Policy Exceptions

Secberus provides the ability to pause violations so that they are excluded from compliance and risk calculations, violation counts, and workflow notifications.

For example, say you have a policy that mandates that all S3 buckets be encrypted, but in a few instances there is a good reason to break that rule, such as a bucket that hosts public static content. You can mark the violations raised for that bucket as exceptions, or create a rule that does so automatically.

Violations can be manually marked as an exception, or rules can be created based on resource metadata to automatically mark exceptions.

Managing violation status

To manually change the status of a violation, navigate to a policy where violations are occurring and select the Violations tab. Select a violation, and choose the Mark as exception or Un-mark as exception button in the table header. The violation status will update to reflect this change.

Mark as exception

Clicking on a violation row will open the Violation details panel, which includes a Mark as exception or Un-mark as exception button in the panel header.

Violation panel

Creating automatic exception rules

To create rules that automatically mark violations as exceptions, navigate to a policy and select the Details tab. Then open the settings menu and select Manage exceptions.

Violation details

Enter a descriptive Name for the Exception rule group, then use the if exception type selector to indicate which type of resource metadata to match when marking exceptions. Use the + rule button to add further key:value pairs to the group, and the Save rule group button to create the group and associate it with the policy. A policy exception can have multiple rule groups. Keep the key:value pairs as specific as possible: a rule group matches on metadata that the resource owner controls, so anyone able to set that metadata on a resource can suppress its violations for this policy.


The exception rule takes effect the next time the policy is run and the associated resource data is collected. Exception rules can be updated or removed at any time.
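The following is an added example, not Secberus code, that models how rule groups of this kind are evaluated against violations and how marked exceptions drop out of the violation count. It assumes (the page does not say) that every key:value pair within one rule group must match a resource's metadata and that a violation becomes an exception when any rule group matches; the tag names, resource IDs and resource total are constructed sample data. It also shows the check a practitioner would want before applying a rule group: a group with no key:value pairs would match every resource.

```python
# Added example (not Secberus code): a minimal model of tag-based exception
# rule groups evaluated against violations. ASSUMPTIONS (not stated on the
# page): all key:value pairs within one rule group must match a resource's
# metadata, and a violation becomes an exception when any rule group matches.
# Tag names and resource IDs below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Violation:
    resource_id: str
    metadata: dict           # resource metadata as collected, e.g. cloud tags
    exception: bool = False  # True once marked manually or by a rule group


@dataclass
class RuleGroup:
    name: str
    rules: dict  # key -> required value; every pair must match (assumption)

    def matches(self, metadata: dict) -> bool:
        # Exact, case-sensitive comparison; a missing key never matches.
        return all(metadata.get(k) == v for k, v in self.rules.items())


def validate_groups(groups):
    """Return the names of rule groups that have no key:value pairs.

    An empty group would match every resource (all() of nothing is True) and
    silently except every violation on the policy, so it must be refused.
    """
    return [g.name for g in groups if not g.rules]


def apply_exception_rules(violations, groups):
    """Mark violations whose metadata matches any rule group and return the
    IDs newly marked. Violations already marked (e.g. manually) are left alone."""
    empty = validate_groups(groups)
    if empty:
        raise ValueError(f"rule groups with no rules match everything: {empty}")
    newly_marked = []
    for v in violations:
        if not v.exception and any(g.matches(v.metadata) for g in groups):
            v.exception = True
            newly_marked.append(v.resource_id)
    return newly_marked


def active_violation_count(violations):
    """Violations that still count toward risk and compliance (exceptions excluded)."""
    return sum(1 for v in violations if not v.exception)


def compliance_pct(total_resources, violations):
    """Percentage of resources with no active violation (one violation per resource)."""
    active = active_violation_count(violations)
    return round(100 * (total_resources - active) / total_resources, 1)


def sample_violations():
    """Constructed violations for an 'S3 buckets must be encrypted' policy."""
    return [
        Violation("bucket-public-site", {"purpose": "static-site", "public": "true"}),
        Violation("bucket-logs", {"purpose": "logs"}),
        # Tagged public but not as a static site: must NOT be excepted.
        Violation("bucket-public-misc", {"public": "true"}),
        # Already marked manually in the Violations tab.
        Violation("bucket-manual", {}, exception=True),
    ]


# One rule group with two key:value pairs, both of which must match.
SAMPLE_GROUPS = [
    RuleGroup("Public static hosting", {"purpose": "static-site", "public": "true"}),
]


if __name__ == "__main__":
    violations = sample_violations()
    print("newly excepted:", apply_exception_rules(violations, SAMPLE_GROUPS))
    print("active violations:", active_violation_count(violations))
    print("compliance %:", compliance_pct(10, violations))
```

Only the bucket carrying both tags is excepted; a bucket tagged merely public stays an active violation, which is the behaviour you want from a narrowly scoped rule group.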