After performing a recent security assessment of a client’s AWS account, I identified numerous issues (which the client was happy to be informed about). During the discussions that followed, they raised an interesting question: “How do I ensure that the same misconfigurations are not reintroduced into the environment the week after the assessment has completed?” In other words, I had performed a point-in-time assessment of their environment, but what steps could they take to implement some form of continuous assurance, or what I will call “security guardrails”, within their account?
To understand how to tackle that question, we need to take a step back and look at the bigger picture, which involves discussing Cloud Governance. This concept is a framework or collection of rules and policies governing how users should make use of the services and resources offered by various cloud providers. These policies are often built on the existing IT practices that govern an organization’s on-premises infrastructure but, in some instances, organizations have developed a new set of rules and policies specifically for the cloud, even going so far as defining them per public cloud provider that they make use of.
Cloud Governance is a very broad term; one useful resource I have come across when searching for a comprehensive definition is from Red Hat at https://www.redhat.com/en/topics/automation/what-is-cloud-governance, where they say that Cloud Governance has the following goals:
- Improve business continuity: With better visibility across all business units, organizations can develop clearer action plans in the case of data breaches or downtime.
- Optimize resources and infrastructure: Increasing monitoring and control over cloud resources and infrastructure can inform efforts to use resources effectively and keep cloud costs low.
- Maximize performance: With a clearer view of their entire cloud environment, organizations can improve operational efficiency by eliminating productivity bottlenecks and simplifying management processes.
- Increase compliance with policies and standards: Stringent compliance monitoring helps organizations follow applicable government regulations and standards, as well as their own internal governance policies.
- Minimize security risks: A good governance model includes clear identity and access management strategy and security monitoring processes, so that IT teams are better positioned to identify and mitigate vulnerabilities and improve cloud security.
While there is no definitive source on everything that Cloud Governance entails, it generally attempts to achieve the goals outlined above. These goals are written in plain English and at a high level, but their technical implementation might require a plethora of different tools, technologies, or approaches. Some aspects of the goals may be enforced via technical controls; others, such as a company’s data classification policy and the channels that may be used to send data of varying sensitivities, may be implemented as a policy which employees themselves primarily need to understand and enforce.
The implementation of security guardrails within an AWS account would fall under the security pillar of a Cloud Governance framework. The specific guardrails that need to be implemented will be driven by the regulatory requirements that the organization needs to abide by, and any additional guardrails which the organization’s security team would like to implement (for example, enforcing the use of IMDSv2 for all EC2 instances, or not publicly exposing RDS instances).
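To make the two example guardrails concrete, here is an added sketch (not code from this series or from any particular tool) that evaluates them against resource descriptions and reports findings that have reappeared since a baseline. The sample data is constructed in the shape of the EC2 `DescribeInstances` and RDS `DescribeDBInstances` responses; the rule names and resource identifiers are assumptions made for illustration.

```python
# Constructed sample data, shaped like the responses boto3 returns from
# ec2.describe_instances() and rds.describe_db_instances(); runs offline.
EC2_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa1111example", "MetadataOptions": {"HttpTokens": "required"}},
    {"InstanceId": "i-0bbb2222example", "MetadataOptions": {"HttpTokens": "optional"}},
    {"InstanceId": "i-0ccc3333example"},  # MetadataOptions missing from the record
]}]}
RDS_RESPONSE = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "reporting-db", "PubliclyAccessible": True},
]}


def check_imdsv2(ec2_response):
    """Flag instances where IMDSv2 is not enforced (HttpTokens != 'required')."""
    findings = []
    for reservation in ec2_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tokens = inst.get("MetadataOptions", {}).get("HttpTokens")
            if tokens != "required":  # fail closed: a missing value is a finding
                findings.append(("ec2-imdsv2-required", inst["InstanceId"],
                                 f"HttpTokens={tokens!r}"))
    return findings


def check_rds_not_public(rds_response):
    """Flag RDS instances that are not explicitly marked non-public."""
    findings = []
    for db in rds_response.get("DBInstances", []):
        public = db.get("PubliclyAccessible")
        if public is not False:  # fail closed on a missing value as well
            findings.append(("rds-not-public", db["DBInstanceIdentifier"],
                             f"PubliclyAccessible={public!r}"))
    return findings


def evaluate(ec2_response, rds_response):
    """Run every guardrail and return findings in a stable order."""
    return sorted(check_imdsv2(ec2_response) + check_rds_not_public(rds_response))


def regressions(baseline, current):
    """Findings present now that were not in the accepted baseline."""
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    for rule, resource, detail in evaluate(EC2_RESPONSE, RDS_RESPONSE):
        print(f"FAIL {rule} {resource} ({detail})")
```

Running the same evaluation on a schedule and comparing against the findings accepted at the end of the assessment is what turns a point-in-time check into a guardrail.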
Types of Tooling to Support Cloud Governance
When researching what available tooling exists to assist with implementing the security pillar of Cloud Governance, there are some acronyms which you will commonly encounter, namely CASB, CSPM, CWPP, and CNAPP. The multitude of different types of cloud security tooling should provide some indication of how complex securing cloud environments across an organization is. A summary of each of these acronyms follows:
- Cloud Access Security Broker (CASB) – provides a security policy enforcement gateway to ensure that users’ actions are authorized and compliant with company security policies.
- Cloud Security Posture Management (CSPM) – identifies misconfiguration issues and compliance risks in the cloud.
- Cloud Workload Protection Platform (CWPP) – workload-centric security protection solution for various types of workloads, including physical servers, containers, virtual machines (VMs), and serverless workloads. It also provides a single pane of glass for visibility and protection across on-premises and cloud environments.
- Cloud-Native Application Protection Platform (CNAPP) – combines the capabilities of CWPP and CSPM. Its purpose is to scan workloads and configurations in development and to protect them at runtime.
Addressing the client question
Returning to our initial question of “How do I ensure that the same misconfigurations are not reintroduced into the environment the week after the assessment has completed?”, we will be looking at a tool that falls within either the CSPM or CNAPP category to address this need.
There are numerous open-source and paid-for tools that assist with this aspect of cloud governance. Some of the paid-for options include Microsoft’s Defender for Cloud, Wiz.io, and Red Hat’s Ansible Automation Platform. But being a long-time lover of open-source tooling, which has a large prevalence in the cybersecurity space, I wanted to take a look at what open-source tooling is available in this space for AWS specifically as well.
So let’s define some criteria for the tool we would like to implement:
- It should provide us the ability to implement some form of security guardrails. Ideally the tool will have some example or preconfigured guardrails, and the ability for us to deploy customized guardrails depending on the organization’s needs.
- We need to be able to deploy it across an AWS organization, and the deployment should be automated, or at least parts of it should be.
- The ability to apply different sets of guardrails to different organizational units would be preferred – as certain accounts may have more stringent regulatory requirements than other accounts.
- It should be cost effective.
- It should provide a way to view the output in a consistent and useful way.
Part 2 of this series of blog posts will analyse, at a high level, a selection of options that address the defined criteria and select one of these to implement. Part 3 will discuss the practical implementation of the solution and the architectural considerations that apply to it.
Red Hat – What is cloud governance? – https://www.redhat.com/en/topics/automation/what-is-cloud-governance
TechTarget – CASB, CSPM, CWPP emerge as future of cloud security – https://www.techtarget.com/searchsecurity/feature/CASB-CSPM-CWPP-emerge-as-future-of-cloud-security