Cisco Panoptica API Policies specify a set of attributes for API destinations. Attributes include the risk associated with the destination, the location, and more.
You can use API Policies in Panoptica in the following ways:
- as a filter, to select workloads in Panoptica Deployment and Connection Policy rules. When you include an API Policy in these rules, the rule will apply if the API requests for the workload are to destinations that comply with the policy. In this way, you can prevent workloads that are non-compliant from running in your environments, or connecting to with these locations.
- as a test to evaluate the API sites that your workloads are accessing. Panoptica evaluates all API sites accessed by workloads in your Panoptica environment, and shows results in the API Catalog view. Among the details, it shows whether the site is compliant with your API policies
Create an API Policy
- Navigate to the Policies page, and select API Policies.
- Click New API Security Policy.
- In the General Details section, enter a name and description for the policy, and then click Next.
- In the Policy Configuration section, select attributes and values for the policy. Select attributes from the list (for example, risk). Then, select a value and a relationship, for example Risk > Medium.
- Click + to add more attributes, or - to remove attributes. When used in a Runtime Policy rule, the workload is selected if the API sites it accesses match all attributes in the API Policy. Similarly, when used to evaluate API sites, they must match all attributes in a policy for the site to be compliant.
- Click FINISH to save the policy. Once defined, the policy will be applied to all APIs listed in the API Catalog. You can also use the policy in Runtime Policy rules.
Use API Policies in a Runtime Policy rule
You use API Policies in Runtime Deployment or Connection rules by selecting them as part of the Source and/or Destination options.
- In the New Rule dialog (for Deployment or Connection Policies), in the Workload section, select an API Policy. This will select only workloads that comply with the policy.
- Optionally, select a violation action. This is the Rule action to be taken if the workload does not comply with the policy (either Detect or Block).
- Complete the definition of the rule, as described here
Use API Policies in the API Catalog
The API Catalog is updated automatically when you add or modify an API Policy. All APIs are evaluated for compliance to the policy.
Open a specific API to see details, including the API policies with which the API is not-compliant.
The API Policies tab in the Policies page shows all your API Policies.
Updated 9 months ago