Create a new compliance bundle and run an assessment with it

    This note illustrates how to use the Dome9 API to create a new compliance bundle and then run an assessment with it on a cloud account. It uses the Dome9 API CompliancePolicy and Assessment resources.

    This example runs a single assessment. Use the ContinuousCompliancePolicy resource to run assessments continuously.

    See also

    Compliance

    Continuous Compliance

    Prerequisite steps

    You will need the following information:

    • the GSL statements for the rules in the bundle
    • the cloud account id to be assessed by the bundle

    Create a Bundle

    Use the CompliancePolicy method.

    Request  

    POST https://api.dome9.com/v2/CompliancePolicy

    This is an example of the request block.   

     

     

     

     

     {  
       "name":"Example Bundle",
       "description":"Test bundle",
       "rules":[  
          {  
             "name":"RDS storage should be encrypted",
             "description":"You should encrypt your Amazon RDS instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instance.",
             "severity":"High",
             "logic":"RDS should have isStorageEncrypted = 'true' and kmsKeyId",
             "remediation":"Consider migrating your RDS to an at rest encrypted RDS; Follow AWS recommendations at: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
             "complianceTag":"Encryption and Key Management"
          }
       ],
       "cloudVendor":"aws"
    } 

     

     

     

    Parameters

    Set these fields:

    • name and (optionally) description of the bundle

    For each rule:

    • name and (optionally) description of the rule
    • severity - the severity of the rule (High/Medium/Low)
    • logic - the GSL statement for the rule, as a text string
    • remediation - free text of the remediation instructions

    Ignore these parameters:

    complianceTag, domain, priority, controlTitle, ruleId, id, logicHash

    Response 

    This is an example of the response. The bundle id value (in the example below, 30263) is used to run assessments with the bundle.

     

     

     

     

    {  
       "rules":[  
          {  
             "name":"RDS storage should be encrypted",
             "severity":"High",
             "logic":"RDS should have isStorageEncrypted = 'true' and kmsKeyId",
             "description":"You should encrypt your Amazon RDS instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instance.",
             "remediation":"Consider migrating your RDS to an at rest encrypted RDS; Follow AWS recommendations at: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
             "complianceTag":"Encryption and Key Management",
             "domain":"",
             "priority":"",
             "controlTitle":"",
             "ruleId":"",
             "logicHash":"HtVz32xiB0iFPv74rGyirg",
             "isDefault":false
          }
       ],
       "accountId":*****,
       "createdTime":"2018-08-20T05:00:38.2769723Z",
       "updatedTime":"0001-01-01T00:00:00",
       "id":30263,
       "name":"Example Bundle",
       "description":"Test bundle",
       "isTemplate":false,
       "hideInCompliance":false,
       "minFeatureTier":"Premium",
       "section":0,
       "tooltipText":"",
       "showBundle":true,
       "systemBundle":false,
       "cloudVendor":"aws",
       "version":1,
       "language":"en"
    }
     

     

     

     

     

     Code sample 

    # '\'' embeds a literal single quote inside the single-quoted JSON body,
    # so the GSL value 'true' reaches the API with its quotes intact.
    curl -X POST https://api.dome9.com/v2/CompliancePolicy \
      --basic -u <key-id>:<key-secret> \
      -H 'Content-Type: application/json' \
      -H 'Accept: application/json' \
      -d '{
       "name":"Example Bundle",
       "description":"Test bundle",
       "rules":[
          {
             "name":"RDS storage should be encrypted",
             "description":"You should encrypt your Amazon RDS instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instance.",
             "severity":"High",
             "logic":"RDS should have isStorageEncrypted = '\''true'\'' and kmsKeyId",
             "remediation":"Consider migrating your RDS to an at rest encrypted RDS; Follow AWS recommendations at: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
             "complianceTag":"Encryption and Key Management"
          }
       ],
       "cloudVendor":"aws"
    }'
      

     

     

     

     

     

     

     

     

     

     

    Run an Assessment with the bundle

    Use the AssessmentBundleV2 method.

    Request 

     POST https://api.dome9.com/v2/assessment/bundleV2 

     

     


    {  
       "id":30263,
       "name":"Example Bundle",
       "description":"Test bundle",
       "isCft":false,
       "dome9CloudAccountId":"********-****-****-****-************",
       "externalCloudAccountId":"************",
       "cloudAccountId":"************",
       "region":"us_east_1",
       "cloudAccountType":"Aws",
       "requestId":"00000000-0000-0000-0000-000000000000"
    }

     

     

    Parameters

    id - this is the bundle id, returned from the POST CompliancePolicy request, above (in this example, 30263)

    dome9CloudAccountId - the Dome9 account number (can be retrieved using GET CloudAccounts)

    externalCloudAccountId and cloudAccountId - these are both the cloud account id in the cloud provider (in this case, the AWS account id)

    region - the region (in the cloud provider) to test the bundle, as a text string.

    Response 

    The response shows the results of the tests (in this case, one test) when the bundle was run on the selected account and region. In this example, the test passed. 

     

     

     

     

    {  
       "request":{  
          "id":30263,
          "name":"Example Bundle",
          "description":"Test bundle",
          "cft":null,
          "isCft":false,
          "dome9CloudAccountId":"********-****-****-****-************",
          "externalCloudAccountId":"************",
          "cloudAccountId":"************",
          "region":"us_east_1",
          "cloudNetwork":"string",
          "cloudAccountType":"Aws",
          "requestId":"85742614-360b-4b53-b51d-afe57acb41f5"
       },
       "tests":[  
          {  
             "error":null,
             "testedCount":0,
             "relevantCount":0,
             "nonComplyingCount":0,
             "entityResults":[  

             ],
             "rule":{  
                "name":"RDS storage should be encrypted",
                "severity":"High",
                "logic":"RDS should have isStorageEncrypted = 'true' and kmsKeyId",
                "description":"You should encrypt your Amazon RDS instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instance.",
                "remediation":"Consider migrating your RDS to an at rest encrypted RDS; Follow AWS recommendations at: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
                "complianceTag":"Encryption and Key Management",
                "domain":"",
                "priority":"",
                "controlTitle":"",
                "ruleId":"",
                "logicHash":"HtVz32xiB0iFPv74rGyirg",
                "isDefault":false
             },
             "testPassed":true
          }
       ],
       "locationMetadata":{  
          "account":{  
             "srl":"",
             "name":"AWS",
             "id":"********-****-****-****-************",
             "externalId":"************"
          },
          "region":{  
             "srl":"",
             "name":"N. Virginia",
             "id":"us_east_1",
             "externalId":"us-east-1"
          },
          "cloudNetwork":{  
             "srl":"",
             "name":"",
             "id":"string",
             "externalId":"string"
          }
       },
       "testEntities":{  
          "rds":[  

          ]
       },
       "assessmentPassed":true,
       "hasErrors":false,
       "id":35673387
    }

     

     

     

    Code sample   

     

     

    curl -X POST https://api.dome9.com/v2/assessment/bundleV2 \
      --basic -u <key-id>:<key-secret> \
      -H 'Content-Type: application/json' \
      -H 'Accept: application/json' \
      -d '
    {  
       "id":30263,
       "name":"Example Bundle",
       "description":"Test bundle",
       "isCft":false,
       "dome9CloudAccountId":"********-****-****-****-************",
       "externalCloudAccountId":"************",
       "cloudAccountId":"************",
       "region":"us_east_1",
       "cloudAccountType":"Aws",
       "requestId":"00000000-0000-0000-0000-000000000000"
    }'
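
    The two calls chained together, as an added example (not Dome9's own code): it builds the assessment request from the CompliancePolicy response and classifies each test in the assessment response. The function names and the NOT_EVALUATED label are assumptions of this example; it treats testPassed with testedCount 0, as in the response above, as a rule that matched no entities rather than as evidence of compliance.

```python
import json

def build_assessment_request(bundle, dome9_account_id, aws_account_id, region):
    """Reuse the bundle id returned by POST CompliancePolicy in the bundleV2 request."""
    return {
        "id": bundle["id"],
        "name": bundle["name"],
        "description": bundle.get("description", ""),
        "isCft": False,
        "dome9CloudAccountId": dome9_account_id,
        # Both fields carry the cloud provider's account id (here, the AWS account id).
        "externalCloudAccountId": aws_account_id,
        "cloudAccountId": aws_account_id,
        "region": region,
        "cloudAccountType": "Aws",
        "requestId": "00000000-0000-0000-0000-000000000000",
    }

def summarize_assessment(result):
    """Return (severity, rule name, status, nonComplyingCount) for each test."""
    rows = []
    for t in result["tests"]:
        if t.get("error"):
            status = "ERROR"
        elif not t["testPassed"]:
            status = "FAIL"
        elif t["testedCount"] == 0:
            # Assumption: testedCount is the number of entities the rule was run against.
            status = "NOT_EVALUATED"
        else:
            status = "PASS"
        rows.append((t["rule"]["severity"], t["rule"]["name"], status, t["nonComplyingCount"]))
    return rows

# Constructed inputs, trimmed from the two responses shown on this page.
BUNDLE_RESPONSE = json.loads('{"id": 30263, "name": "Example Bundle", "description": "Test bundle"}')
ASSESSMENT_RESPONSE = json.loads("""
{"tests": [{"error": null, "testedCount": 0, "relevantCount": 0, "nonComplyingCount": 0,
            "entityResults": [],
            "rule": {"name": "RDS storage should be encrypted", "severity": "High"},
            "testPassed": true}],
 "assessmentPassed": true, "hasErrors": false, "id": 35673387}
""")

if __name__ == "__main__":
    req = build_assessment_request(BUNDLE_RESPONSE, "<dome9-account-id>", "<aws-account-id>", "us_east_1")
    print(json.dumps(req, indent=2))
    for row in summarize_assessment(ASSESSMENT_RESPONSE):
        print(row)
```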