PacBot Terminology
Asset groups are a powerful way to visualize compliance. In PacBot you create an asset group by defining resource matching criteria. Asset groups are dynamic: when a new resource is created, it automatically shows up in every asset group whose criteria it matches. An asset group can contain anything from a single EC2 instance to all resources in an account. When creating an asset group you specify the matching condition in terms of resource attributes. For example, you can add all EC2 instances with a particular tag name and value combination, or you can build an asset group based on instance state or AWS account number. Because of the ephemeral nature of the cloud, static asset groups are not useful: you would have to update the list of assets in the group every time something changed in order to get accurate compliance statistics for it. With criteria-based resource selection, you define the asset group once and can rest assured that all matching resources created in the future will be added to the group automatically. Asset groups do not include terminated or deleted resources.
For example:
- All resources under one account can be added to an asset group.
- All resources with a specific Tag Name and Value combination across multiple accounts can be added to a single asset group.
- All running EC2 instances across all accounts can be added to an asset group.
- All assets from a list of Production AWS accounts can be added to an asset group.
In PacBot, 'Compliance Domains' allow you to view compliance status by domain. They were created to simplify the compliance status view by grouping similar policies under one compliance domain. During policy and rule creation you select the compliance domain. In the dashboard, you can switch the domain from the drop-down in the top right corner of the UI. There is also an overall compliance summary page to view your compliance across all compliance domains.
Think of this as grouping similar items into one list and measuring how well you do against that list. Switching the compliance domain from the drop-down also changes the background color of the UI to signal the change in view scope.
PacBot policies are codified versions of policies on paper. Each policy can have one or more rules associated with it. Each rule evaluates a resource to check a specific condition. If all rule evaluations pass, the target resource is compliant with the policy; if any fails, the resource is marked as non-compliant. Today only one rule can be mapped to a policy.
A rule is the actual codified version of the checks and mandates established in a policy description. PacBot ships with some default managed rules for AWS; these are Java code bundled into a single jar. You can extend this to add more rules, or host rules elsewhere behind an API and use them from the PacBot system. To do so, you create a REST API that takes the resource details as its input parameter and returns whether the resource passed the check or not, and you register that API while creating the rule in PacBot. The PacBot rule engine then invokes the API for every resource the rule is configured to run against. The API must adhere to the contract established by PacBot.
The target is the entity being evaluated by a rule. In the case of AWS, targets are resources: EC2, S3 and RDS are target types, and instance i-1234 is a target of type EC2. PacBot is built as a generic tool, not just for the cloud; you could import all of your code repository information and write rules to gauge its compliance.
There are cases where some resources should be exempted from a policy. You can add an exception to a policy violation, and the violation will no longer show up in reports and high-level aggregations.
Sticky exceptions are dynamic exceptions. An exception is created from resource matching criteria; whenever a resource matching those criteria is launched, the rule engine does not create a policy violation for it.
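The following is an added example that models the criteria-based behaviour described for asset groups and for sticky exceptions above in one place; it is not PacBot's own code, and the record layout, criteria format, sample inventory and the `no_public_ip` rule are all constructed for the illustration.

```python
# Added illustrative model of dynamic asset groups, rule evaluation and sticky
# exceptions.  NOT PacBot's code: record layout, criteria format and the
# sample inventory below are constructed for this example.
from typing import Dict, List

# Constructed sample inventory (placeholder account and resource ids).
INVENTORY: List[dict] = [
    {"id": "i-0001", "type": "ec2", "account": "111111111111",
     "state": "running", "tags": {"Environment": "prod"}, "public_ip": True},
    {"id": "i-0002", "type": "ec2", "account": "222222222222",
     "state": "running", "tags": {"Environment": "dev"}, "public_ip": False},
    {"id": "i-0003", "type": "ec2", "account": "111111111111",
     "state": "terminated", "tags": {"Environment": "prod"}, "public_ip": True},
    {"id": "bucket-a", "type": "s3", "account": "111111111111",
     "state": "available", "tags": {}, "public_ip": False},
]

def matches(resource: dict, criteria: Dict[str, object]) -> bool:
    """True when every criterion holds.  A 'tags' criterion requires each
    listed tag name/value pair; any other key compares a plain attribute."""
    for key, wanted in criteria.items():
        if key == "tags":
            if any(resource["tags"].get(k) != v for k, v in wanted.items()):
                return False
        elif resource.get(key) != wanted:
            return False
    return True

def asset_group(inventory: List[dict], criteria: dict) -> List[dict]:
    """Dynamic group: re-evaluated on every call, so a newly created resource
    that matches shows up automatically; terminated/deleted ones never do."""
    return [r for r in inventory
            if r["state"] not in ("terminated", "deleted") and matches(r, criteria)]

def evaluate(group: List[dict], rule, sticky_exceptions: List[dict]):
    """Run one rule over a group.  A failing resource that matches a sticky
    exception's criteria is exempted instead of being recorded as a violation."""
    violations, exempted = [], []
    for r in group:
        if rule(r):
            continue
        (exempted if any(matches(r, e) for e in sticky_exceptions)
         else violations).append(r["id"])
    return violations, exempted

def no_public_ip(resource: dict) -> bool:
    """Constructed example rule: an EC2 instance must not expose a public IP."""
    return not (resource["type"] == "ec2" and resource["public_ip"])
```

Running `evaluate` over the same group twice, once with and once without a sticky exception for the `prod` tag, shows the same failing instance move from the violations list to the exempted list without the rule itself changing.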
Within PacBot you can define roles, which control access to resource groups as well as to admin functionality.
The job execution manager provides capabilities to manage the data collection, enrichment and syncing jobs.