
Skyhigh Security

Create a Security Configuration Audit Policy

There are two ways to create a policy for Security Configuration: you can create a policy from a template, or you can create a policy using the Configuration Audit Policy Builder. 

Create a Policy from a Policy Template 

To use a preconfigured Configuration Audit Policy Template:

  1. Go to Policy > Policy Templates.
  2. Filter for Policy Type > Security Configuration
  3. Filter for Service Applicable to and select your service. Then select the policies you want to import into your instance. 
  4. Click Create Policy

  5. The new policies display on the Policy > Configuration Audit page.  
  6. Edit the policy as needed for your implementation. 

Create a Policy using the Policy Builder

Use the Configuration Audit Policy Builder to create custom Security Configuration Audit policies to meet your organization's requirements. It supports policies for AWS, Azure, and GCP and provides compliance against industry standards such as CIS, PCI, HIPAA, and NIST 800-53. 

The Policy Builder supports conditions as exceptions to the policy. It also allows you to test the policy and see sample results before you save it.

For information about policy builder syntax, errors, supported resource types, operators, and value types, see Security Configuration Audit Policy Syntax.

To create a Security Configuration Audit Policy:

  1. Go to Policy > Configuration Audit
  2. Click Actions > Create Policy
  3. The policy builder wizard opens. On the Description page, configure the following fields:

    • Name. Enter a unique name for the policy. 
    • Description. Enter an optional description for the policy. 
    • Services. Select the service you want the policy to apply to. 
  4. Click Next
  5. Select one or more Resource Types.

  6. IF. Add Policy Rules based on your requirements. Click + to add more and choose AND/OR.
    • Attribute values are auto-populated wherever applicable. If the value you want to provide is not in the auto-populated list, you can still add it manually. To add a value, enter it in the search bar and press Enter.
  7. THEN. Select a Severity: Critical, Major, Minor, Warning, or Info.

  8. ADD AN EXCEPTION. If you do not want to apply rules to some accounts, or you want to skip the policy evaluation for a specific resource instance based on some conditions, you can add a negation condition within your IF section. For example, you may want to exclude resources that are tagged with env as sandbox. Click + to add more.
    NOTE: You can also specify the exclusions via optional exceptions, but this is not recommended as a best practice.
  9. Click Test Rule. This tests your policy and reports the total number of resources that are violating the policy. It also returns a maximum of 50 records as a sample result and displays "and more" if there are additional records that are not processed.
  10. Click Next
  11. Responses. Add a Response Action to your policy. 
  12. Click Next
  13. Review your policy and click Save. By default, the policy is made active. 
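
The effect of the negation condition in step 8 and the Test Rule summary in step 9 can be reasoned about with a small model. This is an added Python example, not Skyhigh's policy syntax or evaluation engine; the resource fields, the open-SSH rule, and all function names are assumptions, and the inventory is constructed.

```python
# Added illustration: a toy model, not Skyhigh's evaluation engine or syntax.
from dataclasses import dataclass, field

SAMPLE_LIMIT = 50  # per the page, Test Rule returns at most 50 sample records


@dataclass
class Resource:
    rid: str
    attrs: dict
    tags: dict = field(default_factory=dict)


def open_ssh(r):
    """Hypothetical IF rule: SSH reachable from any address."""
    return r.attrs.get("port") == 22 and r.attrs.get("cidr") == "0.0.0.0/0"


def not_sandbox(r):
    """Negation condition from step 8: skip resources tagged env=sandbox."""
    return r.tags.get("env") != "sandbox"


def run_test_rule(resources, conditions, joiner="AND"):
    """Model of step 9: total violations plus a capped sample."""
    combine = all if joiner == "AND" else any
    hits = [r for r in resources if combine(c(r) for c in conditions)]
    return {
        "total": len(hits),
        "sample": [r.rid for r in hits[:SAMPLE_LIMIT]],
        "more": len(hits) > SAMPLE_LIMIT,
    }


def build_inventory():
    """Constructed data: 60 prod open, 5 sandbox open, 10 prod closed."""
    wide, narrow = {"port": 22, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}
    inv = [Resource(f"prod-open-{i}", wide, {"env": "prod"}) for i in range(60)]
    inv += [Resource(f"sbx-open-{i}", wide, {"env": "sandbox"}) for i in range(5)]
    inv += [Resource(f"prod-closed-{i}", narrow, {"env": "prod"}) for i in range(10)]
    return inv


if __name__ == "__main__":
    inv = build_inventory()
    print(run_test_rule(inv, [open_ssh])["total"])                      # no exception
    print(run_test_rule(inv, [open_ssh, not_sandbox], "AND")["total"])  # sandbox excluded
    print(run_test_rule(inv, [open_ssh, not_sandbox], "OR")["total"])   # OR widens the match
```

In this model, joining the negation with OR instead of AND matches more resources than the rule alone, so compare the Test Rule total with and without the exception before saving.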

NOTES:

  • Support for creating compliance policies against new services/resource types added by vendors can be added dynamically by Skyhigh CASB in 2 weeks. This allows you to create custom policies for your organization's requirements.
  • The Skyhigh CASB Configuration Audit Policy Builder now supports AWS-Managed IAM Policy and collects specific AWS-Managed Policies’ data to create custom policies. For custom policies, provide policy ARNs for the specific IAM policies. For example, if you have AmazonGuardDutyServiceRolePolicy as the AWS-Managed IAM policy, provide the ARN in the following format:
    arn:aws:iam::aws:policy/aws-service-role/AmazonGuardDutyServiceRolePolicy
  • Currently, we are collecting data only for AmazonGuardDutyServiceRolePolicy. To request support for more AWS-Managed IAM policies, contact Skyhigh Security Support.

Sample Policies

For information about policy builder syntax, supported resource types, operators, and value types, see Security Configuration Audit Policy Syntax.

List EC2 Instances with Unrestricted TCP Access

iaas_config_sample1.png

Publicly accessible S3 Buckets

iaas_config_sample2.png

Find Inactive IAM Users

iaas_config_sample_3.png

Storage Accounts with Unrestricted Access to Azure Activity Logs

iaas_config_sample_4.png

EC2 Instances with More Than 10 Security Groups Attached

iaas_config_sample_5.png

CloudTrail Trails not Integrated with CloudWatch Logs

iaas_config_sample_6.png

CloudTrail Logging Disabled for the Account

iaas_config_sample_7.png

Security Group Should not Allow Inbound Traffic

No target tags set or target in a production environment. 
iaas_config_sample_8.png
