Bridgecrew Custom Policies: A simple standard for policy-as-code


For today’s teams developing and deploying infrastructure, there are several ways to write and enforce security policies.

With cloud providers’ pre-built configuration and compliance solutions, you get basic controls that can instantly be employed on existing infrastructure. Framework-agnostic projects like Checkov or Open Policy Agent, on the other hand, provide more flexibility when it comes to introducing governance throughout the development lifecycle and testing policies pre-production.

Regardless of the approach, implementing a new policy enforcement tool requires dedication—from learning a new syntax and writing new policies, to operationalizing new components in an already functioning CI/CD pipeline.

We built Bridgecrew to help teams avoid those tradeoffs with a centralized platform for enforcing security best practices across the infrastructure development lifecycle and hundreds of pre-defined policies.

Today we’re extending our flexibility and coverage even further with the availability of Bridgecrew Custom Policies. 💡

You can now define and test your own infrastructure security policies and ship them directly from the Bridgecrew platform.

Configuration isn’t one-size-fits-all

When it comes to developing consistent and secure infrastructure, every product is unique, and every team has its own goals. Let’s say your data privacy team wants to enforce a tagging convention, your infrastructure team wants to restrict who can spin up certain services, and your security team wants to enforce a secure password policy for specific resources.

With Bridgecrew Custom Policies, you can create everything from the most basic checks to the most complex policies to fit your needs.

Access is everything

As cloud development shifts left and becomes more declarative, it’s more important than ever to have centralized and flexible configuration enforcement. But authoring and enforcing policies shouldn’t slow your team down. With our no-code policy authoring, everyone on your team can write policies that get enforced wherever infrastructure is governed—without needing to know a domain-specific language.

By making policy authoring accessible to everyone and automating the enforcement of those policies, you’ll spend less time fixing misconfigurations after the fact, and more time staying compliant in the first place.

How Custom Policies work

Bridgecrew makes it incredibly foolproof to build and test new policies.

Start by filling out your policy details:

When naming your Custom Policy, we recommend utilizing standard conventions to make it clear what the policy is intended to check and what kind of resource it is checking.

As with our built-in policies, Guidelines provide context around the severity, impacted resources, and information to help you investigate and fix the issue. You can use our Description, Rationale, and Remediation structure (here’s a simple EC2 tagging policy example) or follow a structure that works better for you.

Associate your policy with a specific category (Logging, Encryption, etc.) and compliance benchmarks (CIS AWS, SOC2, etc.). Defining these fields is useful when monitoring areas of your code and cloud posture over time and when exporting reports for compliance audits.

Defining the cloud provider and resource type determines which arguments are available when you define the arguments for your Custom Policy in the next step.

Custom Policies use simple building blocks—arguments and values. Arguments follow the official Terraform resource-to-argument dictionary. To describe a nested argument, just use a dot [.] to represent the sub-argument. For example, to check for S3 bucket versioning, append the versioning argument and the enabled argument: versioning.enabled and input true for the value.

As you add arguments, Bridgecrew tests your policy against existing resources and populates a preview with failing checks. In the screenshot below, you can see that line 17 of the previewed resource is not compliant with our Custom Policy, which restricts EC2 resource_type to t3.small.

Once you Save your new Custom Policy, it will show up in your Policies list alongside the rest of Bridgecrew’s pre-built policies, and Bridgecrew will check your resources against it in all subsequent scans.
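To make the argument/value building blocks and the dot notation concrete, here is a small policy evaluator written as an added example for this post; it is not Bridgecrew's code and does not reproduce how the platform evaluates policies internally. It assumes resources arrive as nested dictionaries (type, name, attribute tree), the shape a Terraform parser would typically produce, and it encodes the two checks described above: `versioning.enabled` must be `true` on S3 buckets, and EC2 instances must be sized `t3.small`. For the EC2 check it uses Terraform's `instance_type` argument, which I am assuming is what the screenshot's check maps to. The sample resources are constructed for illustration.

```python
from typing import Any, Dict, List, Tuple

# Constructed sample resources, shaped the way a Terraform-HCL parser might hand
# them to a policy engine (a type, a name, and a nested attribute tree).
# These are illustrative, not a real configuration.
SAMPLE_RESOURCES: List[Dict[str, Any]] = [
    {"type": "aws_s3_bucket", "name": "logs",
     "attributes": {"versioning": {"enabled": True}}},
    {"type": "aws_s3_bucket", "name": "assets",
     "attributes": {"versioning": {"enabled": False}}},
    {"type": "aws_s3_bucket", "name": "legacy",
     "attributes": {}},                      # versioning block absent entirely
    {"type": "aws_instance", "name": "web",
     "attributes": {"instance_type": "t3.small"}},
    {"type": "aws_instance", "name": "batch",
     "attributes": {"instance_type": "m5.large"}},
]


def resolve_path(attributes: Dict[str, Any], dotted_path: str) -> Tuple[bool, Any]:
    """Walk a dotted argument path (e.g. 'versioning.enabled') through the
    nested attribute tree. Returns (found, value); found is False when any
    segment is missing, so callers can tell 'absent' apart from 'set to False'."""
    node: Any = attributes
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def evaluate_policy(policy: Dict[str, Any],
                    resources: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Apply one argument/value policy to every resource of the policy's type.
    A resource fails when the argument is missing or its value differs from
    the expected one; resources of other types are out of scope and skipped."""
    failures: List[Dict[str, str]] = []
    for res in resources:
        if res["type"] != policy["resource_type"]:
            continue
        found, value = resolve_path(res["attributes"], policy["argument"])
        if not found:
            reason = f"argument '{policy['argument']}' is not set"
        elif value != policy["expected"]:
            reason = f"{policy['argument']} is {value!r}, expected {policy['expected']!r}"
        else:
            continue
        failures.append({"resource": f"{res['type']}.{res['name']}", "reason": reason})
    return failures


# The two policies described in the post. instance_type is the Terraform
# argument assumed here for the EC2 size restriction.
S3_VERSIONING_POLICY = {"name": "S3 bucket versioning enabled",
                        "resource_type": "aws_s3_bucket",
                        "argument": "versioning.enabled", "expected": True}
EC2_SIZE_POLICY = {"name": "EC2 instances restricted to t3.small",
                   "resource_type": "aws_instance",
                   "argument": "instance_type", "expected": "t3.small"}


def failing_resource_names(policy: Dict[str, Any],
                           resources: List[Dict[str, Any]] = SAMPLE_RESOURCES) -> List[str]:
    """Convenience wrapper: just the identifiers of resources that fail a policy."""
    return [f["resource"] for f in evaluate_policy(policy, resources)]


if __name__ == "__main__":
    for policy in (S3_VERSIONING_POLICY, EC2_SIZE_POLICY):
        print(policy["name"])
        for failure in evaluate_policy(policy, SAMPLE_RESOURCES):
            print(f"  FAIL {failure['resource']}: {failure['reason']}")
```

The design point worth noticing is the handling of a missing block: the `legacy` bucket has no `versioning` block at all, and the evaluator reports it as failing rather than silently skipping it, since a policy that requires `versioning.enabled = true` is equally violated by an argument that was never set. Treating "absent" and "explicitly false" as two distinct failure reasons also makes the remediation guidance clearer to whoever reads the finding.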

We hope that by providing teams with a fully-customizable policy engine, Bridgecrew can enable teams of all shapes and sizes to securely and consistently deploy infrastructure at scale.

Stay tuned for additional updates to Custom Policies and check it out for yourself in the Bridgecrew platform—it’s free to get started.