Just like the challenges of managing large cloud infrastructure operations led to the development of infrastructure as code, ensuring the security and compliance of those environments led to policy as code. Cloud infrastructure environments are simply too vast, complex and dynamic to address with traditional security approaches such as manual audits and checklists.

Unfortunately, most policy as code languages are proprietary, closed-source ones offered by cloud vendors. These lock in customers, are incompatible with other policy frameworks the enterprise may be using, and it can be a real struggle to apply them to specific use cases.

Open Policy Agent (OPA) is an open source general-purpose policy engine, and Rego is OPA’s declarative policy language. Combined with Fugue, it provides maximum flexibility when implementing cloud infrastructure policy. The Cloud Native Computing Foundation (CNCF) accepted OPA as an incubation-level hosted project in April 2019.

We’ve been using OPA and Rego at Fugue as the policy-as-code framework in our SaaS solution for cloud security and compliance, and it’s simply amazing. Much of the focus of OPA has been on developing access policies for Kubernetes, but we’ve been leveraging it substantially for a wider variety of cloud infrastructure use cases on Amazon Web Services (AWS) and Microsoft Azure. You can read our announcement here.

By adopting of OPA and Rego, we’ve been able to provide the powerful and flexible policy as code capabilities for our customers, including the ability to quickly and easily create custom cloud infrastructure policies.

Fugue’s custom rules capabilities that leverage OPA enable users to:

Build and manage custom, user-defined cloud infrastructure rules in OPA Rego via the Fugue API, CLI, and web interface
Validate and test custom rules while they are being written with helpful errors that save time
Continuously validate and report on compliance for custom rules and out-of-the-box policy frameworks

Just a few examples of custom policies using OPA with Fugue include:

Check for public and unencrypted S3 buckets
Which cloud regions are allowed
Which machine images (e.g. AMIs) are allowed
Make sure VPC flow logs are configured
Which instance sizes (e.g. EC2) are allowed
Check for least permissions in IAM policies
Which ingress rules are allowed for Security Groups

For example, if a security group should not allow port 9200 to be open to the world, the rule can be expressed like this:

custom-ingress-rule

Most organizations also need to adhere to one or more compliance frameworks, so Fugue provides out-of-the-box support using OPA for CIS Foundations Benchmarks (AWS and Azure), GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2.

Fugue is running millions of security rule evaluations every day using OPA, so we've put a lot of work into developer tooling and will be contributing all of that back to the open source community. We’re excited about OPA and the opportunity to get more involved in this important open source project.

While you’re here…

Fugue is cloud security for developers, by developers.

Get continuous cloud compliance visibility and reporting for your custom rules and a number of out-of-the-box policy frameworks like CIS Foundations Benchmark, HIPAA, PCI, SOC 2, NIST 800-53, ISO 27001, and GDPR.

Fugue Developer is free forever and it takes just 15 minutes to get up and running. Get started here.

Using Open Policy Agent (OPA) for Cloud Security and Compliance

While you’re here…

Categorized Under

Search

Related posts

Popular Categories

Featured Posts

Get Started with Fugue Today

Trending Topics

Cloud Security Posture Management

Infrastructure as Code and Security

AWS Cloud Security

Azure Cloud Security

Cloud Security for Google Cloud Platform

DevSecOps for Cloud Infrastructure Security

CIS AWS Foundations Benchmark

CIS Azure Foundations Benchmark

Fugue Best Practices Policy Framework

GDPR

HIPAA

ISO 27001

NIST 800-53

PCI

SOC 2 Cloud Compliance

Popular Blogs

Five Steps to a Secure Cloud Architecture

An Introduction to Cloud Security for Infosec Professionals

9 Questions You Should Ask About Your Cloud Security

Events

News

Fugue Extends Cloud Security Market Dominance in Customer Satisfaction, According to G2 Report

Snyk Acquires Fugue, Enters Cloud Security Market

Fugue Achieves AWS Security Competency Status

Fugue Leads Cloud Compliance Market in Customer Satisfaction, According to G2 Report

Fugue Leads Cloud Security Market in Customer Satisfaction, According to G2 Report

Fugue Adds Centralized Multicloud Security Visibility and Policy-Based Governance Capabilities

Fugue Adds AWS Well-Architected Framework to Its Policy as Code Engine for Full Life Cycle Cloud Security

Fugue and CWS Team Up to Close Enterprise Cloud Security Gaps with End-to-End Policy as Code Enforcement

Fugue Adds Kubernetes Security Checks to its SaaS Platform and Open Source Regula Project

Fugue Announces Unified Infrastructure as Code and Cloud Runtime Security

Resources

Submit a Ticket

Documentation

Pricing

API

Guarantee

Login

Contact Us

Security

Privacy Policy

Careers

Schedule Demo

Product Videos

Press

Events

Library