Building Great Cloud Security Guardrails - DevOps.com



By: Rich Mogull on October 17, 2018 2 Comments

Security guardrails are an incredible way to keep our cloud deployments safer without slowing things down. Taking this structured approach will minimize friction while increasing protection.

When I first started working hands-on in cloud (AWS) around nine years ago, I quickly realized both the power and risks of just how darn fast and agile cloud could be. Being, on occasion, an optimist, I decided this capability was a significant upgrade to our security capabilities. Sure, I could accidentally spin up internet-exposed servers, but in exchange I gained levels of central control and visibility unheard of in traditional infrastructure.

One of the most powerful new capabilities is the ability to leverage cloud APIs and automation to build automated security guardrails without having to spend a gazillion dollars on a big box that actually delivers as promised but also adds tremendous friction and slows things down. Guardrails are automations that constantly watch your deployments, find deviations from desired baselines and can even automatically remediate issues. Yet even cloud-native guardrails can become problematic if they aren’t designed properly. Having built a fair few myself and worked with many organizations as they built out their cloud security programs, I’ve collected some of the lessons learned along the way, along with some code to show you how it works.

My first guardrails were a bit of a hodgepodge in terms of structure and capabilities. And practically speaking, there are a lot of ways to attack the problems. Even today I’ll take different approaches depending on the particular challenge in front of me, but most of my guardrails (including operational ones) tend to follow a consistent pattern:

One of my favorite guardrails to demonstrate is automatically reversing security group changes in AWS. Here’s how to set it up for yourself and run my demonstration code to see what it looks like:

This should now revert any new ingress rules added to a security group. If you play with the code you can also use this for egress rules. This is just demo code and there are edge cases it will miss.

The code also includes a number of filter options, including:

It takes the action automatically; if you want to manually review first, you would modify the code to send a notification instead. We have some alternative examples posted at https://github.com/disruptops/demos-tools. These include some samples that protect S3 and also show how to embed notifications in the Lambda itself for more flexibility.
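To make the pattern concrete, here is an added example of a revert-on-change guardrail written for this post; it is not the demo code from the post or anything from the disruptops repository. It assumes the Lambda is triggered by an EventBridge (CloudWatch Events) rule that forwards the CloudTrail record for the EC2 `AuthorizeSecurityGroupIngress` call, converts CloudTrail's `requestParameters` into the `IpPermissions` shape boto3's revoke call expects, and revokes exactly the rules that were just added. The filter settings `ALLOWED_PRINCIPALS` and `WATCHED_GROUPS`, the `notify_only` switch, the `RecordingEc2` stand-in and the sample event (with the 123456789012 example account id) are all my own assumptions and constructed data. It also goes slightly beyond the post by routing the egress variant (`AuthorizeSecurityGroupEgress`) through the same path.

```python
"""Guardrail Lambda: revert security-group rule additions reported by CloudTrail."""

# Hypothetical filter settings: rules added through these IAM roles are left alone
# (an approved pipeline, say); an empty WATCHED_GROUPS puts every group in scope.
ALLOWED_PRINCIPALS = {"arn:aws:iam::123456789012:role/approved-deploy-role"}
WATCHED_GROUPS = set()

# CloudTrail event name -> boto3 EC2 client method that undoes it.
REVOKE_FOR = {"AuthorizeSecurityGroupIngress": "revoke_security_group_ingress",
              "AuthorizeSecurityGroupEgress": "revoke_security_group_egress"}

def cloudtrail_to_boto_permissions(ip_permissions):
    """CloudTrail logs requestParameters in lowerCamelCase with lists wrapped as
    {"items": [...]}; boto3's revoke_* calls want UpperCamelCase IpPermissions.
    Only CIDR-based rules are converted; group-to-group rules are skipped."""
    result = []
    for perm in ip_permissions.get("items", []):
        entry = {"IpProtocol": perm["ipProtocol"]}
        for src, dst in (("fromPort", "FromPort"), ("toPort", "ToPort")):
            if src in perm:
                entry[dst] = perm[src]
        v4 = [{"CidrIp": r["cidrIp"]} for r in perm.get("ipRanges", {}).get("items", [])]
        v6 = [{"CidrIpv6": r["cidrIpv6"]} for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        if v4 or v6:
            result.append(entry)
    return result

def calling_principal(user_identity):
    """Role ARN from sessionIssuer for assumed roles, else the identity's own ARN."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn")

def lambda_handler(event, context=None, ec2=None, notify_only=False):
    """EventBridge -> Lambda entry point. `ec2` can be injected so the logic runs
    without AWS credentials; `notify_only` reports instead of reverting."""
    detail = event["detail"]
    name = detail.get("eventName")
    if name not in REVOKE_FOR:
        return {"action": "ignored", "reason": "not a rule addition"}
    if detail.get("errorCode"):  # CloudTrail records failed calls too
        return {"action": "ignored", "reason": "API call failed, nothing to revert"}
    params = detail["requestParameters"]
    group_id = params["groupId"]
    principal = calling_principal(detail.get("userIdentity", {}))
    if principal in ALLOWED_PRINCIPALS:
        return {"action": "ignored", "reason": "allowed principal"}
    if WATCHED_GROUPS and group_id not in WATCHED_GROUPS:
        return {"action": "ignored", "reason": "group not watched"}
    perms = cloudtrail_to_boto_permissions(params.get("ipPermissions", {}))
    if not perms:
        return {"action": "ignored", "reason": "no CIDR rules in request"}
    summary = {"groupId": group_id, "principal": principal, "permissions": perms}
    if notify_only:
        return dict(action="notify", **summary)
    if ec2 is None:
        import boto3  # only needed inside Lambda, so imported lazily
        ec2 = boto3.client("ec2", region_name=detail["awsRegion"])
    getattr(ec2, REVOKE_FOR[name])(GroupId=group_id, IpPermissions=perms)
    return dict(action="reverted", **summary)

class RecordingEc2:
    """Offline stand-in for boto3's EC2 client that records revoke calls."""
    def __init__(self):
        self.calls = []
    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("revoke_security_group_ingress", kwargs))
    def revoke_security_group_egress(self, **kwargs):
        self.calls.append(("revoke_security_group_egress", kwargs))

# Constructed sample record: a developer opens SSH to the whole internet.
SAMPLE_EVENT = {"detail": {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-1",
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/developer/alice",
        "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/developer"}},
    },
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {"items": [{
            "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
            "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            "ipv6Ranges": {"items": []},
        }]},
    },
}}

if __name__ == "__main__":
    fake = RecordingEc2()
    print(lambda_handler(SAMPLE_EVENT, ec2=fake))
    print(fake.calls)
```

Two design choices matter more than they look. Revoking only the permissions carried in the event, rather than resetting the whole group to a stored baseline, means the guardrail never touches rules it did not see being added. And checking `errorCode` first matters because CloudTrail logs denied and failed calls as well; a guardrail that reacts to those would issue revokes for rules that never existed.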

Hopefully this gives you some ideas to refine your own guardrails to dramatically improve security while still moving blazingly fast.


