
cloud_security_custom_rule

~> Deprecated This resource is deprecated and will be removed in a future version. Use crowdstrike_cloud_security_iom_custom_rule instead.

This resource manages custom cloud security rules. A rule can be created either by inheriting properties from a parent rule with minimal customization, or by fully specifying every attribute for maximum flexibility. To create a rule based on a parent rule, use the crowdstrike_cloud_security_rules data source to look up the parent rule's information for the new custom rule. The crowdstrike_cloud_compliance_framework_controls data source can be used to query Falcon for compliance benchmark controls to associate with custom rules created by this resource.

The following API scopes are required:

  • Cloud Security Policies: READ
  • Cloud Security Policies: WRITE

Example usage:

    terraform {
      required_providers {
        crowdstrike = {
          source = "registry.terraform.io/crowdstrike/crowdstrike"
        }
      }
    }

    provider "crowdstrike" {
      cloud = "us-2"
    }

    # Custom rule derived from a parent rule with specific modifications
    resource "crowdstrike_cloud_security_custom_rule" "copy_rule" {
      resource_type  = "AWS::EC2::Instance"
      name           = "copy_rule"
      description    = "Test Terraform Frank"
      cloud_provider = "AWS"
      severity       = "informational"
      remediation_info = [
        "Remediation step 1",
        "Remediation step 2",
        "Remediation step 3",
      ]
      alert_info = [
        "First item in alert info",
        "Second item in alert info"
      ]
      controls = [
        {
          authority = "CIS",
          code      = "89"
        },
        {
          authority = "CIS",
          code      = "791"
        }
      ]
      parent_rule_id = "190c2d3d-8b0e-4838-bf11-4c6e044b9cb1"
    }

    # Minimal copy: everything not set here is inherited from the parent rule
    resource "crowdstrike_cloud_security_custom_rule" "minimal_copy_rule" {
      resource_type  = "AWS::EC2::Instance"
      name           = "minimal_copy_rule"
      description    = "Test Terraform Frank"
      cloud_provider = "AWS"
      severity       = "informational"
      parent_rule_id = "190c2d3d-8b0e-4838-bf11-4c6e044b9cb1"
    }

    # Fully customized rule with its own Rego logic instead of a parent rule
    resource "crowdstrike_cloud_security_custom_rule" "custom_rule" {
      resource_type  = "AWS::EC2::Instance"
      name           = "custom_rule"
      description    = "Test Terraform Frank"
      cloud_provider = "AWS"
      attack_types = [
        "Attack Type 1",
        "Attack Type 2"
      ]
      remediation_info = [
        "Remediation step 1",
        "Remediation step 2",
        "Remediation step 3",
      ]
      severity = "medium"
      logic    = <<EOF
    package crowdstrike

    default result = "pass"

    result = "fail" if {
      input.tags[_] == "catch-me"
    }
    EOF
      alert_info = [
        "First item in alert info",
        "Second item in alert info"
      ]
      controls = [
        {
          authority = "CIS",
          code      = "89"
        },
        {
          authority = "CIS",
          code      = "791"
        },
      ]
    }

Required:

  • cloud_provider (String) Cloud provider for the policy rule.
  • description (String) Description of the policy rule.
  • name (String) Name of the policy rule.
  • resource_type (String) The full resource type. Examples: AWS::IAM::CredentialReport, Microsoft.Compute/virtualMachines, container.googleapis.com/Cluster

Optional:

  • alert_info (List of String) A list of the alert logic and detection criteria for rule violations. Do not include numbering within this list; the Falcon console adds numbering automatically. When alert_info is not defined and parent_rule_id is defined, this field inherits the parent rule's alert_info.
  • attack_types (Set of String) Specific attack types associated with the rule. If parent_rule_id is defined, attack_types is inherited from the parent rule and cannot be specified using this field.
  • controls (Attributes Set) Security framework and compliance rule information. Use the crowdstrike_cloud_compliance_framework_controls data source to obtain this information. When controls is not defined and parent_rule_id is defined, this field inherits the parent rule's controls. (see below for nested schema)
  • logic (String) Rego logic for the rule. Either logic or parent_rule_id must be defined. When parent_rule_id is set, the rule inherits the Rego logic from the parent rule. Note: the API does not return Rego logic for rules created from a parent rule, so this field will not appear in state when using parent_rule_id.
  • parent_rule_id (String) Id of the parent rule to inherit properties from. The crowdstrike_cloud_security_rules data source can be used to query Falcon for parent rule information to use in this field. Required if logic is not specified.
  • remediation_info (List of String) Information about how to remediate issues detected by this rule. Do not include numbering within this list; the Falcon console adds numbering automatically. When remediation_info is not defined and parent_rule_id is defined, this field inherits the parent rule's remediation_info.
  • severity (String) Severity of the rule. Valid values are critical, high, medium, informational.

Read-Only:

  • cloud_platform (String) Cloud platform for the policy rule.
  • domain (String) CrowdStrike domain for the custom rule. Default is CSPM.
  • id (String) Unique identifier of the policy rule.
  • subdomain (String) Subdomain for the policy rule.

Nested schema for controls

Optional:

  • authority (String) The compliance framework
  • code (String) The compliance framework rule code
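The schema above states several constraints that Terraform only discovers at apply time against the Falcon API (logic or parent_rule_id must be set, attack_types cannot be combined with parent_rule_id, severity must be one of four values, alert_info and remediation_info must not carry their own numbering). The following added pre-apply check, which is not part of the provider or its documentation, walks a `terraform show -json` plan and reports violations per resource; the plan fragment is constructed here and the parent rule id is a placeholder.

```python
import re

# Constraints taken from the schema text of crowdstrike_cloud_security_custom_rule.
VALID_SEVERITIES = {"critical", "high", "medium", "informational"}
REQUIRED = ("cloud_provider", "description", "name", "resource_type")
NUMBERED = re.compile(r"^\s*(\d+[.)]|[-*])\s")  # "1. step", "2) step", "- step"


def check_custom_rule(values):
    """Return the list of schema violations for one resource's planned values."""
    problems = [f"required attribute {f} is missing" for f in REQUIRED if not values.get(f)]
    parent = values.get("parent_rule_id")
    if not values.get("logic") and not parent:
        problems.append("either logic or parent_rule_id must be set")
    if parent and values.get("attack_types"):
        problems.append("attack_types cannot be set when parent_rule_id is set")
    sev = values.get("severity")
    if sev is not None and sev not in VALID_SEVERITIES:
        problems.append(f"invalid severity {sev!r}")
    for field in ("alert_info", "remediation_info"):
        for item in values.get(field) or []:
            if NUMBERED.match(item):  # the Falcon console adds numbering itself
                problems.append(f"{field} item is pre-numbered: {item!r}")
    return problems


def check_plan(plan):
    """Walk a `terraform show -json` plan and map resource address -> violations."""
    findings = {}
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res["type"] == "crowdstrike_cloud_security_custom_rule":
            found = check_custom_rule(res["values"])
            if found:
                findings[res["address"]] = found
    return findings


# Constructed sample plan fragment (not real terraform output), echoing the page's examples.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "crowdstrike_cloud_security_custom_rule.minimal_copy_rule",
     "type": "crowdstrike_cloud_security_custom_rule",
     "values": {"name": "minimal_copy_rule", "cloud_provider": "AWS", "description": "ok",
                "resource_type": "AWS::EC2::Instance", "severity": "informational",
                "parent_rule_id": "PARENT-RULE-ID-PLACEHOLDER"}},
    {"address": "crowdstrike_cloud_security_custom_rule.bad_rule",
     "type": "crowdstrike_cloud_security_custom_rule",
     "values": {"name": "bad_rule", "cloud_provider": "AWS", "description": "ok",
                "resource_type": "AWS::EC2::Instance", "severity": "low",
                "attack_types": ["Attack Type 1"], "parent_rule_id": "PARENT-RULE-ID-PLACEHOLDER",
                "remediation_info": ["1. Remove the tag", "Rotate credentials"]}},
]}}}
```

Run it against `terraform plan -out=tfplan && terraform show -json tfplan` in CI to reject a configuration before it reaches the API.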

Import is supported using the following syntax:

# Cloud Security Custom Rule resources can be imported using their UUID, e.g.
terraform import crowdstrike_cloud_security_custom_rule.example 123e4567-e89b-12d3-a456-426614174000