Policy as Code: Putting best practices in your repository

Transcript

1. Policy as Code Putting best practices in your repository

2. What’s the problem?

3. Central teams create bottlenecks AWS Service Catalog AWS CloudFormation AWS

   Management Console AWS CloudFormation

4. GuardRails have long feedback loops AWS CloudFormation Service Control Policy

   AWS CloudTrail AWS Config

5. We need a new thing or do we?

6. “Standardizing infrastructure configuration allows developers to stand up new infrastructure

   […] without the assistance or approval of an operations specialist, […] allowing them to take more ownership of their work.” - Emily Freeman, DevOps for dummies

7. Everything is awsome YAML

8. Policy as Code With (cfn-)guard

9. https://github.com/aws-cloudformation/cloudformation-guard

10. let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket'] rule S3_BUCKET_PUBLIC_ACCESS_PROHIBITED when

    %s3_buckets !empty { %s3_buckets.Properties.PublicAccessBlockConfiguration exists %s3_buckets.Properties.PublicAccessBlockConfiguration.BlockPublicAcls == true %s3_buckets.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy == true %s3_buckets.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls == true %s3_buckets.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets == true << Violation: S3 Bucket Public Access controls need to be restricted. Fix: Set S3 Bucket PublicAccessBlockConfiguration properties for BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, RestrictPublicBuckets parameters to true. >> }

11. Creating a short feedback loop AWS CodePipeline Source code pre-commit

12. Reusing Rules - Preventive AWS CloudFormation https://aws.amazon.com/blogs/mt/proactively-keep-resources-secure-and-compliant-with-aws-cloudformation-hooks/

13. Reusing Rules - Detective https://aws.amazon.com/blogs/mt/announcing-aws-config-custom-rules-using-guard-custom-policy/ AWS Config

14. Reusing Rules - Detective AWS Cloud Control API

15. How to get started and related problems

16. Installation is harder than it should be https://github.com/aws-cloudformation/cloudformation-guard#installation

17. How to find rules? https://github.com/aws-cloudformation/cloudformation-guard/tree/main/guard-examples

18. AWS Guard Rule Registry A decent first step

19. Features: • Pre-build rules and rule sets • Docker Image

    for use in ci/cd • Individual rule supression https://github.com/aws-cloudformation/aws-guard-rules-registry

20. Challenges

21. Challenges (1/2) • Where do you store your rules? •

    Combining custom rules with Open Source rules • Running cfn-guard from docker with local rule file • Building custom docker images • Running natively • Integrating with CloudFormation • Limited examples for hooks • https://github.com/aws-cloudformation/community-registry- extensions/tree/main/hooks/S3_BucketVersioningEnabled • Per-account / per-region setting

22. Challenges (2/2) • Integrating with other AWS Services • Config

    does not support all resources • CloudControl API has it’s own limitations • Integrating with Posture Management Vendors • Same rules in different tools

23. Thank you! Ben Bridts [email protected] @BenBridts | @WeAreCloudar www.cloudar.be