© 2025 open governance Inc.

Policies

A Policy in OpenComply is the technical implementation of a compliance control.

It is reusable logic (for example a CloudQL query) that defines how the control is evaluated: it inspects resource configurations and produces findings.

For example, aws_iam_access_keys_policy checks the age of IAM access keys with a SQL query. Each row the query returns is one finding for one resource, carrying a status of ok, alarm or skip and a human-readable reason. Policies can be parameterized (the query below uses {{.awsIamAccessKeyAge}} for the maximum key age in days) and reused across controls.

Example

id: aws_iam_access_keys_policy           # REQUIRED (unique Policy ID)
title: AWS IAM Access Key Policy
description: Specifies the maximum age for IAM Access Keys
language: sql                            # REQUIRED (type of query)
primary_resource: aws_iam_access_key     # REQUIRED (resource for attributing incidents)
definition: |                            # REQUIRED (the policy logic)
  SELECT
    access_key_id AS resource,
    platform_integration_id AS platform_integration_id,
    platform_resource_id AS platform_resource_id,
    CASE
      WHEN status <> 'Active' THEN 'skip'
      WHEN create_date + ('{{.awsIamAccessKeyAge}}' || ' days')::interval < NOW() THEN 'alarm'
      ELSE 'ok'
    END AS status,
    CASE
      WHEN status <> 'Active' THEN 'key is not activated'
      WHEN create_date + ('{{.awsIamAccessKeyAge}}' || ' days')::interval < NOW() THEN 'key is too old'
      ELSE 'key is not old yet'
    END AS reason,
    region,
    account_id
  FROM
    aws_iam_access_key v

Specification

Required:

  • id: The unique identifier for this Policy (e.g., aws_iam_access_keys_policy).

  • language: The type of logic or query used in the definition (e.g., sql, rego).

  • primary_resource: The resource type the query evaluates and to which each finding is attributed (e.g., aws_iam_access_key).

  • definition: The query or code block that evaluates compliance. As in the example above, a SQL definition returns one row per resource with the resource identifier, a status of ok, alarm or skip, and a reason.

Recommended:

  • title: A short summary of what the Policy checks (e.g., "maximum IAM Access Key age").

  • description: A longer description of the Policy and the condition it enforces.
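To show how the parameterized policy above is rendered and what findings it produces, here is an added Python example; it is not OpenComply's own code and does not use its API. It assumes that a {{.name}} placeholder is substituted textually into the query before it runs (Go-template style, as the quoted '{{.awsIamAccessKeyAge}}' in the example suggests), and it therefore whitelists parameter values before splicing them in, which is an assumption of this example rather than a documented OpenComply rule. Because the verifier runs offline, the page's Postgres expression create_date + ('N' || ' days')::interval < NOW() is rewritten for SQLite as julianday() arithmetic with a bound :now, while the output columns and the ok/alarm/skip semantics are kept exactly as the page defines them. The sample access keys are constructed, not real AWS identifiers.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Added example, not OpenComply's own code. SQLite rendering of the page's
# aws_iam_access_keys_policy: same output columns and ok/alarm/skip logic;
# the Postgres interval arithmetic becomes julianday() and NOW() becomes :now
# so results are reproducible. The placeholder stays inside quotes as on the page.
POLICY = {
    "id": "aws_iam_access_keys_policy",
    "title": "AWS IAM Access Key Policy",
    "language": "sql",
    "primary_resource": "aws_iam_access_key",
    "definition": """
SELECT
  k.access_key_id AS resource,
  k.platform_integration_id AS platform_integration_id,
  k.platform_resource_id AS platform_resource_id,
  CASE
    WHEN k.status <> 'Active' THEN 'skip'
    WHEN julianday(k.create_date) + CAST('{{.awsIamAccessKeyAge}}' AS INTEGER)
         < julianday(:now) THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN k.status <> 'Active' THEN 'key is not activated'
    WHEN julianday(k.create_date) + CAST('{{.awsIamAccessKeyAge}}' AS INTEGER)
         < julianday(:now) THEN 'key is too old'
    ELSE 'key is not old yet'
  END AS reason,
  k.region,
  k.account_id
FROM aws_iam_access_key k
""",
}

REQUIRED_KEYS = ("id", "language", "primary_resource", "definition")
KNOWN_LANGUAGES = {"sql", "rego"}  # the two languages the page names
PLACEHOLDER = re.compile(r"\{\{\s*\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Parameter values are spliced into the query as text, so only a conservative
# character set is accepted (an assumption of this example, not an OpenComply rule).
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:-]+$")


def validate_policy(policy: dict) -> list[str]:
    """Return the problems found in a policy document (empty list means valid)."""
    problems = [f"missing required field: {k}" for k in REQUIRED_KEYS if k not in policy]
    lang = policy.get("language")
    if lang is not None and lang not in KNOWN_LANGUAGES:
        problems.append(f"unknown language: {lang}")
    return problems


def extract_params(definition: str) -> set[str]:
    """Names of every {{.param}} placeholder used in the policy definition."""
    return set(PLACEHOLDER.findall(definition))


def unsafe_params(params: dict) -> list[str]:
    """Parameter names whose values would not survive textual substitution safely."""
    return [name for name, value in params.items() if not SAFE_VALUE.match(str(value))]


def render(definition: str, params: dict) -> str:
    """Substitute {{.name}} placeholders; refuse missing or unsafe values."""
    missing = extract_params(definition) - set(params)
    if missing:
        raise KeyError(f"no value for parameter(s): {sorted(missing)}")
    bad = unsafe_params(params)
    if bad:
        raise ValueError(f"unsafe value for parameter(s): {bad}")
    return PLACEHOLDER.sub(lambda m: str(params[m.group(1)]), definition)


def evaluate(rendered_sql: str, keys: list[tuple], now: datetime) -> list[dict]:
    """Run the rendered policy over a constructed in-memory aws_iam_access_key table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE aws_iam_access_key (access_key_id TEXT, platform_integration_id TEXT,"
        " platform_resource_id TEXT, status TEXT, create_date TEXT, region TEXT, account_id TEXT)"
    )
    conn.executemany("INSERT INTO aws_iam_access_key VALUES (?, ?, ?, ?, ?, ?, ?)", keys)
    rows = conn.execute(rendered_sql, {"now": now.strftime("%Y-%m-%d %H:%M:%S")}).fetchall()
    return sorted((dict(r) for r in rows), key=lambda r: r["resource"])


def sample_findings() -> list[dict]:
    """Evaluate the policy with awsIamAccessKeyAge=90 against four constructed keys."""
    now = datetime(2025, 6, 1)

    def ts(days_ago: int) -> str:
        return (now - timedelta(days=days_ago)).strftime("%Y-%m-%d %H:%M:%S")

    keys = [  # constructed sample data, not real AWS identifiers
        ("AKIAEXAMPLEOLD000001", "int-1", "pr-old", "Active", ts(200), "global", "111111111111"),
        ("AKIAEXAMPLENEW000002", "int-1", "pr-new", "Active", ts(10), "global", "111111111111"),
        ("AKIAEXAMPLEOFF000003", "int-1", "pr-off", "Inactive", ts(400), "global", "111111111111"),
        ("AKIAEXAMPLENUL000004", "int-1", "pr-nul", "Active", None, "global", "111111111111"),
    ]
    sql = render(POLICY["definition"], {"awsIamAccessKeyAge": "90"})
    return evaluate(sql, keys, now)


if __name__ == "__main__":
    assert validate_policy(POLICY) == []
    for f in sample_findings():
        print(f"{f['resource']}  {f['status']:5}  {f['reason']}")
```

Two things worth noticing when running it. The value supplied for awsIamAccessKeyAge is text-substituted inside a quoted literal, so a value such as 90' OR 1=1 -- would change the query; unsafe_params() rejects it before render() splices anything in, and any real pipeline that lets users set parameters needs an equivalent check. And a key whose create_date was not collected (the NULL row) is reported as ok with reason "key is not old yet", because a NULL comparison is not true and the CASE falls through to ELSE; that is the behaviour of the page's policy as written in Postgres too, so add an explicit WHEN create_date IS NULL branch if a missing timestamp should not pass silently.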


Last updated 3 months ago