ZCSPM
Creating Custom Security Policies for AWS
ZCSPM support creating custom security policies for Amazon Web Services (AWS). To create a custom security policy:
- Simulate an AWS Config Aggregator query on ZCSPM
To simulate an AWS Config Aggregator query on ZCSPM:
- On the ZCSPM Admin Portal, go to Configurations > Security Policies.
- Under License level, select AWS.
- Click Add Custom Policy and select the required cloud accounts using the Cloud Account drop-down menu.
- Enter the AWS Config Aggregator Name and the AWS Config Aggregator Region. ZCSPM uses AWS Config for custom security policies.
- Enter your Query Statement and click Run Simulation.
The simulation result will display a table listing the top 5 rows and all the columns as possible criteria to build your policy.
Important information regarding simulating queries:
- You must attach an AWS IAM policy with config:select* permission for your ZCSPM data collection role:
- On the ZCSPM Admin Portal, go to Configurations > Cloud Accounts.
- For your selected AWS cloud account, click Configure Account, then click Update Cloud Account.
- Copy the AWS Role Name. You will need the role name to enable Select Query Policy on your AWS deployment.
- On the AWS Admin Portal, go to Roles.
- Search for your AWS role name and select the role.
- Click Attach policies, then click Create Policy.
- Select the JSON tab and paste the following JSON:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ZCSPMCustomQueryPolicy", "Effect": "Allow", "Action": [ "config:SelectAggregateResourceConfig", "config:Select*" ], "Resource": "*" } ] }- Click Review policy, then enter a Name.
- Click Create Policy.
- On the attach policy page, search for the policy created above.
- Select the policy, then click Attach Policy.
- ZCSPM supports only those queries which return a single resource type.
- ZCSPM does not support those queries which return only the count attribute.
Suppose you want to create a custom security policy to ensure that all EC2 volumes are encrypted. For this example, the query on AWS Config Aggregator is:
SELECT resourceId, resourceType, configuration.volumeType, tags, configuration.availabilityZone, configuration.encrypted WHERE resourceType = 'AWS::EC2::Volume'
Close
- Define the pass criteria for the custom security policy
After the query has successfully run, you can define the pass criteria. Based on the pass criteria that you define, ZCSPM determines if your cloud resources pass the policy or not.
To define the pass criteria:
- Select the attribute for which you want to create a rule from the Criteria 1 drop-down menu.
- Select an operator and enter a Value. The Operator drop-down menu is populated based on the attribute selected in the previous step.
- Equals
- Not Equals
- Contains
- Greater than Equal to
- Less than Equal to
- To add more rules to your pass criteria, click Add Condition and then select a condition to combine the rules. The condition can be:
- AND
- OR
For our example, the configuration.volumeType criteria is used to build the custom policy.
Important information regarding pass criteria:
- Ensure that you do not have conflicting conditions on the same criteria.
- ZCSPM does not support nested conditions.
- Specify the custom security policy details and map to a benchmark
After you have determined the pass criteria for your policy, you can specify the custom security policy details:
- Enter the Policy Title, Risk Impact, and the associated Cloud Account.
- Optionally, you can also specify the audit and remediation procedures.
- Click Next.
- Map your custom policy to a Benchmark and choose a Benchmark Category, and click Next.
- Review all the information, then click Save.
You can view the custom policy on the CSBP page.
Close