How To: Waive a Rule
For a primer on compliance concepts such as rules, controls, and more, see Compliance Concepts.
To learn about waivers, see Rule Waivers.
Want to disable a rule for all applicable resources across all environments? See Enabling and Disabling Rules.
Creating a Rule Waiver
In this example, we’ll demonstrate how to waive the out-of-the-box rule “S3 buckets should have all block public access options enabled” for an Amazon S3 bucket hosting a static website, though you could also waive a custom rule using the same process outlined below. Within an environment, waivers can be scoped to a single resource or all resources the rule applies to. Here, we’ll demonstrate how to waive a single resource.
1. In the environment in which you want to waive the resource, navigate to the Compliance by Resource tab. This is the tab that shows by default when you access an environment:
Note that in the image above, there’s 1 noncompliant resource and the FBP compliance family shows 11/12 compliant controls – we’ll revisit this later!
2. You’ll see a list of resources. When you click on a resource, it expands to show a list of the rules that were applied to it, along with each rule’s associated controls, severity, and rule result. Here, we’ll select the S3 bucket:
Because the Fugue Best Practices compliance family is enabled for this environment, we can see that three rules have been applied to the bucket, one failing and two passing:
We’ll focus on the rule “S3 buckets should have all block public access options enabled.” Because our S3 bucket hosts a static website, we want it to be public! However, the failed rule result is causing the resource to be flagged as noncompliant.
Fortunately, we can waive the rule result. That means it’ll be ignored in compliance calculations. And since this is the only failed rule, once we apply the waiver, the resource evaluation will change from
3. Select the Waive button next to the rule, and a panel slides out. There are three sections:
Rule Information lists the rule summary (“S3 buckets should have all block public access options enabled”) and associated compliance controls (in this case, just FBP R002).
Waiver Information allows you to define a waiver name and any comments you’d like associated with the waiver, such as for auditing or tracking purposes.
Waiver Scope shows which environment and resource the waiver applies to. You can apply the waiver to the currently selected resource or all resources impacted by the rule (including resources added in the future).
4. Enter a name for the waiver. We’ll call ours “Prod website bucket.”
5. Enter a comment for the waiver. We’ve entered “Bucket hosts website, needs to be public.”
6. For the rule scope, keep the default choice, “Waive a single resource.”
7. Click the “Create Rule Waiver” button. You should see a message saying “Successfully created your rule waiver. ‘Prod website bucket’ will be applied on your next scan.”
You’ll also see a tooltip next to the rule result you waived. If you hover over the i icon, you’ll see the message “This rule has an associated rule waiver that will be applied on the next scan. Compliance results will be updated once the waiver is applied.”
8. To see the results, kick off a new scan by selecting the Actions button in the top right of the window and then selecting Start New Scan.
9. When the scan is finished, take a look at the Controls Overview again. This time, there are 7 compliant resources and 0 noncompliant resources, and FBP has 12/12 compliant controls:
If you select the resource on the Compliance by Resource tab again, you’ll see that the rule has been waived. Waived rules appear at the bottom of the list of applied rules. In this case, since “block public access” was the only noncompliant rule, the resource evaluation has changed to
That’s it – you’re done! You just waived a rule.
If the resource evaluation has changed to Compliant as a result of an applied waiver, and you’ve enabled compliance notifications for the environment, you’ll receive notice that a compliance event occurred and the resource is newly compliant. This can occur if all of the failed rule results for a resource are waived in that environment.
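The walkthrough above describes three things a waiver changes: a waived rule result is ignored when a resource is evaluated, the compliance family’s control count moves (11/12 to 12/12), and a resource that flips to Compliant raises a compliance event. The following Python model, added here as an illustration and not Fugue’s own code or API, reproduces those calculations on constructed scan data for the seven resources in the example and also shows the difference between the two waiver scopes: a single-resource waiver leaves a later, similarly misconfigured bucket noncompliant, while an all-resources waiver silently covers it as well. All rule ids other than the block-public-access rule, the resource names, and the field names of `RuleResult` and `Waiver` are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class RuleResult:
    """One rule applied to one resource in a scan (constructed sample data)."""
    resource_id: str
    rule_id: str
    control: str      # compliance control the rule maps to, e.g. "FBP R002"
    passed: bool

@dataclass(frozen=True)
class Waiver:
    """A rule waiver as described on this page (hypothetical field names)."""
    name: str
    rule_id: str
    environment: str
    resource_id: Optional[str]   # None = every resource the rule applies to, now or in the future
    comment: str = ""

def is_waived(result: RuleResult, waivers: List[Waiver], environment: str) -> bool:
    """A result is waived when a waiver in this environment matches its rule and its scope."""
    return any(
        w.environment == environment
        and w.rule_id == result.rule_id
        and (w.resource_id is None or w.resource_id == result.resource_id)
        for w in waivers
    )

def evaluate_resources(results: List[RuleResult], waivers: List[Waiver], environment: str) -> Dict[str, str]:
    """A resource is Noncompliant if any unwaived rule result failed; waived results are ignored."""
    status: Dict[str, str] = {}
    for r in results:
        status.setdefault(r.resource_id, "Compliant")
        if not r.passed and not is_waived(r, waivers, environment):
            status[r.resource_id] = "Noncompliant"
    return status

def control_summary(results: List[RuleResult], waivers: List[Waiver], environment: str, family: str) -> Tuple[int, int]:
    """Return (compliant controls, total controls) for one family, e.g. 'FBP'."""
    failing, total = set(), set()
    for r in results:
        if not r.control.startswith(family + " "):
            continue
        total.add(r.control)
        if not r.passed and not is_waived(r, waivers, environment):
            failing.add(r.control)
    return len(total) - len(failing), len(total)

def newly_compliant(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Resources whose evaluation flipped to Compliant between two scans: the compliance event."""
    return sorted(rid for rid, s in after.items()
                  if s == "Compliant" and before.get(rid) == "Noncompliant")

ENV = "prod"
# Constructed scan of seven resources; only the website bucket fails a rule (FBP R002).
SCAN: List[RuleResult] = [
    RuleResult("website-bucket", "s3-block-public-access", "FBP R002", False),
    RuleResult("website-bucket", "s3-bucket-versioning", "FBP R003", True),   # hypothetical rule id
    RuleResult("website-bucket", "s3-access-logging", "FBP R004", True),      # hypothetical rule id
]
_others = ["vpc-main", "sg-web", "iam-deploy-role", "cloudtrail-main", "kms-data-key", "rds-app-db"]
_controls = ["FBP R001"] + [f"FBP R{n:03d}" for n in range(5, 13)]   # nine more controls, twelve in total
for i, ctrl in enumerate(_controls):
    SCAN.append(RuleResult(_others[i % len(_others)], f"rule-{i}", ctrl, True))

# The waiver created in the walkthrough (single resource) and a broader alternative scope.
SINGLE = Waiver("Prod website bucket", "s3-block-public-access", ENV, "website-bucket",
                "Bucket hosts website, needs to be public.")
BROAD = Waiver("All buckets", "s3-block-public-access", ENV, None)

# A later scan in which someone has created another bucket that fails the same rule.
NEXT_SCAN = SCAN + [RuleResult("new-public-bucket", "s3-block-public-access", "FBP R002", False)]

def demo() -> Dict[str, object]:
    before = evaluate_resources(SCAN, [], ENV)
    after = evaluate_resources(SCAN, [SINGLE], ENV)
    return {
        "before": control_summary(SCAN, [], ENV, "FBP"),            # (11, 12)
        "after": control_summary(SCAN, [SINGLE], ENV, "FBP"),       # (12, 12)
        "event": newly_compliant(before, after),                     # ['website-bucket']
        "single_scope_next": evaluate_resources(NEXT_SCAN, [SINGLE], ENV)["new-public-bucket"],  # Noncompliant
        "broad_scope_next": evaluate_resources(NEXT_SCAN, [BROAD], ENV)["new-public-bucket"],    # Compliant
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two entries of `demo()` are the reason the walkthrough keeps the default “Waive a single resource” scope: the broad scope waives the rule for buckets that do not exist yet, so a new bucket left open by mistake would still show as Compliant, and the waiver comment is the only record of why.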