Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Policy as Code: Putting best practices in your ...

Ben Bridts
October 03, 2022

Policy as Code: Putting best practices in your repository

Governance and Compliance can be a bottleneck when building infrastructure. In this talk we will look at different ways to enforce and encourage best practices, where they can fit in the Software Development Lifecycle and at different ways of running them.

Additionally we will look at common challenges with tools like cfn-guard and CloudFormation hooks

Ben Bridts

October 03, 2022
Tweet

More Decks by Ben Bridts

Other Decks in Programming

Transcript

  1. “Standardizing infrastructure configuration allows developers to stand up new infrastructure

    […] without the assistance or approval of an operations specialist, […] allowing them to take more ownership of their work.” - Emily Freeman, DevOps for dummies
  2. let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket'] rule S3_BUCKET_PUBLIC_ACCESS_PROHIBITED when

    %s3_buckets !empty { %s3_buckets.Properties.PublicAccessBlockConfiguration exists %s3_buckets.Properties.PublicAccessBlockConfiguration.BlockPublicAcls == true %s3_buckets.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy == true %s3_buckets.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls == true %s3_buckets.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets == true << Violation: S3 Bucket Public Access controls need to be restricted. Fix: Set S3 Bucket PublicAccessBlockConfiguration properties for BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, RestrictPublicBuckets parameters to true. >> }
  3. Features: • Pre-build rules and rule sets • Docker Image

    for use in ci/cd • Individual rule supression https://github.com/aws-cloudformation/aws-guard-rules-registry
  4. Challenges (1/2) • Where do you store your rules? •

    Combining custom rules with Open Source rules • Running cfn-guard from docker with local rule file • Building custom docker images • Running natively • Integrating with CloudFormation • Limited examples for hooks • https://github.com/aws-cloudformation/community-registry- extensions/tree/main/hooks/S3_BucketVersioningEnabled • Per-account / per-region setting
  5. Challenges (2/2) • Integrating with other AWS Services • Config

    does not support all resources • CloudControl API has it’s own limitations • Integrating with Posture Management Vendors • Same rules in different tools