Prisma Cloud provides a Visual Editor in which you can create custom build policies for your templates using the existing fields. The Visual Editor is a suitable option when you want to create custom policies that consist of Attribute checks combined with AND/OR logic. To help you create a custom policy using the Visual Editor, this page walks through an example of a custom build policy for S3 Bucket ACL where log delivery is not recommended.
- Select Policies > Add Policy > Config > Add Policy Details and then select Next. In this example, you see the policy details for S3 Bucket ACL where log delivery is not recommended. Code Editor appears as the default view.
- Select Visual Editor.
- Select Category Type. Category Type groups the policy under one of Elasticsearch, General, IAM, Kubernetes, Logging, Monitoring, Networking, Public, Secrets, Serverless, Storage, or Vulnerabilities. You can use the category type to search for or filter specific policies.
- Select Cloud Provider. You can create rules only for Cloud Service Providers that are supported on Prisma Cloud.
- Select Resource Type. The available Resource Types depend on the selected Cloud Provider. You can also type the resource syntax to search for it. In this example, add s3 and you should be able to locate the relevant resources.
- Select Attribute, Operator and then add Value for the query. The query defines the match condition that verifies whether a resource contains a specific value, or whether the specific value exists. For more examples of custom policies, see the table below.

  | Policy name | Cloud Provider | Resource Type | Attribute | Operator | Value |
  |---|---|---|---|---|---|
  | aws-restrict-all-vpc-traffic | aws | aws_default_network_acl | ingress | Equal | 0 |
  | azurerm-block-allow-all-cidr | azurerm | azurerm_network_security_group | source_address_prefix | Not Equal | 0.0.0.0/0, "*" |
  | gcp-restrict-machine-type | | google_compute_instance | machine_type | Equal | n1-standard-1 |
  | aws-networking-deny-public-ssh | aws | aws_security_group_rule | cidr_blocks | Not Equal | 0.0.0.0/0 |

  The custom policy "aws-networking-deny-public-ssh" uses 2 rules with arguments for cidr_blocks and to_port. You can create multiple nested arguments for this policy. In this example, to express a more complex ingress policy for an AWS security group you can use arguments such as ingress.from_port, ingress.to_port, ingress.protocol and ingress.cidr_blocks. You can use AND/OR logic to create a rule with more than one query. A policy may include layers of defined Attributes, Connection State, or both; AND/OR logic defines the connection between them. In this example you see the AND logic used.
- Select Test to verify your custom code. If your custom code has no errors, Prisma Cloud displays 30 resource results. In this example, you see the results for the S3 Bucket ACL query.
- Select Next to access Compliance Standards and to complete the process of creating a custom Build-time check policy. You are now in Step 2 of Create Custom Policies for Build-Time Checks. You must complete the remaining steps to see your new custom Build-time check policy on the Prisma Cloud console.
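The Attribute / Operator / Value query and the AND/OR connections described in the steps above, as an added example that is not Prisma Cloud's own code: a small Python evaluator that models how a resource-type filter, dotted attribute paths such as ingress.cidr_blocks, the Equal / Not Equal operators and nested and/or groups combine into a pass or fail verdict per resource. The operator names ("equals", "not_equals"), the "and"/"or" keys, the policy name aws-no-public-ingress and the resource records are all constructed here for illustration; Prisma Cloud's real policy engine may evaluate missing attributes and list values differently.

```python
"""Toy evaluator for attribute-check build policies joined with AND/OR logic.

Added, hypothetical model of how the Visual Editor's fields (Resource Type,
Attribute, Operator, Value) and AND/OR connections combine. It is not Prisma
Cloud's or Checkov's engine: the operator names, the "and"/"or" keys, the
dotted attribute paths and the resource records below are constructed.
"""
from typing import Any


def resolve(resource: dict, path: str) -> list:
    """Resolve a dotted attribute path such as 'ingress.cidr_blocks'.

    Terraform allows repeated nested blocks, so any list met along the path
    is flattened and every branch is searched; the result is the list of all
    leaf values found (empty if the attribute is absent).
    """
    nodes: list[Any] = [resource]
    for part in path.split("."):
        found: list[Any] = []
        for node in nodes:
            if isinstance(node, dict) and part in node:
                value = node[part]
                found.extend(value if isinstance(value, list) else [value])
        nodes = found
    return nodes


def check_attribute(resource: dict, cond: dict) -> bool:
    """Evaluate one Attribute / Operator / Value condition against a resource."""
    actual = resolve(resource, cond["attribute"])
    expected = cond["value"]
    allowed = expected if isinstance(expected, list) else [expected]
    op = cond["operator"]
    if op == "equals":
        # Every resolved value must be one of the expected values; an absent
        # attribute cannot satisfy an equality requirement.
        return bool(actual) and all(a in allowed for a in actual)
    if op == "not_equals":
        # No resolved value may be one of the forbidden values; an absent
        # attribute trivially passes.
        return all(a not in allowed for a in actual)
    raise ValueError(f"unsupported operator: {op!r}")


def evaluate(resource: dict, definition: dict) -> bool:
    """Recursively evaluate nested 'and'/'or' groups down to leaf conditions."""
    if "and" in definition:
        return all(evaluate(resource, d) for d in definition["and"])
    if "or" in definition:
        return any(evaluate(resource, d) for d in definition["or"])
    return check_attribute(resource, definition)


def run_policy(policy: dict, resources: list[dict]) -> dict[str, bool]:
    """Apply a policy to every resource of a matching type; returns name -> passed."""
    return {
        r["name"]: evaluate(r, policy["definition"])
        for r in resources
        if r["type"] in policy["resource_types"]
    }


# The table's "aws-networking-deny-public-ssh" modelled with two queries joined
# by OR: a rule is compliant if it is not an SSH rule or is not open to the world.
DENY_PUBLIC_SSH = {
    "name": "aws-networking-deny-public-ssh",
    "resource_types": ["aws_security_group_rule"],
    "definition": {
        "or": [
            {"attribute": "to_port", "operator": "not_equals", "value": 22},
            {"attribute": "cidr_blocks", "operator": "not_equals", "value": "0.0.0.0/0"},
        ]
    },
}

# A nested-argument policy joined by AND (hypothetical name): every ingress
# block must be closed to the world over both IPv4 and IPv6.
NO_PUBLIC_INGRESS = {
    "name": "aws-no-public-ingress",
    "resource_types": ["aws_security_group"],
    "definition": {
        "and": [
            {"attribute": "ingress.cidr_blocks", "operator": "not_equals", "value": "0.0.0.0/0"},
            {"attribute": "ingress.ipv6_cidr_blocks", "operator": "not_equals", "value": "::/0"},
        ]
    },
}

# Constructed resource records shaped like parsed Terraform blocks.
SAMPLE_RESOURCES = [
    {"name": "ssh_from_office", "type": "aws_security_group_rule",
     "to_port": 22, "cidr_blocks": ["10.0.0.0/8"]},
    {"name": "ssh_from_anywhere", "type": "aws_security_group_rule",
     "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
    {"name": "https_from_anywhere", "type": "aws_security_group_rule",
     "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
    {"name": "web_sg", "type": "aws_security_group", "ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp",
         "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": ["::/0"]}]},
    {"name": "internal_sg", "type": "aws_security_group", "ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp",
         "cidr_blocks": ["10.0.0.0/8"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp",
         "cidr_blocks": ["192.168.0.0/16"], "ipv6_cidr_blocks": ["fd00::/8"]}]},
]

if __name__ == "__main__":
    for policy in (DENY_PUBLIC_SSH, NO_PUBLIC_INGRESS):
        for name, passed in run_policy(policy, SAMPLE_RESOURCES).items():
            print(f"{policy['name']}: {name} -> {'PASSED' if passed else 'FAILED'}")
```

The OR form is used for the deny-public-ssh policy because a pass/fail check has to hold for every rule of the resource type: a rule on port 443 or a port-22 rule restricted to a private range must both pass, and only the combination of port 22 and 0.0.0.0/0 should fail. The AND form fits the nested ingress policy, where every sub-condition must hold for the security group to be compliant.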