Wiz Custom Rules
TrustOnCloud CCRs operate in three distinct modes so teams can match rules to their risk tolerance and operational context.
CCR Enforcement Modes
| Mode | Philosophy | Best For |
|---|---|---|
| Universal | Binary check — applies to every resource with no exceptions | Non-negotiable baseline controls |
| Allowlist | Default Deny — only explicitly permitted values pass | Strict environments: Production, Banking, PCI-DSS |
| Denylist | Default Allow — only explicitly banned values fail | Flexible environments: Dev/Test, Sandboxes |
Universal Mode
A binary check. The control applies to every resource with no exceptions: there is no scope list and no allowed or forbidden set to maintain. If the resource does not match the required configuration state, the result is fail. A resource on which the setting is absent altogether does not match the required state either, so it fails as well rather than being skipped.
Example — Storage.C123 (Universal):
All SMB file shares must support AES-256 (Kerberos) and AES-256-GCM
(Channel) encryption. Any deviation fails with no exceptions.
```rego
package wiz
# --- Configuration ---
required_kerberos := "AES-256"
required_channel := "AES-256-GCM"
```
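The configuration block above is only the head of the rule. The following complete Universal-mode rule is an added example for this page, not TrustOnCloud's or Wiz's own code. It assumes the Wiz custom-rule convention of a `result` set to `pass` or `fail` with optional `currentConfiguration`/`expectedConfiguration` strings, and it assumes (hypothetically) that Wiz hands the rule the Azure file service resource as `input`, with the SMB settings at `properties.protocolSettings.smb.kerberosTicketEncryption` and `channelEncryption` as semicolon-separated strings, the way the Azure ARM schema stores them. Classic (pre-`if`) Rego syntax is used.

```rego
package wiz

# --- Configuration ---
required_kerberos := "AES-256"
required_channel := "AES-256-GCM"

# Assumed input shape (hypothetical, not confirmed by the page): the SMB block
# of the Azure file service, e.g.
#   {"kerberosTicketEncryption": "RC4-HMAC;AES-256",
#    "channelEncryption": "AES-128-GCM;AES-256-GCM"}
# object.get with a path returns {} when the block is missing, so every
# helper below stays defined for a resource with no explicit SMB settings.
smb := object.get(input, ["properties", "protocolSettings", "smb"], {})

# Turn a semicolon-separated setting into a set of method names.
# A missing or empty setting yields the empty set.
kerberos_methods := {m | m := split(object.get(smb, "kerberosTicketEncryption", ""), ";")[_]; m != ""}
channel_methods := {m | m := split(object.get(smb, "channelEncryption", ""), ";")[_]; m != ""}

default result = "pass"

# Universal: every resource is evaluated, with no scope or exception list.
# A resource that does not list the required method, including one with no
# SMB settings at all, fails.
result = "fail" {
    not kerberos_methods[required_kerberos]
}

result = "fail" {
    not channel_methods[required_channel]
}

currentConfiguration := sprintf("kerberosTicketEncryption=%s channelEncryption=%s", [
    object.get(smb, "kerberosTicketEncryption", "<unset>"),
    object.get(smb, "channelEncryption", "<unset>")
])

expectedConfiguration := sprintf("kerberosTicketEncryption includes %s and channelEncryption includes %s", [
    required_kerberos,
    required_channel
])
```

Two `result = "fail"` rules with the same value do not conflict in Rego; either condition being true is enough to fail the resource. The check tests that the required method is present, not that it is the only one enabled; whether weaker methods may coexist with it is the Denylist rule's concern.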
Allowlist Mode
Follows a strict Default Deny philosophy. You define exactly what is permitted; everything else is flagged as a violation.
Example — Storage.C123 (Allowlist):
Only file shares named in required_secure_shares are subject to strict
encryption enforcement. All other shares bypass the check, which reduces
false positives but also means a share that is not on the list is never
evaluated: a newly created share passes silently until its name is added to
required_secure_shares, so the list has to be maintained alongside the
inventory of shares that hold sensitive data.
```rego
package wiz
# --- Configuration ---
required_secure_shares := {"finance-share", "hr-share"}
required_kerberos := "AES-256"
required_channel := "AES-256-GCM"
```
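A complete Allowlist-mode rule, added here as an example and not taken from TrustOnCloud's or Wiz's code. It goes one step beyond the configuration above: besides the scope allowlist of share names, it applies the Default Deny idea to the values themselves, so any enabled method outside the allowed sets fails rather than only checking that the required method is present. Assumptions (hypothetical, not confirmed by the page): `input.name` is the share name, the SMB settings sit under `properties.protocolSettings.smb` as semicolon-separated strings, and the Wiz `result` pass/fail convention applies.

```rego
package wiz

# --- Configuration ---
required_secure_shares := {"finance-share", "hr-share"}
# Value allowlist: the only methods an in-scope share may have enabled.
allowed_kerberos := {"AES-256"}
allowed_channel := {"AES-256-GCM"}

# Assumed input shape (hypothetical): share name in input.name, SMB settings
# under properties.protocolSettings.smb. A missing block becomes {}.
smb := object.get(input, ["properties", "protocolSettings", "smb"], {})

kerberos_methods := {m | m := split(object.get(smb, "kerberosTicketEncryption", ""), ";")[_]; m != ""}
channel_methods := {m | m := split(object.get(smb, "channelEncryption", ""), ";")[_]; m != ""}

# Scope allowlist: shares not named here are never evaluated and therefore
# pass. Keep this list in step with the inventory of sensitive shares.
in_scope {
    required_secure_shares[input.name]
}

# Every enabled method that is not explicitly allowed, across both settings.
disallowed := (kerberos_methods - allowed_kerberos) | (channel_methods - allowed_channel)

default result = "pass"

# Default deny on values: anything enabled outside the allowed sets fails.
result = "fail" {
    in_scope
    count(disallowed) > 0
}

# Default deny also covers an in-scope share with no explicit setting:
# there is no evidence the allowed configuration is in force, so it fails.
result = "fail" {
    in_scope
    count(kerberos_methods) == 0
}

result = "fail" {
    in_scope
    count(channel_methods) == 0
}

currentConfiguration := sprintf("share=%s enabled=%s disallowed=%s", [
    input.name,
    concat(";", sort([m | m := (kerberos_methods | channel_methods)[_]])),
    concat(";", sort([m | m := disallowed[_]]))
])

expectedConfiguration := sprintf("only kerberos %s and channel %s enabled", [
    concat(";", sort([m | m := allowed_kerberos[_]])),
    concat(";", sort([m | m := allowed_channel[_]]))
])
```

A share named `finance-share` with `kerberosTicketEncryption` of `RC4-HMAC;AES-256` fails here because `RC4-HMAC` is outside `allowed_kerberos`, even though `AES-256` is present; the Universal rule above would have passed it. A share named `scratch-share` with the same settings passes because it is out of scope, which is exactly the trade-off the mode makes.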
Denylist Mode
Follows a Default Allow philosophy. You define the specific bad configurations to block; everything else is permitted.
Example — Storage.C123 (Denylist): The rule targets known weak legacy protocols. Modern or unlisted encryption methods pass automatically, so the forbidden set has to be maintained as further methods are deprecated; a method that is not in the list is never flagged, however weak it turns out to be.
```rego
package wiz
# --- Configuration ---
forbidden_methods := {"RC4-HMAC", "AES-128-CCM", "AES-128-GCM"}
```
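A complete Denylist-mode rule built on the configuration above, added as an example for this page rather than taken from TrustOnCloud's or Wiz's code. It makes the same hypothetical assumptions as the examples before it: SMB settings under `properties.protocolSettings.smb` as semicolon-separated strings, and the Wiz `result` pass/fail convention.

```rego
package wiz

# --- Configuration ---
forbidden_methods := {"RC4-HMAC", "AES-128-CCM", "AES-128-GCM"}

# Assumed input shape (hypothetical): SMB settings under
# properties.protocolSettings.smb; a missing block becomes {}.
smb := object.get(input, ["properties", "protocolSettings", "smb"], {})

kerberos_methods := {m | m := split(object.get(smb, "kerberosTicketEncryption", ""), ";")[_]; m != ""}
channel_methods := {m | m := split(object.get(smb, "channelEncryption", ""), ";")[_]; m != ""}

# Everything the resource has enabled, across both settings.
enabled_methods := kerberos_methods | channel_methods

# The subset of enabled methods that is explicitly banned.
bad_methods := enabled_methods & forbidden_methods

default result = "pass"

# Default allow: the resource fails only when a listed method is enabled.
# Unlisted methods, including ones introduced after this list was written,
# pass without inspection.
result = "fail" {
    count(bad_methods) > 0
}

currentConfiguration := sprintf("enabled=%s forbidden_enabled=%s", [
    concat(";", sort([m | m := enabled_methods[_]])),
    concat(";", sort([m | m := bad_methods[_]]))
])

expectedConfiguration := sprintf("none of %s enabled", [
    concat(";", sort([m | m := forbidden_methods[_]]))
])
```

Note the fail-open edge this mode carries: a resource with no explicit SMB settings produces an empty `enabled_methods`, so `bad_methods` is empty and the rule passes, even though the platform default that then applies may well include a forbidden method. If that is unacceptable, add a `result = "fail"` rule for `count(enabled_methods) == 0`, at which point the rule is no longer pure Default Allow and belongs closer to the Universal mode.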
Related
- Wiz CCR Packages — GitHub links for all three cloud services
- Wiz Control Mapping — full control to Wiz rule mapping