Governance

Policies that improve the configuration of your assets to increase performance, usefulness, and security. Use KICS built-in policies or create your own.

Built-in Policies

After integrating your data source(s), Firefly uses KICS to scan your assets and discover vulnerabilities in your assets. KICS queries are written in Open Policy Agent (OPA) Rego language and defined by the following categories:

  • Access Control

  • Availability

  • Backup

  • Best Practices

  • Build Process

  • Encryption

  • Insecure Configurations

  • Insecure Defaults

  • Networking and Firewall

  • Observability

  • Resource Management

  • Secret Management

  • Structure and Semantics

  • Supply-Chain

Custom Policies

Policies you create using the Rego language to monitor and improve the configuration of your assets.

Creating Custom Policies

  1. Select Governance > + Custom Policy.

  2. Enter a descriptive name in the Name field.

  3. Select a category or create a new one > Add.

    • If using AI, select only one data source and asset type.

  4. Select the Severity.

    • TRACE: Information used for debugging

    • INFO: General information about system operation

    • LOW: Minor issues with a slight impact

    • MEDIUM: Moderate risk

    • HIGH: Significant risk requiring immediate attention

    • CRITICAL: Severe issues needing urgent resolution.

  5. Select the data source(s).

  6. Select the asset type(s).

  7. Enter a description in the Policy description field. For example:

    • instance of type in t family

    • instance has instance_state stopped

    • Auto Scaling Groups with a single AZ

    • elastic ip that have empty association_id

  • (Optional) Select Generate with Thinkerbell AI.

  • Select an asset and use the INPUT SCHEMA to construct your rule in the Firefly Rego Playground.

    • The configuration in the Rego Playground must contain the Firefly keyword: firefly { }.This keyword determines whether the asset matches the rule.

    • In the expression, input represents an asset. To access an asset attribute, write input.the attribute name. For example:

      • input.instance_type == "t2.micro"

    • The Rego language supports Regex expressions and conditionals.

    • The code in the Rego Playground must contain conditions that result in a Boolean value. These conditions determine whether the asset matches the rule.

  1. To view the assets that match your rule from the Rego code you created, select Evaluate.

    • SELECT ASSET: scope of assets according to your selection in the Insight Details.

    • INPUT SCHEMA: configuration of the rule you created.

    • MATCHING RESULTS: assets that match your rule.

  2. To send a notification to your notification tool or email, select the checkbox and destination.

  3. Select Create when the MATCHING RESULTS section displays the assets you want included in your rule.

Troubleshooting

If the assets that are supposed to match the rule you created are not displayed in the MATCHING RESULTS section:

  • To improve your rule, examine the code from the INPUT SCHEMA . Verify that all attributes match the schema described in the INPUT SCHEMA.

  • Copy one of the input assets, and use the Rego Playground to troubleshoot until your code is correct.

If the rule you created does not contain any MATCHING RESULTS:

Change the scope of the data source and asset you selected above.

If when I select Evaluate I receive the following error message, Could not test the Rego expression, make sure the syntax is valid.

Try selecting a different asset or adjusting the rule in the Rego Playground.

Filters

Apply the following filters to view details about your asset:

FilterDescription

Frameworks

Structured set of compliance guidelines

Categories

Policy type

Providers

Integrated service providers

Data Sources

Information resources

Scopes

Range of resources

Severities

Severity of the policy violation according to risk

Production

Assets in the production environment

Violating Assets

Assets that violate the policy

Notifications

Notification enabled for the policy

Enabled

Policy detection is enabled to locate matching assets

Governance table

The Governance table presents detailed information about your assets and their policies, organized into the following columns:

TitleDescription

Category

Policy type

Name

Name of the policy

Severities

Severity of the policy violation according to risk

Data Source

Integrated resource

Asset Types

Type of service or object provided

Insights

Recommendation for remediation

Compliance

Percentage of assets that passed the policy detection check

Violating Assets

Assets that violate the policy

Notification

Notification enabled for the policy

Enabled

Policy detection is enabled to locate matching assets

  • To view the assets that match the policy, select the kebab > View Assets.

  • To change the policy code, select the kebab > Edit Policy > Update.

  • To create a ticket in Jira, select Issue Ticket.

Implementing Remediations

Firefly creates code to implement the improvements to your AWS assets that Firefly recommends. Run this code in your AWS CLI, and the desired changes are made automatically.

Procedure

  1. Select the kebab > Remediation.

  2. Copy and run the commands in your AWS CLI.

Frameworks

Structured sets of guidelines and standards designed to systematically manage compliance, security, efficiency, and optimization.

PCI DSS

A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

SOC 2

A compliance framework developed by the AICPA that evaluates an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

HIPAA

US legislation that provides data privacy and security provisions to safeguard medical information.

Cloud Waste

A term referring to the unnecessary or inefficient use of cloud resources, leading to excess costs. Practices and tools aimed at reducing cloud waste focus on optimizing resource utilization and cost management.

Google Cloud Insights

After integrating your Google Cloud account, we retrieve Google Cloud Insights directly from your projects. These insights identify potential risks in your asset configurations, enhance your security posture, and reveal significant patterns in resource usage. To utilize this feature, enable the Recommender API.

Tagging Policies

Policies that identify resources which are lacking the appropriate tags.

Last updated