How Policies Work in Tenable Cloud Security

Tenable Cloud Security defines policies as policy templates written in the Rego policy language. Its policy engine embeds the Open Policy Agent (OPA), which evaluates these policies to detect configuration violations in resources. Tenable Cloud Security reads cloud and IaC resources, assesses them against the policies defined for their resource type, and displays any violations it detects as misconfigurations.

The following image shows how policies work in Tenable Cloud Security:

The following process describes how Tenable Cloud Security reports misconfigurations:

  1. Tenable Cloud Security reads the cloud resources in the cloud provider's own schema and converts them into a common resource configuration format. Similarly, Tenable Cloud Security converts the Terraform schema of IaC resources into the same common resource configuration format.

  2. The Tenable Cloud Security policy engine then compares these resources against the policies for that resource type.

  3. If any violations are detected, Tenable Cloud Security reports these as misconfigurations.
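The following is an added illustration of the three steps above, written for this page and not taken from Tenable Cloud Security itself. It normalizes a constructed EC2 API record and a constructed Terraform `aws_instance` block into one common format, then runs the same two sample policies over both. The record shapes, field names, and policy names are assumptions made for the example; they are not Tenable's internal schema or built-in policy identifiers.

```python
"""Toy emulation of the policy pipeline: normalize provider-specific and
Terraform records into one common format, then run the same policies over
both.  All record shapes, field names and policy names are constructed for
this example and are NOT Tenable Cloud Security's internal schema."""
from dataclasses import dataclass, field
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class Resource:
    """Constructed common resource configuration format (step 1 output)."""
    resource_type: str            # e.g. "aws_instance"
    resource_id: str              # instance id or Terraform address
    source: str                   # "cloud" or "iac"
    config: dict[str, Any] = field(default_factory=dict)


def from_aws_describe(instance: dict) -> Resource:
    """Normalize a record shaped like an EC2 DescribeInstances entry (constructed)."""
    metadata = instance.get("MetadataOptions", {})
    return Resource(
        resource_type="aws_instance",
        resource_id=instance["InstanceId"],
        source="cloud",
        config={
            "public_ip": instance.get("PublicIpAddress") is not None,
            "security_group_ids": [g["GroupId"] for g in instance.get("SecurityGroups", [])],
            "imdsv2_required": metadata.get("HttpTokens") == "required",
        },
    )


def from_terraform(address: str, attrs: dict) -> Resource:
    """Normalize a Terraform aws_instance block's attributes (constructed plan values)."""
    metadata = attrs.get("metadata_options", {})
    return Resource(
        resource_type="aws_instance",
        resource_id=address,
        source="iac",
        config={
            "public_ip": bool(attrs.get("associate_public_ip_address", False)),
            "security_group_ids": list(attrs.get("vpc_security_group_ids", [])),
            "imdsv2_required": metadata.get("http_tokens") == "required",
        },
    )


# Sample policies (hypothetical).  Each reads like a Rego `deny` rule: match the
# resource type, test the condition, return a finding message or None.
def ec2_no_public_ip(r: Resource) -> Optional[str]:
    if r.resource_type == "aws_instance" and r.config.get("public_ip"):
        return f"{r.resource_id}: EC2 instance has a public IP address"
    return None


def ec2_require_imdsv2(r: Resource) -> Optional[str]:
    if r.resource_type == "aws_instance" and not r.config.get("imdsv2_required"):
        return f"{r.resource_id}: instance metadata service does not require IMDSv2 tokens"
    return None


POLICIES: dict[str, Callable[[Resource], Optional[str]]] = {
    "ec2-no-public-ip": ec2_no_public_ip,
    "ec2-require-imdsv2": ec2_require_imdsv2,
}


def evaluate(resources, policies=POLICIES) -> list[dict]:
    """Steps 2 and 3: run every policy over every normalized resource and
    collect violations as misconfiguration findings."""
    findings = []
    for r in resources:
        for name, rule in policies.items():
            msg = rule(r)
            if msg is not None:
                findings.append({"policy": name, "source": r.source, "message": msg})
    return findings


# Constructed sample inputs: a running instance with a public IP but IMDSv2
# enforced, and a Terraform block with no public IP but IMDSv2 left optional.
CLOUD_INSTANCE = {
    "InstanceId": "i-0example1234567890",
    "PublicIpAddress": "203.0.113.10",
    "SecurityGroups": [{"GroupId": "sg-0example"}],
    "MetadataOptions": {"HttpTokens": "required"},
}
TF_ATTRS = {
    "associate_public_ip_address": False,
    "vpc_security_group_ids": ["sg-0example"],
    "metadata_options": {"http_tokens": "optional"},
}


def run_demo() -> list[dict]:
    """Normalize both sources and evaluate them with the same policy set."""
    resources = [from_aws_describe(CLOUD_INSTANCE), from_terraform("aws_instance.web", TF_ATTRS)]
    return evaluate(resources)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['source']}] {f['policy']}: {f['message']}")
```

Because both sources are reduced to the same `Resource` shape before evaluation, a single policy definition produces the cloud finding (public IP) and the IaC finding (IMDSv2 not required) without any source-specific logic in the policy itself.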

Benefits

Tenable Cloud Security includes a set of built-in policies for each resource type of a cloud provider. For example, Tenable Cloud Security defines a set of policies for AWS EC2 instances. Tenable Cloud Security uses the same policy to detect violations in both cloud and IaC for a particular resource type.

Tenable Cloud Security provides a vast coverage of policies to verify compliance across various resource types.

Note: Tenable Cloud Security provides over 1,800 policies out of the box, and is constantly adding more.

By default, Tenable Cloud Security automatically assigns the Accurics Security Best Practices policy group for the selected cloud provider to your project. You can modify the policy group for the project, if required.