Streamline Terraform policy use with AWS Sentinel templates


Announcing Public Beta: Pre-Written Sentinel Policy Sets for AWS Now Available

We are pleased to share the news of the public beta release of pre-written Sentinel policy sets tailored for AWS, which are now available in the Terraform Registry. This offering is a collaborative effort between HashiCorp and AWS, crafted to help organizations adhere to industry standards and simplify the adoption of infrastructure policy enforcement.

With this launch, the goal is to deliver a comprehensive solution to intricate governance challenges, enabling organizations to operate more swiftly without compromising on security. This collaboration underscores the unique synergy between AWS’s cloud infrastructure and HashiCorp’s automation and security prowess.

Understanding the Hurdles in Policy Adoption

Sentinel is an embeddable framework that treats policies as code, providing logic-based policy enforcement over infrastructure configurations in HashiCorp Terraform and other HashiCorp products. This approach allows organizations to manage policies similarly to application code, meaning they can be version-controlled, audited, tested, and understood by all stakeholders within an organization.

Sentinel policies play a crucial role in managing what Terraform users are permitted to do, ensuring that infrastructure provisioning thresholds are not surpassed, and preventing insecure or non-compliant configurations.

For example, Fannie Mae, a prominent and highly regulated financial institution, utilizes Sentinel policies to enforce over 400 preventative security, architectural, and financial guardrails, ensuring its infrastructure remains compliant with regulatory requirements.

While Sentinel is an effective tool for ensuring cloud governance on a large scale, the process of adopting policy-as-code workflows can be overwhelming and time-consuming for some organizations. This is particularly true for those lacking the resources and expertise to develop policies from scratch. Starting from the ground up can lead to significant delays in policy development and implementation, increasing the risk of human error and misconfigurations.

Introducing Co-Owned Pre-Written Policy Sets with AWS

To tackle these challenges, HashiCorp and AWS have jointly developed a library of pre-written policies covering a broad spectrum of use cases, such as security, compliance, and operational efficiency. Crafted by industry experts with years of experience, these policies have been thoroughly tested and validated to ensure reliability and effectiveness. Moreover, these policies are customizable, enabling organizations to quickly tailor them to fit their specific requirements.

These policies are specifically designed for AWS services in alignment with the Center for Internet Security (CIS) benchmarks. CIS is a non-profit organization offering prescriptive configuration recommendations that reflect a global, consensus-based effort in cybersecurity. The pre-written policy sets cover CIS AWS Foundations Benchmark versions 1.2, 1.4, and 3.0. The supported services include:

  • EC2
  • KMS
  • CloudTrail
  • S3
  • IAM
  • VPC
  • RDS
  • EFS

Users can explore the Terraform Registry policy library to discover and apply these pre-built policies. Because Sentinel is natively integrated with HCP Terraform, users can quickly attach these policy sets to their HCP Terraform organizations and workspaces.

After deploying these policies, administrators can set one of three enforcement levels for each policy:

  • Hard Mandatory: If the policy fails, the run halts and cannot be overridden. The failing configuration must be fixed before the run can continue.
  • Soft Mandatory: If the policy fails, the run halts, but an organization owner or a user with policy-override privileges may override the failure and continue.
  • Advisory: Policy failures are logged in the run output, but the run proceeds.

For instance, in a hypothetical Terraform run, two advisory-level CIS policies might fail, surfacing useful feedback in the run output without halting the process.
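To make the mechanism concrete, here is an added example of a single Sentinel policy in the style these policy sets use. It is my own illustration, not one of the HashiCorp/AWS pre-written policies, and it enforces one CIS AWS Foundations Benchmark control (EBS volume encryption) against a Terraform plan. The file name, the helper functions and the rule names are my choices; the `tfplan/v2` import, `filter`, `rule when`, `print`, `length` and the `else` operator are standard Sentinel.

```sentinel
# Added example (not from the HashiCorp/AWS policy library):
# require that every EBS volume the plan creates or updates has
# encryption enabled, per the CIS AWS Foundations Benchmark control
# "Ensure EBS volume encryption is enabled".
import "tfplan/v2" as tfplan

# EBS volumes the plan will create or update. Deletes and no-ops are
# ignored: a volume that is going away cannot be brought into
# compliance by this run.
ebs_volumes = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_ebs_volume" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or
	 rc.change.actions contains "update")
}

# A volume passes only when its planned (post-apply) state has
# encrypted = true. The `else false` covers the attribute being absent
# or unknown at plan time: an unknown value must fail closed rather
# than pass by accident.
is_encrypted = func(rc) {
	return (rc.change.after.encrypted else false) is true
}

# Collect the violators so the output names each offending address.
unencrypted = filter ebs_volumes as _, rc {
	not is_encrypted(rc)
}

# Print one line per violation. This text shows up in the HCP Terraform
# run output at every enforcement level; only whether the run stops
# differs between advisory, soft-mandatory and hard-mandatory.
report = func(violators) {
	for violators as address, _ {
		print("VIOLATION: " + address + " must set encrypted = true")
	}
	return true
}

# The main rule decides pass/fail. The enforcement level is NOT set in
# the policy; it lives in the policy set's sentinel.hcl, so the same
# policy can run as advisory during rollout and be promoted to
# hard-mandatory later without editing this file.
# `rule when` makes the policy pass trivially when the plan touches
# no EBS volumes at all.
main = rule when length(ebs_volumes) > 0 {
	report(unencrypted) and length(unencrypted) is 0
}
```

To attach it, the policy set's `sentinel.hcl` would declare `policy "ebs-volume-encrypted" { source = "./ebs-volume-encrypted.sentinel"  enforcement_level = "advisory" }` and later switch `enforcement_level` to `"soft-mandatory"` or `"hard-mandatory"` once teams have cleaned up existing violations. Before enabling it in HCP Terraform, run `sentinel test` against mock plan data so that both the passing and the failing path are exercised offline.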

Enforcing Sentinel Policies for CIS Compliance

By using this solution, organizations can consistently enforce policies of varying strictness across their infrastructure, efficiently and at scale. These pre-written policies are designed to help organizations using AWS accelerate their policy-as-code adoption, gaining speed without giving up security.

Next Steps

To ensure a seamless experience, link your HCP Terraform and HashiCorp Cloud Platform (HCP) accounts for integrated sign-in. This step is needed to take full advantage of the pre-written policy sets and improve your organization's infrastructure governance.

In summary, the introduction of these co-owned pre-written policy sets by HashiCorp and AWS is a significant step toward making infrastructure policy enforcement more accessible and efficient. By streamlining the process and providing expertly crafted policies, the collaboration aims to help organizations navigate cloud infrastructure governance with confidence. For further details, explore the Terraform Registry and start integrating these policies into your workflows today.

For more information, refer to the original announcement.

Neil S