Table of contents
Topics on this page

Automatically assign policies using cloud provider tags/labels

AWS tags, Azure tags, and GCP labels allow you to categorize your resources by assigning metadata to AWS EC2 instances, Azure VMs, or GCP VM instances in the form of keys and values. You can also tag Amazon WorkSpaces with the similar key and value pair. Workload Security can use this metadata to trigger the automatic assigning of a policy to an agent when that agent is activated. This is done by creating an event-based task in Workload Security and defining the event, policy, and metadata. Event-based tasks are used to monitor protected resources for specific events and then perform tasks based on certain conditions. In this example, the event is agent-initiated activation and a specific AWS instance tag is the condition:

  • Policy: AIA_Policy
  • AWS tag key: Group
  • AWS tag value: development

The example below is based on the assumption that the policy AIA_Policy has already been created.

  1. Go to Administration > Event-Based Tasks in the Workload Security console and click New.

  2. Select Agent-Initiated Activation from the Event list and click Next.

  3. Select the Assign Policy check box, select AIA_Policy from the list, and click Next.

  4. Select Cloud Instance Metadata from the list, type Group and development into the key and value fields, and click Next.

    Match conditions

  5. (Optional) To restrict the scope to only one cloud vendor, select Cloud Vendor from the list and select AWS, Azure, or GCP as the matching criteria. If you want to apply the rule to all three, don't define the Cloud Vendor condition.

  6. Click Next.

  7. Type a name for the event-based task and click Finish to save it.

You have now created an event-based task that will apply the AIA_Policy to an instance tagged with the key "Group" and the value "development" when the agent is activated on that instance.