Governance

Policies that improve the configuration of your assets to increase performance, usefulness, and security. Use Firefly's built-in policies or create your own.

Policies are created using the Open Policy Agent (OPA) Rego language. Rego is a declarative language used to define rules and constraints for policy evaluation. OPA provides the platform to write complex policies to identify anomalies, misconfigurations, and poor practices. Firefly uses OPA to identify policies on your assets.

Built-in Policies (By Firefly)

After integrating your data source(s), Firefly scans your assets and discovers built-in policies and categorizes them into three types:

  • Optimization: Reduce costs and eliminate waste

  • Reliability: Increase reliability, throughput, performance, and eliminate the risk of downtime

  • Misconfiguration: Reduce the attack surface and increase security

Custom Policies

Policies you create using the Rego language to monitor and improve the configuration of your assets.

Creating Custom Policies

  1. Select Governance > + Custom Policy.

  2. Enter a descriptive name in the Name field.

  3. Select a category or create a new one > Add.

    • If using AI, select only one data source and asset type.

  4. Select the Severity.

    • TRACE: Information used for debugging

    • INFO: General information about system operation

    • LOW: Minor issues with a slight impact

    • MEDIUM: Moderate risk

    • HIGH: Significant risk requiring immediate attention

  5. Select the data source(s).

  6. Select the asset type(s).

  7. Enter a description in the Control description field. For example:

    • instance of type in t family

    • instance has instance_state stopped

    • Auto Scaling Groups with a single AZ

    • elastic ip that have empty association_id

  • (Optional) Select Generate using AI.

  • Select an asset and use the INPUT SCHEMA to construct your rule in the Firefly Rego Playground.

    • The configuration in the Rego Playground must contain the Firefly keyword: firefly { }.This keyword determines whether the asset matches the rule.

    • In the expression, input represents an asset. To access an asset attribute, write input.the attribute name. For example:

      • input.instance_type == "t2.micro"

    • The Rego language supports Regex expressions and conditionals.

    • The code in the Rego Playground must contain conditions that result in a Boolean value. These conditions determine whether the asset matches the rule.

  1. To view the assets that match your rule from the Rego code you created, select Evaluate.

    • SELECT ASSET: scope of assets according to your selection in the Insight Details.

    • INPUT SCHEMA: configuration of the rule you created.

    • MATCHING RESULTS: assets that match your rule.

  2. To send a notification to your notification tool or email, select the checkbox and destination.

  3. Select Create when the MATCHING RESULTS section displays the assets you want included in your rule.

Troubleshooting

If the assets that are supposed to match the rule you created are not displayed in the MATCHING RESULTS section:

  • To improve your rule, examine the code from the INPUT SCHEMA . Verify that all attributes match the schema described in the INPUT SCHEMA.

  • Copy one of the input assets, and use the Rego Playground to troubleshoot until your code is correct.

If the rule you created does not contain any MATCHING RESULTS:

Change the scope of the data source and asset you selected above.

If when I select Evaluate I receive the following error message, Could not test the Rego expression, make sure the syntax is valid.

Try selecting a different asset or adjusting the rule in the Rego Playground.

Governance table

View the details below for :

TitleDescription

Category

Name

Name of the policy

Severity

Severity of the policy violation according to risk

Data Source

Integrated service provider

Asset Types

Type of service or object provided

Insights

Recommendation for remediation

Matching Assets

Assets that match the policy

Notification

Notification enabled for the policy

Enabled

Policy detection is enabled to locate matching assets

To view the assets that match the policy, select the kebab > View Assets.

To change the policy code, select the kebab > Edit Policy > Update.

To create a ticket in Jira, select Issue Ticket.

Implementing Remediations

Firefly creates code to implement the improvements to your AWS assets that Firefly recommends. Run this code in your AWS CLI, and the desired changes are made automatically.

Procedure

  1. Select the kebab > Remediation.

  2. Copy and run the commands in your AWS CLI.

Last updated