Compliance Policies

Note: Click the link in the Policy Name column to access the corresponding policy template.

Enterprises typically have multiple compliance requirements but struggle to automate them, which leads to downtime and wasted resources. A strong compliance strategy, combined with the ability to automate it quickly, provides peace of mind and avoids business interruption.

| Policy Name | Description |
|---|---|
| AWS Disallowed Regions | Checks for instances that are in a disallowed region with the option to terminate them. |
| AWS EC2 Instances not running FlexNet Inventory Agent | Checks for instances that are not running the IT Asset Management Agent. |
| AWS IAM Role Audit | Verifies whether the provided roles exist in an account. |
| AWS Long-Stopped EC2 Instances | Checks for EC2 instances that have been stopped for a long time with the option to terminate them after approval. |
| AWS Service Control Policy Audit | Verifies whether the provided service control policy is applied across all accounts in an AWS organization. |
| AWS Untagged Resources | Finds all taggable AWS resources missing any of the user-provided tags with the option to update the tags. |
| AWS Unused ECS Clusters | Reports and remediates any ECS clusters that are not currently in use. |
| Azure AHUB Utilization with Manual Entry | Reports when AHUB usage in Azure falls outside or inside the number of licenses specified by the user. |
| Azure Disallowed Regions | Checks for instances that are in a disallowed region with the option to power off or delete them. |
| Azure Instances not running FlexNet Inventory Agent | Checks for instances that are not running the IT Asset Management Inventory Agent. |
| Azure Long Stopped Compute Instances | Checks for virtual machines that have been stopped for a long time with the option to terminate them after approval. |
| Azure Policy Audit | Checks for policies applied to Azure Subscriptions. |
| Azure Regulatory Compliance | Provides an overview of the various Regulatory Compliance controls and generates an email with the results. |
| Azure Subscription Access | Lists anyone who has been granted Owner or Contributor access to an Azure subscription. |
| Azure Tag Resources with Resource Group Name | Scans all resources in an Azure Subscription, raises an incident if any resources are not tagged with the name of their Resource Group, and remediates by tagging the resource. |
| Azure Untagged Resources | Finds all taggable Azure resources missing any of the user-provided tags with the option to update the tags. |
| Azure Untagged Virtual Machines | Checks for Azure virtual machines missing the user-specified tags. An incident is raised containing the untagged virtual machines, and the user has the option to power off, delete, or tag the virtual machines. Note: This policy is specific to virtual machines (Microsoft.Compute/virtualMachines). The Azure Untagged Resources policy is recommended for finding untagged resources that are not virtual machines. |
| Billing Center Access Report | Generates an access report by Billing Center. |
| Flexera IAM Explicit User Roles | Identifies users in Flexera IAM that have explicit user roles assigned. |
| GitHub.com Available Seats Report | Gets the number of available seats for a licensed GitHub Org and creates an incident if they are out of the policy range. |
| GitHub.com Repositories without Admin Team | Gets the repositories under a GitHub.com Organization and creates incidents for any that do not have at least 1 Team assigned with the "admin" role. |
| GitHub.com Repository Branches without Protection | Gets the repositories and branches under a GitHub.com Organization and creates incidents for any that do not have protection enabled for their default branch. |
| GitHub.com Unpermitted Outside Collaborators | Gets all the Outside Collaborators (users that have been granted access to a repository but are not Members of the repository owner's Organization) under GitHub.com Organization(s) and creates an incident for each user that is not included in the specified username safelist. |
| GitHub.com Unpermitted Repository Names | Gets the names of all repositories under GitHub.com Organization(s) and creates incidents for any that do not match any of the safelisted regex strings. |
| GitHub.com Unpermitted Sized Repositories | Gets all repositories under GitHub.com Organization(s) and creates incidents for any that were created longer than a specified number of days ago and are smaller than a specified size. |
| GitHub.com Unpermitted Top-Level Teams | Gets the top-level (parent) Teams for a GitHub.com Org and creates an incident if any do not match the safelisted values. |
| Google Long-Stopped VM instances | Reports on any Google VM instances that have been stopped for a long time with the option to delete them. |
| Google Unlabeled Resources | Finds all Google Cloud resources (disks, images, instances, snapshots, buckets, VPN gateways) missing any of the user-provided labels with the option to update the resources with the missing labels. |
| ITAM Expiring Licenses | Looks up active IT Asset Management licenses expiring within a defined time period and sends the result as an email. |
| ITAM Ignored Recent Inventory Dates | Looks for machines that are ignored but have been inventoried recently and sends the result as an email. |
| ITAM Missing Active Machines | Looks for machines that are active but haven't checked in and sends the result as an email. |
| ITAM Overused Licenses | Looks up software licenses and reports in an email any licenses that are overused. |
| ITAM VMs Missing Host ID | Looks for virtual machines that are active but are missing a Host ID. |