Create a custom policy to meet your specific needs for
compliance or monitoring of cloud resources.
Create a custom policy with remediation rules
that are tailored to meet the requirements of your organization.
When creating a new policy, you can either build the query using RQL or you use a saved
search to automatically populate the query you need to match on
your cloud resources. For Prisma Cloud DevOps Security, you can
also create configuration policies to scan your Infrastructure as
Code (IaC) templates that are used to deploy cloud resources. The
policies used for scanning IaC templates use a JSON query instead
of RQL.
If you want to enable auto-remediation, Prisma Cloud
requires write access to the cloud platform to successfully execute
the remediation commands.
You can create three types of policies:
Config
—Configuration policies monitor your resource configurations
for potential policy violations. Configuration policies on Prisma Cloud
can be of two sub-types—Build and Run—to enable a layered approach. Build
policies enable you to check for security misconfigurations in the
IaC templates and ensure that these issues do not make their way
into production. The Run policies monitor resources and check for
potential issues once these cloud resources are deployed. See Create a Configuration Policy.
—Event policies monitor audit events in
your environment for potential policy violations. You create audit
policies to flag sensitive events such as root activities or configuration
changes that may potentially put your cloud environment at risk.
See Create a Network or Audit Event Policy.
Create a Configuration Policy
Use these instructions to add a custom configuration policy,
for checking resources in the build or run phase of your application
lifecycle. Because building the rules takes practice, before you
start, take a look at a few Prisma Cloud default policies for directly
on the administrative console, and review the query format within
the rules.
Select
Policies
and click
New Policy
Config
.
Enter a
Policy Name
.
You can optionally add a
Description
and
Labels
.
Select the policy subtype and click
Next
.
You can choose one or both the policy subtypes options:
Run
subtype
enables you to scan cloud resources that are already deployed on
a supported cloud platform.
Build
subtype
enables you to scan IaC templates—Terraform, CloudFormation, Kubernetes
manifest—that are used to deploy cloud resources.
Select the
Severity
for the policy
and click
Next
.
For a Run policy, an alert will be generated on a policy
violation.
Build the query to define the match criteria for your policy.
Add
a rule for the
Run
phase.
The Configuration—Run policies use RQL. If you are using
a
Saved Search
, you can select from predefined
options to auto-populate the query. For building a
New
Search
, enter
config where
and
use the auto-suggestion to select the available attributes and complete
the query.
Config
queries require some mandatory attributes. It should at a minimum have
api.name
in
conjunction with
json.rule
or it can have
hostfinding.type
or
it can have two
api.name
attributes with
a
filter
attribute.
config where cloud.type = 'azure' AND api.name = 'azure-network-usage' AND json.rule = StaticPublicIPAddresses.currentValue greater than 1
config where hostfinding.type = 'Host Vulnerability'
config where api.name = 'aws-ec2-describe-internet-gateways' as X; config where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;
When creating a custom
policy, as a best practice do not include cloud.account, cloud.account.group
or cloud.region attributes in the RQL query. If you have a saved
search that includes these attributes, make sure to edit the RQL
before you create a custom policy. While these attributes are useful
to filter the results you see on the
Investigate
tab,
they are ignored when used in a custom policy.
Add
a rule for the
Build
phase.
If your policy will include both Run and Build checks,
and you have added the RQL query, your cloud type for the build
rule is automatically selected. It is based on the cloud type referenced
in the RQL query.
Select the
Template Type
you
want to scan—CloudFormation, Kubernetes, or Terraform. You can add
one or more types.
For scanning Terraform templates, you
must select the Cloud Type and the Terraform version. Terraform
versions 0.11 and 0.12 are supported.
If
you choose to upload a template in the next step, the query you entered
above is validated against the template. Each time you modify the query
or upload a new template, the JSON query is re-validated.
(
Optional
) Upload a file to validate the JSON query.
The
JSON Template Validation is optional. You can upload a single file or
a .zip file. The supported file formats are HCL,YAML, JSON. The
uploaded file is converted to JSON and displayed on-screen.
In
addition, you can include a variable name and value to pass to the sample
file and verify that the build rule works before you save the policy.
For example, if you want to check whether EC2 instances include
tags to identify the owner, the variables enable you to quickly
validate against the sample template you attached.
Add the
compliance standards to your policy.
Choose the compliance
Standard
,
Requirement
,
and
Section
.
Click
+
to add more standards
as required and click
Next
.
Enter details
in the remediation section, if you want to automatically remediate
alerts on a policy violation.
Select
Run
or
Build
Build phase policies do not support remediation CLI. You
can however add the instructions for manually fixing the issue in
the
Recommendation for Remediation
.
(
Configuration—Run policies only
) Enter Command Line
remediation commands in
CLI Remediation
.
CLI remediation is available for
config where
queries
only. You can add up to 5 CLI commands, and use a semi-colon to
separate the commands in the sequence. The sequence is executed in
the order defined in policy, and if a CLI command fails, the execution
stops at that command. The parameters that you can use to create
remediation commands are displayed on the interface as CLI variables,
and a syntax example is:
gcloud -q compute --project=${account} firewall-rules delete ${resourceName}; gsutil versioning set off gs://${resourceName};
:
$account
—Account is the Account ID
of your account in Prisma Cloud.
$azurescope
—
(Azure only)
Allows
you to specify the node in the Azure resource hierarchy where the resource
is deployed.
$gcpzoneid
—
(GCP only)
Allows
you to specify the zone in the GCP project, folder, or organization where
the resource is deployed.
$region
—Region is the name of the
cloud region to which the resource belongs.
resourcegroup
—
(Azure only)
Allows
you to specify the name of the Azure Resource Group that triggered the
alert.
$resourceid
—Resource ID is the identification
of the resource that triggered the alert.
$resourcename
—Resource name is the name
of the resource that triggered the alert.
Click
Validate syntax
to validate
the syntax of your code.
If you would like to see an example of the CLI syntax in
the default remediable policies on Prisma Cloud, clone any existing
policy and edit it.
The default policies include additional
variables that are restricted for use in default policies only,
and are not supported in custom policies. Syntax validation displays
an error if you use the restricted variables.
Click
Save
.
All your System Administrators and Account Administrators
are notified when there is a change to the CLI commands.
Config queries require some mandatory attributes. It should at a minimum haveapi.namein conjunction withjson.ruleor it can havehostfinding.typeor it can have twoapi.nameattributes with afilterattribute.config where cloud.type = 'azure' AND api.name = 'azure-network-usage' AND json.rule = StaticPublicIPAddresses.currentValue greater than 1config where hostfinding.type = 'Host Vulnerability'config where api.name = 'aws-ec2-describe-internet-gateways' as X; config where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;When creating a custom policy, as a best practice do not include cloud.account, cloud.account.group or cloud.region attributes in the RQL query. If you have a saved search that includes these attributes, make sure to edit the RQL before you create a custom policy. While these attributes are useful to filter the results you see on theInvestigatetab, they are ignored when used in a custom policy.
If you choose to upload a template in the next step, the query you entered above is validated against the template. Each time you modify the query or upload a new template, the JSON query is re-validated.
