Speaker: Anton Babenko @ AWS Community Day Hong Kong 2025
Summary by Amazon Nova
https://www.youtube.com/watch?v=l7YgSdK-ypw
Open Source Projects and Passion for Simplification
Developed https://www.terraform-best-practices.com/ to help people learn Terraform best practices.
Current Project: compliance.tf
Aimed at simplifying compliance implementation with Terraform.
Compliance is a cool area but currently difficult to implement with Terraform.
Created to help people avoid implementing common services and patterns.
Supports configuration of more than 50 AWS services.
Reflection on Work vs. Fun
Compared the exciting future-building mindset of past generations with the current focus on compliance frameworks and automation.
Acknowledged that compliance work can be perceived as boring compared to more hands-on, outdoor activities.
Emphasized the need for a clear separation between interesting and boring tasks.
Compliance is Not Magic
Compliance is often portrayed as essential, expensive, and magical by vendors and providers.
In reality, compliance is usually just another business requirement that companies need to satisfy.
Being compliant means taking security and client trust seriously.
Shared Responsibility Principle
AWS is responsible for security of the cloud: the underlying infrastructure (facilities, hardware, networking, and the internals of managed services).
Customers are responsible for security in the cloud: everything they deploy and configure on top of it, including data, IAM, network settings, encryption choices, and logging.
Compliance Frameworks
Many different frameworks exist, some aligning with ISO 27001.
Regions like Hong Kong and mainland China have specific restrictions and rules.
Most frameworks cover similar aspects like encryption, access controls, and logging mechanisms.
Implementing one framework often means you are more than 50% done with implementing any other framework.
Typical Compliance Process
Determining what compliance requirements you need to meet.
Using AWS services or third-party services to assess your current compliance posture.
Understanding the amount of work required, what has already been done, and what remains.
Tools and Services for Compliance
Control Tower: Essential for managing compliance across a multi-account landing zone (preventive and detective guardrails).
Organizations and Service Control Policies: Used to set permission boundaries for whole accounts and organizational units; an SCP restricts what principals in a member account can do even if their IAM policies allow it.
CloudFormation Guard: An open-source policy-as-code tool from AWS; besides CloudFormation templates it can evaluate Terraform plan output (terraform show -json).
CloudTrail and Config: CloudTrail records API calls; Config records resource configuration changes and evaluates them against rules.
AWS Audit Manager: A service that continuously collects evidence against a chosen framework and stores assessment reports in an S3 bucket (use KMS encryption for it).
Infrastructure as Code Tools
Currently, the main open-source tools for implementing the required controls in code are Checkov, Trivy and Terrascan.
Audience Interaction on Tool Usage
Most attendees use Checkov or Trivy.
Checkov is an open-source static code analysis tool for Infrastructure as Code (IaC) that scans for security misconfigurations and compliance issues before deployment.
Trivy is the most popular open-source security scanner, covering vulnerabilities, IaC misconfigurations, SBOM discovery, cloud scanning and Kubernetes security.
Surprisingly, Terrascan is rarely mentioned by users.
Terrascan is an open-source security scanner for Infrastructure as Code (IaC), backed by Tenable.
Remediation Steps
After running compliance tools, remediation steps are necessary to fix configuration files.
Understand failure messages, identify responsible modules or parameters, and fix them.
Alternatively, use the compliance-ready Terraform modules provided by compliance.tf.
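The remediation loop above (read the scanner's failure, find the module and parameter responsible, fix it) is what a scanner such as Checkov or cfn-guard does over Terraform plan JSON. The following is an added illustration, not code from the talk, from Checkov or from compliance.tf: a minimal checker that walks `terraform show -json tfplan` output, including nested modules, and reports S3 buckets that lack the controls most frameworks require, naming the module address and the resource or parameter to add. The plan document and bucket names are constructed for the example; it assumes bucket names are literal so that companion resources carry a known `bucket` value.

```python
"""Minimal compliance check over `terraform show -json tfplan` output (added example)."""
import json
import sys
from typing import Iterator

# Constructed sample plan, trimmed to the fields the checker reads. Assumption: bucket
# names are literal, so the companion resources carry a known `bucket` value; in a
# real plan a reference such as aws_s3_bucket.x.id is unknown until apply and shows up
# under `after_unknown`, which is why full scanners correlate via the resource graph.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_s3_bucket.audit", "type": "aws_s3_bucket",
             "values": {"bucket": "acme-audit-logs"}},
            {"address": "aws_s3_bucket_server_side_encryption_configuration.audit",
             "type": "aws_s3_bucket_server_side_encryption_configuration",
             "values": {"bucket": "acme-audit-logs", "rule": [
                 {"apply_server_side_encryption_by_default": [
                     {"sse_algorithm": "aws:kms", "kms_master_key_id": "alias/audit"}]}]}},
            {"address": "aws_s3_bucket_logging.audit", "type": "aws_s3_bucket_logging",
             "values": {"bucket": "acme-audit-logs",
                        "target_bucket": "acme-access-logs", "target_prefix": "audit/"}},
            {"address": "aws_s3_bucket_public_access_block.audit",
             "type": "aws_s3_bucket_public_access_block",
             "values": {"bucket": "acme-audit-logs", "block_public_acls": True,
                        "block_public_policy": True, "ignore_public_acls": True,
                        "restrict_public_buckets": True}},
        ],
        "child_modules": [{
            "address": "module.data_lake",
            "resources": [
                {"address": "module.data_lake.aws_s3_bucket.raw", "type": "aws_s3_bucket",
                 "values": {"bucket": "acme-raw-data"}},
                {"address": "module.data_lake.aws_s3_bucket_public_access_block.raw",
                 "type": "aws_s3_bucket_public_access_block",
                 "values": {"bucket": "acme-raw-data", "block_public_acls": True,
                            "block_public_policy": False, "ignore_public_acls": True,
                            "restrict_public_buckets": True}},
            ],
        }],
    }},
})

PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource, recursing into nested modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_s3_buckets(plan_json: str) -> list[str]:
    """Return one finding per missing control, formatted '<bucket address>: <fix>'."""
    root = json.loads(plan_json)["planned_values"]["root_module"]
    # Index every resource type by the bucket it attaches to.
    by_type: dict[str, dict[str, dict]] = {}
    for res in iter_resources(root):
        by_type.setdefault(res["type"], {})[res["values"].get("bucket")] = res

    findings: list[str] = []
    for bucket in by_type.get("aws_s3_bucket", {}).values():
        name, addr = bucket["values"].get("bucket"), bucket["address"]
        # Encryption at rest must be declared explicitly; scanners flag reliance on the
        # account default, and most frameworks want a customer-managed KMS key.
        if name not in by_type.get("aws_s3_bucket_server_side_encryption_configuration", {}):
            findings.append(f"{addr}: add aws_s3_bucket_server_side_encryption_configuration for '{name}'")
        # Access logging is the 'logging' control nearly every framework asks for.
        logging = by_type.get("aws_s3_bucket_logging", {}).get(name)
        if logging is None or not logging["values"].get("target_bucket"):
            findings.append(f"{addr}: add aws_s3_bucket_logging with target_bucket for '{name}'")
        # All four public-access-block flags must be true, not merely the block present.
        pab = by_type.get("aws_s3_bucket_public_access_block", {}).get(name)
        if pab is None:
            findings.append(f"{addr}: add aws_s3_bucket_public_access_block for '{name}'")
        else:
            for flag in PAB_FLAGS:
                if pab["values"].get(flag) is not True:
                    findings.append(f"{addr}: set {flag} = true in {pab['address']}")
    return findings


if __name__ == "__main__":
    # CI usage: terraform plan -out tfplan && terraform show -json tfplan > plan.json
    #           python check_s3.py plan.json   (non-zero exit blocks the merge)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = check_s3_buckets(source)
    print("\n".join(problems) or "no S3 findings")
    sys.exit(1 if problems else 0)
```

Each finding names the bucket's full module address and the exact resource or flag to add, which is the information you need when a scanner only tells you a check ID failed inside a module you did not write. The check is deliberately stricter than the account default (S3 now encrypts new objects with SSE-S3 by default), because frameworks and scanners look for an explicit, preferably KMS-backed, configuration.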
DevSecOps Pipeline
The pipeline involves running compliance checks on development machines or in CI/CD pipelines.
Fix the non-compliant configuration in code, push the change, and confirm the fix on the deployed cloud resources.
Use tools like Checkov, Prowler, and Steampipe for comprehensive compliance checks.
Recommended Tools
Checkov: Good for most situations, useful as a first check.
Prowler: Open-source tool that checks the real resources in your environment for misconfigurations.
Steampipe: Allows querying cloud APIs using SQL, with predefined and custom queries.
Drift Prevention
Emphasized the importance of preventing drift by restricting console access to AWS environments.
Drift and ClickOps
ClickOps means managing cloud resources by hand using a user interface, like the AWS Console.
People often want direct access to AWS accounts, leading to ClickOps and resulting drift.
Services like Config Rules can be used for continuous verifications and remediations, though remediations can be tricky to implement.
Auto Remediation
Auto remediation can be achieved by connecting CloudTrail, EventBridge, and AWS Systems Manager (SSM) Automation Documents.
For Terraform modules and remediations, refer to docs.compliance.tf; its documentation is generated automatically.
Terraform AWS Modules and Compliance Requirements
Demonstrated how to call Terraform AWS modules from the Terraform Registry.
Showed how to create an S3 bucket and enable logging on it as per compliance requirements.
Explained the process of transforming compliance information into Terraform code, which can be complex because the settings are spread across module inputs.
Documentation and Terraform Snippets
Directed to docs.compliance.tf for specific checks and valid Terraform snippets.
Example given of satisfying different frameworks such as SOC 2 or PCI DSS by configuring the logging section of the module accordingly.
Extra Info: Checkov, Prowler, Steampipe
Checkov is a static analysis tool for Infrastructure as Code (IaC). It scans configuration files (like Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles) during the development lifecycle (shifting left) to find misconfigurations and compliance violations before deployment.
Prowler is a command-line tool that performs security, compliance, and best practices checks against live cloud environments (AWS, Azure, Google Cloud, and Kubernetes). It is primarily a Cloud Security Posture Management (CSPM) tool that generates detailed reports mapped to industry standards like CIS Benchmarks, PCI-DSS, and ISO 27001.
Steampipe is a unique tool that uses a Postgres Foreign Data Wrapper to present data from external systems (like cloud providers, APIs, and infrastructure) as a relational database, allowing users to query their cloud resources using SQL. This approach allows for complex, ad-hoc security and compliance checks and the creation of custom dashboards using SQL queries, offering a different way to perform assessments compared to Prowler's sequential checks.
Extra Info 2: CloudTrail, EventBridge, and SSM Automation Documents
Intro
AWS CloudTrail, EventBridge, and SSM Automation Documents are distinct but often integrated services within the AWS ecosystem, used for managing and automating cloud operations.
AWS CloudTrail:
Purpose: CloudTrail is an AWS service that provides a record of actions taken by users, roles, or AWS services in your AWS account. It logs API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
Functionality: It delivers event history, enabling security analysis, resource change tracking, and troubleshooting by providing details such as who made the call, when it was made, from what IP address, and what resources were affected.
Use Cases: Security auditing, compliance, operational troubleshooting, and identifying unauthorized activity.
Amazon EventBridge:
Purpose: EventBridge is a serverless event bus service that makes it easy to connect applications together using events. It enables you to build scalable, event-driven applications by routing events from various sources to targets.
Functionality: It can receive events from AWS services (like CloudTrail), custom applications, and SaaS partners. You can then define rules to filter and route these events to various targets, including AWS Lambda functions, Amazon SNS topics, Amazon SQS queues, and AWS Systems Manager Automation.
Use Cases: Real-time event processing, building loosely coupled microservices, integrating with third-party applications, and triggering automated workflows based on events.
AWS Systems Manager (SSM) Automation Documents:
Purpose: SSM Automation Documents are predefined or custom-created scripts or runbooks that define a series of steps to automate common operational tasks across your AWS resources.
Functionality: They can be used to perform actions like starting/stopping instances, applying patches, creating AMIs, and running custom scripts. These documents can be executed manually, on a schedule, or triggered by events.
Use Cases: Patch management, instance lifecycle management, compliance enforcement, and automated incident response.
Integration Example:
These services can be combined to create powerful automation workflows. For instance, a CloudTrail event indicating an unauthorized change to a security group could trigger an EventBridge rule. This rule could then invoke an SSM Automation Document to automatically revert the change, notify an administrator, or isolate the affected resource, thereby enhancing security and operational efficiency.
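The integration above, and the auto-remediation chain described earlier under "Auto Remediation", can be shown in miniature without an AWS account. The following is an added illustration, not code from the talk or an AWS sample: `matches` applies an EventBridge-style event pattern (the same JSON you would put in an aws_cloudwatch_event_rule) to a CloudTrail record, `world_open_permissions` pulls the offending ingress rules out of the request parameters, and `plan_remediation` turns the result into the parameters an SSM Automation runbook would receive. The CloudTrail records, the `terraform-ci` pipeline role and the runbook name `RevokeWorldOpenIngress` are constructed assumptions for the example.

```python
"""CloudTrail -> EventBridge -> SSM Automation remediation loop in miniature (added example)."""
import json
from typing import Any, Optional

WORLD = {"0.0.0.0/0", "::/0"}
# Assumption: the IaC pipeline assumes a role named 'terraform-ci'. Its changes are excluded
# so auto-remediation never fights a Terraform apply; drift from that role is a code problem.
PIPELINE_ROLE = "terraform-ci"

# EventBridge pattern as it would appear in an aws_cloudwatch_event_rule. Leaf values are
# lists of alternatives; 'anything-but' is one of EventBridge's content filters.
RULE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventName": ["AuthorizeSecurityGroupIngress"],
        "userIdentity": {"sessionContext": {"sessionIssuer": {
            "userName": [{"anything-but": [PIPELINE_ROLE]}]}}},
    },
}


def _leaf_matches(alternative: Any, actual: Any) -> bool:
    if isinstance(alternative, dict) and "anything-but" in alternative:
        return actual not in alternative["anything-but"]
    return alternative == actual


def matches(pattern: dict, event: dict) -> bool:
    """EventBridge semantics for the subset used here: every pattern key must exist in the
    event, nested objects recurse, and a leaf list matches if any alternative matches.
    A missing field never matches, so an IAM user (no sessionContext) would not trigger
    this rule; add a second rule for userIdentity.type == "IAMUser" if you need that."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif not any(_leaf_matches(alt, actual) for alt in expected):
            return False
    return True


def world_open_permissions(detail: dict) -> list[dict]:
    """Ingress entries in CloudTrail requestParameters that are open to the whole internet."""
    items = detail.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    offending = []
    for perm in items:
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", []) if r.get("cidrIp") in WORLD]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", []) if r.get("cidrIpv6") in WORLD]
        if v4 or v6:
            offending.append({"ipProtocol": perm["ipProtocol"], "fromPort": perm.get("fromPort"),
                              "toPort": perm.get("toPort"), "cidrs": v4 + v6})
    return offending


def plan_remediation(event: dict) -> Optional[dict]:
    """Return StartAutomationExecution parameters for a hypothetical custom runbook
    'RevokeWorldOpenIngress' (an aws:executeAwsApi step calling RevokeSecurityGroupIngress),
    or None when the event is out of scope or the new rule is not world-open."""
    if not matches(RULE_PATTERN, event):
        return None
    offending = world_open_permissions(event["detail"])
    if not offending:
        return None
    return {"DocumentName": "RevokeWorldOpenIngress",  # hypothetical runbook name
            "Parameters": {"GroupId": [event["detail"]["requestParameters"]["groupId"]],
                           "IpPermissions": [json.dumps(offending)]}}  # SSM parameters are strings


def cloudtrail_event(user_name: str, group_id: str, perms: list[dict]) -> dict:
    """Constructed CloudTrail record in the envelope EventBridge delivers (not a real capture)."""
    return {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
                       "userIdentity": {"type": "AssumedRole",
                                        "sessionContext": {"sessionIssuer": {"userName": user_name}}},
                       "requestParameters": {"groupId": group_id, "ipPermissions": {"items": perms}}}}


SSH_TO_WORLD = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]
HTTPS_INTERNAL = [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                   "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {"items": []}}]

CLICKOPS_EVENT = cloudtrail_event("AdminConsoleRole", "sg-0123456789abcdef0", SSH_TO_WORLD)
PIPELINE_EVENT = cloudtrail_event(PIPELINE_ROLE, "sg-0123456789abcdef0", SSH_TO_WORLD)
INTERNAL_EVENT = cloudtrail_event("AdminConsoleRole", "sg-0123456789abcdef0", HTTPS_INTERNAL)

if __name__ == "__main__":
    for name, ev in [("clickops", CLICKOPS_EVENT), ("pipeline", PIPELINE_EVENT), ("internal", INTERNAL_EVENT)]:
        print(name, "->", plan_remediation(ev))
```

Only the ClickOps event produces a remediation: the pipeline's identical change is excluded by the `anything-but` filter, and the internal-only rule is matched by the pattern but dropped by the CIDR inspection, which EventBridge cannot do on its own because the offending value sits inside an array. In AWS the pattern goes into the event rule, the CIDR logic into the runbook (or a Lambda target in front of it), and the rule's target role needs ssm:StartAutomationExecution; note that "AWS API Call via CloudTrail" events are only delivered when a CloudTrail trail with logging enabled exists in that region.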