How does policy as code work

What is Policy as Code?

Policy as Code is a method of writing security and compliance policies as executable code. These policies can be used alongside an organization's applications and infrastructure to ensure they meet security and compliance requirements.

Compared to traditional security and compliance approaches, Policy as Code offers a more efficient and precise means of enforcement. It also lets organizations automate security and compliance checks within their development and deployment processes, improving efficiency and reducing operational risk.

How does Policy as Code work?

Policy as Code relies on three key components:

Data

To analyze existing cloud, SaaS, or infrastructure environments, it's necessary to obtain the underlying data. In the context of Policy as Code tools, data is typically fetched using providers. In the case of Selefra, providers are used to retrieve data from various cloud service providers. During the initial stage of running Selefra, open-source (or user-defined) providers are used to fetch and store the cloud resources' data in a designated PostgreSQL database. This data serves as the basis for policy writing and analysis in subsequent steps.

Policies

Policies are written as code that simulates decision-making behavior. These rules describe security, compliance, or best practice requirements. Policies can be based on industry standards (such as CIS Benchmarks) or internal organizational policies. They can be expressed using natural language, domain-specific languages (DSLs), or code. In Selefra, policies are defined in a YAML format with placeholders and SQL statements.

rules:
  - name: bucket_acl_publicly_writeable
    # Join each bucket to its ACL grants and keep the ones that hand
    # write or full-control permission to the AllUsers (anonymous) group.
    query: |-
      SELECT
        DISTINCT(a1.*)
      FROM
        aws_s3_buckets a1,
        aws_s3_bucket_grants a2
      WHERE
        a1.selefra_id = a2.aws_s3_buckets_selefra_id
        AND a2.grantee :: jsonb ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers'
        AND a2.permission IN ('WRITE_ACP', 'FULL_CONTROL');
    # Each matching row is rendered through this template; {{.arn}} is the bucket's ARN column.
    output: "S3 bucket ACL publicly writable, ARN: {{.arn}}"

In the above example, Selefra retrieves the AWS data based on the user's configuration and stores it in a specified format. Then, it applies the defined rules to identify non-compliant items.

Execution

Once the data and policies are in place, a tool is needed to execute the policies and query for potential security risks or compliance violations. In the case of Selefra, the policies are interpreted as executable code: the query section of each rule is run against the stored data, and every matching row is formatted using the rule's output section. Users can then view the identified issues with their cloud resources in the console.
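To make the data/policy/execution flow concrete, here is an added example (not Selefra's own code) that evaluates the bucket_acl_publicly_writeable rule above end to end in Python. A constructed in-memory SQLite dataset stands in for the provider-populated PostgreSQL tables, the rule is held as a dict with the same name/query/output fields as the YAML, and the PostgreSQL `::jsonb ->>` cast is replaced with SQLite's json_extract(); table and column names follow the YAML.

```python
import re
import sqlite3

# Constructed rule mirroring the YAML above; SQL adapted to SQLite (json_extract replaces ::jsonb ->>).
RULE = {
    "name": "bucket_acl_publicly_writeable",
    "query": """
        SELECT DISTINCT a1.*
        FROM aws_s3_buckets a1, aws_s3_bucket_grants a2
        WHERE a1.selefra_id = a2.aws_s3_buckets_selefra_id
          AND json_extract(a2.grantee, '$.URI') = 'http://acs.amazonaws.com/groups/global/AllUsers'
          AND a2.permission IN ('WRITE_ACP', 'FULL_CONTROL')
    """,
    "output": "S3 bucket ACL publicly writable, ARN: {{.arn}}",
}

# Constructed sample data standing in for what a provider would fetch into the database.
BUCKETS = [(1, "arn:aws:s3:::public-logs"), (2, "arn:aws:s3:::private-data"), (3, "arn:aws:s3:::readonly-site")]
GRANTS = [
    (1, '{"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}', "FULL_CONTROL"),  # anyone may write
    (2, '{"ID": "owner-canonical-id"}', "FULL_CONTROL"),                                # owner only
    (3, '{"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}', "READ"),          # public read, not write
]

def load_data():
    """Data step: build the resource tables the rule queries."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE aws_s3_buckets (selefra_id INTEGER, arn TEXT)")
    conn.execute("CREATE TABLE aws_s3_bucket_grants (aws_s3_buckets_selefra_id INTEGER, grantee TEXT, permission TEXT)")
    conn.executemany("INSERT INTO aws_s3_buckets VALUES (?, ?)", BUCKETS)
    conn.executemany("INSERT INTO aws_s3_bucket_grants VALUES (?, ?, ?)", GRANTS)
    return conn

def render(template, row):
    """Output step: substitute each {{.column}} placeholder with that column of the result row."""
    return re.sub(r"\{\{\.(\w+)\}\}", lambda m: str(row[m.group(1)]), template)

def evaluate(rule, conn):
    """Execution step: run the rule's query and render one finding per matching row."""
    return [render(rule["output"], row) for row in conn.execute(rule["query"])]

if __name__ == "__main__":
    for finding in evaluate(RULE, load_data()):
        print(finding)
```

Only the first bucket is reported: the second grants full control to the owner, not the public, and the third grants the public read but not write access.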

Conclusion

That concludes a brief explanation of how a Policy-as-Code product works. Each step of implementation requires significant code design. In our upcoming articles, our team will provide detailed explanations of the architecture design and code implementation for each step. If you're interested in following our team and experiencing our open-source product, Selefra, please visit:

GitHub: https://github.com/selefra/selefra

Slack: https://selefra.io/community/join

Thank you very much for reading!