Governance and security with infrastructure as code (DOP203)
Leveraging Infrastructure as Code for Governance and Security
Introduction
Speakers: Eric Beard, Mac Merritt, and Ishu Gupta
Objective: Discuss how infrastructure as code can be a vital component of a strategy for governance and security in the cloud
Challenges Faced by Different Stakeholders
The business is always looking for ways to lower costs
Security teams are obsessed with reducing risk and making things safer
Developers are under constant pressure to get more features out to market
The Solution: Automation
Automating the delivery of software to the cloud is a very important part of compliance and security
Applying the same techniques to delivering changes to infrastructure as we do for other parts of our applications
Infrastructure as Code (IaC)
Moving from "ClickOps" to infrastructure as code
Benefits of IaC:
Take advantage of developer tooling (code reviews, static scanners, version control, IDE plugins)
Consistent deployments across environments
AWS CloudFormation as a foundational service for IaC
IaC Generator and AWS Cloud Development Kit (CDK)
IaC Generator: Scan an existing account and generate CloudFormation templates
CDK: Write infrastructure as code in a higher-level programming language, which then generates CloudFormation templates
Tools for IaC Governance and Security
cfn-lint: A linter for CloudFormation templates that validates them against the CloudFormation resource specification, catching invalid property names and values and flagging best-practice violations before anything is deployed.
cloudformation-guard (cfn-guard): A policy-as-code tool; rules written in its domain-specific language are evaluated against templates (JSON or YAML), so a deployment that violates a rule can be blocked in CI.
cdk-nag: Policy enforcement for CDK applications; rule packs run as CDK Aspects over the construct tree at synth time and report non-compliant resources as errors or warnings before a template is ever deployed.
Amazon Q Developer: A generative AI tool that can help with coding assistance, including identifying security issues and suggesting fixes.
Continuous Integration and Continuous Deployment (CI/CD)
Infrastructure as code can be used to configure and define a CI/CD pipeline
CI/CD can then be used to deploy the infrastructure itself using infrastructure as code
CloudFormation Features for Governance and Security
CloudFormation Hooks: A proactive control inside CloudFormation itself; a Hook evaluates a resource's proposed configuration before it is created, updated, or deleted, and can fail the operation (or only warn) on every deployment, regardless of which pipeline or user submitted it.
CloudFormation Change Sets: A preview of the exact resource changes a template update would make, which can be reviewed and run through policy checks before the change set is executed.
CloudFormation Drift Detection: Reads the live configuration of a stack's resources and compares it with the expected configuration in the template, exposing out-of-band ("ClickOps") changes made outside IaC.
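The checks that cfn-lint, cfn-guard and cdk-nag run before deployment, and that a Hook runs against each resource at deployment time, are easier to reason about in concrete form. The block below is an added example written for this page; it is not code from the talk, from AWS, or from any of those tools. It is a plain Python policy check over a constructed CloudFormation template in JSON form, with the sample template, rule identifiers and function names all invented for illustration. check_resource evaluates one resource, the unit a Hook handler sees; check_template runs it over a whole template, the way a pipeline gate would.

```python
"""Illustrative policy-as-code checks for a CloudFormation template.

Added example: NOT cfn-guard, cfn-lint, cdk-nag or a real Hook handler.
It shows, in plain Python that runs offline, the kind of rule those tools
evaluate before a deployment. Template, rule ids and names are constructed.
"""
import json

# Constructed sample template in CloudFormation's JSON form.
TEMPLATE_JSON = r"""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-logs"}
    },
    "AdminSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "ssh from anywhere",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "GoodBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
          {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true,
          "IgnorePublicAcls": true, "RestrictPublicBuckets": true}
      }
    }
  }
}
"""

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")
ANY_CIDR = ("0.0.0.0/0", "::/0")


def rule_covers_port(rule, port):
    """True if an ingress rule's port range includes `port`.

    IpProtocol "-1" means all protocols and ports. Non-integer ports (for
    example a Ref to a Parameter) cannot be decided statically: no match.
    """
    if rule.get("IpProtocol") in ("-1", -1):
        return True
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if not isinstance(lo, int) or not isinstance(hi, int):
        return False
    return lo <= port <= hi


def check_resource(logical_id, resource):
    """Evaluate one resource, the granularity a pre-provision Hook sees.

    Returns a list of (logical_id, rule_id, message) findings.
    """
    findings = []
    rtype = resource.get("Type")
    props = resource.get("Properties", {})

    if rtype == "AWS::S3::Bucket":
        if "BucketEncryption" not in props:
            findings.append((logical_id, "S3_NO_ENCRYPTION",
                             "bucket does not declare BucketEncryption"))
        pab = props.get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(k) is True for k in PAB_KEYS):
            findings.append((logical_id, "S3_PUBLIC_ACCESS_NOT_BLOCKED",
                             "all four PublicAccessBlockConfiguration flags must be true"))

    elif rtype == "AWS::EC2::SecurityGroup":
        for rule in props.get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr in ANY_CIDR and rule_covers_port(rule, 22):
                findings.append((logical_id, "SG_SSH_OPEN_TO_WORLD",
                                 f"ingress from {cidr} reaches port 22"))
    return findings


def check_template(template_text):
    """Evaluate every resource in a template, as a CI pipeline gate would.

    Intrinsic functions (Ref, Fn::Sub, ...) are left unresolved, so a CidrIp
    that is not a literal never matches. A production gate should resolve
    parameters or fail closed on values it cannot evaluate.
    """
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        findings.extend(check_resource(logical_id, resource))
    return findings


if __name__ == "__main__":
    for lid, rule_id, msg in check_template(TEMPLATE_JSON):
        print(f"{lid}: [{rule_id}] {msg}")
```

Run against the constructed template, LogsBucket fails two rules and AdminSg one, while GoodBucket passes. The point the talk makes about decoupling compliance logic from deployment logic is visible here: the same check_resource function can gate a pipeline (over the whole template or a change set) and back a Hook (over the single resource CloudFormation is about to provision), so a team cannot bypass it by deploying from somewhere else.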
Scaling IaC across an Organization
CloudFormation StackSets: Deploy one template as stacks across multiple accounts and Regions, including every account in an AWS Organization or organizational unit, so baseline controls are applied uniformly.
AWS Control Tower: Helps set up and govern a secure multi-account AWS environment.
Capital One's Journey with IaC
Challenges faced with siloed teams and reinventing the wheel
Adopted a centralized CI/CD platform and IaC
Key pillars of their modernization strategy:
Decoupled compliance logic from deployment logic
Adopted stateful and composable IaC deployment
Built a pattern catalog of reusable CDK constructs
Benefits realized:
Earlier compliance checks in the pipeline
Leveraging CloudFormation capabilities like StackSets and change sets
Faster feedback loops and reduced time to market
Improved usability and reliability
Importance of building a thriving community of practice around IaC