Rules Engine

The CloudGraph rules engine evaluates the compliance checks behind the benchmarks we currently support. It executes each rule by combining operators into the conditions a resource must satisfy. If you are interested in writing your own compliance checks (or any other kind of check, for that matter), this section is for you.

Basic Operators

daysAgo

Calculates how many days have passed since a given date. Returns an integer: the number of days between the provided date and today.

Example

In the following rule, you can see how the daysAgo operator is used. Here passwordLastUsed is a valid date that is converted to a number of days before another operator compares it against a threshold.

daysDiff

Calculates the difference in days between a given date and today. Returns an integer: the number of days between the provided date and the current one.

Example

In the following rule, you can see how the daysDiff operator is used. Here nextRotationTime is a valid date that is converted to a number of days before another operator compares it against a threshold.

equal

Checks that two values are equal. Returns a boolean indicating whether the comparison holds.

Example

The next rule shows how to use the equal operator. Notice that the mfaActive field is a boolean.

notEqual

Checks that two values are not equal. Returns a boolean indicating whether the comparison holds.

Example

The next rule shows how to use the notEqual operator. Notice that the mfaActive field is a boolean.

lessThan

Checks whether the provided value is less than the value to compare against. Returns a boolean indicating whether the condition holds.

Example

The following rule indicates that the field maxPasswordAge should be less than 30.

lessThanInclusive

Checks whether the provided value is less than or equal to the value to compare against. Returns a boolean indicating whether the condition holds.

Example

The following rule indicates that the field maxPasswordAge should be less than or equal to 90.

greaterThan

Checks whether the provided value is greater than the value to compare against. Returns a boolean indicating whether the condition holds.

Example

The following rule indicates that the field minimumPasswordLength should be greater than 24.

greaterThanInclusive

Checks whether the provided value is greater than or equal to the value to compare against. Returns a boolean indicating whether the condition holds.

Example

The following rule indicates that the field minimumPasswordLength should be equal to or greater than 14.

in

Checks whether the provided value is one of the elements of the given array. Returns a boolean indicating whether the condition holds.

Example

The next rule says that the field source should be one of 0.0.0.0/0 and ::/0, the IPv4 and IPv6 ranges that mean "open to the whole internet".

notIn

Checks whether the provided value is absent from the given array. Returns a boolean indicating whether the condition holds.

Example

The next rule says that the field source should be neither 0.0.0.0/0 nor ::/0.

isEmpty

Checks whether a specific array is empty or not, depending on the given boolean parameter. Returns a boolean indicating whether the condition holds.

Example

The following rule demonstrates the use of the isEmpty operator. When isEmpty is false it expects the field, in this case flowLogs, to be a non-empty array. Conversely, if isEmpty were true, the compared array would have to be empty.

match

Verifies that the field matches the given regular expression. Returns true when it matches and false when it doesn't.

Example

The next condition validates whether a user's email address is well-formed according to the regular expression below.

mismatch

Verifies that the field does not match the given regular expression. Returns true when the field does not match and false when it does.

Example

The next condition flags a user whose email address does not match the regular expression below.

Nested Operators

and

Joins two or more conditions. It returns true when all of them are true; if any one of them is false, the whole clause is false.

Example

The rule will pass when both conditions inside the and array are true.

or

Joins two or more conditions. It returns false when all of them are false; if any one of them is true, the whole clause is true.

Example

The rule passes if at least one of the conditions within the or array is true.

array_any

This operator returns true when at least one element of the given array satisfies the provided conditions. It can be combined with the other nested operators, such as and and or.

Example

The following rule uses array_any to check that S3 buckets have logging enabled: it passes when at least one element of the compared array satisfies the nested conditions.

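To make the semantics of the basic and nested operators above concrete, here is an added example: a miniature evaluator written for this page, not CloudGraph's own engine. The rule shape ({ path, <operator>: argument }, or { value: { daysAgo: { path } }, <operator>: argument } for the date operators), the "@.field" and "[*].field" path convention, the sign convention of daysDiff, and the sample users, security group, VPC and KMS key are all assumptions and constructed data, modelled on the examples described in this section.

```javascript
// Added example, not CloudGraph's own engine: a small evaluator implementing the
// operators described above so their semantics can be tried on constructed data.
// Assumed rule shape (modelled on this page's examples): { path, <op>: arg } or
// { value: { daysAgo: { path } }, <op>: arg }; '@.field' is relative to the resource
// being checked and '[*].field' to the current element inside array_any.

const MS_PER_DAY = 24 * 60 * 60 * 1000;
const NOW = new Date('2022-05-17T00:00:00Z'); // fixed "today" so the results are reproducible

// Resolve '@.a.b' or '[*].a' against data; '@' alone returns data itself.
function resolve(path, data) {
  return path.replace(/^(@|\[\*\])\.?/, '').split('.').filter(Boolean)
    .reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
}

const daysBetween = (from, to) => Math.floor((to - from) / MS_PER_DAY);

// Left-hand side of a comparison: a raw field, or a date turned into a day count.
function leftHandSide(cond, data) {
  if (cond.value && cond.value.daysAgo) {   // days elapsed since the date
    return daysBetween(new Date(resolve(cond.value.daysAgo.path, data)), NOW);
  }
  if (cond.value && cond.value.daysDiff) {  // signed distance, positive for future dates (assumed)
    return daysBetween(NOW, new Date(resolve(cond.value.daysDiff.path, data)));
  }
  return resolve(cond.path, data);
}

const BASIC = {
  equal: (v, x) => v === x,
  notEqual: (v, x) => v !== x,
  lessThan: (v, x) => v < x,
  lessThanInclusive: (v, x) => v <= x,
  greaterThan: (v, x) => v > x,
  greaterThanInclusive: (v, x) => v >= x,
  in: (v, list) => list.includes(v),
  notIn: (v, list) => !list.includes(v),
  isEmpty: (v, wantEmpty) => (Array.isArray(v) && v.length === 0) === wantEmpty,
  match: (v, re) => new RegExp(re).test(String(v)),
  mismatch: (v, re) => !new RegExp(re).test(String(v)),
};

// Nested operators recurse; a basic operator is applied to the resolved value.
function evaluate(cond, data) {
  if (cond.and) return cond.and.every((c) => evaluate(c, data));
  if (cond.or) return cond.or.some((c) => evaluate(c, data));
  if (cond.array_any) {
    const items = resolve(cond.path, data);
    return Array.isArray(items) && items.some((item) => evaluate(cond.array_any, item));
  }
  const op = Object.keys(cond).find((k) => k in BASIC);
  if (!op) throw new Error(`unknown operator in ${JSON.stringify(cond)}`);
  return BASIC[op](leftHandSide(cond, data), cond[op]);
}

// Constructed sample resources (no real account data).
const USERS = [
  { name: 'alice', email: 'alice@example.com', mfaActive: true, passwordLastUsed: '2022-04-30T00:00:00Z' },
  { name: 'bob', email: 'bob@example', mfaActive: false, passwordLastUsed: '2021-11-01T00:00:00Z' },
];
const SECURITY_GROUP = { inboundRules: [{ source: '10.0.0.0/8', toPort: 22 }, { source: '0.0.0.0/0', toPort: 22 }] };
const VPC = { flowLogs: [] };
const KMS_KEY = { nextRotationTime: '2023-05-01T00:00:00Z' };

// Rules in the style of the examples described above.
const RULES = {
  // Password used within the last 90 days (daysAgo + lessThanInclusive).
  recentPassword: { value: { daysAgo: { path: '@.passwordLastUsed' } }, lessThanInclusive: 90 },
  // MFA on and a well-formed e-mail (and + equal + match).
  userHygiene: { and: [{ path: '@.mfaActive', equal: true }, { path: '@.email', match: '^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$' }] },
  // Some inbound rule opens SSH to the whole internet (array_any + in); true here is a finding.
  sshOpenToWorld: { path: '@.inboundRules', array_any: { and: [{ path: '[*].source', in: ['0.0.0.0/0', '::/0'] }, { path: '[*].toPort', equal: 22 }] } },
  // Flow logs configured: the array must be non-empty (isEmpty: false).
  flowLogsEnabled: { path: '@.flowLogs', isEmpty: false },
  // Next key rotation due within a year (daysDiff + lessThanInclusive).
  rotationWithinYear: { value: { daysDiff: { path: '@.nextRotationTime' } }, lessThanInclusive: 365 },
};

function runChecks() {
  return {
    recentPassword: USERS.map((u) => evaluate(RULES.recentPassword, u)), // [true, false]
    userHygiene: USERS.map((u) => evaluate(RULES.userHygiene, u)),       // [true, false]
    sshOpenToWorld: evaluate(RULES.sshOpenToWorld, SECURITY_GROUP),      // true
    flowLogsEnabled: evaluate(RULES.flowLogsEnabled, VPC),               // false
    rotationWithinYear: evaluate(RULES.rotationWithinYear, KMS_KEY),     // true
  };
}
```

Note the polarity: for sshOpenToWorld a true result is a finding, whereas for the other rules true means compliant. When writing your own rules, decide up front whether the condition describes the compliant state or the violation, and pick in/notIn, isEmpty true/false and match/mismatch accordingly.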
Evaluators

jq

This evaluator uses the node-jq wrapper for jq. jq is a lightweight and flexible command-line JSON processor: you can slice, filter, map and transform structured data in a simple and powerful way.

You can check out the official jq manual and try filters in the online playground, jqplay.org.

Examples

The following rule verifies that hardware MFA is enabled for the root IAM account.

If any MFA device serial number is equal to arn:aws:iam::<aws_account_number>:mfa/root-account-mfa-device, the root account's MFA device is virtual, not hardware, and the check fails.

The following rule verifies that a log metric filter and an alarm exist for unauthorized API calls.

The jq query joins CloudWatch alarms with metric filters on the metric name, so that each alarm is paired with the metric filters that produce its metric.

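The two jq filters above are not reproduced on this page, so here, as an added example in plain JavaScript rather than jq (not CloudGraph's own filters), is the logic each of them expresses. The field names mfaActive, mfaDevices[].serialNumber, metricName, metricTransformations[].metricName, filterPattern and alarmActions, the twelve-digit account number in the virtual-device ARN, and the CIS filter pattern for unauthorized API calls are assumptions; the accounts, alarms and metric filters are constructed data.

```javascript
// Added example (plain JavaScript, not CloudGraph's jq filters): the logic behind the
// two jq checks described above, run on constructed data.

// --- Check 1: hardware MFA on the root account --------------------------------
// A virtual MFA device is identified by the ARN form of its serial number (the page's
// arn:aws:iam::<account>:mfa/root-account-mfa-device); a hardware token carries a
// physical serial instead. Field names mfaActive / mfaDevices[].serialNumber are assumed.
const VIRTUAL_ROOT_MFA = /^arn:aws:iam::\d{12}:mfa\/root-account-mfa-device$/;

function rootHasHardwareMfa(account) {
  const devices = account.mfaDevices || [];
  return account.mfaActive === true
    && devices.length > 0
    && !devices.some((d) => VIRTUAL_ROOT_MFA.test(d.serialNumber));
}

// --- Check 2: metric filter + alarm for unauthorized API calls ----------------
// Join key: a filter feeds an alarm when one of its metricTransformations names the
// alarm's metricName. The filter pattern is the CIS one (assumed, not on this page).
const UNAUTHORIZED_PATTERN =
  '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }';
const squash = (s) => String(s).replace(/\s+/g, ''); // whitespace-insensitive comparison

// Pair each alarm with the metric filters that produce its metric (the jq join).
function joinAlarmsToFilters(alarms, metricFilters) {
  return alarms.map((alarm) => ({
    ...alarm,
    metricFilters: metricFilters.filter((f) =>
      (f.metricTransformations || []).some((t) => t.metricName === alarm.metricName)),
  }));
}

// Pass only when the pattern exists, an alarm is wired to its metric, and that alarm
// has at least one action (an alarm that notifies nobody is a silent one).
function unauthorizedApiCallsAlarmed(alarms, metricFilters) {
  return joinAlarmsToFilters(alarms, metricFilters).some((alarm) =>
    (alarm.alarmActions || []).length > 0
    && alarm.metricFilters.some((f) => squash(f.filterPattern) === squash(UNAUTHORIZED_PATTERN)));
}

// Constructed sample data (no real account data).
const SAMPLE_ACCOUNTS = {
  hardware: { mfaActive: true, mfaDevices: [{ serialNumber: 'GAHT12345678' }] },
  virtual: { mfaActive: true, mfaDevices: [{ serialNumber: 'arn:aws:iam::123456789012:mfa/root-account-mfa-device' }] },
  none: { mfaActive: false, mfaDevices: [] },
};
const SAMPLE_ALARMS = [
  { alarmName: 'unauthorized-api-calls', metricName: 'UnauthorizedAPICalls', alarmActions: ['arn:aws:sns:us-east-1:123456789012:security-alerts'] },
  { alarmName: 'cpu-high', metricName: 'CPUUtilization', alarmActions: [] },
];
const SAMPLE_FILTERS = [
  { filterName: 'unauthorized-api-calls', filterPattern: '{($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}', metricTransformations: [{ metricName: 'UnauthorizedAPICalls' }] },
  { filterName: 'root-usage', filterPattern: '{ $.userIdentity.type = "Root" }', metricTransformations: [{ metricName: 'RootAccountUsage' }] },
];
```

The point of the join is that a filter alone proves nothing: the check only passes when the alarm's metricName matches a metricTransformation of a filter carrying the expected pattern, which is what the jq query expresses by joining on the metric name.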
Updated 17 May 2022