Create a custom policy to meet your specific needs for compliance or monitoring of cloud resources, with remediation rules tailored to the requirements of your organization. When creating a new policy, you can either build the query using RQL or use a saved search to automatically populate the query that you need to match on your cloud resources. For Prisma Cloud DevOps Security, you can also create configuration policies to scan the Infrastructure as Code (IaC) templates that are used to deploy cloud resources. The policies used for scanning IaC templates use a JSON query instead of RQL.

If you want to enable auto-remediation, Prisma Cloud requires write access to the cloud platform to successfully execute the remediation commands.
You can create any of the following types of policies:

Config—Configuration policies monitor your resource configurations for potential policy violations. Configuration policies on Prisma Cloud can be of two sub-types—Build and Run—to enable a layered approach. Build policies enable you to check for security misconfigurations in the IaC templates and ensure that these issues do not make their way into production. Run policies monitor resources and check for potential issues once these cloud resources are deployed. See Create a Configuration Policy.

Data—Data policies protect against malware and enable data classification. To identify sensitive data in cloud storage buckets, Prisma Cloud uses machine learning and pattern matching. See Use Data Policies to Scan for Data Exposure or Malware.

Event—Event policies monitor audit events in your environment for potential policy violations. You create audit policies to flag sensitive events such as root activities or configuration changes that may potentially put your cloud environment at risk. See Create a Network or Audit Event Policy.
Create a Configuration Policy

Use these instructions to add a custom configuration policy for checking resources in the build or run phase of your application lifecycle. Because building the rules takes practice, before you start, take a look at a few Prisma Cloud default policies directly on the administrative console and review the query format within the rules.
Select Policies and click New Policy > Config.

Enter a Policy Name. You can optionally add a Description and Labels.

Select the policy subtype and click Next. You can choose one or both of the policy subtype options:

  Run subtype enables you to scan cloud resources that are already deployed on a supported cloud platform.

  Build subtype enables you to scan IaC templates—Terraform, CloudFormation, Kubernetes manifest—that are used to deploy cloud resources.

Select the Severity for the policy and click Next. For a Run policy, an alert will be generated on a policy violation.

Build the query to define the match criteria for your policy.
Add a rule for the Run phase.

Configuration—Run policies use RQL. If you are using a Saved Search, you can select from predefined options to auto-populate the query. For building a New Search, enter config from and use the auto-suggestion to select the available attributes and complete the query.

Config queries require some mandatory attributes. The query should begin with config from cloud.resource where and, at a minimum, have api.name in conjunction with json.rule; or it can have an attribute from the completion suggestions; or it can have two api.name attributes with a filter attribute. For example:

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-usage' AND json.rule = StaticPublicIPAddresses.currentValue greater than 1

config from cloud.resource where finding.type = 'Host Vulnerability'

config from cloud.resource where api.name = 'aws-ec2-describe-internet-gateways' as X; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;

config from cloud.resource where resource.status = Active

When creating a custom policy, as a best practice do not include the cloud.account, cloud.accountgroup or cloud.region attributes in the RQL query. If you have a saved search that includes these attributes, make sure to edit the RQL before you create a custom policy. While these attributes are useful to filter the results you see on the Investigate tab, they are ignored when used in a custom policy.
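The mandatory-attribute rules and the ignored-attribute caveat above are easy to get wrong when a query is copied out of a saved search. The following linter is an added example, not Prisma Cloud code, and the console's own Validate syntax check remains authoritative. It encodes only what this page states: the query must begin with config from cloud.resource where; it needs api.name with json.rule, or two api.name clauses joined by a filter, or a completion attribute (finding.type and resource.status are the two the page shows, and treating them as the whole list is an assumption); and cloud.account, cloud.accountgroup and cloud.region are reported because a custom policy ignores them. The four page queries pass; the extra saved-search query with a region filter is constructed to show the warning.

```python
"""Pre-submission linter for custom Config policy RQL.

Added example; not Prisma Cloud code. It checks the structural rules this
page states for config queries and flags attributes that custom policies
ignore. The list of completion attributes accepted on their own is an
assumption limited to the two shown on the page.
"""
import re

PREFIX = "config from cloud.resource where"
# Attributes the page shows working on their own (assumed complete for this example).
STANDALONE_ATTRS = ("finding.type", "resource.status")
# Attributes the page says are ignored in custom policies.
IGNORED_ATTRS = ("cloud.account", "cloud.accountgroup", "cloud.region")


def _has_attr(query, attr):
    """True if `attr = ...` appears in the query. The trailing `=` keeps
    cloud.account from matching cloud.accountgroup."""
    return re.search(rf"\b{re.escape(attr)}\s*=", query) is not None


def lint_rql(query):
    """Return a list of problems; an empty list means the query passes these checks."""
    problems = []
    clauses = [c.strip() for c in query.split(";") if c.strip()]

    # Every config clause, including the second one of a joined query, must start with the prefix.
    for clause in clauses:
        if clause.startswith("config") and not clause.startswith(PREFIX):
            problems.append(f"clause must begin with '{PREFIX}': {clause[:48]!r}")

    api_count = len(re.findall(r"\bapi\.name\s*=", query))
    has_filter = any(c.startswith("filter ") for c in clauses)
    has_standalone = any(_has_attr(query, a) for a in STANDALONE_ATTRS)
    if not (
        (api_count >= 1 and _has_attr(query, "json.rule"))
        or (api_count >= 2 and has_filter)
        or has_standalone
    ):
        problems.append(
            "need api.name with json.rule, two api.name clauses with a filter, "
            "or a completion attribute such as finding.type"
        )

    for attr in IGNORED_ATTRS:
        if _has_attr(query, attr):
            problems.append(f"{attr} is ignored in custom policies; remove it")
    return problems


# The four example queries from this page.
PAGE_QUERIES = [
    "config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-usage' "
    "AND json.rule = StaticPublicIPAddresses.currentValue greater than 1",
    "config from cloud.resource where finding.type = 'Host Vulnerability'",
    "config from cloud.resource where api.name = 'aws-ec2-describe-internet-gateways' as X; "
    "config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Y; "
    "filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected "
    "and $.Y.tags[*].value contains true'; show Y;",
    "config from cloud.resource where resource.status = Active",
]

# Constructed: a saved search copied into a policy with its region filter still in place.
SAVED_SEARCH_WITH_REGION = (
    "config from cloud.resource where cloud.region = 'AWS Virginia' AND "
    "api.name = 'aws-ec2-describe-instances' AND json.rule = state.name equals running"
)

if __name__ == "__main__":
    for q in PAGE_QUERIES + [SAVED_SEARCH_WITH_REGION]:
        print(lint_rql(q) or "ok", "<-", q[:60])
```

Run it over a query before pasting the query into the New Search box; a non-empty result is the list of things to fix first.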
Add a rule for the Build phase.

If your policy will include both Run and Build checks and you have already added the RQL query, the cloud type for the build rule is selected automatically, based on the cloud type referenced in the RQL query.

Select the Template Type you want to scan—CloudFormation, Kubernetes, or Terraform. You can add one or more types.

If you choose to upload a template in the next step, the query you entered above is validated against the template. Each time you modify the query or upload a new template, the JSON query is re-validated.

(Optional) Upload a file to validate the JSON query.

The JSON Template Validation is optional. You can upload a single file or a .zip file. The supported file formats are HCL, YAML, and JSON. The uploaded file is converted to JSON and displayed on-screen.

In addition, you can include a variable name and value to pass to the sample file and verify that the build rule works before you save the policy. For example, if you want to check whether EC2 instances include tags that identify the owner, the variables enable you to quickly validate the rule against the sample template you attached.
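To make the validation step concrete, here is an added example of the EC2 owner-tag check just described. It is not Prisma Cloud code and does not use Prisma Cloud's JSON query syntax; it shows in plain Python what the build rule has to decide once the uploaded template has been converted to JSON, with the tag name left as a ${tag_key} variable that is supplied at validation time. The template, resource names, tag names and the rule fields (resource_type, required_tag) are constructed for illustration.

```python
"""Checking a build rule against a sample template with validation variables.

Added example; not Prisma Cloud code and not its JSON query syntax. A
constructed Terraform-style template (already converted to JSON) is checked
against a rule requiring every aws_instance to carry an owner tag, where the
tag name is a ${tag_key} variable resolved before evaluation.
"""
import json
import re

VAR_PATTERN = re.compile(r"\$\{(\w+)\}")

# Constructed sample template, as it would look after conversion from HCL to JSON.
SAMPLE_TEMPLATE = json.dumps({
    "resource": {
        "aws_instance": {
            "web": {"ami": "ami-placeholder", "tags": {"Owner": "platform-team", "Env": "prod"}},
            "worker": {"ami": "ami-placeholder", "tags": {"Env": "prod"}},
            "untagged": {"ami": "ami-placeholder"},
        }
    }
})

# Constructed rule: the tag to require is a variable so the same rule can be
# validated with different values before the policy is saved.
OWNER_TAG_RULE = {"resource_type": "aws_instance", "required_tag": "${tag_key}"}


def missing_variables(rule, variables):
    """Names of ${...} placeholders in the rule that were given no value."""
    used = set()
    for value in rule.values():
        if isinstance(value, str):
            used.update(VAR_PATTERN.findall(value))
    return used - set(variables)


def resolve_variables(rule, variables):
    """Return a copy of the rule with every ${name} replaced by its supplied value."""
    missing = missing_variables(rule, variables)
    if missing:
        raise ValueError(f"no value supplied for: {sorted(missing)}")
    return {
        key: VAR_PATTERN.sub(lambda m: variables[m.group(1)], value) if isinstance(value, str) else value
        for key, value in rule.items()
    }


def evaluate_build_rule(template_json, rule, variables):
    """Return the resources that violate the rule; an empty list means the template passes."""
    rule = resolve_variables(rule, variables)
    doc = json.loads(template_json)
    resources = doc.get("resource", {}).get(rule["resource_type"], {})
    violations = []
    for name, body in resources.items():
        tags = body.get("tags") or {}   # a resource with no tags block fails the check
        if rule["required_tag"] not in tags:
            violations.append(f"{rule['resource_type']}.{name}")
    return violations


if __name__ == "__main__":
    print(evaluate_build_rule(SAMPLE_TEMPLATE, OWNER_TAG_RULE, {"tag_key": "Owner"}))
```

Re-running the same rule with a different variable value (for example Env instead of Owner) is the quick check the validation variables are meant for: the template and rule stay fixed and only the value changes.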
Add the compliance standards to your policy.

Choose the compliance Standard, Requirement, and Section. Click + to add more standards as required and click Next.
Enter details in the remediation section if you want to automatically remediate alerts on a policy violation.

Select Run or Build.

Build phase policies do not support remediation CLI. You can, however, add the instructions for manually fixing the issue in the Recommendation for Remediation.

(Configuration—Run policies only) Enter Command Line remediation commands in CLI Remediation.

CLI remediation is available for config from queries only. You can add up to 5 CLI commands, and use a semi-colon to separate the commands in the sequence. The sequence is executed in the order defined in the policy, and if a CLI command fails, the execution stops at that command. The parameters that you can use to create remediation commands are displayed on the interface as CLI variables. A syntax example is:

gcloud -q compute --project=${account} firewall-rules delete ${resourceName}; gsutil versioning set off gs://${resourceName};

The CLI variables are:

$account—Account is the Account ID of your account in Prisma Cloud.

$azurescope—(Azure only) Allows you to specify the node in the Azure resource hierarchy where the resource is deployed.

$gcpzoneid—(GCP only) Allows you to specify the zone in the GCP project, folder, or organization where the resource is deployed.

$region—Region is the name of the cloud region to which the resource belongs.

$resourcegroup—(Azure only) Allows you to specify the name of the Azure Resource Group that triggered the alert.

$resourceid—Resource ID is the identification of the resource that triggered the alert.

$resourcename—Resource name is the name of the resource that triggered the alert.

Click Validate syntax to validate the syntax of your code.

If you would like to see an example of the CLI syntax in the default remediable policies on Prisma Cloud, clone any existing policy and edit it. The default policies include additional variables that are restricted for use in default policies only and are not supported in custom policies. Syntax validation displays an error if you use the restricted variables.
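The following dry-run model is an added example, not Prisma Cloud's remediation engine, and exists to make the execution semantics above testable before a policy is saved: at most 5 commands separated by semicolons, run in the order defined, stopping at the first command that fails, with the CLI variables filled from the alert, and any variable outside the custom-policy list rejected the way Validate syntax rejects the restricted default-policy variables. A runner callback stands in for actually executing gcloud or gsutil so it runs offline. The alert values are constructed, and matching variable names case-insensitively (the page writes ${resourceName} in the syntax example and $resourcename in the list) is an assumption.

```python
"""Dry-run model of CLI Remediation for a Configuration—Run policy.

Added example; not Prisma Cloud code. Models the page's stated behaviour:
up to 5 semicolon-separated commands, executed in order, execution stopping
at the first failing command, ${variable} placeholders filled from the
alert, and variables outside the custom-policy list rejected up front.
"""
import re

# The CLI variables this page lists for custom policies (case-insensitive match is an assumption).
ALLOWED_VARIABLES = {
    "account", "azurescope", "gcpzoneid", "region",
    "resourcegroup", "resourceid", "resourcename",
}
MAX_COMMANDS = 5
VAR_PATTERN = re.compile(r"\$\{(\w+)\}")


def split_commands(cli):
    """Split the CLI Remediation string on semicolons, dropping empty entries."""
    return [c.strip() for c in cli.split(";") if c.strip()]


def check_remediation(cli):
    """Return a list of syntax problems; empty means the string is acceptable."""
    problems = []
    commands = split_commands(cli)
    if len(commands) > MAX_COMMANDS:
        problems.append(f"at most {MAX_COMMANDS} commands allowed, found {len(commands)}")
    for cmd in commands:
        for name in VAR_PATTERN.findall(cmd):
            if name.lower() not in ALLOWED_VARIABLES:
                problems.append(f"${{{name}}} is not available in custom policies")
    return problems


def run_remediation(cli, alert, runner):
    """Run the commands in order, stopping after the first non-zero exit code.

    `runner` is called with each resolved command string and returns an exit
    code; the result is the list of (resolved command, exit code) pairs that
    were actually attempted.
    """
    problems = check_remediation(cli)
    if problems:
        raise ValueError("; ".join(problems))
    results = []
    for cmd in split_commands(cli):
        resolved = VAR_PATTERN.sub(lambda m: str(alert[m.group(1).lower()]), cmd)
        rc = runner(resolved)
        results.append((resolved, rc))
        if rc != 0:
            break   # the page: execution stops at the command that fails
    return results


# The syntax example from this page.
PAGE_CLI = ("gcloud -q compute --project=${account} firewall-rules delete ${resourceName}; "
            "gsutil versioning set off gs://${resourceName};")
# Constructed alert values standing in for what Prisma Cloud would supply.
SAMPLE_ALERT = {"account": "project-placeholder", "resourcename": "allow-all-ingress"}


def dry_runner(command):
    """Stand-in for a shell: pretend gcloud succeeds and gsutil fails (no bucket by that name)."""
    print("would run:", command)
    return 0 if command.startswith("gcloud") else 1


if __name__ == "__main__":
    # A constructed third command shows that nothing after the failing gsutil step runs.
    for resolved, rc in run_remediation(PAGE_CLI + " echo ${resourceName} remediated;",
                                        SAMPLE_ALERT, dry_runner):
        print(rc, resolved)
```

Because the sequence stops at the first failure, order the commands so that a step which cannot be safely re-run sits after the steps most likely to fail; the partial result list returned here is what you would want an operator to see in the alert history.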
Click Save.

All your System Administrators and Account Administrators are notified when there is a change to the CLI commands.