Custom Rules vs Conformity Rules

Trend Micro Cloud One™ – Conformity provides rules for:

  1. Supported Standards and Frameworks
  2. Commonly used cloud services
  3. General and extensive coverage of AWS security and governance best practices
  4. Critical and high-risk vulnerabilities, as well as high impact vulnerabilities

The list is always growing, but your organization may have specific controls or policies that Conformity does not yet support. For such cases, you have the option to develop, host, and maintain your own custom rules and import their results into Conformity.

You can create custom rules using:

  1. AWS Config Service
  2. A custom Lambda function using the Conformity Custom Checks API
  3. Conformity Custom Rules

Custom Rules vs Conformity Rules

| Differences | Custom Rules | Conformity Rules |
|---|---|---|
| Development lifecycle perspective | You develop them yourself and are responsible for the maintenance and validity of those rules | Developed and maintained by Conformity |
| Execution | Executed outside the Conformity environment (e.g. in a Lambda function in your AWS account, or in applications running on EC2 instances) | Executed by the Conformity Bot within the Conformity AWS environment |
| Freshness | Controlled outside Conformity and may be refreshed at any time | Run every time the Conformity Bot runs |
| Cost | Cost is either based on AWS Config pricing or on how you implement and execute your own custom rules | No extra cost to customers |

If you would like Conformity to support a new rule, see Custom Rules Overview.

Create Custom Rules via AWS Config Service vs Conformity Custom Checks API

| Differences | AWS Config Service | Conformity Custom Checks API |
|---|---|---|
| Behaviour | AWS Config Service allows you to script rules and automate the evaluation of recorded configurations against desired attributes. The scripted AWS Config rules produce "Compliance Details". Conformity consumes each "Evaluation Result" from these "Compliance Details" and converts it to a check. For more information, see AWS Config Rules Evaluation Results. | Cloud Conformity Custom Checks (via API) are pushed to Conformity from an external system that you develop. Each check belongs to a "Custom" rule, and there can be more than one custom rule. These custom rules can have any arbitrary name or service, but their rule ID always starts with CUSTOM-. For more information, see Conformity Custom Checks API. |
| Environment | Rules can be scripted and run if they are within AWS infrastructure | Rules can be scripted and run if they are within AWS infrastructure |
| Complexity | Rules are not built to address cross-resource-type or cross-account logic | Rules support cross-resource-type or cross-account logic |
| Execution cost | Depending on the use case and number of accounts, AWS Config Service may become very expensive for smaller organisations with many accounts | No extra cost to customers |
| Maintenance cost | AWS Config Service rules run within an AWS-managed environment, so there is no extra maintenance cost | No extra maintenance cost for custom rules created via the API |
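The two paths in the table above, as an added example that is not Conformity's or AWS's own code: the first function converts the "Evaluation Results" structure that AWS Config returns from GetComplianceDetailsByConfigRule into one check per COMPLIANT or NON_COMPLIANT result (results with no pass/fail verdict are dropped); the second produces checks for a CUSTOM- rule from your own cross-account logic, the kind of logic the Complexity row says AWS Config rules are not built for. The `Check` record, the SUCCESS/FAILURE status vocabulary, the rule id `CUSTOM-001` and the central-logging rule are assumptions for illustration, not the Custom Checks API's payload schema, and all input data is constructed.

```python
"""Added example (not Conformity's or AWS's own code): AWS Config evaluation
results converted to checks, and a hypothetical CUSTOM- rule evaluated across
accounts. Check/status fields are assumed for illustration only."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample, shaped like the "EvaluationResults" list that AWS Config
# returns from GetComplianceDetailsByConfigRule.
SAMPLE_CONFIG_EVALUATIONS = [
    {
        "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
            "ConfigRuleName": "s3-bucket-versioning-enabled",
            "ResourceType": "AWS::S3::Bucket",
            "ResourceId": "example-logs-bucket"}},
        "ComplianceType": "NON_COMPLIANT",
        "Annotation": "Versioning is suspended",
    },
    {
        "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
            "ConfigRuleName": "s3-bucket-versioning-enabled",
            "ResourceType": "AWS::S3::Bucket",
            "ResourceId": "example-data-bucket"}},
        "ComplianceType": "COMPLIANT",
    },
    {
        "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
            "ConfigRuleName": "s3-bucket-versioning-enabled",
            "ResourceType": "AWS::S3::Bucket",
            "ResourceId": "example-empty-bucket"}},
        "ComplianceType": "NOT_APPLICABLE",
    },
]

CUSTOM_RULE_PREFIX = "CUSTOM-"  # custom rule IDs always start with this (per the page)


@dataclass(frozen=True)
class Check:
    """Assumed check record; field names are illustrative, not the API schema."""
    rule_id: str
    resource_type: str
    resource: str
    status: str  # "SUCCESS" or "FAILURE" (assumed vocabulary)
    message: str = ""


def checks_from_config_evaluations(results: Iterable[dict]) -> List[Check]:
    """Path 1: one check per COMPLIANT / NON_COMPLIANT evaluation result.
    NOT_APPLICABLE and INSUFFICIENT_DATA carry no pass/fail verdict, so they
    are skipped rather than silently reported as a pass."""
    status_map = {"COMPLIANT": "SUCCESS", "NON_COMPLIANT": "FAILURE"}
    checks: List[Check] = []
    for result in results:
        status = status_map.get(result.get("ComplianceType"))
        if status is None:
            continue
        qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        checks.append(Check(
            rule_id=qualifier["ConfigRuleName"],
            resource_type=qualifier["ResourceType"],
            resource=qualifier["ResourceId"],
            status=status,
            message=result.get("Annotation", ""),
        ))
    return checks


def validate_custom_rule_id(rule_id: str) -> str:
    """Reject rule IDs that do not carry the CUSTOM- prefix."""
    if not rule_id.startswith(CUSTOM_RULE_PREFIX):
        raise ValueError(f"custom rule id must start with {CUSTOM_RULE_PREFIX!r}: {rule_id}")
    return rule_id


# Constructed sample of a cross-account view your own system might hold:
# the account each member account's CloudTrail trail delivers logs to.
SAMPLE_TRAIL_DESTINATIONS: Dict[str, str] = {
    "111111111111": "999999999999",  # delivers to the central log archive account
    "222222222222": "999999999999",
    "333333333333": "333333333333",  # keeps its logs locally
}


def central_logging_checks(trail_destinations: Dict[str, str], log_archive_account: str,
                           rule_id: str = "CUSTOM-001") -> List[Check]:
    """Path 2: a hypothetical cross-account custom rule: every account must
    deliver CloudTrail logs to the central log archive account."""
    validate_custom_rule_id(rule_id)
    checks: List[Check] = []
    for account, destination in sorted(trail_destinations.items()):
        ok = destination == log_archive_account
        checks.append(Check(
            rule_id=rule_id,
            resource_type="AWS::CloudTrail::Trail",
            resource=f"account:{account}",
            status="SUCCESS" if ok else "FAILURE",
            message="" if ok else f"logs delivered to {destination}, expected {log_archive_account}",
        ))
    return checks


if __name__ == "__main__":
    for check in checks_from_config_evaluations(SAMPLE_CONFIG_EVALUATIONS):
        print(check)
    for check in central_logging_checks(SAMPLE_TRAIL_DESTINATIONS, "999999999999"):
        print(check)
```

Whichever path you use, the evaluation itself runs in your environment and on your schedule (the Execution and Freshness rows above), so a failed or stale run is your responsibility to detect; an empty result set from path 1 should be treated as "no verdict", not as "everything passed".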