
Exemption Rules

Exemption Rules Functionality

This page is intended for customers who are currently using the Exemption Rules feature, which is access controlled through a feature flag.

We request that you do not share this URL/page outside of the Rapid7 organization or with customers that are not currently using this feature.

In addition, this documentation is in progress. If you have questions, issues, or suggestions about the content provided here, we welcome your feedback. Reach out to your CSA or to support through the Customer Support Portal.

Exemption Rules is a new feature that lets customers build rules on top of Insights, optionally using regular expressions, that flag resources as exempt from specific Insights. Exemption rules are applied before Bot actions take place and can be used to evaluate both resources that already exist in your cloud accounts (harvested) and resources that need to be evaluated before they are deployed (IaC).

Use Case for Exemption Rules

Exemption rules were created to expand on our existing Exemptions (Insights) capabilities. Generally speaking, the current exemptions functionality only applies when the Insight and the resource both already exist, and this approach can be hard to scale. Our other support for exemptions is provided through Bot Automation. For example, you could create a Bot around volumes and use the curate exemptions option to set the scope (one cloud account or many), the timing, etc. The problem with this approach is that Bots are not guaranteed to run in a particular order, so in this example a separate Bot designed to remove unencrypted volumes may run before our example exemption Bot has been applied to a particular resource. Exemption rules avoid this issue, and other problems, by building exemptions that apply to resources before they are added (via IaC) or before Bots take any action on them.

Creating an Exemption Rule

Refer to the steps below to create a new Exemption Rule.

  1. Navigate to Security > Exemption Rules.
  2. Under the Exemption Rules tab, select the Create Rule button in the top right to launch the form.
  3. Create a new Exemption Rule by completing the following options:
    • Select an Insight — Use the drop-down/search to identify and select an Insight (out-of-the-box or Custom) from which to exempt a resource
      • The selected Insight will automatically update the other scoping options.
    • Select a Resource Type — e.g., instance (the InsightCloudSec normalized term)
    • Description — provide a description for your Exemption Rule
    • Number of Days to Apply (optional) — Select the number of days this exemption will apply.
      • This field is subject to the Insight Exemption system-wide setting (if applied) under Settings > System Administration > System Settings.
      • If a system-wide setting is populated, the number of days specified here must be less than or equal to that system-wide value. The error message currently shown for this case does not identify this as the cause.
      • If left blank (or set to 0) and no system-wide setting exists, this exemption will be applied indefinitely or until it is removed.
      • This will be overridden by Expiration Limit.
    • Expiration Limit (optional) — Select the date for the exemption rule to expire. This will override the Number of Days to Apply.
    • Regular Expressions — Provide additional filtering criteria through a regular expression.
      • Regular expressions are currently applied only to resource names and as a result do not apply to all resource types.
      • Not all resource types in deployed accounts are supported. For example, snapshots are automatically named when they are created and so cannot be identified with a regular expression.
    • Specify Accounts — Select All Accounts, which is selected by default, or specify one or more accounts in which you want this exemption rule to apply.
      • IaC Only can only be applied to the All Accounts option.
  4. Click OK when you are ready to create your exemption rule.
    • You can view, edit, and (if permitted) delete existing exemption rules from the Exemption Rules tab under System Administration.
    • Your new Exemption Rule is applied to any matching resource as soon as the rule is created. An existing Exemption Rule can also start applying to a resource if the resource is renamed and its new name matches the rule's regular expression.
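The precedence and scoping behaviour described in the steps above, modelled as an added Python example (this is not InsightCloudSec code or its API): Expiration Limit overrides Number of Days to Apply, the system-wide setting caps it, IaC Only requires All Accounts, and the regular expression is matched against the resource name only. Two details are assumptions of this model, not documented on the page: the pattern is matched anchored with `re.fullmatch`, and a blank Number of Days falls back to the system-wide limit when one exists.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class ExemptionRule:
    insight: str                              # Insight the resource is exempted from
    resource_type: str                        # normalized type, e.g. "instance"
    name_pattern: Optional[str] = None        # regex, applied to the resource name only
    days_to_apply: int = 0                    # 0/blank: indefinite unless a system-wide limit exists
    expiration_limit: Optional[date] = None   # fixed date; overrides days_to_apply
    accounts: Optional[frozenset] = None      # None means All Accounts
    iac_only: bool = False                    # only valid together with All Accounts

def validate_rule(rule: ExemptionRule, system_max_days: Optional[int]) -> list:
    # Surface the page's constraints up front; the product's own error does not name the cause.
    problems = []
    if system_max_days is not None and rule.days_to_apply > system_max_days:
        problems.append(f"days_to_apply {rule.days_to_apply} exceeds system-wide limit {system_max_days}")
    if rule.iac_only and rule.accounts is not None:
        problems.append("IaC Only requires the All Accounts scope")
    return problems

def effective_expiry(rule: ExemptionRule, created: date, system_max_days: Optional[int] = None) -> Optional[date]:
    # Expiration Limit wins over Number of Days. Assumption (not on the page): a blank/0
    # field falls back to the system-wide limit when one exists. None means indefinite.
    if rule.expiration_limit is not None:
        return rule.expiration_limit
    days = rule.days_to_apply or (system_max_days or 0)
    return created + timedelta(days=days) if days > 0 else None

def is_exempt(rule: ExemptionRule, resource: dict, insight: str, today: date,
              created: date, system_max_days: Optional[int] = None) -> bool:
    # True when `rule` exempts `resource` from `insight` on `today`.
    if rule.insight != insight or rule.resource_type != resource["type"]:
        return False
    if rule.accounts is not None and resource["account"] not in rule.accounts:
        return False
    if rule.iac_only and not resource.get("iac", False):
        return False
    expiry = effective_expiry(rule, created, system_max_days)
    if expiry is not None and today > expiry:
        return False
    if rule.name_pattern is not None:
        # Anchored match (assumption), so "dev-.*" does not also exempt "prod-dev-db";
        # auto-named resources such as snapshots have no operator-chosen name to match.
        name = resource.get("name")
        if not name or re.fullmatch(rule.name_pattern, name) is None:
            return False
    return True
```

An unanchored pattern that also matched "prod-dev-db" would silently exempt production resources, which is why the model fails closed on a missing name and anchors the match.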

Viewing & Editing Exemption Rules

Exemption rules are visible under Security > Exemption Rules, on the Exemption Rules tab. This view currently displays exemptions created through the manual Exemptions (Insights) workflow as well as those created through the new Exemption Rules feature.

  • With the appropriate permissions this section also allows you to delete or modify an existing Exemption Rule.
  • At present you cannot sort exemptions by type (i.e., how they were created); however, for the current release, manual exemptions specify a creator or approver (email).