How To: Waive a Rule
For a primer on compliance concepts such as rules, controls, and more, see Compliance Concepts.
To learn about waivers, see Rule Waivers.
Creating a Rule Waiver
In this example, we’ll demonstrate how to waive the out-of-the-box rule “S3 buckets should have all block public access options enabled” (FG_R00229) for an Amazon S3 bucket hosting a static website in a single environment, though you could also waive a custom rule using the same process outlined below. Waivers can be scoped to one or more resources in a single environment or in all environments. Here, we’ll demonstrate how to waive a single resource in a single environment.
1. In the environment in which you want to waive the resource, navigate to the Compliance by Resource tab. This is the tab that shows by default when you access an environment:
2. You’ll see a list of resources. When you click on a resource, it expands to show a list of the rules that were applied to it, along with each rule’s associated controls, severity, and rule result. Here, we’ll select the S3 bucket
We can see that several rules have been applied to the bucket, some passing and some failing. We’ll focus on the rule “S3 buckets should have all block public access options enabled.” Because our S3 bucket hosts a static website, we want it to be public! However, the rule result is
Fortunately, we can waive the rule result. That means it’ll be ignored in compliance calculations.
3. Select the Waive button next to the rule, and a panel slides out. There are two sections:
About allows you to define a waiver name; any comments you’d like associated with the waiver, such as for auditing or tracking purposes; and an expiration date.
Parameters allows you to specify which environment(s) and resource(s) the waiver applies to. You can apply the waiver to the currently selected resource, a custom set of resources, or all resources impacted by the rule (including resources added in the future).
4. Enter a name for the waiver. We’ll call ours “Prod website bucket.”
5. Enter a comment for the waiver. We’ve entered “Bucket hosts website, needs to be public.”
6. Enter an expiration. We don’t want this to expire, so we’ll keep the default value, “Does not expire.”
7. For the environment(s), keep the currently selected environment.
8. For the resource parameters, keep all the defaults. This ensures that the rule result is only waived for this particular bucket. (If you want, you can configure each resource parameter individually to waive the rule for a custom set of resources using a custom pattern, or to waive the rule for all resources! Learn more about waiver scope in the Rule Waivers page.)
9. Click the “Create Rule Waiver” button. You should see a message saying “Successfully created your rule waiver. ‘Prod website bucket’ will be applied on your next scan.”
You’ll also see a tooltip next to the rule result you waived. If you hover over the i icon, you’ll see the message “This rule has an associated rule waiver that will be applied on the next scan. Compliance results will be updated once the waiver is applied.”
10. To see the results, kick off a new scan by selecting the Actions button in the top right of the window and then selecting Start New Scan.
11. When the scan is finished, select the resource on the Compliance by Resource tab again, and you’ll see that the rule has been waived. Waived rules appear at the bottom of the list of applied rules.
That’s it – you’re done! You just waived a rule.
If the resource evaluation has changed to Compliant as a result of an applied waiver, and you’ve enabled compliance notifications for the environment, you’ll receive notice that a compliance event occurred and the resource is newly compliant. This can occur if all of the failed rule results for a resource are waived in that environment.
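As an added illustration (not code from the Fugue documentation or product), the following Python models the three ideas the walkthrough and the note above rely on: the rule result for FG_R00229, a waiver scoped to one resource in one environment, and the compliance calculation that ignores waived results. The function and class names, the environment ids, and the sample scan data are all constructed assumptions for this example.

```python
from dataclasses import dataclass

RULE_ID = "FG_R00229"  # "S3 buckets should have all block public access options enabled"
BPA_OPTIONS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")

def evaluate_fg_r00229(bpa_config):
    """PASS only when all four block-public-access options are True; no config at all is a FAIL."""
    if not bpa_config:
        return "FAIL"
    return "PASS" if all(bpa_config.get(o) is True for o in BPA_OPTIONS) else "FAIL"

@dataclass(frozen=True)
class Waiver:
    name: str
    rule_id: str
    environment_id: str  # one environment id, or "*" for all environments
    resource_id: str     # one resource id, or "*" for all resources impacted by the rule

    def matches(self, env_id, rule_id, resource_id):
        return (self.rule_id == rule_id
                and self.environment_id in ("*", env_id)
                and self.resource_id in ("*", resource_id))

def apply_waivers(env_id, scan, waivers):
    """scan: {resource_id: {rule_id: "PASS"|"FAIL"}}; matching FAIL results become "WAIVED"."""
    out = {}
    for res, rules in scan.items():
        out[res] = {}
        for rule, verdict in rules.items():
            waived = verdict == "FAIL" and any(w.matches(env_id, rule, res) for w in waivers)
            out[res][rule] = "WAIVED" if waived else verdict
    return out

def resource_compliance(rule_results):
    """Waived results are ignored: the resource is Compliant once no FAIL remains."""
    return "Compliant" if all(v != "FAIL" for v in rule_results.values()) else "Noncompliant"

# Constructed sample scan and waiver (not real Fugue output); PLACEHOLDER_RULE stands in for another rule.
WEBSITE_BUCKET = "prod-website-bucket"
SCAN = {
    WEBSITE_BUCKET: {RULE_ID: evaluate_fg_r00229({o: False for o in BPA_OPTIONS})},
    "logs-bucket": {RULE_ID: evaluate_fg_r00229({o: True for o in BPA_OPTIONS}),
                    "PLACEHOLDER_RULE": "FAIL"},
}
WAIVERS = [Waiver("Prod website bucket", RULE_ID, "env-prod", WEBSITE_BUCKET)]

def compliance_by_resource(env_id, scan=SCAN, waivers=WAIVERS):
    applied = apply_waivers(env_id, scan, waivers)
    return {res: resource_compliance(rules) for res, rules in applied.items()}
```

Running `compliance_by_resource("env-prod")` shows the website bucket turning Compliant because its only failing result is waived, while the same call for another environment leaves it Noncompliant, since the waiver is scoped to a single environment.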