Cloud

What is PaC?

Cloud resources and services must adhere to a certain set of rules (in short, policy) that meet enterprise mandates for security, compliance, governance, etc.

While infrastructure as code (IaC) evolved to provision cloud environment at scale, PaC emerged to enforce enterprise-level policies at scale using a declarative programming language. PaC defines and manages policies using few lines of code in programming languages such as Python, Rego, and YAML. PaC can be enforced across the board before deployment and regularly evaluated thereafter. Codification helps to implement organizational standards and compliances at scale.

Here are some examples:

A policy written in JSON format that can be used with AWS Config Rules to check for encryption of sensitive data at rest on Amazon S3 :

Example 1 – Enforce S3 encryption

Rego code for EKS cost optimization policy

Example 2 – EKS cost optimization policy

Precisely, PaC is a set of reusable codes that can be embedded in the development pipeline.

Need for PaC

Earlier, a governance team or a centralized operations team used to review a policy document before approving or denying its enforcement. However, this approach can create delays and human errors in a distributed cloud environment. PaC validations can address these challenges. The policies should be applied at scale across multiple accounts with one cloud service provider (CSP) or a multicloud environment.

In a microservices-based application, tightly coupled policies make it difficult to modify or add policies after deployment. A separate policy repository with features like add, update, test, and deploy is necessary for large application portfolios.

At an enterprise level, we can create a policy repository in the form of a policy engine comprising policies across:

Enterprises need a comprehensive policy repository to store custom policies for their applications and environments. This engine will help enterprises fetch and amend policies from the repository before embedding them in the development pipeline.

The biggest challenge for cloud admins is to write policy scripts, which requires programming skills. However, there are open-source and cloud-native tools that write policy scripts by using programming languages, such as Python, Yaml, and Rego.

The varying APIs, services, and syntax for defining policies across cloud providers make it challenging to build a portable policy. We can use a combination of the below approaches to define and manage policies in a multicloud environment.

We can use OPA/Rego code to control Kubernetes ingress and egress decisions. This code can prohibit ingresses with conflicting hostnames. Below is an example code snippet:

Example 3 – Kubernetes ingress and egress decisions

An overview of which cloud services a policy applies to, and which cloud accounts should be included, is essential.

The system should generate a comprehensive report (with one click), comprising all cloud accounts, cloud services, and policy non-compliances.

For this, essential elements are:

Architecture – Validation using PaC

The architecture of validation using PaC typically involves:

Generative AI can be used to write Rego code for Open Policy Agent to identify security violations. For example, you can write a prompt to generate code that detects encryption in S3 buckets and restricts public access.

Example 4 – Detect encryption in S3 bucket and restrict public access

Figure 1: Prototype of validation using PaC

Figure 2: Typical architecture for validation using policy as code

As organizations migrate to the cloud, we need to provide a platform that can manage policies across multiple cloud accounts and hybrid cloud environments. We also need to provide out-of-the-box solutions using the latest technology stack, such as Generative AI.

References