Ensuring cloud security is a top priority for businesses that use cloud infrastructure. Open Policy Agent (OPA) is a tool that helps achieve this goal by enforcing policies throughout cloud environments. OPA is an open-source policy engine that uses a declarative language called Rego to ensure that cloud resources are configured securely.

Using OPA, organizations can define and enforce policies to govern various cloud resources, including virtual machines, storage buckets, and databases. OPA can help ensure compliance with regulatory requirements, industry standards, and best practices by enforcing policies that govern access control, configuration management, and security settings.

Furthermore, OPA’s dynamic and flexible management capabilities enable organizations to manage their cloud resources more efficiently and effectively. By leveraging OPA for CSPM, organizations can enhance their security posture and reduce the risk of data breaches and security incidents.

Here’s a concise graphical illustration showcasing OPA Policy-as-code(PaC) approach:

Outlined below are some ways in which OPA can assist with CSPM, utilizing AWS as the foundation.

OPA offers several ways to assist CSPM in relation to Amazon Web Services (AWS). For instance, it can perform automated checks to ensure that cloud resources and configurations meet security standards and compliance requirements. These checks can be defined in policies and are automatically executed using OPA to identify potential security risks and vulnerabilities.  

We will furnish you with concrete illustrations that will walk you through diverse scenarios highlighting the integration of OPA into CI/CD, utilizing policy-as-code for  secure cloud storage management, compliance management, access control management, security configuration management, and best practices validation.

Using OPA to automate checks:

• Integration with CI/CD:
  OPA can be integrated with Continuous Integration/Continuous Deployment (CI/CD) pipelines to automatically evaluate cloud resources against defined policies. Any violations detected can prompt alerts for remediation.

Here’s an example scenario for automated checks integrated within CI/CD:

We aim to establish a CI/CD pipeline in our AWS environment by utilizing AWS CodePipeline, AWS CodeCommit, and AWS CodeBuild. Once a new code commit is made to the CodeCommit repository, the pipeline will be triggered and Conftest will automatically verify the Kubernetes manifest files against a specific set of control policies encoded in OPA Rego. In the event of any policy violation, the validation process will terminate the pipeline. The pipeline will proceed to the deployment stage only when all the control policies are satisfied by the Kubernetes manifest files.

The solution architecture is depicted in the diagram below:

• Secure cloud storage management:
  OPA can be used to enforce policies that ensure secure cloud storage management. For example, OPA can check if EBS volumes are encrypted and utilize a customer-managed CMK with KMS encryption. Additionally, OPA can verify whether S3 buckets have public access blocked, and enforce encryption policies for data-at-rest and data-in-transit. By leveraging OPA’s policy-as-code approach, organizations can define and enforce policies that govern the secure management of their cloud storage resources. This helps in mitigating the risk of data breaches and ensures the confidentiality, integrity, and availability of their data. OPA empowers organizations with a secure and compliant cloud storage environment, thanks to its unparalleled policy-as-code capabilities.

Here is a sample Rego script to ensure the encryption of EBS volumes with customer-managed CMK.

The above policy checks if a violation will be reported when a volume is not encrypted or doesn’t employ a customer-managed CMK with KMS. This policy guarantees that robust encryption mechanisms are utilized to safeguard the data stored in EBS volumes.

• Compliance management:
  Compliance management is critical for cloud security posture management, and organizations must ensure that their cloud environment meets all relevant compliance standards. OPA can define policies that ensure cloud resources comply with regulatory requirements.  

The Rego below ensures that all Amazon RDS instances comply with the Payment Card Industry Data Security Standard (PCI DSS).

This Rego policy establishes a security control to validate whether RDS instances comply with PCI-DSS standards. The policy defines a “deny” rule that inspects incoming RDS instances to verify if they are publicly accessible, encrypted, and configured to use a database parameter group named “pci-dss.” If any of these conditions are not met, the rule generates a “deny” decision accompanied by a message that the RDS instance does not comply with PCI-DSS standards, including the instance ID in the details.

This Rego policy can help reduce the risk of data breaches and uphold the security and confidentiality of an organization’s sensitive data stored in RDS instances.

• Identity and access management:
  Identity and Access Management is another crucial aspect of CSPM that OPA can assist with. OPA can enforce access control policies to ensure that cloud resources are accessed only by authorized users or processes. It can also help businesses identify potential security risks related to access control by enforcing policies that specify security requirements for cloud resources and configurations. OPA can identify misconfigured or non-compliant access control policies and take appropriate action to mitigate potential security risks.

The above policy aims to prevent the IAM PassRole permission from being granted to roles with a wildcard (*) in the role’s ARN. It defines a “deny” rule that checks incoming IAM API requests to see if they are attempting to grant the PassRole permission.

If the request is attempting to grant PassRole, the rule further checks if

The role’s ARN has a wildcard Permission has already been granted to the role The policy statement allows actions on all resourcesOnce all these conditions are met, the rule generates a “deny” decision, preventing the PassRole permission from being granted to roles with a wildcard in their ARN.

The policy also defines a “any_permission_granted_to” helper rule that checks if any permission has already been granted to the role in the IAM request’s policy document. This helper rule is called by the “deny” rule to check if permission has already been granted to the role.

Network security configuration management:OPA can also assist with security configuration management by enforcing policies that ensure that cloud resources are configured with appropriate security settings. This helps to reduce the risk of security threats by ensuring that security requirements for cloud resources and configurations are met. The code snippet provided represents a Rego policy defined in a package named “aws.ec2.security.” This policy aims to ensure that only approved Virtual Private Networks (VPNs) can access an instance in Amazon Elastic Compute Cloud (EC2).

The policy defines a set named “approved_vpns” that contains the identifiers of approved VPNs. The rule defines a “violation” rule that checks instances and their network interfaces against the list of approved VPNs. If an instance is not associated with an approved VPN, the rule generates a violation with a message that the instance’s VPC is not approved and includes the instance ID in the details of the violation.

OPA is an extremely reliable solution for Cloud Security Posture Management (CSPM), as it offers a variety of features that simplify the process of defining and enforcing policies for cloud resources. Writing policies in Rego is simple and easy to understand, making it easier for security teams to create and modify policies as needed. OPA also provides a testing framework that enables security teams to test rules using various test cases, without deploying the rules to the production environment. This helps ensure that the rules work as expected before they are deployed, reducing the risk of errors or unintended consequences. Additionally, OPA is fast and lightweight, which enables it to be integrated with different cloud services and tools. All of these features make OPA an excellent tool for organizations seeking to enhance their CSPM capabilities and protect their cloud resources.

References used in our Research

• https://www.openpolicyagent.org/docs/latest/policy-language/
• https://www.styra.com/blog/how-to-write-your-first-rules-in-rego-the-policy-language-for-opa/
• https://academy.styra.com/

Author:

Pruthvi T – Lead Security Researcher, Loginsoft