Adopt Compliance as Code in your AWS environment — Part I — The right tools for the right job

Compliance in a Cloud world
In order to protect its business, every company in the world should define a compliance program. A compliance program is a set of requirements that meet a specific standard (internal or external). A requirement is expressed by a statement or assertion — the policy — that specifies the correct or expected behaviour of an entity. To meet the compliance program, the organization implements controls, defines procedures and writes guidelines that satisfy these policies. Security and governance processes must evolve to support modern Cloud infrastructures, keeping in mind two things: the organization shares responsibility with cloud service providers [1], and the organization must improve its business agility without compromising safety [2].
Compliance as Code (Policy as Code)
To find the right balance between agility and compliance, the security and governance team must define new rules, engage the right people, and leverage cloud technologies. One of these rules is to define your compliance policies such that they can be treated as software. The companies must adopt a new approach to planning, developing, and testing policies. Just like we use Infrastructure as Code in infrastructure automation and the approach of CI/CD in application lifecycle management, at the same time our DevSecOps teams should adopt policy-as-code, especially in a cloud world. Because the compliance program is a set of policies that meet a standard, it is more correct to speak of Policy as Code as one implementation of Compliance as Code.
Shift-Left and Shift-Right approach
The security and compliance team should adopt the policy-as-code practice to meet compliance requirements without compromising agility. In a DevOps process, during software development, the team can execute the tests on the left side and/or on the right side of the lifecycle. On the left side the teams test software with the goal of meeting the design criteria, while on the right side they test integration with the rest of the world [3]. We can make the same analogy for the policy-as-code practice. Working on the left side we can detect compliance issues very early in the process, but our tests are limited in scope and more related to a specific workload. On the right side, we can assess the resources against compliance requirements defined at the organization level. On the left side, the tests are planned and executed by the project's team, while on the right side the tests are planned and executed by a CCoE (Cloud Center of Excellence) team [1].

The right tools for the right job
There are different tools to implement policy-as-code in a Cloud world; most of them are open source and many others are provided directly by the cloud provider. On the left side, the tests are implemented with the goal of verifying the compliance of a specific workload against a standard. Usually, on this side, there is no dependency on cloud providers, so we can use general-purpose tools. On the right side, instead, we need to assess the resources against the compliance requirements defined at the organization level. On this side, the policies are cross-project, cross-business and implemented by a CCoE team, and the tools provided by the Cloud providers are usually more effective and straightforward to adopt.
The right tools for the right job on AWS
AWS provides different services that give you a comprehensive view of your compliance status and let you continuously monitor your cloud resources. In particular, to help policy-as-code adoption, AWS provides services and features that you can place in the DevOps lifecycle for both a shift-left and a shift-right approach.
Shift-Left — AWS CDK and OPA
On the left side, we can use AWS Cloud Development Kit together with a framework that simplifies policy development and management such as OPA — Open Policy Agent — an open-source engine incubated in the CNCF. By integrating AWS CDK and OPA we can realize a policy-as-code capability that tests the changes before AWS CDK applies them to your AWS environment. In this scenario, CDK generates a CloudFormation template that is validated against the OPA policy document before a create or update stack operation is executed, and the OPA policies are specific to the workload we are creating or updating.
Shift-Left — AWS CloudFormation Guard
On the left side, we can also use AWS CloudFormation Guard, an open-source tool that helps validate your workload against a rule set to keep resources in compliance with the project's guidelines. Guard is an open-source command line interface (CLI) that provides a domain-specific language (DSL) to express policy-as-code and then validates JSON/YAML templates against that code. CloudFormation Guard also supports Terraform JSON configuration files and Kubernetes configurations.
Shift-Right — AWS Config Rule and RDK
On the right side, the policies are defined by a CCoE and have an overall (entire organization) scope. AWS Config, and in particular AWS Config Rules, can evaluate the configuration settings of specific AWS resources or of an entire AWS account. If a resource does not pass a rule check, AWS Config flags the resource as non-compliant and sends a notification. AWS Config also provides a Rule Development Kit (RDK) that simplifies the creation and management of your custom rules.
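As an added example (not code from the original post, from AWS or from the RDK project), here is one control enforced on both sides of the lifecycle: a shift-left check over a synthesized CloudFormation template, written in plain Python rather than Rego or Guard DSL so it runs stand-alone, and a shift-right `evaluate_compliance` function in the shape an RDK-generated custom AWS Config rule uses. The template, the configuration-item layout and the resource names are constructed samples.

```python
# Added example, not code from the original post. One control, "no security
# group may expose SSH (22) to 0.0.0.0/0", evaluated on both sides of the
# lifecycle. Resource shapes below are constructed samples, not copied from AWS.
import ipaddress

SSH_PORT = 22
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")

def _open_ssh(from_port, to_port, cidr):
    """True when one ingress rule allows port 22 from the whole IPv4 internet."""
    if cidr is None:                    # IPv6 / prefix-list rules are not covered here
        return False
    all_ports = from_port is None or to_port is None or from_port == -1
    covers_ssh = all_ports or from_port <= SSH_PORT <= to_port
    return covers_ssh and ipaddress.ip_network(cidr, strict=False) == ANY_V4

def check_template(template):
    """Shift-left: scan a synthesized CloudFormation template before deployment.
    Returns the logical IDs of violating security groups (the kind of check a
    project team would express as an OPA or Guard policy)."""
    failures = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if _open_ssh(rule.get("FromPort"), rule.get("ToPort"), rule.get("CidrIp")):
                failures.append(logical_id)
                break
    return failures

def evaluate_compliance(event, configuration_item, valid_rule_parameters):
    """Shift-right: function in the shape RDK generates for a custom AWS Config
    rule; it receives the configuration item of an already deployed resource."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    for perm in configuration_item.get("configuration", {}).get("ipPermissions", []):
        for rng in perm.get("ipv4Ranges", []):
            if _open_ssh(perm.get("fromPort"), perm.get("toPort"), rng.get("cidrIp")):
                return "NON_COMPLIANT"
    return "COMPLIANT"

SAMPLE_TEMPLATE = {"Resources": {  # constructed CDK-style synth output
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}}}}
SAMPLE_ITEM = {"resourceType": "AWS::EC2::SecurityGroup",  # constructed Config item
    "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
        "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}
```

Running `check_template(SAMPLE_TEMPLATE)` flags only `BastionSg`, while `evaluate_compliance({}, SAMPLE_ITEM, {})` returns `NON_COMPLIANT` for the deployed group; the same control is thus caught once in the project's pipeline and again by the CCoE's account-wide rule.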
The importance of CI/CD
To improve the agility of compliance we must introduce a continuous compliance workflow in which our DevSecOps team and/or our CCoE team can release policies in a continuous integration and continuous deployment (CI/CD) fashion. Following the decoupling best practice, we place the compliance pipeline alongside the infrastructure and application pipelines. To implement a CI/CD pipeline we can use AWS Developer Tools such as CodePipeline, CodeBuild and CodeDeploy.

Reference
[1] AWS Shared Responsibility Model
[2] Governance in the AWS Cloud: The Right Balance Between Agility and Safety
[3] Shift left vs shift-right: A DevOps mystery solved
Adopt Compliance as Code in your AWS environment — Part I — The right tools for the right job was originally published in Towards AWS on Medium, where people are continuing the conversation by highlighting and responding to this story.