Controls
A control is a rule that defines clear pass/fail criteria.
Here are a few examples:
Code Review: All code must be reviewed and approved before merging.
Security Scan: All code must pass security scans before deployment.
Build Success: Software builds must have a high success rate (90% or more).
Incident Response: Track how quickly production issues are addressed.
Controls are defined as simple SQL statements and stored in a YAML file. The community edition includes more than 2,000 policies for AWS, Azure, and Entra ID.
Control Structure
Control rules consist of two parts:
Metadata
ID: Unique identifier for the control.
Title: A brief title describing the control.
Description (Optional): A detailed description of the control.
Severity: Indicates the importance or criticality of the control.
Types of Controls
Controls with Inline Policies
Controls with inline policies contain both the compliance requirement (what must be done) and the policy (how to check it) within a single YAML file.
Controls with Referenced Policies
To improve reusability, controls can reference other policies. These are called Controls with Referenced Policies. This approach allows for:
Reusability: Common policies can be reused across multiple controls.
Customization: Policies can be tailored to fit specific compliance needs.
Consistency: Ensures uniform application of policies across different controls.
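To make the two layouts concrete, here is an added example (not the project's own code or schema) that evaluates one inline and one referenced control against a constructed inventory in SQLite. The YAML keys (`policy.query` vs `policy.ref`), the `buckets` table and the convention that each policy query returns one `ok` flag per resource are assumptions for illustration; the point it adds is that a dangling policy reference must fail the evaluation rather than silently pass.

```python
"""Evaluate controls with inline or referenced SQL policies (added example; assumed schema)."""
import sqlite3

# Constructed policy registry: reusable policies keyed by ID, shared across controls.
# Assumed convention: each query yields one row per resource with a boolean `ok` column.
POLICIES = {
    "bucket_not_public": "SELECT name AS resource, NOT public AS ok FROM buckets",
}

# Constructed controls, written as the dicts a YAML loader would produce.
CONTROLS = [
    {"id": "ctl-001", "title": "Buckets must be encrypted at rest", "severity": "high",
     "policy": {"query": "SELECT name AS resource, encrypted AS ok FROM buckets"}},  # inline
    {"id": "ctl-002", "title": "Buckets must block public access", "severity": "critical",
     "policy": {"ref": "bucket_not_public"}},  # referenced policy
]


def resolve_policy(control, registry=POLICIES):
    """Return the SQL for a control; a dangling reference is an error, never a silent pass."""
    policy = control["policy"]
    if "query" in policy:
        return policy["query"]
    ref = policy["ref"]
    if ref not in registry:
        raise KeyError(f"{control['id']}: referenced policy {ref!r} not found")
    return registry[ref]


def evaluate(control, conn, registry=POLICIES):
    """Run the control's query; the control passes only if every resource row has ok == 1."""
    rows = conn.execute(resolve_policy(control, registry)).fetchall()
    failing = [resource for resource, ok in rows if not ok]
    return {"id": control["id"], "severity": control["severity"],
            "status": "fail" if failing else "pass", "failing": failing}


def sample_db():
    """Constructed inventory: three buckets, one unencrypted, none public."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE buckets (name TEXT, encrypted INTEGER, public INTEGER)")
    conn.executemany("INSERT INTO buckets VALUES (?, ?, ?)",
                     [("assets", 1, 0), ("logs", 0, 0), ("backup", 1, 0)])
    return conn


if __name__ == "__main__":
    db = sample_db()
    for ctl in CONTROLS:
        print(evaluate(ctl, db))  # ctl-001 fails on "logs", ctl-002 passes
```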
Next Steps
The following sections walk through both approaches, Controls with Inline Policies and Controls with Referenced Policies, to show how compliance rules are managed in practice.