McAfee Enterprise MVISION Cloud

Security Configuration Audit Policy Syntax

The Security Configuration Audit Policy syntax used by the Policy Builder is as follows:

You start building a policy by selecting a resource type. A resource type is a service provided by an IaaS CSP, such as EC2, S3, or an Azure storage account.

Policy Syntax : IF <policy_ruleset> THEN Severity is <severity>

  • policy_ruleset. A set of one or more policy rules. The first policy rule always starts with an IF statement.
  • Policy Rule. A conditional statement that starts with either AND or OR. 
    For example, AND <resource_attribute> <operator> <resource_attribute_value(s)>.
  • resource_attribute. Each resource type has its own attributes. Some attributes are simple and some are complex. A complex attribute comes from a sub-resource type related to the parent resource type. For example, the VPC attribute identifies the VPC in which an EC2 instance is located: EC2 is the resource type, VPC is the sub-resource type, and VPC.VPCFlowLog.VPCFlowLogId is a complex resource attribute.

NOTE: Resource attribute names appear as defined by IaaS CSPs.

  • attribute group. A policy rule can also use an attribute group, which is a group of attributes. An attribute group cannot be given a value itself, but the attributes inside it can be. If no attribute under an attribute group is set, the group is considered NOT SET. The operators supported for an attribute group are Count, Is set, and Is not set.
  • resource_attribute_value. A value assigned to a resource attribute. Depending on the type of resource attribute, you can assign single or multiple values. The policy builder pre-populates sample attribute values wherever applicable.
  • Severity. Defines the severity of the incident generated upon execution of the policy. Supported values are Critical, Major, Minor, Warning, and Info.
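The syntax described above, as an added example that is not MVISION Cloud code: a small Python evaluator that applies a policy of the form IF <policy_ruleset> THEN Severity is <severity> to a resource, using the complex attribute VPC.VPCFlowLog.VPCFlowLogId from the text as the check. Assumptions: rules combine left to right (the page does not state AND/OR precedence), only a few operators are modelled, and the two EC2 resources are constructed sample data whose field names are shaped after describeInstances and describeFlowLogs output rather than copied from the product.

```python
"""Added example, not MVISION Cloud code: a small evaluator for the documented
shape `IF <policy_ruleset> THEN Severity is <severity>`. It follows the text
above: the first rule starts with IF and later rules with AND or OR; an
attribute is a simple name or a dotted path into a sub-resource (here
VPC.VPCFlowLog.VPCFlowLogId on an EC2 instance); an attribute group is NOT SET
when none of its attributes is set. Assumptions: rules combine left to right,
and the sample resources are constructed, with field names shaped after
describeInstances / describeFlowLogs output."""
from dataclasses import dataclass
from typing import Any, Optional, Tuple

SEVERITIES = ("Critical", "Major", "Minor", "Warning", "Info")

@dataclass(frozen=True)
class Rule:
    conjunction: str   # "IF" for the first rule, then "AND" or "OR"
    attribute: str     # simple ("State") or complex dotted path
    operator: str      # "equals to", "is in", "is set", "is not set"
    value: Any = None  # omitted for "is set" / "is not set"

@dataclass(frozen=True)
class Policy:
    name: str
    resource_type: str
    rules: Tuple[Rule, ...]
    severity: str

def validate(policy: Policy) -> list:
    """Structural checks from the syntax description; an empty list means valid."""
    problems = []
    if not policy.rules or policy.rules[0].conjunction != "IF":
        problems.append("first policy rule must start with IF")
    problems += [f"rule on {r.attribute} must start with AND or OR"
                 for r in policy.rules[1:] if r.conjunction not in ("AND", "OR")]
    if policy.severity not in SEVERITIES:
        problems.append(f"unsupported severity {policy.severity!r}")
    return problems

def resolve(resource: dict, path: str) -> Any:
    """Walk a dotted attribute path through sub-resources; None if a segment is missing."""
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def is_set(value: Any) -> bool:
    """A group (dict) is set only if some attribute in it is set; None and empty
    strings/lists are NOT SET; any other value, including False or 0, is set."""
    if value is None:
        return False
    if isinstance(value, dict):
        return any(is_set(v) for v in value.values())
    if isinstance(value, (str, list, tuple)):
        return len(value) > 0
    return True

def check(rule: Rule, resource: dict) -> bool:
    """Evaluate one policy rule against one resource."""
    actual = resolve(resource, rule.attribute)
    if rule.operator == "is set":
        return is_set(actual)
    if rule.operator == "is not set":
        return not is_set(actual)
    if rule.operator == "equals to":
        return actual == rule.value
    if rule.operator == "is in":
        return actual in rule.value
    raise ValueError(f"operator not modelled in this example: {rule.operator}")

def evaluate(policy: Policy, resource: dict) -> Optional[str]:
    """Return the severity to raise when the ruleset matches, else None."""
    problems = validate(policy)
    if problems:
        raise ValueError("; ".join(problems))
    matched = check(policy.rules[0], resource)
    for rule in policy.rules[1:]:  # left-to-right combination (assumption)
        result = check(rule, resource)
        matched = (matched and result) if rule.conjunction == "AND" else (matched or result)
    return policy.severity if matched else None

# Constructed sample EC2 resources: VPC is a sub-resource, VPCFlowLog a group inside it.
EC2_LOGGED = {"InstanceId": "i-0f1e2d3c4b5a69780", "State": "running",
              "VPC": {"VpcId": "vpc-0a1b2c3d4e5f60718",
                      "VPCFlowLog": {"VPCFlowLogId": "fl-0123456789abcdef0", "TrafficType": "ALL"}}}
EC2_UNLOGGED = {"InstanceId": "i-0a9b8c7d6e5f43210", "State": "running",
                "VPC": {"VpcId": "vpc-0f0e0d0c0b0a09080", "VPCFlowLog": {}}}  # nothing set in group

# IF State equals to running AND VPC.VPCFlowLog.VPCFlowLogId is not set THEN Severity is Major
FLOW_LOG_POLICY = Policy(
    name="Running EC2 instance in a VPC without flow logs", resource_type="EC2",
    rules=(Rule("IF", "State", "equals to", "running"),
           Rule("AND", "VPC.VPCFlowLog.VPCFlowLogId", "is not set")),
    severity="Major")

if __name__ == "__main__":
    for res in (EC2_LOGGED, EC2_UNLOGGED):
        print(res["InstanceId"], "->", evaluate(FLOW_LOG_POLICY, res))
```

Run stand-alone, the instance whose VPCFlowLog group is empty raises Major and the instance with a flow log raises nothing. The point to take from is_set is the group rule from the text: an attribute group with no attribute set is NOT SET, so "VPC.VPCFlowLog is not set" also matches the unlogged instance, while validate() rejects a policy whose first rule does not start with IF or whose severity is not one of the five supported values.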


Errors

While creating a Config Audit Policy, you may see the following errors: 

  • Evaluate on can't be same as selected resource type. This error occurs when the value selected for Evaluate On is the same as the selected Resource Type. 
  • Only one Having rule condition allowed. A policy cannot contain more than one Count operation.
  • Unable to cast a value to %s for the property. This error occurs when the value you provide does not match the property's value type (the placeholder is filled with the expected type).
  • Failed to save Policy. This error occurs when an internal server error occurs while saving the policy. Try again. 
  • The duplicate entry of the policy. This error occurs when a policy with the same name already exists. Use a unique name for the policy. 

Supported Resource Types

Supported resource types and their APIs are listed here for AWS, Azure, and Google Cloud Platform (GCP). 

NOTE: For the complete list of supported attributes for each resource type, refer to the corresponding API links.

AWS

Resource Type | Supported APIs
--- | ---
AWS Account | get-public-access-block, list-distributions
Athena Query Execution | listQueryExecutions, getQueryExecution
AMI | describeImages
AWS Internet Gateway | describeInternetGateways
AWS Region | describeVpcs, describeInstances, describe-customer-gateways, describe-account-attributes, describe-configuration-recorders
AWS ECR Registry | describe-repositories
AWS ECR Repository | describe-repositories
CloudFront | listDistributions, listTagsForResource
CloudFormation | describeStacks, getTemplate, getStackPolicy
CloudTrail | describeTrails, getTrailStatus, getEventSelectors, listTags
CloudWatch | describeAlarms
Dynamo DB | describeEndpoints, describeLimits, listTables, describeTable, listBackups, describeContinuousBackups, describeTimeToLive, describeGlobalTable, describeGlobalTableSettings, listTagsOfResource
EBS Snapshot | describeSnapshots
EBS Volume | describeVolumes
EC2 | describeInstances
AWS Elastic Cache | describeCacheClusters
ELB (V2) | describeLoadBalancers, describeLoadBalancerAttributes, describeTags, describeListeners, describeSSLPolicies
ELB (Classic) | describeLoadBalancers, describeLoadBalancerAttributes, describeTags
ECR Image | describe-repositories
ECS | describe-services, list-services, list-tasks, describe-task-definition, describe-container-instances
ECS Fargate | describe-services, describe-clusters, list-tasks, describe-task-definition
EKS | list-Clusters, list-Nodegroups, describe-Nodegroup, describe-AutoScalingGroups
EKS Fargate | list-Clusters, list-Nodegroups, describe-Nodegroup, describe-AutoScalingGroups
EKS Worker Node | describeCluster, getWorkerNodeList
EMR Cluster | listClusters, describeCluster, listInstance
AWS Glue | getSecurityConfigurations
AWS IAM | get-credential-report, list-virtual-mfa-devices, get-account-authorization-details, list-entities-for-policy
AWS IAM Policy | listPolicies (PolicyScopeType.Local)
AWS IAM Server Certificate | listServerCertificates
AWS Kinesis | listStreams, describeStream, listTagsForStream
AWS KMS | listKeys, describeKey, getKeyRotationStatus, listResourceTags
AWS Lambda | listFunctions, listAliases, listEventSourceMappings, listTags
AWS Network ACLs | describeNetworkAcls
AWS NAT Gateway | describeNatGateways
AWS Network Interface | describeNetworkInterfaces
RDS | describeDBInstances, listTagsForResource, describeEventSubscriptions
RDS Cluster | describeDBClusters, describeEventSubscriptions, listTagsForResource
RDS Cluster Snapshot | describeDBClusterSnapshots, describeDBClusterSnapshotAttributes, listTagsForResource
RDS Snapshot | describeDBSnapshots, describeDBSnapshotAttributes, listTagsForResource
AWS Redshift | describeClusters
Route53 | listHostedZones, listResourceRecordSets, listTagsForResource
Route 53 Domains | listDomains, getDomainDetail, listTagsForDomain
AWS Route Table | describeRouteTables
S3 | listBuckets, getBucketAcl, getBucketLoggingConfiguration, getBucketVersioningConfiguration, getBucketLifecycleConfiguration, getBucketTaggingConfiguration, getBucketPolicy, getBucketLocation, getBucketNotificationConfiguration, getPublicAccessBlock
Security Group | describeSecurityGroups
SNS | listTopics
SQS | listQueues, getQueueAttributes
AWS Subnet | describeSubnets
AWS User | listAccessKeys, listUserTags, getLoginProfile, listMFADevices, listAttachedUserPolicies, listSSHPublicKeys
AWS VPC | describeVpcs, describeFlowLogs, describeVpcAttribute
AWS VPC Peering Connections | describeVpcPeeringConnections
AWS Elastic File System | describeFileSystems
AWS API Gateway | getRestApis, getStages
AWS Elastic Search | describeElasticsearchDomains, describeElasticsearchDomainConfig
ACM Managed Certificate | describeCertificate
AWS Codebuild | listProjects, batchGetProjects, listBuildsForProject

Microsoft Azure

Resource Type | Supported APIs
--- | ---
Azure Activity Log Alert | listbyresourcegroup
Azure Activity Log | logprofiles
Azure AD User | organization-get, user-list
Azure Application | webapps, diagnosticsettings
Azure Application Gateway | applicationgateways, diagnosticsettings
AKS | getAKSClusters, listWorkerNodes, getClusterPodPolicyConfig
AKS Worker Node | getAKSClusters, listWorkerNodes, getClusterPodPolicyConfig
Azure Cosmos DB | databaseaccounts, listcassandrakeyspaces, listconnectionstrings, listgremlindatabases, listkeys, listmetricdefinitions, listmongodbdatabases, listreadonlykeys, listsqldatabases, listtables, listusages, diagnosticsettings
Azure Security Center | getsecuritypolicy, getsecuritycenterpolicy
Azure Disk | list
Azure Event Hub | list, diagnosticsettings
Azure Functions | webapps, listfunctions, listfunctionsecrets
Azure Key Vault | list, diagnosticsettings
Azure Load Balancer | list, diagnosticsettings
Azure Management Locks | listatsubscriptionlevel
Azure Maria DB | listbyresourcegroup, listbyserver-configurations, diagnosticsettings
Azure MySQL Database | listbyresourcegroup, listbyserver-configurations, diagnosticsettings
Azure PostGreSQL Database | listbyresourcegroup, listbyserver-configurations, diagnosticsettings
Azure NAT Gateway | list
Azure Network Interface | list
Network Security Group | listall-network-watchers, list, diagnosticsettings
Azure Public IP Address | list, diagnosticsettings
Azure Redis Cache | listbyresourcegroup, listbyredisresource-firewall-rules, diagnosticsettings
Resource Group | list
Azure Route Table | list
Azure VM Scale Set | list
Azure Service Bus | listbyresourcegroup-namespaces, listbynamespace-queues, listbynamespace-topics, diagnosticsettings
Azure SQL Database | list-servers, list-by-server, security-alert-policies, auditing-settings, transparent-data-encryption, diagnosticsettings
Azure SQL Server | list-servers, firewall-rules, security-alert-policies, encryption-protector, failover-groups, ad-administrators
Azure Storage Account | list-by-rg, get-properties, diagnosticsettings
Subscription | list
Azure Virtual Machine | list, vm-extension, diagnosticsettings
Azure Virtual Network | list, diagnosticsettings
Azure Subnet | list
Azure Workspace | list-by-rg

GCP

Resource Type | Supported APIs
--- | ---
GCP API Service | projects.serviceAccounts/list
GCP Cloud Storage | buckets/list, buckets/getIamPolicy
GCP Disk Snapshot | snapshots/get
GCP DNS Managed Zone | managedZones/get
GCP Firewall Rule | firewalls/get, networks/get
GCP Cloud Functions | projects.locations.functions/get
GCP IAM | auditLogs and linked attributes
GCP IAM Policy | projects/getIamPolicy
GCP Image | images/list
Virtual Machine Image | images/get
GCP KMS | projects.locations/get, projects.locations.keyRings/get
GCP Load Balancer | urlMaps/get
GCP LB Target Https Proxy | targethttpsproxies/list
GCP Network | networks/list
Project | projects.sinks/get, projects.metrics/get
GCP PubSub Snapshot | projects.snapshots/list
GCP PubSub Subscription | projects.subscriptions/get
GCP PubSub Topic | projects.topics/get
GCP Service Account | serviceAccount, roles
GCP SQL Databases | instances/get
GCP SSL Policy | listsslpolicy
GCP User | Email, Roles
GCP Disk | disks/get
GCP Virtual Machine | instances/list
GKE | getGKEClusters, getWorkerNodeList
GKE Worker Node | getGKEClusters, getWorkerNodeList, getWorkerNodeKubeletConfig
GCP Virtual network Subnet | getSubnets
GCP Container Repository | getContainers
GCP Container Image | getContainerImages

Supported Operators

The following operators are supported. 

NOTE: While creating a policy rule, operators are populated based on the type of resource attribute. Not all operators are applicable to an attribute. 

Operator | Description
--- | ---
is in | Attribute value matches any of the specified values
is not in | Attribute value matches none of the specified values
equals to | Attribute value equals the specified value
not equals to | Inequality operator; the opposite of "equals to"
greater than | Attribute value is greater than the specified value
greater than equal to | Attribute value is greater than or equal to the specified value
less than | Attribute value is less than the specified value
less than equal to | Attribute value is less than or equal to the specified value
contains | A list-valued attribute contains the specified item
not contains | A list-valued attribute does not contain the specified item
starts with | Attribute value starts with the specified string
not starts with | Opposite of "starts with"
ends with | Attribute value ends with the specified string
not ends with | Opposite of "ends with"
time is in next | Attribute time falls between the current time and the given number of days (unit) in the future
time is in last | Attribute time falls between the given number of days (unit) in the past and the current time
time is older than | Attribute time is older than the given number of days (unit) in the past
is set | Attribute value is set
is not set | Attribute value is not set
count | Total number of occurrences per resource. This operator is visible only for attribute groups
Evaluate On | Generates the violation against a parent resource type such as Region or Account
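The operator table above, as an added example that is not MVISION Cloud code: each row implemented as a Python comparison, with the three time operators and count applied to constructed sample values (an IAM access key creation date, an ACM certificate expiry, and a security group's ingress rules). Assumptions: the time operators take their unit in days, a fixed `now` is passed in so the checks are deterministic (the product uses the real current time), and the field names are modelled on the CSP APIs listed above rather than copied from a product response. String comparisons are case sensitive, as the Supported Value Types note below states.

```python
"""Added example, not MVISION Cloud code: reference semantics for the operator
table above, so the comparison each row describes can be checked against sample
attribute values. Assumptions: time windows use days as the unit, and `now` is
passed in explicitly so the checks are deterministic. Sample values are constructed."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "current time" for the examples


def _as_dt(value):
    """Accept datetime objects or ISO-8601 strings as stored on the resource."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _is_set(value):
    """None, empty strings and empty collections count as NOT SET."""
    return value not in (None, "", [], {})


OPERATORS = {
    "is in": lambda a, v: a in v,
    "is not in": lambda a, v: a not in v,
    "equals to": lambda a, v: a == v,            # strings compare case-sensitively
    "not equals to": lambda a, v: a != v,
    "greater than": lambda a, v: a > v,
    "greater than equal to": lambda a, v: a >= v,
    "less than": lambda a, v: a < v,
    "less than equal to": lambda a, v: a <= v,
    "contains": lambda a, v: v in a,             # a is a list-valued attribute
    "not contains": lambda a, v: v not in a,
    "starts with": lambda a, v: a.startswith(v),
    "not starts with": lambda a, v: not a.startswith(v),
    "ends with": lambda a, v: a.endswith(v),
    "not ends with": lambda a, v: not a.endswith(v),
    "is set": lambda a, v: _is_set(a),
    "is not set": lambda a, v: not _is_set(a),
}

TIME_OPERATORS = {
    # the value is a number of days relative to `now` (unit assumed to be days)
    "time is in next": lambda a, days, now: now <= _as_dt(a) <= now + timedelta(days=days),
    "time is in last": lambda a, days, now: now - timedelta(days=days) <= _as_dt(a) <= now,
    "time is older than": lambda a, days, now: _as_dt(a) < now - timedelta(days=days),
}


def compare(operator, actual, value=None, now=NOW):
    """Evaluate one `<attribute> <operator> <value>` condition."""
    if operator in TIME_OPERATORS:
        return TIME_OPERATORS[operator](actual, value, now)
    if operator in OPERATORS:
        return OPERATORS[operator](actual, value)
    raise ValueError(f"unsupported operator: {operator}")


def count(group):
    """`count`: total occurrences of an attribute group on one resource. The
    Errors section above allows only one such Having condition per policy."""
    return len(group or [])


# Constructed sample attribute values, named after the CSP API fields they mimic.
ACCESS_KEY_CREATE_DATE = "2024-01-15T09:30:00+00:00"  # IAM listAccessKeys CreateDate
CERT_NOT_AFTER = "2024-06-20T00:00:00+00:00"          # ACM describeCertificate NotAfter
SG_INGRESS = [                                         # Security Group ingress rules
    {"FromPort": 22, "IpRanges": ["0.0.0.0/0"]},
    {"FromPort": 443, "IpRanges": ["0.0.0.0/0"]},
    {"FromPort": 5432, "IpRanges": ["10.0.0.0/8"]},
]


def demo():
    """A few operator checks against the sample values; returns the results."""
    return {
        "stale_key": compare("time is older than", ACCESS_KEY_CREATE_DATE, 90),
        "cert_expiring": compare("time is in next", CERT_NOT_AFTER, 30),
        "case_sensitive": compare("equals to", "Enabled", "enabled"),
        "open_ssh": compare("contains", SG_INGRESS[0]["IpRanges"], "0.0.0.0/0"),
        "many_rules": compare("greater than", count(SG_INGRESS), 2),
    }


if __name__ == "__main__":
    for check_name, result in demo().items():
        print(f"{check_name}: {result}")
```

With `now` fixed at 2024-06-01, the key created in January is older than 90 days, the certificate expiring on 20 June is in the next 30 days, and "Enabled" does not equal "enabled", which is the case-sensitivity point to remember when pasting values from a console that displays them in a different case.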

Supported Value Types

  • String/Text: Case sensitive
  • Numbers
  • Boolean
  • Date/Time
  • List

NOTE: Regex is currently not supported.
