Cloud Configuration Governance policies

  • Release version: Australia
  • Updated March 12, 2026

    A Cloud Configuration Governance policy defines the non-compliant configurations for a given cloud resource type.

    Each Cloud Configuration Governance policy contains the following information:

    • The cloud on which the resource is provisioned.
    • The cloud resource type.
    • Definition of the non-compliant configuration. For example, unencrypted Amazon Web Services (AWS) S3 buckets or insecure Identity and Access Management (IAM) accounts.
    • Definition of the audit violation (policy violation) report.
    Note: Starting with Cloud Configuration Governance version 1.3.7, the base system contents are moved to the CCG Content Pack. Install the CCG Content Pack to access the base system Cloud Configuration Governance contents.

    Cloud Configuration Governance provides several base system policies. You can use these policies as they are, customize them, or create custom policies to meet the needs of your organization. Depending on the need and your familiarity with the ServiceNow AI Platform, you can create a policy with any one of the following methods (the Type column in Table 1 shows which method each base system policy uses):

    • Condition builder
    • Integration Hub flow
    • Script

    To use the policy, add the policy to a policy set. Each policy set can contain one or more policies. For more information on creating policy sets, see Create policy set.

    Table 1. Base system policies (Name, Type, Description)

    • AWS IAM User Activity policy (Condition builder): Checks whether a console password is enabled for the AWS IAM user, based on the IAM credential report. To use this policy, make sure that the AWS IAM user account used to run the policy has the following permissions:
      • iam:GetCredentialReport
      • iam:GenerateCredentialReport
    • AWS S3 Enforce Bucket encryption (Condition builder): Checks whether the AWS S3 buckets are encrypted.
    • AWS Sample flow policy (Integration Hub flow): Policy that illustrates an Integration Hub flow-based policy.
    • AWS VM HardwareType (Condition builder): Checks whether the deployed EC2 VMs use only the approved hardware types (instance types).
    • AWS VM IPAddress (Script): Checks whether the IP address of the EC2 VM matches the Configuration Management Database (CMDB) record.
    • AWS VM Monitoring State (Condition builder): Checks whether detailed monitoring is enabled for the EC2 VM.
    • Azure VM HardwareType (Condition builder): Checks whether the deployed Azure VMs use only the approved hardware types (VM sizes).
    • Azure VM IP Address (Script): Checks whether the IP address of the Azure VM matches the CMDB record.
    • Azure VM Monitoring State (Condition builder): Checks whether detailed monitoring is enabled for the Azure VM.
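    The AWS IAM User Activity policy in Table 1 is a condition-builder policy, but the two permissions it requires tell you what it reads: the IAM credential report. The following is an added example, not code from this page or from ServiceNow, that shows what that check amounts to when run outside the platform. It parses a constructed credential report (only the leading columns of the real report are reproduced; the accounts and dates are made up) and emits audit violation records. It assumes that an IAM user with a console password enabled counts as non-compliant, skips the root row because the report marks password_enabled as not_supported there, and goes beyond the page by also flagging password-enabled users with no MFA device. The function names and the shape of the violation record are my own.

```python
import csv
import io

# Constructed sample of an AWS IAM credential report, the CSV returned by
# iam:GenerateCredentialReport / iam:GetCredentialReport. Only the leading
# columns of the real report are reproduced; accounts and dates are made up.
# The root row carries "not_supported" in password_enabled, as the real report does.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-02T00:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T10:00:00+00:00,true,2024-01-10T08:00:00+00:00,2023-12-01T08:00:00+00:00,2024-03-01T08:00:00+00:00,true,true
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-05-05T09:00:00+00:00,true,no_information,2022-05-05T09:00:00+00:00,N/A,false,true
svc-reader,arn:aws:iam::111122223333:user/svc-reader,2022-06-06T09:00:00+00:00,false,N/A,N/A,N/A,false,true
"""

POLICY_NAME = "AWS IAM User Activity policy"


def parse_credential_report(report_csv):
    """Parse the credential report CSV into one dict per IAM principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def _violation(row, reason):
    """One audit violation record. The field set is hypothetical; it mirrors
    the cloud / resource type / non-compliant configuration structure a
    policy report needs."""
    return {
        "policy": POLICY_NAME,
        "cloud": "AWS",
        "resource_type": "IAM user",
        "resource": row["arn"],
        "reason": reason,
    }


def evaluate_iam_user_activity(report_csv, flag_missing_mfa=True):
    """Return the audit violation report for a credential report.

    Assumed rule: a console password enabled on an IAM user is non-compliant.
    Rows whose password_enabled is neither true nor false (the root account
    reports not_supported) are skipped rather than guessed at. With
    flag_missing_mfa, a password-enabled user without an MFA device gets a
    second, more severe finding.
    """
    violations = []
    for row in parse_credential_report(report_csv):
        enabled = row["password_enabled"].strip().lower()
        if enabled not in ("true", "false"):
            continue  # root account: the report carries no value to check
        if enabled != "true":
            continue  # no console password: compliant under the assumed rule
        violations.append(_violation(row, "console password enabled"))
        if flag_missing_mfa and row["mfa_active"].strip().lower() != "true":
            violations.append(_violation(row, "console password enabled without MFA"))
    return violations


def summarize(violations):
    """Group findings by resource ARN so each user appears once in a report."""
    by_resource = {}
    for v in violations:
        by_resource.setdefault(v["resource"], []).append(v["reason"])
    return by_resource


if __name__ == "__main__":
    findings = evaluate_iam_user_activity(SAMPLE_CREDENTIAL_REPORT)
    for arn, reasons in summarize(findings).items():
        print(f"{arn}: {'; '.join(reasons)}")
```

    On the constructed report, alice and deploy-bot are flagged for having a console password, and deploy-bot is flagged a second time because mfa_active is false; the root row is skipped rather than reported, which is the behaviour you want from a policy that should not produce findings it cannot substantiate.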