Custom Rules Vs Conformity Rules
Trend Micro Cloud One™ – Conformity provides rules for:
- Supported Standards and Frameworks
- Commonly used cloud services across AWS, Azure and GCP
- Critical and high-risk vulnerabilities, as well as high impact vulnerabilities
However, your organization may have additional specific controls or policies that are not supported by Conformity out of the box. You have the option to develop and maintain your own custom rules through a few different mechanisms.
Custom Rule Types
You can create custom rules using three approaches:
AWS Config Service (AWS accounts only): findings from AWS Config are ingested and presented as checks via CS-001 - AWS Custom Rule.
Conformity Custom Checks APIs: Checks can be created and managed directly via API using your own custom-built code functions.
Conformity Custom Rules: Conformity provides built-in API-managed JSON custom rules feature integrated with Conformity scans. Conformity Custom Rules allow you to create JSON-style rules that assert logic over any cloud resource data already consumed by Conformity.
|Properties||Conformity Rules||AWS Config Rules||Custom Checks API||Conformity Custom Rules|
|Development||Developed and maintained by Conformity||You maintain the rules via the AWS Config Service||You maintain your own externally operated code to trigger the Checks API||You maintain your own custom rules and save them to your Conformity Organization via API|
|Execution||Executed by the Conformity Bot||Rules executed by AWS Config, findings ingested by Conformity||Fully executed by your own external code||Executed by the Conformity Bot and can be tested manually using a 'dry run' feature|
|Configuration||Conformity Rules settings Rules Configuration||Managed entirely within the AWS Config service||Fully configurable using your own code||Highly configurable using Conformity's JSON Custom Rules engine|
|Behavior||Produces a wide range of cloud best practice results quickly without any additional configuration||AWS Config Service allows you to script rules and automate the evaluation of recorded configurations against desired attributes. The scripted AWS Config rules produce "Compliance Details". Conformity consumes the "Evaluation Result" from these "Compliance Details" and converts each result into a check.
For more information, see AWS Config Rules Evaluation Results
|Conformity Custom Checks (via API) are pushed to Conformity from an external system developed by the users. Each check belongs to a "Custom" rule with a limit of one Custom rule. These Custom rules can have any arbitrary name or service, but their rule ID always starts with CUSTOM-.
For more information, see Conformity Custom Checks API
|Conformiy Custom Rules uses a JSON rules engine implementation to provide a flexible platform to create custom logic that runs against cloud resource data already consumed by Conformity. You can create Rules for any provider or service but can only run them against the resource data already vaialble. Custom Rules are managed via API.
For more information, see Conformity Custom Rules Overview
|Execution Cost||No additional cost||Cost is based on AWS Service Config pricing||Cost depends on the nature of your external code. There is no additional charge from Conformity||No additional execution charge from Conformity|
|Maintenance Effort||Low - configuration optional||Medium - you maintain the rule set within AWS Config||High - you maintain the code to trigger checks||Medium - the Custom Rules framework is more effortless than advanced coding but more technical than managing Conformity Rule configurations|
|Flexibility||Low - most rules run out of the box with standard configuration options||Medium - all AWS Config rule options available||Very High - no restrictions on the processes to trigger the creation of checks because you run the code||Medium - Create flexible rules that focus on single resource types based on availble cloud data|