Overview
Policies are the rules that qrie uses to evaluate your AWS resources for security and compliance issues.
Each policy:
- Evaluates specific resource types (S3 buckets, IAM users, EC2 instances, etc.)
- Checks for security misconfigurations or compliance violations
- Creates findings when issues are detected
- Provides remediation guidance
Launching Policies
Activate policies to start monitoring your resources
Important
Policy launch is an expensive operation. Do not randomly enable/disable policies. Launch them once and adjust scope/severity as needed.
Steps to launch a policy:
1. Navigate to the Management page: go to Management to see all available policies.
2. Browse by category: policies are organized by service (IAM, S3, EC2) and compliance framework (CIS, HIPAA, etc.).
3. Click "Launch" on the desired policy: review the policy description and default settings.
4. Configure scope: choose which accounts, tags, or OUs to monitor (default: all accounts).
5. Customize (optional): adjust severity (0-100) or customize remediation steps.
6. Confirm launch: the policy is activated and a bootstrap scan is triggered automatically.
Automatic Bootstrap Scan
When you launch a policy, qrie automatically triggers a bootstrap scan that evaluates all resources in scope. This creates your initial findings baseline. Duration: 2-10 minutes depending on resource count.
Understanding Scope Configuration
Control which resources are evaluated by a policy
Scope Options:
Include Accounts
List of AWS account IDs to monitor (default: all)
Exclude Accounts
List of AWS account IDs to skip
Include Tags
Only evaluate resources with these tags (e.g., Environment=Production)
Exclude Tags
Skip resources with these tags (e.g., SkipCompliance=true)
Include OU Paths
Monitor accounts in specific AWS Organizations OUs
Exclude OU Paths
Skip accounts in specific OUs
Tip: Start Broad, Refine Later
It's better to launch policies with broad scope (all accounts) and then narrow down using exclusions, rather than trying to get the scope perfect on first launch.
Understanding Finding Lifecycle
How findings are created, resolved, and cleaned up
Finding States:
ACTIVE
Resource is non-compliant and has an open finding
RESOLVED
Resource was remediated, deleted, or policy was deleted. Finding marked for cleanup with 90-day retention.
What happens in different scenarios:
| Scenario | Behavior | Rationale |
|---|---|---|
| Resource remediated | RESOLVED + 90-day TTL | Keep for audit trail |
| Resource deleted | RESOLVED + 90-day TTL | Audit trail shows finding existed |
| Policy deleted | Hard DELETE | Clean break, policy no longer exists |
| Account removed | Hard DELETE | Clean break, no audit needed |
| Resource out of scope | RESOLVED + 90-day TTL | Audit trail, can be re-scoped |
Automatic Cleanup
DynamoDB automatically deletes RESOLVED findings after their TTL expires (90 days). You don't need to manually clean up old findings.
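As an added illustration of the scope options above and of the "Resource out of scope" row in the lifecycle table (example code written for this page, not qrie's own implementation): a small evaluator that applies the include/exclude account, tag and OU-path options, then moves a finding whose resource dropped out of scope to RESOLVED with a 90-day TTL. The Scope class, in_scope, reconcile_finding, the exclusion-wins precedence, the OU prefix matching and the sample data are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # RESOLVED findings keep a 90-day TTL before DynamoDB removes them

@dataclass
class Scope:
    """Hypothetical model of the six scope options; empty include lists mean 'all'."""
    include_accounts: set = field(default_factory=set)
    exclude_accounts: set = field(default_factory=set)
    include_tags: dict = field(default_factory=dict)      # every pair must match
    exclude_tags: dict = field(default_factory=dict)      # any matching pair skips
    include_ou_paths: list = field(default_factory=list)  # prefix match on OU path
    exclude_ou_paths: list = field(default_factory=list)

def _under_ou(path, prefixes):
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)

def in_scope(scope, account_id, ou_path, tags):
    # Assumption: exclusions always win over inclusions, so they are checked first.
    if account_id in scope.exclude_accounts or _under_ou(ou_path, scope.exclude_ou_paths):
        return False
    if any(tags.get(k) == v for k, v in scope.exclude_tags.items()):
        return False
    if scope.include_accounts and account_id not in scope.include_accounts:
        return False
    if scope.include_ou_paths and not _under_ou(ou_path, scope.include_ou_paths):
        return False
    return all(tags.get(k) == v for k, v in scope.include_tags.items())

def reconcile_finding(finding, scope, resource, now):
    """Lifecycle rule 'Resource out of scope': mark RESOLVED and set a 90-day TTL (epoch seconds)."""
    if in_scope(scope, resource["account_id"], resource["ou_path"], resource["tags"]):
        return finding
    expires = now + timedelta(days=RETENTION_DAYS)
    return dict(finding, state="RESOLVED", ttl=int(expires.timestamp()))

# Constructed sample data: a production bucket that an operator later tagged SkipCompliance=true.
SAMPLE_SCOPE = Scope(include_tags={"Environment": "Production"},
                     exclude_tags={"SkipCompliance": "true"},
                     exclude_ou_paths=["/Root/Sandbox"])
SAMPLE_RESOURCE = {"account_id": "111111111111", "ou_path": "/Root/Prod",
                   "tags": {"Environment": "Production", "SkipCompliance": "true"}}
SAMPLE_FINDING = {"policy": "s3-public-access", "resource": "example-bucket", "state": "ACTIVE"}
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(reconcile_finding(SAMPLE_FINDING, SAMPLE_SCOPE, SAMPLE_RESOURCE, SAMPLE_NOW))
```

Because the original finding dict is copied rather than mutated, the ACTIVE record stays intact if the resource is re-scoped before the TTL expires.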
Deleting Policies
Permanently remove policies and their findings
Warning: Findings Are Permanently Deleted
When you delete a policy, all findings for that policy are immediately and permanently deleted (hard delete). This is a clean break with no audit trail. Consider adjusting scope instead if you want to keep monitoring some resources.
To delete a policy:
1. Go to the Management page.
2. Find the active policy you want to delete.
3. Click the "Delete" button.
4. Confirm the action (you'll see how many findings will be purged).
What happens when you delete:
- Policy is removed from the system
- All findings (ACTIVE and RESOLVED) are permanently deleted
- Policy stops evaluating resources immediately
- No new findings will be created for this policy
- No audit trail remains (clean break)
Alternative: Adjust scope instead
If you want to stop monitoring certain resources but keep the policy active for others, use the "Edit" button to adjust the policy scope with exclusions rather than deleting the entire policy.
Best Practices
Launch Once
Policy launch scans all resources (expensive). Launch policies once and adjust scope/severity as needed rather than repeatedly enabling/disabling.
Start Simple
Begin with high-severity policies (IAM, encryption, public access) before adding lower-priority checks.
Use Exclusions
Use scope exclusions for dev/test accounts or resources with legitimate exceptions rather than deleting entire policies.
Monitor Drift
Check the dashboard's "Last Policy Scan" metric. If drift is detected (scan older than 26 hours), investigate scheduled scan failures.
Future Features
Coming soon to qrie:
- Findings Export: Export findings to S3 before policy deletion for compliance audit trails
- Bulk Policy Operations: Launch/delete multiple policies at once in a single action
- Custom Policies: Define your own policies using Python evaluation modules
- Framework Bundles: Launch all policies for a compliance framework (HIPAA, PCI-DSS, SOC 2) in one click; compliance views already exist, one-click launch bundles are coming