Skip to content

Configuration Reference

Cloud Security is configured entirely through three Hive types. Anything the console can configure, limacharlie hive set can configure — which makes tenant onboarding and fleet-wide policy a script, not a UI workflow (see Automation & IaC for recipes).

Hive Records Purpose
cloudsec_provider one per cloud / IdP connection what to collect and with which credential
cloudsec_policy many, discriminated by policy_type classification, coverage, scanning, emission, exclusions, suppression, compliance assignments
cloudsec_query one per saved query shared saved graph queries

Permissions

cloudsec_provider records are gated by the dedicated cloudsec_provider.get/set/del permissions; cloudsec_policy and cloudsec_query follow cloudsec.get/cloudsec.set.

cloudsec_provider

One record per provider connection. provider_type discriminates; each type reads its own scope fields.

Common fields:

Field Meaning
provider_type gcp | aws | azure | okta | 1password | google_workspace | cloudflare
credentials A hive://secret/<name> reference. The credential itself lives in the secret hive — it is not stored inline.
internal_domains Your own email domains (bare domains, no @) beyond the discoverable primary — identities outside this set are classified external.
sync_now Opaque nonce; change its value to trigger an on-demand sweep.
refresh Periodic re-enumeration cadence as a duration string (e.g. "6h"); empty uses the service default.
feed_subscription Optional fully-qualified Pub/Sub subscription carrying a cloud change feed, for event-driven freshness between full sweeps.

Per-provider scope fields:

provider_type Fields
gcp gcp_scope: projects/{id}, folders/{id}, or organizations/{id} (optional gcp_project)
aws aws_role_arn (the read-only role to assume), aws_external_id, optional aws_regions, optional aws_member_role_name — the role name assumed in each member account of an AWS Organization (defaults to the name in aws_role_arn, the common StackSet pattern)
azure azure_tenant_id, azure_client_id, azure_subscription_id (service-principal auth)
okta okta_org_url — the org base URL; the credential is an SSWS API token or an API Services app (client credentials)
google_workspace workspace_customer_idmy_customer or an explicit customer id; the credential is a service-account key with domain-wide delegation plus the admin subject to impersonate
1password onepassword_scim_url — the SCIM bridge URL; the credential is the SCIM bearer token
cloudflare cloudflare_account_id — the 32-hex account id

Use limacharlie cloudsec provider test to preflight a record before saving it — see Getting Started.

cloudsec_policy

Each record declares exactly one policy_type and fills the matching sub-object.

classification — crown jewels

Declares which resources are sensitive (nothing is sensitive by default). Rules match resources by account/name/label/tag and assign classes:

{
  "policy_type": "classification",
  "classification": {
    "data_stores": [
      {"name_contains": ["customer", "pii"], "classes": ["pii"]}
    ],
    "compute": [
      {"label": {"tier": "crown-jewel"}, "classes": ["critical-infra"]}
    ],
    "auto_classify": true
  }
}

auto_classify: true opts into content-based detection of sensitive data (sampled during agentless scanning); the explicit policy always remains authoritative.

Rule matchers (shared by every policy type that scopes over resources): account_contains, account_glob, name_contains, name_glob, label (key→value), label_key_present, tag.

coverage — workload coverage expectations

Declares which cloud workloads are expected to run a LimaCharlie sensor, with required and exempt resource-rule lists — the "EDR on production VMs" expectation, evaluated over the cloud inventory.

Distinct from the CAASM expected-coverage policy

limacharlie cloudsec caasm policy set manages a separate policy with a different shape ({expect: [{label, capability, kinds}]}) evaluated over the merged third-party asset inventory ("seen by the IdP, no EDR") — see CAASM. The two are not synced: this hive record drives cloud-workload coverage findings; the CAASM policy drives coverage_gap findings over third-party assets.

scanning — agentless content scanning

Names the YARA rules to run against snapshot-scanned workloads and the classification each match assigns, plus an optional resource scope:

{
  "policy_type": "scanning",
  "scanning": {
    "rules": [{"yara_rule": "hive://yara/crypto-miners", "classification": "malware"}],
    "scope": [{"account_glob": ["proj-prod-*"]}]
  }
}

emission — the event feed

Controls which Cloud Security events reach the organization's event stream:

Field Meaning
resource_events cloud_resource.* inventory change events
finding_events cloud_finding.* lifecycle events
ops_events operational events (sweep start/complete, errors)
severity_floor drop finding events below this severity
suppress_first_sync don't flood the stream with the initial enumeration

exclusions — the escape hatch

Excludes matching resources from collection, scanning, or emission (three independent rule lists; rules add services and resource_types matchers on top of the shared resource matchers). Use it for the million-object bucket that should not be enumerated, or the noisy account that should not emit events. Removal takes effect on the next sweep.

suppression — finding disposition policy

Auto-dispositions matching findings — see Automation & IaC for semantics and a worked example. Match fields: finding_class, rule, account, urn_prefix, max_severity; effect: kind (accepted/false_positive/mitigated), reason, ttl_days.

compliance — scoped assignments

A named framework assignment over a scoped subset of the estate — see Compliance. Fields: framework_id (required, lowercase slug), description, scope (v1 supports the account/name matchers only).

cloudsec_query

A saved graph query, shared org-wide:

{
  "version": 1,
  "name": "Exposed VMs reaching sensitive data",
  "description": "Weekly review lens",
  "query": {"text": "..."},
  "project": "rows",
  "tags": ["weekly"]
}

query takes one of named (a query-pack reference), text, or ast (the raw DSL). Optional ui hints (view, columns) shape how the console renders results. schedule and detection blocks are accepted so IaC written today survives the scheduled-query phase, but are not yet active.