Policies

• 1: Policy Overview
• 2: AWS Policies
• 3: Azure Policies
• 4: GCP Policies
• 5: GitHub Policies
• 6: Docker Policies
• 7: Kubernetes Policies

1 - Policy Overview

Terrascan policies are written using the Rego policy language. With each rego policy, a JSON “rule” file is included which defines metadata for the policy. Policies included within Terrascan are stored in the pkg/policies/opa/rego directory.

Updating Terrascan with the latest policies

The first time using Terrascan, if the -p flag is not specified, Terrascan will download the latest policies from the Terrascan repository. You can update your local environment to the latest policies published in the repository by running terrascan init.

Ignoring Policies on a scan

Terrascan keeps a copy of policies on your local filesystem on the ~/.terrascan/pkg/policies/opa/rego directory. You can also specify a particular directory with rego policies to scan by using the -p flag. Terrascan allows you to ignore policies from scans by using the –skip-rules flag or using in-file instrumentation to skip policies on a particular resource.

Adding policies

For each policy, there are 2 files required by Terrascan, a rule .json file with metadata for the policy and a .rego rego file for the policy itself.

Writing an OPA rego policy file

The input for the rego policies is the normalized input from the IaC provider. When writing policies you can obtain this as a normalized .json by using the --config-only flag of the scan command in combination with -o json. Let’s use this Terraform HCL file for example:

resource "github_repository" "example" {
  name        = "example"
  description = "My awesome codebase"

  private = false

  template {
    owner = "github"
    repository = "terraform-module-template"
  }
}

Here’s the output of the --config-only flag.

$ terrascan scan -i terraform --config-only -o json
{
  "github_repository": [
    {
      "id": "github_repository.example",
      "name": "example",
      "source": "main.tf",
      "line": 1,
      "type": "github_repository",
      "config": {
        "description": "My awesome codebase",
        "name": "example",
        "private": false,
        "template": [
          {
            "owner": "github",
            "repository": "terraform-module-template"
          }
        ]
      }
    }
  ]
}

You can use this .json output as the input in the rego playgound. The following policy can be used on the above Terraform to flag if the GitHub repository has been created with private = false.

package accurics

privateRepoEnabled[api.id] {
    api := input.github_repository[_]
    not api.config.private == true
    not api.config.visibility == "private"
}

A successful policy will trigger the following output:

{
    "privateRepoEnabled": [
        "github_repository.example"
    ]
}

The Rule JSON file

The rule files follow this naming convention: AC_<policy_type>_<next_available_rule_number>.json where <policy_type> is the upper case of any supported policy types by terrascan. The supported policy types can be fetched from Terrascan’s help menu: terrascan scan -h | grep "policy-type".

Note: The previous naming convention was: <cloud-provider>.<resource-type>.<rule-category>.<severity>.<next-available-rule-number>.json. This has been deprecated.

Here’s an example of the contents of a rule file:

{
	"name": "unrestrictedIngressAccess",
	"file": "unrestrictedIngressAccess.rego",
	"policy_type": "aws",
	"resource_type": "aws_db_security_group",
	"template_args": {
		"name": "unrestrictedIngressAccess",
		"prefix": "",
		"suffix": ""
	},
	"severity": "HIGH",
	"description": "It is recommended that no security group allows unrestricted ingress access",
	"category": "NETWORK_SECURITY",
	"version": 1,
	"id": "AC_AWS_0001"
}

2 - AWS Policies

aws_iam_role_policy

aws_route53_record

aws_elasticsearch_domain_policy

aws_lb_target_group

aws_api_gateway_method_settings

aws_workspaces_workspace

aws_vpc

aws_iam_account_password_policy

aws_mq_broker

aws_db_instance

aws_secretsmanager_secret_policy

aws_ebs_volume

aws_api_gateway_rest_api

aws_iam_role

aws_iam_user_policy_attachment

aws_ebs_encryption_by_default

aws_sns_topic

aws_apigatewayv2_api

aws_efs_file_system

aws_lb_listener

aws_sqs_queue

aws_docdb_cluster

aws_cloudwatch_log_group

aws_instance

aws_config

aws_cloudformation_stack

aws_iam_user_policy

aws_ecs_task_definition

aws_ecr_repository_policy

aws_iam_policy

aws_dynamodb_table

aws_apigatewayv2_stage

aws_ecr_repository

aws_cloudfront_distribution

aws_cloudwatch

aws_ami_launch_permission

aws_launch_configuration

aws_athena_database

aws_api_gateway_stage

aws_elasticsearch_domain

aws_iam_user_login_profile

aws_iam_group_policy

aws_load_balancer_policy

aws_s3_bucket

aws_eks_cluster

aws_elb

aws_redshift_cluster

aws_elasticcache_replication_group

aws_kinesis_stream

aws_config_configuration_aggregator

aws_s3_bucket_object

aws_route53_query_log

aws_secretsmanager_secret

aws_iam_access_key

aws_neptune_cluster

aws_dax_cluster

aws_guardduty_detector

aws_db_security_group

aws_s3_bucket_policy

aws_ami

aws_elasticache_cluster

aws_kinesis_firehose_delivery_stream

aws_rds_cluster

aws_cloudtrail

aws_sagemaker_notebook_instance

aws_lambda_function

aws_kms_key

aws_security_group

aws_api_gateway_method

aws_efs_file_system_policy

aws_ecs_service

aws_globalaccelerator_accelerator

aws_api_gateway_rest_api_policy

3 - Azure Policies

azurerm_storage_container

azurerm_mysql_server

azurerm_sql_firewall_rule

azurerm_key_vault

azurerm_resource_group

azurerm_storage_account_network_rules

azurerm_storage_account

azurerm_sql_server

azurerm_postgresql_configuration

azurerm_sql_database

azurerm_redis_cache

azurerm_mssql_server

azurerm_kubernetes_cluster

azurerm_managed_disk

azurerm_network_watcher_flow_log

azurerm_key_vault_secret

azurerm_key_vault_key

azurerm_security_center_contact

azurerm_network_security_rule

azurerm_cosmosdb_account

azurerm_security_center_subscription_pricing

azurerm_sql_active_directory_administrator

azurerm_container_registry

azurerm_virtual_network

azurerm_role_assignment

azurerm_application_gateway

azurerm_postgresql_server

4 - GCP Policies

google_container_node_pool

github_repository

google_bigquery_dataset

google_compute_project_metadata

google_compute_subnetwork

google_project_iam_audit_config

google_sql_database_instance

google_compute_instance

google_storage_bucket_iam_binding

google_container_cluster

google_project

google_compute_firewall

google_dns_managed_zone

google_compute_disk

google_project_iam_member

google_storage_bucket_iam_member

google_compute_ssl_policy

google_storage_bucket

google_kms_crypto_key

google_project_iam_binding

5 - GitHub Policies

github_repository

github_repository_webhook

github_organization_webhook

6 - Docker Policies

docker_from

docker_expose

docker_run

docker_workdir

7 - Kubernetes Policies

kubernetes_endpoint_slice

kubernetes_service

kubernetes_ingress

kubernetes_pod

kubernetes_role

kubernetes_namespace