Compliance Engine Cloud Entity Domain Model


The Dome9 Compliance Engine is based on GSL (Governance Specification Language), which defines the syntax for compliance rules. It also includes cloud entities, which are the targets to which the rules apply. These entities represent the real entities in the supported cloud platforms, such as instances or S3 buckets.

Entities have attributes, some of which are unique to specific entities. Some attributes are simple (for example, strings or numbers), and some are compound (usually sub-entities related to the entity, for example, the VPC in which an instance is located). Attributes can also be lists.

GSL includes entities for the cloud platforms supported by Dome9.

The supported entities are listed below, by platform.

AWS Entities

Here are the supported entities in AWS:

• Instance
• AMI Instance
• Security Groups
• VPC
• ELB
• RDS
• Lambda
• Region VPC
• Subnet
• NACL
• ALB
• CloudTrails
• IAM
• IAM Groups
• IAM Role
• IAM User
• KMS
• Redshift
• Region
• S3 Buckets
• Direct connect
• Internet Gateway
• DynamoDB

Azure Entities

• Application Gateway
• Load Balancer
• Network Security Group
• Resource Group
• Subnet
• Virtual Network
• Virtual Machine

Google Cloud Platform Entities

• Network
• Subnet
• VM Instance

    Details for AWS entities

The sections below contain details for some of the Dome9 AWS entities.


Instance entity

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| image | string | Id of the instance image (AMI) | | |
| kernelId | string | Id of the instance kernel | | Example: aki-71665e05 |
| platform | string | OS platform type | windows, linux | |
| launchTime | integer | Launch time of the instance, represented in Unix (epoch) format | | |
| inboundRules | [inboundRule] | List of rules for inbound traffic | | |
| outboundRules | [outboundRule] | List of rules for outbound traffic | | |
| nics | [nic] | List of Network Interface Controller (NIC) objects attached to the instance | | |
| isPublic | boolean | Determines whether the instance is public facing | | |
| instanceType | string | The EC2 instance type | | Example: t2.micro |
| isRunning | boolean | Determines whether the instance is in the running state | | |
| volumes | [volume] | List of Amazon EBS volumes attached to the instance | | |
| profileArn | string | IAM instance profile ARN | | Example: arn:aws:iam::<acc-id>:instance-profile/dbRole |
| roles | [role] | List of roles applied to the instance | | |
| inspector | inspector | Holds the AWS Inspector runs and findings for the instance | | To get Inspector information, Inspector must be active for the instance, i.e. an AWS Inspector agent must be deployed on it. For more information on activating AWS Inspector see the AWS documentation: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html |
| vpc | vpc | VPC Id in which the instance is placed | | |
| id | string | AWS Id of the instance | | Example: i-b4e01d31 |
| type | string | Type of element | Instance | |
| name | string | Name of the instance | | Example: PROD-01 |
| dome9Id | string | Dome9 Id of the instance | | |
| accountNumber | integer | AWS account number | | Example: 088171856215 |
| region | string | Id of the AWS region in which the instance is placed | | Example: eu_west_1 |
| source | string | Source of the information on the element: fetched by Dome9 (db), or a CloudFormation Template processed by the Dome9 engine (cft) | db, cft | |
| tags | [tag] | An arbitrary set of tags (key-value pairs) for this instance | | |

inboundRule attribute

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| protocol | string | The type of protocol, for example TCP or UDP | | For known protocols see the IANA protocol numbers |
| port | int | Start of port range | 0-65535 | |
| portTo | int | End of port range | 0-65535 | |
| scope | string | Determines the traffic that can reach the instance. The source can be a single IP address, or an IP address range in CIDR notation | | CIDR example: 203.0.113.5/32 |
| scopeMetaData | scopeMetaData | Additional information on the scope | | |

outboundRule attribute

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| protocol | string | The type of protocol, for example TCP or UDP | | For known protocols see the IANA protocol numbers |
| port | int | Start of port range | 0-65535 | |
| portTo | int | End of port range | 0-65535 | |
| scope | string | Determines the traffic that can be reached from the instance. The target can be a single IP address, or an IP address range in CIDR notation | | CIDR example: 203.0.113.5/32 |
| scopeMetaData | scopeMetaData | Additional information on the scope | | |

scopeMetaData attribute

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| vpcId | string | ID of the VPC in which the instance is placed | | |
| region | int | | | |
| accountInfo | accountInfo | Information on the AWS account in which the element is placed | | |
| accountNumber | string | AWS account number | | |

accountInfo attribute

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| id | | Dome9 representation of the AWS account ID | | |
| name | | AWS account name | | |
| externalAccountNumber | | AWS account ID | | |

nic attribute

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| id | string | Id of the NIC | | |
| name | string | Name of the NIC | | |
| subnet | subnet | The subnet in which the NIC is located | | |
| privateDnsName | string | The private DNS name of the specified instance | | Example: ip-10-24-34-0.ec2.internal |
| publicIpAddress | string | The public IP address of the specified instance | | Example: 52.24.34.0 |
| privateIpAddress | string | The private IP address of the specified instance | | Example: 10.24.34.0 |
| securityGroups | [securityGroup] | A list of the Amazon EC2 security groups assigned to the Amazon EC2 instance | | |
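The following is an added example, not code from the Dome9 page or product: it builds Instance entities in the shape of the Instance, inboundRule and nic tables above (attribute names isPublic, inboundRules, protocol, port, portTo, scope, nics) and runs a defender-style check over them, flagging public-facing instances whose inbound rules let the whole internet reach an administrative port. The sample instances and the helper names (rule_covers_port, scope_is_world, exposed_ports, audit) are this example's own assumptions.

```python
# Added example: model of the Dome9 Instance entity (attribute names from the
# tables above) with a check over its inboundRules list attribute.
import ipaddress

# Constructed sample entities shaped like the Instance attribute table.
INSTANCES = [
    {"id": "i-0example1", "name": "PROD-01", "isPublic": True, "isRunning": True,
     "nics": [{"id": "eni-1", "publicIpAddress": "203.0.113.10"}],
     "inboundRules": [
         {"protocol": "TCP", "port": 22, "portTo": 22, "scope": "0.0.0.0/0"},
         {"protocol": "TCP", "port": 443, "portTo": 443, "scope": "0.0.0.0/0"},
     ]},
    {"id": "i-0example2", "name": "DB-01", "isPublic": False, "isRunning": True,
     "nics": [{"id": "eni-2", "publicIpAddress": None}],
     "inboundRules": [
         {"protocol": "TCP", "port": 0, "portTo": 65535, "scope": "10.0.0.0/8"},
     ]},
]


def rule_covers_port(rule, port):
    """True when the rule's port..portTo range (0-65535) includes `port`."""
    return rule["port"] <= port <= rule["portTo"]


def scope_is_world(scope):
    """True when the scope is an entire address space, e.g. 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(scope, strict=False).prefixlen == 0


def exposed_ports(instance, ports=(22, 3389)):
    """Admin ports reachable from anywhere on a public-facing instance.

    Combines a simple attribute (isPublic) with a list attribute (inboundRules)
    whose elements are inboundRule sub-entities, as the model describes.
    """
    if not instance.get("isPublic"):
        return []
    found = set()
    for rule in instance.get("inboundRules", []):
        if str(rule["protocol"]).upper() != "TCP" or not scope_is_world(rule["scope"]):
            continue
        found.update(p for p in ports if rule_covers_port(rule, p))
    return sorted(found)


def audit(instances):
    """Map instance id -> exposed admin ports, only for instances that have any."""
    return {i["id"]: exposed_ports(i) for i in instances if exposed_ports(i)}


if __name__ == "__main__":
    print(audit(INSTANCES))  # {'i-0example1': [22]}
```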

inspector attribute

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| runs | [run] | List of AWS Inspector runs for the instance | | |
| findings | [finding] | List of AWS Inspector findings for the instance | | |

run attribute

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| runArn | string | ARN of the Inspector assessment run | | |
| templateArn | string | ARN of the Inspector assessment template | | |
| runName | string | Name of the Inspector assessment run | | |
| rulesPackagesArns | [string] | List of rules packages within the Inspector assessment template | | |
| durationInSeconds | integer | Run duration, in seconds | | |
| findingsCount | {severity, count} | Map of finding counts: the key is the finding severity, the value is the number of findings of that severity | | The numbers reflect the findings of the run across all the relevant instances, not only the instance being evaluated |
| state | string | State of the run | | |
| creationTime | integer | Time the run was created | | |
| startTime | integer | Run start time | | |
| endTime | integer | Run end time | | |

finding attribute

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| findingArn | string | ARN of the assessment finding | | |
| assessmentRunArn | string | ARN of the Inspector assessment run | | |
| rulesPackageArn | string | ARN of the rules package that generated the finding | | |
| assetType | string | Type of inspected element | ec2-instance | |
| creationTime | integer | Time the finding was created | | |
| findingId | string | Id of the finding | | Example: CVE-2014-4075 |
| title | string | Title of the finding | | |
| description | string | Description of the finding | | |
| recommendation | string | Remediation recommendation | | |
| severity | string | Severity of the finding | | See the AWS Inspector documentation: http://docs.aws.amazon.com/inspector/latest/userguide/inspector_rule-packages.html#SeverityLevels |

IAM Policy entity

An AWS IAM policy is a complex element that can be constructed in many ways. Dome9 is based on the AWS APIs, and the entities used in the rule engine are built from the result structure returned by those APIs.

This document provides the high-level structure of the policy element.

For a complete reference of the structure and grammar of IAM policies see the AWS documentation: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-bnf

For a complete reference on the IAM JSON policy elements see the AWS documentation: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html. This guide covers all the elements that may be included in a policy: Principal, Action and more.

Policy attribute

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| Version | string | Version of the policy | | Example: "2012-10-17" |
| Statement | [statement] | List of policy statements | | |

Statement attribute

| Attribute Name | Type(s) | Description | Values | Comments |
|---|---|---|---|---|
| Sid | string | Statement Id | | Example: AWSCloudTrailAclCheck20150319 |
| Effect | string | The effect when the user requests the specific action | allow, deny | |
| Principal | {principal} | Specifies the user (IAM user, federated user, or assumed-role user), AWS account, AWS service, or other principal entity that is allowed or denied access to a resource | | |
| NotPrincipal | {principal} | Specifies an exception to a list of principals | | |
| Action | string or [string] | Action or list of actions to be performed when the operation is invoked | | Examples: "Action": "s3:*" or "Action": [ "ec2:StartInstances", "iam:ChangePassword", "s3:GetObject" ] |
| NotAction | string or [string] | Represents the exception in matches: the actions the statement does not match | | Example: "NotAction": "s3:DeleteBucket" |
| Resource | string or [string] | Specifies the object or objects that the statement covers. Statements must include either a Resource or a NotResource element | | Examples: "Resource": "arn:aws:s3:::my_corporate_bucket/*" or "Resource": [ "arn:aws:dynamodb:us-east-2:account-ID-without-hyphens:table/books_table", "arn:aws:dynamodb:us-east-2:account-ID-without-hyphens:table/magazines_table" ] |
| NotResource | string or [string] | Specifies the object or objects that are match exceptions to the list of resources | | Example: "NotResource": [ "arn:aws:s3:::HRBucket/Payroll", "arn:aws:s3:::HRBucket/Payroll/*" ] |
| Condition | {condition} | Map of conditions for when a policy is in effect | | |

Principal attribute

| Attribute Name | Type(s) | Description | Values | Comments |
|---|---|---|---|---|
| AWS | string or [string] | AWS account | | Example: "AWS": "arn:aws:iam::AWS-account-ID:root" |
| Federated | string or [string] | Federated user | | Example: "Federated": "arn:aws:iam::AWS-account-ID:saml-provider/provider-name" |
| Service | string or [string] | The relevant service | | Example: cloudtrail.amazonaws.com |

Condition attribute

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| Condition | {condition-entry} | IAM condition entry | | |

condition-entry attribute

| Attribute Name | Type | Description | Values | Comments |
|---|---|---|---|---|
| key | string | IAM condition key | | Example: aws:MultiFactorAuthPresent |
| value | string | IAM condition value | | Example: true |
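The following is an added example, not code from the Dome9 page or product: it works through the Policy and Statement tables above, where Action, NotAction, Resource and NotResource are typed "string or [string]" and Condition is a map of condition entries (key/value, e.g. aws:MultiFactorAuthPresent), and runs a check over a constructed policy document for statements that allow every action on every resource without an MFA condition. The sample policy and the helper names (as_list, condition_entries, grants_action, is_unconditional_admin, find_unconditional_admin) are this example's own assumptions.

```python
# Added example: normalising IAM Statement attributes (string or [string]) and
# Condition entries from the tables above, then checking a constructed policy.
from fnmatch import fnmatchcase

# Constructed sample policy shaped like the Policy / Statement tables.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyS3", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::my_corporate_bucket/*"},
        {"Sid": "AdminNoMfa", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AdminWithMfa", "Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}


def as_list(value):
    """A field typed `string or [string]` always becomes a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def condition_entries(statement):
    """Flatten Condition {operator: {key: value}} into (key, value) pairs."""
    return [(k, v) for op in statement.get("Condition", {}).values()
            for k, v in op.items()]


def grants_action(statement, action):
    """Does Action/NotAction cover `action`? Wildcards ("s3:*") are honoured."""
    act = action.lower()
    if "NotAction" in statement:
        return not any(fnmatchcase(act, p.lower()) for p in as_list(statement["NotAction"]))
    return any(fnmatchcase(act, p.lower()) for p in as_list(statement.get("Action")))


def is_unconditional_admin(statement):
    """Allow on Action "*" and Resource "*" with no aws:MultiFactorAuthPresent key."""
    if statement.get("Effect", "").lower() != "allow":
        return False
    if "*" not in as_list(statement.get("Action")):
        return False
    if "*" not in as_list(statement.get("Resource")):
        return False
    keys = {k for k, _ in condition_entries(statement)}
    return "aws:MultiFactorAuthPresent" not in keys


def find_unconditional_admin(policy):
    """Sids of statements in the policy that grant unconditional full access."""
    return [s.get("Sid") for s in policy["Statement"] if is_unconditional_admin(s)]


if __name__ == "__main__":
    print(find_unconditional_admin(POLICY))  # ['AdminNoMfa']
```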

    See also

    The Dome9 GSL Core Language