Exemptions (Insights)

Exemptions includes enhanced approval logic, expiration functionality, and bulk edit and delete capabilities for exempted resources. InsightCloudSec's exemptions functionality is primarily Insight-driven but can also be curated using a Bot action called "Curate Insight/Bot Exemptions." This Bot Action allows users to create a Bot that can automatically curate resources for exemption, enabling a more "generic" exemption strategy that operates in a similar capacity to the prior functionality offered by the Resource Group exemption approach. Refer to our BotFactory documentation for more information on working with Bots and automation.

Go to Security > Insights to get started creating exemptions. Go to Security > Exemptions to view existing exemptions.

Prerequisites

Before getting started, ensure you have the following:

  • A functioning InsightCloudSec platform installation with attached Clouds and configured Insights. Without this data there's nothing to exempt! Check out Cloud Account Setup for details on this process if you still need to connect clouds.
  • All InsightCloudSec users can view exemptions
    • To create, edit, delete, enable, or disable exemptions, you will need to have Domain Admin or Org Admin permissions.

Create a New Exemption

To create a new exemption, you can reach the exemption configuration function via two paths within the Insights view.

  1. Go to Security > Insights and select the Insight you want to create an exemption for.
  2. Open the Actions menu by clicking the vertical three dots and click View Results.
  3. To specify an exempted resource, select the box to the left of the resource name and click Add Exemption.

    Creating Exemptions (Individually or in Multiples)

    While you can select multiple resources for exemption, this will simply create a new individual exemption for each resource selected under the original Insight.

    Upon creation, these exemptions will have the same creator, exemption owner, approver name, created date, start date, expiration date, and notes. However, they will differ based on their Resource Name and Provider ID.

  4. Complete the Create Exemption window.
    1. By default, your new Exemption will be set to Enabled. You can create a new exemption and set it to Disabled.
    2. Provide a past, current, or future Start Date for your Exemption. By default, this will be today's date.
    3. Set an expiration date for your exemption, or select the No Expiration Date option checkbox.
    4. (Optional) Add an Exemption Approver.
    5. (Optional) Include any Notes. This field can be used for internal reference codes or other project-specific details.
  5. Click Create to complete your new exemption.

Add an Exemption through the Compliance Scorecard

In addition to creating an exemption from the Insights view, you can also identify resources for exemption through the Compliance Scorecard.

  1. Go to Security > Compliance Scorecard and filter.
  2. Select any individual impacted cell on the heatmap.
  3. Click on the target cell to open the associated Report Card.
  4. Check the box next to the resource you want to exempt and click Create Exemption.
  5. Complete the Create Exemption window.
    1. By default, your new Exemption will be set to Enabled. You can create a new exemption and set it to Disabled.
    2. Provide a past, current, or future Start Date for your Exemption. By default, this will be today's date.
    3. Set an expiration date for your exemption, or select the No Expiration Date option checkbox.
    4. (Optional) Add an Exemption Approver.
    5. (Optional) Include any Notes. This field can be used for internal reference codes or other project-specific details.
  6. Click Create to complete your new exemption.

Expiration of Exemptions

By default, exemptions that are within 72 hours of expiration automatically generate a report to notify the creator.

  • The default 72-hour period can be modified in the System Settings.
  • This system check takes place automatically and daily.
  • If an approver is included on the exemption via a valid email address, they will also receive a copy of the report. If the approver is just text with the person's name and no email, no action takes place.
  • This feature requires that SMTP is configured. Refer to our documentation on SMTP (Email Notifications).

Exemptions System Settings

Users with appropriate permissions can manage certain properties of Insight Exemptions from Administration > System Administration > System.

By default the Insight Exemptions section of the System settings will be blank. If no settings are specified here, exemptions that are within 72 hours of expiration automatically generate a report to notify the creator. Changes implemented in System Settings supersede these defaults.

From this System tab, the Insight Exemptions settings allow a user with the appropriate permissions to define requirements around the following options:

| Option | Description |
| --- | --- |
| Exemption Notification Day | The number of days before the expiration of an exemption at which an email is triggered. For example, when set to "3", the specified approver will receive an email 3 days before the expiration of the exemption, notifying them of the upcoming expiration. This feature requires that SMTP is configured. Refer to our documentation on SMTP (Email Notifications). |
| Require Approver | When checked/enabled, requires an approver for all exemptions. |
| Require Approver Email | When checked/enabled, requires the approver field to be populated with a valid email address (by default this field can support text or email). |

Viewing Exemptions

To view the full list of Insight-driven exemptions associated with an Organization, go to Security > Exemptions.

Display Options

To explore exemptions you can use a number of search and filtering capabilities. The top of the page includes several options to explore the full list of exemptions in greater detail.

| Option | Description |
| --- | --- |
| Search | Searches most of the common text attributes available. It can also be applied as an additional filter on a selected Insight Pack or Badge filter to further refine your displayed results. |
| Filters | This drop-down menu includes two options, Insight Pack and/or Badges. Insight Pack: enables the selection of any Insight Pack, both out-of-the-box (e.g. Compliance Pack) or Custom Packs (user-created). Badges: enables the selection of Badges and will filter based on the specified Badge, including the option to select and filter based on multiple badges via the Must have all selected badges checkbox. |
| Pagination Controls | Modifies the number of displayed results and enables the user to page through the filtered results. |

After selecting Filters, results display as individual line items.

Exemption Fields

The fields associated with each individual exemption that display in the filtered output are as follows:

The following details display by default for Clouds.

| Field | Description |
| --- | --- |
| Insight | The name of the Insight you used to create the exemption (e.g., Cloud Account Without Root Account MFA Protection) |
| Insight Severity | The color-coded severity of the specified Insight (e.g., Minor, Major, Severe, Critical) |
| Resource Type | The type of resource (e.g., Instance, Storage Container, etc.) |
| Account | The associated Cloud account name |
| Account ID | The associated Cloud account ID |
| Cloud | The specific cloud provider (e.g. AWS) that applied to this resource |
| Creator | The user specified as the creator (determined by who was logged in when the exemption was created) |
| Bot | The name of the Bot that created the exemption (if applicable) |
| Approver | The (optional) name or email of the approver |
| Exemption ID | Unique ID associated with the Exemption |
| Date Created | Date the exemption was created |
| Start Date | The date the exemption is configured to start (can be before/after the creation date) |
| Expiration Date | The date the exemption was set to expire |
| Notes | Any included notes (optional) |

Download Exemption Details

On the Exemptions page, click Download All (CSV) to download all Exemptions in the list as a CSV file, with each column representing a field in the file, i.e. Status, Provider ID, Resource Name, etc.

This means that all Exemptions will be included in the file regardless of the currently applied filter/search.
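
Added example (not part of the InsightCloudSec documentation or product code): a Python check over the Download All (CSV) export that flags exemptions the expiration rules above would leave unnoticed, namely name-only approvers, missing approvers, no expiration date, and expiry inside the notification window. The column headers, the ISO date format, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample export. Column names follow the field names listed on this
# page; the real CSV header spelling and the ISO date format are assumptions.
SAMPLE_CSV = """Exemption ID,Insight,Resource Name,Approver,Expiration Date
101,Cloud Account Without Root Account MFA Protection,acct-root,alice@example.com,2024-06-03
102,Example Insight A,bucket-logs,Bob Smith,2024-06-02
103,Example Insight B,vm-legacy,,
104,Example Insight C,db-archive,carol@example.com,2024-09-01
105,Example Insight D,vm-old,dave@example.com,2024-05-20
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simple shape check only


def audit_exemptions(csv_text, now, notify_days=3):
    """Return {exemption_id: [findings]} for rows that need review."""
    findings = {}
    window = timedelta(days=notify_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        approver = (row.get("Approver") or "").strip()
        expires = (row.get("Expiration Date") or "").strip()
        if not approver:
            issues.append("no approver")
        elif not EMAIL_RE.match(approver):
            # Per the page, a name-only approver receives no expiration report.
            issues.append("approver is not an email; will not be notified")
        if not expires:
            issues.append("no expiration date")
        else:
            remaining = datetime.strptime(expires, "%Y-%m-%d") - now
            if remaining < timedelta(0):
                issues.append("already expired")
            elif remaining <= window:
                issues.append(f"expires within {notify_days} days")
        if issues:
            findings[row["Exemption ID"]] = issues
    return findings


if __name__ == "__main__":
    for ex_id, issues in audit_exemptions(SAMPLE_CSV, datetime(2024, 6, 1)).items():
        print(ex_id, "; ".join(issues))
```

Set notify_days to match the Exemption Notification Day value configured in System Settings so the script's window agrees with the platform's.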

Editing and deleting exemptions

Users have the ability to bulk edit or delete exemptions. To edit or delete exemptions in bulk, do the following from the Exemptions landing page:

Bulk edit or delete

  1. Click the top checkbox to select ALL of the items on the selected page and provide a total count.
  2. Click Actions to expand the actions menu.
  3. To bulk edit, click Edit and complete the Edit Exemptions window. When finished editing, click Save.
  4. (Optional) Click Download Selected to only download the selected Exemptions as a CSV file.
  5. To bulk delete, click Delete to delete the selected exemptions.

Modify or disable an individual exemption

Locate the exemption you want to modify (using Search or any of the filtering options), then click the actions/context menu. From there you can:

  • Edit or delete the individual exemption
  • Go to the Insight the exemption is part of
  • View resource details
  • Download a CSV file containing the individual exemption