Required Compliance Policy Fields

When you write compliance policies, you need to include the webhook action logic so that findings are posted to Kion and show up in the compliance overview. You can read more about that, and about the basics of writing compliance policies, in our Writing Cloud Custodian Compliance Policies article.

Within the webhook action you'll see the resource_name, resource_type and data_json fields, which must be set to the correct values for the policy to work.

resource_name and data_json are populated from the values that the Cloud Custodian API call returns for each resource.

resource_type is a Kion concept and is free-form text.

There are two ways you can determine what to put in these fields so that the finding displays the most useful information:

  • You can run the policy locally without the action portion, which generates several output files. Look at the resources.json output file: any attribute of the returned JSON structure can be used as the resource_name, resource_type or data_json in your policy.
  • You can find the underlying API call that Cloud Custodian makes to AWS to determine the best values for resource_name. For example, in the security group code (https://github.com/cloud-custodian/cloud-custodian/blob/master/c7n/resources/vpc.py#L511) you'll notice that the name is 'GroupName' and the enum_spec is describe_security_groups. Cloud Custodian is written in Python and uses Boto3 to communicate with AWS, so you can search the web for the enum_spec with the phrase "Boto3 describe_security_groups" and look at what that API call returns to understand which fields are available for resource_name or data_json (e.g. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2.html#EC2.Client.describe_security_groups).
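The first method above, inspecting resources.json, can be scripted. The following is an added example written for this article; it is not Kion or Cloud Custodian code, and it does not reproduce Kion's webhook body format. The embedded resources.json content is a constructed sample shaped like ec2 describe_security_groups output, which is what a local `custodian run -s out` writes to out/<policy-name>/resources.json for an aws.security-group policy. The script lists which top-level attributes exist on every resource (only those are safe choices for resource_name, since a key missing from some resources produces an empty name in the finding) and then assembles the three values the article says the webhook needs. The resource_type label and the chosen data_json keys are the author's free choices, not values from the page.

```python
"""Inspect a Cloud Custodian resources.json to choose webhook field values.

Example code added for this article (not Kion or Cloud Custodian code).
SAMPLE_RESOURCES_JSON is a constructed stand-in for the file that
`custodian run -s out` writes for an aws.security-group policy.
"""
import json
from collections import Counter

# Constructed sample: two security groups serialised the way c7n writes them
# (the shape of ec2 describe_security_groups; the second one has no Tags).
SAMPLE_RESOURCES_JSON = json.dumps([
    {
        "Description": "default VPC security group",
        "GroupName": "default",
        "GroupId": "sg-0123456789abcdef0",
        "VpcId": "vpc-0abc",
        "OwnerId": "123456789012",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
        ],
        "Tags": [{"Key": "Name", "Value": "default-sg"}],
    },
    {
        "Description": "web tier",
        "GroupName": "web-sg",
        "GroupId": "sg-0fedcba9876543210",
        "VpcId": "vpc-0abc",
        "OwnerId": "123456789012",
        "IpPermissions": [],
    },
])


def load_resources(text):
    """Parse resources.json; Cloud Custodian writes a JSON list of resource dicts."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("resources.json should contain a list of resources")
    return data


def candidate_fields(resources):
    """Map each top-level attribute to True if every resource carries it.

    Keys present on every resource are the safe choices for resource_name;
    optional keys (Tags here) would leave some findings without a name.
    """
    counts = Counter(key for resource in resources for key in resource)
    total = len(resources)
    return {key: (n == total) for key, n in sorted(counts.items())}


def build_finding(resource, name_key, resource_type, data_keys):
    """Assemble resource_name, resource_type and data_json for one resource.

    name_key and data_keys should come from candidate_fields(); resource_type
    is free-form text chosen by the policy author (hypothetical label here).
    """
    if name_key not in resource:
        raise KeyError(f"{name_key!r} missing from resource; pick a key present on all")
    return {
        "resource_name": resource[name_key],
        "resource_type": resource_type,
        "data_json": json.dumps({k: resource.get(k) for k in data_keys}, sort_keys=True),
    }


if __name__ == "__main__":
    resources = load_resources(SAMPLE_RESOURCES_JSON)
    for key, universal in candidate_fields(resources).items():
        print(f"{key:15} {'every resource' if universal else 'SOME resources only'}")
    for resource in resources:
        print(build_finding(resource, "GroupName", "AWS Security Group",
                            ["GroupId", "VpcId", "IpPermissions"]))
```

Point load_resources at the real out/<policy-name>/resources.json from your local run to see the attributes your own policy returns; GroupName and GroupId appear on every security group, while Tags does not, which is exactly the distinction you want before committing a key to resource_name.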
