Table of contents

Conformity Custom Rules Example Templates

Available in Preview

AWS

S3 Bucket has any Encryption (single attribute)

{
  "name": "S3 bucket has any Encryption",
  "description": "We want to make sure there is any encryption",
  "service": "S3",
  "resourceType": "s3-bucket",
  "severity": "HIGH",
  "enabled": true,
  "provider": "aws",
  "categories": [
    "security"
  ],
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "attributes": [
    {
      "name": "bucketEncryption",
      "path": "data.Encryption",
      "required": true
    }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          {
            "fact": "bucketEncryption",
            "operator": "notEqual",
            "value": null
          }
        ]
      },
      "event": {
        "type": "Bucket has encryption enabled"
      }
    }
  ]
}

S3 Bucket has Server Side Encryption AES256 (single attribute, nested array)

{
  "name": "S3 bucket has Server Side Encryption",
  "description": "We want to make sure there is correct encryption",
  "service": "S3",
  "resourceType": "s3-bucket",
  "severity": "HIGH",
  "enabled": true,
  "provider": "aws",
  "categories": [
    "security"
  ],
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "attributes": [
    {
      "name": "encryptionAlgorithm",
      "path": "data.Encryption.Rules[*].ApplyServerSideEncryptionByDefault.SSEAlgorithm",
      "required": true
    }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          {
            "fact": "encryptionAlgorithm",
            "operator": "contains",
            "value": "AES256"
          }
        ]
      },
      "event": {
        "type": "has AES256 encryption"
      }
    }
  ]
}

S3 Bucket Encryption Enabled, Bucket Versioning Enabled, and Bucket Lifecycle Policy Enabled (multiple attributes, multiple rules)

{
  "name": "S3 bucket has Encryption Enabled, Versioning Enabled, and Lifecycle Enabled",
  "description": "We want to make sure there is any encryption and versioning enabled",
  "resourceId": "conformity-audit-manager",
  "service": "S3",
  "resourceType": "s3-bucket",
  "severity": "HIGH",
  "enabled": true,
  "provider": "aws",
  "categories": [
    "operational-excellence"
  ],
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "attributes": [
    {
      "name": "bucketEncryption",
      "path": "data.Encryption",
      "required": true
    },
    {
      "name": "bucketVersioning",
      "path": "data.BucketVersioning",
      "required": true
    },
    {
      "name": "bucketLifecycle",
      "path": "data.Lifecycle",
      "required": true
    }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          {
            "fact": "bucketEncryption",
            "operator": "notEqual",
            "value": null
          }
        ]
      },
      "event": {
        "type": "Bucket has encryption enabled"
      }
    },
    {
      "conditions": {
        "all": [
          {
            "fact": "bucketVersioning",
            "operator": "equal",
            "value": "Enabled",
            "path": "$.Status"
          }
        ]
      },
      "event": {
        "type": "Bucket has versioning enabled"
      }
    },
    {
      "conditions": {
        "all": [
          {
            "fact": "bucketLifecycle",
            "operator": "notEqual",
            "value": null
          },
          {
            "fact": "bucketLifecycle",
            "operator": "contains",
            "value": "Enabled",
            "path": "$.[*].Status"
          }
        ]
      },
      "event": {
        "type": "Bucket has lifecycle enabled"
      }
    }
  ]
}

EC2 Security Group with Port 22 (single attribute required false, missing attribute is allowed)

{
  "name": "EC2 Security Group with Port 22",
  "description": "Check the IpPermissions From Port",
  "service": "EC2",
  "resourceType": "ec2-securitygroup",
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "severity": "MEDIUM",
  "provider": "aws",
  "categories": [
    "performance-efficiency",
    "security"
  ],
  "enabled": true,
  "attributes": [
    {
      "name": "securityGroupIpPermissionsFromPort",
      "path": "data.IpPermissions[*].FromPort",
      "required": false
    }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          {
            "value": 22,
            "operator": "contains",
            "fact": "securityGroupIpPermissionsFromPort"
          }
        ]
      },
      "event": {
        "type": "securityGroupIpPermissionsFromPort"
      }
    }
  ]
}

IAM Role with right tag key, deployment region in name, and name length is less than 64 characters (multiple attributes and multiple conditionals in single rule)

{
  "name": "IAM Role with right tag key, region and name length",
  "description": "We want to make sure that IAM roles adhere to serverless format for multi-region deployment. Role should be tagged with Key 'Service' or 'service', role name should be less than 64, and contain the region in the name",
  "remediationNotes": "If this is a failure, please contact the service owner and follow these steps:\n1. Step one \n2. Step two\n",
  "service": "IAM",
  "resourceType": "iam-role",
  "attributes": [
    {
      "name": "roleName",
      "path": "data.RoleName",
      "required": true
    },
    {
      "name": "serviceTag",
      "path": "data.Tags",
      "required": true
    }
  ],
  "severity": "HIGH",
  "provider": "aws",
  "categories": [
    "security"
  ],
  "enabled": true,
  "rules": [
    {
      "conditions": {
        "any": [
          {
            "path": "$.length",
            "fact": "serviceTag",
            "value": 0,
            "operator": "equal"
          },
          {
            "all": [
              {
                "path": "$.[*].Key",
                "fact": "serviceTag",
                "value": "Service",
                "operator": "doesNotContain"
              },
              {
                "path": "$.[*].Key",
                "fact": "serviceTag",
                "value": "service",
                "operator": "doesNotContain"
              }
            ]
          },
          {
            "all": [
              {
                "fact": "roleName",
                "operator": "pattern",
                "value": "^([a-zA-Z0-9_-]){1,64}$"
              },
              {
                "fact": "roleName",
                "operator": "pattern",
                "value": "(us-west-2|us-east-1|ap-southeast-2|eu-west-1)"
              }
            ]
          }
        ]
      },
      "event": {
        "type": "Is tagged service, name not longer than 64 chars and has region in name"
      }
    }
  ]
}

Azure

Storage Blob with Public Access (single attribute, single rule)

{
  "name": "Storage Blob with Public Access",
  "description": "Checking public access for storage account blob container",
  "service": "StorageAccounts",
  "resourceType": "storage-accounts-blob-containers",
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "severity": "HIGH",
  "provider": "azure",
  "categories": [
    "security"
  ],
  "enabled": true,
  "attributes": [
    {
      "name": "blobPublicAccess",
      "path": "data.publicAccess",
      "required": true
    }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          {
            "value": "None",
            "operator": "notEqual",
            "fact": "blobPublicAccess"
          }
        ]
      },
      "event": {
        "type": "Storage blob has public access."
      }
    }
  ]
}

StorageAccounts Environment Tags (single attribute, single rule with nested attribute)

{
  "name": "StorageAccounts Environment Tags",
  "description": "Check for correct tag key and value for storage accounts",
  "service": "StorageAccounts",
  "resourceType": "storage-accounts",
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "severity": "MEDIUM",
  "provider": "azure",
  "categories": [
    "security"
  ],
  "enabled": true,
  "attributes": [
    {
      "name": "serviceTag",
      "path": "data.Tags",
      "required": true
    }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          {
            "path": "$.[?(@.Key=='Environment'&& @.Value=='Sandbox')].Value",
            "fact": "serviceTag",
            "value": "Sandbox",
            "operator": "contains"
          }
        ]
      },
      "event": {
        "type": "has tags Key: Environment and Value: Sandbox"
      }
    }
  ]
}