Cloud Security

How to create custom cloud security posture policies

How to create custom cloud security posture policies
Written by ga_dahmani
How to create custom cloud security posture policies


Falcon Horizon, CrowdStrike’s cloud security posture management solution, uses configuration and behavior policies to monitor public cloud deployments, proactively identify issues, and resolve potential security issues. However, clients are not limited to predefined policies. This article will review the different options for creating custom cloud security posture management policies in Falcon Horizon.


Policy settings

The Falcon Horizon Dashboard illustrates an overview of recent findings across all registered cloud providers and accounts.

csp control panel

Those findings are based on policy settings. The “Policies” tab displays comprehensive options, categorized by provider and service, for monitoring cloud misconfigurations as well as malicious behavior. In this example from Amazon’s S3 service, there are multiple policy options for both categories. Falcon Horizon also provides the functionality to create custom policies tailored to best meet an organization’s needs.

cspm policies

Create a custom policy

From the “Policies” tab under “Cloud Security Posture”, there is an option to create a “New Custom Policy”.

cspm create new policy

A wizard will guide the creation of the new policy. The first step is to choose the applicable cloud provider.

cspm policy provider

A new name, description, and severity are then assigned to the policy. In the following example, this custom Azure Identity policy is of medium severity.

cspm naming policy

To create a new policy from scratch, the next step is to choose an asset type that corresponds to the cloud service. The following example shows an AD user asset type. (The option to select a reference policy will be covered under “Modify Existing Policies”.)

cspm policy resource

Once the asset type is selected, filters and conditions can be added. Adding rules based on any number of additional criteria, including specific accounts, groups, or tenants, makes the new policy more specific. Here’s a policy that looks for enabled accounts where the credentials aren’t registered for MFA, but the credential itself is enabled.

cspm new filters

Modify existing policies

In many situations, it can be useful to start with an existing rule and make changes or additions. There are two different ways to approach that in the UI. From the list of policies, some policies include a “Clone” link. Cloning a policy will transfer all policy and compliance details, while allowing changes to the rule criteria.

cspm clone policy

Alternatively, selecting the “New Custom Policy” option will present options for the applicable cloud provider.

cspm create new policy

Below are directions for entering a custom policy name and severity before selecting the appropriate cloud service. The next screen includes two main options. As shown above, selecting an asset type is the first step in creating a blank policy. In contrast, choosing to start with an existing reference policy will replicate that policy and associated query logic (shown below for AWS EC2).

cspm baseline

Once the cloned or reference policy has been selected, there are a number of options to make changes. Existing fields and operations can be edited. While the trash can icon provides the option to remove criteria, new criteria can also be added using any number of fields. In the following example, ports considered high risk can be added or removed. Added a rule for tag name to ensure that this rule will fire whenever systems with a tag NOT equal to “test” are allowed public entry into high-risk ports.

cspm policy issues

The “Test Custom Rule” option highlighted above provides a preview of how that rule will perform in your environment.


After saving custom policy filters, there are options to assign that policy to compliance controls. While the cloned policies will already include any enforcement associations, they can also be modified as needed.

cspm clone compliance

Using a policy baseline or starting from scratch, the next step will present menu options for compliance. CrowdStrike’s built-in compliance frameworks can be selected, but there is also the option to “Add New Compliance.”

cspm compliance checks

By completing just a few fields, policies can be associated with a custom benchmark or compliance frameworks that are not currently built into the platform.

cspm new compliance

Once the requirement has been saved, it will appear in the dropdown so that the version, section, and requirement can be mapped to the custom policy before saving.

cspm select new compliance

After mapping compliance, the next step is to save the policy.

cspm save policy


New policies will be listed under the “Policies” tab as custom policies. The buttons at the top rotate the screen between default and custom policies for each service.

cspm custom policies button

With default and custom policies in place, assessments occur at regular, configurable intervals. Assessment results can be filtered to quickly hone in on a specific severity, account, region, service, or type. Also, a “custom” mark is used next to the policy name to help identify those custom policies.

cspm findings


As organizations continue to deploy mission-critical data and applications in the cloud, it’s critical that those resources are properly configured and protected. In addition to monitoring multi-cloud deployments for incorrect configurations and behaviors, Falcon Horizon enables customers to create custom policies that best meet their organizational and compliance needs.

more resources

About the author


Leave a Comment