Monday, November 14, 2022

How CloudFormation Helps Security | by Teri Radichel | Cloud Security | Nov, 2022


ACM.111 Separate your data and resources from your executable code

This is a continuation of my series of posts on Automating Cybersecurity Metrics.

The last post offered some suggestions pertaining to how CloudFormation could be improved.

This post explains how using CloudFormation can help you secure your AWS account.

Have you ever heard the phrase “separate your control plane from your data plane?” It is a concept often recommended as a security best practice for containers and Kubernetes (a topic I often get questions about from IANS customers.)

I imagine some developers got frustrated when they couldn’t take an action in CloudFormation. Instead of just describing what they want to deploy in a template, they wanted to calculate or do something. Perhaps that is why custom resources and the ability to call Lambda functions got tacked onto CloudFormation.

But CloudFormation is not for “actions.” CloudFormation is data. Metadata, to be more specific, that describes the state of your cloud infrastructure.

Have you ever been told to remove the configuration of your program from the application code itself and put it in a separate file? CloudFormation is a similar concept (sort of). We’re configuring resources. You separate the resource configuration from the code that executes the deployment.

The functionality that deploys a CloudFormation template — the actions that you want to perform — should remain separate from the data itself for a clean design.

I realize that sometimes this is hard to do. It requires extra thought when designing your deployment systems. I ran into some issues already in this series where I had to generate a template — but that was caused by CloudFormation limitations rather than an issue that could be fixed so I could keep my design nice and clean.

Here’s what you can do if you keep your configuration data separate from your executable code.

  • You can ensure that when someone is modifying code that takes action, they are not changing the CloudFormation templates or infrastructure configurations.
  • On the other hand, when you are deploying infrastructure, you don’t need to allow someone to access or modify the code that handles deployments, like, say, turning off security checks embedded in the process.

Separate execution from data.

Deploying CloudFormation templates allows you to inspect the configuration of your resources because CloudFormation has a structure that can be validated and compared to what exists in your cloud account. Free-form code that can be written any which way might be hard to decipher to determine if you have a configuration problem.

By the way, if you are using Terraform it has this same attribute of separating code from data, depending on whether you adhere to the principle. Generally, you are defining resources and then using other commands to deploy the resources based on the defined configuration.

As an aside, sometimes people believe that by using Terraform they can write one set of code to deploy everywhere — but you are still going to have different code for different resources across cloud platforms. You’ll still want to understand the underlying cloud platforms to troubleshoot problems.

What Terraform helps with is creating a single deployment pipeline for resources across different cloud platforms so you can manage things in a consistent manner. If you’re using multiple platforms you may definitely want to consider it, but remember you’ll still end up writing code for each platform in a lot of cases.
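The validation this paragraph describes, shown as an added example that is not from the post and not from AWS: a small Python script that treats a CloudFormation template as data, runs two checks over it (S3 buckets that declare no encryption, security group ingress open to the whole internet) and compares the declared properties against a snapshot of what is in the account. The template, the snapshot and the two rules are constructed for this example; in a real pipeline the live snapshot would come from CloudFormation's own drift detection (`aws cloudformation detect-stack-drift` followed by `describe-stack-resource-drifts`) rather than a hand-written dictionary.

```python
"""Static checks over a CloudFormation template treated as data.

Added example, not code from the original post. The template below and
the 'observed' snapshot are constructed; the resource types and property
names (AWS::S3::Bucket, BucketEncryption, SecurityGroupIngress, CidrIp)
are real CloudFormation names.
"""
import json

# Constructed sample template in JSON form so only the standard library is needed.
TEMPLATE_JSON = r"""
{"AWSTemplateFormatVersion": "2010-09-09",
 "Resources": {
   "LogBucket": {"Type": "AWS::S3::Bucket",
     "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
       {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
   "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
   "AdminSG": {"Type": "AWS::EC2::SecurityGroup",
     "Properties": {"GroupDescription": "admin access",
       "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                 "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}}}}
"""


def load_template(text: str) -> dict:
    """Parse a JSON CloudFormation template and check its top-level shape."""
    template = json.loads(text)
    if not isinstance(template.get("Resources"), dict):
        raise ValueError("template has no Resources section")
    return template


def check_template(template: dict) -> list:
    """Return (logical_id, message) findings for weak settings.

    Two illustrative rules: S3 buckets must declare BucketEncryption, and
    security groups must not allow ingress from 0.0.0.0/0 or ::/0.
    """
    findings = []
    for logical_id, resource in template["Resources"].items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties", {}) or {}
        if rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append((logical_id, "S3 bucket has no BucketEncryption"))
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr in ("0.0.0.0/0", "::/0"):
                    findings.append((logical_id,
                                     f"ingress from {cidr} on port "
                                     f"{rule.get('FromPort')}-{rule.get('ToPort')}"))
    return findings


def detect_drift(template: dict, observed: dict) -> dict:
    """Compare declared Properties with an observed snapshot per resource.

    `observed` maps logical id -> properties as currently seen in the account
    (constructed here; the drift detection API would supply it in practice).
    Returns {logical_id: {property: (declared, observed)}} for properties
    that differ; a missing resource is reported under the key "<resource>".
    """
    drift = {}
    for logical_id, resource in template["Resources"].items():
        declared = resource.get("Properties", {}) or {}
        live = observed.get(logical_id)
        if live is None:
            drift[logical_id] = {"<resource>": (declared, None)}
            continue
        diffs = {k: (declared.get(k), live.get(k))
                 for k in set(declared) | set(live)
                 if declared.get(k) != live.get(k)}
        if diffs:
            drift[logical_id] = diffs
    return drift


# Constructed 'observed' snapshot: encryption was removed from LogBucket out of
# band and ScratchBucket was deleted; AdminSG still matches the template.
OBSERVED = {
    "LogBucket": {},
    "AdminSG": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                  "ToPort": 22, "CidrIp": "0.0.0.0/0"}],
    },
}


if __name__ == "__main__":
    tpl = load_template(TEMPLATE_JSON)
    for lid, msg in check_template(tpl):
        print(f"FINDING {lid}: {msg}")
    for lid, diffs in detect_drift(tpl, OBSERVED).items():
        print(f"DRIFT {lid}: {diffs}")
```

Both functions work only because the template has a fixed shape (Resources, Type, Properties) that the checks can walk. They can run in the pipeline before the deployment step and again afterwards, and they need no access to the code that performs the deployment, which is the separation the post is arguing for.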

Here’s a great example of what I’m talking about:

I haven’t vetted that code. I just quickly searched for an example to demonstrate the concept that I’m addressing.

Many articles have been written about how “infrastructure as code” can help you with cloud security. That’s something I cover in cloud security classes but not in this post. Here I’m specifically talking about using CloudFormation versus some other AWS deployment methods, and considerations for how you implement your deployments with it.

Just remember to keep your CloudFormation configuration data separate from your executable code or actions taken on and with that data.

Follow for updates.

Teri Radichel

If you liked this story please clap and follow:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022

All the posts in this series:

____________________________________________

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
