Today we announced Regula, an open source tool for evaluating Terraform infrastructure as code for potential security misconfigurations and compliance violations. Regula uses the open source Open Policy Agent(OPA) policy framework and Rego query language, which have gained significant traction in the Kubernetes community and scale to cloud infrastructure policy assessments as well (Fugue’s SaaS product performs more than 100 million policy evaluations using OPA every day).

While maintaining the security and compliance of cloud infrastructure requires the continuous evaluation of existing resources (what Fugue does), our customers often tell us that they want to validate their infrastructure-as-code for policy compliance to identify pre-deployment. We built and open sourced Regula to solve this problem.

Regula image

Regula identifies cloud misconfiguration risks contained in Terraform scripts. The initial release of Regula includes rules that can identify overly permissive IAM policies and security group rules, VPCs with flow logs disabled, EBS volumes with encryption disabled, and untagged cloud resources. View the full set of initial Regula rules here.

We are adding more rules over the next few weeks, and will be adding support for Azure as well.

Regula initially supports rules that validate Terraform scripts written for AWS infrastructure, and includes mapping to CIS AWS Foundations Benchmark controls where relevant. Regula also includes helper libraries that enable users to easily build their own rules that conform to enterprise policies. At launch, Fugue has provided examples of Regula working with GitHub Actions for CI/CD, and with Fregot, a tool that enables developers to easily evaluate Rego expressions, debug code, and test policies. Fugue open sourced Fregot this past November.

Working independently of Fugue, Regula can be integrated with Fugue for end-to-end cloud infrastructure security and compliance. Fugue enables users to visualize cloud infrastructure environments, detect post-deployment misconfigurations and automatically enforce critical resource configurations through self-healing. Both Regula and Fugue utilize the open-source Rego policy language, and developers can easily create their own rules for Regula and Fugue using a similar syntax. In addition to Fugue Enterprise, Fugue offers Developer, a free tier available to individual engineers who need to ensure continuous security and compliance of their cloud infrastructure environments.

Regula is available today on Fugue’s public GitHub repository.

One more thing…

Fugue is cloud security and compliance. Built for engineers, by engineers. With Fugue, you can:

Get complete visibility into your cloud infrastructure environment and security posture with dynamic visualizations and compliance reporting.
Validate compliance at every stage of your software development life cycle for CIS Foundations Benchmark, HIPAA, PCI, SOC 2, NIST 800-53, ISO 27001, GDPR, and your custom policies.
Protect against cloud misconfiguration with baseline enforcement to make security critical cloud infrastructure self-healing.

Fugue Developer is free forever for individual engineers. Get started here.

Announcing Regula: Validate Terraform Policy Compliance with Open Policy Agent

One more thing…

Categorized Under

Search

Related posts

Popular Categories

Featured Posts

Get Started with Fugue Today

Trending Topics

Cloud Security Posture Management

Infrastructure as Code and Security

AWS Cloud Security

Azure Cloud Security

Cloud Security for Google Cloud Platform

DevSecOps for Cloud Infrastructure Security

CIS AWS Foundations Benchmark

CIS Azure Foundations Benchmark

Fugue Best Practices Policy Framework

GDPR

HIPAA

ISO 27001

NIST 800-53

PCI

SOC 2 Cloud Compliance

Popular Blogs

Five Steps to a Secure Cloud Architecture

An Introduction to Cloud Security for Infosec Professionals

9 Questions You Should Ask About Your Cloud Security

Events

News

Fugue Extends Cloud Security Market Dominance in Customer Satisfaction, According to G2 Report

Snyk Acquires Fugue, Enters Cloud Security Market

Fugue Achieves AWS Security Competency Status

Fugue Leads Cloud Compliance Market in Customer Satisfaction, According to G2 Report

Fugue Leads Cloud Security Market in Customer Satisfaction, According to G2 Report

Fugue Adds Centralized Multicloud Security Visibility and Policy-Based Governance Capabilities

Fugue Adds AWS Well-Architected Framework to Its Policy as Code Engine for Full Life Cycle Cloud Security

Fugue and CWS Team Up to Close Enterprise Cloud Security Gaps with End-to-End Policy as Code Enforcement

Fugue Adds Kubernetes Security Checks to its SaaS Platform and Open Source Regula Project

Fugue Announces Unified Infrastructure as Code and Cloud Runtime Security

Resources

Submit a Ticket

Documentation

Pricing

API

Guarantee

Login

Contact Us

Security

Privacy Policy

Careers

Schedule Demo

Product Videos

Press

Events

Library