Guardrails (Policies)

Overview

A policy describes how services (either individually or as a whole) ought to behave. More specifically, a policy describes which states of the cloud are permitted and which are not. Policies are used to assess, audit, and evaluate the configurations of your cloud resources, so that those resources stay compliant with your corporate standards and service level agreements.

CoreStack supports the following types of policies:

  • AWS Config
  • AWS Organization Policy
  • Azure Policy
  • OpenStack Congress
  • Chef Inspec
  • CoreStack Policy
  • GCP Policy
  • GCP Organization Policy

You can bring any of these policies into CoreStack with ease and re-use them outside of CoreStack later if required.

AWS Config

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. With AWS Config, you can ensure compliance with internal policies and best practices. You do this by creating AWS Config policies, which represent your ideal configuration settings.

AWS Config provides customizable, predefined rules called managed rules to help you get started. You can also create your own custom rules. CoreStack supports both managed rules and custom AWS Config rules.

CoreStack requires the following permissions to execute managed AWS Config policies:

  • config:DeleteConfigRule
  • config:DescribeConfigRuleEvaluationStatus
  • config:GetComplianceDetailsByConfigRule
  • config:PutConfigRule

Custom Config rules additionally require Lambda and IAM permissions beyond these.
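As an added example (not CoreStack's own documentation or code), an IAM policy document that grants exactly the four managed-rule permissions listed above and nothing more; the statement id and the use of a wildcard resource are assumptions, and custom rules would still need the Lambda and IAM permissions this policy deliberately omits:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CoreStackManagedConfigRulesAssumedName",
      "Effect": "Allow",
      "Action": [
        "config:DeleteConfigRule",
        "config:DescribeConfigRuleEvaluationStatus",
        "config:GetComplianceDetailsByConfigRule",
        "config:PutConfigRule"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach this to the role or user whose credentials are registered as the AWS cloud account in CoreStack, so that a compromise of that credential cannot reach beyond Config rule management.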

Azure Policy

Azure Policy helps to enforce organizational standards and to assess compliance at scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost and management. Policies for these common use cases are already available in your CoreStack environment as part of the Marketplace policies. You can also upload custom policies as required.

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as Policy Definitions.
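As an added example, not one of CoreStack's Marketplace policies, a custom Policy Definition in that JSON form, modelled on the allowed-locations pattern: the listOfAllowedLocations array is the kind of execution parameter a user is prompted for at run time, and any resource created outside those locations is denied (the display name and parameter name are assumptions):

```json
{
  "properties": {
    "displayName": "Allowed locations (custom example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies resources deployed outside the locations supplied as an execution parameter.",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Locations that resources may be deployed to.",
          "strongType": "location"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": "[parameters('listOfAllowedLocations')]" },
          { "field": "location", "notEquals": "global" },
          { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Because the parameter has no default, an execution that omits it fails rather than silently allowing every location, which is the safer failure mode for a deny rule.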

Azure Policy execution through CoreStack requires access to the following services:

  • Microsoft.Authorization
  • Microsoft.PolicyInsights

Roles required:

  • Resource Policy Contributor (for Azure Policy related operations)
  • Contributor (to perform remediation actions on the resources)

Note: The Contributor role has only read access to Azure Policy and hence cannot be used to execute policies.

UI Navigation

Navigate to the Guardrails submenu under Governance in the left navigation menu and select the Policies option to land on the Policies (Marketplace) page.

The tabs at the top represent the scope of the policies. You can see 2 tabs: Marketplace and My Policies.

Marketplace

CoreStack provides a wide range of pre-defined policies which can help in realizing multiple use cases. The marketplace lists the policies available across multiple clouds. These are pre-loaded for all subscriptions and are FREE to be executed on-demand or scheduled.

These policies are available across all tenants and are usually created by the Product Administrator. In our SaaS version, it is managed by CoreStack. In on-premises installations, it will be managed by the on-site administrator.

Tip: These policies have the scope value set to Global.

My Policies

These policies have been created by users within the tenant. These are available only for users within the tenant. You can add more policies or edit/delete existing policies in this tab based on your role and access policies.

Tip: These policies have the scope value set to Tenants.

Search and Filter

CoreStack offers search and filter functions to help you quickly find the policies you need to execute. The Search bar is available just above the policies list. To filter policies, click on the "Filter" icon placed at the right end above the list.


The Text Search helps you search using any string available in the following fields:

  • Name of the Policy
  • Description of the Policy
  • Engine Type
  • Classification
  • Service

The text search is thus useful for narrowing the results from whatever partial information you have about the policy you are looking for.

CoreStack also offers Filters to help you narrow down the list of policies by using one or a combination of filters. On clicking the Filter icon, you will see the list of available filter options as shown below. Select the preferred options and click on the "Apply Filter" button at the bottom of this box.

Tip: Use the Reset button to quickly remove all selected filters and view all results.

Once you decide on a policy that you would like to try out, you can execute it on-demand or schedule it for a one-time or recurring execution in the future.


View Policy Details

To get more information about a specific policy, click on the policy row to open the 'Policy Detail' page. It shows four tabs: Metadata, Content, Compliance and Remediation.

  • Metadata – Properties collected during Policy creation
  • Content – The policy content that was uploaded as a file can be viewed here
  • Compliance – Details of compliance controls which are configured with this Policy
  • Remediation – Details of Policy Remediation Action and the mapped template(s)

Policy Actions

The actions that can be performed on a policy are shown when you hover your mouse over a policy. The list of actions depends on the scope of the policy (Marketplace, My Policies) and the RBAC access of the user.

Each action, with its availability for Marketplace policies and for My Policies (Shared):

  • View Schedules – Redirects to the Schedules page and filters the schedules by the selected Policy (Marketplace: Yes; My Policies: Yes)
  • View Executions – Redirects to the Job History page and filters the Jobs by the selected Policy (Marketplace: Yes; My Policies: Yes)
  • Execute – Executes the policy immediately and redirects to "Job History", where you can see the execution result (Marketplace: Yes; My Policies: Yes)
  • Edit – Modifies the properties, content, metadata and remediation details of the Policy (same as the Policy Create workflow) (Marketplace: No; My Policies: Yes)
  • Schedule – Similar to Execute but schedules the execution to be run later, once or multiple times (Marketplace: Yes; My Policies: Yes)
  • Delete – Deletes the Policy (Marketplace: No; My Policies: Yes)
  • Auto Remediation – Configures remediation actions for the policy violations. Note: This option is available only for system policies. (Marketplace: Yes; My Policies: Yes)

View Schedules

Lists all policy execution schedules of the current tenant. The tabs at the top right represent the schedule status. You can see 2 tabs: Upcoming and Past.

"Upcoming" will list the schedules which are active and are to be executed in future. "Past" will list the schedules which were already executed. A sample screenshot is shown below:


The Policy Schedules page has search and filter functions to help you quickly find the schedules. The Search bar is available just above the schedules list. To filter the list, click on the "Filter" icon placed at the right end above the Schedule detail tab.

The Policy Schedules list shows the following columns:

  • Schedule Name – Name of the schedule
  • Policy – Name of the Policy Scheduled
  • Recurrence – Recurrence of the Schedule (Once/ Daily / Weekly / Monthly / Yearly)
  • Next Run Time – Date and Time of the Next execution
  • Requested By – CoreStack username who created the schedule.

The details of the selected schedule are shown in the right panel. This panel shows the execution history of the schedule, which redirects to the Job History page filtered by this schedule. It also supports the following actions on the schedule:

  • Edit (All Occurrences) – Modifies the Schedule and impacts all occurrences
  • Delete (All Occurrences) – Deletes the Schedule and removes all future occurrences
  • Edit Next Occurrence – Modify the execution time for next immediate occurrence alone
  • Delete Next Occurrence – Delete the next immediate occurrence alone

View Executions (Job History)

Lists all policy executions of the current tenant. A sample screenshot is shown below. The tabs at the top right represent the archive status of jobs. You can see 2 tabs: Active Jobs and Archived Jobs.


The Policy Job History page offers search and filter functions to help you quickly find the executions. The Search bar is available just above the jobs list. To filter jobs, click on the "Filter" icon placed at the right end above the Job detail tab.

The Policy Job History page also has Archive, Un-Archive and Delete actions. These actions let you keep the number of executions shown on the Job History page manageable.

The Policy Jobs list shows the following columns:

  • Policy Name – Name of the policy executed
  • Job Name – Name of the Job, generated by CoreStack from the Policy Name and some random characters.
  • Cloud Accounts – Name of the Cloud Account selected when executing
  • Run Date – Date & Time of the Job execution
  • Type – Execution Type (On-Demand, Scheduled or System)
  • Status – Status of the Job execution.

The Policy Job Detail is shown when you click a Job in the list. It has two tabs: Inputs and Execution Logs.

  • Inputs – Cloud Account details and input parameters passed for the execution
  • Execution Logs – Short list of non-compliant resources from the Cloud Account for the executed Policy. You can click on "VIEW FULL LOG" button to view all the resources.

Execute Policy

Executes the policy against Cloud Accounts and returns the non-compliant resources in the 'Job History' execution results. Execution requires the following inputs:

  • Cloud Account – Cloud Account in which the Policy check is to be done.
  • Cloud Account Additional Info – Scope within the Cloud Account (e.g. Resource Group, Location, Region). These details are prompted for based on the policy content. For example, policies that can be configured at the subscription level will not require a Resource Group.
  • Execution Parameters – Additional parameters from the Policy. E.g. the "Azure Allowed Locations" policy will prompt for an array of allowed locations.

While executing a policy, the Remediation section will allow you to configure the remediation types and actions.

  1. Auto Trigger: For this remediation type, the remediation action will be triggered automatically whenever policy violations are detected. You can configure the action to be performed for remediation in the Remediation Action field.
  2. User Triggered: For this remediation type, the remediation action must be triggered manually whenever policy violations are detected.

Schedule Policy

Schedules the policy execution to be run later once or multiple times. Schedule requires the following details:

  • Name – Name of the schedule
  • Description – Detailed description about the schedule
  • Schedule Settings – Execution options. A policy can be scheduled to execute Once or to repeat after a specified number of Minutes or Hours, or Daily, Weekly, Monthly or Yearly.
  • Cloud Account – Cloud Account to be used for the executions.
  • Cloud Account Additional Info – Scope within the Cloud Account (e.g. Resource Group, Location, Region). These details are prompted for based on the policy content. For example, policies that can be configured at the subscription level will not require a Resource Group.
  • Execution Parameters – Additional parameters from the Policy. E.g. the "Azure Allowed Locations" policy will prompt for an array of allowed locations.

Auto Remediation

You can enable auto remediation for system policies; the remediation is performed if any policy violations are detected during the execution of that system policy. Perform the following steps to enable auto remediation:

  1. Navigate to Policies screen.
  2. Mouse-over the required system policy. The Auto Remediation option will appear for the system policy.
  3. Enable the Auto Remediation option using the toggle button.
  4. Click Enable button in the confirmation dialog box.

Auto remediation will be enabled for the selected system policy.

Note: If the selected system policy has input parameters, Auto Remediation cannot be enabled.

The actions defined in the Remediation section of the policy template will be executed in case of any policy violations.

You can view the remediation actions of the policy template by clicking on the system policy and selecting the Remediation tab.

Once the system policy is enabled with auto remediation, the policy will be executed automatically every 12 hours.

Create Custom Policies

CoreStack also provides the option for users to upload their own policies and use them to execute against their accounts.

To start, first navigate to "My Policies" tab of the Policies and then use the '+' button next to the 'Search' bar at top right to create a policy.

Policy creation involves 2 tabs:

  • Policy
  • Remediation

Policy tab – The Metadata of the Policy and the Policy content are required here.

This tab has 3 sections: Properties, Policy Content and Metadata.

Properties


The property fields are:

  • Name – Name of the Policy; any preferred name for identification
  • Description – Detailed description of the Policy; free-format text
  • Engine Type – Engine Type of the Policy. Choose one of the supported types (Azure Policy, AWS Config, Congress, Chef Inspec)
  • Services – Cloud Service that is relevant for this Policy (AWS, Azure). Note: This is loaded based on the Engine Type selected
  • Resource Type – The Resource Type(s) within the selected cloud that are relevant to this policy. Multiple can be selected.
  • Resources – Resources from the selected resource type(s) that are relevant to this policy. Multiple can be selected.
  • Severity – Severity of the Policy (High/Medium/Low)
  • Classification – Classification of the Policy (Security/Cost/Operation)
  • Sub Classification – Sub Classification of the Policy (choose from the values in the dropdown)
  • Scope – Scope of the Policy (defaults to Tenant for custom policies)

Policy Content

CoreStack supports "File" and "Git" options for policy content upload.

File – Policy content file can be uploaded by using 'browse' button

Git – Policy content can be maintained in public or private Git repositories. CoreStack will fetch the content from Git whenever required. The Git option requires the following details to access the policy content:

  • URL – Clone URL of the Git project that holds the policy content
  • Username – Git username if the project is not public
  • Password or Private SSH key – Password or SSH key file if the project is not public
  • Content Path – Folder path to the Policy content file from the root directory of the project

Metadata

Mark it as System Policy – System policies will be executed by CoreStack for all the cloud accounts added for the specific cloud (AWS / Azure). Hence this must be selected only if it is a policy that has to be executed by default for all cloud accounts to be onboarded.

Remediation Tab

When a Policy Violation is detected, the actions required to remediate or resolve it need to be readily available. This helps cloud engineers immediately trigger the appropriate action to remediate the violation.

You can configure multiple actions that can help remediate the cloud resource violating this policy, in order to make it compliant. The cloud engineer taking action after seeing a violation can apply any one of these actions to the violating resources through the Recommendations dashboard.

Note: Each action is essentially a cloud API call or an existing template in CoreStack. Hence you need to ensure that the templates are already uploaded or available in the Templates module if the action is based on a template.

The remediation fields are:

  • Name – Name of the Remediation
  • Description – Detailed description of the actions involved in the remediation
  • Actions – One or more remediation actions, each with the following fields:
    • Name – Name of the remediation action
    • Description – Detailed description of the action
    • Action Type – Defaults to Template
    • Template – Template to execute for this action
    • Map Template Inputs – Mapping of the resource details to the template input parameters. Any input parameters left unmapped are prompted for when the action is applied to violating resources.

Click on "Add New Action" button to add actions:


Trigger Tab

Cloud-native actions that are specific to the resource type can be configured in this section to resolve the policy violation. The configured action(s) are triggered automatically for the resource when a policy violation is detected. You can configure multiple triggers for each policy.

Based on the resources involved in the policy, the list of cloud-native actions will be available for configuration in this section.

Select from the list the required action(s) that need to be triggered to resolve the policy violation.

Click on "Next" to save the triggers.


Notification Tab

Policy violations are resolved by making the required changes to specific resources. It is imperative that all stakeholders who are involved in managing, and share responsibility for, the impacted resources are informed.

You can configure notifications through your existing tools/platforms, or specify the email addresses / mailing lists that must be informed of the policy violation and the corresponding changes.

The supported notification methods are:

  • Email
  • Webhook
  • JIRA
  • ServiceNow

The defined notifications are initiated automatically in the respective tools/platforms and help integrate cloud account management with the organization's existing ITSM and other monitoring mechanisms.

Click on the "Add" button in the Custom Notifications field and the available notification methods will be listed.

To configure external tools/platforms (such as JIRA, ServiceNow) for notifications, enable the corresponding checkbox in the list. Select the configured tools/platforms from the resulting dropdown list.

To configure email notifications, specify the email addresses and mailing lists that need to be notified in the Email Address field.


To finish creating the policy, click on the Save button.