Governance and security with infrastructure as code (DOP203)

Leveraging Infrastructure as Code for Governance and Security

Introduction

  • Speakers: Eric Beard, Mac Merritt, and Ishu Gupta
  • Objective: Discuss how infrastructure as code can be a vital component of a strategy for governance and security in the cloud

Challenges Faced by Different Stakeholders

  • The business is always looking for ways to lower costs
  • Security teams are obsessed with reducing risk and making things safer
  • Developers are under constant pressure to get more features out to market

The Solution: Automation

  • Automating the delivery of software to the cloud is a central part of compliance and security: a pipeline applies the same checks to every change, where a manual process applies them inconsistently
  • Apply the same techniques to delivering changes to infrastructure that we already apply to the rest of the application (version control, review, automated testing, staged rollout)

Infrastructure as Code (IaC)

  • Moving from "ClickOps" to infrastructure as code
  • Benefits of IaC:
    • Take advantage of developer tooling (code reviews, static scanners, version control, IDE plugins)
    • Consistent deployments across environments
  • AWS CloudFormation as a foundational service for IaC

IaC Generator and AWS Cloud Development Kit (CDK)

  • IaC Generator: Scans the resources that already exist in an account and generates a CloudFormation template for them, so resources created by hand can be brought under IaC management
  • CDK: Write infrastructure in a general-purpose programming language (TypeScript, Python, Java, and others); the CDK synthesizes CloudFormation templates from that code, so every CloudFormation-level control still applies at deployment time

Tools for IaC Governance and Security

  1. cfn-lint: A linter for CloudFormation templates that validates them against the CloudFormation resource specification (unknown properties, wrong types, invalid values) and flags best-practice violations, before anything is deployed. It runs on the command line, in CI, and through IDE plugins.
  2. cloudformation-guard: A policy-as-code tool with its own rule language; rules are evaluated against templates (or any JSON/YAML) and the check fails when a resource violates them.
  3. cdk-nag: Policy enforcement for CDK applications; rule packs run against the synthesized app and report or fail on violations (for example, an S3 bucket without encryption), so findings surface before a template is ever generated.
  4. Amazon Q Developer: A generative AI coding assistant that can flag security issues in code and suggest fixes.
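The policy-as-code idea behind cloudformation-guard and cdk-nag, as an added example (not code from the talk, from AWS, or from either tool): a small rule engine in Python that evaluates a constructed CloudFormation template and fails the build when an S3 bucket lacks default encryption or a full public access block, or when a security group opens an administrative port to the world. The template, the resource names (LogsBucket, ScratchBucket, AdminSG) and the rules are all constructed for illustration; LogsBucket shows the compliant form of the bucket beside the non-compliant ScratchBucket.

```python
"""Policy-as-code check over a CloudFormation template (added example).

Rules are plain functions that yield (logical_id, message) for each violation,
the same shape of result cloudformation-guard or cdk-nag would report.
"""
import json
import sys

# Constructed sample template, in the JSON form CloudFormation accepts.
TEMPLATE = {
    "Resources": {
        "LogsBucket": {                     # compliant bucket
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
                    ]
                },
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                },
            },
        },
        "ScratchBucket": {                  # no encryption, no public access block
            "Type": "AWS::S3::Bucket",
            "Properties": {},
        },
        "AdminSG": {                        # SSH open to the internet
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
    }
}


def resources_of_type(template, rtype):
    """Yield (logical_id, properties) for every resource of the given type."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == rtype:
            yield logical_id, res.get("Properties", {})


def s3_bucket_encrypted(template):
    """Every bucket must declare a default server-side encryption configuration."""
    for lid, props in resources_of_type(template, "AWS::S3::Bucket"):
        cfg = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
        if not cfg:
            yield lid, "BucketEncryption missing"


def s3_public_access_blocked(template):
    """All four public-access-block flags must be set to true."""
    flags = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    for lid, props in resources_of_type(template, "AWS::S3::Bucket"):
        pab = props.get("PublicAccessBlockConfiguration", {})
        missing = [f for f in flags if pab.get(f) is not True]
        if missing:
            yield lid, f"PublicAccessBlockConfiguration not fully enabled: {missing}"


def sg_no_world_open_admin_ports(template, admin_ports=(22, 3389)):
    """No ingress rule from 0.0.0.0/0 or ::/0 may reach SSH/RDP (or all protocols)."""
    for lid, props in resources_of_type(template, "AWS::EC2::SecurityGroup"):
        for rule in props.get("SecurityGroupIngress", []):
            if rule.get("CidrIp") != "0.0.0.0/0" and rule.get("CidrIpv6") != "::/0":
                continue
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            if rule.get("IpProtocol") == "-1" or any(lo <= p <= hi for p in admin_ports):
                yield lid, f"ingress from anywhere to ports {lo}-{hi}"


RULES = [s3_bucket_encrypted, s3_public_access_blocked, sg_no_world_open_admin_ports]


def evaluate(template):
    """Run every rule; return a list of (rule_name, logical_id, message) findings."""
    return [(rule.__name__, lid, msg) for rule in RULES for lid, msg in rule(template)]


if __name__ == "__main__":
    # Usage: python check.py [template.json]; exits non-zero on any finding,
    # which is what a CI stage needs to block the deployment.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else TEMPLATE
    findings = evaluate(template)
    for rule_name, lid, msg in findings:
        print(f"FAIL {rule_name}: {lid}: {msg}")
    sys.exit(1 if findings else 0)
```

On the constructed template the run reports three findings (ScratchBucket twice, AdminSG once) and none for LogsBucket. Real templates carry intrinsic functions (Ref, Fn::If, Fn::Sub) in property values; cloudformation-guard and cfn-lint understand those, this illustration does not, so a property whose value is an intrinsic would need to be resolved or treated as a finding before the check is trusted.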

Continuous Integration and Continuous Deployment (CI/CD)

  • Infrastructure as code can be used to configure and define a CI/CD pipeline
  • CI/CD can then be used to deploy the infrastructure itself using infrastructure as code

CloudFormation Features for Governance and Security

  1. CloudFormation Hooks: A policy enforcement mechanism inside CloudFormation itself. A hook runs before resources are created, updated, or deleted on every deployment in the account, regardless of which tool produced the template, and can fail the operation or only warn.
  2. CloudFormation Change Sets: A preview of exactly what a deployment would do (which resources are added, modified, replaced, or removed) before it is executed, so policy checks and human review can be applied to the planned change rather than to the outcome.
  3. CloudFormation Drift Detection: Reads the live configuration of a stack's resources and compares it with the state declared in the template, reporting each resource as in sync, modified, or deleted. This is how out-of-band ("ClickOps") changes, such as a security group rule added in the console, are surfaced.
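The comparison drift detection performs, as an added example (not the talk's or AWS's code): a template's desired properties are diffed against a constructed snapshot of live resource state, of the kind a describe call would return, and each resource is reported as IN_SYNC, MODIFIED, or DELETED. The resource names (WebSG, DataBucket, AuditTrail), the snapshot, and the list of security-relevant resource types are all constructed for illustration; in the snapshot, someone has opened port 22 on WebSG from anywhere and deleted the CloudTrail trail outside of CloudFormation.

```python
"""Drift check: desired (template) state versus live state (added example)."""

# Constructed desired state: the Resources section of a template.
DESIRED = {
    "WebSG": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "web tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}
            ],
        },
    },
    "DataBucket": {
        "Type": "AWS::S3::Bucket",
        "Properties": {"VersioningConfiguration": {"Status": "Enabled"}},
    },
    "AuditTrail": {
        "Type": "AWS::CloudTrail::Trail",
        "Properties": {"IsLogging": True, "IsMultiRegionTrail": True},
    },
}

# Constructed live state, keyed by logical id: an extra ingress rule was added
# in the console, and the trail no longer exists.
LIVE = {
    "WebSG": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        ],
    },
    "DataBucket": {"VersioningConfiguration": {"Status": "Enabled"}},
}

# Resource types where any drift is a security event, not just a hygiene issue.
SECURITY_TYPES = {
    "AWS::EC2::SecurityGroup",
    "AWS::IAM::Role",
    "AWS::IAM::Policy",
    "AWS::S3::BucketPolicy",
    "AWS::CloudTrail::Trail",
}


def diff_props(expected, actual, path=""):
    """Yield (path, expected, actual) for every leaf where the live value differs.

    Only keys the template sets are compared: a property the template leaves at
    its default is not drift, which matches how CloudFormation treats it.
    """
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key, value in expected.items():
            yield from diff_props(value, actual.get(key), f"{path}.{key}" if path else key)
    elif isinstance(expected, list) and isinstance(actual, list):
        if len(expected) != len(actual):
            yield path, expected, actual
        else:
            for i, (e, a) in enumerate(zip(expected, actual)):
                yield from diff_props(e, a, f"{path}[{i}]")
    elif expected != actual:
        yield path, expected, actual


def detect_drift(desired, live):
    """Return {logical_id: (status, diffs)} with status IN_SYNC, MODIFIED or DELETED."""
    report = {}
    for lid, res in desired.items():
        if lid not in live:
            report[lid] = ("DELETED", [])
            continue
        diffs = list(diff_props(res["Properties"], live[lid]))
        report[lid] = ("MODIFIED", diffs) if diffs else ("IN_SYNC", [])
    return report


def security_relevant(desired, report):
    """Logical ids whose drift touches a security-relevant resource type."""
    return sorted(
        lid for lid, (status, _) in report.items()
        if status != "IN_SYNC" and desired[lid]["Type"] in SECURITY_TYPES
    )


if __name__ == "__main__":
    result = detect_drift(DESIRED, LIVE)
    for lid, (status, diffs) in result.items():
        print(f"{lid}: {status}")
        for path, exp, act in diffs:
            print(f"  {path}: expected {exp!r}, live {act!r}")
    print("security-relevant drift:", security_relevant(DESIRED, result))
```

The comparison is order-sensitive on lists; the real service normalizes some list-valued properties, so a reordered but otherwise identical ingress list would not be flagged there. The useful operational pattern is the last function: drift on a security group, IAM resource, bucket policy, or trail should page someone, while drift on a tag can wait for the next deployment to correct it.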

Scaling IaC across an Organization

  • CloudFormation StackSets: Deploys one template as stacks across multiple accounts and Regions from a single operation; with AWS Organizations as the target, new accounts in an organizational unit receive the stacks automatically, which is how baseline security resources (logging, IAM roles, detective controls) are kept uniform.
  • AWS Control Tower: Sets up and governs a secure multi-account AWS environment, using StackSets under the hood to apply its controls to every enrolled account.

Capital One's Journey with IaC

  • Challenges faced with siloed teams and reinventing the wheel
  • Adopted a centralized CI/CD platform and IaC
  • Key pillars of their modernization strategy:
    1. Decoupled compliance logic from deployment logic
    2. Adopted stateful and composable IaC deployment
    3. Built a pattern catalog of reusable CDK constructs
  • Benefits realized:
    • Earlier compliance checks in the pipeline
    • Leveraging CloudFormation capabilities like StackSets and change sets
    • Faster feedback loops and reduced time to market
    • Improved usability and reliability
  • Importance of building a thriving community of practice around IaC
