Configuring CloudGuard Policies

In CloudGuard, you configure a Policy with three components:

  • Environment - After you onboard your environment to CloudGuard, it appears on the Environments page of the Assets menu.

  • Ruleset - CloudGuard provides a wide range of rules for each security feature (Intelligence, Compliance, Admission Control, etc.) and each cloud platform. CloudGuard applies these rules to the selected environments as a bundle called a ruleset. You can customize the predefined rulesets and create your own rules.

  • Notification - The means and channels through which you receive information about violated rules:

    • All events and findings listed in the CloudGuard portal (Alerts console)

    • Email messages or reports

    • HTTP endpoints (ServiceNow, QRadar, SumoLogic, etc.)

    • Slack and Teams channels

    • Security management systems

    • Issue management systems

General Workflow

To configure a policy in CloudGuard:

  1. Select a platform, environment, or both.

  2. Select rulesets. For more details, see Rules and Rulesets.

  3. Select notifications. For more details, see Notifications.

After you have onboarded your environments and clusters to CloudGuard, you can configure these policies:

Policy Deletion

Each policy in CloudGuard is a combination of an environment, a ruleset, and a notification. When you delete a policy, you break the association between these three components. None of the components themselves is deleted, that is:

  • Your environment remains onboarded to CloudGuard.

  • The ruleset exists in the list of the available rulesets based on the applicable feature, for example, Intelligence or Image Assurance.

  • The notification exists in the list of available notifications.

However, the events generated by applying the policy are no longer valid. The findings created before the policy deletion become resolved or passed because no rule is violated. The passed indication is sent to all targets (except email) enabled in the associated notification, such as:

To delete a policy:

  1. Navigate to the Policies page in one of the CloudGuard features, for example, CSPM > Continuous Posture, CIEM > Policies, or Workload Protection > Admission Control > Policies.

  2. Select one or more policies to delete.

  3. On the top menu, click Unassociate.

  4. Click Yes to confirm the operation.