CloudGuard Dome9 Custom Rules - GSL Reference

CloudGuard Dome9 Compliance Engine

Compliance with industry standards (e.g., PCI DSS, HIPAA, SOC 2) and best practices is not only a requirement for companies in regulated industries but also a way to achieve and prove robust security to win customer trust.

CloudGuard Dome9 Compliance Engine brings one-click simplicity to the tracking, reporting and enforcement of compliance and security best practices in the public cloud. It delivers comprehensive compliance management in public cloud environments, allowing businesses to assess their compliance posture, identify risks and gaps, fix issues, enforce compliance requirements, and prove compliance in audits.

The Compliance Engine is designed for easy and speedy compliance, streamlining the compliance process with automated data aggregation and the ability to remediate changes from a single pane of glass.


The Compliance Engine provides:

  • End-to-end security and compliance management that allows you to see what needs to be fixed and fix it in place
  • Automated aggregation of data in real-time
  • Built-in test suites for checking compliance against standards such as PCI DSS as well as industry best practices (e.g., 500+ tests in the CloudGuard Dome9 Best Practices Suite)
  • Compliance tests that cover not only network security policies (e.g., “Every security group must be part of a VPC”), but also rules around users and roles (e.g., “Password policies must require at least one lowercase character”)
  • Printable assessment reports for proof of security posture across business units, VPCs and cloud accounts
  • Agentless, cloud-native architecture enabling coverage of built-in services and functions


Custom Rules

The CloudGuard Dome9 Compliance Engine is built on CloudGuard Dome9's cutting-edge rule engine.

The rule engine allows our customers to specify and enforce custom governance policies that are tailored to their business needs using the same framework.

With custom rules, administrators can customize CloudGuard Dome9's pre-created bundles or create new bundles of rules that reflect their organizational needs.

The rules are specified using a new, innovative policy language called the Governance Specification Language (GSL). Rules written in GSL can be easily read and understood by anyone.

For example, here are two rules written in GSL:

  • RDS should have isStorageEncrypted = true
    This rule checks that RDS storage should be encrypted.
  • Instance should not have inboundRules with [port = 22 and protocol in ('TCP','All') and scope.numberOfHosts() > 32]
    This rule checks that an instance with an open SSH port (22) should not be exposed to a wide network scope.
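
The following Python example, added here as an illustration and not CloudGuard Dome9's engine or code from the original page, mimics how the two rules above evaluate against constructed asset data. It assumes numberOfHosts() means the number of addresses in a rule's CIDR scope; the asset IDs and dictionary layout are made up.

```python
import ipaddress

# Constructed sample assets. The names isStorageEncrypted, inboundRules, port,
# protocol and scope come from the rules above; everything else is assumed.
RDS = [
    {"id": "db-a", "isStorageEncrypted": True},
    {"id": "db-b", "isStorageEncrypted": False},
]
INSTANCES = [
    {"id": "i-bastion", "inboundRules": [
        {"port": 22, "protocol": "TCP", "scope": "10.0.0.0/27"}]},  # 32 hosts
    {"id": "i-wide", "inboundRules": [
        {"port": 22, "protocol": "All", "scope": "10.0.0.0/26"}]},  # 64 hosts
    {"id": "i-open", "inboundRules": [
        {"port": 22, "protocol": "TCP", "scope": "0.0.0.0/0"}]},
    {"id": "i-web", "inboundRules": [
        {"port": 443, "protocol": "TCP", "scope": "0.0.0.0/0"}]},
    {"id": "i-udp", "inboundRules": [
        {"port": 22, "protocol": "UDP", "scope": "0.0.0.0/0"}]},
]


def number_of_hosts(scope):
    """Assumed meaning of numberOfHosts(): address count of the CIDR scope."""
    return ipaddress.ip_network(scope, strict=False).num_addresses


def rds_failures(dbs):
    """RDS should have isStorageEncrypted = true"""
    return [d["id"] for d in dbs if d.get("isStorageEncrypted") is not True]


def ssh_rule_matches(rule):
    """The bracketed filter: all three conditions must hold for one rule."""
    return (rule["port"] == 22
            and rule["protocol"] in ("TCP", "All")
            and number_of_hosts(rule["scope"]) > 32)


def instance_failures(instances):
    """Instance should not have inboundRules with [...]: fail on any match."""
    return [i["id"] for i in instances
            if any(ssh_rule_matches(r) for r in i.get("inboundRules", []))]


if __name__ == "__main__":
    print("RDS failing:", rds_failures(RDS))
    print("Instances failing:", instance_failures(INSTANCES))
```

Note the boundary: a /27 scope holds exactly 32 addresses and passes, while a /26 fails, because the rule uses a strict "> 32" comparison.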

The simplicity and expressive power of GSL also mean that there are no “lost in translation” errors, where business logic and governance are not accurately captured by the underlying policies. GSL speeds up policy creation and minimizes errors.


In multi-cloud environments, the CloudGuard Dome9 Compliance Engine with GSL can be used to specify custom rules for AWS and Azure environments in a single location using a common framework.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
