Simplify the provisioning of compliant accounts using landing zones and ensure ongoing compliance:
VMware Aria Guardrails continues its mission to make end-to-end governance simpler and more scalable for cloud operations teams by introducing the ability to create landing zones for AWS and Azure accounts. Landing zones enable cloud operations teams to provision cloud accounts with built-in guardrails that implement governance standards across categories such as cost, security, and operations. It is a preventative governance technique that ensures policies are applied consistently to every account provisioned for App teams.
Cloud Operations teams create accounts in a hierarchy that reflects the scope of use defined for those accounts. Accounts are often scoped by the App team requesting them, by project requirements, or by the need for resource or security isolation. With landing zones, a desired state can be defined for each account added to the hierarchy, according to the governance requirements for that part of the hierarchy. In the case of AWS, this could include mandatory Service Control Policies (SCPs), operational policies, or security policies.
VMware Aria Guardrails combines three steps into a simple workflow:
- Define the desired state in IaC templates, create cloud accounts in a landing zone, assign them to specific projects per specific app teams, and auto-apply the desired state for all accounts.
- Get accounts on-boarded to Aria Hub, which automatically discovers your cloud inventory and maps the relationships between cloud objects to model your multi-cloud environment in one place.
- Automatically activate over 1200 security rules that continuously monitor cloud resource configurations and report misconfigurations in your accounts to a single dashboard for tracking compliance. Each detected violation is reported as a finding, which can be a misconfiguration, a threat, or a vulnerability.
Using policy templates ensures that policies are applied consistently across all accounts. These templates can also be repeatedly reused to provision accounts with the same policy configuration, eliminating manual steps.
Close the governance loop with drift detection and remediation:
During account provisioning, the service offers two modes: monitor drift by tracking changes against the described desired state for the account, or enforce compliance by correcting drift as soon as it is detected through an event-driven mechanism. One-click remediation of drift, for continuous enforcement of policies, is now available for AWS and Azure accounts.
Manage policies in templates and scale governance standards described in the desired state for multiple accounts with ease:
I. Different ways to apply policy templates to your accounts:
Leverage a library of policy templates across categories such as config, security, and cost to deliver compliant accounts to App teams. VMware Aria Guardrails now enables efficient policy configuration by applying policy templates to either all on-boarded accounts or a selected collection of accounts in a single workflow. In this workflow, you can choose one or multiple templates, grouped to define the desired compliance state for the selected accounts. This is useful for applying baseline policies; for instance, while provisioning new AWS member accounts you can, in a single desired state, create essential roles, apply a member-account password policy, create an AWS CloudTrail trail for risk auditing, governance, and compliance, and enable Amazon GuardDuty for threat detection.
A note on VMware Aria Guardrails policy templates and desired states:
Policy templates are blueprints of the desired configuration state of cloud policies, expressed using IaC techniques. Aria Guardrails makes it easy to read and understand the objects configured in a template (Figure 2). Templates are easy to manage and edit according to the governance objects that the service needs to create and manage. They can be reused to create any number of compliant accounts, so you can break free from error-prone manual policy configuration. Your selected policy template + input parameters = desired state for an account.
Drift occurs when the policy configuration and parameters originally set for an account no longer match the current state of the account. Drift can occur when governance objects are changed as a result of the deployment activities of App teams.
II. Managing templates and desired states for multiple accounts:
Cloud Operations teams can now define a single desired state and use it to apply a policy consistently across multiple accounts. Whenever there is a need to make changes to the desired state, it can be done at a single place and applied across the selected group of accounts (Figure 1). This functionality reduces the repetitive manual effort to apply the same policies to each account.
a) Manage desired state for multiple accounts: You can search for a template, find the desired state created from it, and list the accounts to which that desired state is applied. Cloud operations teams can take immediate action, including monitoring and remediating drift detected when the current compliance state does not match a defined desired state for an account. By deleting a desired state from the list (Figure 3), you remove the applied template from those accounts, and Aria Guardrails no longer enforces the policies described in that template. Cloud operations teams can track the policies applied across accounts, and newly on-boarded accounts can be added to the group; the same policies are then configured for the new accounts as well. All accounts to which a desired state is applied are available in a single view, making it easy to track applied policies and compliance by comparing the current state to the defined desired state.
b) Manage desired states for a single account: It is easy to take action for an account, whether you need to apply another policy template, monitor drift, enforce a desired state from the list of described policy configurations, or create a template from all policies applied to the account of interest. By creating a template that captures all policies configured in an account of your choice, you can use it as a reference and benchmark compliance for other accounts in your environment. An example is verifying whether AWS Config rules are applied consistently across regions and accounts. Creating a template from the current policy configuration of one account, and then monitoring and enforcing it across many accounts, is a more efficient way to scale best practices in large environments.
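The mechanics that sections I and II describe (template + input parameters = desired state; drift as the difference between that desired state and an account's current configuration; monitor versus enforce mode across many accounts; and capturing one account's current policies as a golden template to benchmark others) can be shown in a small model. The following is an added example, not Aria Guardrails code or its template format: the template structure, the `aws.*` setting keys, the account IDs, and the account snapshots are all hypothetical and constructed for illustration. It generalizes the page's baseline example to a category-aware drift report over a fleet of accounts.

```python
"""Added example (not Aria Guardrails code): desired state = template + parameters,
drift detection across accounts in monitor and enforce modes, and capturing one
account's policies as a golden template. Template format, setting keys, account
IDs and snapshots are hypothetical and constructed for illustration."""
from collections import Counter
from dataclasses import dataclass

# Hypothetical policy template: (category, setting key, value). A value of the
# form "{name}" is filled from the input parameters when the state is rendered.
BASELINE_TEMPLATE = {
    "name": "aws-member-baseline",
    "policies": [
        ("security", "aws.iam.password_policy.minimum_length", "{min_pw_len}"),
        ("security", "aws.iam.password_policy.require_symbols", True),
        ("security", "aws.iam.role.SecurityAudit", "present"),
        ("config", "aws.cloudtrail.trail.org-trail.multi_region", True),
        ("security", "aws.guardduty.detector.enabled", True),
        ("cost", "aws.budgets.monthly_limit_usd", "{budget_usd}"),
    ],
}
PARAMS = {"min_pw_len": 14, "budget_usd": 5000}

# Category is derived from the key prefix when a template is captured from an account.
CATEGORY_BY_PREFIX = {"aws.iam": "security", "aws.guardduty": "security",
                      "aws.cloudtrail": "config", "aws.config": "config",
                      "aws.budgets": "cost"}

# Constructed snapshots of two member accounts' current configuration. Region
# coverage of an AWS Config rule is recorded as a sorted tuple of regions.
ACCOUNTS = {
    "111111111111": {
        "aws.iam.password_policy.minimum_length": 14,
        "aws.iam.password_policy.require_symbols": True,
        "aws.iam.role.SecurityAudit": "present",
        "aws.cloudtrail.trail.org-trail.multi_region": True,
        "aws.guardduty.detector.enabled": True,
        "aws.budgets.monthly_limit_usd": 5000,
        "aws.config.rule.s3-bucket-public-read-prohibited": ("eu-west-1", "us-east-1"),
    },
    "222222222222": {
        "aws.iam.password_policy.minimum_length": 8,  # weakened by an app team
        "aws.iam.password_policy.require_symbols": True,
        "aws.iam.role.SecurityAudit": "present",
        "aws.cloudtrail.trail.org-trail.multi_region": True,
        # "aws.guardduty.detector.enabled" is absent: the governance object was deleted
        "aws.budgets.monthly_limit_usd": 5000,
        "aws.config.rule.s3-bucket-public-read-prohibited": ("us-east-1",),
        "aws.s3.account_public_access_block": True,  # not in the template; must survive enforcement
    },
}


@dataclass(frozen=True)
class Finding:
    account: str
    category: str
    key: str
    expected: object
    actual: object  # None when the governance object is missing entirely


def category_for(key):
    for prefix, category in CATEGORY_BY_PREFIX.items():
        if key.startswith(prefix):
            return category
    return "custom"


def render_desired_state(template, params):
    """policy template + input parameters -> desired state {key: (category, value)}."""
    desired = {}
    for category, key, value in template["policies"]:
        if isinstance(value, str) and value[:1] == "{" and value[-1:] == "}":
            name = value[1:-1]
            if name not in params:
                raise KeyError(f"template {template['name']!r} requires parameter {name!r}")
            value = params[name]
        desired[key] = (category, value)
    return desired


def detect_drift(account_id, desired, current):
    """Drift = any desired setting whose current value differs or is missing."""
    return [Finding(account_id, category, key, expected, current.get(key))
            for key, (category, expected) in desired.items()
            if current.get(key) != expected]


def enforce(desired, current):
    """Enforce mode: return the corrected configuration without touching
    settings the desired state does not describe."""
    corrected = dict(current)
    corrected.update({key: expected for key, (_, expected) in desired.items()})
    return corrected


def evaluate_fleet(template, params, accounts, mode="monitor"):
    """Apply one desired state to many accounts: findings per account, plus the
    resulting configuration per account (corrected only in enforce mode)."""
    desired = render_desired_state(template, params)
    report, end_state = {}, {}
    for account_id, current in accounts.items():
        findings = detect_drift(account_id, desired, current)
        report[account_id] = findings
        fix = mode == "enforce" and findings
        end_state[account_id] = enforce(desired, current) if fix else dict(current)
    return report, end_state


def template_from_account(name, current):
    """Capture an account's current policies as a reusable golden template."""
    return {"name": name,
            "policies": [(category_for(k), k, v) for k, v in sorted(current.items())]}


def drift_by_category(findings):
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    report, _ = evaluate_fleet(BASELINE_TEMPLATE, PARAMS, ACCOUNTS)
    for account_id, findings in report.items():
        print(account_id, dict(drift_by_category(findings)))
        for f in findings:
            print(f"  [{f.category}] {f.key}: expected {f.expected!r}, found {f.actual!r}")
    golden = template_from_account("golden-from-111111111111", ACCOUNTS["111111111111"])
    for f in detect_drift("222222222222", render_desired_state(golden, {}), ACCOUNTS["222222222222"]):
        print(f"  benchmark [{f.category}] {f.key}: expected {f.expected!r}, found {f.actual!r}")
```

Two design points worth noting: a missing governance object (the deleted GuardDuty detector) is reported as drift with `actual=None` rather than silently skipped, and enforcement only rewrites keys the desired state describes, so settings an account carries beyond the template (the S3 public-access block here) are preserved. The golden template captured from the compliant account also surfaces the inconsistent AWS Config rule region coverage that the baseline template did not describe.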
Unified governance visibility
Implementing the controls that the FinOps, architecture, and security teams define for your cloud environments cannot be achieved simply by configuring desired states for your accounts. Continuous compliance also requires visibility into drift and configuration changes that fall short of the governance requirements and elevate risk. With cloud services spread across regions and providers, data silos make it difficult to track policy violations and drift. Configuration errors and drift detected by Aria Guardrails, together with findings from cloud-native services (Amazon GuardDuty, Amazon Inspector, Microsoft Defender for Cloud, and Google Cloud Security Command Center), are centralized and reported as findings in a single dashboard.
- Quickly browse the drift and policy violations detected across cloud providers, regions, services, and resources. If you are using native services to detect violations, you can easily track threats and vulnerabilities along with misconfigurations.
- Scope the dashboard view by filtering findings detected within a cloud account, organized by organizational unit (OU).
- With a dedicated dashboard for each desired state, you can also track the detected and enforced drift. When a drift is detected, it is easy to track the original or source configuration defined during the provisioning of an account.
- Track violations for each account with a dedicated dashboard. It is easy to take various actions for this account, whether you need to apply a new policy template or create a template based on the desired state for the account. (Figure 5)
- Prioritize violations for investigation or remediation using attention scores that weigh the severity of the risk and the blast radius implied by connected cloud objects.
- Categorize drift as per policy types such as security, config, cost, custom, and more to track compliance for teams such as FinOps, Security, Architecture.
- Suppress findings with an approved workflow to reduce noise and focus on the most critical violations. You can suppress an individual finding alert or create a suppression policy based on pre-defined criteria to avoid false positives proactively.
Support for new services Amazon DocumentDB and FSx
VMware Aria Guardrails now supports two additional Amazon services, DocumentDB and FSx. You can now view DocumentDB and FSx resources in your inventory and manage potential risks and misconfigurations for these resources using the newly published ruleset.
Learn more about VMware Aria Guardrails:
Webinar – How to Simplify Public Cloud Governance: Automation for Policy Enforcement
Webinar – Break Free from DIY: Govern Public Clouds with Automated Guardrails
IDC White Paper: Secure Your Entitlements and Avoid an Identity Crisis
Product Documentation: Library of policy templates