When there’s a data breach involving Amazon Web Services (AWS), more often than not it involves the Amazon S3 object storage service. The service is incredibly popular. Introduced way back in 2006 when few knew what the cloud was, S3 is highly scalable, reliable, and easy to use. But getting the security of S3 right—and making sure it stays.

Lately, we at Fugue have been demonstrating live hacks against cloud infrastructure based on real events in the news. We often walk through a theft of data from Amazon S3 by exploiting little-known misconfigurations of Security Groups, EC2, IAM, and S3 in combination. See A Technical Analysis of the Capital One Cloud Misconfiguration Breach.

Cloud misconfiguration remains the top cause of data breaches in the cloud, and the COVID-19 crisis is making the problem worse. These are among the findings of Fugue’s new State of Cloud Security 2020 Report.

Recently, I was tasked with creating an automated testing tool for Fugue. Fugue monitors cloud resources for compliance and security, and we needed a way to verify that the full results of a Fugue scan were correct. My goal was to create an automated system that runs locally or in CI, deploys configurable infrastructure, scans it using Fugue,.

Employers across the U.S. and around the world are rapidly shifting to a mandatory work-from-home (WFH) arrangement to help slow the spread of the coronavirus (COVID-19). Even for organizations already operating with team members working from.

Inpart 1 of this walkthrough, we set up a CI/CD pipeline to define, commit, deploy, and secure infrastructure as code. To recap, here are the components:

Fugue allows you to easily and programmatically validate your cloud infrastructure for security and compliance. By integrating Fugue into your CI/CD pipeline, you can detect resource misconfiguration and compliance violations as part of every deployment.

We recently open sourced our tool Regula, which allows you to check your Terraform infrastructure as code for compliance prior to deployment. Regula can be used locally or as part of a CI/CD system, independently of Fugue or with Fugue.

In the cloud, developers now own the security posture of the enterprise because the cloud is fully software-defined and programmable. Getting the programming of cloud infrastructure wrong leads to misconfiguration, which is the number one cause of cloud-based data breaches. 

Today we announced Regula, an open source tool for evaluating Terraform infrastructure as code for potential security misconfigurations and compliance violations. Regula uses the open source Open Policy Agent(OPA) policy framework and Rego query language, which have gained significant traction in the Kubernetes community and scale to cloud.