Governance
Policies that improve the configuration of your assets to increase performance, usefulness, and security. Use Firefly's built-in policies or create your own.
Policies are written in the Open Policy Agent (OPA) Rego language. Rego is a declarative language for defining the rules and constraints a policy evaluates. OPA provides the engine for writing policies that identify anomalies, misconfigurations, and poor practices. Firefly uses OPA to evaluate each policy against your assets and report the ones that match.
Built-in Policies (By Firefly)
After you integrate your data source(s), Firefly scans your assets and evaluates its built-in policies against them. Built-in policies fall into three categories:
Optimization: Reduce costs and eliminate waste
Reliability: Increase reliability, throughput, performance, and eliminate the risk of downtime
Misconfiguration: Reduce the attack surface and increase security
Custom Policies
Policies you create using the Rego language to monitor and improve the configuration of your assets.
Creating Custom Policies
Select Governance > + Custom Policy.
Enter a descriptive name in the Name field.
Select a category or create a new one > Add.
If using AI, select only one data source and asset type.
Select the Severity.
TRACE: Information used for debugging
INFO: General information about system operation
LOW: Minor issues with a slight impact
MEDIUM: Moderate risk
HIGH: Significant risk requiring immediate attention
Select the data source(s).
Select the asset type(s).
Enter a description in the Control description field. For example:
instance of type in t family
instance has instance_state stopped
Auto Scaling Groups with a single AZ
elastic ip that have empty association_id
(Optional) Select Generate using AI.
Select an asset and use the INPUT SCHEMA to construct your rule in the Firefly Rego Playground.
The code in the Rego Playground must contain the Firefly keyword, a Rego rule named firefly:
firefly { }
This rule determines whether an asset matches the policy: the asset matches when every expression in the rule body is true. Inside the rule, input represents one asset. To access an asset attribute, write input.<attribute name>. For example:
input.instance_type == "t2.micro"
The Rego language supports Regex expressions and conditionals.
The code in the Rego Playground must contain conditions that result in a Boolean value. These conditions determine whether the asset matches the rule.
To view the assets that match your rule from the Rego code you created, select Evaluate.
SELECT ASSET: scope of assets according to your selection in the Insight Details.
INPUT SCHEMA: attributes of the selected asset, exactly as the rule receives them in input. Use these attribute names in your rule.
MATCHING RESULTS: assets that match your rule.
To send a notification to your notification tool or email, select the checkbox and destination.
Select Create when the MATCHING RESULTS section displays the assets you want included in your rule.
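The following policy is an added example and not code from the Firefly product or its documentation. It implements the control description "instance of type in t family" combined with "instance has instance_state stopped" from the steps above, and shows the regex and conditional support the steps mention. The package name and the instance_state attribute name are assumptions; only input.instance_type appears on this page, so confirm the real attribute names against the INPUT SCHEMA panel before relying on them.

```rego
# Added example policy, not Firefly's own code.
# Assumption: the playground accepts a package declaration; the
# attribute name instance_state is assumed (instance_type is from the page).
package firefly

# Firefly evaluates the rule named "firefly" once per asset. The asset is
# listed under MATCHING RESULTS when every expression in the body is true.
# Control description: instance in the t family whose instance_state is stopped.
firefly {
    t_family
    input.instance_state == "stopped"
}

# Helper rule: true when the instance type starts with "t" followed by a digit
# (t2.micro, t3a.large, t4g.small, ...). regex.match is an OPA built-in.
t_family {
    regex.match("^t[0-9]", input.instance_type)
}
```

Two behaviours worth knowing when a rule returns fewer matches than expected. First, referencing an attribute the asset does not have makes the expression undefined rather than false, so the rule silently fails to match instead of raising an error; for a description such as "elastic ip that have empty association_id" use `not input.association_id` or `object.get(input, "association_id", "") == ""` so that both a missing and an empty attribute match. Second, writing the firefly rule twice with different bodies combines them with OR, so keep one rule per control and use helper rules, as above, for AND conditions. To test a rule outside the playground, copy one asset from INPUT SCHEMA into input.json and run `opa eval -i input.json -d policy.rego "data.firefly.firefly"` with the OPA CLI; the result is true only when the asset matches.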
Troubleshooting
If the assets that are supposed to match the rule you created are not displayed in the MATCHING RESULTS section:
To improve your rule, examine the asset attributes shown in the INPUT SCHEMA. Verify that every attribute name used in your code matches the schema described in the INPUT SCHEMA.
Copy one of the input assets, and use the Rego Playground to troubleshoot until your code is correct.
If the rule you created does not contain any MATCHING RESULTS:
Change the scope of the data source and asset you selected above.
If selecting Evaluate returns the error message "Could not test the Rego expression, make sure the syntax is valid":
Try selecting a different asset or correcting the rule syntax in the Rego Playground.
Governance table
The Governance table shows the following details for each policy:
Title | Description
---|---
Category | Policy category: Optimization, Reliability, or Misconfiguration for built-in policies, or the category assigned to a custom policy
Name | Name of the policy
Severity | Severity of the policy violation according to risk
Data Source | Integrated service provider
Asset Types | Type of service or object provided
Insights | Recommendation for remediation
Matching Assets | Assets that match the policy
Notification | Notification enabled for the policy
Enabled | Policy detection is enabled to locate matching assets
To view the assets that match the policy, select the kebab > View Assets.
To change the policy code, select the kebab > Edit Policy > Update.
To create a ticket in Jira, select Issue Ticket.
Implementing Remediations
Firefly generates the AWS CLI commands that implement the improvements it recommends for your AWS assets. Run these commands in your AWS CLI and the changes are applied to the live resources. Review the generated commands before running them, and run them with credentials scoped to the target account and to the actions the commands perform, since they modify production resources directly.
Procedure
Select the kebab > Remediation.
Copy and run the commands in your AWS CLI.
Google Cloud Insights
After you integrate your Google Cloud account, Firefly retrieves Google Cloud Insights directly from your projects. These insights identify potential risks in your asset configurations, help improve your security posture, and reveal significant patterns in resource usage. To use this feature, verify that the Recommender API is enabled in each project.
To view this feature, under Filters, select Frameworks > Google Cloud Insight.