Posture Management

Resource policies

Updated: September 15, 2025

API AI Resource Policy

Resource policies enables you to define automated monitoring policies that scan your infrastructure for changes. These policies act as monitors that detect when resources are added, modified, or meet specific criteria, and they trigger alerts when changes are detected.

How it works

  • Define monitoring rules: Choose from pre-built policies or create custom policies with specific filters.
  • Configure notifications: Get alerted when changes occur.
  • Change detection: Alerts are triggered only when changes are detected.
  • Historical tracking: Review scan history to identify trends and patterns.

Create a resource policy

  1. Navigate to Posture Management and select Resource Policy.
  2. Click Create Resource Policy.
  3. Select your policy type:
    • API – Monitor API resources, security configurations, and platform activities.
    • AI – Monitor AI model usage, prompts, and AI-related activities.
  4. Enter a name for your policy (e.g., "DeepSeek usage policy").
  5. Enter a description for the resource policy.

Define monitoring rules

Each Resource Policy can include multiple monitoring rules. You can:

  • Select from suggested policy templates.
  • Reuse saved policies.
  • Add custom policies (up to 10 per resource policy).

All rules within the policy are evaluated together during each automatic scan.

Suggested policies

Select from ready-made templates that cover common monitoring scenarios.

API resource policy templates

  • API discovered on AWS – Detects any API discovered on AWS infrastructure.
  • API discovered on Azure – Detects any API discovered on Azure infrastructure.
  • API discovered on Google Cloud – Detects any API discovered on Google Cloud infrastructure.
  • API has no cloud tags – Identifies APIs lacking proper cloud tagging.
  • API on AWS has no cloud tags set – AWS-specific tag compliance monitoring.
  • API on AWS has no discovered endpoints – Identifies AWS APIs without discoverable endpoints.
  • AppSync API Has Introspection Enabled – Detects AppSync APIs with introspection enabled (security risk).
  • AppSync API has no query depth limit – Identifies AppSync APIs without query depth restrictions.
  • AppSync API has no resolver count limit – Detects AppSync APIs without resolver limits.
  • AWS Lambda function URL discovered with no auth – Identifies Lambda functions with public URLs lacking authentication.
  • High Risk APIs – Matches any APIs that have a risk score greater than 70.

AI resource policy templates

  • Any AI Usage – Monitors any AI usage, regardless of provider (tracks both AI Models and AI Prompts).
  • Any AI Usage in code – Detects AI usage specifically within code implementations.
  • Any AI Usage on platforms – Monitors AI usage on SaaS/Cloud platforms.
  • DeepSeek AI Usage – Monitors any DeepSeek AI usage across your environment.
  • DeepSeek AI Usage in code – Detects DeepSeek AI usage in code, including LLM models and prompts.
  • DeepSeek AI Usage on platforms – Monitors DeepSeek AI usage on SaaS/Cloud platforms.

Saved policies

Select from previously created policies to apply existing configurations and maintain consistency across your monitoring strategy.

Add custom policies

You can define up to 10 custom monitoring rules per policy.

Adding a custom policy

  1. Click Add Policies under the Custom Policies section.
  2. Choose a Resource Type.

API resources:

  • API
  • API Findings
  • App
  • Auth Provider
  • Client Secrets
  • Integration
  • Specification
  • Specification Version

AI resources:

  • AI Model
  • AI Prompt
  • AI Finding
  1. Click Submit

Add filters

  • Click Add Filter
  • Define the condition using field, operator, and value.

Custom policy management

  • Edit filters: Click existing filters to modify conditions.
  • Delete policy: Click the trash icon to remove a policy.

Add notification method

  1. Go to the Notification Integrations section.
  2. Choose a previously created integration (Slack, email, webhook, etc.).
  3. Click Create to configure a new integration if needed.

Note: Notifications are triggered only when a change is detected between the current scan and the previous scan. If no changes are found, no notification is sent.

Finalize

  • Click Submit to save and activate the policy.

History

Each resource policy you create includes a History tab where you can view a record of past scans performed by the policy.

  • The History tab is accessible in existing Resource Policies.
  • Each entry shows the date and time the scan was executed and indicates "Resources found matching Resource Policy".
  • History entries are only created when new matching resources are found - scans with no matches don't generate history records.
  • Each history entry shows matched resources grouped by resource type (e.g., Platform Models, Platform Prompts, Software Models).
  • For each resource group, you can see the policy name that matched, total count of matched resources, and a "View Matched Resources" button to see the specific items.

Need help?

Contact FireTail support

Previous (Posture Management - Alerting)
AI alert examples
Next (Tags)
All tags