DivvyCloud

Welcome to the DivvyCloud Docs!

DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

For questions about documentation reach out to us [email protected]

Take Me to the Docs!    Release Notes

Exemptions (Insights)

Overview

DivvyCloud's exemptions functionality is entirely Insight driven. This capability is configured through the Insights landing page and is also featured on its own landing page within the DivvyCloud platform "Security --> Exemptions" for dedicated viewing and managing of those defined exemptions.

Exemptions Landing Page

Exemptions includes enhanced approval logic, expiration functionality, and bulk edit and delete capabilities for exempted resources

Curating Exemptions

In previous versions, DivvyCloud offered the ability to exempt resources from Insight findings using the Resource Groups functionality. While this option worked well in certain scenarios, it did not provide a great overall user experience.

One aspect of the previous method of the Resource Group-based exemption management was the ability to curate exemptions on a broader level. Users had the ability to flag resources based on high level criteria like tags and permissions.

With the new functionality, exemptions are entirely Insight driven, however DivvyCloud still provides the curation of exemptions through a Bot action called Curate Insight/Bot Exemptions.

Bot Action - Curate Insight/Bot Exemptions

This Bot Action allows users to create a Bot that can automatically curate resources for exemption, enabling a more "generic" exemption strategy that operates in a similar capacity to the prior functionality offered by the Resource Group exemption approach.

Refer to our BotFactory documentation for more information on working with Bots and automation.

Prerequisites

Before getting started, ensure you have the following:

  • A functioning DivvyCloud installation with attached Clouds and configured Insights---without this data there's nothing to exempt!
  • All DivvyCloud users can view exemptions; however, to create/edit/delete/enable/disable exemptions, you will need to have Domain Admin or Org Admin permissions.

Creating a New Exemption

To create a new exemption, you can reach the exemption configuration function via two paths.

1. Navigate to "Security --> Insights" on the main sidebar.
2. Click on the name of an Insight to open the details page and then select the “View All” menu.

Open Exemptions through the Insight Name - View All Menu

Or, do the following:

1. Navigate to "Security --> Insights" on the main sidebar.
2. Click on the link to the “Impacted Resources” for your target Insight.

Open Exemptions through Impacted Resources

Either of the options above will bring you to a sorted Resources/Insight detail view with the complete list of applicable resources (shown below).

Insight Detail View

From one of the paths outlined above, follow the remaining steps to create an exemption:

3. To specify an exempted resource, select the box to the left of the resource name.

4. Once you have selected the resource(s) you want to exempt, select the “Add Exemption” option to open the “Create Exemption” window.

  • Note: this option (e.g., the icon) does not display if no resources are selected.

Create Exemption Option

📘

Creating Exemptions (Individually or in Multiples)

While you can select multiple resources for exemption, this will simply create a new individual exemption for each resource selected under the original Insight.

Upon creation, these exemptions will have the same creator, exemption owner, approver name, created date, start date, expiration date, and notes. However, they will differ based on their Resource Name and Provider ID.

5. By default, your new Exemption will be set to "Enabled". Provide a “Start Date” for your Exemption.

  • You can create a new exemption and set it to "Disabled".
  • By default, this will be today's date.
  • This can be set to a past, or future date.

Create Exemptions Form

6. Set an expiration date for your exemption, or select the “No Expiration Date” option checkbox.

  • If supplied, the expiration date must be later than the start date.

7. Add an Exemption Approver (optional).

  • This field is optional and can be completed using an approver name or an email address. If an email is supplied it must be completed using a valid email address.
  • This field will vary based on the System Settings (e.g. it can be configured as required, and to specifically require an email)

8. Include any Notes (optional).

  • This field can be used for internal reference codes, or other project-specific details.

9. Click “Create” to complete your new exemption.

  • Exemptions are always Enabled by default.

Expiration of Exemptions

By default, exemptions that are within 72 hours of expiration automatically generate a report to notify the creator.

Exemption Report - Sample of Notification of Expiring Exemptions

  • The default 72 hour period can be modified in the System Settings
  • This system check takes place automatically and daily.
  • If an approver is included on the exemption via a valid email address, they will also receive a copy of the report.(Note: if the approver is just text with the person's name and no email, no action takes place.)
  • This feature requires that SMTP is configured. Refer to our documentation on SMTP (Email Notifications).

Exemptions System Settings

Users with appropriate permissions can manage certain properties of Insight Exemptions from "Administration --> System Administration --> System".

By default the Insight Exemptions section of the System settings will be blank. If no settings are specified here, exemptions that are within 72 hours of expiration automatically generate a report to notify the creator. Changes implemented in System Settings supersede these defaults.

From this System tab - Insight Exemptions settings allow a user with the appropriate permissions to define requirements around the following:

  • Exemption Notification Days - This is the number of days before the expiration of an exemption will trigger an email.

    • For example, when set to "3", the specified approver will receive an email 3 days before the expiration of the exemption, notifying them of the upcoming expiration.
    • This feature requires that SMTP is configured. Refer to our documentation on SMTP (Email Notifications).
  • Require Approver - When checked/enabled requires an approver for all exemptions.

  • Require Approver Email - When checked/enabled requires the approver field to be populated with a valid email address (by default this field can support text or email).

Manage Insight Exemptions

Viewing Exemptions

To view the full list of Insight-driven exemptions associated with an Organization, select "Security → Exemptions" from the main navigation.

When you first arrive on the page, there will be no data displayed. You will need to use the Search or select from one of the Filters to populate the Exemptions display.

Exemptions Landing Page

To explore exemptions you can use a number of search and filtering capabilities.

Filter Display Options

The top of the page includes several options to explore the full list of exemptions in greater detail.

  • Search - will search most of the common text attributes available

    • It can also be applied as an additional filter on a selected Insight Pack or Badge filter to further refine your displayed results
  • Filters - this drop-down menu includes two options, Insight Pack and/or Badges

    • Insight Pack - enables the selection of any Insight Pack, both out-of-the-box (e.g. Compliance Pack) or Custom Packs (user-created)
    • Badges - enables the selection of Badges and will filter based on specified Badge, including the option to select and filter based on multiple badges via the "Must have all selected badges" checkbox.
  • Pagination Controls - will modify the number of displayed results and enable the user to page through the filtered results

Exemptions - Filtering

Exemptions Display

After selecting Filters, results display as individual line items (example below includes a single Insight Pack, and an additional filter using "aws" as the search term)

Exemptions Filter Displayed Results

Exemption Fields

The fields associated with each individual exemption that display in the filtered output are as follows:

  • Status - Currently either "Enabled" or "Disabled" (designated by a greyed-out line)
  • Provider ID - a unique identifier imported from the target CSP
  • Resource Name - this field is typically populated through a user-provided value (it may also be blank); the value is not required
  • Insight - The name of the Insight you used to create the exemption (e.g., Cloud Account Without Root Account MFA Protection)
  • Insight Severity - The color-coded severity of the specified Insight (e.g., Minor, Major, Severe, Critical)
  • Resource Type - The type of resource (e.g., Instance, Storage Container, etc.)
  • Account - associated Cloud account
  • Cloud- specific cloud provider (e.g., AWS) that applies to this resource
  • Creator - the user specified as the creator (determined by who was logged in when the exemption was created)
  • Approver - the (optional) name or email of the approver
  • Date Created - date the exemption was created
  • Start Date - date the exemption is configured to start (can be before/after the creation date)
  • Expiration Date - date the exemption was set to expire
  • Notes - any optionally included notes

Modifying & Deleting Exemptions

Bulk Edit & Delete

Users have the ability to bulk edit or delete exemptions. To delete exemptions in bulk, do the following:

Bulk Delete
1. Clicking on the top checkbox will select ALL of the items on the selected page (e.g., 20, or up to 200) and provide a total count. Note that you cannot select items across more than a single page.

  • In addition, you have the option of selecting ALL of the items by clicking on the blue text to the right of the "All items on this page are selected" text.
  • Alternatively, users can select multiple exemptions individually by clicking the box next to each exemption.

2. Click on "Delete" button to delete the selected exemptions.

  • This option appears when one or more exemptions is selected.

Exemptions - Bulk Delete

Bulk Edit
1. Clicking on the top checkbox will select ALL of the items on the page (e.g., 20, or up to 200) and provide a total count. Note that you cannot select items across more than a single page.

  • In addition, you have the option of selecting ALL of the items by clicking on the text to the right of the "All items on this page are selected" text.
  • Alternatively, users can select multiple exemptions individually by clicking the box next to each exemption.

2. Click on the "Bulk Edit" option to open the "Edit Exemptions" form.

  • This option appears when one or more exemptions are selected.

Exemptions - Bulk Edit

3. Modify as desired by selecting the checkbox next to each field you wish to edit. This includes:

  • Change State of Exemptions
  • Start Date
  • Expiration Date
  • Approver Email
  • Notes

4. Click "Save" to complete the bulk edit.

Modify/Disable an Individual Exemption

1. To modify/edit an individual exemption, navigate to “Security → Exemptions” on the main navigation panel. This page displays the full list of exemptions.

2. Locate the exemption you want to modify (using Search or any of the filtering options).

  • To Edit or Delete you can click the box next to the name to enable those options, or
  • Click on the actions context menu next to the exemption you want to Edit, Delete, Go to Insight, or View Resource Details for.
  • To “Disable” an exemption open the "Edit" menu and select the option from the "Change State" buttons and click "Save"
    • If the exemption is already “Disabled”, the option will display as “Enable”.

Edit an Exemption

Updated about 20 hours ago

Exemptions (Insights)


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.