Using Guardrails to Detect Violations and Risk
Cloud Access Management can continuously run search queries against the cloud access and activity that it's monitoring to detect common security threats such as data exposure, public objects, shadow access, illegitimate network access, and privilege escalation. These search queries are called guardrails.
As you learned in Getting Started, Cloud Access Management generates a security access graph of all cloud objects and their access relationships and activities. When a guardrail is enabled, it will continuously search this access graph for alerts that meet the criteria of the search query.
To get you started, Cloud Access Management provides a set of pre-built guardrails. When you're more familiar with the monitoring and alerting capabilities of Cloud Access Management and the specific types of access and activity your organization wants to detect, you can also create custom guardrails using an intuitive search interface.
Using Pre-Built Guardrails
Cloud Access Management provides the following pre-built guardrails to detect some of the most common security threats, so you can begin to experience the benefits of this powerful feature right away.
Select the associated folder to view the specific guardrail rules that comprise each category of guardrails. For more information, see Using Guardrails.
Cross Source Access — These guardrails are designed to detect access across sources or subscriptions, which may indicate illegitimate access to cloud resources.
Data Access — These guardrails are designed to detect accidental or malicious exposure of data in workloads running on a cloud platform.
Privileged Access — These guardrails are designed to detect high-risk privileged access that may pose a significant risk to your cloud infrastructure.
Security Best Practices — These guardrails are designed to detect relationships between objects and identities that may represent security risks, such as cloud instances that are exposed to the public, security groups that are accessible from external networks, and Lambda functions with admin access.
Service Access — These guardrails are designed to detect service identities and sources with highly sensitive admin access that may pose a significant risk to your cloud infrastructure.
Shadow Access — These guardrails are designed to detect access from unknown cloud sources or subscriptions that may indicate illegitimate or "shadow" access to cloud resources.
Select Guardrails in the left menu to view the guardrails that are currently available to use.
Guardrails are stored in folders, so you can group them based on cloud platform, access type, alert type, or another category that's meaningful to your organization. Select a folder to view the set of guardrails with that category in the list below.
To create a new folder for related guardrails, select the empty placeholder folder labeled + ADD and enter a unique name for the new folder.
Folders are deleted once their last guardrail is removed. To retain your folder, keep at least one guardrail in it.
To filter the list to only those guardrails that are currently enabled, check the Show Only Enabled Guardrails check box above the set of folders.
N/A in the Last Alert column means that the guardrail
hasn't generated an alert, an
N/A in the Alerts column means
that the guardrail rule hasn't been violated, and an
N/A in the Query column means that the guardrail is not query based.
If a guardrail name appears as a blue link, select it to view the associated query and the type of alert that a guardrail violation will generate.
To help reduce potential "noise" generated by a guardrail, you can configure Cloud Access Management to ignore delete or create actions on identities and/or objects that would otherwise be detected by the query. Cloud Access Management will still detect those actions, they just won't trigger a guardrail violation and resulting alert.
To associate the query with a particular category of guardrails, use the Category field to select from a list of generated categories. The guardrail query will be added to the folder with the corresponding label.
If you edit a guardrail in any of the ways mentioned above, be sure to select UPDATE GUARDRAIL QUERY to save your changes.
You can also use an existing guardrail as the basis for a new guardrail by simply giving it a new unique name.
To enable a guardrail to generate alerts — via email, Slack, or SysLog — simply change the slider in the Actions column for the specific guardrail to the "on" position. Cloud Access Management will use the information you provided when you configured alert settings to direct the alert appropriately.
After you enable alerting for a guardrail, an alert will be sent whenever a new violation is detected.
In addition to issuing alerts, Cloud Access Management also provides a separate Compliance dashboard that summarizes all guardrail activity. See Viewing a Summary of All Compliance Alerts for more information.
Creating Custom Guardrails from Search
Cloud Access Management provides an auto-completing search utility that you can use to query your cloud workloads in real time. You can save a specific search query as a guardrail, which you can then use to continuously monitor the security access graph for changes.
Search is at the top of all dashboards so it's always accessible when you need it.
To begin a search query:
Select the Filter icon to the right of the Search field.
Select the cloud source to run the search against and select APPLY NOW.
You cannot currently search against multiple cloud sources at one time.
Select the Search field to view a list of suggested categories, and either select one of the categories shown, or begin typing until you see a category you want to base your search on and select it.
When the category you selected is displayed in the Search field, select the field again and press the Spacebar on your keyboard to see the next set of suggestions that are relevant to your previous selection.
Continue to build and refine your query by adding categories this way until you are satisfied with results.
Press Enter/Return on your keyboard to run the search query. Any results that match the search criteria are displayed in the table below.
To adjust the query to discover new results, you can select the down arrow and add or remove query conditions as needed. Select EXECUTE to run the new query.
All autocomplete queries that include the pattern
used-in <1-90>will return a maximum of 1,000 records. Create a more specific query to avoid returning an incomplete data set.
To create a guardrail from a search query:
After running the search query, select the large red CREATE GUARDRAIL RULE button to the right of the query.
Enter a unique name and description for the guardrail query.
Specify the type of alert you want the guardrail to generate if the query conditions are met.
To help reduce potential "noise" generated by a guardrail, you can optionally configure it to ignore, delete, or create actions on identities and/or objects that would otherwise be detected by the query.
To associate the query with a search category, enter one or more labels in the Category field (separating multiple entries with commas). A folder is created for each category you enter, and the current guardrail is associated with each folder.
Select CREATE GUARDRAIL QUERY to save the guardrail.
Advanced Guardrails for Compliance Governance
To support your governance and compliance efforts, you can create more advanced guardrails to address compliance-specific use cases such as the following:
Workload Governance: Isolate access to a specific workload due to PCI or dev/prod isolation
Data Governance: Secure access to sensitive data due to GDPR, CCPA, or other regulations
Privilege Governance: Control access to sensitive privileges from high-risk user groups
This type of guardrail can be used to restrict access to sensitive production or compliance (PCI) workloads from instances, Lambda functions, or users. A workload can refer to thousands of objects and hundreds of security policies and controls which are continuously changing. Cloud Access Management dynamically controls access to your sensitive workloads by continuously monitoring the security access graph for guardrail violations.
instance with-attribute not accountid with-access any withattribute accountid
user with-attribute not accountid with-access any withattribute accountid
aws_lambda with-attribute not accountid with-access any with-attribute accountid
This type of guardrail can be used to restrict access to sensitive data based on attributes such as location or tags. For example, to enforce GDPR you can restrict access to GDPR data from Lambda functions or instances not in the European Union.
aws_lambda with-access aws_s3 with-attribute regionname eu-west-3
instance with-attribute publicrisk true with-access aws_s3 with-attribute isencrypted true
role with-access aws_dynamo_db_table with-attribute tag-compliance gdpr
user with-attribute not group dbadmin with-privilege admin with-access aws_rds
This type of guardrail can be used to prevent unauthorized users from gaining access to sensitive privileges tied to your cloud infrastructure. For example, you can restrict access to administrator-type privileges from users who are not in an Admin group.
user with-attribute not group admins with-privilege admin
aws_lambda with-privilege admin with-access any with-attribute tag-env prod
role with-privilege ec2 deletevpc
instance with-attribute publicrisk true with-privilege kms decrypt with-access aws_s3 withattribute regionname eu-west-3
Viewing a Summary of All Compliance Alerts
Select Compliance in the left menu to view the results being generated based on all guardrails that are currently enabled across the entire cloud environment.
The tiles at the top of the Compliance Reports page represent the following information:
Total Tests — the total number of guardrail checks that Cloud Access Management is currently running
Passing Tests — the number of guardrail checks that are currently passing successfully
Failing Tests — the number of guardrail checks that are currently failing, resulting in alerts
Select a tile to view additional details about the subset of guardrail queries responsible for generating those test results in the list below.
You can see the total number of checks being run for each guardrail, as well as the number that are currently failing and passing.
The guardrail list is sorted by the most recent status change, with the guardrail category that triggered the most recent failure listed first.
To download a report for offline use, simply select the download icon in the Report column for a specific guardrail. An
.xlsx file is generated and named using the current day, date, and time (based on your time zone).
If, after taking a closer look, you find information that warrants alert notifications, you can configure Cloud Access Management to send them for the associated guardrail(s). For more information, see Enabling Alerts.
Select a guardrail name to take a closer look at the set of guardrail rules that comprise that category. Each guardrail rule represents a specific check that Cloud Access Management performs against your cloud infrastructure.
The Rule list is sorted by the most recent status change with the rule that triggered the most recent failure listed first.
To filter the list by severity of the alert, select the appropriately colored icon above the list, where red = High, orange = Medium, and yellow = Low.
You can change the severity of alerts triggered by a specific guardrail rule by editing the guardrail. For more information, see Using Guardrails.
Select a guardrail rule in the list to view details about the specific alerts on that rule as well as suggested steps to remediate the issue.
From this view you can choose how you want to handle each alert:
To ignore a specific alert and no longer display it, select the Dismiss icon in the Actions column. You can also use the Dismiss button to dismiss a set of selected alerts or all alerts in a single click.
Select the Copy Cloud Resource Name icon in the Actions column to copy the ID of the cloud source associated with that alert to the clipboard. You can then paste this identifier into the cloud platform's UI to search for the specific instance and perform necessary diagnostics or troubleshooting.
To take a closer look at the identity, object, or network involved in an alert, select the name to open it in the corresponding dashboard.