Overview
Policies are the rules that qrie uses to evaluate your AWS resources for security and compliance issues.
Each policy:
- Evaluates specific resource types (S3 buckets, IAM users, EC2 instances, etc.)
- Checks for security misconfigurations or compliance violations
- Creates findings when issues are detected
- Provides remediation guidance
Launching Policies
Activate policies to start monitoring your resources
Important
Policy launch is an expensive operation. Avoid repeatedly enabling and disabling policies. Launch them once and adjust scope/severity as needed.
Steps to launch a policy:
1. Navigate to the Management page: go to Management to see all available policies
2. Browse by category: policies are organized by service (IAM, S3, EC2) and compliance framework (CIS, HIPAA, etc.)
3. Click "Launch" on the desired policy: review the policy description and default settings
4. Configure scope: choose which accounts, tags, or OUs to monitor (default: all accounts)
5. Customize (optional): adjust severity (0-100) or customize remediation steps
6. Confirm launch: the policy is activated and a bootstrap scan is triggered automatically
Automatic Bootstrap Scan
When you launch a policy, qrie automatically triggers a bootstrap scan that evaluates all resources in scope. This creates your initial findings baseline. Duration: 2-10 minutes depending on resource count.
Understanding Scope Configuration
Control which resources are evaluated by a policy
Scope Options:
Include Accounts
List of AWS account IDs to monitor (default: all)
Exclude Accounts
List of AWS account IDs to skip
Include Tags
Only evaluate resources with these tags (e.g., Environment=Production)
Exclude Tags
Skip resources with these tags (e.g., SkipCompliance=true)
Include OU Paths
Monitor accounts in specific AWS Organizations OUs
Exclude OU Paths
Skip accounts in specific OUs
Tip: Start Broad, Refine Later
It's better to launch policies with broad scope (all accounts) and then narrow down using exclusions, rather than trying to get the scope perfect on first launch.
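The following is an added example, not qrie's own code, showing how the scope options above combine when a policy decides whether to evaluate a resource. The page does not state the precedence rules, so these are assumptions, flagged in the comments: exclusions win over includes, an empty include list means "everything", all include tags must match, any one matching exclude tag skips the resource, and an OU path matches itself and every OU nested beneath it. The account IDs, ARNs and OU paths are constructed sample data.

```python
from dataclasses import dataclass, field

# Added example (not qrie's own code): a small model of the scope options above.
# Assumptions, since the page does not spell them out: exclusions win over includes,
# an empty include list means "everything", include tags must all match, any one
# matching exclude tag skips the resource, and an OU path matches itself and every
# OU nested beneath it.


@dataclass
class Scope:
    include_accounts: set = field(default_factory=set)    # empty = all accounts
    exclude_accounts: set = field(default_factory=set)
    include_tags: dict = field(default_factory=dict)      # resource must carry all of these
    exclude_tags: dict = field(default_factory=dict)      # any match skips the resource
    include_ou_paths: list = field(default_factory=list)  # empty = any OU
    exclude_ou_paths: list = field(default_factory=list)


@dataclass
class Resource:
    arn: str
    account_id: str
    ou_path: str                                  # e.g. "/Root/Workloads/Prod"
    tags: dict = field(default_factory=dict)


def under_ou(ou_path: str, prefixes) -> bool:
    """True if ou_path equals one of the prefixes or sits beneath it."""
    return any(ou_path == p or ou_path.startswith(p.rstrip("/") + "/") for p in prefixes)


def in_scope(scope: Scope, res: Resource) -> bool:
    """Decide whether a policy with this scope should evaluate the resource."""
    # Exclusions first, so an exclude rule always wins over an include rule.
    if res.account_id in scope.exclude_accounts:
        return False
    if under_ou(res.ou_path, scope.exclude_ou_paths):
        return False
    if any(res.tags.get(k) == v for k, v in scope.exclude_tags.items()):
        return False
    # Includes: an empty include list means "no restriction".
    if scope.include_accounts and res.account_id not in scope.include_accounts:
        return False
    if scope.include_ou_paths and not under_ou(res.ou_path, scope.include_ou_paths):
        return False
    if any(res.tags.get(k) != v for k, v in scope.include_tags.items()):
        return False
    return True


def select_in_scope(scope: Scope, resources):
    """Return the ARNs of the resources the policy will evaluate."""
    return [r.arn for r in resources if in_scope(scope, r)]


# Constructed sample inventory (fake account IDs, bucket names and OU paths).
SAMPLE_RESOURCES = [
    Resource("arn:aws:s3:::prod-data", "111111111111", "/Root/Workloads/Prod",
             {"Environment": "Production"}),
    Resource("arn:aws:s3:::dev-scratch", "222222222222", "/Root/Sandbox/Dev",
             {"Environment": "Dev"}),
    Resource("arn:aws:s3:::prod-legacy", "333333333333", "/Root/Workloads/Prod",
             {"Environment": "Production", "SkipCompliance": "true"}),
    Resource("arn:aws:s3:::prod-team-a", "111111111111", "/Root/Workloads/Prod/Team-A",
             {"Environment": "Production"}),
]

if __name__ == "__main__":
    broad = Scope()  # the recommended first launch: all accounts, no restrictions
    refined = Scope(exclude_tags={"SkipCompliance": "true"},
                    exclude_ou_paths=["/Root/Sandbox"])
    print(select_in_scope(broad, SAMPLE_RESOURCES))
    print(select_in_scope(refined, SAMPLE_RESOURCES))
```

Running the block shows the "start broad, refine later" pattern: the default scope evaluates all four resources, and adding an exclude tag plus an excluded OU narrows it to the two production buckets without a SkipCompliance tag. Note that the resource under /Root/Workloads/Prod/Team-A is still matched by an include path of /Root/Workloads/Prod because nested OUs inherit their parent's path.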
Deleting Policies
Permanently remove policies and their findings
Warning: Findings Are Purged
When you delete a policy, all findings for that policy are marked as RESOLVED with a 30-day TTL for automatic cleanup. Consider adjusting scope instead of deleting if you want to keep monitoring some resources.
To delete a policy:
1. Go to the Management page
2. Find the active policy you want to delete
3. Click the "Delete" button
4. Confirm the action (you'll see how many findings will be purged)
What happens when you delete:
- Policy is removed from the system
- All ACTIVE findings are marked as RESOLVED
- Resolved findings get a 30-day TTL and are automatically deleted by DynamoDB
- Policy stops evaluating resources immediately
- No new findings will be created for this policy
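An added example, not qrie's own code, of the purge step and the confirmation count above. The 30-day TTL and the ACTIVE/RESOLVED states come from the page; the finding field names (policy_id, status, ttl, resolved_at) are assumptions. One detail worth knowing for anyone inspecting the table: DynamoDB's TTL feature expires an item when the number in the designated TTL attribute (a Unix epoch in seconds) is in the past, so that is what the TTL field must hold. The findings are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Added example (not qrie's own code). The 30-day TTL is from the page; the field
# names below are assumptions. DynamoDB TTL expects an epoch-seconds number.
TTL_DAYS = 30


def purge_preview(findings, policy_id):
    """Count the findings the delete confirmation would report as about to be purged."""
    return sum(1 for f in findings
               if f["policy_id"] == policy_id and f["status"] == "ACTIVE")


def resolve_policy_findings(findings, policy_id, now_epoch=None):
    """Mark the policy's ACTIVE findings RESOLVED with a 30-day TTL; return how many changed.

    Findings that are already RESOLVED keep their existing TTL, so re-running the
    purge (e.g. after a partial failure) does not push their expiry further out.
    """
    if now_epoch is None:
        now_epoch = int(datetime.now(timezone.utc).timestamp())
    now = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    ttl_epoch = now_epoch + int(timedelta(days=TTL_DAYS).total_seconds())
    changed = 0
    for f in findings:
        if f["policy_id"] != policy_id or f["status"] != "ACTIVE":
            continue
        f["status"] = "RESOLVED"
        f["resolved_at"] = now.isoformat()
        f["ttl"] = ttl_epoch          # DynamoDB deletes the item once this epoch has passed
        changed += 1
    return changed


def sample_findings():
    """Constructed sample findings (fake IDs and policy names)."""
    return [
        {"finding_id": "f-1", "policy_id": "s3-public-access", "status": "ACTIVE"},
        {"finding_id": "f-2", "policy_id": "s3-public-access", "status": "ACTIVE"},
        {"finding_id": "f-3", "policy_id": "s3-public-access", "status": "RESOLVED",
         "ttl": 1700000000},
        {"finding_id": "f-4", "policy_id": "iam-mfa", "status": "ACTIVE"},
    ]


if __name__ == "__main__":
    fs = sample_findings()
    print("will purge:", purge_preview(fs, "s3-public-access"))
    print("purged:", resolve_policy_findings(fs, "s3-public-access"))
    print([(f["finding_id"], f["status"]) for f in fs])
```

Findings belonging to other policies (here iam-mfa) are untouched, which is the behaviour the "adjust scope instead" advice below relies on: deleting one policy never resolves another policy's findings.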
Alternative: Adjust scope instead
If you want to stop monitoring certain resources but keep the policy active for others, use the "Edit" button to adjust the policy scope with exclusions rather than deleting the entire policy.
Best Practices
Launch Once
Policy launch scans all resources in scope, which is expensive. Launch policies once and adjust scope/severity as needed rather than repeatedly enabling and disabling them.
Start Simple
Begin with high-severity policies (IAM, encryption, public access) before adding lower-priority checks.
Use Exclusions
Use scope exclusions for dev/test accounts or resources with legitimate exceptions rather than deleting entire policies.
Monitor Drift
Check the dashboard's "Last Policy Scan" metric. If drift is detected (scan older than 26 hours), investigate scheduled scan failures.
Future Features
Coming soon to qrie:
- Findings Export: Export findings to S3 before policy deletion for compliance audit trails
- Bulk Policy Operations: Launch/delete multiple policies at once with policy templates
- Custom Policies: Define your own policies using Python evaluation modules
- Policy Templates: Pre-configured policy bundles for compliance frameworks (HIPAA, PCI-DSS, SOC 2)