Table of contents
Topics on this page

Automatically assign policies using cloud provider tags and labels

Amazon Web Services (AWS) tags, Azure tags, and GCP labels allow you to categorize your resources by assigning metadata to AWS EC2 instances, Azure VMs, or GCP VM instances in the form of keys and values. You can also tag Amazon WorkSpaces with the similar key and value pair. Workload Security can use this metadata to trigger the automatic assigning of a policy to an agent when that agent is activated. This is done by creating an event-based task in Workload Security and defining the event, policy, and metadata. Event-based tasks are used to monitor protected resources for specific events and then perform tasks based on certain conditions. In this example, the event is agent-initiated activation and a specific AWS instance tag is the condition:

  • Policy: AIA_Policy
  • AWS tag key: Group
  • AWS tag value: development

Note that the following sample procedure is based on the assumption that the policy AIA_Policy has already been created.

  1. Go to Administration > Event-Based Tasks in the Workload Security console and click New.

  2. Select Agent-Initiated Activation from the Event list and click Next.

  3. Select Assign Policy, then select AIA_Policy from the list, and then click Next.

  4. Select Cloud Instance Metadata from the list, type Group and development into the key and value fields, and click Next.

    Match conditions

  5. Optionally, to restrict the scope to only one cloud vendor, select Cloud Vendor from the list and select AWS, Azure, or GCP as the matching criteria. If you want to apply the rule to all three, do not define the Cloud Vendor condition.

  6. Click Next.

  7. Type a name for the event-based task and click Finish to save it.

You have now created an event-based task that applies the AIA_Policy to an instance tagged with the key Group and the value development when the agent is activated on that instance.