Calculated policies - Example with VPC Endpoints and AWS policy

Calculated policies allow Cloud Operations teams to write their own custom policies that Turbot uses to evaluate controls. In this example, we will set a VPC Endpoint Approved policy to Not approved whenever the VPC Endpoint's AWS policy document contains a statement whose Action, Resource, or Principal value is set to *.

First, navigate to the account where the policy will be set, then click on the Policies tab, then the New Setting button. 


This opens up the Create Policy screen. For the policy type, we will drill down in the menu to get AWS > VPC > Endpoint > Approved > Usage, then click Go, then Next.


Using the Scope drop-down menu, we can set the level at which the policy will be applied. In this tutorial we will set the policy at the VPC Endpoint level, but it can also be set at the account or regional level. Once the intended scope is selected, click Go.


The policy window will default to Standard mode. This gives the simple options of Approved, Not approved, or Approved if AWS > VPC > Enabled. However, we want to write a custom policy, so click on the Switch to calculated mode link to show the GraphQL query and template text fields.

This is where things can get tricky. The GraphQL text field evaluates the query in real time as you type. In general, the query {resource{object}} returns all of the metadata of the resource in scope. This tutorial is specific to the VPC Endpoint's AWS policy, so we want a narrower query that returns only the policy statements. To do so, we can use the following query:

{
  resource {
    stmts: get(path: "PolicyDocument.Statement")
  }
}

The name stmts is an alias for the field in the returned data and is the name we will use in the policy template. It can be set to whatever makes logical sense. In our example, the returned data is:

{
  "resource": {
    "stmts": [
      {
        "Action": "*",
        "Effect": "Allow",
        "Resource": "*",
        "Principal": "*"
      }
    ]
  }
}

Note the square brackets in the response: the returned data is an array of statements, which is why the policy template below loops over it rather than reading a single object. (AWS also accepts a policy document whose Statement is a single object rather than an array; the template assumes the array form shown here.)

The goal is to have this policy value evaluate to Not approved if Action, Resource, or Principal has a value of *. We can use the following Nunjucks template to achieve this goal (Turbot exposes the query result under $, so the statements are reached as $.resource.stmts). Be aware that the comparisons below are plain string comparisons: a policy that spells the same grant as "Action": ["*"] or "Principal": {"AWS": "*"} would not match and would be reported as Approved, so extend the checks if such documents are possible in your environment.

{# Flag that records whether any statement contains a wildcard; starts out False #}
{% set starValue = "False" %}
{# Iterate through all statements in the policy #}
{% for statement in $.resource.stmts %}
  {% if statement.Resource == "*" or statement.Action == "*" or statement.Principal == "*" %}
    {# Resource, Action, or Principal is "*": record the violation #}
    {% set starValue = "True" %}
  {% endif %}
{% endfor %}
{# If a wildcard was found the policy is in violation and the VPC Endpoint is not approved #}
{% if starValue == "True" %}
"Not approved"
{% else %}
"Approved"
{% endif %}

Once the query and template are set and Turbot verifies that they evaluate correctly, click the Next button if further policy configuration is required, such as precedence and expiration, or simply click Finish. The policy is used immediately to evaluate whether the VPC Endpoints within the scope are approved.
