
Exceptions

You may want to create exceptions to exempt certain cloud resources from a particular run time control, or to temporarily change the status of a resource for a particular run time control from Failed to PassE (Pass with Exception) or Skip (applicable for resources in IaC templates).

For example, it may be the policy in an organization that a particular cloud resource is not allowed on any server or port. However, there could be a business need for the organization to provide an exception for one or more resources on a temporary basis. This may be required to support a custom application or other business need. You could use exceptions in such scenarios.

Create Exceptions (with Connectors and Tags)

You can exempt resources from evaluation from the Exceptions tab. Here, you can create exceptions for resources associated with a Connector or resources with a Qualys Tag applied. Here are quick steps to create an exception for connector and tagged resources.

1. Navigate to the Exceptions tab. 

2. Click New. You are taken to a wizard to provide the details of the exception.

3. In the Basic Details screen, provide a name for the exception, the reason for creating the exception, an explanation, and the start and end dates for the exception. Optionally, you could also provide information about the security policy and procedure for which the exception is being created. Click Next.

4. Select Exception Scope. There are two scopes available. 

Connector: Choose to create exceptions for all resources in the account associated with the connector.

Qualys Tag: Choose to create exceptions for all resources in the account associated with a given tag. Tags are applied to resources for exceptions through the exception management APIs. Read more about the APIs in the TotalCloud API Guide.

You can further filter resources for exceptions by selecting Connectors or Connector tags. All connectors with the selected Exception tag, or connectors with both the exception tag and a new connector tag, are chosen for the evaluation exception.

5. Select controls to exempt from evaluation. The selected controls are automatically moved to the PassE result when evaluations are performed.

6. Review and Create Exception.

Your exception is available to view in the Exceptions tab.

Create Exception (for Build Time Controls)

You could also exempt resources within your Infrastructure as Code (IaC) template files from evaluation for build time controls.

You need to add the following code to your template files, and the controls are skipped during evaluation.

Code Snippet: ARM Template

"metadata":{
  "qiac-skip": [
    "iac:exempt=<cid>:<exception_comment>",
    "iac:exempt=<cid>:<exception_comment>"
  ]
}

Example Snippet: To exempt resources from an evaluation of CID 1 and CID 2, the following code should be added to your ARM template file.

"metadata":{
  "qiac-skip": [
    "iac:exempt=1:Skipping cid 1",
    "iac:exempt=2:Skipping cid 2"
  ]
}

Code Snippet: CloudFormation Template

Example Snippet: To exempt resources from evaluation of CID 20, the following code should be added to your CloudFormation template file.

"Resources" : {
  #iac:exempt=20:Skipping cid 20
  "Trail": {
    "Type" : "AWS::CloudTrail::Trail",
    "Properties" : {
      "EnableLogFileValidation" : true,
      "IsMultiRegionTrail" : true,
      "KMSKeyId" : ""
    }
  }
}

Code Snippet: Terraform Template

Example Snippet: To exempt resources from evaluation of CID 294, the following code should be added to your Terraform template file.

resource "aws_kms_key" "kms_key" {
  #iac:exempt=294:Skipping cid 294
  description             = "KMS key 1"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

resource "aws_sqs_queue" "sqsprod" {
  name              = "sqsprod"
  kms_master_key_id = "alias/aws/sqs"
}
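
A repository audit for the annotations shown above, as an added example (not Qualys code): it lists every `iac:exempt` annotation in a template so that skipped controls can be checked against a reviewed allow-list before merge. It assumes CIDs are numeric as in the page's examples; the function names, file names, CID 17 and the approved set are constructed for illustration.

```python
import re

# Annotation format from the page: iac:exempt=<cid>:<exception_comment>
# Assumption: CIDs are numeric, as in the page's examples (1, 2, 20, 294).
EXEMPT_RE = re.compile(r'iac:exempt=(?P<cid>[^:\s"]*):?(?P<comment>[^"\n]*)')

def find_exemptions(name, text):
    """Return one record per iac:exempt annotation found in a template."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in EXEMPT_RE.finditer(line):
            cid, comment = m.group("cid"), m.group("comment").strip()
            issues = []
            if not re.fullmatch(r"[0-9]+", cid):
                issues.append("non-numeric CID")
            if not comment:
                issues.append("missing comment")
            # ARM carries the annotation as a JSON string in "qiac-skip";
            # CloudFormation and Terraform carry it as a '#' comment.
            style = "comment" if line.lstrip().startswith("#") else "metadata"
            findings.append({"file": name, "line": lineno, "cid": cid,
                             "comment": comment, "style": style, "issues": issues})
    return findings

def unapproved(findings, approved_cids):
    """Exemptions that are malformed or whose CID is not on the allow-list."""
    return [f for f in findings
            if f["issues"] or int(f["cid"]) not in approved_cids]

# Constructed sample templates, modelled on the page's snippets.
ARM_SAMPLE = '''"metadata": {
  "qiac-skip": [
    "iac:exempt=1:Skipping cid 1",
    "iac:exempt=2:Skipping cid 2"
  ]
}'''
TF_SAMPLE = '''resource "aws_kms_key" "kms_key" {
  #iac:exempt=294:Skipping cid 294
  description = "KMS key 1"
}
resource "aws_sqs_queue" "sqsprod" {
  #iac:exempt=17:
  name = "sqsprod"
}'''

if __name__ == "__main__":
    found = find_exemptions("main.json", ARM_SAMPLE) + find_exemptions("main.tf", TF_SAMPLE)
    for f in unapproved(found, approved_cids={1, 2, 294}):
        print(f"{f['file']}:{f['line']} cid={f['cid']!r} {f['issues'] or 'not approved'}")
```
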

Create Exception (for Run Time Controls)

You can create exceptions to exempt resources from run time control evaluation. Here are quick steps to create an exception.

1. Navigate to the Posture tab. You'll notice a Search field above the controls list. Enter your search query for failed evaluations and click the required control in the search results to view the control evaluations.

2. Select the failed resource for which you want to create an exception and click Create Exception from the quick actions menu. 

Note: The Create Exception option is available in the quick action menu only for resources with failed control evaluations (FAIL).

3. The Exception wizard is displayed. Provide the following details for the exception:

- Basic details such as a name for the exception, the reason for creating the exception, an explanation, and the start and end dates for the exception. Optionally, you could also provide information about the security policy and procedure for which the exception is being created.

- Scope Information: Decides the scope of the exception you are creating. By default, the Resource option is selected. You could expand the scope of the exception to all resources in a specific account.

Resource: Choose to create the exception at the resource level; the exception is applicable only to the selected resource.

Connector: Choose to create the exception for all resources in the account associated with the connector. By default, the connector associated with the resource is selected. You could click Add More Connectors to add multiple connectors for the exception.

- Select Controls: The control for which the evaluation failed is auto-populated. Click Add More Controls to include more controls of the same resource type. 

4. Review the information you provide for the exception and click Create Exception.

That’s it! The exception is created. The exceptions you create are listed in the Exceptions tab. Go to Policy > Exceptions to view the list of all exceptions.

Once the exception is in ACTIVE status, the resource result immediately changes from Fail to PassE (Pass with Exception).

Note: The exception created at the connector level is implemented on the resource evaluation result in the next connector run.

The Exception Details section in Evidence displays all the exception details. The exception details are updated only when the exception status changes or on every connector run. 

 

See Exception Status to know more about the various statuses for exceptions.

Want to know more?

Manage Exceptions