After I listened to Ashish Rajan’s Cloud Security Podcast, episode “Building Cloud Security Roadmap”, I finally had the chance to read the AWS Security Maturity Roadmap by Scott Piper and found it very insightful. Whether you are tasked with building a security roadmap for your organization or you are leveling up your AWS cloud security skills, the roadmap is worth reading. Scott has some great pointers and resources for learning AWS Cloud security and how you can keep yourself up-to-date. While opinionated, the roadmap provides specific guidelines for AWS Cloud Security, and the concept is universal and can be applied to other Cloud Service Providers.
The roadmap lays out ten steps starting from the fundamentals to help you establish a foundation. This includes getting an inventory across your cloud accounts and the need to perform regular backups which is easily forgotten but increasingly important with the rise of ransomware. As you progress with the roadmap, you’ll start to use Infrastructure as Code (IaC) for reproducibility (stage 7). I want to highlight a few benefits and best practices we learned from our own experience and our interaction with the community.
Why Infrastructure as Code
Using Infrastructure as Code (IaC) for repeatability and improved audits were well explained in the roadmap. If you are using IaC, you should also consider applying the same disciplines and quality gates that are used to manage application code to the infrastructure. Instead of allowing users to deploy cloud infrastructure directly from the workstation, you check your IaC into a code repository such as Github and leverage a CI/CD pipeline to control the deployment. This has an added benefit of limiting the number of administrators you allow in your cloud account. By integrating IaC into the CI/CD pipeline, infrastructure changes can be tracked alongside with the application code.
Beyond Static Analysis
As mentioned in the roadmap, one of the key benefits of integrating IaC into the pipeline is to perform security scanning early in the development process with static analysis. Making security scanning part of the developer’s workflow means that security scanning will happen even with a tight timeline. IaC will be automatically evaluated for security impacts and provide immediate feedback to developers. You can even stop the pipeline if a critical security issue is detected preventing a potential security issue from making it into your production environment.
This allows you to expand beyond Continuous Integration and Continuous Delivery, to Continuous Compliance. Essentially, the concept of having your cloud environment always compliant with your own security and operational requirements, as well as external one.
Interestingly, as you start to operationalize an IaC managed infrastructure and apply compliance processes to it, you may find that you need to “connect the dots” across your IaC. Essentially, instead of analyzing each IaC code repository on its own, you’d want to analyze how they impact one another. For example, if one code stack deploys cloud network infrastructure and another one uses it, you’d want to be able to analyze them as a whole.
To do this you’d need to evaluate IaC with the live cloud environment. It’s called Dynamic Analysis. This is because many cloud issues manifest themselves only through analysis with the deployed (live) environment and the different code stacks that build it. For example, if you want to identify and remove unused IAM roles, you have to consider the live environment. Incidentally, this is one of the roadmap items in stage 5: secure IAM access. For more information on how you can identify them, read this blog.
Another reason for dynamic analysis is infrastructure drift. One of the biggest challenges in an IaC managed infrastructure is to spot discrepancies as they happen. Infrastructure drift is change that occurs in a cloud environment that differs from the originally deployed method. For example, if you provision a resource using Terraform, and you then make a change using the web console, that is considered a drift. With dynamic analysis where you continuously monitor the live cloud environment, you can detect Cloud infrastructure drift.
Achieving Continuous Compliance
By deploying your infrastructure using a CI/CD pipeline, you can ensure repeatability and improve business agility. Static and Dynamic analyses are two different techniques to secure your IaC managed infrastructure. Applying both techniques with the right processes can help you achieve continuous compliance and know that your infrastructure is always in line with your requirements, just like your application code is.