Getting Started with Resmo Rules
Resmo looks at asset security and compliance from a ‘continuous’ perspective. That is to say, manually auditing your cloud and SaaS resources only from time to time (e.g., during annual compliance audits) is not enough. Cybersecurity should be an iterative process, implemented before a development process begins and throughout the product life cycle.
Vulnerabilities can creep into your resources at any point. Nonetheless, conducting manual security checks is time-consuming and error-prone. That’s why Resmo’s rules/policies are designed to streamline the process, making it more effective and continuous. Let’s get you more acquainted with Resmo rules.
What are the rules/policies on Resmo?
Resmo rules are a set of policies that continuously evaluate your assets’ conformance with security and compliance best practices. They help you automate asset vulnerability scans instead of having your security and engineering teams perform them manually. Once you set up a rule, it evaluates your resources for validity at regular intervals.
There are two types of rules on Resmo:
- Managed rules: Managed policies come out of the box and are managed by Resmo. Each integrated tool has its own set of rules.
- Custom rules: These are rules that you create using custom/managed SQL queries.
Note: If configured as a notification rule, you will be alerted whenever a resource violates the rule.
Benefits of using Resmo rules
- Continuous assessment of cloud and SaaS resources
- Automated asset vulnerability scans
- Less time spent on manual cyber asset security and compliance activities
- Conformance with security best practices on an ongoing basis
- Ability to create custom rules that apply to your organization’s specific needs
Asset security checks in detail
There is more to rules than meets the eye. Every rule has a detail page containing a set of critical information. In other words, it is where you can observe the rule overview, activities, status changes, date of each change, severity, remediation instructions, evaluation results, suppressions, related resources, and resource groups (if any). Let’s examine the essential elements more closely.
Rule severity: Each rule must have a severity level to categorize alerts and streamline prioritization.
Status: There are five statuses available: Warning, OK, Error, Internal Error, and No Data. A rule’s status can change depending on the evaluation results. You can also filter your rules based on statuses to determine which ones to act upon first.
Remediation: Most of the managed rules come with remediation descriptions. For custom rules, you can, optionally, define the remediation process. It helps expedite remediation processes for responsible team members.
Activity: The rule detail page comprises an activity tab that displays every activity related to a rule, such as a status change, a suppression, etc. This tab helps you review past activities and statuses.
Suppression: There might be some resources you wish to exclude from a rule check. For example, if you left an S3 bucket intentionally public, you can suppress it inside a rule. Each suppression is observable within a rule.
Common use cases for Resmo rules
Most of the managed rules come with remediation suggestions. Plus, you can add your own remediation steps to custom rules to accelerate vulnerability response times and remediation processes.
1. Continuously monitor your cloud assets
Resmo integrates with the major cloud service providers. Below are a few rules that will help you enhance your cloud security.
Amazon Web Services
Resmo offers more than 400 resources and over 500 questions and rule checks for AWS asset security.
- AWS S3 buckets must be encrypted
It’s more common than you would expect to encounter data leaks due to S3 bucket misconfigurations. Therefore, there are a few best practices that you can apply to prevent leaky buckets. For example: ensuring that your S3 buckets are not publicly accessible or that they are encrypted. Resmo provides all the queries and rules necessary to check your AWS S3 bucket security.
- AWS IAM Role must not have AdministratorAccess policy attached
You can attach specific policies (permissions) to IAM roles. Since the AdministratorAccess policy grants full access to all resources and services in AWS and can delegate permissions, you shouldn’t attach that policy to an IAM role. You can easily and automatically check your conformance with IAM role security best practices with Resmo rules.
Interested in secure AWS integration with third parties? Check out our blog post: Everything You Need to Know About AWS Assume Role.
Microsoft Azure
- Azure Storage Account public access must be blocked.
Allowing public access to your Azure Storage account might lead to security risks. To prevent undesired anonymous access and data breaches, you should disallow public access.
- Azure Container Registry must not allow unrestricted network access.
By default, Azure container registries accept connections over the internet from any host. To prevent unauthorized access to your Azure container registries, you should allow access only from specific public IP addresses or address ranges.
Google Cloud Platform
- GCP BigQuery dataset must restrict public access.
Properly managing access controls is a key part of ensuring security in the cloud. If you store sensitive data in your dataset, ensure that public access is not allowed.
You might also like our free guide on multi-cloud asset visibility.
- GCP KMS crypto keys must not be anonymously or publicly accessible.
It is recommended to make sure that anonymous and/or public access to your GCP Cloud KMS (Key Management Service) crypto keys is restricted. Especially if you store sensitive data in your cloud, such access permissions must not be allowed.
Otherwise, whether you’re running complex workloads or are midway through a migration, you might be exposed to data breaches and other vulnerabilities. Resmo has a managed query for this potential vulnerability, along with many others. Moreover, you can run SQL queries manually and instantly check your resources for security.
Good to know: Ensure that GCP Cloud KMS crypto keys are regularly rotated to improve your security posture. There’s a query for that, too!
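As an added illustration (not Resmo’s code or schema), the script below loads a constructed asset inventory into SQLite, runs custom rule queries modelled on the S3 encryption, IAM AdministratorAccess and Azure Storage public access checks above, applies suppressions as described under “Asset security checks in detail”, and derives a status using the page’s status names. Table and column names, and the mapping from violations to statuses, are assumptions.

```python
import sqlite3
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# Constructed sample inventory; table and column names are assumptions for
# this illustration, not Resmo's real schema.
SCHEMA = """
CREATE TABLE aws_s3_bucket (name TEXT, sse_algorithm TEXT);
CREATE TABLE aws_iam_role (name TEXT);
CREATE TABLE aws_iam_role_policy (role_name TEXT, policy_arn TEXT);
CREATE TABLE azure_storage_account (name TEXT, allow_blob_public_access INTEGER);
"""
SAMPLE_ROWS = {
    "aws_s3_bucket": [("logs", "AES256"), ("uploads", None), ("backups", "aws:kms")],
    "aws_iam_role": [("deploy",), ("readonly",)],
    "aws_iam_role_policy": [("deploy", ADMIN_POLICY),
                            ("readonly", "arn:aws:iam::aws:policy/ReadOnlyAccess")],
    "azure_storage_account": [],  # nothing integrated yet, so the rule has no data
}
# Each rule pairs the resource table it covers with a query returning violators.
RULES = {
    "AWS S3 buckets must be encrypted": (
        "aws_s3_bucket",
        "SELECT name FROM aws_s3_bucket WHERE sse_algorithm IS NULL"),
    "AWS IAM Role must not have AdministratorAccess policy attached": (
        "aws_iam_role",
        "SELECT r.name FROM aws_iam_role r JOIN aws_iam_role_policy p "
        f"ON p.role_name = r.name WHERE p.policy_arn = '{ADMIN_POLICY}'"),
    "Azure Storage Account public access must be blocked": (
        "azure_storage_account",
        "SELECT name FROM azure_storage_account WHERE allow_blob_public_access = 1"),
}

def build_inventory():
    """Load the constructed inventory into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        if rows:
            marks = ",".join("?" * len(rows[0]))
            conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def evaluate(conn, rule_name, suppressed=()):
    """Return (status, offending resource names) after removing suppressions.
    The status mapping is an assumption: empty resource table -> "No Data",
    any unsuppressed violator -> "Warning", otherwise "OK"."""
    table, query = RULES[rule_name]
    if conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0] == 0:
        return "No Data", []
    offenders = sorted({row[0] for row in conn.execute(query)} - set(suppressed))
    return ("Warning" if offenders else "OK"), offenders
```

Suppressing the intentionally unencrypted bucket (`suppressed=("uploads",)`) turns the S3 rule’s status from Warning to OK while the suppression stays visible in the call, mirroring how a suppression is recorded on the rule’s detail page.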
2. Assess security best practices for SaaS resources
You can integrate a wide range of SaaS tools with Resmo and start securing your resources. Some example rules follow.
- GitHub Organization 2FA must be enabled.
Two-Factor Authentication (2FA) puts an extra layer of protection between your assets and malicious threat actors. Therefore, turning 2FA on can greatly improve your business’s cybersecurity posture.
- GitHub Organization settings must block public repository creation.
To protect your organization’s data from being compromised, you can configure your organization to disallow public repository creation. This way, you reduce the risk of unintended public repositories going unnoticed and causing data breaches.
- Bitbucket Repositories must prevent forking.
When creating a Bitbucket Cloud repository, you can specify whether it is private or public. This setting can be changed at any time, but it’s a best practice to keep repositories private and determine who can access them and whether they can fork them.
- Bitbucket Projects must be private.
To keep your data protection intact, you should ensure that Bitbucket projects remain private unless explicitly specified otherwise.
- GitLab Groups 2FA enforcement must be enabled.
2FA provides an additional layer of security for your GitLab groups. An unauthorized person would need your username, password, and second factor to access your GitLab groups. Therefore, it’s also recommended to enforce Two-Factor Authentication.
- Handle opened GitLab merge requests with security labels as soon as possible.
Merge requests classified with a security label might contain issues your team should handle as soon as possible. Resmo alerts you when a GitLab merge request with a security label is opened.
3. Prioritize vulnerability remediation for each rule
Although identifying vulnerabilities should be top of mind, properly prioritizing them is just as important. Otherwise, engineering and security teams might fail to focus on the most critical issues as soon as they arise.
As a solution, you can configure a severity level and add remediation instructions for each rule on Resmo. Plus, rule evaluation statuses can also help you understand which rule to address first.
Time to try them out!
Now that you know what you can achieve with Resmo rules, it’s time for you to see how they work. You can sign up for a free trial, integrate with your favorite services, and start your asset security journey. In case you need more instructions, check out the developer documentation.