Policy Authoring Guide | Define Properties
Properties are an optional method of defining the ideal values for checks. Instead of defining a value in the check itself, you can define it in a property and reference that property in the check. Multiple checks in a policy can share a single property.
This policy does not use properties. It checks that you have strong IAM policies in AWS:
policies:
- uid: no-properties-example
name: Example policy without properties
version: "1.0.0"
authors:
- name: Lunalectric
email: security@lunalectric.com
groups:
- title: group01
checks:
- uid: aws-iam-01
title: Require long passwords
mql: aws.iam.accountPasswordPolicy['MinimumPasswordLength'] >= 8
- uid: aws-iam-02
title: Require uppercase characters
mql: aws.iam.accountPasswordPolicy['RequireUppercaseCharacters'] == true
- uid: aws-iam-03
title: Limit password age
mql: aws.iam.accountPasswordPolicy['MaxPasswordAge'] <= 90
The no-properties-example policy above performs three checks:
-
Line 13 checks whether the minimum password length is set to 8 or higher.
-
Line 17 checks whether uppercase letters are required in passwords.
-
Line 21 checks whether passwords expire after 90 or fewer days.
In each of these lines, the ideal value that the policy checks against is in the check itself.
An alternate way to structure these checks is to put all the ideal values in properties. You define properties separately from the checks themselves—similar to defining variables in code.
This policy shows how you can use properties to achieve the same results as the no-properties-example policy:
policies:
- uid: example-with-properties
name: Example policy using properties
version: "1.0.0"
authors:
- name: Lunalectric
email: security@lunalectric.com
groups:
- title: group01
checks:
- uid: aws-iam-01
title: Require long passwords
mql: aws.iam.accountPasswordPolicy['MinimumPasswordLength'] >= props.passwordMinLength
- uid: aws-iam-02
title: Require uppercase character
mql: aws.iam.accountPasswordPolicy['RequireUppercaseCharacters'] == props.passwordUppercase
- uid: aws-iam-03
title: Require password rotation
mql: aws.iam.accountPasswordPolicy['MaxPasswordAge'] <= props.passwordMaxAge
props:
- uid: passwordMinLength
title: Minimum password length
mql: "8"
- uid: props.passwordUppercase
title: Whether to require at least one uppercase character in passwords
mql: "true"
- uid: props.passwordMaxAge
title: Maximum time that a user can go without changing their password
mql: "90"
In the example-with-properties policy above, the three checks refer to properties for the ideal values to check against. The props sections of the policy (beginning on line 21) assigns a value to each of the three properties.
To check for errors in the policy bundles you write, run cnspec bundle lint BUNDLE-NAME.mql.yaml. For BUNDLE-NAME, substitute the name of your file.
Use one property for multiple checks
Multiple checks in a policy can share a single property. This can make updates easier when your organization's requirements change.
As a simple example, suppose you create a policy that checks IAM best practices across multiple platforms. Even though the platforms are different, your company's minimum password length requirement is the same. If you create password length checks for each different platform, you don't need to define the minimum password length value multiple times. Instead, all of the password length checks can point to a single property. That way, there's only one value to change when your company's minimum password length requirement changes.
Next steps
-
To learn about changing what a policy checks based on different conditions, read Make Policies Flexible with Variants.
-
If you're ready to create your own policy: To learn how to set up, validate, and store policy bundles, read Manage Policies.