As a Cloud Security Operations administrator, you must continuously verify that the organizational units in your AWS landing zone comply with the policies you applied. Cloud Guardrails helps you detect drift from those policies and enforce compliance.
To ensure that the organizational units in your AWS landing zone comply with your security policies, you can have Cloud Guardrails attach security baseline guardrails to the landing zone. Cloud Guardrails includes security templates that contain policies and configuration rules; the templates enforce those configuration rules on the organizational units in your landing zone.
Cloud Guardrails can apply mandatory, strongly recommended, and elective baseline security guardrail policies to your AWS landing zone. When you, as a Cloud Operations administrator, set up your AWS landing zone, the mandatory guardrails are enabled by default. During setup, you can select the strongly recommended and elective guardrails that you need to apply to your landing zone, and you can deselect them later as needed.
| Type of security guardrail | Supported security templates | Rules in the template that Cloud Guardrails enforces |
|---|---|---|
| Strongly recommended guardrails | | |
Cloud Guardrails provides templates that support elective guardrails as SCP policies and configuration rules.
- To apply the security policies to the organizational units in your AWS landing zone, access the Cloud Guardrails policy templates from your vRealize Automation Cloud instance.
- On the Guardrails tab, click +New.
- Click From library.
- Click the Security card.
- Import the SCP policy template and the config templates.
  - Select the template named Mandatory and Strongly Recommended Guardrails SCP Policy.
  - Select the template named Strongly Recommended Guardrails Config Rules.
  - Select the template named Elective Guardrails SCP Policy.
  - Select the template named Elective Guardrails Config Rules.
  - Click Add Selected Template, select a project, and click Import.

  The templates appear in the list on the Templates tab.
- To create the desired states, click each template, and click Create Desired State.

  For example, click Strongly Recommended Guardrails Config Rules, and click Create Desired State.
- In the Create a Desired State dialog box, enter a name and description, and select a cloud account and region. Then click Create.
- Create the desired states for the other security templates for your landing zone.
Congratulations! To ensure that the organizational units in your AWS landing zone comply with your security policies, you imported the security templates for your landing zone and created desired states.
What to do next
After you create the desired state, you can run it and view the resulting enforcements. To find out more about creating desired states and enforcements, see How do I create a Cloud Guardrails desired state from a template and enforce it.