How To: Waive a Rule

This tutorial shows how to waive an out-of-the-box or custom rule for a specific resource in an environment.

Note

For a primer on compliance concepts such as rules, controls, and more, see Compliance Concepts.

To learn about waivers, see Rule Waivers.

Want to disable a rule instead? See Enabling and Disabling Rules. See also Waivers vs. Disabling Rules.

Let’s Go!

Creating a Rule Waiver

In this example, we’ll demonstrate how to waive the out-of-the-box rule “S3 buckets should have all block public access options enabled” (FG_R00229) for an Amazon S3 bucket hosting a static website in a single environment. You can waive a custom rule using the same process outlined below. Waivers can be scoped to one or more resources, in a single environment or in all environments. Here, we’ll waive the rule for a single resource in a single environment.

1. In the environment in which you want to waive the resource, navigate to the Compliance by Resource tab. This is the tab that shows by default when you access an environment.

2. You’ll see a list of resources. When you click on a resource, it expands to show a list of the rules that were applied to it, along with each rule’s associated controls, severity, and rule result. Here, we’ll select the S3 bucket fugue-example-public-bucket.

We can see that several rules have been applied to the bucket, some passing and some failing. We’ll focus on the rule “S3 buckets should have all block public access options enabled.” Because our S3 bucket hosts a static website, we want it to be public! However, the rule result is Failed.


Fortunately, we can waive the rule result. That means it’ll be ignored in compliance calculations.

3. Select the Waive button next to the rule, and a panel slides out. There are two sections:

  • About allows you to define a waiver name; any comments you’d like associated with the waiver, such as for auditing or tracking purposes; and an expiration date.

  • Parameters allows you to specify which environment(s) and resource(s) the waiver applies to. You can apply the waiver to the currently selected resource, a custom set of resources, or all resources impacted by the rule (including resources added in the future).


4. Enter a name for the waiver. We’ll call ours “Prod website bucket.”

5. Enter a comment for the waiver. We’ve entered “Bucket hosts website, needs to be public.”

6. Enter an expiration. We don’t want this to expire, so we’ll keep the default value, “Does not expire.”

7. For the environment(s), keep the currently selected environment.

8. For the resource parameters, keep all the defaults. This ensures that the rule result is only waived for this particular bucket. (If you want, you can configure each resource parameter individually to waive the rule for a custom set of resources using a custom pattern, or to waive the rule for all resources! Learn more about waiver scope in the Rule Waivers page.)

9. Click the “Create Rule Waiver” button. You should see a message saying “Successfully created your rule waiver. ‘Prod website bucket’ will be applied on your next scan.”

You’ll also see a tooltip next to the rule result you waived. If you hover over the i, you’ll see the message “This rule has an associated rule waiver that will be applied on the next scan. Compliance results will be updated once the waiver is applied.”


10. To see the results, kick off a new scan by selecting the Actions button in the top right of the window and then selecting Start New Scan.

11. When the scan is finished, select the resource on the Compliance by Resource tab again, and you’ll see that the rule has been waived. Waived rules appear at the bottom of the list of applied rules.


That’s it – you’re done! You just waived a rule.

Note

If the resource evaluation has changed to Compliant as a result of an applied waiver, and you’ve enabled compliance notifications for the environment, you’ll receive notice that a compliance event occurred and the resource is newly compliant. This can occur if all of the failed rule results for a resource are waived in that environment.
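The effect of the waiver created above can be modeled offline. The following is an added example, not Fugue's code or API: it applies waivers to a resource's rule results, marks the resource compliant once every failed result is waived, and flags waivers whose scope or expiration deserves periodic review. Assumptions: the `Waiver` record layout, the environment name `prod-env`, the second rule ID `EXAMPLE_RULE_2`, shell-style wildcards for the custom pattern, and waivers affecting only failed results.

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class Waiver:                      # hypothetical record layout, not Fugue's schema
    name: str
    rule_id: str
    environment: str               # one environment, or "*" for all environments
    resource_pattern: str          # exact resource ID or wildcard pattern (assumed syntax)
    expires: Optional[date]        # None models "Does not expire"

    def covers(self, env, rule_id, resource_id, today):
        if self.expires is not None and today > self.expires:
            return False           # expired waivers no longer apply
        return (self.rule_id == rule_id
                and fnmatchcase(env, self.environment)
                and fnmatchcase(resource_id, self.resource_pattern))

def evaluate(env, resource_id, results, waivers, today):
    """results maps rule_id -> "PASS" or "FAIL"; returns (compliant, effective results)."""
    effective = {}
    for rule_id, outcome in results.items():
        waived = outcome == "FAIL" and any(
            w.covers(env, rule_id, resource_id, today) for w in waivers)
        effective[rule_id] = "WAIVED" if waived else outcome
    # A resource is compliant when no unwaived failure remains.
    return "FAIL" not in effective.values(), effective

def review_flags(waiver):
    """Reasons a reviewer may want to revisit a waiver on a schedule."""
    flags = []
    if waiver.expires is None:
        flags.append("no-expiry")
    if any(c in waiver.resource_pattern for c in "*?"):
        flags.append("wildcard-resource")
    if waiver.environment == "*":
        flags.append("all-environments")
    return flags

# Constructed sample data: the waiver from this tutorial plus a broad, expired one.
TODAY = date(2024, 1, 15)
WAIVERS = [
    Waiver("Prod website bucket", "FG_R00229", "prod-env",
           "fugue-example-public-bucket", None),
    Waiver("All buckets", "FG_R00229", "*", "*", date(2023, 12, 31)),
]
RESULTS = {"FG_R00229": "FAIL", "EXAMPLE_RULE_2": "PASS"}
```

With this data, only `fugue-example-public-bucket` becomes compliant; any other bucket failing FG_R00229 stays noncompliant because the broad waiver has expired.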

What’s Next?

If you’d like to edit or delete the rule waiver, see the following documentation:

For in-depth documentation about the topics covered in this tutorial, check out the links below: