Using Open Policy Agent (OPA) for cloud security and compliance
9 October 2019
Editor's note
This blog originally appeared on fugue.co. Fugue joined Snyk in 2022 and is a key component of Snyk IaC.
Just like the challenges of managing large cloud infrastructure operations led to the development of infrastructure as code, ensuring the security and compliance of those environments led to policy as code. Cloud infrastructure environments are simply too vast, complex and dynamic to address with traditional security approaches such as manual audits and checklists.
Unfortunately, most policy as code languages are proprietary, closed-source ones offered by cloud vendors. They lock customers in, are incompatible with other policy frameworks the enterprise may already be using, and can be a real struggle to apply to specific use cases.
Open Policy Agent (OPA) is an open source general-purpose policy engine, and Rego is OPA’s declarative policy language. Combined with Fugue, it provides maximum flexibility when implementing cloud infrastructure policy. The Cloud Native Computing Foundation (CNCF) accepted OPA as an incubation-level hosted project in April 2019.
We’ve been using OPA and Rego at Fugue as the policy-as-code framework in our SaaS solution for cloud security and compliance, and it’s simply amazing. Much of the focus of OPA has been on developing access policies for Kubernetes, but we’ve been leveraging it substantially for a wider variety of cloud infrastructure use cases on Amazon Web Services (AWS) and Microsoft Azure. You can read our announcement here.
By adopting OPA and Rego, we’ve been able to provide powerful and flexible policy as code capabilities for our customers, including the ability to quickly and easily create custom cloud infrastructure policies.
Fugue’s custom rules capabilities that leverage OPA enable users to:
Build and manage custom, user-defined cloud infrastructure rules in OPA Rego via the Fugue API, CLI, and web interface
Validate and test custom rules while they are being written with helpful errors that save time
Continuously validate and report on compliance for custom rules and out-of-the-box policy frameworks
Just a few examples of custom policies using OPA with Fugue include:
Check for public and unencrypted S3 buckets
Which cloud regions are allowed
Which machine images (e.g. AMIs) are allowed
Make sure VPC flow logs are configured
Which instance sizes (e.g. EC2) are allowed
Check for least permissions in IAM policies
Which ingress rules are allowed for Security Groups
For example, if a security group should not allow port 9200 to be open to the world, the rule can be expressed like this:
# Deny when any single ingress rule covers port 9200 and is open to the whole internet.
# Reusing the same index i on every line binds all three conditions to one ingress rule.
deny {
    input.ingress[i].from_port <= 9200
    input.ingress[i].to_port >= 9200
    input.ingress[i].cidr_blocks[_] == "0.0.0.0/0"
}
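The single-port rule above generalizes naturally. The following is an added example, not code from the original post or from Fugue: a Rego policy that denies any ingress rule exposing one of a set of sensitive ports to the world, together with its unit tests. It assumes the same input shape as the snippet above (Terraform-style ingress blocks with protocol, from_port, to_port, cidr_blocks and, for IPv6, ipv6_cidr_blocks); the set of sensitive ports, the package names and the sample input are all constructed for illustration. It also handles two cases the one-liner misses: the IPv6 world CIDR ::/0, and AWS's "all traffic" encoding (protocol "-1"), which covers every port regardless of the from_port/to_port values. It uses the `import rego.v1` syntax accepted by current OPA releases rather than the older form shown above, and is written as two files, shown one after the other.

```rego
# --- file: security_group.rego ---
package fugue.example.security_group

import rego.v1

# Ports that must never be reachable from the whole internet.
# This set is an assumption for the example; adjust it to your environment.
sensitive_ports := {22, 3389, 5432, 6379, 9200, 27017}

# CIDRs that mean "anyone", for IPv4 and IPv6 respectively.
world_cidrs := {"0.0.0.0/0", "::/0"}

# A rule is world-open if any IPv4 or IPv6 CIDR block is a world CIDR.
world_open(rule) if {
    some cidr in rule.cidr_blocks
    cidr in world_cidrs
}

world_open(rule) if {
    some cidr in rule.ipv6_cidr_blocks
    cidr in world_cidrs
}

# AWS encodes "all traffic" as protocol "-1"; such a rule covers every port,
# so do not rely on its from_port/to_port numbers.
covers_port(rule, _) if rule.protocol == "-1"

covers_port(rule, port) if {
    rule.protocol != "-1"
    rule.from_port <= port
    rule.to_port >= port
}

# One deny message per (ingress rule index, exposed sensitive port).
deny contains msg if {
    some i
    rule := input.ingress[i]
    world_open(rule)
    some port in sensitive_ports
    covers_port(rule, port)
    msg := sprintf("ingress[%d] exposes port %d to the world", [i, port])
}

# --- file: security_group_test.rego ---
package fugue.example.security_group_test

import rego.v1

import data.fugue.example.security_group as sg

# Constructed sample input: four ingress rules with different exposure.
sample := {"ingress": [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
    {"protocol": "tcp", "from_port": 9000, "to_port": 9300, "cidr_blocks": ["0.0.0.0/0"]},
    {"protocol": "-1", "from_port": 0, "to_port": 0, "ipv6_cidr_blocks": ["::/0"]},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/8"]},
]}

# Deny messages that refer to ingress rule i (trailing space avoids matching ingress[10]).
messages_for(denials, i) := {m |
    some m in denials
    startswith(m, sprintf("ingress[%d] ", [i]))
}

# Public HTTPS is not a sensitive port, so it produces no denial.
test_public_https_is_allowed if {
    denials := sg.deny with input as sample
    count(messages_for(denials, 0)) == 0
}

# A world-open range 9000-9300 is denied only for the sensitive port it covers.
test_range_covering_9200_is_denied if {
    denials := sg.deny with input as sample
    messages_for(denials, 1) == {"ingress[1] exposes port 9200 to the world"}
}

# "All traffic" to ::/0 is denied once per sensitive port, despite from/to being 0.
test_all_traffic_ipv6_is_denied_for_every_sensitive_port if {
    denials := sg.deny with input as sample
    count(messages_for(denials, 2)) == count(sg.sensitive_ports)
}

# SSH restricted to a private range is not world-open and produces no denial.
test_private_ssh_is_allowed if {
    denials := sg.deny with input as sample
    count(messages_for(denials, 3)) == 0
}
```

With both files in one directory, `opa test -v .` runs the four tests, and `opa eval -d security_group.rego -i sg.json 'data.fugue.example.security_group.deny'` evaluates the policy against a JSON file holding a real security group in the assumed shape. Emitting one message per exposure, rather than a bare `deny`, is what makes the result useful in a compliance report: the reviewer sees which rule and which port, not just that the resource failed.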
Most organizations also need to adhere to one or more compliance frameworks, so Fugue provides out-of-the-box support using OPA for CIS Foundations Benchmarks (AWS and Azure), GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2.
Fugue is running millions of security rule evaluations every day using OPA, so we've put a lot of work into developer tooling and will be contributing all of that back to the open source community. We’re excited about OPA and the opportunity to get more involved in this important open source project.