Security & Policy Con fi gurations for Infrastructure as Code Cloud Native @Scale June 2021

infrastructure as code (This example creates policies in a secrets manager.) resource "vault_policy" “payments_pipeline" { name = var.pipeline_name policy = <

“It works. I’ll just copy it.”

copied infrastructure as code (This is…. fi ne?) resource "vault_policy" “payments_pipeline" { name = var.pipeline_name policy = <

copied infrastructure as code (This is…. fi ne?) resource "vault_policy" “payments_pipeline" { name = var.pipeline_name policy = <

Rosemary Wang Developer Advocate at HashiCorp @joatmon08 joatmon08.github.io (Not my cat.)

Deliver infrastructure and secure it across many teams.

5 Things I Learned 1. Static analysis 2. Dynamic analysis 3. Modularize 4. Pipelines as code 5. Enforcement levels

1. Static analysis

Does the change adhere to our policy and security 
 standards? Release it to infrastructure. Yes No Update infrastructure as code.

Lots of terms • Shift-left security testing • Fitness functions (evolutionary architecture) • Testing infrastructure as code

Security Testing Tool Parse for fi elds JSON or metadata format Con fi guration or planned state Check fi eld values Assert pass or fail

Use Cases •Network policy •Infrastructure con fi guration •Access control & logging

resource "vault_policy" “payments_pipeline" { name = var.pipeline_name policy = <

2. Dynamic analysis

Lots of terms • Vulnerability management • Security scanning • Remediation

Security Testing Tool Parse for fi elds JSON or metadata format Active state or infrastructure API Check fi eld values Assert pass or fail Run on a regular schedule.

resource "vault_policy" “payments_pipeline" { name = var.pipeline_name policy = <

import "sockaddr" import "strings" # Check for create, update, or delete actions to database secrets precond = rule { request.operation in ["create", "update", "delete"] and strings.has_prefix(request.path, “database/") } # Requests to come only from self-hosted pipeline runner in a private network cidrcheck = rule { sockaddr.is_contained(request.connection.remote_addr, "172.16.0.9/32") } # Check the precondition before execute the cidrcheck main = rule when precond { cidrcheck }

Other Tools •Vulnerability Scanning (Snyk, Tenable) •Cloud Infrastructure Scanning (Forseti, Cloudcheckr) •Authorization (Sentinel, OPA)

3. Modularize

Repositories to share… •Organizational policies •Organizational benchmarks •Industry benchmarks

Dividing Modules • Function • Infrastructure provider • Business domain

Repository: shared-org-policies naming tagging aws azure gcp billing secrets access-management vulnerability-management runtime-security Repository: infrastructure-policies aws (reference) shared-org-policies/tagging/aws azure gcp datadog Repository: payments-infrastructure-policies pci (reference) infrastructure-policies/aws (reference) shared-org-policies/vulnerability-management Build Test Deploy Security Test Release

4. Pipelines as code

Repository: shared-org-policies naming tagging aws azure gcp billing secrets access-management vulnerability-management runtime-security Repository: infrastructure-policies aws (reference) shared-org-policies/tagging/aws azure gcp datadog Repository: payments-infrastructure-policies pci (reference) infrastructure-policies/aws (reference) shared-org-policies/vulnerability-management Build Test Deploy Security Test Release

De fi ne Pipelines “as Code” •Use templates •Require “security testing” stages •Run asynchronously

Build Test Deploy Security Test Release Test

5. Enforcement levels

Choose one: •Hard mandatory •Soft mandatory •Advisory

5 Things I Learned 1. Static analysis 2. Dynamic analysis 3. Modularize 4. Pipelines as code 5. Enforcement levels

Demos & Tools • Pytest + Terraform • Inspec + Docker • Open Policy Agent + JSON API Response

References • ncp.nist.gov// • github.com/joatmon08/policy-as-code • github.com/tracypholmes/policy-as-code-workshop • github.com/joatmon08/tdd-infrastructure#policy-as-code- with-security-scanning Find these slides at joatmon08.github.io