Organizations striving to ensure that cloud environments are compliant to enterprise standards need to automate public cloud governance and policy management. Using manual processes and multiple tools do not allow cloud operations teams to establish controls at a pace and with accuracy required to achieve outcomes such as reduced risks or avoiding overspending in large cloud environments.
VMware Aria Guardrails now offers continuous policy enforcement for Amazon Web Services in the public cloud governance toolkit. Cloud operations teams will not only be able to declare desired states using policy templates, but also enforce standards by automating remediation and enabling organizations to scale cloud governance best practices in growing cloud environments.
VMware Aria Guardrails is an end-to-end public cloud governance service that provides a mechanism to apply preventative guardrails in cloud accounts as well as enforce compliance to organization-level policies at scale. The service takes a policy-as-code approach to automate governance by enabling organizations to define a desired state using infrastructure as code (IaC) templates and enforce policies in cloud accounts as it detects any drift from desired state.
Define desired state in IaC template
The benefit of using IaC templates lies in the ability to standardize policy definition at an “account” level and to scale baseline policy application across cloud environments managed by different app teams. The service also enables policy enforcement in other tools through registration of other policy engines within Aria Guardrails.
One such example is creating a desired state to monitor IAM roles and policies such as defining and deploying a IAM password policy.
Here, Aria Guardrails enables users to configure password parameters which are then applied to cloud accounts.
Continuous drift detection and policy enforcement
Once the policies are deployed in selected accounts using templates, Aria Guardrails leverages an event-based detection mechanism to capture any changes that may have occurred to configured objects for several reasons such as application deployment or due to changes made by App teams leading to drift from desired state. While applying policies to accounts, Aria Guardrails provides the flexibility to monitor drift from desired state (Figure 2) or automatically enforce policies to maintain the desired state for the cloud accounts.
Some examples where the ability to automatically deploy preventative cloud guardrails for accounts and continuous enforcement of policies can help optimize cloud environments include:
- FinOps teams trying to control cloud costs can benefit from templates that help identify and delete unused Amazon Machine Images (AMI) which utilize storage.
- App teams can manage multi-account environments assigned to an organizational unit (OU) to ensure that Service Control Policies (SCP) are applied to all accounts and can be enforced using Aria Guardrails
- Tag policy configuration for accounts within an OU used by multiple App teams and continuous enforcement of such policies ensures that only resources which are tagged as per policy defined in the desired state are deployed.
By defining desired state and enforcing preventative guardrails, organizations can shift left governance controls for a cloud-smart approach to optimize cost and reduce cloud risk.
FedRamp compliance framework
VMware Aria Guardrails has added support for FedRamp compliance framework. Organizations that manage federal data can now benchmark compliance to this framework and ensure continuous compliance. FedRAMP leverages the National Institute of Standards and Technology’s (NIST) guidelines, specifically NIST’s Special Publication [SP] 800-53 – Security and Privacy Controls for Federal Information Systems and Organization series, baselines, and test cases.
The FedRAMP Draft Rev. 5. Baselines were released on December 20th, 2021, and align with NIST’s Rev. 5 update. FedRAMP controls and enhancements were selected from the 800-53 Revision 5 catalog and FedRAMP also added standards above the NIST guidelines for low, moderate, and high systems. Controls were selected to address the unique risks of cloud computing environments, including but not limited to, multi-tenancy, visibility, control/responsibility, shared resource pooling, and trust.
Supported control groups include:
- Access Control
- Audit and Accountability
- Assessment, Authorization, and Monitoring
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
Entitlement visibility for AWS:
Cloud Entitlements enable principals (users and services) to access and perform actions in the cloud environment. Often these entitlements are inadvertently or unknowingly configured to be too permissive. The flexibility offered by cloud providers in configuring roles and policies also makes it difficult to trace the paths that principals can take to access a resource or understand whether permissions granted to resources are excessive and unused. This makes it difficult to investigate security incidents and troubleshoot issues in multi-account environments. One example is understanding what resources a user can access on getting an alert about suspicious activity. Another scenario is auditing cloud entitlements before moving applications to another environment.
VMware Aria Guardrails provides a full-view of the principals – human or machine and links them to the resources that they have permissions to, enabling better understanding of whether those permissions are necessary or not. The service provides a graph view of relationships between identities, entitlements and cloud resources. It is easy to search for a principal and visualize entitlements to specific resources. On the other hand, for a selected resource, it is possible to visualize and categorize what human or machine identities are entitled to access the resource. Customers can not only categorize the permissions granted such as whether the permission is conditional or time-bound but can also gain additional insight on whether a risky condition could occur due to exposure of a resource, or due to ability to control credentials or due to an IAM misconfiguration that leads to a more privileged role.
Learn more about VMware Aria Guardrails:
Sign-up for a Free Tier account