
Custom Rules Vs Conformity Rules

Trend Micro Cloud One™ – Conformity provides rules for:

  1. Supported Standards and Frameworks
  2. Commonly used cloud services across AWS, Azure and GCP
  3. Critical and high-risk vulnerabilities, as well as high impact vulnerabilities

However, your organization may have additional specific controls or policies that are not supported by Conformity out of the box. You have the option to develop and maintain your own custom rules through a few different mechanisms.

Custom Rule Types

You can create custom rules using three approaches:

  1. AWS Config Service (AWS accounts only): findings from AWS Config are ingested and presented as checks via CS-001 - AWS Custom Rule.

  2. Conformity Custom Checks APIs: Checks can be created and managed directly via API using your own custom-built code functions.

  3. Conformity Custom Rules: Conformity provides a built-in, API-managed JSON custom rules feature that is integrated with Conformity scans. Conformity Custom Rules allow you to create JSON-style rules that assert logic over any cloud resource data already consumed by Conformity.

Comparison

The table below compares the four options (Conformity Rules, AWS Config Rules, Custom Checks API, Conformity Custom Rules) property by property.

Development
  - Conformity Rules: Developed and maintained by Conformity.
  - AWS Config Rules: You maintain the rules via the AWS Config Service.
  - Custom Checks API: You maintain your own externally operated code to trigger the Checks API.
  - Conformity Custom Rules: You maintain your own custom rules and save them to your Conformity Organization via API.

Execution
  - Conformity Rules: Executed by the Conformity Bot.
  - AWS Config Rules: Rules are executed by AWS Config; findings are ingested by Conformity.
  - Custom Checks API: Fully executed by your own external code.
  - Conformity Custom Rules: Executed by the Conformity Bot, and can be tested manually using a 'dry run' feature.

Configuration
  - Conformity Rules: Conformity Rules settings (see Rules Configuration).
  - AWS Config Rules: Managed entirely within the AWS Config service.
  - Custom Checks API: Fully configurable using your own code.
  - Conformity Custom Rules: Highly configurable using Conformity's JSON Custom Rules engine.

Behavior
  - Conformity Rules: Produces a wide range of cloud best practice results quickly, without any additional configuration.
  - AWS Config Rules: The AWS Config Service allows you to script rules and automate the evaluation of recorded configurations against desired attributes. The scripted AWS Config rules produce "Compliance Details". Conformity consumes the "Evaluation Result" from these "Compliance Details" and converts each result into a check. For more information, see AWS Config Rules Evaluation Results.
  - Custom Checks API: Conformity Custom Checks (via API) are pushed to Conformity from an external system developed by the users. Each check belongs to a "Custom" rule, with a limit of one Custom rule. These Custom rules can have any arbitrary name or service, but their rule ID always starts with CUSTOM-. For more information, see Conformity Custom Checks API.
  - Conformity Custom Rules: Conformity Custom Rules use a JSON rules engine implementation to provide a flexible platform for creating custom logic that runs against cloud resource data already consumed by Conformity. You can create rules for any provider or service, but can only run them against the resource data already available. Custom Rules are managed via API. For more information, see Conformity Custom Rules Overview.

Execution Cost
  - Conformity Rules: No additional cost.
  - AWS Config Rules: Cost is based on AWS Config Service pricing.
  - Custom Checks API: Cost depends on the nature of your external code. There is no additional charge from Conformity.
  - Conformity Custom Rules: No additional execution charge from Conformity.

Maintenance Effort
  - Conformity Rules: Low - configuration optional.
  - AWS Config Rules: Medium - you maintain the rule set within AWS Config.
  - Custom Checks API: High - you maintain the code to trigger checks.
  - Conformity Custom Rules: Medium - the Custom Rules framework requires less effort than advanced coding, but is more technical than managing Conformity Rule configurations.

Flexibility
  - Conformity Rules: Low - most rules run out of the box with standard configuration options.
  - AWS Config Rules: Medium - all AWS Config rule options are available.
  - Custom Checks API: Very High - no restrictions on the processes that trigger the creation of checks, because you run the code.
  - Conformity Custom Rules: Medium - create flexible rules that focus on single resource types, based on available cloud data.
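To make concrete what "JSON-style rules that assert logic over cloud resource data" and the 'dry run' behaviour mean in practice, here is an added example of a minimal JSON rules evaluator. It is illustrative code written for this page, not Conformity's rule schema, engine or API: the rule layout, the operator names, the field names and the sample resource snapshots are all assumptions constructed for the example. It loads one rule, evaluates it against resource data that has already been collected, and emits one pass/fail check per matching resource, which is the shape of result the comparison above describes.

```python
"""Minimal JSON rules evaluator (added illustration, not Conformity's own
schema or code). Every field name, operator and sample value below is an
assumption constructed for this example."""
import json

# Constructed rule: storage buckets must block public access and be encrypted
# with one of two accepted algorithms. Nested all/any nodes build the logic.
EXAMPLE_RULE_JSON = """
{
  "id": "CUSTOM-BUCKET-HARDENING",
  "description": "Buckets must block public access and use encryption",
  "resourceType": "bucket",
  "severity": "HIGH",
  "conditions": {
    "all": [
      {"path": "publicAccessBlocked", "operator": "equals", "value": true},
      {"any": [
        {"path": "encryption.algorithm", "operator": "equals", "value": "AES256"},
        {"path": "encryption.algorithm", "operator": "equals", "value": "aws:kms"}
      ]}
    ]
  }
}
"""

# Constructed resource snapshots, standing in for cloud data already consumed
# by the scanner. "db-1" has a different type and must be skipped by the rule.
EXAMPLE_RESOURCES = [
    {"id": "logs-bucket", "type": "bucket", "publicAccessBlocked": True,
     "encryption": {"algorithm": "aws:kms"}},
    {"id": "www-assets", "type": "bucket", "publicAccessBlocked": False,
     "encryption": {"algorithm": "AES256"}},
    {"id": "scratch", "type": "bucket", "publicAccessBlocked": True},
    {"id": "db-1", "type": "database", "publicAccessBlocked": False},
]


def lookup(resource, path):
    """Resolve a dotted attribute path. A missing key resolves to None, so a
    rule that expects a value fails closed when the attribute is absent."""
    current = resource
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


# Hypothetical operator set for this evaluator.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "notEquals": lambda actual, expected: actual != expected,
    "in": lambda actual, expected: actual in expected,
    "contains": lambda actual, expected: isinstance(actual, (list, str)) and expected in actual,
}


def evaluate(node, resource):
    """Recursively evaluate an all/any tree of conditions against one resource."""
    if "all" in node:
        return all(evaluate(child, resource) for child in node["all"])
    if "any" in node:
        return any(evaluate(child, resource) for child in node["any"])
    operator = OPERATORS[node["operator"]]
    return operator(lookup(resource, node["path"]), node["value"])


def dry_run(rule_json, resources):
    """Evaluate the rule against every resource of the matching type and return
    one check dict per resource with status SUCCESS or FAILURE."""
    rule = json.loads(rule_json)
    checks = []
    for resource in resources:
        if resource.get("type") != rule["resourceType"]:
            continue  # the rule targets a single resource type
        passed = evaluate(rule["conditions"], resource)
        checks.append({
            "ruleId": rule["id"],
            "resourceId": resource["id"],
            "status": "SUCCESS" if passed else "FAILURE",
            "severity": rule["severity"],
        })
    return checks


if __name__ == "__main__":
    for check in dry_run(EXAMPLE_RULE_JSON, EXAMPLE_RESOURCES):
        print(check)
```

Running the dry run against the constructed snapshots yields three checks: the KMS-encrypted bucket passes, the bucket with public access open fails, and the bucket with no encryption block fails because the missing attribute resolves to None rather than silently passing. The database resource is never evaluated, which mirrors the "single resource type" scope noted under Flexibility.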