Applying Policies

Policy managers and designers can apply policies in any account they have permissions to. Policies can be applied from the Catalog or, for policy designers, from the Templates page. When applying a policy, the applier must fill out configuration information for the policy, some of which is common across all policies and some of which is specific to the policy being applied. Once applied, the policy can be managed using the Applied Policies page, and it continues to run indefinitely until terminated by a policy manager.

This section describes the following features for applying policies:

Common Policy Configuration Options
Selecting Credentials
Policy-Specific Configuration Options
Evaluating Policies for Your Environment

Common Policy Configuration Options

For every applied policy, there is a set of configuration options that are generally applicable. This section describes each of those options.

Policy Name
Policy Description
Policy Schedule
Test Mode
Skip Action Approvals
Severity
Log Level
Selecting Accounts

Policy Name

The name entered here is what is shown in the Applied Policies page. By default, the policy name is the policy template name, but it can be customized to more accurately describe the behavior of this specific application of the policy.

Policy Description

The name entered here is what is shown in the Applied Policies page. By default, the policy name is the policy template name, but it can be customized to more accurately describe the behavior of this specific application of the policy.

Policy Schedule

Policies are run on an interval defined by the options available in this drop-down menu. When a policy is applied, it is run immediately. Once a policy run has completed, the interval timer is started for the next run. The system supports only a pre-defined set of intervals:

15 minutes
1 hour
24 hours
7 days
1 month

For example, if a policy is applied at 2:00 PM and 15 minutes is selected, the policy will run again 15 minutes after the current run completes. Most policies run fairly quickly, so the resulting drift will be small and the policy may run again at approximately 2:16 PM. When a policy takes a long time to run, and in all cases once a policy has been running over a long period of time, the exact time at which the policy runs will drift later and later.

Important: A policy using the monthly option will run on that day of the month every month. If the month doesn't have that day in it, the policy won't run that month. For example, a monthly policy applied on January 31st will never run in the month of February or any month that doesn't have 31 days.
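The scheduling rules above can be modeled to see how much a policy drifts and which months a monthly policy misses. This is an added example, not code from the product; the function names and the one-minute run duration are assumptions made for illustration.

```python
import calendar
from datetime import datetime, timedelta

# Fixed intervals from the list above. "1 month" is calendar-based and is
# handled separately in monthly_run_dates().
INTERVALS = {
    "15 minutes": timedelta(minutes=15),
    "1 hour": timedelta(hours=1),
    "24 hours": timedelta(hours=24),
    "7 days": timedelta(days=7),
}

def interval_run_starts(applied_at, interval, run_durations):
    """Start time of each run when the timer starts only after a run completes.

    run_durations holds one constructed duration (timedelta) per run.
    """
    starts, start = [], applied_at            # the first run is at apply time
    for duration in run_durations:
        starts.append(start)
        start = start + duration + INTERVALS[interval]
    return starts

def drift(applied_at, interval, run_durations):
    """How far the last run starts behind an ideal fixed-interval clock."""
    starts = interval_run_starts(applied_at, interval, run_durations)
    ideal = applied_at + INTERVALS[interval] * (len(starts) - 1)
    return starts[-1] - ideal

def monthly_run_dates(applied_at, months):
    """Run dates and skipped (year, month) pairs over `months` calendar months."""
    runs, skipped = [], []
    year, month = applied_at.year, applied_at.month
    for _ in range(months):
        days_in_month = calendar.monthrange(year, month)[1]
        if applied_at.day <= days_in_month:
            runs.append(applied_at.replace(year=year, month=month))
        else:
            skipped.append((year, month))      # no such day: no run this month
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return runs, skipped

if __name__ == "__main__":
    applied = datetime(2023, 1, 31, 14, 0)     # constructed apply time, 2:00 PM
    one_minute_runs = [timedelta(minutes=1)] * 96
    print("drift after 96 runs:", drift(applied, "15 minutes", one_minute_runs))
    print("months with no run:", monthly_run_dates(applied, 12)[1])
```

For a policy that enforces a security or compliance check, applying it on a day that exists in every month avoids the skipped months.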

Test Mode

When test mode is enabled, no actions will be taken when a policy triggers an incident, with the exception of the email notification. This setting can be used to test the behavior of a policy while providing assurance that no remediation actions will actually be taken. Enabling test mode means that a policy can safely be run and will not make any changes to your environment. When enabled, the policy will show as a Test policy in the Applied Policies view.

Skip Action Approvals

Many policies define actions that occur when an incident is detected, but they guard against those actions automatically running by including Manual Approval Steps before the action is run. When the approval step exists, actions are paused until a policy approver approves the action. When this setting is turned on, all manual approval steps are skipped and actions are run automatically.

Severity

Severity indicates how urgently this type of incident should be treated in your organization. It is shown on the Automation Dashboard view as well as the Incidents view. A default value is defined in the policy template, and the user applying the policy can adjust it as needed based on the policy configuration.

The severity must be labeled one of the following:

Low
Medium
High
Critical

Log Level

This parameter enables you to control the amount of information that you want to log during policy evaluation. The following three log levels are available:

Full—Records policy summary, errors encountered, API calls made, and results of API calls.
Context—Records policy summary, errors encountered, and API calls made. It does not log results of API calls.
Error—Records policy summary and any errors encountered.

Note: By default, the log level is set to “Full”. By choosing a lower log level, such as “Context” or “Error”, you can optimize policy evaluation performance.

Selecting Accounts

When applying a policy, users are permitted to apply the policy to any account to which they have access. The drop-down menu shows all accounts to which users have policy manager access. Users can select individual accounts or the Select all option to select all available accounts.

In some cases, policies are designed such that they should only be run in one account. In these cases, users are only able to select one account.

Selecting Credentials

When a policy fetches data from an external API, users must select the appropriate credentials. The credential selector shows only those credentials that match various rules set in the policy template. Credentials can be overridden by selecting View all credentials. In this case any compatible credential is shown, even if it may not work with the policy itself.

The documentation of the policy should describe the resources accessed and the permissions needed to perform any actions.

Policy-Specific Configuration Options

Every policy is different and can contain a variety of configuration options, depending on the defined behaviors of the policy checks and remediation actions. Generally speaking, the policy documentation should provide a sufficient explanation of each configuration option and its effect. If not, contact the policy publisher to gather more context.

Evaluating Policies for Your Environment

Since policies can contain complex rules for checking violation states and can run actions against your infrastructure to remediate issues, you should always test policies out before allowing them to take automated actions.

Follow the generally recommended sequence below when evaluating a policy.

To evaluate a policy for your environment:

1. Apply the policy with the Test Mode enabled and, if applicable, only your email for notification.
2. Update the policy with different configuration values until you are happy with the incidents reported.
3. Once you are satisfied with the incidents reported, update the policy with Test Mode disabled and a broader set of notification emails.
4. After the policy has been in service for some time and you are satisfied with the actions it takes after manual approvals, optionally turn on Skip Action Approvals to run the policy in a fully automated fashion.

If the policy doesn't quite get the results you require, you might consider customizing the policy logic itself to better match your specific use case. For details, see Create a Custom Policy.