Using Open Policy Agent (OPA) for cloud security and compliance
October 9, 2019
Editor's note
This blog originally appeared on fugue.co. Fugue joined Snyk in 2022 and is a key component of Snyk IaC.
Just like the challenges of managing large cloud infrastructure operations led to the development of infrastructure as code, ensuring the security and compliance of those environments led to policy as code. Cloud infrastructure environments are simply too vast, complex and dynamic to address with traditional security approaches such as manual audits and checklists.
Unfortunately, most policy as code languages are proprietary, closed-source ones offered by cloud vendors. These lock in customers, are incompatible with other policy frameworks the enterprise may be using, and can be a real struggle to apply to specific use cases.
Open Policy Agent (OPA) is an open source general-purpose policy engine, and Rego is OPA’s declarative policy language. Combined with Fugue, it provides maximum flexibility when implementing cloud infrastructure policy. The Cloud Native Computing Foundation (CNCF) accepted OPA as an incubation-level hosted project in April 2019.
We’ve been using OPA and Rego at Fugue as the policy-as-code framework in our SaaS solution for cloud security and compliance, and it’s simply amazing. Much of the focus of OPA has been on developing access policies for Kubernetes, but we’ve been leveraging it substantially for a wider variety of cloud infrastructure use cases on Amazon Web Services (AWS) and Microsoft Azure. You can read our announcement here.
By adopting OPA and Rego, we’ve been able to provide powerful and flexible policy as code capabilities for our customers, including the ability to quickly and easily create custom cloud infrastructure policies.
Fugue’s custom rules capabilities that leverage OPA enable users to:
Build and manage custom, user-defined cloud infrastructure rules in OPA Rego via the Fugue API, CLI, and web interface
Validate and test custom rules while they are being written with helpful errors that save time
Continuously validate and report on compliance for custom rules and out-of-the-box policy frameworks
Just a few examples of custom policies using OPA with Fugue include:
Check for public and unencrypted S3 buckets
Which cloud regions are allowed
Which machine images (e.g. AMIs) are allowed
Make sure VPC flow logs are configured
Which instance sizes (e.g. EC2) are allowed
Check for least permissions in IAM policies
Which ingress rules are allowed for Security Groups
For example, if a security group should not allow port 9200 to be open to the world, the rule can be expressed like this:
deny {
  # The shared index i ties all three checks to the same ingress entry.
  input.ingress[i].from_port <= 9200
  input.ingress[i].to_port >= 9200
  input.ingress[i].cidr_blocks[_] == "0.0.0.0/0"
}
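The rule above extended to a set of ports, with unit tests for the two cases that matter most: a port range that merely contains 9200, and a group where the port and the world CIDR sit on different ingress entries. This is an added example, not Fugue's own rule; the package name, the port list and the test inputs are constructed, and it assumes an OPA release that supports the `if` keyword.

```rego
package example.sg_ingress

import future.keywords.if

# Ports that must never be reachable from the whole internet (assumed list).
restricted_ports := {9200, 9300}

# Deny when a single ingress entry both covers a restricted port and lists
# the world CIDR. The shared index i binds all three checks to one entry.
deny if {
	some i, port
	restricted_ports[port]
	input.ingress[i].from_port <= port
	input.ingress[i].to_port >= port
	input.ingress[i].cidr_blocks[_] == "0.0.0.0/0"
}

# Constructed input: a wide range that contains 9200, open to the world.
test_range_containing_port_is_denied if {
	deny with input as {"ingress": [
		{"from_port": 9000, "to_port": 9250, "cidr_blocks": ["0.0.0.0/0"]}
	]}
}

# Constructed input: 9200 is open only to an internal range, while a
# different entry exposes 443 to the world. No single entry matches.
test_port_and_world_cidr_on_different_entries_pass if {
	not deny with input as {"ingress": [
		{"from_port": 9200, "to_port": 9200, "cidr_blocks": ["10.0.0.0/8"]},
		{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}
	]}
}

# Constructed input: a group with no ingress entries is never denied.
test_no_ingress_pass if {
	not deny with input as {"ingress": []}
}
```

Saved to a file, the tests can be run with `opa test` against that file.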
Most organizations also need to adhere to one or more compliance frameworks, so Fugue provides out-of-the-box support using OPA for CIS Foundations Benchmarks (AWS and Azure), GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2.
Fugue is running millions of security rule evaluations every day using OPA, so we've put a lot of work into developer tooling and will be contributing all of that back to the open source community. We’re excited about OPA and the opportunity to get more involved in this important open source project.