env0 Team for env0

Posted on DEV Community, originally published at env0.com

Meet Cloud Compass: AI-assisted IaC Coverage Audit and Risk Mitigation

Working with our customers, we’ve noticed that even the most mature dev organizations struggle with forgotten cloud assets and obscure, manually managed resources. 

In Support and POC calls we got used to hearing comments like, "Oh, I forgot we even had this," or "Right, this is something so-and-so deployed before leaving last August."  

These always warrant a sympathetic nod and a smile. Still, at the end of the day, unmanaged infrastructure (like any other shadow IT) carries multiple risks — from cost creep to reliability and compliance issues, and even security threats. 

Meanwhile, manually tracking and closing gaps in IaC coverage is a labor-intensive task, one that often gets postponed in favor of more immediate needs, allowing issues to fester even further.

These are exactly the problems we’re offering to solve with the introduction of Cloud Compass, the latest addition to the env0 platform. It leverages AI technologies and our IaC expertise to deliver an end-to-end discovery and remediation solution by:

  • Tracking IaC Coverage: Using proprietary AI-assisted logic, Cloud Compass audits your cloud infrastructure, identifying, itemizing, and categorizing all resources to show exactly which ones are managed via IaC and which are handled via Cloud API or ClickOps.
  • Auto-Assessing Risk: Cloud Compass will continuously monitor activity across your cloud accounts, assigning each manually-managed resource a ‘Severity’ score to help prioritize items for IaC importing.
  • Streamlining Resource Importing: Leveraging GenAI, Cloud Compass will create custom import blocks for each asset you’ll want to roll into your IaC. When used in tandem with the env0 platform, this not only saves time but also ensures adherence to your current security and compliance policies.

Let’s dive in.

How it Works

To get started, simply click on the newly added ‘Cloud Compass’ item in the env0 sidebar and add the details of your cloud account. 

Once a cloud account is added, the initial scan commences, and within just a few minutes you’ll see the dashboard start to populate with data, which will continue to stream in from subsequent scans.

On the right side of the dashboard, you will see the resources in your cloud account split into three categories: IaC, Cloud API, and ClickOps.

Resources are categorized automatically by the AI-assisted logic driving this feature, which requires a nuanced analysis of the CloudTrail event logs used for the scan (see the Under the Hood section below).

On the left, you have a graph showing the number of IaC assets over time. This visualization will help you track trends and changes in IaC coverage.

Below, you will find a table with a detailed per-resource breakdown, indexed by unique IDs. The table also offers additional information for each resource, including the number of changes.

Importantly, the system will also calculate a ‘Severity’ score for each resource to help identify urgent risks and prioritize your migration efforts. This can be particularly useful for large-scale deployments. 

The ‘Severity’ score is dynamic, and calculated based on several cross-verified factors and the analysis of activities over time. 

For instance, if our scan identifies manual permissions changes on an S3 bucket at a consistent and high frequency (e.g., at least once a month), it would be elevated to ‘High’ severity to require more immediate attention. 

Resource Importing

With manually-managed resources identified and prioritized, your next step is to import your assets into an IaC framework. 

Cloud Compass helps here as well, by auto-generating import code you can use to quickly and securely move your manually-managed resources into IaC:

To create the import blocks, simply select the relevant resources from the list, choose your preferred IaC framework, and click Generate Code. Cloud Compass will use GenAI to create the code, which you can copy into your Git repo. 

Once you do, env0 will automatically detect the changes to your workspace and create a PR plan. 

Importantly, as it applies the changes, our platform will also execute all your OPA policies and other directives, ensuring that the imported resource fully matches your organization's compliance requirements, security profile, access controls, etc.

Under the Hood

Currently supporting AWS environments, env0 Cloud Compass uses our proprietary AI-assisted logic to analyze your cloud footprint and identify gaps in IaC coverage.

To do that, Cloud Compass connects with AWS CloudTrail and uses information stored in its events to track activity across your cloud environment, and do the following:

  • Discovery/Identification: Pinpoints and identifies resources based on activity history and other indicators in CloudTrail payloads.
  • Categorization: Classifies each resource by its type and management method.
  • Activity Tracking: Continuously monitors activity for each resource to provide a comprehensive view of changes over time and to assign and adjust individual ‘Severity’ scores.
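To make the CloudTrail-driven flow concrete, here is an added example (not env0's code) that walks a handful of constructed CloudTrail records through the three steps above, applies the S3 permission-change rule from the ‘Severity’ discussion, and emits a Terraform/OpenTofu import block for a flagged bucket. The userAgent heuristic for telling IaC, console and CLI/SDK traffic apart and the exact severity thresholds are assumptions, not Cloud Compass's logic.

```python
import json
from datetime import datetime
# Constructed CloudTrail records (not from a real account), trimmed to the fields read below.
SAMPLE_LOG = """
{"eventTime":"2024-04-03T10:00:00Z","eventName":"CreateBucket","userAgent":"APN/1.0 HashiCorp/1.0 Terraform/1.8.0","requestParameters":{"bucketName":"tf-state"}}
{"eventTime":"2024-04-10T11:00:00Z","eventName":"PutBucketPolicy","userAgent":"console.amazonaws.com","requestParameters":{"bucketName":"app-logs"}}
{"eventTime":"2024-05-12T09:30:00Z","eventName":"PutBucketAcl","userAgent":"console.amazonaws.com","requestParameters":{"bucketName":"app-logs"}}
{"eventTime":"2024-06-01T12:00:00Z","eventName":"PutBucketPolicy","userAgent":"aws-cli/2.15.0 Python/3.11.4","requestParameters":{"bucketName":"app-logs"}}
{"eventTime":"2024-05-20T08:00:00Z","eventName":"PutBucketTagging","userAgent":"aws-sdk-go/1.44.0","requestParameters":{"bucketName":"media"}}
"""
# S3 API calls that change who can access a bucket.
PERMISSION_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl", "PutBucketPublicAccessBlock"}

def classify(user_agent):
    # Assumed heuristic: IaC tools and the AWS console identify themselves in userAgent.
    ua = user_agent.lower()
    if "terraform" in ua or "opentofu" in ua:
        return "IaC"
    if "console.amazonaws.com" in ua or "signin.amazonaws.com" in ua:
        return "ClickOps"
    return "Cloud API"  # CLI/SDK traffic outside any IaC tool

def audit(log_text):
    # Discovery + categorization: group S3 events per bucket, count changes, record
    # the management methods seen and the months with manual permission changes.
    buckets = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        name = ev.get("requestParameters", {}).get("bucketName")
        if not name:  # skip events that are not about a bucket
            continue
        entry = buckets.setdefault(name, {"changes": 0, "methods": set(), "perm_months": set()})
        method = classify(ev.get("userAgent", ""))
        entry["changes"] += 1
        entry["methods"].add(method)
        if method != "IaC" and ev["eventName"] in PERMISSION_EVENTS:
            t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            entry["perm_months"].add(t.year * 12 + t.month)
    return buckets

def severity(entry):
    # High: manual permission changes in every month across 2+ months (the page's S3 example);
    # Medium: any manual permission change; Low: other manual activity; None: IaC-only.
    months = entry["perm_months"]
    if months:
        if len(months) >= 2 and len(months) == max(months) - min(months) + 1:
            return "High"
        return "Medium"
    return "Low" if entry["methods"] - {"IaC"} else "None"

def import_block(bucket):
    # Terraform/OpenTofu import block (1.5+ syntax) to bring the bucket under IaC.
    return f'import {{\n  to = aws_s3_bucket.{bucket.replace("-", "_")}\n  id = "{bucket}"\n}}'
```

On the sample above, `app-logs` (three manual permission changes in three consecutive months) comes out as High and is the one bucket worth generating an import block for first.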

What's Next 

Cloud Compass introduces a new set of observability options for the env0 platform, opening the door to many new possibilities.

Here are some of our plans for Cloud Compass:

  1. Azure and GCP: Cloud Compass support will extend beyond AWS to include additional cloud service providers, such as Azure and GCP. This will also enable Cloud Compass to be utilized in multi-cloud infrastructure.
  2. Contextual Drift Detection: Leveraging Cloud Compass’s ability to track manual actions, we will enhance our platform’s automated drift detection to include additional context such as the history of changes and the author of the modified code. This will accelerate investigations, lower MTTR, and reduce the likelihood of repeat issues.
  3. Resource Block Generation: Currently, Cloud Compass uses GenAI to provide import blocks for IaC importing. Soon, we will expand this capability to auto-generate entire resource blocks, for both Terraform and OpenTofu. This will further simplify importing, allowing you to mark and auto-migrate multiple resources into env0 with just a few clicks.

Want to know more? Schedule a technical demo with one of our experts to see Cloud Compass in action!
