symbol and 1 uppercase character.
• Region should be in United States.
• Private CA certificate key should be marked as sensitive.
• Names should include standard environment.
Variable Validation, Inline with Precondition

          # ">= 3" matches the error message; the slide's "> 3" would have required four characters
          condition     = random_string.boundary.length >= 3
          error_message = "HCP Boundary requires username to be at least 3 characters in length"
        }
      }
    }
◦ State
• Encrypt in transit and at rest.
• Sanitize sensitive values in logs or outputs.
• Ensure least privilege access to providers.
Static analysis
Dynamic analysis
should not be printed in output.
• Virtual machine resource should have attached IAM role.
• Infrastructure state should be limited to owners of workspace.
Static Analysis of Practices with OPA

    # Assumed, not on the original slide: a conftest-style deny rule whose input is
    # the JSON of `terraform show -json`, so outputs live under planned_values.outputs
    # and each carries a boolean "sensitive" flag.
    deny[msg] {
      outputs := input.planned_values.outputs
      # collect every output whose name mentions a password but is not marked sensitive
      plaintext_password_outputs := [key |
        outputs[key]
        contains(key, "password")
        not outputs[key].sensitive
      ]
      count(plaintext_password_outputs) != 0
      msg := sprintf("%v should be marked as sensitive outputs", [plaintext_password_outputs])
    }
privilege network access.
• Separate development and production.
• Analyze vulnerabilities and access.
• Assess drift.
• Remove idle / unused resources.
Need dynamic analysis
• Verify network policies and secure versions.
• Tags should include environment.
• Image should include secure base.
• Scan running infrastructure for new vulnerabilities.
More Complex Static Analysis with OPA

      # private subnets: every aws_subnet in the VPC modules that does not
      # auto-assign public IPs (the binding name is implied by the line that uses it)
      private_subnets := {r.values.id |
        r := vpc_modules[_].resources[_]
        r.type == "aws_subnet"
        not r.values.map_public_ip_on_launch
      }
      # any cluster subnet that is not private is public
      public_subnets := cluster_subnet_ids - private_subnets
      count(public_subnets) != 0
      msg := sprintf("EKS cluster %v should be in private subnets (%v are public subnets)", [cluster_id, public_subnets])
    }
or industry benchmarks.
Infrastructure modules
Production configuration
1. Create custom policy tests. Divide by…
  • Enforcement level
  • Business unit
  • Resource
  • Type
2. Choose a severity threshold.
  ◦ Identify mandatory rules.
  ◦ Use advisory as last resort.
  ◦ Try to enforce development environments.
• Evaluate and make exceptions.