DivvyCloud

Welcome to the DivvyCloud Docs!

DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

For questions about documentation reach out to us [email protected]

Take Me to the Docs!    Release Notes

Exemptions (Insights)

Overview

DivvyCloud's exemptions functionality is entirely Insight driven. This capability is configured through the Insights landing page and is also featured on its own landing page within the DivvyCloud platform "Security --> Exemptions" for dedicated viewing and managing of those defined exemptions.

Exemptions Landing Page

Exemptions includes enhanced approval logic, expiration functionality, and bulk edit and delete capabilities for exempted resources

Curating Exemptions

In previous versions, DivvyCloud offered the ability to exempt resources from Insight findings using the Resource Groups functionality. While this option worked well in certain scenarios, it did not provide a great overall user experience.

One aspect of the previous method of the Resource Group-based exemption management was the ability to curate exemptions on a broader level. Users had the ability to flag resources based on high level criteria like tags and permissions.

With the new functionality, exemptions are entirely Insight driven, however DivvyCloud still provides the curation of exemptions through a Bot action called Curate Insight/Bot Exemptions.

Bot Action - Curate Insight/Bot Exemptions

This Bot Action allows users to create a Bot that can automatically curate resources for exemption, enabling a more "generic" exemption strategy that operates in a similar capacity to the prior functionality offered by the Resource Group exemption approach.

Refer to the instructions on the BotFactory page for more details on creating a Bot.

Prerequisites

Before getting started, ensure you have the following:

  • A functioning DivvyCloud installation with attached Clouds and configured Insights---without this data there's nothing to exempt!
  • All DivvyCloud users can view exemptions; however, to create/edit/delete/enable/disable exemptions, you will need to have Domain Admin or Org Admin permissions.

Creating a New Exemption

To create a new exemption, you can reach the exemption configuration function via two paths.

1. Navigate to "Security --> Insights" on the main sidebar.
2. Click on the name of an Insight to open the details page and then select the “View All” menu.

Open Exemptions through the Insight Name - View All Menu

Or, do the following:

1. Navigate to "Security --> Insights" on the main sidebar.
2. Click on the link to the “Impacted Resources” for your target Insight.

Open Exemptions through Impacted Resources

Either of the options above will bring you to the Insight detail view with the complete list of associated resources (shown below).

Insight Detail View

From one of the paths outlined above, follow the remaining steps to create an exemption:

3. To specify an exempted resource, select the box to the left of the resource name.

4. Once you have selected the resource(s) you want to exempt, select the “Add Exemption” option to open the “Create Exemption” window.

  • Note: this option (e.g., the icon) does not display if no resources are selected.

Create Exemption Option

📘

Creating Exemptions (Individually or in Multiples)

While you can select multiple resources for exemption, this will simply create a new individual exemption for each resource selected under the original Insight.

Upon creation, these exemptions will have the same creator, exemption owner, approver name, created date, start date, expiration date, and notes. However, they will differ based on their Resource Name and Provider ID.

3. Provide a “Start Date” for your Exemption.

  • This can be a past, current, or future date.

4. Set an expiration date for your exemption, or select the “No Expiration Date” option checkbox.

  • If supplied, the expiration date must be later than the start date.

5. Add an Exemption Approver (optional).

  • This field is optional and can be completed using an approver name or an email address. If an email is supplied it must be completed using a valid email address.
  • The “Creator” field (which displays on the Exemptions overview page) is populated automatically and is not editable; this person is the "owner" by default.

6. Include any Notes (optional).

  • This field can be used for internal reference codes, or other project-specific details.

7. Click “Create” to complete your new exemption.

  • Exemptions are always Enabled by default.

Expiration of Exemptions

By default, exemptions that are within 72 hours of expiration automatically generate a report to notify the creator.

Exemption Report - Sample of Notification of Expiring Exemptions

  • This system check takes place automatically and daily.
  • If an approver is included on the exemption via a valid email address, they will also receive a copy of the report.(Note: if the approver is just text with the person's name and no email, no action takes place.)

Editing Exemption Details

In addition, users with appropriate permissions can manage Insight Exemptions from "Administration --> System Administration --> System".

From the System tab they can modify the expiration period, require an approver, and require the approver field to include an email. Read more here.

Viewing Exemptions

To view the full list of Insight-driven exemptions associated with an Organization, select "Security → Exemptions" from the main navigation.

Exemptions Landing Page

You can explore exemptions with a number of search and filtering capabilities, as shown in the image below, including:

Exemptions Search and Filtering

Display Options

The top of the page includes several options to explore the full list of exemptions in greater detail.

  • Search Exemptions - will search any of the text attributes displayed in the columns
  • Insight Pack - enables filtering of displayed results based on existing Compliance Packs or Custom Packs
  • Badges - will filter based on specified Badge, including the option to select and filter based on multiple badges via the "Must have all selected badges" checkbox
  • Results per Page - allows users to adjust the number of results displayed per page
  • Pagination (arrows to the right of the total item count) - allows users to page through the results
  • Columns (Enabled, Provider ID, Insight, Resource Name, etc.) - can all be used to sort the displayed data by clicking on the column title

Exemption Fields

The fields associated with each individual exemption are as follows:

  • Enabled - this field designates if an exemption is enabled or disabled; Disabled exemptions are displayed with an “X"
  • Provider ID - a unique identifier imported from the target CSP
  • Resource Name - this field is typically populated through a user-provided value (it may also be blank); the value is not required
  • Insight - The name of the Insight you used to create the exemption (e.g., Cloud Account Without Root Account MFA Protection)
  • Severity - The severity of the specified Insight (e.g., Minor, Major, Severe, Critical)
  • Resource Type - The type of resource (e.g., Instance, Storage Container, etc.)
  • Account - associated Cloud account
  • Cloud- specific cloud provider (e.g., AWS) that applies to this resource
  • Creator - the user specified as the creator (determined by who was logged in when the exemption was created)
  • Approver - the (optional) name or email of the approver
  • Created Date - date the exemption was created
  • Start Date - date the exemption was configured to start (can be before/after the creation date)
  • Expiration Date - date the exemption was set to expire
  • Notes - any optionally included notes

Modifying & Deleting Exemptions

Bulk Edit & Delete

Users have the ability to bulk edit or delete exemptions. To delete exemptions in bulk, do the following:

Bulk Delete
1. Clicking on the top checkbox will select ALL of the items on the page.

  • It also provides the user with the ability to select all of the items available (e.g., Select 35 items).
  • Alternatively, users can select multiple exemptions individually by clicking the box next to each exemption.

2. Click on "Delete" to delete the selected exemptions.

  • This option appears when one or more exemptions is selected.

Exemptions - Bulk Delete

Bulk Edit
Note that "Bulk Edit" capabilities do not apply to all components of exemptions.

1. Clicking on the top checkbox will select ALL of the items on the page.

  • In addition, this action also provides the user with the ability to select all of the items available (e.g., Select 35 items).
  • Alternatively, users can select multiple exemptions individually by clicking the box next to each exemption.

2. Click on the "Bulk Edit" option to open the "Edit Exemptions" form.

  • This option appears when one or more exemptions are selected.

Exemptions - Bulk Edit

3. Modify as desired by selecting the checkbox next to each field you wish to edit. This includes:

  • Start Date
  • End Date
  • Approver
  • Change State (Enabled/Disabled)
  • Notes

4. Click "Update Exemptions" to complete the bulk edit.

Modifying an Individual Exemption

1. To modify/edit an individual exemption, navigate to “Security → Exemptions” on the main navigation panel. This page displays the full list of exemptions.

2. Locate the exemption you want to modify (using Search or any of the filtering options) and then click on the more content ("...") menu next to the exemption you want to edit.

3. Make any changes you want and select “Save Changes”.

  • Note that you cannot “delete” an exemption from this view but you can disable it.

Edit an Exemption

Disabling an Individual Exemption

1. To disable an exemption, navigate to "Security → Exemptions" on the main navigation panel. This page displays the full list of exemptions.

2. Locate the exemption you want to modify (using Search or any of the filtering options) and then click on the more content ("...") menu next to the exemption you want to edit.

Disable an Exemption

3. Click “Disable”. You will see the “Exemption Updated” confirmation and the window will close.

  • Exemptions that are already disabled will appear in the list with an “X” next to their Provider ID details.
  • If the exemption is already “Disabled”, the option will display as “Enable”.

Updated 3 days ago

Exemptions (Insights)


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.