CIEM Policies, Exclusions, and Remediation

Policies

To receive notifications about CIEM events, it is necessary to create a policy. You define the CIEM policy like other CloudGuard policies. For more information, see Configuring CloudGuard Policies.

The findings that the CIEM policy discovers already exist in the system, so no new findings are created.

Start to configure the policy from CIEM > Policies > Add Policy > Environment Policy.

You can select these types of notifications in your CIEM policy:

• Immediate Notification - Send findings immediately to one or more of the given destinations:

  • Separate Message - By email, to a list of email recipients.

  • SNS notifications - To an AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. SNS topic; enter the ARN Amazon Resource Names (ARNs) uniquely identify AWS resources. They are required to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls. for the AWS SNS topic and select the format for the notification.

  • HTTP Endpoint - To an HTTP endpoint for third-party applications.

• Security Management Systems - Send notifications to a security management system.

• Issue Management Systems - Send notifications to an external ticketing system, such as PageDuty.

For more information about the options, see How to Configure a Notification.

Exclusions

You define the CIEM exclusions like other CloudGuard exclusions. For more information, see Configuring CloudGuard Exclusions.

Start to configure the exclusion from CIEM > Exclusions > Create New Exclusion.

The CIEM exclusions always apply to the preselected Entitlement Management ruleset. The exclusion is based on these parameters:

• Environment or Organization unit

• Date range

• Entity

• Account number

• Alerts severity

To create an exclusion from a finding, see Creating Exclusion for Finding.

To create an exclusion from scratch, see Creating an Exclusion.

Remediation

You define remediations for CIEM like other remediations for Posture Management. For more information, see Automatic Remediation with CloudBots.

Start to configure the remediation from CIEM > Remediation > Create New Remediation.

The CIEM remediation always applies to the preselected Entitlement Management ruleset.

To create a remediation, see Adding Remediation.

The applied CloudBot is iam_entity_create_and_attach_permission_boundary. The default policy name is CIEMSuggestion, but you can enter another permission boundary (policy) name. This policy is a permissions boundary policy added by the CloudBot from the finding as described in Option B.