Policies
A Policy in OpenComply is the technical implementation of a compliance control.
It's reusable logic (like a CloudQL query) that defines how a control is evaluated, checking resource configurations and producing findings.
For example, the aws_iam_access_keys_policy checks the age of IAM access keys using a SQL query. Policies can be parameterized (like using {{.awsIamAccessKeyAge}}) and reused across controls.
Example
id: aws_iam_access_keys_policy # REQUIRED (unique Policy ID)
title: AWS IAM Access Key Policy
description: Specifies the maximum age for IAM Access Keys
language: sql # REQUIRED (type of query)
primary_resource: aws_iam_access_key # REQUIRED (resource for attributing incidents)
definition: | # REQUIRED (the policy logic)
  SELECT
    access_key_id AS resource,
    platform_integration_id AS platform_integration_id,
    platform_resource_id AS platform_resource_id,
    -- evaluation result: skip (inactive key), alarm (older than the parameter), ok
    CASE
      WHEN status <> 'Active' THEN 'skip'
      WHEN create_date + ('{{.awsIamAccessKeyAge}}' || ' days')::interval < NOW() THEN 'alarm'
      ELSE 'ok'
    END AS status,
    -- human-readable explanation of the result
    CASE
      WHEN status <> 'Active' THEN 'key is not activated'
      WHEN create_date + ('{{.awsIamAccessKeyAge}}' || ' days')::interval < NOW() THEN 'key is too old'
      ELSE 'key is not old yet'
    END AS reason,
    region,
    account_id
  FROM
    aws_iam_access_key v
Specification
Required:
id: The unique identifier for this Policy (e.g., aws_iam_access_keys_policy).
language: Specifies the type of logic or query used in the Policy (e.g., sql, rego).
primary_resource: Identifies the primary data source used for the query (e.g., aws_iam_access_key).
definition: The query or code block that evaluates compliance.
Recommended:
title: A brief summary of what the Policy checks (e.g., "maximum IAM Access Key age").
description: A brief description of the Policy.
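The following is an added example, not code from OpenComply itself, showing how a loaded policy can be checked for the required fields above and how a {{.name}} parameter such as {{.awsIamAccessKeyAge}} is substituted into the definition. It assumes the YAML has already been parsed into the Policy struct and that parameters use Go text/template syntax; an unset parameter is treated as an error so it can never reach the query as "<no value>".

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Policy: fields of an OpenComply policy file after loading (assumed struct, not the project's type).
type Policy struct {
	ID, Title, Description, Language, PrimaryResource, Definition string
}

// Validate returns the names of the required fields that are empty.
func (p Policy) Validate() []string {
	var missing []string
	for _, f := range []struct{ name, val string }{
		{"id", p.ID}, {"language", p.Language},
		{"primary_resource", p.PrimaryResource}, {"definition", p.Definition},
	} {
		if f.val == "" {
			missing = append(missing, f.name)
		}
	}
	return missing
}

// Render substitutes {{.name}} parameters into the definition with text/template;
// a parameter that was not supplied is rejected instead of rendering as "<no value>".
func (p Policy) Render(params map[string]string) (string, error) {
	t, err := template.New(p.ID).Option("missingkey=error").Parse(p.Definition)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, params); err != nil {
		return "", err
	}
	return out.String(), nil
}
func main() {
	// Constructed sample: the access-key-age condition from the policy above.
	p := Policy{ID: "aws_iam_access_keys_policy", Language: "sql", PrimaryResource: "aws_iam_access_key",
		Definition: "WHEN create_date + ('{{.awsIamAccessKeyAge}}' || ' days')::interval < NOW() THEN 'alarm'"}
	fmt.Println("missing required fields:", p.Validate())
	sql, err := p.Render(map[string]string{"awsIamAccessKeyAge": "90"})
	fmt.Println(sql, err)
	_, err = p.Render(map[string]string{}) // parameter not supplied: returns an error
	fmt.Println("unset parameter:", err)
}
```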