A policy describes how services (either individually or as a whole) ought to behave. More specifically, a policy describes which states of the cloud are permitted and which are not. Policies are used to assess, audit, and evaluate the configurations of your cloud resources, so that those resources stay compliant with your corporate standards and service level agreements.
CoreStack supports the following types of policies:
You can bring any of these policies into CoreStack with ease and re-use them outside of CoreStack later if required.
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. With AWS Config, you can ensure compliance with internal policies and best practices. You do this by creating AWS Config policies, which represent your ideal configuration settings.
AWS Config provides customizable, predefined rules called managed rules to help you get started. You can also create your own custom rules. CoreStack supports both managed rules and custom AWS Config rules.
CoreStack requires the following permissions to execute managed AWS Config policies.
Custom Config rules require Lambda and IAM permissions in addition to these.
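As an added illustration of what a custom AWS Config rule looks like (example code, not CoreStack's or this page's): the evaluation logic a rule Lambda runs when Config invokes it on a configuration change. The rule parameter `requiredTagKeys` and the sample event are constructed for this example.

```python
import json

# Constructed sample of the event AWS Config passes to a custom-rule Lambda:
# `invokingEvent` and `ruleParameters` arrive as JSON strings, `resultToken` is opaque.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",  # constructed id
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "tags": {"Owner": "platform-team", "CostCenter": ""},
        },
    }),
    "ruleParameters": json.dumps({"requiredTagKeys": "Owner,CostCenter,Environment"}),
    "resultToken": "constructed-token",
}


def evaluate_compliance(configuration_item: dict, required_tag_keys: list[str]) -> tuple[str, str]:
    """Return (ComplianceType, Annotation): deleted resources are NOT_APPLICABLE,
    a live resource is NON_COMPLIANT when any required tag is missing or empty."""
    if configuration_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Resource was deleted"
    tags = configuration_item.get("tags") or {}
    missing = [key for key in required_tag_keys if not tags.get(key)]
    if missing:
        return "NON_COMPLIANT", "Missing required tag(s): " + ", ".join(missing)
    return "COMPLIANT", "All required tags present"


def build_evaluation(event: dict) -> dict:
    """Parse the invocation event into one PutEvaluations entry (no AWS calls)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    required = [k.strip() for k in params.get("requiredTagKeys", "").split(",") if k.strip()]
    compliance, annotation = evaluate_compliance(item, required)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # AWS Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: dict, context) -> dict:
    """Lambda entry point: evaluate, then report the result back to AWS Config."""
    import boto3  # imported here so the functions above run without AWS credentials
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

The Lambda's execution role needs `config:PutEvaluations`, which is the kind of extra permission the custom-rule note above refers to.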
Azure Policy helps to enforce organizational standards and to assess compliance at scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost and management. Policies for these common use cases are already available in your CoreStack environment as part of the Marketplace policies. You can also upload custom policies as required.
Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as Policy Definitions.
Azure Policy Execution through CoreStack requires access to the following services.
Roles required:
Note: The Contributor role has only read access to Azure Policy and hence cannot be used to execute policies.
Navigate to the GuardRails submenu under Governance in the left navigation menu and select the Policies option to open Policies (Marketplace).
The tabs at the top represent the scope of the policies. You can see 2 tabs: Marketplace and My Policies.
CoreStack provides a wide range of pre-defined policies that cover multiple use cases. The marketplace lists the policies available across multiple clouds. These are pre-loaded for all subscriptions and are free to execute on demand or on a schedule.
These policies are available across all tenants and are usually created by the Product Administrator. In our SaaS version, it is managed by CoreStack. In on-premises installations, it will be managed by the on-site administrator.
Tip: These policies have the scope value set to Global.
These policies have been created by users within the tenant. These are available only for users within the tenant. You can add more policies or edit/delete existing policies in this tab based on your role and access policies.
Tip: These policies have the scope value set to Tenants.
CoreStack offers search and filter functions to help you quickly find the policies you need to execute. The Search bar is available just above the policies list. To filter policies, click the “Filter” icon at the right end above the policies list.
The Text Search helps you search using any string available in the following fields:
The text search is thus useful for narrowing the results based on whatever partial information you have about the policies you want.
CoreStack also offers Filters to help you narrow down the list of policies by using one or a combination of filters. On clicking the Filter icon, you will see the list of Filter options available as shown below. Select the preferred options and click the “Apply Filter” button at the bottom of this box.
Tip: Use the Reset button to quickly remove all selected filters and view all results.
Once you decide on a policy that you would like to try out, you can execute it on demand or schedule it for a one-time or recurring execution in the future.
To get more information about a specific policy, click on the policy row to open the ‘Policy Detail’ page. It shows four tabs: Metadata, Content, Compliance and Remediation.
The actions that can be performed on a policy are shown when you hover over a policy. The list of actions depends on the scope of the policy (Marketplace, My Policies) and the RBAC access of the user.
Lists all policy execution schedules of the current tenant. The tabs at the top right represent the schedule status. You can see 2 tabs: Upcoming and Past.
“Upcoming” will list the schedules which are active and are to be executed in future. “Past” will list the schedules which were already executed. A sample screenshot is shown below:
The Policy Schedules page has search and filter functions to help you quickly find schedules. The Search bar is available just above the schedules list. To filter schedules, click the “Filter” icon at the right end above the Schedule detail tab.
The Policy Schedules list shows the following columns:
The details of the selected schedule are shown in the right panel. This includes the execution history of the schedule, which redirects to the Job History page filtered by this schedule. The panel also supports the following actions on the schedule:
Lists all policy executions of the current tenant. A sample screenshot is shown below. The tabs at the top right represent the archive status of jobs. You can see 2 tabs: Active Jobs and Archived Jobs.
The Policy Job History page offers search and filter functions to help you quickly find executions. The Search bar is available just above the jobs list. To filter jobs, click the “Filter” icon at the right end above the Job detail tab.
The Policy Job History page also has Archive, Un-Archive and Delete actions. These actions can be used to keep the number of executions shown on the Job History page manageable.
The Policy Jobs list shows the following columns:
The Policy Job Detail is shown on clicking a Job in the list. It shows two tabs: Inputs and Execution Logs.
Inputs – Cloud Account details and input parameters passed for the execution
Execution Logs – Short list of non-compliant resources from the Cloud Account for the executed Policy. You can click on “VIEW FULL LOG” button to view all the resources.
Executes the policy against Cloud Accounts and returns the non-compliant resources in the ‘Job History’ execution results. Execute requires the following inputs:
Schedules the policy execution to be run later once or multiple times. Schedule requires the following details:
CoreStack also provides the option for users to upload their own policies and use them to execute against their accounts.
To start, navigate to the “My Policies” tab of the Policies page and then use the ‘+’ button next to the Search bar at the top right to create a policy.
Policy creation involves 2 tabs:
Policy tab – The Metadata of the Policy and the Policy content are required here.
This tab has 3 sections: Properties, Policy Content and Metadata.
Properties:
The table below describes the property fields:
Policy Content:
CoreStack supports “File” and “Git” options for policy content upload.
File – The policy content file can be uploaded using the ‘browse’ button.
Git – Policy content can be maintained in public or private Git repositories. CoreStack accesses the content from Git whenever required. The Git option requires the following details to access the policy content:
Metadata:
Mark it as System Policy – System policies are executed by CoreStack for all the cloud accounts added for the specific cloud (AWS / Azure). Hence select this only for a policy that must be executed by default for every cloud account that is onboarded.
Remediation Tab:
When a Policy Violation is detected, the actions required to remediate / resolve this violation need to be readily available. This helps cloud engineers immediately trigger the appropriate action to remediate the violation.
You can configure multiple actions that can help remediate the cloud resource violating this policy, in order to make it compliant. The cloud engineer taking action after seeing a violation can apply any one of these actions to the violating resources through the Recommendations dashboard.
Note: Each action is essentially a cloud API call or an existing template in CoreStack. Hence, if the action is based on a template, you need to ensure that the template is already uploaded or available in the Templates module.
Click on “Add New Action” button to add actions:
Trigger Tab:
Cloud-native actions that are specific to the resource type can be configured in this section to resolve the policy violation. The configured action(s) are triggered automatically for the resource when a policy violation is detected. You can configure multiple triggers for each policy.
Based on the resources involved in the policy, the list of applicable cloud-native actions is available for configuration in this section.
Select from the list the action(s) that need to be triggered to resolve the policy violation.
Click on “Next” to save the triggers.
Notification Tab:
Policy violations are resolved by making the required changes to specific resources. All stakeholders who manage or share responsibility for the impacted resources must be informed.
You can configure notifications in your existing tools/platforms or specify the email addresses / mailing lists that must be informed of the policy violation and the corresponding changes.
The supported notification methods are:
The defined notifications are initiated automatically in the respective tools/platforms, which helps integrate cloud account management with the existing ITSM and other monitoring mechanisms in the organization.
Click on “Add” button in the Custom Notifications field and the available notification methods will be listed.
To configure external tools/platforms (such as JIRA, ServiceNow) for notifications, enable the corresponding checkbox from the list. Select the configured tools/platforms from the resulting dropdown list.
To configure email notifications, specify the email addresses and mailing lists that need to be notified in the Email Address field.
To finish creating the policy, click on the “Save” button.