Custom Rules

Managing Conformity custom rules.

This is an experimental feature and is currently in a private beta. To request access for your organisation or for more information please contact your account manager.

List All Organisation Custom Rules

get/custom-rules

This endpoint allows you to query your organisations custom rules.

SecurityApiKeyAuth

Responses

200

403

Forbidden. This happens when your organisation does not have access to the custom rules beta. Please reach out to your account manager to request access or for more information.

Response samples

application/json

{"data": [{"type": "CustomRules",
"id": "CUSTOM-123ABC",
"attributes": {"name": "S3 Bucket Name Length Check",
"description": "We want to make sure bucket names do not exceed some length",
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"service": "S3",
"resourceType": "s3-bucket",
"severity": "MEDIUM",
"enabled": true,
"categories": ["operational-excellence"
],
"attributes": [{"name": "bucketName",
"path": "data.Name",
"required": true
}
],
"rules": [{"conditions": {"all": [{"fact": "bucketName",
"operator": "pattern",
"value": "^([a-zA-Z0-9_-]){1,32}$"
}
]
},
"event": {"type": "Bucket name is longer than 32 characters"
}
}
]
}
}
]
}

Create Custom Rule

post/custom-rules

This endpoint allows you to create custom rules for your organisation.

Enabled custom rules are immediately available to all your organisations accounts.

This endpoint is only available to ADMIN users.

SecurityApiKeyAuth

Request

Request Body schema: application/vnd.api+json

required	Array of objects non-empty Attributes of the resource data that will be evaluated
categories required	Array of strings (categories) Items Enum: "security" "cost-optimisation" "reliability" "performance-efficiency" "operational-excellence" "sustainability"
description required	string Custom rule description
enabled required	boolean Flag indicating status of a rule, disabled rules will not be run by Conformity Bot or Real-Time Threat Monitoring (RTM).
name required	string Custom rule name
provider required	string (provider) Name of the cloud provider. Enum: "aws" "azure" "gcp"
remediationNotes	string Optional text description of notes relevant to remediation
resourceType required	string The type of resource this custom rule applies to. For a complete list, please refer to Conformity Resource Types Endpoint
required	Array of objects Rules defined within the custom rule
service required	string The cloud provider service name. For a complete list, please refer to Conformity Services Endpoint
severity required	string (severity) Severity of the Conformity rule. Enum: "LOW" "MEDIUM" "HIGH" "VERY_HIGH" "EXTREME"
slug	string Custom rule slug, specified on create only to form the rule ID

Responses

200

403

Forbidden. The requesting user does not have enough privilege or organisation does not have access to the custom rules beta. Please reach out to your account manager to request access or for more information.

422

Unprocessable Entity

Request samples

Payload

application/vnd.api+json

{"name": "S3 Bucket Custom Rule",
"slug": "s3-bucket-name-length-check",
"description": "This custom rule ensures S3 buckets follow our best practice",
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"service": "S3",
"resourceType": "s3-bucket",
"categories": ["security"
],
"severity": "HIGH",
"provider": "aws",
"enabled": true,
"attributes": [{"name": "bucketName",
"path": "data.Name",
"required": true
}
],
"rules": [{"conditions": {"any": [{"fact": "bucketName",
"operator": "pattern",
"value": "^([a-zA-Z0-9_-]){1,32}$"
}
]
},
"event": {"type": "Bucket name is longer than 32 characters"
}
}
]
}

Response samples

application/json

{"data": {"type": "CustomRules",
"id": "CUSTOM-123ABC",
"attributes": {"name": "S3 Bucket Custom Rule",
"description": "This custom rule ensures S3 buckets follow our best practice",
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"service": "S3",
"resourceType": "s3-bucket",
"categories": ["security"
],
"severity": "HIGH",
"provider": "aws",
"enabled": true,
"attributes": [{"name": "bucketName",
"path": "data.Name",
"required": true
}
],
"rules": [{"conditions": {"any": [{"fact": "bucketName",
"operator": "pattern",
"value": "^([a-zA-Z0-9_-]){1,32}$"
}
]
},
"event": {"type": "Bucket name is longer than 32 characters"
}
}
]
}
}
}

Get Custom Rule

get/custom-rules/{ruleId}

This endpoint allows you to query your organisation custom rules.

SecurityApiKeyAuth

Request

path Parameters

ruleId

required

string

Responses

200

403

Forbidden. This happens when your organisation does not have access to the custom rules beta. Please reach out to your account manager to request access or for more information.

404

Custom rule not found

Response samples

application/json

{"data": [{"type": "CustomRules",
"id": "CUSTOM-123ABC",
"attributes": {"name": "S3 Bucket Name Length Check",
"description": "We want to make sure bucket names do not exceed some length",
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"service": "S3",
"resourceType": "s3-bucket",
"severity": "MEDIUM",
"enabled": true,
"categories": ["operational-excellence"
],
"attributes": [{"name": "bucketName",
"path": "data.Name",
"required": true
}
],
"rules": [{"conditions": {"all": [{"fact": "bucketName",
"operator": "pattern",
"value": "^([a-zA-Z0-9_-]){1,32}$"
}
]
},
"event": {"type": "Bucket name is longer than 32 characters"
}
}
]
}
}
]
}

Delete Custom Rule

delete/custom-rules/{ruleId}

This endpoint allows you to delete a custom rule. This is a permanent action.

This endpoint is only available to ADMIN users.

SecurityApiKeyAuth

Request

path Parameters

ruleId

required

string

Responses

200

403

404

Custom rule not found

Response samples

application/json

{"meta": {"status": "deleted"
}
}

Update Custom Rule

put/custom-rules/{ruleId}

This endpoint allows you to update a custom rule.

This endpoint is only available to ADMIN users.

SecurityApiKeyAuth

Request

path Parameters

ruleId

required

string

Request Body schema: application/vnd.api+json

required	Array of objects non-empty Attributes of the resource data that will be evaluated
categories required	Array of strings (categories) Items Enum: "security" "cost-optimisation" "reliability" "performance-efficiency" "operational-excellence" "sustainability"
description required	string Custom rule description
enabled required	boolean Flag indicating status of a rule, disabled rules will not be run by Conformity Bot or Real-Time Threat Monitoring (RTM).
name required	string Custom rule name
provider required	string (provider) Name of the cloud provider. Enum: "aws" "azure" "gcp"
remediationNotes	string Optional text description of notes relevant to remediation
resourceType required	string The type of resource this custom rule applies to. For a complete list, please refer to Conformity Resource Types Endpoint
required	Array of objects Rules defined within the custom rule
service required	string The cloud provider service name. For a complete list, please refer to Conformity Services Endpoint
severity required	string (severity) Severity of the Conformity rule. Enum: "LOW" "MEDIUM" "HIGH" "VERY_HIGH" "EXTREME"
slug	string Custom rule slug, specified on create only to form the rule ID

Responses

200

403

404

Custom rule not found

422

Unprocessable Entity

Request samples

Payload

application/vnd.api+json

{"name": "S3 Bucket Custom Rule",
"slug": "s3-bucket-name-length-check",
"description": "This custom rule ensures S3 buckets follow our best practice",
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"service": "S3",
"resourceType": "s3-bucket",
"categories": ["security"
],
"severity": "HIGH",
"provider": "aws",
"enabled": true,
"attributes": [{"name": "bucketName",
"path": "data.Name",
"required": true
}
],
"rules": [{"conditions": {"any": [{"fact": "bucketName",
"operator": "pattern",
"value": "^([a-zA-Z0-9_-]){1,32}$"
}
]
},
"event": {"type": "Bucket name is longer than 32 characters"
}
}
]
}

Response samples

application/json

{"data": {"type": "CustomRules",
"id": "CUSTOM-123ABC",
"attributes": {"name": "S3 Bucket Custom Rule",
"description": "This custom rule ensures S3 buckets follow our best practice",
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"service": "S3",
"resourceType": "s3-bucket",
"categories": ["security"
],
"severity": "HIGH",
"provider": "aws",
"enabled": true,
"attributes": [{"name": "bucketName",
"path": "data.Name",
"required": true
}
],
"rules": [{"conditions": {"any": [{"fact": "bucketName",
"operator": "pattern",
"value": "^([a-zA-Z0-9_-]){1,32}$"
}
]
},
"event": {"type": "Bucket name is longer than 32 characters"
}
}
]
}
}
}

Run Custom Rule

post/custom-rules/run

This endpoint allows you to dry run a custom rule template or saved custom rule.

Executing a custom rule via this endpoint is for development and testing purposes and only returns results or related data. It does not affect saved data or events, such as, checks, notifications, reports etc. If there are no related resources, then an empty array will be returned.

This endpoint is only available to ADMIN users.

This endpoint can run against saved data and/or data that is provided in the request body.

Saved custom rule id against a Conformity account accountId
Saved custom rule id against mock/test resource data
Custom rule template/configuration against a Conformity account accountId
Custom rule template/configuration against mock/test resource data

When executing a custom rule against a Conformity account, the resource data related to the Conformity account is only accurate up until the last Conformity Bot run.

SecurityApiKeyAuth

Request

query Parameters

accountId	string A Conformity account ID in which to run a custom rule against.
id	string The ID of a saved custom rule to run.
resourceData	boolean Default: false Enables the return of the resource data that was used to evaluate the custom rule. This can only return data for one resource and requires a custom rule configuration to have property `resourceId` defined.

Request Body schema: application/vnd.api+json

	object Custom rule configuration to test run. This allows for development, testing, validation of a custom rule configuration. If the request includes `configuration` in the body and rule `id` query parameter, this endpoint will ignore the parameter `id`.
	object Mock resource data to use as the input to the custom rule. This allows for development, testing, and validation of a custom rule against specific data/scenarios. If the request includes `resource` in the body and `accountId` query parameter, the endpoint will ignore the parameter `accountId`.

Responses

200

403

404

Custom rule not found

422

Unprocessable Entity

Request samples

Payload

application/vnd.api+json

{"configuration": {"name": "S3 Bucket Name Length Check",
"slug": "s3-bucket-name-length-check",
"description": "We want to make sure bucket names do not exceed some length",
"service": "S3",
"resourceType": "s3-bucket",
"severity": "MEDIUM",
"provider": "aws",
"enabled": true,
"categories": ["operational-excellence"
],
"attributes": [{"name": "bucketName",
"path": "data.Name",
"required": true
}
],
"rules": [{"conditions": {"all": [{"fact": "bucketName",
"operator": "pattern",
"value": "^([a-zA-Z0-9_-]){1,32}$"
}
]
},
"event": {"type": "Bucket name is longer than 32 characters"
}
}
]
},
"resource": {"accountId": "r1gyR4cqg",
"organisationId": "abc123AbcC",
"resourceId": "CloudConformityMonitoring",
"service": "S3",
"descriptorType": "s3-bucket",
"ccrn": "ccrn:aws:r1gyR4cqg:S3:us-west-2:CloudConformityMonitoring",
"region": "us-west-2",
"name": "S3 Bucket",
"provider": "aws",
"data": {"resourceId": "CloudConformityMonitoring",
"Name": "CloudConformityMonitoring"
}
}
}

Response samples

application/json

[{"region": "us-west-2",
"resource": "CloudConformityMonitoring",
"ccrn": "ccrn:aws:r1gyR4cqg:CloudFormation:us-west-2:CloudConformityMonitoring",
"status": "SUCCESS",
"message": "S3 Bucket CloudConformityMonitoring passed 'Bucket name is longer than 32 characters' rule condition.",
"extradata": [{"label": "successEvent",
"name": "Passed Condition Event",
"type": "META",
"value": "Bucket name is longer than 32 characters"
}
]
}
]

➔ Next to Custom Compliance Standards