different types.
    In this example, aws_lb and aws_elb must have connection with aws_security_group or aws_default_secuirty_group to be compliant.
    definition: cond_type: "connection" resource_types: - "aws_elb" - "aws_lb" connected_resource_types: - "aws_security_group" - "aws_default_security_group" operator: "exists"
For instructions on how to use the type of Connection State with key and values see in the table.
Key
Type
Values
cond_type
string
Must be connection
resource_types
connected_resource_types
collection of strings
operator
string
For instructions on how to use Connection State Operators see in the table.
Connection State Operators
YAML values
Exists
Not Exists
  • AND/OR Logic
    A policy may include layers of defined Attributes and Connection State, or both. To define the connection between the two AND/OR logic is used. Using Code Editor you can customize the Attribute, Connection State or both at multiple layers.
    In this example, you see the both AND/OR logic applied to Attribute.
    metadata: name: "Ensure all AWS databases have Backup Policy" guidelines: "In case of non-compliant resource - add a backup policy configuration for the resource" category: "storage" severity: "medium" scope: provider: "aws" definition: or: - cond_type: "attribute" resource_types: - "aws_rds_cluster" - "aws_db_instance" attribute: "backup_retention_period" operator: "not_exists" - cond_type: "attribute" resource_types: - "aws_rds_cluster" - "aws_db_instance" attribute: "backup_retention_period" operator: "not_equals" value: "0" - cond_type: "attribute" resource_types: - "aws_redshift_cluster" attribute: "automated_snapshot_retention_period" operator: "not_equals" value: "0" - cond_type: "attribute" resource_types: - "aws_dynamodb_table" attribute: "point_in_time_recovery" operator: "not_equals" value: "false" - cond_type: "attribute" resource_types: - "aws_dynamodb_table" attribute: "point_in_time_recovery" operator: "exists"
In this example, you see the AND/OR logic applied to both Attribute and the Connection State.
metadata: name: "Ensure all ALBs are connected only to HTTPS listeners" guidelines: "In case of non-compliant resource - change the definition of the listener/listener_rul protocol value into HTTPS" category: "networking" severity: "high" scope: provider: "aws" definition: and: - cond_type: "filter" value: - "aws_lb" attribute: "resource_type" operator: "within" - cond_type: "attribute" resource_types: - "aws_lb" attribute: "load_balancer_type" operator: "equals" value: "application" - or: - cond_type: "connection" resource_types: - "aws_lb" connected_resource_types: - "aws_lb_listener" operator: "not_exists" - and: - cond_type: "connection" resource_types: - "aws_lb" connected_resource_types: - "aws_lb_listener" operator: "exists" - cond_type: "attribute" resource_types: - "aws_lb_listener" attribute: "certificate_arn" operator: "exists" - cond_type: "attribute" resource_types: - "aws_lb_listener" attribute: "ssl_policy" operator: "exists" - cond_type: "attribute" resource_types: - "aws_lb_listener" attribute: "protocol" operator: "equals" value: "HTTPS" - or: - cond_type: "attribute" resource_types: - "aws_lb_listener" attribute: "default_action.redirect.protocol" operator: "equals" value: "HTTPS" - cond_type: "attribute" resource_types: - "aws_lb_listener" attribute: "default_action.redirect.protocol" operator: "not_exists" - or: - cond_type: "connection" resource_types: - "aws_lb_listener_rule" connected_resource_types: - "aws_lb_listener" operator: "not_exists" - and: - cond_type: "connection" resource_types: - "aws_lb_listener_rule" connected_resource_types: - "aws_lb_listener" operator: "exists" - or: - cond_type: "attribute" resource_types: - "aws_lb_listener_rule" attribute: "default_action.redirect.protocol" operator: "equals" value: "HTTPS" - cond_type: "attribute" resource_types: - "aws_lb_listener_rule" attribute: "default_action.redirect.protocol" operator: "not_exists"
  1. Select
    Policies > Add Policy > Config > Add Policy Details
    and then select
    Next
    .
    Code Editor appears as a default view. You can view an example of a YAML template.
  2. Select
    Clear Editor
    to remove the example YAML template.
  3. Add your custom YAML code.
  4. Select
    Test
    to validate your custom code.
    If your custom code has no error, Prisma Cloud will display 30 Test Results. This indicates Prisma Cloud has run a scan across all your repositories and has found upto 30 resources that are impacted by your custom code.
    Select any test result to view more details on the impacted resource and misconfiguration.
    However, if your code does have an error, the console will display a solution for the error.
  5. Select
    Next
    to access
    Compliance Standards
    and to complete the process to create a custom Build-time check policy.
    You are in Step 2 of Create Custom Policies for Build-Time Checks. You are required to complete the rest of the steps to see your new custom Build-time check policy on the Prisma Cloud console.

Recommended For You