CoreStack also provides the option for users to upload their own policies and use them to execute against their accounts.

To start, navigate to the “Shared” tab of the Policies module, then use the button next to the ‘Search’ bar at the top right to create a policy.

Policy creation involves two tabs:

  • Policy
  • Remediation

Policy Tab

The Policy metadata and the Policy content are entered here. This tab has three sections: Properties, Policy Content and Metadata.

Properties:

The table below describes the property fields:

Name – Name of the Policy; any preferred name for identification
Description – Detailed description about the Policy; free-format text
Engine Type – Engine Type of the Policy. Choose one of the supported types (Azure Policy, AWS Config, Congress, Chef InSpec)
Services – Cloud Service that is relevant for this Policy (AWS, Azure). Note: this list is loaded based on the Engine Type selected
Resource Type – The Resource Type(s) within the selected cloud that are relevant to this Policy. Multiple types can be selected
Severity – Severity of the Policy (High/Medium/Low)
Classification – Classification of the Policy (Security/Cost/Operation)
Sub Classification – Sub Classification of the Policy (choose from the values in the dropdown)
Scope – Scope of the Policy (defaults to tenant for custom policies)

Policy Content:

CoreStack supports “File” and “Git” options for policy content upload.

File – The policy content file is uploaded using the ‘Browse’ button.

Git – Policy content can be maintained in a public or private Git repository. CoreStack fetches the content from Git whenever it is required. The Git option needs the following details to access the policy content:

URL – Clone URL of the Git project that holds the policy content
Username – Git username, if the project is not public
Password or Private SSH key – Password or SSH key file, if the project is not public
Content Path – Folder path to the Policy content file, relative to the root directory of the project

Metadata:

Mark it as System Policy – System policies are executed by CoreStack against every cloud account added for the specific cloud (AWS / Azure). Select this only if the policy must run by default for all cloud accounts that are onboarded.

Remediation Tab

When a Policy Violation is detected, the actions required to remediate / resolve the violation need to be readily available. This lets cloud engineers immediately trigger the appropriate action to remediate the violation.

You can configure multiple actions that help remediate a cloud resource violating this policy and bring it back into compliance. The cloud engineer handling a violation can apply any one of these actions to the violated resources through the Recommendations dashboard.

Note: Each action is essentially an existing template in CoreStack, so make sure the required templates are already uploaded or available in the Templates module.

Name – Name of the Remediation
Description – Detailed description about Policy; free-format text
Actions – One or more actions, each with the following fields:
  • Name – Name of the Remediation
  • Description – Detailed description about Policy; free-format text
  • Action Type – Defaults to Template
  • Template – Template to execute for this action
  • Map Template Inputs – Mapping of the resource details to the template input parameters. Any input parameters that are not mapped are prompted for when the action is applied to violated resources.
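As an added illustration (not CoreStack code), the Python below sketches how the Map Template Inputs step described above can be resolved for one violated resource: mapped parameters are filled from the resource details, unmapped parameters are collected so they can be prompted for at apply time, and a mapping that points at a field the resource record does not carry is rejected before anything runs. The template definition, the violation record and the mapping are constructed for the example; their names do not refer to any real CoreStack template.

```python
"""Resolving remediation template inputs from a violated resource (added example)."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class TemplateInput:
    """One input parameter declared by a remediation template."""
    name: str
    required: bool = True
    default: Any = None


# Constructed, hypothetical template definition (not a CoreStack template).
ENCRYPT_BUCKET_TEMPLATE = {
    "name": "enable-s3-default-encryption",
    "inputs": (
        TemplateInput("bucket_name"),
        TemplateInput("region"),
        TemplateInput("kms_key_id", required=False, default="aws/s3"),
    ),
}

# Constructed violation record: the resource details a policy engine would report.
VIOLATED_RESOURCE = {
    "resource_id": "arn:aws:s3:::example-logs-bucket",
    "resource_name": "example-logs-bucket",
    "region": "us-east-1",
    "account_id": "123456789012",
}

# Constructed "Map Template Inputs" configuration: template input -> resource field.
MAPPING = {"bucket_name": "resource_name", "region": "region"}


def resolve_inputs(template, resource, mapping):
    """Apply the mapping to one violated resource.

    Returns a dict with:
      resolved - inputs filled from the resource details
      prompt   - inputs with no mapping, to be asked for when the action is applied
      errors   - mappings that point at a field the resource record does not carry
    """
    resolved, prompt, errors = {}, [], []
    for inp in template["inputs"]:
        source_field = mapping.get(inp.name)
        if source_field is None:
            prompt.append(inp.name)
        elif source_field not in resource:
            errors.append(f"{inp.name}: resource has no field '{source_field}'")
        else:
            resolved[inp.name] = resource[source_field]
    return {"resolved": resolved, "prompt": prompt, "errors": errors}


def build_action_inputs(template, resource, mapping, answers=None):
    """Merge the mapped values with the operator's answers to the prompted inputs.

    Optional inputs left unanswered fall back to their default; a required
    input that is neither mapped nor answered blocks the action.
    """
    answers = dict(answers or {})
    result = resolve_inputs(template, resource, mapping)
    if result["errors"]:
        raise ValueError("invalid mapping: " + "; ".join(result["errors"]))
    inputs = dict(result["resolved"])
    for inp in template["inputs"]:
        if inp.name in inputs:
            continue
        if inp.name in answers:
            inputs[inp.name] = answers[inp.name]
        elif not inp.required:
            inputs[inp.name] = inp.default
        else:
            raise ValueError(f"required input '{inp.name}' was not mapped or answered")
    return inputs


if __name__ == "__main__":
    print(resolve_inputs(ENCRYPT_BUCKET_TEMPLATE, VIOLATED_RESOURCE, MAPPING))
    print(build_action_inputs(ENCRYPT_BUCKET_TEMPLATE, VIOLATED_RESOURCE, MAPPING))
```

Validating the mapping at save time rather than at apply time is the point of the `errors` list: a remediation whose mapping references a resource field the engine never reports would otherwise fail only when an engineer is already trying to fix a live violation.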

[Screenshot: Remediation Name and Description]

Click the “Add New Action” button to add actions:

[Screenshot: Sample Action – 2]

[Screenshot: actions added]

To finish creating the policy, click the “Save” button.