Open ganesh29072 opened 2 years ago
This sounds like a proposed CCC-07 metric ("Implement detection measures with proactive notification in case of changes deviating from the established baseline").
CCC-07-M1 measures "the percent of positive test results from all configuration tests performed". This would be a subset of CCC-07-M1 focusing only on tests that check whether the access policy is met? e.g.
CCC-07-M2 measures "the percent of positive test results from [IAM access policy] configuration tests performed"?
I agree with the statement that configuration tests "should fully cover the overarching policies". This feels like a unique and distinct metric suggestion. e.g.
CCC-07-M3 measures "the percent of normative statements in [IAM access policy] that have an associated configuration test"?
(We could do one per domain or one for all policies)
Metrics proposal from Sriganesh Chandrasekaran:
Just a suggestion: There should be specific adherence-related metrics around the number of configurations (or misconfigurations) tracing back to the IAM access policy setup for the cloud assets in each of the prod and non-prod regions. The configuration setup should fully cover the overarching policies that are set up at the resource level in the cloud.
I can go through the metrics and see if there is any additional feedback that I can give around the above.
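To make the difference between the two metric ideas in this thread concrete (a pass rate over IAM access-policy tests versus the share of policy statements that have any test at all), here is an added illustration that is not code from the CCM project or from either commenter. The statement IDs, domains and test results are constructed sample data; the function names are my own.

```python
"""Compute the CCC-07 style metrics discussed in the thread (added example).

The statement IDs, policy domains and test results below are constructed
sample data, not real policy content.
"""

# Constructed normative statements, keyed by ID, mapped to a policy domain.
STATEMENTS = {
    "IAM-01": "iam",      # e.g. "MFA shall be enforced for console users"
    "IAM-02": "iam",      # e.g. "No wildcard principals in resource policies"
    "IAM-03": "iam",      # e.g. "Access keys shall be rotated within 90 days"
    "NET-01": "network",  # e.g. "No security group open to 0.0.0.0/0 on 22"
}

# Constructed configuration test results as (statement_id, passed).
# Deliberately: IAM-03 has no test at all, NET-01 is tested twice.
RESULTS = [
    ("IAM-01", True),
    ("IAM-02", True),
    ("NET-01", True),
    ("NET-01", False),
]

def pct(num, den):
    """Percentage rounded to one decimal; 0.0 when nothing was measured."""
    return round(100.0 * num / den, 1) if den else 0.0

def pass_rate(results, statements, domain=None):
    """CCC-07-M1 (domain=None) or the proposed M2 (a single domain):
    percent of positive results among configuration tests performed."""
    tests = [ok for sid, ok in results
             if domain is None or statements[sid] == domain]
    return pct(sum(tests), len(tests))

def coverage(results, statements, domain=None):
    """Proposed M3: percent of normative statements that have at least
    one associated configuration test, regardless of its outcome."""
    wanted = [sid for sid, d in statements.items()
              if domain is None or d == domain]
    tested = {sid for sid, _ in results}
    return pct(sum(sid in tested for sid in wanted), len(wanted))

def untested(results, statements, domain=None):
    """Statements with no test: the gap list a policy owner would act on."""
    tested = {sid for sid, _ in results}
    return sorted(sid for sid, d in statements.items()
                  if sid not in tested and (domain is None or d == domain))

if __name__ == "__main__":
    print("M1 overall pass rate:", pass_rate(RESULTS, STATEMENTS))
    print("M2 IAM pass rate:    ", pass_rate(RESULTS, STATEMENTS, "iam"))
    print("M3 IAM coverage:     ", coverage(RESULTS, STATEMENTS, "iam"))
    print("Untested IAM:        ", untested(RESULTS, STATEMENTS, "iam"))
```

With this data the IAM pass rate is 100% while IAM coverage is only 66.7%, which is exactly why a coverage metric is needed alongside the pass rate.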