Manage Cloud Security Misconfigurations Compliance Rules

Docs > Datadog Security > Cloud Security > Cloud Security Misconfigurations > Manage Cloud Security Misconfigurations Compliance Rules

Cloud Security Misconfigurations out-of-the-box compliance rules evaluate the configuration of your cloud resources and identify potential misconfigurations so you can immediately take steps to remediate.

The compliance rules follow the same conditional logic as all Datadog Security compliance rules. For Cloud Security Misconfigurations, each rule maps to controls within one or more compliance frameworks or industry benchmarks.

Cloud Security Misconfigurations uses the following rule types to validate the configuration of your cloud infrastructure:

Cloud configuration: These compliance rules analyze the configuration of resources within your cloud environment. For example, the CloudFront distribution should be encrypted rule assesses whether an Amazon CloudFront distribution enforces HTTPS to secure communications.
Infrastructure configuration checks evaluate:
- Containers and Kubernetes clusters, using rules from CIS compliance benchmarks for Docker and Kubernetes.
- Linux workloads, using CIS host benchmarks for Linux distributions including Ubuntu, Red Hat, Amazon Linux, and AlmaLinux.
  Cloud Security Misconfigurations supports a subset of the Linux distributions that the Agent supports. For more information, see Supported Platforms.
In Cloud Security, rules with the infrastructure label are applicable to Agent installations.

Explore default compliance rules

To filter the default compliance rules by cloud provider:

Navigate to the Misconfiguration Rules page.
Choose one of the following values from the Tag facet.
- AWS: cloud_provider:aws
- Azure: cloud_provider:azure
- Google Cloud: cloud_provider:gcp
- OCI: cloud_provider:oci
- Docker: framework:cis-docker
- Kubernetes: framework:cis-kubernetes

Customize how your environment is scanned by each rule

Customization of a cloud configuration query directly is not supported at this time, but you can customize how your environment is scanned by each rule.

On the Rules page, select a rule to open its details page. Under Exclude benign activity with suppression queries, set the filtering logic for how the rule scans your environment.

For example, you can exclude resources tagged with env:staging using the This rule will not generate a misconfiguration if there is a match with any of the following suppression queries function. You can also limit the scope for a certain rule to resources tagged with compliance:pci using the Only generate a misconfiguration if there is a match with any of the following queries function.

After you customize a rule, click Update Rule at the bottom of the page to apply your changes.

Create custom rules

You can create custom rules to extend the rules being applied to your environment to evaluate your security posture. You can also clone the default detection rules and edit the copies (Google Cloud only). See Custom Rules for more information.

Rule deprecation

Regular audits of all compliance rules are performed to maintain high fidelity signal quality. Deprecated rules are replaced with an improved rule.

The rule deprecation process is as follows:

There is a warning with the deprecation date on the rule. In the UI, the warning is shown in the:
- Signal side panel’s Rule Details > Playbook section
- Misconfigurations side panel
- Rule editor for that specific rule
After the rule is deprecated, there is a 15 month period before the rule is deleted. This is due to the signal retention period of 15 months. During this time, you can re-enable the rule by cloning the rule in the UI.
After the rule is deleted, you can no longer clone and re-enable it.

URL: https://docs.datadoghq.com/security/cloud_security_management/misconfigurations/compliance_rules/