Create a resource policy
Updated: October 30, 2025
Resource policies enable you to define automated monitoring policies that scan your infrastructure for changes. These policies act as monitors that detect when resources are added, modified, or meet specific criteria, and they trigger alerts when changes are detected.
- In the side menu, go to API and select Resource Policies.
- Click Create Resource Policy.
- Enter a name for your policy (e.g., "DeepSeek usage policy").
- Enter a description for the resource policy.
Define monitoring rules
Each Resource Policy can include multiple monitoring rules. You can:
- Select from suggested policy templates.
- Reuse saved policies.
- Add custom policies (up to 10 per resource policy).
All rules within the policy are evaluated together during each automatic scan.
Suggested policies
Select from ready-made templates that cover common monitoring scenarios.
API resource policy templates
- API discovered on AWS – Detects any API discovered on AWS infrastructure.
- API discovered on Azure – Detects any API discovered on Azure infrastructure.
- API discovered on Google Cloud – Detects any API discovered on Google Cloud infrastructure.
- API has no cloud tags – Identifies APIs lacking proper cloud tagging.
- API on AWS has no cloud tags set – AWS-specific tag compliance monitoring.
- API on AWS has no discovered endpoints – Identifies AWS APIs without discoverable endpoints.
- AppSync API Has Introspection Enabled – Detects AppSync APIs with introspection enabled (security risk).
- AppSync API has no query depth limit – Identifies AppSync APIs without query depth restrictions.
- AppSync API has no resolver count limit – Detects AppSync APIs without resolver limits.
- AWS Lambda function URL discovered with no auth – Identifies Lambda functions with public URLs lacking authentication.
- High Risk APIs – Matches any APIs that have a risk score greater than 70.
Saved policies
Select from previously created policies to apply existing configurations and maintain consistency across your monitoring strategy.
Add custom policies
You can define up to 10 custom monitoring rules per policy.
Adding a custom policy
- Click Add Policies under the Custom Policies section.
- Choose a Resource Type.
  API resources:
  - API
  - API Findings
  - App
  - Auth Provider
  - Client Secrets
  - Integration
  - Specification
  - Specification Version
- Click Submit
Add filters
- Click Add Filter
- Define the condition using field, operator, and value.
Custom policy management
- Edit filters: Click existing filters to modify conditions.
- Delete policy: Click the trash icon to remove a policy.
Add notification method
- Go to the Notification Integrations section.
- Choose a previously created integration (Slack, email, webhook, etc.).
- Click Create to configure a new integration if needed.
Note: Notifications are triggered only when a change is detected between the current scan and the previous scan. If no changes are found, no notification is sent.
Finalize
- Click Submit to save and activate the policy.
History
Each resource policy you create includes a History tab where you can view a record of past scans performed by the policy.
- The History tab is accessible in existing Resource Policies.
- Each entry shows the date and time the scan was executed and indicates "Resources found matching Resource Policy".
- History entries are only created when new matching resources are found; scans with no matches don't generate history records.
- Each history entry shows matched resources grouped by resource type (e.g., APIs).
- For each resource group, you can see the policy name that matched, total count of matched resources, and a "View Matched Resources" button to see the specific items.
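The notification note and the History behavior above both depend on comparing one scan with the previous one. The following is an added model of those semantics, not the product's own code: it shows that a resource which keeps matching produces no second notification or history entry. The field names, operator names, and the choice to treat "change" as a difference in the set of matched resources are assumptions.

```python
# Constructed operator names; the page only says a filter is field + operator + value.
OPS = {
    "equals": lambda a, b: a == b,
    "greater_than": lambda a, b: a is not None and a > b,
}

# Two rules modelled on the page's templates. Field names are assumptions.
RULES = {
    "High Risk APIs": [("risk_score", "greater_than", 70)],
    "Lambda function URL with no auth": [("type", "equals", "lambda_url"),
                                         ("auth", "equals", "none")],
}

def scan(resources, rules=RULES):
    """Evaluate every rule in the policy together; return {rule: matching ids}."""
    return {
        name: {r["id"] for r in resources
               if all(OPS[op](r.get(field), value) for field, op, value in filters)}
        for name, filters in rules.items()
    }

class PolicyMonitor:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.previous = {name: set() for name in rules}
        self.history = []  # one entry per scan that found new matches

    def run(self, resources):
        """Run one scan; return True if a notification would be sent."""
        current = scan(resources, self.rules)
        new = {n: ids - self.previous[n] for n, ids in current.items()
               if ids - self.previous[n]}
        if new:
            self.history.append(new)  # grouped by the rule that matched
        changed = current != self.previous
        self.previous = current
        return changed

# Constructed inventory snapshots for three consecutive scans.
SCAN_1 = [{"id": "api-1", "type": "rest", "risk_score": 82, "auth": "jwt"}]
SCAN_2 = SCAN_1  # nothing changed: the risky API is still present
SCAN_3 = SCAN_1 + [{"id": "fn-7", "type": "lambda_url", "risk_score": 40, "auth": "none"}]
```

Running the three snapshots through one `PolicyMonitor` notifies on scans 1 and 3 only, so the first alert for a matching resource is the one to act on: the still-risky `api-1` is silent on scan 2.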