BMC Helix Cloud Security enables you to create exceptions for a rule in a policy. Exceptions enable you to mark all resources that are evaluated against the rule as compliant, but with exceptions.
To access the latest information about this topic and all Cloud Security releases, check out the Release notes and notices.
New update has been added which enables editing of exception name, exception justification and start and ends dates.
An Administrator can create an exception with just the Policy Name and the Rule Name that the exception is associated with.
To open the Manage Exceptions page, select Manage > Exceptions.
From the Manage Exceptions page you can perform the following actions:
View Only users cannot add or modify exceptions; however, they can view existing exceptions.
Customizing data on the Manage Exceptions page
The Manage Exceptions page contains the following information:
- Exception Name: Shows the name of the exception that was created.
Clicking the exception name displays the Exception Details page with the resources that are assigned to that exception.
- Rule Name: Shows the rule that is associated with the exception
- Policy: Shows the name of the policy associated with the exception
- Resource Count: Shows the number of resources that are evaluated against the rule as exceptions.
Clicking on the number opens the Violations page which displays the corresponding rule that qualifies for the exception.
From there you can traverse directly to the Violations Details page by clicking on the rule that contains the violation, where you can view and create additional exceptions.
- Status: Shows the status of the exception:
If the exception period has not started, the status displays as INACTIVE.
If the exception period is in force, the status displays as ACTIVE.
If the exception period has expired, the status displays as EXPIRED.
Filtering the display of the exception list
You can filter the display of the exception list in a variety of ways. You can:
Type a keyword of 3 or more characters in the Enter Search Keyword field to narrow down search, and then press Enter or click anywhere on the page.
- Filter by policy:
- Click the Policy menu in the filter bar and choose a policy from the list.
- Type a keyword of 3 or more characters in the Find Policy field to narrow down search, and then press Enter or click anywhere on the page.
- Clear the retrieved results by clicking Clear selected items and reset the list to the default settings.
- Filter by status:
- Click the Status menu in the filter bar and choose a status from the list (Active, Inactive, or Expired).
- Clear the retrieved results by clicking Clear selected items and reset the list to the default settings.
- Click Clear in the filter bar to reset the list to the default settings after you have filtered by either policy or status.
Creating a new exception
- Click Add Exception.
On the Create an Exception page, complete the following fields or options:
Field Description Exception Name (Required) The name for the exception can be chosen and edited according to user preference. Justification
The reason for exception. You can specify any justification for creating the exception (for example, a business requirement, or reason why a particular rule will not be followed in your organization). Start Date/Time
End Date/Time (Required)
The start date and time and end date and time.
An administrator can create an exception for a date in the future, so that the exception will not be enforced until that day and time. Exceptions that are created for a future date display a status of INACTIVE until that date occurs. Exceptions for dates that are in the past cannot be created.
Click anywhere in the field to open the calendar widget and select a date by clicking the corresponding day on the calendar.
To specify a time, type the hour and minutes in the corresponding fields and click AM or PM.
Users must enter relevant dates for the exception to be activated, that is, the date added must not be from prior days.
Policy (required) The policy associated with the exception. Click in the Search Policy field and select a policy from the menu. Rule (required)
The rule associated with the exception based on the policy selected. Click in the Search Rule field and select a policy from the menu. The rules that display are rules associated with the selected policy.
Resources The resources that are applied to the exception. Selecting the All Resources option button specifies that the selected exception will span all resources. You can also select the Selected Resources option button to specify which resources will contain the exception. For more information, see Creating an exception for a specific resource/rule. Tags (enabled only when the Selected Resources button is selected)
One or more tags can be specified here. You can select one or more pre-created tags from AWS/GCP/Azure environment like shown below.
This way only those resources which have the specified tag will be accounted for the exception being created. For more information, see Creating an exception for a specific resource/rule.
Click Save Exception to add the rule to the policy.Exception created under a specific Organization is only applicable for the resources under that Organization. These exception are only seen in context of the organization under which they are created.
Once the exception is created, on a subsequent evaluation the qualifying resource is considered compliant, even if it is evaluated as non-compliant in Cloud Security. A resource can be added to more than one exception, and resources with exceptions that have expired will turn non-compliant at the next evaluation.
Creating an exception for a specific resource/rule
Cloud Security enables you to create exceptions for a rule in a policy only for specific resources. For example, you might create an exception for another department in an organization that does not consider a specific resource as non-compliant. The resource for which you create the exception will then be shown as a status of CompliantWithException.
You can create one exception per rule, and you can assign one or more tags to the exception that specify resources that are candidates for exceptions.
- From the Create an Exception page, Resources area, select the Selected Resources option button.
- In the Tags field, click in the field to select a tag and then click the plus sign icon to add the tag. Repeat until you have added all the tags that you want.
- Add or remove resources that will contain the exception as necessary. For more information, see Steps 5 and 6 in Creating an exception for a specific resource/rule using the exception flag.
Creating an exception for a specific resource/rule using the exception flag
You can also create a resource-specific exception from the Violations page using the exception flag. For example, a user might view a specific resource and wants to add an exception on the spot. Using the flag option enables you to do so without leaving the page.
- On the Violations page, click the rule already associated with or to be associated with the exception.
- On the Violations Details page, in the List of Resources, click the exceptions flag icon in the row of the resource on which an exception has been or will be created.
For rules for which an exception has already been created, a red flag displays. When you hover over the flag, a banner displays indicating that the resource is marked as an exception. When you click the flag, you can add to an existing exception by creating a new one. Note that the corresponding resource may still show a status of Compliant, as shown in the following illustration.
For rules for which an exception has not yet been created, a gray flag displays when you hover over the icon. In this case, you can create a new exception (the first one associated with that resource).
- Choose Create new exception from the menu.
On the Create an Exception page, complete the fields and click Save Exception.The Create an Exception page contains pre-populated fields to indicate the policy and rule that will contain the new exception.
Using this example, creating an exception from the flagged AWS EC2 resource from the Violations page opens the Create an Exception page with the AWS policy and rule combination, as well as the associated connector, pre-populated on the page. See the following illustration.
- Click in the Type Resource Name field to select an additional resource to apply to the exception, and then click the plus sign icon to add the resource. Repeat until you have added all the resources that you want.
- To remove the resource, click in the Type Resource Name field to select the resource from which to remove the exception, and then click Remove.
Alternatively, select the check boxes of the resource in the Resources list and click Remove.
- Click Save Exception.
The selected resources will be shown as a status of CompliantWithException.
Deleting an exception
To delete an exception:
- From the Manage Exceptions page, hover over the far-right row of the exception in the Exception Name list that you want to delete to display the trash can icon, as shown in the following illustration:
- Click the trash can icon.
Click Ok, Delete on the confirmation message that displays.
Deleting this exception removes all resources that might be associated with it. You cannot undo this action.
A confirmation message displays that the exception has been successfully deleted.
In the next scan, the deleted exception will show a status of Not Available in the Exceptions tab of the resource on the Violations Details page.
In the following example, an exception for 1.4_IAM_Rule that was previously enabled was subsequently deleted. The status is now shown as Not Available.
With the exception no longer active, the associated resource is evaluated as NonCompliant and the Exceptions tab for that resource is no longer displayed, as shown in the following illustration.
Viewing the details of an exception
On the Manage Exceptions page, click a link in the Exception Name column to view additional details for the selected exception.
The Exception Details page shows the status of the exception, the start and end time scheduled for the exception, and the policy and rule to which the exception applies. belongs and the reference ID (an identification for a given rule defined by a user or a regulatory framework), their type, the time when they were last scanned, the time since the status of the resource in a specific state (age of violations), the status of the remediation, and (if applicable) an exception flag.
Editing existing exceptions
Exceptions exist in three different states, namely Inactive, Active and Expired states. Cloud Security now allows you to manage these states by enabling access to edit start and end dates of exceptions.
- On the Exception Details page, a status of Inactive indicates an exception that has been enabled but is not running against the associated policy and rule as the selected start date is set for a future date.
To disable an Inactive exception, click the Status bar. The slider moves to the left and the Status area is grayed out with DISABLED displayed.
- On the Exception Details page, a status of Active indicates an exception that has been enabled and is currently running against the associated policy and rule.
To disable an active exception, click the Status bar. The slider moves to the left and the Status area is grayed out with DISABLED displayed.
Start dates of Active states cannot be changed.
- If the exception period has expired, the status is displayed as EXPIRED and you will be unable to enable or disable the exception until the start and end dates have been modified accordingly.
The user must run evaluation after making modifications for the changes to be successfully implemented.
Performing next steps