Required Compliance Policy Fields
When you're writing compliance policies, you'll need to include the webhook action logic to ensure findings are posted to Kion and show up in the compliance overview. You can read more about that and the basics of writing compliance policies in our Writing Cloud Custodian Compliance Policies article.
Within the webhook action, you'll see the data_json, resource_name, and resource_type fields, which must be updated with the correct values in order for the policy to work:
- data_json holds values that the Cloud Custodian API call returns.
- resource_type is a Kion concept and is free-form text.
There are two ways you can determine what to put in these fields to display the most impactful information:
- You can run the policy locally without the action portion, which will generate several output files. If you look at the resources.json output file, any of the attributes of the returned JSON structure are available to be used as the data_json in your policy.
- You can find the underlying API call that Cloud Custodian makes to AWS to determine the best values for resource_name. As an example, if you look at the security group code (https://github.com/cloud-custodian/cloud-custodian/blob/master/c7n/resources/vpc.py#L511), you'll notice that the name is 'GroupName' and the enum_spec is describe_security_groups. Cloud Custodian is written in Python and uses Boto3 to communicate with AWS, so you can do a search in your web browser for the enum_spec using the phrase "Boto3 describe_security_groups" and look at what that API call returns in order to understand what fields are available for the data_json fields (i.e. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2.html#EC2.Client.describe_security_groups).
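The following added example (not code from Kion or Cloud Custodian) walks the first approach above: it takes a constructed resources.json as written by a local run of a security-group policy, lists every attribute path that could feed data_json, and assembles the three webhook fields for one resource. The resource_type label and the sample group values are assumptions made up for the example.

```python
import json
from typing import Any, Dict, List

# Constructed sample of the resources.json that a local `custodian run` writes
# for an aws.security-group policy; attribute names follow describe_security_groups.
SAMPLE_RESOURCES_JSON = """
[
  {
    "GroupName": "open-ssh",
    "GroupId": "sg-0123456789abcdef0",
    "VpcId": "vpc-0abc",
    "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
    "Tags": [{"Key": "Name", "Value": "open-ssh"}]
  }
]
"""
SAMPLE_RESOURCE = json.loads(SAMPLE_RESOURCES_JSON)[0]

def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested JSON into dotted paths, e.g. IpPermissions[0].IpRanges[0].CidrIp."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{index}]"))
    else:
        out[prefix] = obj
    return out

def candidate_fields(resources_json: str) -> List[str]:
    """List every attribute path on the first returned resource (candidates for data_json)."""
    resources = json.loads(resources_json)
    return sorted(flatten(resources[0])) if resources else []

def build_webhook_fields(resource: Dict[str, Any], data_paths: List[str]) -> Dict[str, Any]:
    """Assemble the three Kion fields for one resource; missing data paths become None."""
    # resource_name uses GroupName: the 'name' attribute in Cloud Custodian's
    # security-group resource definition. resource_type is free-form, so assumed here.
    flat = flatten(resource)
    return {
        "resource_name": resource.get("GroupName"),
        "resource_type": "AWS Security Group",  # assumed label
        "data_json": {path: flat.get(path) for path in data_paths},
    }
```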