A policy describes how services (either individually or as a whole) ought to behave. More specifically, a policy describes which states of the cloud are permitted and which are not. Policies are used to assess, audit, and evaluate the configurations of your cloud resources, so that those resources stay compliant with your corporate standards and service level agreements.

CoreStack supports the following types of policies:

  • AWS Config
  • Azure Policy
  • OpenStack Congress
  • Chef Inspec

You can bring into CoreStack any of these policies with ease and re-use them outside of CoreStack later
if required.

AWS Config

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. With AWS
Config, you can ensure compliance with internal policies and best practices. You do this by creating AWS
Config policies, which represent your ideal configuration settings.
AWS Config provides customizable, predefined rules called managed rules to help you get started. You can
also create your own custom rules. CoreStack supports both managed rules and custom AWS Config rules.

CoreStack requires following permissions to execute managed AWS Config Policy.

  • config:DeleteConfigRule
  • config:DescribeConfigRuleEvaluationStatus
  • config:GetComplianceDetailsByConfigRule
  • config:PutConfigRule

Custom Config rules will require Lambda and IAM permissions other than this.

Azure Policy

Azure Policy helps to enforce organizational standards and to assess compliance at scale. Common use cases
for Azure Policy include implementing governance for resource consistency, regulatory compliance, security,
cost and management. Policies for these common use cases are already available in your CoreStack
environment as part of the Marketplace policies. You can also upload custom policies as required.

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules.
These business rules, described in JSON format, are known as Policy Definitions.

Azure Policy Execution through CoreStack requires access to the following services.

  • Microsoft.Authorization
  • Microsoft.PolicyInsights

Roles required:

  • Resource Policy Contributor (for Azure Policy related operations)
  • Contributor (to perform remediation actions on the resources)Note: Contributor role has only read access to Azure Policy and hence cannot be used to
    execute policies.

Note: : Contributor role has only read access to Azure Policy and hence cannot be used to execute policies.