Custom Benchmark
Custom Benchmarks in StackGuardian let users define and run their own checks, aligned with specific business requirements, industry standards, or internal protocols. Users can create benchmarks tailored to their organizational needs, going beyond the predefined options.
Create a Custom Benchmark
Creating and enforcing a custom benchmark takes a few steps in the StackGuardian UI:
Step 1: Navigate to the Connectors Tab
After connecting your AWS or Azure account, go to Orchestrator > Connectors and scroll to find all your integrated platforms.
Step 2: Select Connector
Click on the specific connector (AWS or Azure) where you want to apply a custom benchmark.
Step 3: Create Benchmark
In the pop-up modal listing all benchmarks, click "Create Benchmark (Preview)" at the bottom and fill in:
- Check Name: e.g., "Security Audit"
- Description: e.g., "A comprehensive check for cloud security."
Step 4: Configure Benchmark
Your new custom check appears alongside the pre-existing checks. Select it and update the details under its settings:
- Benchmark Status: Toggle to activate or deactivate.
- Name and Description: Amend if needed.
- Runtime Source: Specify where the runtime data of your benchmark is sourced.
- Source Destination Kind: e.g., GitHub.
- Repository URL: The URL of the repository holding the benchmark's code (the mod.sp file and the .sp control files).
- Reference (Optional): The revision to check out, such as a branch, tag or commit. Pinning a tag or commit ensures that the benchmark you reviewed is the one that runs, rather than whatever the branch head contains at discovery time.
- Is Private Source Check: Toggle if the repository is private.
- Authentication Method: The credentials StackGuardian uses to fetch a private repository.
- Working Dir: The path to the directory containing the benchmark (its mod.sp and control files) if it is not at the root of the repository, e.g., infra/app1/aws/ec2.
Step 5: Save Benchmark
Click the "Save Benchmark" button to finalize the setup.
Example Configurations for Custom Benchmarks:
a) Cost Optimization:
- Fork the open-source turbot/steampipe-mod-aws-thrifty repository (the Steampipe cost mod) into your own repository.
- Modify the '.sp' files in the 'controls' folder as needed: remove or alter controls to fit your requirements.
- In StackGuardian's Connectors tab, click on the account and select 'Create Benchmark (Preview)'. Enter the URL of your modified repository.
- After saving and running the discovery, the customized cost benchmark will be available (allow up to 15 minutes for results to display).
b) Security Enhancement:
- As for cost optimization, fork and modify the turbot/steampipe-mod-aws-compliance repository.
- Navigate to StackGuardian's Connectors tab, select 'Create Benchmark (Preview)', and enter the modified repository's URL.
- Specify a particular benchmark (e.g., SOC 2 or PCI DSS) in the 'checks' section using the format benchmark.<benchmark-name>, where the name is the label of the corresponding benchmark block in the mod's .sp files.
- After saving and running the discovery, the customized security benchmark becomes visible.
c) Setting up a benchmark from scratch
- Create a repository for the benchmark. It must contain the file mod.sp to be recognized as a benchmark repository (see https://github.com/StackGuardian/discovery-benchmarks/tree/main/custom-benchmark for a reference layout).
- Add files with the .sp extension that hold the controls and queries (e.g. custom.sp).
- Within a .sp file you work with three constructs:
  - query: uses SQL to query the cloud provider for specific resources and attributes
  - control: references a query and gives it a title and description so that a finding is understandable
  - benchmark: provides the title for the overall benchmark and lists the controls it contains as so-called children
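A minimal two-file benchmark that follows the layout above, written here as an added illustration; it is not a file from the StackGuardian discovery-benchmarks repository or from the Steampipe mods. It assumes the Steampipe AWS plugin's aws_s3_bucket and aws_ebs_volume tables; the mod name, control names, severities and the plugin version are the example's own choices. The label of the benchmark block is what you reference in the 'checks' section, here as benchmark.custom_security.

```hcl
# mod.sp (repository root, or the directory named in "Working Dir")
# Added example, not the project's own file. The plugin version is an assumption.
mod "custom_benchmark" {
  title       = "Custom Security Benchmark"
  description = "Organization-specific AWS checks run by StackGuardian discovery."

  require {
    plugin "aws" {
      min_version = "0.100.0"
    }
  }
}

# custom.sp
# Every control query must return the columns resource, status and reason;
# status is one of ok, alarm, info, skip or error. region and account_id are
# optional dimensions used to group findings.

# query: SQL against the provider's tables (here the Steampipe AWS plugin).
query "s3_bucket_public_access_blocked" {
  sql = <<-EOQ
    select
      arn as resource,
      case
        when block_public_acls and block_public_policy
         and ignore_public_acls and restrict_public_buckets then 'ok'
        else 'alarm'
      end as status,
      case
        when block_public_acls and block_public_policy
         and ignore_public_acls and restrict_public_buckets
          then name || ' blocks all public access.'
        else name || ' has at least one public access block setting disabled.'
      end as reason,
      region,
      account_id
    from
      aws_s3_bucket;
  EOQ
}

query "ebs_volume_encrypted" {
  sql = <<-EOQ
    select
      arn as resource,
      case when encrypted then 'ok' else 'alarm' end as status,
      case
        when encrypted then volume_id || ' is encrypted at rest.'
        else volume_id || ' is not encrypted at rest.'
      end as reason,
      region,
      account_id
    from
      aws_ebs_volume;
  EOQ
}

# control: wraps a query with the title, description and severity shown in findings.
control "s3_bucket_public_access_blocked" {
  title       = "S3 buckets should block public access"
  description = "All four S3 Block Public Access settings must be enabled on every bucket."
  query       = query.s3_bucket_public_access_blocked
  severity    = "high"
  tags = {
    service = "AWS/S3"
  }
}

control "ebs_volume_encrypted" {
  title       = "EBS volumes should be encrypted at rest"
  description = "Unencrypted volumes expose data if a snapshot or the underlying storage is accessed."
  query       = query.ebs_volume_encrypted
  severity    = "medium"
  tags = {
    service = "AWS/EBS"
  }
}

# benchmark: the unit StackGuardian enables; referenced as benchmark.custom_security.
benchmark "custom_security" {
  title       = "Custom Security Benchmark"
  description = "Baseline storage controls required by internal policy."
  children = [
    control.s3_bucket_public_access_blocked,
    control.ebs_volume_encrypted
  ]
}
```

Before pointing StackGuardian at the repository, run the mod locally against a sandbox account (with Steampipe releases that still ship the `steampipe check` command, `steampipe check benchmark.custom_security`; newer releases move benchmark execution to Powerpipe). A SQL error or a query that omits one of the required columns surfaces there immediately, instead of as an empty or missing benchmark after the discovery run.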
Enforce a Benchmark
1. Select a Benchmark
Choose from the list of benchmarks - COST, CIS, Custom, etc.
2. Access Settings
On the right of the selected benchmark, click the "Settings" button.
3. Enable Benchmark
Switch the "Benchmark Status" to 'Enabled'.
4. Save and Apply
Hit the "Save Benchmark" button to apply the enforcement to the selected connector.
By following these steps, both standard and custom benchmarks can be effectively created and enforced, ensuring a tailored approach to optimizing and securing cloud services.