Creating and using custom posture policies in VMware Tanzu Hub

As an InfoSec analyst or administrator, you want to ensure that your resources have the correct configuration and remain correctly configured over time to meet your organization’s security requirements. You can use posture policies in Tanzu Hub to define the expected configuration, monitor your resources against it, and report a finding whenever a configuration does not match the policy.

When you onboard accounts into Tanzu Hub, all posture policies are automatically activated and begin running to generate findings. A finding from a security policy indicates a misconfiguration or vulnerability in your cloud resources that should be investigated and resolved. Posture policies are useful for catching and correcting misconfigurations that were already present in your accounts before onboarding, or to identify ongoing issues in business practices that may create vulnerabilities in your accounts.

Before you begin

  • Verify that you have one or more cloud accounts onboarded in Tanzu Hub.
  • Verify user roles and permissions. You must have administrator permissions to create custom posture policies.

Create a custom posture policy

Custom posture policies are useful when you have a specific security need or vulnerability that isn’t covered by a Tanzu Hub native posture policy. In this situation you can create a custom policy to close the gap. For example, the native AWS security policies generate a finding when an IAM password is older than 90 days, but your organization may require renewing passwords earlier than that. The following steps demonstrate how to create a policy that checks for IAM passwords older than 60 days.

  1. In Tanzu Hub, click Guardrails > Policies.
  2. Click View (Posture policy) > New custom policy.
  3. In the General information section, enter the primary attributes for the policy using the image below as a reference.

    The first step of the custom policy workflow prompts users to enter a policy name, description, and query.

    1. To create the query in this example, select the 90-day version of the policy from Guardrails > Policies > View (Posture policy) and copy its query string.
    2. Then change MaxPasswordAge>90 to MaxPasswordAge>60, or to whatever maximum age your organization requires.
    3. For more examples, see the How to create effective queries for your custom security policy section.
  4. Click Next.
  5. In the Properties section, enter the metadata used to categorize and filter your policy. Refer to the image below for an example.

    The second step of the custom policy workflow prompts users to enter property information for the provider, service, severity, policy type, and policy category.

  6. Click Save.

How to create effective queries for your custom security policy

Posture policies are structured as queries that describe a misconfiguration or vulnerability in a cloud resource. Tanzu Hub runs these queries against your onboarded accounts and generates a finding for every resource that matches. The key to building an effective query is a thorough understanding of how Simple Search Query Language works, combined with testing the query before committing it to a custom policy.

The table below gives examples of queries that can be used in custom security policies. To test a query, run it in the Explore section and check whether it returns any results. The number of matched resources tells you roughly how many findings a custom policy built on that query would generate on day one.

While a query is running in Explore, you can save it directly as a custom policy: click Create a custom policy with this query.

The query search displays a button that you can click to create a custom policy from the query.

The following table includes sample policy queries that you can run. Each query is followed by a description of what it detects and which placeholder values you must replace.

entityType=AWS.EC2.SecurityGroup -Contains-> entityType=AWS.EC2.SecurityGroupRule and RuleDirection=inbound and FromPort<=<FromPort> and ToPort>=<ToPort> and IpProtocol=tcp and RangeStart=0 and RangeEnd=4294967295

Detects AWS security groups that allow public access over IPv4 on a specific port or port range. Before running it, replace <FromPort> and <ToPort> with the port or port range you want to monitor (use the same value for both to monitor a single port). The query matches an inbound TCP rule whose port span covers the whole monitored range (FromPort at or below <FromPort>, ToPort at or above <ToPort>) and whose source is 0.0.0.0/0; RangeStart=0 and RangeEnd=4294967295 express that CIDR as an integer address range.

entityType=AWS.EC2.SecurityGroup -Contains-> entityType=AWS.EC2.SecurityGroupRule and RuleDirection=inbound and FromPort<=<FromPort> and ToPort>=<ToPort> and IpProtocol=tcp and CidrIpv6=::/0

Provides the same function as the previous query, but for IPv6 traffic.

entityType=AWS.EC2.Instance and propertyName(PublicIpAddress) and StateName=running -IsAssociatedWith-> entityType=AWS.EC2.SecurityGroup -Contains-> entityType=AWS.EC2.SecurityGroupRule and RuleDirection=inbound and FromPort<=<FromPort> and ToPort>=<ToPort> and IpProtocol=tcp and RangeStart=0 and RangeEnd=4294967295 <-Contains- entityType=AWS.EC2.SecurityGroup <-IsAssociatedWith- entityType=AWS.EC2.Instance -IsContainedIn-> entityType=AWS.EC2.Subnet <-IsAssociatedWith- entityType=AWS.EC2.RouteTable -Contains-> entityType=AWS.EC2.Route -Contains-> entityType=AWS.EC2.InternetGateway

Detects a running AWS EC2 instance that has a public IP address, is attached to a security group allowing public IPv4 access on a specific port, and sits in a subnet whose route table has a route to an internet gateway, so the instance is actually reachable from the internet rather than merely permitted by the security group. Before running it, replace <FromPort> and <ToPort> with the port or port range you want to monitor.

entityType=Azure.Sql.Database and not(Name=master or Name=model or Name=msdb or Name=tempdb) -IsAssociatedWith-> entityType=Azure.Sql.DatabaseBlobAuditingPolicy and (RetentionDays>0 and RetentionDays<<Limit>)

Detects an Azure SQL database (excluding the master, model, msdb, and tempdb system databases) whose blob auditing policy retains audit logs for fewer days than your organization requires. Replace <Limit> with the minimum number of days for which audit logs should be retained before deletion. For example, RetentionDays<120 generates a finding for any database whose audit logs are kept for fewer than 120 days. RetentionDays>0 is included because a retention value of 0 in Azure SQL auditing means unlimited retention, which should not be reported.

entityType=Azure.Sql.Database and not(Name=master or Name=model or Name=msdb or Name=tempdb) -IsAssociatedWith-> entityType=Azure.Sql.DatabaseSecurityAlertPolicy and State=Enabled and (RetentionDays>0 and RetentionDays<<Limit>)

Provides the same function as the previous query, but for Advanced Threat Protection logs.

entityType=Azure.PostgreSQL.Server and UserVisibleState=Ready -IsAssociatedWith-> entityType=Azure.PostgreSQL.ConfigurationsGroup -Contains-> entityType=Azure.PostgreSQL.Configuration and Name=log_retention_days and Value != ("4", "5", "6", "7")

Detects an Azure PostgreSQL server that retains log files for fewer than a minimum number of days. The log_retention_days parameter accepts values from 1 to 7, so the list at the end of the query names the acceptable values and the query flags every server set to anything else. As written, the query generates a finding for a server that retains logs for 3 days or less; adjust this by removing or adding values to the list. For example, Value != ("6", "7") detects servers retaining logs for five days or less.
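The three AWS security-group queries above share one matching rule: an inbound TCP rule whose port span covers the whole monitored range, with a source of 0.0.0.0/0 (as the integer range 0 to 4294967295) or ::/0. The following Python script is an added example, not Tanzu Hub code or its query engine: it mirrors those conditions against constructed sample security groups so you can see what a given <FromPort>/<ToPort> choice would match before you save the query as a custom policy, and it renders the query string with the placeholders filled in. The rule records and group ids are made up; the field names follow the query text (RuleDirection, FromPort, ToPort, IpProtocol, RangeStart, RangeEnd, CidrIpv6).

```python
"""Local pre-check that mirrors the 'public access on a specific port' queries.

Added example, not Tanzu Hub code. SAMPLE_GROUPS is constructed data in the
shape the queries refer to; nothing here was exported from a real account.
"""
import ipaddress

# 0.0.0.0/0 expressed as the integer address range the IPv4 query tests for.
IPV4_ALL = (0, 4294967295)

IPV4_QUERY = (
    "entityType=AWS.EC2.SecurityGroup -Contains-> entityType=AWS.EC2.SecurityGroupRule "
    "and RuleDirection=inbound and FromPort<={from_port} and ToPort>={to_port} "
    "and IpProtocol=tcp and RangeStart=0 and RangeEnd=4294967295"
)
IPV6_QUERY = (
    "entityType=AWS.EC2.SecurityGroup -Contains-> entityType=AWS.EC2.SecurityGroupRule "
    "and RuleDirection=inbound and FromPort<={from_port} and ToPort>={to_port} "
    "and IpProtocol=tcp and CidrIpv6=::/0"
)


def check_ports(from_port, to_port):
    """Reject placeholder values that would silently match nothing (FromPort > ToPort)."""
    if not (0 <= from_port <= to_port <= 65535):
        raise ValueError("need 0 <= FromPort <= ToPort <= 65535")


def render_query(from_port, to_port, ipv6=False):
    """Fill <FromPort>/<ToPort> in the page's query so the string can be pasted into Explore."""
    check_ports(from_port, to_port)
    template = IPV6_QUERY if ipv6 else IPV4_QUERY
    return template.format(from_port=from_port, to_port=to_port)


def ipv4_cidr_to_range(cidr):
    """Express an IPv4 CIDR as the (RangeStart, RangeEnd) pair the query compares against."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def ipv4_rule(from_port, to_port, cidr, direction="inbound", protocol="tcp"):
    """Build a sample rule record with RangeStart/RangeEnd derived from the CIDR (constructed data)."""
    start, end = ipv4_cidr_to_range(cidr)
    return {"RuleDirection": direction, "IpProtocol": protocol,
            "FromPort": from_port, "ToPort": to_port,
            "RangeStart": start, "RangeEnd": end}


def ipv6_rule(from_port, to_port, cidr, direction="inbound", protocol="tcp"):
    """Build a sample IPv6 rule record (constructed data)."""
    return {"RuleDirection": direction, "IpProtocol": protocol,
            "FromPort": from_port, "ToPort": to_port, "CidrIpv6": cidr}


def rule_matches(rule, from_port, to_port):
    """The query's conditions on one rule: inbound, tcp, the rule's port span covers the
    whole monitored range, and the source is 0.0.0.0/0 (integer range) or ::/0."""
    if rule["RuleDirection"] != "inbound" or rule["IpProtocol"] != "tcp":
        return False
    if not (rule["FromPort"] <= from_port and rule["ToPort"] >= to_port):
        return False
    if "CidrIpv6" in rule:
        return ipaddress.IPv6Network(rule["CidrIpv6"]) == ipaddress.IPv6Network("::/0")
    return (rule.get("RangeStart"), rule.get("RangeEnd")) == IPV4_ALL


def find_public_groups(groups, from_port, to_port):
    """Return the sorted ids of groups with at least one matching rule: the findings the
    custom policy would raise on this data."""
    check_ports(from_port, to_port)
    return sorted(gid for gid, rules in groups.items()
                  if any(rule_matches(r, from_port, to_port) for r in rules))


# Constructed sample groups; ids and rules are invented for the example.
SAMPLE_GROUPS = {
    "sg-web":        [ipv4_rule(80, 80, "0.0.0.0/0")],
    "sg-ssh-intern": [ipv4_rule(22, 22, "10.0.0.0/8")],
    "sg-all-tcp":    [ipv4_rule(0, 65535, "0.0.0.0/0")],
    "sg-v6-https":   [ipv6_rule(443, 443, "::/0")],
    "sg-egress":     [ipv4_rule(0, 65535, "0.0.0.0/0", direction="outbound")],
    # All-protocol rule open to the world: NOT caught by the tcp-only query.
    "sg-any-proto":  [ipv4_rule(-1, -1, "0.0.0.0/0", protocol="-1")],
}

if __name__ == "__main__":
    for fp, tp in ((22, 22), (80, 80), (443, 443), (20, 25)):
        print(f"{fp}-{tp}: {find_public_groups(SAMPLE_GROUPS, fp, tp)}")
    print(render_query(22, 22))
```

Two caveats the sample data makes visible. First, a rule is matched only when its own port span covers the entire monitored range, so monitoring 20-25 does not report a group that opens port 22 alone; monitor the single port if that is what you care about. Second, the query tests IpProtocol=tcp and the exact 0.0.0.0/0 range, so an all-traffic (-1) or UDP rule open to the world, or a source split into 0.0.0.0/1 plus 128.0.0.0/1, is not reported; cover those cases with separate queries rather than assuming one policy catches every form of public exposure.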

Parent topic: Define and apply governance policies in VMware Tanzu Hub
