31min
Rules Engine

The CloudGraph rules engine validates compliance checks for the various benchmarks we currently support. It is responsible for executing each rule using various operators that allow for the building of the required conditions necessary to validate. If you are interested in writing your own compliance checks (or any kind of. checks for that matter) then this section is for you.
Basic Operators
daysAgo
Calculates how many days have passed by giving a specific date. Returns an integer that represents the number of days between the provided date and the current one.
Example
In the following rule, you can see how to use the daysAgo operator. In this case, passwordLastUsed is a valid date that will be converted to days before comparing with another operator to match a result.
JS
|
daysDiff
Calculates the difference in days between a given date and today. Returns an integer that represents the number of days between the provided date and the current one.
Example
In the following rule, you can see how to use the daysDiff operator. In this case, nextRotationTimeisa valid date that will be converted to days before comparing with another operator to match a result.
JS
|
equal
Compares that two elements are equal. Returns a boolean that determines when the comparison matches or not.
Example
The next rule shows how to use the equal operator.  Notice that the mfaActive field is a boolean.
JS
|
﻿
notEqual
Compares that two elements aren't equal. Returns a boolean that determines when the comparison matches or not.
Example
The next rule shows how to use the notEqual operator.  Notice that the mfaActive field is a boolean.
JS
|
﻿
lessThan
Indicates when the provided data is less than the value to compare. Returns a boolean that represents when the condition matches or not.
Example
The following rule indicates that the field maxPasswordAge should be less than 30. 
JS
|
﻿
lessThanInclusive
Indicates when the provided data is equal or less than the value to compare. Returns a boolean that represents when the condition matches or not.
Example
The following rule indicates that the field maxPasswordAge should be less than or equal to 90.
JS
|
﻿
greaterThan
Indicates when the provided data is greater than the value to compare. Returns a boolean that represents when the condition matches or not.
Example
The following rule indicates that the field minimumPasswordLength should be greater than 24.
JS
|
﻿
greaterThanInclusive
Indicates when the provided data is equal or greater than the value to compare. Returns a boolean that represents when the condition matches or not.
Example
The following rule indicates that the field minimumPasswordLength should be equal to or greater than 14.
JS
|
﻿
in
Search for a group of elements is present in an Array. Returns a boolean that represents when the condition matches or not. 
Example
The next rule says that the field source should be between the range between 0.0.0.0/0 and::/0.
JS
|
﻿
notIn
Search for a group of elements that isn't present in an Array. Returns a boolean that represents when the condition matches or not. 
Example
The next rule says that the field source shouldn't be between the range between 0.0.0.0/0 and::/0.
JS
|
﻿
isEmpty
Verify that a specific Array is empty or not depending on the given parameter. Returns a boolean that represents when the condition matches or not. 
Example
The following rule demonstrates the use of the isEmpty operator. When isEmtpy is false it expects the field, in this case, flowLogs, to be a non-empty array. Conversely, if isEmpty was true, that indicates that the compared array should be empty.
JS
|
﻿
match
Verifies that the field doesn't follow the given regular expression. Returns true when the condition matches and false when it doesn't.
Example
The next condition validates when a user is using a valid email or not with the regular expression below
JS
|
﻿
mismatch
Verifies that the field doesn't follow the given regular expression. Returns false when the condition matches and true when it doesn't.
Example
The next condition validates when a user is using a valid email with the regular expression below
JS
|
﻿
Nested Operators
and
Joins two or more conditions. When they are all true it returns true, if one of them is false the whole clause is false.
Example
The rule will pass when both conditions inside the and array are true.
JS
|
﻿
or
Joins two or more conditions. When they are all false it returns false, if one of them is true the whole clause is true.
Example
The rule should pass if at least one of the conditions within the or array is true.
JS
|
﻿
array_any
This operator detects when at least one of the elements of the given array match one of the provided conditions. It can be combined with other nested operators like and/or
Example
The following rule verifies that the access keys should satisfy the condition that all S3 buckets should have logging enabled.
JS
|
Evaluators
jq
This evaluator uses node-jq wrapper for jq. jq is a lightweight and flexible command-line JSON processor. You can slice, filter, map and transform structured data in a simple and powerful way.
You can check out the official manual and fiddle around in the online playground jqplay.org.

Examples
The following rule verifies that IAM have hardware MFA enabled for the root account.
If any MFA Serial Number is queal to the following SerialNumber: arn:aws:iam::_<aws_account_number>_:mfa/root-account-mfa-device, it means the MFA is virtual, not hardware.
JS
|
The following rule verifies a log metric filter and alarm exist for unauthorized API calls
The jq query makes a join between cloudwatch and metricFilters by the metric name to get the metricFilters of each cloudwatch.
JS
|