Custom Rules Vs Conformity Rules
Trend Micro Cloud One™ – Conformity provides rules for:
- Supported Standards and Frameworks
- Commonly used cloud services
- General and extensive coverage of AWS security and governance best practices
- Critical, high-risk, and high-impact vulnerabilities
The list is always growing, but your organization may have specific controls or policies that are not yet supported by Conformity. For such instances, you have the option to develop, host, and maintain your own custom rules and import them into Conformity.
You can create custom rules using:
- AWS Config Service
- A custom Lambda function using the Conformity Custom Checks API
- Conformity Custom Rules
Custom Rules vs Conformity Rules
| Differences | Custom Rules | Conformity Rules |
|---|---|---|
| Development lifecycle | You develop them yourself and are responsible for their maintenance and validity | Developed and maintained by Conformity |
| Execution | Executed outside the Conformity environment (e.g. in a Lambda function in your AWS account, or in applications running on EC2 instances) | Executed by the Conformity Bot within the Conformity AWS environment |
| Freshness | Controlled outside Conformity and may be refreshed at any time | Run every time the Conformity Bot runs |
| Cost | Based either on AWS Config pricing or on how you implement and execute your own custom rules | No extra cost to customers |
If you would like Conformity to support a new rule, see Custom Rules Overview.
Create Custom Rules via AWS Config Service Vs Conformity Custom Checks API
| Differences | AWS Config Service | Conformity Custom Checks API |
|---|---|---|
| Behaviour | AWS Config lets you script rules that automate the evaluation of recorded configurations against desired attributes. Each scripted Config rule produces "Compliance Details"; Conformity consumes the "Evaluation Result" from those details and converts each one into a check. For more information, see AWS Config Rules Evaluation Results. | Custom Checks are pushed to Conformity via the API from an external system that you develop. Each check belongs to a "Custom" rule, and there can be more than one Custom rule. Custom rules can have any name or service, but their rule ID always starts with CUSTOM-. For more information, see Conformity Custom Checks API. |
| Environment | Rules can be scripted and run only from within AWS infrastructure | Checks can be produced by any external system that can call the Conformity API |
| Complexity | Rules are not built to address cross-resource-type or cross-account logic | Rules support cross-resource-type and cross-account logic |
| Execution cost | Depends on the use case and the number of accounts; AWS Config can become very expensive for smaller organisations with many accounts | Does not add any extra cost to customers |
| Maintenance cost | AWS Config rules run within an AWS-managed environment, so there is no extra maintenance cost | No extra maintenance cost for Custom rules created via the API |
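The AWS Config path in the table above, as an added example that is not Conformity's or AWS's own code: a Lambda-backed custom Config rule that evaluates one recorded configuration item (here an EC2 security group) and reports it through PutEvaluations, which produces the "Evaluation Result" that Conformity consumes. The event shape, the sample security groups and the `blockedPort` rule parameter are constructed for this example; `put_evaluations` is the real boto3 call. It also handles the deleted-resource case, where the rule must return NOT_APPLICABLE rather than try to inspect a configuration that is no longer there.

```python
"""Added example: an AWS Config custom rule as a Lambda function.

Evaluates a single configuration item (an EC2 security group) and reports
COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE via PutEvaluations. The event,
the sample items and the `blockedPort` parameter are constructed here;
the rule (flag a port open to the world) is hypothetical.
"""
import json

WORLD = ("0.0.0.0/0", "::/0")


def port_range_covers(permission, port):
    """True if an ipPermissions entry covers `port` (protocol -1 = all)."""
    if permission.get("ipProtocol") == "-1":
        return True
    low, high = permission.get("fromPort"), permission.get("toPort")
    return low is not None and high is not None and low <= port <= high


def world_reachable(permission):
    """True if the entry accepts traffic from any IPv4 or IPv6 source."""
    cidrs = [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def evaluate(config_item, rule_params):
    """Build the one Evaluation dict that PutEvaluations expects.

    Config invokes the rule per configuration item, so only one resource is
    ever visible here: cross-resource or cross-account logic cannot be
    expressed in this model (see the Complexity row above).
    """
    port = int(rule_params.get("blockedPort", 22))  # hypothetical parameter
    base = {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "OrderingTimestamp": config_item["configurationItemCaptureTime"],
    }
    status = config_item.get("configurationItemStatus")
    if status in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        # Deleted resources carry no configuration; report NOT_APPLICABLE.
        return {**base, "ComplianceType": "NOT_APPLICABLE",
                "Annotation": "Resource no longer exists"}
    if config_item["resourceType"] != "AWS::EC2::SecurityGroup":
        return {**base, "ComplianceType": "NOT_APPLICABLE",
                "Annotation": "Rule only evaluates security groups"}
    permissions = (config_item.get("configuration") or {}).get("ipPermissions", [])
    if any(port_range_covers(p, port) and world_reachable(p) for p in permissions):
        return {**base, "ComplianceType": "NON_COMPLIANT",
                "Annotation": f"Inbound port {port} is open to the world"}
    return {**base, "ComplianceType": "COMPLIANT",
            "Annotation": f"No world-reachable ingress on port {port}"}


def lambda_handler(event, context):
    """Entry point for a configuration-change-triggered Config rule."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = evaluate(invoking_event["configurationItem"], rule_params)
    import boto3  # imported here so evaluate() stays testable offline
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _sg(resource_id, permissions, status="OK"):
    """Helper to build constructed sample configuration items."""
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": resource_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": None if status.startswith("ResourceDeleted")
            else {"ipPermissions": permissions}}


def _rule(port, cidr):
    return {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
            "ipv4Ranges": [{"cidrIp": cidr}], "ipv6Ranges": []}


# Constructed sample data, not taken from any real account.
OPEN_SSH_SG = _sg("sg-0example0open", [_rule(22, "0.0.0.0/0")])
LOCKED_SG = _sg("sg-0example0locked", [_rule(22, "10.0.0.0/8"), _rule(443, "0.0.0.0/0")])
DELETED_SG = _sg("sg-0example0gone", [], status="ResourceDeleted")

if __name__ == "__main__":
    for item in (OPEN_SSH_SG, LOCKED_SG, DELETED_SG):
        print(json.dumps(evaluate(item, {"blockedPort": "22"}), indent=2))
```

Keeping the decision in `evaluate()` separate from the `put_evaluations` call is what makes the rule testable without an AWS account; the same split also makes it obvious that a Config rule only ever sees the one configuration item it was invoked for, which is the limitation the Complexity row describes.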