Today we announced the 1.0 release of Regula, Fugue’s open source policy engine for infrastructure as code (IaC) security. With this release, Regula now has hundreds of pre-built policies for checking IaC deployments for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, along with new tooling to make it easier to develop and test custom rules. Read about it at Help Net Security.
With the 1.0 release of Regula, we’re realizing our goal of a powerful and flexible IaC policy engine that meets the requirements of teams that operate in the cloud at scale and need to move fast without compromising security.
IaC security should work for multiple IaC tools
Terraform and AWS CloudFormation are extremely popular IaC tools, and it’s not uncommon for both to be used extensively within a single organization. But having to use a different security tool for each IaC tool is unnecessary overhead, and an invitation for security gaps that let vulnerabilities slip through. Keeping policies consistent across separate tools is also difficult, and it gets harder over time as the two policy sets diverge. Regula works for Terraform (HCL and plan files) and AWS CloudFormation.
IaC security should also work for the cloud runtime
Infrastructure as code development is the first phase of the cloud development lifecycle (CDLC), and it’s essential to ensure IaC configurations are secure prior to deployment. But for the cloud runtime, teams have historically had to rely on a separate cloud security posture management (CSPM) tool with its own policy approach independent of IaC security. This also invites security gaps and added overhead. While Regula works independently of Fugue, you can bring your Regula policies to Fugue to check your runtime environment. Learn more about Fugue here.
IaC security should have a robust offering of pre-built policies
Effective cloud security involves adhering to hundreds of standard best practices that help us avoid common—and dangerous—misconfiguration vulnerabilities. Any IaC security tool should cover these so you and your team aren’t wasting time writing policies that every organization using the cloud should have. Regula provides hundreds of pre-built policies, along with mappings for the CIS Foundations Benchmarks for AWS, Azure, and Google Cloud. View the full set of Regula rules here.
IaC security should be developer-friendly
Having hundreds of pre-built policies helps teams cover most of the bases quickly and move forward, but organizations typically also have their own internal policies that govern their cloud environments and usage. Engineers need tools that help them develop and test those policies quickly and accurately, which is what the new Regula CLI is built for. Regula policies are written in Rego, the language of Open Policy Agent (OPA), the open standard for policy as code.
IaC security should work with your tools and workflows
Regula supports standardized output formats such as JUnit, Test Anything Protocol (TAP), and JSON, allowing it to integrate seamlessly with CI/CD tools and testing frameworks including Jenkins, CircleCI, Travis CI, and Conftest. And you can use Regula in your git workflows. You can check out a GitHub Actions example here.
IaC security should cover complex, contextual vulnerabilities
There are many single-resource misconfiguration vulnerabilities that are critical to avoid, but as cloud services and environments become more complex, contextual cloud security is now essential. A resource configuration may be perfectly safe in one context and a data breach waiting to happen in another. Regula supports multi-resource policies, such as “IAM policies should not allow broad list actions on S3 buckets.”
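To make the last two points concrete (custom rules written in Rego, and rules that reason over more than one resource), here is an added example of a multi-resource Regula rule. It is written for this post and is not code from the Regula project. It checks that every Terraform aws_s3_bucket is covered by an aws_s3_bucket_public_access_block that references it and enables all four block settings. The library names (data.fugue, fugue.resources, fugue.allow_resource, fugue.deny_resource), the "MULTIPLE" resource_type and the __rego__metadoc__ layout follow Regula’s rule-authoring conventions as understood here; the rule id CUSTOM_0001 and the assumption that Regula resolves the Terraform reference so that block.bucket equals the bucket’s id are assumptions of this example.

```rego
# Added example, not part of the Regula project: a multi-resource Regula rule.
# Assumptions: data.fugue helpers and the "MULTIPLE" convention are Regula's;
# the rule id and the block.bucket == bucket.id reference resolution are assumed.
package rules.custom_s3_bucket_public_access_block

import data.fugue

__rego__metadoc__ := {
  "id": "CUSTOM_0001",
  "title": "S3 buckets must have a public access block that blocks all public access",
  "description": "Each aws_s3_bucket needs a matching aws_s3_bucket_public_access_block with block_public_acls, block_public_policy, ignore_public_acls and restrict_public_buckets all set to true.",
  "custom": {"severity": "High"}
}

# "MULTIPLE" tells Regula that this rule looks at several resource types at once
# and decides per resource via the policy set below, rather than via allow/deny.
resource_type := "MULTIPLE"

buckets := fugue.resources("aws_s3_bucket")
access_blocks := fugue.resources("aws_s3_bucket_public_access_block")

# A block protects a bucket when it references that bucket and turns on every setting.
# Assumption: Regula resolves the Terraform reference, so block.bucket holds the bucket id.
protects(block, bucket) {
  block.bucket == bucket.id
  block.block_public_acls == true
  block.block_public_policy == true
  block.ignore_public_acls == true
  block.restrict_public_buckets == true
}

# True if at least one access block in the configuration protects this bucket.
bucket_is_protected(bucket) {
  block := access_blocks[_]
  protects(block, bucket)
}

# Every bucket gets exactly one verdict: allowed when protected ...
policy[p] {
  bucket := buckets[_]
  bucket_is_protected(bucket)
  p := fugue.allow_resource(bucket)
}

# ... and denied when no matching, fully enabled access block exists.
policy[p] {
  bucket := buckets[_]
  not bucket_is_protected(bucket)
  p := fugue.deny_resource(bucket)
}
```

The contextual part is the join between the two resource types: a bucket with no problem in its own configuration is still flagged when the separate resource that is supposed to protect it is missing or only partially enabled, which a single-resource rule cannot express. Place the file in a directory of custom rules and point the Regula CLI at it together with your Terraform; the Regula documentation covers the exact invocation and how to write unit tests for the rule.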
Regula ships as a pre-built binary with a CLI. It can be installed with Homebrew, and it is also available as a Docker image on Docker Hub.