Syndicate Rule Engine is a solution for checking and assessing virtual infrastructures in AWS, Azure and GCP against different types of standards, requirements and rulesets. By default, the solution ships with hundreds of security, compliance, utilization and cost-effectiveness rules, covering well-known standards such as GDPR, PCI DSS, CIS Benchmarks and a number of others.
All the technical details described below apply to a particular version, or a range of versions, of the software.
This lambda is designed as the handler for all API resources:
- /jobs POST - initiates the custodian scan for the requested account;
- /jobs GET - returns job details for the requested query with the paths to the result reports (if any);
- /jobs DELETE - terminates the custodian scan;
- /signin POST - returns access and refresh tokens for a specific user. The user must exist in the Cognito user pool (register first through the signup resource);
- /signup POST - resource for registering a new Custodian user. Saves the user in the Cognito user pool;
- /scheduled-job GET|POST|PATCH|DELETE - resource for retrieving/registering/updating/deregistering a scheduled job, which is executed according to the given cron expression;
- /event POST - resource for starting a job in event-driven mode.
Refer to custodian-api-handler for more details.
This lambda is designed to update the Jobs state in the CaaSJobs DynamoDB table.
Triggered by the CloudWatch Rule custodian-job-state-update.
Refer to custodian-job-updater for more details.
This lambda is designed to pull the latest data from the rules GIT repository and store the data in the CaaSRules DynamoDB table. The Rule model:
- id (str). Format: name_version
- name (str)
- description (str)
- cloud (str). Possible values: AWS/GCP/AZURE
- version (str)
- creator (str)
- updated_date (str)
- source (str)
Refer to custodian-rule-meta-updater for more details.
This lambda generates statistics reports based on Batch job results.
Refer to custodian-report-generator for more details.
This lambda is designed to handle the API for Accounts, Rulesets, Rule Sources and Account Regions configurations.
Refer to custodian-configuration-api-handler for more details.
Each rule file in the repository must be in the following format:
```yaml
policies:
  - name: name
    description: description
    metadata:
      version: version
      cloud: AWS/GCP/Azure
      source: source
      article: article
      remediation: remediation
      service_section: service_section
      standard:
        standard_name_1:
          - point 1
          - point 2
        standard_name_2:
          - point 1
          - point 2
          - point 3
    some more: content
  - and: more
```
All fields are required.
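Since every field is required and the CaaSRules item id is derived as name_version, a rule-source sync should reject a malformed file before anything reaches the table. The following validator is an added example (not code from the Syndicate Rule Engine project): it checks a parsed rule file against the layout above, then builds a CaaSRules item following the Rule model. The sample document, the `creator` value and the rule names in it are constructed; PyYAML is only needed if you call `load_rule_file`.

```python
"""Validate a rule file against the required layout and build the CaaSRules item.

Added example, not project code. Required keys mirror the rule file format;
the item layout follows the Rule model (id = name_version). `creator` and
`updated_date` are supplied by the caller, since the rule file does not carry them.
"""
from datetime import datetime, timezone
from typing import List, Optional

REQUIRED_METADATA = (
    "version", "cloud", "source", "article", "remediation",
    "service_section", "standard",
)
ALLOWED_CLOUDS = {"AWS", "GCP", "AZURE"}


def validate_policy(policy: dict) -> List[str]:
    """Return a list of problems; an empty list means the policy is valid."""
    problems = []
    for key in ("name", "description", "metadata"):
        if key not in policy:
            problems.append(f"missing top-level field '{key}'")
    meta = policy.get("metadata")
    if not isinstance(meta, dict):
        problems.append("'metadata' must be a mapping")
        return problems
    for key in REQUIRED_METADATA:
        if key not in meta:
            problems.append(f"missing metadata field '{key}'")
    if "cloud" in meta and str(meta["cloud"]).upper() not in ALLOWED_CLOUDS:
        problems.append(f"unsupported cloud '{meta['cloud']}'")
    if "standard" in meta:
        standard = meta["standard"]
        if not isinstance(standard, dict) or not standard:
            problems.append("'standard' must map standard names to lists of points")
        else:
            for std_name, points in standard.items():
                if not isinstance(points, list) or not points:
                    problems.append(f"standard '{std_name}' must list at least one point")
    return problems


def validate_rule_file(doc: dict) -> List[str]:
    """Validate a whole parsed rule file (the `policies:` document)."""
    policies = doc.get("policies")
    if not isinstance(policies, list) or not policies:
        return ["file must contain a non-empty 'policies' list"]
    problems = []
    for idx, policy in enumerate(policies):
        problems.extend(f"policies[{idx}]: {p}" for p in validate_policy(policy))
    return problems


def to_rule_item(policy: dict, creator: str, updated_date: Optional[str] = None) -> dict:
    """Build the CaaSRules item for a valid policy; the id is name_version."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    meta = policy["metadata"]
    return {
        "id": f"{policy['name']}_{meta['version']}",
        "name": policy["name"],
        "description": policy["description"],
        "cloud": str(meta["cloud"]).upper(),
        "version": str(meta["version"]),
        "creator": creator,
        "updated_date": updated_date or datetime.now(timezone.utc).isoformat(),
        "source": meta["source"],
    }


def load_rule_file(path: str) -> dict:
    """Parse a YAML rule file; PyYAML is imported lazily so the rest runs without it."""
    import yaml  # pip install pyyaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


# Constructed sample shaped like the layout above; not a real rule from any repository.
SAMPLE_DOC = {
    "policies": [
        {
            "name": "ec2-instance-imdsv2-required",
            "description": "EC2 instances must require IMDSv2",
            "metadata": {
                "version": "1.0", "cloud": "AWS", "source": "example-repo",
                "article": "example article", "remediation": "example remediation",
                "service_section": "Compute",
                "standard": {"CIS Benchmark": ["5.6"], "PCI DSS": ["2.2", "6.5"]},
            },
        },
        {   # deliberately incomplete: no 'remediation', and an empty standard list
            "name": "broken-rule",
            "description": "missing fields",
            "metadata": {
                "version": "0.1", "cloud": "Azure", "source": "x", "article": "a",
                "service_section": "s", "standard": {"GDPR": []},
            },
        },
    ]
}

if __name__ == "__main__":
    for problem in validate_rule_file(SAMPLE_DOC):
        print("invalid:", problem)
    print(to_rule_item(SAMPLE_DOC["policies"][0], creator="ci-bot"))
```

Running the block reports the two defects in the second sample policy and prints the CaaSRules item for the first one; wiring `validate_rule_file(load_rule_file(path))` into the rule-source sync (or a pre-commit hook on the rules repository) keeps incomplete rules out of the table.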
To run the tests, use the command below:
```shell
pytest tests/
```
If there is no need to scan the entire cloud account, but only certain resources, and only after they change (for example, an EC2 instance was created, the content of an S3 bucket was updated, etc.), the solution offers event-driven scans.
Using the /account/credentials-manager endpoint or the c7n account credentials-manager add command, add a credentials configuration: cloud name, cloud identifier, and the trusted role ARN that the service assumes to obtain temporary credentials for the specified account for event-driven scans.
Temporary credentials are stored in the CaaSCredentials table along with their expiration. If less than 15 minutes remain until expiration, new credentials are obtained from the assumed role; otherwise the existing credentials are used.
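The refresh rule above is where stale or over-eagerly refreshed credentials come from, so it is worth seeing the threshold exercised. The following is an added example, not code from the Syndicate Rule Engine project: it models the CaaSCredentials table as an in-memory dict, takes the assume-role call as a parameter (a fake STS stand-in here, so it runs offline), and returns whether a lookup reused the cached credentials or refreshed them. The record layout, the role ARN, the account id and the fake key ids are all constructed.

```python
"""Reuse-or-refresh logic for cached temporary credentials (added example, not project code).

The CaaSCredentials record layout (cloud, identifier, trusted_role_arn, credentials,
expiration) is assumed; in production assume_role would wrap STS AssumeRole.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

REFRESH_THRESHOLD = timedelta(minutes=15)

# role ARN -> (credentials, expiration)
AssumeRole = Callable[[str], Tuple[dict, datetime]]


def needs_refresh(expiration: Optional[datetime], now: datetime) -> bool:
    """True when nothing is cached or fewer than 15 minutes remain before expiration."""
    if expiration is None:
        return True
    return expiration - now < REFRESH_THRESHOLD


def get_credentials(table: Dict[str, dict], cloud: str, identifier: str,
                    assume_role: AssumeRole, now: datetime) -> Tuple[dict, bool]:
    """Return (credentials, refreshed) for the account, assuming the role only when needed."""
    key = f"{cloud}:{identifier}"
    record = table.get(key)
    if record is None:
        raise KeyError(f"no credentials configuration for {key}")
    if not needs_refresh(record.get("expiration"), now):
        return record["credentials"], False
    creds, expiration = assume_role(record["trusted_role_arn"])
    # Guard against a role session shorter than the threshold, which would force a
    # refresh on every single lookup.
    if expiration - now < REFRESH_THRESHOLD:
        raise RuntimeError("assumed-role credentials expire too soon to be cached")
    record["credentials"] = creds
    record["expiration"] = expiration
    return creds, True


class FakeSts:
    """Constructed stand-in for STS AssumeRole; issues 1-hour credentials and counts calls."""

    def __init__(self, now: datetime, lifetime: timedelta = timedelta(hours=1)):
        self.now = now
        self.lifetime = lifetime
        self.calls = 0

    def assume_role(self, role_arn: str) -> Tuple[dict, datetime]:
        self.calls += 1
        creds = {"AccessKeyId": f"ASIA-FAKE-{self.calls}",
                 "SecretAccessKey": "fake-secret", "SessionToken": "fake-token"}
        return creds, self.now + self.lifetime


T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def make_table() -> Dict[str, dict]:
    """One constructed CaaSCredentials record; the account id and ARN are placeholders."""
    return {
        "AWS:123456789012": {
            "cloud": "AWS",
            "identifier": "123456789012",
            "trusted_role_arn": "arn:aws:iam::123456789012:role/ExampleTrustedRole",
            "credentials": None,
            "expiration": None,
        }
    }


def demo() -> Tuple[List[Tuple[int, str, bool]], int]:
    """Three lookups at +0, +30 and +50 minutes: refresh, reuse, refresh (10 min left)."""
    table = make_table()
    sts = FakeSts(T0)
    results = []
    for offset in (0, 30, 50):
        now = T0 + timedelta(minutes=offset)
        sts.now = now
        creds, refreshed = get_credentials(table, "AWS", "123456789012", sts.assume_role, now)
        results.append((offset, creds["AccessKeyId"], refreshed))
    return results, sts.calls


if __name__ == "__main__":
    for offset, key_id, refreshed in demo()[0]:
        print(f"+{offset:>2} min: {key_id} ({'refreshed' if refreshed else 'reused'})")
```

The boundary is deliberately "strictly less than 15 minutes": a session with exactly 15 minutes left is still reused, which matches the rule as stated. The guard on the freshly assumed credentials matters when a role's maximum session duration has been lowered below the threshold; without it the cache degrades into one AssumeRole call per event.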
The trigger for executing event-driven scans is a request from the client lambda received at the /event endpoint.
Event-driven scans use rulesets that have the event_driven field set to true.