About Custom Rules Based on Tags
Skyhigh CASB allows you to leverage your existing tags to customize Configuration Audit rules. Tags, which are metadata-based, help you manage EC2 deployments by categorizing AWS resources in ways that make sense for your organization, especially if you have many resources of the same type. Tags allow a great deal of flexibility; they can be applied to an individual resource, or they can be applied in bulk.
In AWS, each tag is a pair of an identifier and a value, written here as <Tag> = <Value>. Tags can be used in any number of ways, for example:
- Region = APAC
- Region = EMEA
- Cost center = IT
- Cost center = Development
Once tags are applied to AWS resources, they provide a way for you to report on AWS resources, for example:
- Show me all S3 buckets with Region = APAC
- Show me all EC2 instances with Cost center = IT
- Show me all S3 buckets that don't have a Region tag set
Once an AWS resource is tagged, Skyhigh CASB can use these tags to build a custom configuration audit policy rule to check for the absence of a specific tag. Note that not all services in AWS support tags.
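The following is an added example of the kind of check such a rule performs; it is not Skyhigh CASB code and does not call AWS. The instance records are constructed to mirror the per-instance shape returned by the EC2 DescribeInstances API (an optional `Tags` list of `Key`/`Value` entries), and the helper names (`find_missing_tag`, `find_disallowed_values`, `audit`) are assumptions for illustration. Beyond the page's "absence of a tag" rule it also shows a value check (Region must be APAC or EMEA), and it handles the two cases that trip up naive checkers: AWS omits the `Tags` key entirely for untagged resources, and tag keys are case-sensitive, so `region` does not satisfy a rule for `Region`.

```python
"""Tag-based configuration audit checks over EC2 instance records.

Added example, not Skyhigh CASB or AWS code. Record shape follows the
EC2 DescribeInstances per-instance structure; the sample data is constructed.
"""

# Constructed sample instances (IDs are placeholders, not real resources).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0000000000000001",                    # fully compliant
     "Tags": [{"Key": "Region", "Value": "APAC"},
              {"Key": "Cost center", "Value": "IT"}]},
    {"InstanceId": "i-0000000000000002",                    # key case differs: "region"
     "Tags": [{"Key": "region", "Value": "EMEA"},
              {"Key": "Cost center", "Value": "IT"}]},
    {"InstanceId": "i-0000000000000003",                    # no Cost center; Region value not allowed
     "Tags": [{"Key": "Region", "Value": "LATAM"}]},
    {"InstanceId": "i-0000000000000004"},                   # untagged: AWS omits "Tags" entirely
]


def tag_map(resource):
    """Return the resource's tags as {key: value}; a missing "Tags" list yields {}."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def find_missing_tag(resources, key, case_sensitive=True):
    """IDs of resources that lack tag `key` (the 'absence of a specific tag' rule).

    AWS tag keys are case-sensitive, so the default is a strict match; pass
    case_sensitive=False only if the organization treats 'region' and 'Region'
    as the same tag.
    """
    wanted = key if case_sensitive else key.lower()
    hits = []
    for r in resources:
        keys = tag_map(r).keys()
        if not case_sensitive:
            keys = {k.lower() for k in keys}
        if wanted not in keys:
            hits.append(r["InstanceId"])
    return hits


def find_disallowed_values(resources, key, allowed):
    """IDs of resources where tag `key` is present but its value is outside `allowed`."""
    allowed = set(allowed)
    hits = []
    for r in resources:
        tags = tag_map(r)
        if key in tags and tags[key] not in allowed:
            hits.append(r["InstanceId"])
    return hits


def audit(resources):
    """Run the rules and return {rule name: [violating instance IDs]}."""
    return {
        "missing Cost center": find_missing_tag(resources, "Cost center"),
        "missing Region": find_missing_tag(resources, "Region"),
        "Region not in {APAC, EMEA}": find_disallowed_values(
            resources, "Region", {"APAC", "EMEA"}),
    }


if __name__ == "__main__":
    for rule, ids in audit(SAMPLE_INSTANCES).items():
        print(f"{rule}: {ids if ids else 'no violations'}")
```

With real data, the records would be the `Instances` entries from each `Reservations` element of a DescribeInstances response; the checks themselves do not change. Note that instance `i-0000000000000002` is reported as missing `Region` under the strict rule but not under the case-insensitive one, which is exactly the kind of discrepancy worth settling in a tagging standard before writing the rule.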
Violations generated from these policies appear on the Policy Incident page. In the example below, the violated policy was triggered by every EC2 instance that was not tagged with Cost_center: