Create a Configuration Policy

Use these instructions to add a custom configuration policy, for checking resources in the build or run phase of your application lifecycle. Because building the rules takes practice, before you start, take a look at a few Prisma Cloud default policies for directly on the administrative console, and review the query format within the rules.

Select
Policies
and click
New Policy
Config
.
Enter a
Policy Name
.
You can optionally add a
Description
and
Labels
.
Select the policy subtype and click
Next
.
You can choose one or both the policy subtypes options:
Run
subtype enables you to scan cloud resources that are already deployed on a supported cloud platform.
Build
subtype enables you to scan IaC templates—Terraform, CloudFormation, Kubernetes manifest—that are used to deploy cloud resources.

Select the
Severity
for the alert that will be generated on a policy violation and click
Next
.
Build the query to define the match criteria for your policy.
Add a rule for the
Run
phase.
The Configuration—Run policies use RQL. If you are using a
Saved Search
, you can select from predefined options to auto-populate the query. For building a
New Search
, enter
config where
and use the auto-suggestion to select the available attributes and complete the query.

Config queries require some mandatory attributes. It should at a minimum have
api.name
in conjunction with
json.rule
or it can have
hostfinding.type
or it can have two
api.name
attributes with a
filter
attribute.
config where cloud.type = 'azure' AND api.name = 'azure-network-usage' AND json.rule = StaticPublicIPAddresses.currentValue greater than 1
config where hostfinding.type = 'Host Vulnerability' 
config where api.name = 'aws-ec2-describe-internet-gateways' as X; config where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;
When creating a custom policy, as a best practice do not include cloud.account, cloud.account.group or cloud.region attributes in the RQL query. If you have a saved search that includes these attributes, make sure to edit the RQL before you create a custom policy. While these attributes are useful to filter the results you see on the
Investigate
tab, they are ignored when used in a custom policy.
Add a rule for the
Build
phase.
If your policy will include both Run and Build checks, and you have added the RQL query, your cloud type for the build rule is automatically selected. It is based on the cloud type referenced in the RQL query.
Select the
Template Type
you want to scan—CloudFormation, Kubernetes, or Terraform. You can add one or more types.
For scanning Terraform templates, you must select the Cloud Type and the Terraform version. Terraform versions 0.11 and 0.12 are supported.

Add the JSON query that specifies the properties or objects for which you want to apply policy checks.

(
Optional
) Upload a file to validate the JSON query.
You can upload a single file or a .zip file. In addition, you can include a variable name and value to pass to the sample file and verify that the build rule works before you save the policy. For example, if you want to check whether EC2 instances include tags to identify the owner, the variables enable you to quickly validate against the sample template you attached.
Add the compliance standards to your policy.
Choose the compliance
Standard
,
Requirement
, and
Section
.
Click
+
to add more standards as required and click
Next
.
Enter details in the remediation section, if you want to automatically remediate alerts on a policy violation.
Select
Run
or
Build
Build phase policies do not support remediation CLI. You can however add the instructions for manually fixing the issue in the
Recommendation for Remediation
.
(
Configuration—Run policies only
) Enter Command Line remediation commands in
CLI Remediation
.
CLI remediation is available for
config where
queries only. You can add up to 5 CLI commands, and use a semi-colon to separate the commands in the sequence. The sequence is executed in the order defined in policy, and if a CLI command fails, the execution stops at that command. The parameters that you can use to create remediation commands are displayed on the interface as CLI variables, and a syntax example is:
gcloud -q compute --project=${account} firewall-rules delete ${resourceName}; gsutil versioning set off gs://${resourceName};
:
$account
—Account is the Account ID of your account in Prisma Cloud.
$azurescope
—
(Azure only)
Allows you to specify the node in the Azure resource hierarchy where the resource is deployed.
$gcpzoneid
—
(GCP only)
Allows you to specify the zone in the GCP project, folder, or organization where the resource is deployed.
$region
—Region is the name of the cloud region to which the resource belongs.
resourcegroup
—
(Azure only)
Allows you to specify the name of the Azure Resource Group that triggered the alert.
$resourceid
—Resource ID is the identification of the resource that triggered the alert.
$resourcename
—Resource name is the name of the resource that triggered the alert.
Click
Validate syntax
to validate the syntax of your code.
If you would like to see an example of the CLI syntax in the default remediable policies on Prisma Cloud, clone any existing policy and edit it.
The default policies include additional variables that are restricted for use in default policies only, and are not supported in custom policies. Syntax validation displays an error if you use the restricted variables.
Click
Save
.
All your System Administrators and Account Administrators are notified when there is a change to the CLI commands.