Write Your Own AWS Configuration Auditing Rules With Threat Stack’s Guided Rules Editor

Today Threat Stack is excited to announce a powerful and easy-to-use new feature of the AWS Configuration Auditing capabilities — the Guided Rules Editor for AWS Configuration Auditing. With the Guided Rules Editor, available in the Threat Stack Audit Plan, users can quickly tailor AWS Configuration Auditing rulesets to their organization’s specific security policies and adapt to changes in their environment.

What Does The Rules Editor Do?

For anyone using Threat Stack’s Configuration Auditing capabilities to achieve AWS security best practices and to understand which configurations are non-compliant, the Guided Rules Editor finally makes it easy to rapidly create, edit, or clone rules. Since it does not require users to write code, to know AWS syntax, or to manage a repository of scripts, Security and Operations teams can easily create or modify configuration auditing rules to achieve more accurate and relevant security visibility across their AWS environments, saving hours of time.

Users can make a small modification to an existing rule (for example, change the length of a password), or write a completely new rule that evaluates a wide range of properties on supported AWS resource types. The guided interface eliminates the introduction of errors, the need to write code, and the need to understand the structure of the AWS API. All users need to know is their security policy, and the Rules Editor will do the rest.

Why Do Users Need the Ability to Write and Modify Rules?

Each organization is unique: no two companies have precisely the same security policies. While Threat Stack comes with a set of default Configuration Auditing rules that cover the CIS Benchmark and other security best practices for AWS, the Guided Rules Editor allows users to tailor these and to add appropriate new rules to match the exact security policies of their organization.

How Does the Editor Work?

The AWS API syntax is integrated into the Guided Rules Editor, allowing users to write rules without spending time researching AWS documentation. As the name suggests, the Editor guides users as they do everything from making minor changes to existing rules to creating sophisticated new rules that work as expected in a matter of minutes.

  • To create or edit a rule, the Editor walks a user through defining which service(s) need to be monitored, selecting an appropriate resource type, and defining evaluation statements that constrain the rule to specific parameters.
  • As the user makes selections in the rule-writing process, the Editor understands what the user selected previously and provides the appropriate next step. For example, if the user selects “CloudTrail” as the AWS Service they want to check, and chooses “Trail” as the Resource Type they want to check, the UI provides a list of properties that apply to that resource type. It also knows that the “multi-region trail” property expects a true/false value while the name property expects a string.
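
To make the service → resource type → typed property structure concrete, here is an added illustration (not Threat Stack’s code or rule format) of a small typed rule schema and evaluator: it rejects a rule whose value has the wrong type for the property, and flags resources in a constructed inventory that violate a well-formed rule. The property names, the “IAM User” resource type and the `password_age_days` property are assumptions for the example.

```python
import re

# Assumed schema: the properties each (service, resource type) exposes and the
# value type each expects, which is what lets the editor offer typed next steps.
SCHEMA = {
    ("CloudTrail", "Trail"): {"is_multi_region_trail": bool, "name": str},
    ("IAM", "User"): {"password_age_days": int, "name": str},  # assumed
}

# Operators an evaluation statement may use: (property, operator, value).
OPS = {
    "eq": lambda actual, wanted: actual == wanted,
    "lte": lambda actual, wanted: actual <= wanted,
    "matches": lambda actual, pattern: re.fullmatch(pattern, actual) is not None,
}

def validate_rule(rule):
    """Return a list of problems; an empty list means the rule is well-formed."""
    key = (rule["service"], rule["resource_type"])
    if key not in SCHEMA:
        return [f"unknown service/resource type {key}"]
    problems = []
    for prop, op, value in rule["statements"]:
        expected = SCHEMA[key].get(prop)
        if expected is None:
            problems.append(f"{prop}: not a property of {key[1]}")
        elif type(value) is not expected:  # exact match: bool is a subclass of int
            problems.append(f"{prop}: expected {expected.__name__}, got {type(value).__name__}")
        elif op not in OPS:
            problems.append(f"{prop}: unknown operator {op!r}")
    return problems

def evaluate(rule, resources):
    """Return names of matching-type resources for which any statement fails."""
    if validate_rule(rule):
        raise ValueError("rule is not well-formed: " + "; ".join(validate_rule(rule)))
    target = (rule["service"], rule["resource_type"])
    failing = []
    for r in resources:
        if (r["service"], r["resource_type"]) != target:
            continue  # rule does not apply to this resource type
        if not all(OPS[op](r[prop], value) for prop, op, value in rule["statements"]):
            failing.append(r["name"])
    return failing

INVENTORY = [  # constructed sample resources, not real account data
    {"service": "CloudTrail", "resource_type": "Trail", "name": "org-trail", "is_multi_region_trail": True},
    {"service": "CloudTrail", "resource_type": "Trail", "name": "dev-trail", "is_multi_region_trail": False},
    {"service": "IAM", "resource_type": "User", "name": "alice", "password_age_days": 30},
    {"service": "IAM", "resource_type": "User", "name": "bob", "password_age_days": 120},
]
MULTI_REGION_RULE = {"service": "CloudTrail", "resource_type": "Trail",
                     "statements": [("is_multi_region_trail", "eq", True)]}
PASSWORD_AGE_RULE = {"service": "IAM", "resource_type": "User",
                     "statements": [("password_age_days", "lte", 90)]}
```

Running `evaluate(MULTI_REGION_RULE, INVENTORY)` reports `dev-trail`, and a rule that supplies the string `"true"` for the boolean property is rejected by `validate_rule` before it is ever evaluated.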

The process is that easy! But take a look for yourself . . .

Use Case 1 – Writing New Rules

As the following screen demonstrates, the best way to learn how a rule is created is to see it happening. In this case, I am writing a rule that checks all passwords to ensure that each has been used in the last 90 days:


Use Case 2 – Editing, Modifying, & Cloning Rules

Here’s a simple example of how users can edit a rule to change a numeric value:


Final Words . . .

Part of Threat Stack’s commitment is to introduce new products and features that enable customers to strengthen their cloud security. Hand in hand with this, we want our customers to have a great user experience. The Guided Rules Editor combines these goals to bring customers a powerful, fast, and easy-to-use means of configuring and managing their cloud security.

To experience Threat Stack’s AWS Configuration Auditing, including its Guided Rules Editor, we invite you to sign up for a Free Cloud Security Audit Trial now.