Writing Cloud Custodian Compliance Policies

Follow

Writing Cloud Custodian Compliance Policies

Kion includes the open-source Cloud Custodian (c7n) rules engine, so you can easily write and run YAML policies against your cloud resources, like EC2 instances, VPCs, root users, etc. This article explains the basics of writing your own Cloud Custodian compliance policy and how webhook actions work in Kion. We suggest also reading the Cloud Custodian documentation for more in depth information and for example policies.

These policies are implemented using Kion compliance checks. For information about adding policies to compliance checks, see Add a Compliance Check.

Policy Development Environment Setup

It is best practice to develop policies in a standalone environment where immediate feedback can be received. Once policies have been tested and verified, they can be deployed to production by Kion

Requirements

To configure the development environment for policies, ensure you have access to:

  • Python 3.

  • A cloud account with control over applicable resources for policy testing
    This account should have an associated Cloud Access Role in Kion that allows for the generation of short-term access keys for AWS. Credentials will need to be created natively for all other cloud providers.

  • (Highly recommended) An editor supporting YAML syntax highlighting and validation.

Setting Up the Policy Development Environment

  1. Determine the version of c7n used in your version of Kion. Connect to a Kion node and execute one of the following commands as root (for older installations, the container name may be `cloudtamer_compliance_1`):

    • For AWS-focused development: docker exec kion_compliance_1 pip3 show c7n | grep '^Version:'

    • For Azure-focuseed development: docker exec kion_compliance_1 pip3 show c7n-azure | grep '^Version:'

    • For GCP-focused development: docker exec kion_compliance_1 pip3 show c7n-gcp | grep '^Version:'

  2. Create a new folder for testing. This will contain both the policy documents and the required outputs that c7n should generate.

  3. Change directories to the new folder in the command line.

    If using Visual Studio Code, execute the command Install 'code' in PATH from the Command Palette for a shortcut for opening files in the editor.

  4. Generate a new virtual environment for c7n development: python3 -m venv python-custodian

  5. Activate the virtual environment.

    • For bash/zsh: source python-custodian/bin/activate

    • For other environments, see this article.

  6. Install c7n:

    • For AWS development: pip3 install c7n==[VERSION]

    • For Azure development: pip3 install c7n-azure==[VERSION]

    • For GCP development: pip3 install c7n-gcp==[VERSION]

    • Replace [VERSION] above with the version found in Step 1.

  7. c7n is now installed in the virtual environment and ready for testing.

Policy Development Cycle

Follow this cycle each time you work on a policy:

  1. Change directories to the new folder from the command line.

  2. Activate the virtual environment using the same instructions outlined above in "Setting Up the Policy Environment".

  3. Configure your environment:

    ClosedAWS

    1. Navigate to the account you plan to use for testing in Kion

    2. Select the cloud account icon, choose your role, and select Short-term Access Keys.

    3. Copy the block from the dialog box.

    4. Paste the block into the same terminal being used for testing.

    5. Set the appropriate AWS region for the shell using the variables: AWS_DEFAULT_REGION and AWS_REGION.

      • For bash/zsh: export AWS_DEFAULT_REGION=[region] && export AWS_REGION=[region]

    ClosedAzure

    Configure the environment using these instructions.

    ClosedGoogle Cloud

    Configure your environment appropriately using these instructions. You must also specify the GOOGLE_CLOUD_PROJECT environment variable as your GCP Project ID.

  4. Create or edit your policy file.

    If you are using Visual Studio Code and have installed the code tool from the above tip, you can enter code [filename] in the built-in terminal to open the files in editor.

  5. Validate your policy: custodian validate [policyfile]. You should see a line validating the configuration.

  6. Execute your policy: custodian run --cache-period 0 -s [output dir] [policyfile]

    • For example, you can store our output in the directory out and execute the policy test-tags.yml with this command: custodian run --cache-period 0 -s out test-tags.yml

  7. Check the output to ensure that the appropriate resources are listed: custodian report -s [output dir] [policyfile]

    • Following the previous example, you can run this command: custodian report -s out test-tags.yml

  8. Test each filter top confirm that they work as intended before developing actions. Be sure to test each portion of filters and actions you enact.

Compliance Policy Basics

The remainder of this guide provides tips on developing policies.

A Cloud Custodian policy should define, at a minimum:

  • name. A unique name for the policy.
  • resource. The type of resource the policy runs against.
  • filters. Filters narrow down the resources that the policy runs against. Filters can include tag, type, key, value, and logic statements (and, or, not).
  • actions. Actions to take on the resources. This must include an action that posts the findings to Kion via a webhook. Optionally, it can also include actions to automatically remediate the finding.

The name, resource, and filters sections are native c7n YAML. You can copy/paste pre-written policies from other sources (such as GitHub repos), and add the webhook to post to Kion.

The actions section contains a webhook for posting to Kion and automatic remediation actions. The actions section typically includes the following variables:

  • {{CT::CheckId}}. The check ID that will be scanned.
  • {{CT::Authorization}}. The authorization token for ingesting findings via the public scan API.
  • {{CT::CallbackURL}}. The callback URL cloud custodian will POST to for ingesting findings via the public scan API.

The compliance check frequency and regions are set when creating a compliance check and do not need to be included in the policy code.

When adding or editing a compliance check, the Validate Policy button ensures your policy code is valid.

AWS

ClosedPolicy creation example for AWS

AWS Policy References

  • Resource types. You can find a list of resources and their common actions in Cloud Custodian's article: AWS Reference.
  • Filters. You can find a list of common filters in Cloud Custodian's article: AWS Common Filters.
  • Actions. Remember, the actions section contains a webhook for posting to Kion and automatic remediation actions. In most cases, you can use the webhook in the example above to post to Kion. You can find a list of common remediation actions in Cloud Custodian's article: AWS Common Actions.

Azure

ClosedPolicy creation example for Azure

Azure Policy References

  • Resource type. You can find a list of resources and their common actions and filters in Cloud Custodian's article: Azure Reference.
  • Filters. You can find a list of common filters in Cloud Custodian's article: Azure Common Filters.
  • Actions. Remember, the actions section contains a webhook for posting to Kion and automatic remediation actions. In most cases, you can use the webhook in the example above to post to Kion. You can find a list of common remediation actions in Cloud Custodian's article: Azure Common Actions.

Including Metadata

Metadata is information that is not typically captured by Kion. You can add metadata fields to any policy to capture additional information like IP addresses, instance state, launch time, and more.

ClosedPolicy with metadata example

Advanced Logic for Compliance Policies

Cloud Custodian supports various types of advanced and conditional logic.

The following policy is an example using or and not logic. This checks if the default security group has a value for either IpPermissions OR IpPermissionsEgress. Use this as a guideline to incorporate this logic into your own policies. The or could be replaced with and to only find cases where the default security group has a value for BOTH IpPermissions AND IpPermissionsEgress.

policies:
- name: cis_sg-default-allowing-traffic
resource: aws.security-group description: | CIS 1.2.0 - 4.3 Ensure the default security group for every VPC restricts all traffic filters: - GroupName: default - or: - not: - IpPermissions: empty - not: - IpPermissionsEgress: empty actions: - type: webhook url: '{{CT::CallbackURL}}' method: POST batch: true headers: Authorization: '`{{CT::Authorization}}`' body: |- { "compliance_check_id": `{{CT::CheckId}}`, "account_number": account_id, "region": region, "scan_started_at": execution_start, "findings": resources[].{resource_name: GroupId, resource_type: `security-group`, data_json: {ingress_rules: IpPermissions, egress_rules: IpPermissionsEgress}} }

Advanced Logic References