
cloud_security_suppression_rule

A suppression rule defines criteria for automatically suppressing findings, such as IOMs, across your environment. When a finding matches a suppression rule’s conditions, such as specific rule types, asset tags, or cloud accounts, the finding will be suppressed.

The following API scopes are required:

  • Cloud Security Policies: READ
  • Cloud Security Policies: WRITE
```terraform
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-2"
}

# Example 1: Simple suppression rule with rule name filter
resource "crowdstrike_cloud_security_suppression_rule" "example" {
  name        = "Suppression Rule"
  type        = "IOM"
  reason      = "false-positive"
  description = "Suppress findings for IAM root user access key rule"
  comment     = "This is a known false positive in our development environment"

  rule_selection_filter = {
    names = ["IAM root user has an active access key"]
  }

  asset_filter = {
    regions = ["us-east-2"]
  }
}

# Example 2: More complex suppression rule with multiple filters
# Demonstrates AND logic between attributes and OR logic within each attribute
resource "crowdstrike_cloud_security_suppression_rule" "multi_filter" {
  name        = "Multi-filter Suppression Rule"
  type        = "IOM"
  reason      = "accept-risk"
  description = "Suppress high and critical findings for specific cloud providers and regions"

  # Rules match if they are (critical OR high) AND (AWS OR Azure provider)
  rule_selection_filter = {
    severities = ["critical", "high"]
    providers  = ["AWS", "Azure"]
  }

  # Assets match if they are (aws OR azure) AND (us-west-1 OR eastus) AND (environment=dev OR team=security tags)
  asset_filter = {
    cloud_providers = ["aws", "azure"]
    regions         = ["us-west-1", "eastus"]
    tags = {
      environment = "dev"
      team        = "security"
    }
  }
}

# Example 3: Temporary suppression with expiration
# Shows single-attribute filters and expiration date usage
resource "crowdstrike_cloud_security_suppression_rule" "temporary" {
  name            = "Temporary Suppression"
  type            = "IOM"
  reason          = "compensating-control"
  expiration_date = "2025-12-31T23:59:59Z"

  rule_selection_filter = {
    origins = ["Default"]
  }

  asset_filter = {
    account_ids = ["123456789012"]
  }
}

output "suppression_rule" {
  value = crowdstrike_cloud_security_suppression_rule.example
}
```
Schema

Required:

  • name (String) Name of the suppression rule.
  • reason (String) Reason for suppression. One of: accept-risk, compensating-control, false-positive.
  • type (String) Type of suppression rule. One of: IOM.

Optional:

  • asset_filter (Attributes) Filter criteria for scope assets. At least one of rule_selection_filter or asset_filter must be specified. If not assigned, defaults to all assets. Within each attribute, assets match if they contain ANY of the specified values (OR logic). Between different attributes, assets must match ALL specified attributes (AND logic). For example: account_ids = ["acc1", "acc2"] AND regions = ["us-east-1", "us-west-2"] will select assets that are in (acc1 OR acc2) AND (us-east-1 OR us-west-2). (see below for nested schema)
  • comment (String) Comment for suppression. This will be attached to the findings suppressed by this rule.
  • description (String) Description of the suppression rule.
  • expiration_date (String) Expiration date for suppression. If defined, must be in RFC3339 format (e.g., 2025-08-11T10:00:00Z). Once set, clearing this field requires resource replacement. The suppression rule will still exist after expiration and can be reset by updating the expiration date.
  • rule_selection_filter (Attributes) Filter criteria for rule selection. At least one of rule_selection_filter or asset_filter must be specified. If not assigned, defaults to all rules. Within each attribute, rules match if they contain ANY of the specified values (OR logic). Between different attributes, rules must match ALL specified attributes (AND logic). For example: ids = ["rule1", "rule2"] AND severities = ["high", "critical"] will select rules that are (rule1 OR rule2) AND (high OR critical severity). (see below for nested schema)

Read-Only:

  • id (String) Unique identifier of the suppression rule.

Nested Schema for asset_filter

Optional:

  • account_ids (Set of String) Set of cloud account IDs. An Asset will match if it belongs to an account included in this set.
  • cloud_group_ids (Set of String) Set of cloud group IDs. An Asset will match if it belongs to a Cloud Group whose ID is included in this set.
  • cloud_providers (Set of String) Set of cloud providers. Examples: aws, azure, gcp. An Asset will match if it belongs to a cloud provider included in this set.
  • regions (Set of String) Set of regions. Examples: eu-central-1, eastus, us-west-1. An Asset will match if it is located in a region included in this set.
  • resource_ids (Set of String) Set of resource IDs. An Asset will match if its resource ID is included in this set.
  • resource_names (Set of String) Set of resource names. An Asset will match if its resource name is included in this set.
  • resource_types (Set of String) Set of resource types. Examples: AWS::S3::Bucket, compute.googleapis.com/Instance, Microsoft.ContainerService/managedClusters. An Asset will match if its resource type is included in this set.
  • service_categories (Set of String) Set of service categories. Examples: Compute, Identity, Networking. An Asset will match if its cloud service category is included in this set.
  • tags (Map of String) Map of tags. These must match the k=v format. An Asset will match if any of its tag key-value pairs match those specified in this map.

Nested Schema for rule_selection_filter

Optional:

  • ids (Set of String) Set of rule IDs. A rule will match if its ID is included in this set.
  • names (Set of String) Set of rule names. A rule will match if its name is included in this set.
  • origins (Set of String) Set of rule origins. One of: Custom, Default. A rule will match if its origin is included in this set.
  • providers (Set of String) Set of rule cloud providers. Examples: AWS, Azure, GCP, OCI. A rule will match if its cloud provider is included in this set.
  • services (Set of String) Set of cloud services. Examples: Azure Cosmos DB, CloudFront, Compute Engine, EC2, Elasticache, Virtual Network. A rule will match if its cloud service is included in this set.
  • severities (Set of String) Set of rule severities. One of: critical, high, medium, informational. A rule will match if its severity is included in this set.
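Because a suppression rule silences findings, it is worth checking how the OR-within-attribute / AND-across-attribute semantics described for asset_filter and rule_selection_filter combine before applying a rule. The following dry-run evaluator is an added example written for this page, not the provider's or CrowdStrike's code; the rule, finding and asset dictionaries are constructed samples modelled on Example 2, with the expiration_date from Example 3 added to show that an expired rule stops matching even though the resource still exists.

```python
from datetime import datetime

# Constructed rule mirroring the page's "multi_filter" example, plus an expiry.
MULTI_FILTER_RULE = {
    "rule_selection_filter": {"severities": {"critical", "high"},
                              "providers": {"AWS", "Azure"}},
    "asset_filter": {"cloud_providers": {"aws", "azure"},
                     "regions": {"us-west-1", "eastus"},
                     "tags": {"environment": "dev", "team": "security"}},
    "expiration_date": "2025-12-31T23:59:59Z",
}

def field_of(attr):
    """Map a plural filter attribute (regions, severities, account_ids)
    to the singular field name used on the finding or asset."""
    return attr[:-3] + "y" if attr.endswith("ies") else attr[:-1]

def matches(filter_, subject):
    """AND across attributes, OR within each attribute's value set.
    An empty filter matches everything (the documented 'defaults to all')."""
    for attr, wanted in filter_.items():
        if attr == "tags":
            # An asset matches if ANY of its k=v pairs appears in the tag map.
            if not any(subject.get("tags", {}).get(k) == v for k, v in wanted.items()):
                return False
        elif subject.get(field_of(attr)) not in wanted:
            return False
    return True

def parse_rfc3339(ts):
    """Parse the RFC3339 form the page uses, e.g. 2025-08-11T10:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def is_active(rule, now):
    """The rule object persists after expiry; it just stops suppressing."""
    exp = rule.get("expiration_date")
    return exp is None or parse_rfc3339(exp) > parse_rfc3339(now)

def would_suppress(rule, finding_rule, asset, now):
    """True if a finding (its policy rule plus the affected asset) would be
    suppressed by `rule` at RFC3339 time `now`."""
    return (is_active(rule, now)
            and matches(rule.get("rule_selection_filter", {}), finding_rule)
            and matches(rule.get("asset_filter", {}), asset))

if __name__ == "__main__":
    print(would_suppress(MULTI_FILTER_RULE,
                         {"severity": "high", "provider": "AWS"},
                         {"cloud_provider": "aws", "region": "us-west-1",
                          "tags": {"environment": "prod", "team": "security"}},
                         "2025-06-01T00:00:00Z"))  # True: team tag alone satisfies the map
```

Running candidate findings through this before `terraform apply` makes it visible when a broad filter (for example an empty rule_selection_filter, which matches all rules) would suppress more than intended.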

Import is supported using the following syntax:

```shell
# Suppression Rule can be imported by specifying the id.
terraform import crowdstrike_cloud_security_suppression_rule.example 7fb858a949034a0cbca175f660f1e769
```