You can leverage YAML templates to create complex rules tailored to specific compliance or security requirements. Cortex Cloud Application Security rules support attribute-based and connection-state rules.
Rule attributes properties (YAML)
The following YAML attributes are used to define the properties of the rules.
- `provider`: Specifies the cloud provider or source for the resources
- `definition`: Contains the logic and conditions for the rule, including attributes, operators, and resource connections
- `resource_type`: Defines the type of the specific cloud resource
- `cond_type`: Represents the condition type for applying the rule. Options: attributes, connection, filter, resource
- `attribute`: Refers to the specific attribute or property of the cloud resource being evaluated
- `value`: Represents the value that the attribute of the cloud resource should meet for the rule condition
Attribute-based rules
Attributes define resource property configurations. The YAML syntax for attribute configurations aligns with the framework targeted by the rule, such as Terraform, to define the desired resource state. Cortex Cloud Application Security IaC rules identify and flag any resource that deviates from this defined state as a violation.
Each attribute condition requires the resource to do one of the following:
- Contain the specified attribute value. For example, if a rule states that the `region` attribute must be `us-west-2`, then a resource will only pass this part of the rule if it includes the `region` attribute and the value of that attribute is `us-west-2`.
- Match the attribute's presence. For example, if a rule states "the `encryptionEnabled` attribute must be present," then a resource will only pass if it includes the `encryptionEnabled` attribute, regardless of its value.
- Match the attribute's absence. For example, if a rule states "the `publicAccessAllowed` attribute must be absent," then a resource will only pass if it does not include the `publicAccessAllowed` attribute.
In this example, the attribute check flags any aws_redshift_cluster resource where the automated_snapshot_retention_period is not 0.
```yaml
definition:
  cond_type: "attribute"
  resource_types:
    - "aws_redshift_cluster"
  attribute: "automated_snapshot_retention_period"
  operator: "not_equals"
  value: "0"
```
Supported operators
Attribute operators apply differently based on the scan type:
- IaC scans: All attribute operators are supported.
- Secrets scans: The `regex` operator is applied implicitly. Even if `regex` is not explicitly defined, pattern matching is applied automatically. For example, in the following secret rule, regex is implicitly applied:
```yaml
cond_type: "secrets"
value:
  - "[A-Za-z0-9]{8,20}"
  - "my-super-secret-password-regex"
```
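To make the three attribute-condition forms and the implicit secrets regex concrete, here is an added example evaluator (it is not Cortex Cloud's own engine or code from the original page). It expresses the page's two YAML definitions as Python dicts so it runs without a YAML library, and it assumes the operator names `equals` and `regex_match` for the value-match and regex operators, that values are compared as strings, and that a value comparison on a missing attribute does not match; the sample resources are constructed.

```python
import re

# Constructed sample resources in the shape of parsed Terraform blocks (type, name,
# attribute dict). They are example inputs only, not real infrastructure.
RESOURCES = [
    {"type": "aws_redshift_cluster", "name": "analytics",
     "attrs": {"automated_snapshot_retention_period": 7, "region": "us-west-2"}},
    {"type": "aws_redshift_cluster", "name": "scratch",
     "attrs": {"automated_snapshot_retention_period": 0, "region": "us-east-1"}},
    {"type": "aws_redshift_cluster", "name": "legacy",
     "attrs": {"region": "us-west-2", "publicAccessAllowed": True}},
    {"type": "aws_s3_bucket", "name": "logs", "attrs": {"encryptionEnabled": True}},
]

# The page's aws_redshift_cluster definition, written as a dict instead of YAML.
RETENTION_RULE = {
    "cond_type": "attribute",
    "resource_types": ["aws_redshift_cluster"],
    "attribute": "automated_snapshot_retention_period",
    "operator": "not_equals",
    "value": "0",
}

# The three condition forms from the text: value match, presence, absence.
# "equals" is the assumed name of the value-match operator.
REGION_RULE = {"cond_type": "attribute", "resource_types": ["aws_redshift_cluster"],
               "attribute": "region", "operator": "equals", "value": "us-west-2"}
ENCRYPTION_PRESENT_RULE = {"cond_type": "attribute", "resource_types": ["aws_s3_bucket"],
                           "attribute": "encryptionEnabled", "operator": "exists"}
PUBLIC_ACCESS_ABSENT_RULE = {"cond_type": "attribute", "resource_types": ["aws_redshift_cluster"],
                             "attribute": "publicAccessAllowed", "operator": "not_exists"}

# The page's secrets rule: every entry in value is a regex, matched implicitly.
SECRETS_RULE = {"cond_type": "secrets",
                "value": ["[A-Za-z0-9]{8,20}", "my-super-secret-password-regex"]}


def matches_definition(rule, resource):
    """True if the resource is in the defined state for this attribute rule.

    Resources whose type is not listed in resource_types are out of scope and
    count as matching. Values are compared as strings, so the YAML value "0"
    matches the integer 0 (an assumption of this example).
    """
    if resource["type"] not in rule["resource_types"]:
        return True
    attrs = resource["attrs"]
    present = rule["attribute"] in attrs
    op = rule["operator"]
    if op == "exists":
        return present
    if op == "not_exists":
        return not present
    if not present:
        # A value comparison needs the attribute to be there at all, as the text
        # says for the region example.
        return False
    actual, expected = str(attrs[rule["attribute"]]), str(rule["value"])
    if op == "equals":
        return actual == expected
    if op == "not_equals":
        return actual != expected
    if op == "regex_match":  # assumed name for the regex operator the text mentions
        return re.search(expected, actual) is not None
    raise ValueError(f"unsupported operator: {op}")


def deviating_resources(rule, resources):
    """Names of in-scope resources that deviate from the defined state."""
    return [r["name"] for r in resources
            if r["type"] in rule["resource_types"] and not matches_definition(rule, r)]


def secret_matches(rule, candidate):
    """Secrets scan: the value list is a set of regexes; any hit flags the string."""
    return any(re.search(pattern, candidate) for pattern in rule["value"])


if __name__ == "__main__":
    for label, rule in [("retention", RETENTION_RULE), ("region", REGION_RULE),
                        ("encryption present", ENCRYPTION_PRESENT_RULE),
                        ("public access absent", PUBLIC_ACCESS_ABSENT_RULE)]:
        print(f"{label}: deviating = {deviating_resources(rule, RESOURCES)}")
    for text in ["my-super-secret-password-regex", "short"]:
        print(f"{text!r}: secret? {secret_matches(SECRETS_RULE, text)}")
```

Note that the first secrets pattern has no anchors, so any run of 8 to 20 alphanumerics inside a longer string is a hit; tighten patterns with anchors or context when a rule produces too many findings.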
The table below explains how to use attributes with matching keys and values.
| Operators | Values |
|---|---|
Limitation of nesting in NOT blocks
Nesting connection condition types within a NOT block is not currently supported. The following example displays an unsupported 'NOT' block for connection condition types.
Using JSONPath with operators
Operators within this system support advanced attribute targeting through JSONPath expressions. To apply an operator to a JSONPath result, prefix the operator with `jsonpath_`. This allows for flexible and precise data extraction and comparison. For example: `jsonpath_length_equals` or `jsonpath_length_exists`.
Connection-based rules
Connection state in a rule defines whether resources of different types are connected or disconnected. This helps enforce security controls and architectural constraints by specifying allowed or prohibited relationships between resources.
In this example, aws_lb and aws_elb must be connected to aws_security_group or aws_default_security_group to be compliant.
```yaml
definition:
  cond_type: "connection"
  resource_types:
    - "aws_elb"
    - "aws_lb"
  connected_resource_types:
    - "aws_security_group"
    - "aws_default_security_group"
  operator: "exists"
```
The table below explains how to use Connection State types with matching keys and values.
| Key | Type | Value |
|---|---|---|
| `cond_type` | string | A connection must exist between the specified resources |
| `resource_types` | collection of strings | Use either |
| `connected_resource_types` | collection of strings | Use either |
| `operator` | string | `exists` or `not_exists` |
The table below explains how to use Connection State operators:
| Connection State Operators | Value |
|---|---|
| Exists | `exists` |
| Not Exists | `not_exists` |
Logical operators (AND/OR)
A rule can include layers of defined attributes, connection state, or both. To define the relationship between them, use AND/OR logical operators. You can customize the attributes, connection state, or both across multiple layers.
In this example, the attribute property is evaluated using OR logic to enforce compliance checks for ensuring all AWS databases have a backup policy.
In this example, both AND/OR logical operators are utilized to evaluate both attribute and connection state properties in order to enforce compliance checks for ensuring that all Application Load Balancers (ALBs) are only connected to HTTPS listeners.
In this example, OR logic is applied to custom secrets defined as part of a policy aiming to enforce security measures by restricting the addition of certain types of secrets.
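The following added example (not code from the original page or from Cortex Cloud) serves both the connection-based rule above and this logical-operators section: it evaluates the page's security-group connection definition and then AND/OR definitions that mix attribute and connection conditions, in the spirit of the HTTPS-listener and database-backup checks described. It assumes that string attribute values shaped like `<type>.<name>.<field>` stand in for Terraform references and define connections in either direction, that the logical operators are written as lowercase `and`/`or` keys, that a leaf condition aimed at other resource types does not constrain the resource being evaluated, and that the value-match operator is named `equals`. All resources are constructed.

```python
# Constructed sample resources: type, name and attributes. String attribute values
# shaped like "<type>.<name>.<field>" stand in for Terraform references between
# resources; that convention is an assumption of this example and is how
# connections are derived below.
RESOURCES = [
    {"type": "aws_security_group", "name": "web", "attrs": {"name": "web-sg"}},
    {"type": "aws_lb", "name": "web",
     "attrs": {"load_balancer_type": "application",
               "security_groups": ["aws_security_group.web.id"]}},
    {"type": "aws_lb", "name": "bare", "attrs": {"load_balancer_type": "application"}},
    {"type": "aws_lb_listener", "name": "https",
     "attrs": {"load_balancer_arn": "aws_lb.web.arn", "protocol": "HTTPS", "port": 443}},
    {"type": "aws_lb_listener", "name": "http",
     "attrs": {"load_balancer_arn": "aws_lb.bare.arn", "protocol": "HTTP", "port": 80}},
    {"type": "aws_db_instance", "name": "primary", "attrs": {"backup_retention_period": 7}},
    {"type": "aws_db_instance", "name": "archive", "attrs": {}},
    {"type": "aws_db_instance", "name": "cache", "attrs": {}},
    {"type": "aws_backup_selection", "name": "nightly",
     "attrs": {"resources": ["aws_db_instance.archive.arn"]}},
]

# The page's connection definition: load balancers must be attached to a security group.
SG_RULE = {"cond_type": "connection", "resource_types": ["aws_elb", "aws_lb"],
           "connected_resource_types": ["aws_security_group", "aws_default_security_group"],
           "operator": "exists"}

# AND: a listener is compliant only if it speaks HTTPS and is attached to an aws_lb.
# The logical operators are written as lowercase "and"/"or" keys (assumed form).
HTTPS_LISTENER_RULE = {"and": [
    {"cond_type": "attribute", "resource_types": ["aws_lb_listener"],
     "attribute": "protocol", "operator": "equals", "value": "HTTPS"},
    {"cond_type": "connection", "resource_types": ["aws_lb_listener"],
     "connected_resource_types": ["aws_lb"], "operator": "exists"},
]}

# OR: a database has a backup policy if it sets a retention period itself or is
# covered by a backup selection.
DB_BACKUP_RULE = {"or": [
    {"cond_type": "attribute", "resource_types": ["aws_db_instance"],
     "attribute": "backup_retention_period", "operator": "exists"},
    {"cond_type": "connection", "resource_types": ["aws_db_instance"],
     "connected_resource_types": ["aws_backup_selection"], "operator": "exists"},
]}


def references(resource):
    """(type, name) pairs this resource's attributes refer to, per the convention above."""
    found = set()
    for value in resource["attrs"].values():
        for item in (value if isinstance(value, list) else [value]):
            if isinstance(item, str) and item.count(".") >= 2:
                rtype, rname, _ = item.split(".", 2)
                found.add((rtype, rname))
    return found


def connected_types(resource, resources):
    """Types of resources connected to this one, in either reference direction."""
    me = (resource["type"], resource["name"])
    mine = references(resource)
    return {o["type"] for o in resources if o is not resource
            and ((o["type"], o["name"]) in mine or me in references(o))}


def evaluate(definition, resource, resources):
    """True if the resource satisfies the definition (attribute, connection, and/or)."""
    if "and" in definition:
        return all(evaluate(d, resource, resources) for d in definition["and"])
    if "or" in definition:
        return any(evaluate(d, resource, resources) for d in definition["or"])
    if resource["type"] not in definition["resource_types"]:
        return True  # assumption: a leaf aimed at other types does not constrain this one
    if definition["cond_type"] == "attribute":
        value = resource["attrs"].get(definition["attribute"])
        if definition["operator"] == "exists":
            return value is not None
        return str(value) == str(definition["value"])  # "equals" only, for brevity
    if definition["cond_type"] == "connection":
        hit = bool(connected_types(resource, resources)
                   & set(definition["connected_resource_types"]))
        return hit if definition["operator"] == "exists" else not hit
    raise ValueError(f"unsupported cond_type: {definition['cond_type']}")


def scope(definition):
    """Resource types a definition applies to (union over and/or branches)."""
    branches = definition.get("and") or definition.get("or")
    if branches:
        return set().union(*(scope(d) for d in branches))
    return set(definition["resource_types"])


def violations(definition, resources):
    """'type.name' of every in-scope resource that fails the definition."""
    types = scope(definition)
    return [f'{r["type"]}.{r["name"]}' for r in resources
            if r["type"] in types and not evaluate(definition, r, resources)]


if __name__ == "__main__":
    for label, rule in [("security group", SG_RULE), ("https listener", HTTPS_LISTENER_RULE),
                        ("db backup", DB_BACKUP_RULE)]:
        print(f"{label}: {violations(rule, RESOURCES)}")
```

Running it reports `aws_lb.bare` (no security group), `aws_lb_listener.http` (plain HTTP) and `aws_db_instance.cache` (neither a retention period nor a backup selection). Swapping a connection leaf's operator to `not_exists` inverts that leaf only, which is how a prohibited relationship is expressed without nesting it in a NOT block.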