Amazon Web Services (AWS) this week added a declarative policies capability that promises to reduce the level of DevSecOps friction that far too many software engineering teams continue to encounter.
Announced at the AWS re:Invent 2024 conference, that capability enables IT teams to declare and enforce desired configurations for AWS services in a way that prevents them from being altered.
Mark Ryland, director of Amazon Security, said that rather than defining a policy they hope will be enforced, this capability enables IT teams to declare their actual cybersecurity intent in a way that prevents misconfigurations from being created as applications are updated or new accounts are added.
For example, IT teams can configure AWS services to block public access to virtual private clouds (VPCs) across all accounts, even as new features or application programming interfaces (APIs) are added to applications.
Currently, declarative policies can be used across the Amazon Elastic Compute Cloud (Amazon EC2), Amazon VPC and Amazon Elastic Block Store (Amazon EBS) services. Features include enforcing IMDSv2, allowing troubleshooting through the serial console, setting allowed Amazon Machine Image (AMI) settings, and blocking public access for Amazon EBS snapshots, Amazon EC2 AMIs and VPCs. Those declarative policies can be created using the AWS Organizations console, the AWS Command Line Interface (AWS CLI), AWS CloudFormation or AWS Control Tower.
Declarative policies prevent non-compliant actions regardless of whether they were invoked using an AWS Identity and Access Management (IAM) role you created or by an AWS service using a service-linked role.
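To make the controls listed above concrete, here is an added example (not code from the article or from AWS) that assembles an EC2 declarative policy document covering those controls, checks it against a baseline, and lists the AWS CLI steps that would enable the policy type, create the policy and attach it at the organization root. The key names follow the syntax AWS documents for policies of type `DECLARATIVE_POLICY_EC2` (`ec2_attributes` with `@@assign` operators); they are reproduced from memory and should be verified against the current AWS Organizations documentation. The baseline, the policy name and the `r-EXAMPLE` root id are assumptions; nothing here calls AWS, so it runs offline.

```python
"""Build and sanity-check an EC2 declarative policy document.

Added example, not from the article or AWS. Key names follow the documented
DECLARATIVE_POLICY_EC2 syntax as remembered by the author of this example;
verify them against the current AWS documentation before use.
"""
import json

# Baseline of what the policy must declare (assumption: one reasonable
# org-wide baseline). Each entry: key path under ec2_attributes, then the
# set of @@assign values that satisfy the control.
BASELINE = {
    "IMDSv2 required": ("instance_metadata_defaults", "http_tokens", {"required"}),
    "EBS snapshots not publicly shareable": (
        "snapshot_block_public_access", "state", {"block_new_sharing", "block_all_sharing"}),
    "AMIs not publicly shareable": ("image_block_public_access", "state", {"block_new_sharing"}),
    "VPC internet ingress blocked": (
        "vpc_block_public_access", "internet_gateway_block", "mode",
        {"block_ingress", "block_bidirectional"}),
    "Allowed AMI settings enabled": ("allowed_images_settings", "state", {"enabled"}),
    "Serial console disabled": ("serial_console_access", "status", {"disabled"}),
}


def build_ec2_policy(block_vpc_ingress=True, require_imdsv2=True,
                     block_snapshot_sharing=True, block_ami_sharing=True,
                     serial_console=False, allowed_image_providers=("amazon",)):
    """Return the policy document as a dict; every flag maps to one control."""
    attrs = {}
    if block_vpc_ingress:
        attrs["vpc_block_public_access"] = {"internet_gateway_block": {
            "mode": {"@@assign": "block_ingress"},
            "exceptions_allowed": {"@@assign": "enabled"}}}
    if require_imdsv2:
        attrs["instance_metadata_defaults"] = {
            "http_tokens": {"@@assign": "required"},
            "http_put_response_hop_limit": {"@@assign": "2"},
            "http_endpoint": {"@@assign": "enabled"}}
    if block_snapshot_sharing:
        attrs["snapshot_block_public_access"] = {"state": {"@@assign": "block_all_sharing"}}
    if block_ami_sharing:
        attrs["image_block_public_access"] = {"state": {"@@assign": "block_new_sharing"}}
    if allowed_image_providers:
        attrs["allowed_images_settings"] = {
            "state": {"@@assign": "enabled"},
            "image_criteria": {"criteria_1": {
                "allowed_image_providers": {"@@assign": list(allowed_image_providers)}}}}
    attrs["serial_console_access"] = {
        "status": {"@@assign": "enabled" if serial_console else "disabled"}}
    return {"ec2_attributes": attrs}


def _assigned(policy, path):
    """Walk ec2_attributes along `path` and return its @@assign value, or None."""
    node = policy.get("ec2_attributes", {})
    for key in path:
        node = node.get(key)
        if not isinstance(node, dict):
            return None
    return node.get("@@assign")


def missing_controls(policy):
    """Names of baseline controls the document does not enforce."""
    return [name for name, (*path, acceptable) in BASELINE.items()
            if _assigned(policy, path) not in acceptable]


def render(policy):
    """JSON text in the shape expected by `--content file://...`."""
    return json.dumps(policy, indent=2)


def cli_steps(policy_file, root_id="r-EXAMPLE"):  # r-EXAMPLE is a placeholder
    """AWS CLI commands (not executed here) to enable, create and attach the policy."""
    return [
        f"aws organizations enable-policy-type --root-id {root_id} "
        f"--policy-type DECLARATIVE_POLICY_EC2",
        f"aws organizations create-policy --name ec2-baseline --type DECLARATIVE_POLICY_EC2 "
        f"--description 'Org-wide EC2 guardrails' --content file://{policy_file}",
        f"aws organizations attach-policy --policy-id <POLICY_ID from create-policy> "
        f"--target-id {root_id}",
    ]


if __name__ == "__main__":
    policy = build_ec2_policy()
    gaps = missing_controls(policy)
    assert not gaps, gaps
    with open("ec2-declarative-policy.json", "w") as fh:
        fh.write(render(policy))
    print("\n".join(cli_steps("ec2-declarative-policy.json")))
```

The point of `missing_controls` is that a declarative policy only prevents what it declares: a document assembled with `require_imdsv2=False` is valid JSON and will attach cleanly, yet leaves IMDSv1 allowed in every member account, so the check belongs in the pipeline that produces the policy, before `create-policy` runs.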
It’s not clear who, within organizations, will be responsible for implementing declarative policies, but more cybersecurity organizations are starting to hire software engineers to programmatically implement them, noted Ryland. The overall goal is to provide a set of well-defined guardrails that can’t be easily circumvented, he added.
Ultimately, cloud security will become integrated with platform engineering initiatives, through which organizations are centralizing the management of DevSecOps workflows, noted Ryland.
Misconfigurations have historically been a major challenge in the cloud era, simply because the services used are programmatically provisioned by application developers who have little to no cybersecurity expertise. Over time, cybercriminals became more adept at scanning for misconfigurations of, for example, AWS S3 buckets, which made it simple to exfiltrate data. AWS has since made it more difficult for developers to make those types of mistakes, but declarative policies make it simpler to enforce cybersecurity policies at scale, noted Ryland. Similarly, AWS can also block malicious scanning of network traffic to help prevent actual cyberattacks, he added.
Additionally, AWS has updated its cloud security portfolio to add machine learning algorithms for the Amazon GuardDuty service that make it simpler to detect attack patterns, which can then be shared with DevSecOps teams to improve application security.
The challenge and the opportunity, as always, is to continue to make it harder for application developers to make mistakes without slowing down the pace at which applications can be built and deployed. Until that goal is achieved, application developers will continue to work around cybersecurity policies that, from their perspective, are often suggestions that can be ignored whenever deemed necessary.