Governance

Policies that improve the configuration of your assets to increase performance, usefulness, and security. Use KICS built-in policies or create your own.


Last updated 8 months ago


Built-in Policies

After integrating your data source(s), Firefly uses KICS to scan your assets and discover vulnerabilities in their configuration. KICS queries are written in the Open Policy Agent (OPA) Rego language and fall into the following categories:

  • Access Control
  • Availability
  • Backup
  • Best Practices
  • Build Process
  • Encryption
  • Insecure Configurations
  • Insecure Defaults
  • Networking and Firewall
  • Observability
  • Resource Management
  • Secret Management
  • Structure and Semantics
  • Supply-Chain

Custom Policies

Policies you create using the Rego language to monitor and improve the configuration of your assets.

Creating Custom Policies

  1. Select Governance > + Custom Policy.
  2. Enter a descriptive name in the Name field.
  3. Select a category or create a new one > Add.
    • If using AI, select only one data source and asset type.
  4. Select the Severity.
    • TRACE: Information used for debugging
    • INFO: General information about system operation
    • LOW: Minor issues with a slight impact
    • MEDIUM: Moderate risk
    • HIGH: Significant risk requiring immediate attention
    • CRITICAL: Severe issues needing urgent resolution
  5. Select the data source(s).
  6. Select the asset type(s).
  7. Enter a description in the Policy description field. For example:
    • instance of type in t family
    • instance has instance_state stopped
    • Auto Scaling Groups with a single AZ
    • elastic ip that have empty association_id
  8. (Optional) Select Generate with Thinkerbell AI.
  9. Select an asset and use the INPUT SCHEMA to construct your rule in the Firefly Rego Playground.
    • In the expression, input represents an asset. To access an asset attribute, write input.<attribute name>. For example: input.instance_type == "t2.micro"
    • The code in the Rego Playground must contain conditions that evaluate to a Boolean value. These conditions determine whether the asset matches the rule.
  10. To view the assets that match the Rego code you created, select Evaluate.
    • SELECT ASSET: scope of assets according to your selection in the Insight Details.
    • INPUT SCHEMA: configuration of the rule you created.
    • MATCHING RESULTS: assets that match your rule.
  11. To send a notification to your notification tool or email, select the checkbox and a destination.
  12. Select Create when the MATCHING RESULTS section displays the assets you want included in your rule.

Troubleshooting

If the assets that should match your rule are not displayed in the MATCHING RESULTS section:

  • Compare your rule against the INPUT SCHEMA and verify that every attribute you reference matches the schema exactly.

If your rule returns no MATCHING RESULTS at all:

  • Change the scope of the data source and asset type you selected above.

If selecting Evaluate returns the error message "Could not test the Rego expression, make sure the syntax is valid":

  • Try selecting a different asset or adjusting the rule in the Rego Playground.

Filters

Apply the following filters to view details about your assets:

  Filter            Description
  Frameworks        Structured set of compliance guidelines
  Categories        Policy type
  Providers         Integrated service providers
  Data Sources      Information resources
  Scopes            Range of resources
  Severities        Severity of the policy violation according to risk
  Production        Assets in the production environment
  Violating Assets  Assets that violate the policy
  Notifications     Notification enabled for the policy
  Enabled           Policy detection is enabled to locate matching assets

Governance table

The Governance table presents detailed information about your assets and their policies, organized into the following columns:

  Column            Description
  Category          Policy type
  Name              Name of the policy
  Severities        Severity of the policy violation according to risk
  Data Source       Integrated resource
  Asset Types       Type of service or object provided
  Insights          Recommendation for remediation
  Compliance        Percentage of assets that passed the policy detection check
  Violating Assets  Assets that violate the policy
  Notification      Notification enabled for the policy
  Enabled           Policy detection is enabled to locate matching assets

  • To view the assets that match the policy, select the kebab menu > View Assets.
  • To change the policy code, select the kebab menu > Edit Policy > Update.
  • To create a ticket in Jira, select Issue Ticket.

Implementing Remediations

Firefly generates the code that implements the improvements it recommends for your AWS assets. Run this code in your AWS CLI and the desired changes are applied automatically.

Procedure

  1. Select the kebab > Remediation.

  2. Copy and run the commands in your AWS CLI.

Frameworks

Structured sets of guidelines and standards designed to systematically manage compliance, security, efficiency, and optimization.

PCI DSS

A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

SOC 2

A compliance framework developed by the AICPA that evaluates an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

HIPAA

US legislation that provides data privacy and security provisions to safeguard medical information.

NIST

Guidelines, standards, and best practices established by the National Institute of Standards and Technology at the US Department of Commerce. The NIST Cybersecurity Framework helps businesses better understand, manage, and reduce their cybersecurity risk and protect their networks and data.

Cloud Waste

A term referring to the unnecessary or inefficient use of cloud resources, leading to excess costs. Practices and tools aimed at reducing cloud waste focus on optimizing resource utilization and cost management.

Google Cloud Insights

After integrating your Google Cloud account, we retrieve Google Cloud Insights directly from your projects. These insights identify potential risks in your asset configurations, enhance your security posture, and reveal significant patterns in resource usage. To use this feature, enable the Recommender API.

Tagging Policies

Policies that identify resources that lack the appropriate tags.

Notes on writing Rego rules

  • The configuration in the Rego Playground must contain the Firefly keyword: firefly { }. This keyword determines whether the asset matches the rule.
  • The Rego language supports Regex expressions and conditionals.
  • Copy one of the input assets and use the Rego Playground to troubleshoot until your code is correct.
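An added example, not from the Firefly documentation, of a complete rule in the form the custom policy procedure and the Rego notes above describe: input is the asset, and the body of the firefly rule is a set of conditions that must all hold. The package name and the tags attribute are assumptions; only instance_type and instance_state are attribute names the page itself gives.

```rego
# Added example; the package name is assumed. The page only requires that the
# rule itself be named `firefly`.
package example_policy

# Constructed sample asset this rule is meant to evaluate against:
#   {"instance_type": "t3a.large", "instance_state": "stopped", "tags": {}}

# Match stopped EC2 instances of the burstable "t" family
# (t2.micro, t3.large, t3a.medium, t4g.small, ...).
# Every line in the body must be true for the asset to match (logical AND).
firefly {
    # Regex on the instance_type attribute of the asset held in `input`;
    # the raw string (backticks) keeps the backslash literal.
    regex.match(`^t[0-9]+[a-z]*\.`, input.instance_type)
    input.instance_state == "stopped"
}

# A second body for the same rule name is a logical OR: the asset also
# matches when its `tags` object is empty (attribute name assumed).
# If neither body holds, `firefly` is undefined, i.e. the asset does not match.
firefly {
    count(input.tags) == 0
}
```

Evaluate the rule against a few assets in the Playground and confirm MATCHING RESULTS lists exactly the stopped t-family or untagged instances before selecting Create.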
