Exemptions (Insights)
Exemptions includes enhanced approval logic, expiration functionality, and bulk edit and delete capabilities for exempted resources. Cloud Security (InsightCloudSec)‘s exemptions functionality is primarily Insight-driven but can also be curated using a Bot action called “Curate Insight/Bot Exemptions.” This Bot Action allows users to create a Bot that can automatically curate resources for exemption, enabling a more “generic” exemption strategy that operates in a similar capacity to the prior functionality offered by the Resource Group exemption approach. Refer to our BotFactory documentation for more information on working with Bots and automation.
Go to Security > Insights to get started creating exemptions. Go to Security > Exemptions to view existing exemptions.
Prerequisites
Before getting started, ensure you have the following:
- A functioning Cloud Security (InsightCloudSec) platform installation with attached Clouds and configured Insights.
- Check out Cloud Account Setup for details on this process if you still need to connect clouds.
- Proper entitlements to view or manage exemptions.
- Visit Users, Groups, and Roles for more information.
Create a New Exemption
To create a new exemption, you can reach the exemption configuration function via two paths within the Insights view.
- Go to Security > Insights and select the insight you want to create an exception for.
- Click Action (…) > View Insight Report, then click the number of Impacted Resources next to an account.
- Select the box next to each resource you want to exempt and click Add Exemption.
Creating Exemptions (Individually or in Multiples)
While you can select multiple resources for exemption, this will simply create a new individual exemption for each resource selected under the original Insight.
Upon creation, these exemptions will have the same creator, exemption owner, approver name, created date, start date, expiration date, and notes. However, they will differ based on their Resource Name and Provider ID.
- Complete the Create Exemption window:
- Provide a past, current, or future Start Date for your Exemption.
- Optionally:
- Set an Expiration Date for your exemption.
- Add an Exemption Approver.
- Add Notes.
- Click Create to complete your new exemption.
Add an Exemption through the Compliance Scorecard
In addition to creating an exemption from the Insights view, you can also identify resources for exemption through the Compliance Scorecard.
- Go to Security > Compliance Scorecard and filter.
- Select any individual impacted cell on the heatmap.
- Click on the target cell to open the associated Report Card.
- Check the box next the resource you want to exempt and click Create Exemption.
- Complete the Create Exemption window:
- Provide a past, current, or future Start Date for your Exemption.
- Optionally:
- Set an Expiration Date for your exemption.
- Add an Exemption Approver.
- Add Notes.
- Click Create to complete your new exemption.
Expiration of Exemptions
By default, exemptions that are within 72 hours of expiration automatically generate a report to notify the creator.
- The default 72 hour period can be modified in the System Settings.
- This system check takes place automatically and daily.
- If an approver is included on the exemption via a valid email address, they will also receive a copy of the report. If the approver is just text with the person’s name and no email, no action takes place.
- This feature requires that SMTP is configured. Refer to our documentation on SMTP (Email Notifications).
Exemptions System Settings
Users with appropriate permissions can manage certain properties of Insight Exemptions from Settings > System Administration > System Settings. If no changes are made, exemptions that are within 72 hours of expiration automatically generate a report to notify the creator by default. The following options are available:
| Option | Description |
|---|---|
| Exemption Notification Days | This is the number of days before the expiration of an exemption will trigger an email. For example, if set to 3, the specified approver will receive an email 3 days before the expiration of the exemption, notifying them of the upcoming expiration. This feature requires that SMTP is configured. Refer to our documentation on SMTP (Email Notifications). |
| Require Approver | When checked/enabled requires an approver for all exemptions. |
| Require Approver Email | When checked/enabled requires the approver field to be populated with a valid email address (by default this field can support text or email). |
| Maximum Age | The maximum age an Insight Exemption can be set to. Set to 0 for no limit. |
Viewing Exemptions
To view the full list of Insight-driven exemptions associated with an Organization, go to Security > Exemptions. To explore exemptions you can use a number of search and filtering capabilities. The top of the page includes several options to explore the full list of exemptions in greater detail.
Select an exemption to unlock actions
Select exemptions individually or select the column header checkbox to select all exemptions on the current page and activate the buttons to edit, download, or delete the selected exemptions.
Click the Download All (CSV) to download all Exemptions in the list as a CSV file, with each column representing a field in the file, for example: Status, Provider ID, Resource Name. This means that all Exemptions will be included in the file regardless of the currently applied filter/search.