Skip to content

compliance-framework/plugin-cloud-custodian-policies

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Policies for use in the Cloud Custodian plugin

Testing

This policy bundle uses import rego.v1, so opa test / make test require an OPA release with Rego v1 support. In practice, use OPA 1.x or newer.

opa test policies

Bundling

Policies are built into a bundle to make distribution easier.

make build

Writing policies

Policies are written in Rego.

Use the standardized per-resource payload generated by the Cloud Custodian plugin as policy input. The plugin evaluates one resource/check pair at a time with schema_version: v2; matched resources are marked assessment.status: non_compliant, and baseline resources that did not match the Cloud Custodian check are marked assessment.status: compliant.

Cloud Custodian policies may include a plugin-only non_compliance_message string. When a resource is marked non_compliant, that message is appended to the evidence description. The plugin removes this field before executing the Cloud Custodian policy.

Risk templates should dedupe by individual cloud resource using the payload labels resource_type and resource_id.

About

No description, website, or topics provided.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors