Policies
Panther enables easy scanning and evaluation of cloud infrastructure configurations.
Policies are Python3 functions used to identify misconfigured infrastructure and generate alerts for your team.
Policy Components
- A
policyfunction with aresourceargument that returnsTrueif the resource is compliant and the policy should not send an alert, orFalseif the resource is not complaint and the policy should send an alert - Metadata containing context for triage
- An association with a specific Resource Type
As an example, the policy below checks if an S3 bucket allows public read access:
1
# A list of grantees that represent public access
2
GRANTEES = {
3
'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
4
'http://acs.amazonaws.com/groups/global/AllUsers'
5
}
6
PERMISSIONS = {'READ'}
7
​
8
​
9
def policy(resource):
10
for grant in resource['Grants']:
11
if grant['Grantee']['URI'] in GRANTEES and grant[
12
'Permission'] in PERMISSIONS:
13
return False
14
​
15
return True
Copied!
Policy Writing Workflow
Panther policies can be written, tested, and deployed either with the Panther Console or the panther_analysis_tool CLI utility.
Policy Body
The policy body MUST:
- Be valid Python3
- Define a
policy()function that accepts one argument - Return a
boolfrom the policy function
1
def policy(resource):
2
return True
Copied!
The Python body SHOULD:
- Name the argument to the
policy()functionresource
The Python body MAY:
- Import standard Python3 libraries
- Import from the user defined
aws_globalsmodule - Import from the Panther defined
panthermodule - Define additional helper functions as needed
- Define variables and classes outside the scope of the rule function
Using the schemas in supported resources provides details on all available fields in resources. Top level keys are always present, although they may contain
NoneType values.Example Policy
1
{
2
"AccountId": "123456789012",
3
"AllowUsersToChangePassword": true,
4
"AnyExist": true,
5
"ExpirePasswords": true,
6
"HardExpiry": null,
7
"MaxPasswordAge": 90,
8
"MinimumPasswordLength": 14,
9
"Name": "AWS.PasswordPolicy",
10
"PasswordReusePrevention": 24,
11
"Region": "global",
12
"RequireLowercaseCharacters": true,
13
"RequireNumbers": true,
14
"RequireSymbols": true,
15
"RequireUppercaseCharacters": true,
16
"ResourceId": "123456789012::AWS.PasswordPolicy",
17
"ResourceType": "AWS.PasswordPolicy",
18
"Tags": null,
19
"TimeCreated": null
20
}
Copied!
This example policy alerts when the password policy does not enforce a maximum password age:
1
def policy(resource):
2
if resource['MaxPasswordAge'] is None:
3
return False
4
return resource['MaxPasswordAge'] <= 90
Copied!
In the
policy() body, returning a value of True indicates the resource is compliant and no alert should be sent. Returning a value of False indicates the resource is non-compliant.First Steps with Policies
When starting your policy writing/editing journey, your team should decide between a UI or CLI driven workflow.
Then, configure the built in policies by searching for the
Configuration Required tag. These policies are designed to be modified by you, the security professional, based on your organization's business logic.Writing Policies in the Panther UI
Navigate to Cloud Security > Policies, and click
Create New in the top right corner. You have the option of creating a single new policy, or uploading a zip file containing policies created with the panther_analysis_tool. Clicking single will take you to the policy editor page.
Policy Editor
Set Attributes
Keeping with the Password Policy example above, set all the necessary rule attributes:
Attributes Set
Write Policy Body
Then write our policy logic in the
policy() function.
Policy Body
Configure Tests
Next, configure test cases to ensure our policy works as expected:
Unit Tests
Policy Writing Tips
Constructing Test Resources
Manually building test cases is tedious and error prone. We suggest one of two alternatives:
- 1.Open
Cloud Security>Resources, and apply a filter of the resource type you intend to emulate in your test. Select a resource in your environment, and on theAttributescard you can copy the full JSON representation of that resource by selecting copy button next to the wordroot. - 2.Open the Panther Resources documentation, and navigate to the section for the resource you are trying to emulate. Copy the provided example resource.
Paste this in to the resource editor if you're working in the web UI, or into the
Resource field if you are working locally. Now you can manually modify the fields relevant to your policy and the specific test case you are trying to emulate.Option 1 is best when it is practical, as this can provide real test data for your policies. Additionally, it is often the case that you are writing/modifying a policy specifically because of an offending resource in your account. Using that exact resource's JSON representation as your test case can guarantee that similar resources will be caught by your policy in the future.
Debugging Exceptions
Debugging exceptions can be difficult, as you do not have direct access to the python environment running the policies.
When you see a policy that is showing the state
Error on a given resource, that means that the policy threw an exception. The best method for troubleshooting these errors is to use option 1 in the Constructing test resources section above and create a test case from the resource causing the exception.Running this test case either locally or in the web UI should provide more context for the issue, and allow you to rapidly modify the policy to debug the exception without having to run the policy against all resources in your environment.
Note: Anything printed to stdout in the python logic will end up in CloudWatch. For SaaS/CPaaS customers, panther engineers can see these CloudWatch logs during routine application monitoring.
​
Last modified 2mo ago