CloudFormation-nag

  • NAVIST
  • Thursday, Sep 12, 2019

CI/CD Best-Practice for AWS Container Services

With CI/CD and Infrastructure as Code (IaC) now so popular in the world of Information Technology (IT), it is commonplace to deploy version-controlled infrastructure through custom-built pipelines.

This is especially true for tightly controlled environments. There are some best practices and basic hygiene that go with managing your cloud environments, and in this blog, we are going to cover how to put the practices in place yourself.

Rules and Roles

The first habit that you should instil in your team is to always use read-only roles in your environments (especially when it comes to AWS Console or Azure Portal).

Only when a change actually has to be applied should they assume a separate role with elevated privileges. This is already common practice for admin privileges in Azure.

In AWS you can either provide both roles (a read-only role for day-to-day work and an elevated role that is assumed only to make a change) or simply get your developers and sysadmins to follow the practice themselves. Either way, every role assumption is recorded in AWS CloudTrail as an AssumeRole event, so you have visibility over who is being the cowboy: a win both ways.

Build pipelines to deploy your infrastructure

Another good habit to get into is to build pipelines for deploying infrastructure as code.

This will help your organisation in many ways. You can have version-controlled code in your repository and apply guard rails to the code that is being deployed to your environment.

You can add more security to this setup by introducing different approval gates that will put the minds of even the toughest security consultants at ease.

There are a few products out there that can be used for guarding your infrastructure deployments into AWS.

For example, cfn-nag has a great name and does an excellent job of implementing this functionality. cfn-nag is developed in Ruby and makes it easy to add new rules to its large inventory of existing rules. It covers basic things like:
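The pipeline guard rail described above (version-controlled templates checked against rules before a deploy stage is allowed to run, with cfn-nag-style warning and failing findings) as an added example. This is not cfn-nag's code or its rule API, and it does not use cfn-guard: it is a self-contained Ruby script that parses a CloudFormation template, runs a small rule set and returns a pass/fail verdict a pipeline stage can act on. The rule ids X001 to X003, the three checks and the sample template are constructed for this post; the script also handles the case where CloudFormation accepts a single object in place of a list (for example one IAM Statement), which naive checks often miss.

```ruby
#!/usr/bin/env ruby
# Added example of a policy-as-code guard rail for a CloudFormation pipeline.
# This is NOT cfn-nag or cfn-guard code: the rule ids X001-X003, the checks and
# SAMPLE_TEMPLATE are all constructed for this illustration.
require 'json'

Rule      = Struct.new(:id, :severity, :message, :check)
Violation = Struct.new(:rule_id, :severity, :message, :resource_ids)

WORLD_CIDRS = %w[0.0.0.0/0 ::/0].freeze

# Resources of one CloudFormation type, as a Hash of logical id => definition.
def resources_by_type(template, type)
  (template['Resources'] || {}).select { |_id, res| res['Type'] == type }
end

# CloudFormation accepts a single object where a list is expected (e.g. one
# Statement); normalise so Array() never turns a Hash into key/value pairs.
def as_list(value)
  value.is_a?(Hash) ? [value] : Array(value)
end

# X001: security groups whose ingress admits the whole internet.
def world_open_security_groups(template)
  resources_by_type(template, 'AWS::EC2::SecurityGroup').map do |id, sg|
    ingress = as_list(sg.dig('Properties', 'SecurityGroupIngress'))
    exposed = ingress.any? do |r|
      WORLD_CIDRS.include?(r['CidrIp']) || WORLD_CIDRS.include?(r['CidrIpv6'])
    end
    id if exposed
  end.compact
end

# X002: IAM policies with an Allow statement granting Action "*" on Resource "*".
def wildcard_iam_policies(template)
  %w[AWS::IAM::Policy AWS::IAM::ManagedPolicy].flat_map do |type|
    resources_by_type(template, type).map do |id, pol|
      stmts = as_list(pol.dig('Properties', 'PolicyDocument', 'Statement'))
      star = stmts.any? do |s|
        s['Effect'] == 'Allow' &&
          as_list(s['Action']).include?('*') && as_list(s['Resource']).include?('*')
      end
      id if star
    end.compact
  end
end

# X003: S3 buckets with no default encryption configured.
def unencrypted_buckets(template)
  resources_by_type(template, 'AWS::S3::Bucket').map do |id, b|
    id unless b.dig('Properties', 'BucketEncryption')
  end.compact
end

RULES = [
  Rule.new('X001', :fail, 'security group ingress open to 0.0.0.0/0 or ::/0', method(:world_open_security_groups)),
  Rule.new('X002', :fail, 'IAM policy allows Action * on Resource *', method(:wildcard_iam_policies)),
  Rule.new('X003', :warn, 'S3 bucket has no BucketEncryption', method(:unencrypted_buckets))
].freeze

# Run every rule; rules that match nothing produce no violation.
def audit(template)
  RULES.map do |rule|
    ids = rule.check.call(template)
    Violation.new(rule.id, rule.severity, rule.message, ids) unless ids.empty?
  end.compact
end

# Pipeline gate: warnings are reported, failures block the deployment.
# Returns true when the template may proceed to the deploy stage.
def gate(template)
  violations = audit(template)
  violations.each do |v|
    puts "#{v.severity.to_s.upcase} #{v.rule_id}: #{v.message} [#{v.resource_ids.join(', ')}]"
  end
  violations.none? { |v| v.severity == :fail }
end

# Constructed sample: one offender per rule next to compliant resources.
SAMPLE_TEMPLATE = JSON.parse(<<~'JSON')
  {"Resources": {
    "SshFromAnywhere": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "bastion",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "OfficeOnly": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "office",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "203.0.113.0/24"}]}},
    "GodMode": {"Type": "AWS::IAM::Policy", "Properties": {
      "PolicyName": "god", "Roles": ["DeployRole"],
      "PolicyDocument": {"Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Data": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}}
  }}
JSON

puts(gate(SAMPLE_TEMPLATE) ? 'gate: PASS' : 'gate: FAIL - fix the failing findings before deploying')
```

In a pipeline this runs as its own stage before the deploy stage, with the build failing on a non-zero exit; the warning/failure split mirrors the distinction cfn-nag draws between warnings and failing violations, so teams can tighten a warning into a failure once the existing templates are clean. Note that this toy parser only understands JSON templates; YAML templates with short-form intrinsic functions (!Ref, !Sub) need a CloudFormation-aware loader such as the one cfn-nag ships with.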

AWS CloudFormation Guard

AWS recently (16th June 2020) announced AWS CloudFormation Guard (cfn-guard), an open-source command-line tool for validating CloudFormation templates against your company's policy guidelines before they are deployed.

Here’s what Amazon had to say about the product when it was introduced:

Cfn-guard provides compliance administrators with a simple, policy-as-code language to define rules that can check for both required and prohibited resource configurations. It enables developers to validate their CloudFormation templates against those rules.

The administrators can also leverage a second open-source CLI called cfn-guard-rulegen to extract rules from existing compliant CloudFormation templates. With cfn-guard-rulegen, administrators don't have to create rules from scratch, which speeds up the rules authoring process. The rules become a consistent record of compliant resource configurations that administrators can check into a source control such as GitHub to share across teams. 

https://github.com/aws-cloudformation/cloudformation-guard

Doing it the right way pays off

You might think that introducing more moving parts to your deployment might be counter-productive, but this isn’t always the case.

By using these best-practice methods, you minimise the risks of over-spending and of security and compliance failures.