Implements OPA-based preventive security controls for AWS Infrastructure using Terraform Infrastructure as Code (IaC), that can establish a security baseline and safeguard resources before deployment into the AWS Accounts and reduce security risks.
Policy-as-Code
This repo contains Open Policy Agent (OPA) policies to test AWS infrastructure against terraform plan.
Why OPA?
OPA provides a powerful policy engine that helps organizations enforce fine-grained policies across their applications and infrastructure, improving security, compliance, and policy management capabilities.
Benefits of using this repo policies:
Implementing OPA-based preventive security controls for Terraform Infrastructure as Code (IaC) can establish a security baseline and safeguard resources before deployment into the AWS Accounts and reduce security risks.
Introduction
What is OPA?
The OPA is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code and simple APIs to offload policy decision-making from your software.
To learn more, refer
Folder structure
- policy-as-code/OPA/policy/aws/
- contains the actual policy files written in rego language for each AWS service. - policy-as-code/OPA/policy/template - contains the sample files for each OPA rule for AWS service.
- policy-as-code/OPA/policy/common.utils.rego - utils package for common code/functions used in actual rule rego files.
Template folder files
- aws-servicename-policyid.mock.json:
./policy/aws/efs/aws-efs-m-2.mock.json
- aws-servicename-policyid.rego:
./policy/aws/efs/aws-efs-m-2.rego
- aws-servicename-policyid.test.rego
./policy/aws/efs/aws-efs-m-2.test.rego
File naming convention:
"aws-
- servicename - any of the AWS services E.g., s3, efs, dynamodb, etc. - aws-s3-m refers to mandatory control, r for recommended control - aws-s3-m-
Usage
Pre-requisites:
Download the repo and do the following:- Write your own terraform code and generate plan using below commands:
terraform init
terraform plan -input=false -refresh -no-color -out=/tmp/planfile
terraform show -json /tmp/planfile > /tmp/plan.json
- Run specific OPA rule against the generated terraform plan use:
~/policy-as-code/OPA/policy (Note: check the path correctly)
opa eval -i <terraformplanjsonfilepath> -d <OPAruleregofilepath> -d <commonutilsfilepath> "data.aws.<servicename>.<policy_id>.deny"
E.g.
cd ~/policy-as-code/OPA/policy
opa eval -i /tmp/plan.json -d aws/efs/aws-efs-m-1.rego -d common.utils.rego "data.aws.efs.m2.deny"
- Run all OPA rules in this repository against the generated terraform plan use:
~/policy-as-code/OPA/ (Note: check the path correctly)
conftest test <terraformplanjsonfilepath> -o table --all-namespaces -p <OPArulepolicydirfile_path>
E.g.
cd ~/policy-as-code/OPA/
conftest test /tmp/tfplan.json -o table --all-namespaces -p policy/
- If opa evaluations are done successfully against the generated plan, you can safely deploy the infrastructure. If not, modify terraform code to comply with the policies defined.
Security
See CONTRIBUTING for more information.
License
This project is licensed under the Apache-2.0 License.