
cloud_security_kac_custom_rule

This resource manages custom cloud security KAC rules.

The following API scopes are required:

  • Cloud Security Policies: READ
  • Cloud Security Policies: WRITE
# Provider requirement: the CrowdStrike provider is pulled from the public registry.
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
      # NOTE(review): no version constraint is declared, so `terraform init`
      # picks the newest available release. Pin one (version = "~> <MAJOR>.<MINOR>")
      # so provider upgrades happen deliberately rather than on the next init.
    }
  }
}
# Provider configuration: only the target cloud is set here.
provider "crowdstrike" {
  cloud = "us-2"
  # NOTE(review): no credential attributes appear in this block; they are
  # presumably supplied outside the configuration (environment or variables).
  # Confirm against the provider documentation before relying on this example.
}
# Inline variant: the Rego admission policy is embedded in the resource body.
resource "crowdstrike_cloud_security_kac_custom_rule" "privileged_container_detection" {
  name        = "detect-privileged-containers"
  description = "Detects containers configured to run in privileged mode"
  severity    = "critical"

  # Every container in the admitted object whose securityContext.privileged is
  # truthy yields one entry in `violations`; `result` is only defined when that
  # set is non-empty. A container with privileged=false or no securityContext
  # produces no violation.
  logic = <<EOF
package crowdstrike

import rego.v1

result := message if {
  count(violations) > 0
  message := sprintf("container(s) running as privileged: %v", [violations])
}

# --- Pod: regular, init and ephemeral containers -------------------------------
violations contains message if {
  some cntr in input.request.object.spec.containers
  cntr.securityContext.privileged
  message := sprintf("container: %v", [cntr.name])
}

violations contains message if {
  some cntr in input.request.object.spec.initContainers
  cntr.securityContext.privileged
  message := sprintf("initContainer: %v", [cntr.name])
}

violations contains message if {
  some cntr in input.request.object.spec.ephemeralContainers
  cntr.securityContext.privileged
  message := sprintf("ephemeralContainer: %v", [cntr.name])
}

# --- Pod-template workloads: DaemonSet, Deployment, Job, ReplicaSet, -----------
# --- ReplicationController, StatefulSet -----------------------------------------
violations contains message if {
  some cntr in input.request.object.spec.template.spec.containers
  cntr.securityContext.privileged
  message := sprintf("container: %v", [cntr.name])
}

violations contains message if {
  some cntr in input.request.object.spec.template.spec.initContainers
  cntr.securityContext.privileged
  message := sprintf("initContainer: %v", [cntr.name])
}

# --- CronJob: containers live one level deeper, under jobTemplate --------------
violations contains message if {
  some cntr in input.request.object.spec.jobTemplate.spec.template.spec.containers
  cntr.securityContext.privileged
  message := sprintf("container: %v", [cntr.name])
}

violations contains message if {
  some cntr in input.request.object.spec.jobTemplate.spec.template.spec.initContainers
  cntr.securityContext.privileged
  message := sprintf("initContainer: %v", [cntr.name])
}
EOF

  # Operator guidance shown alongside a detection.
  remediation_info = [
    "Review the pod specification",
    "Remove or set securityContext.privileged to false",
    "Run containers with minimum required privileges",
  ]

  # Explanation of what fired and why it matters.
  alert_info = [
    "Container is configured to run in privileged mode",
    "This grants the container unrestricted access to host resources",
  ]

  attack_types = [
    "Privilege Escalation",
    "Container Escape",
  ]
}
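# File-based variant: the same rule, with the Rego policy loaded from disk.
resource "crowdstrike_cloud_security_kac_custom_rule" "privileged_container_detection_by_file" {
  # NOTE(review): this example reuses the `name` of the inline example; if rule
  # names must be unique in the API, applying both in one configuration will
  # fail — confirm before combining them.
  name        = "detect-privileged-containers"
  description = "Detects containers configured to run in privileged mode"
  severity    = "critical"

  # Anchor the path to the module directory. A bare relative path in file() is
  # resolved against the current working directory, so the original form only
  # worked when Terraform was run from the module's own directory.
  logic = file("${path.module}/../rego/detect-privileged-container.rego")

  # Operator guidance shown alongside a detection.
  remediation_info = [
    "Review the pod specification",
    "Remove or set securityContext.privileged to false",
    "Run containers with minimum required privileges",
  ]

  # Explanation of what fired and why it matters.
  alert_info = [
    "Container is configured to run in privileged mode",
    "This grants the container unrestricted access to host resources",
  ]

  attack_types = [
    "Privilege Escalation",
    "Container Escape",
  ]
}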
  • description (String) Description of the policy rule.
  • logic (String) Rego logic for the rule.
  • name (String) Name of the policy rule.
  • alert_info (List of String) A list of the alert logic and detection criteria for rule violations.
  • attack_types (Set of String) Specific attack types associated with the rule.
  • remediation_info (List of String) Information about how to remediate issues detected by this rule.
  • severity (String) Severity of the rule. Valid values are critical, high, medium, informational.
  • id (String) Unique identifier of the policy rule.

Import is supported using the following syntax:

# Cloud Security KAC Custom Rule resources can be imported using their UUID
# (the value exposed as the resource's `id` attribute); the UUID below is an
# example placeholder, e.g.
terraform import crowdstrike_cloud_security_kac_custom_rule.example 123e4567-e89b-12d3-a456-426614174000