🔙 Backjoeygoksu.com

DevSecOps: Policy as Code

software

March 17, 2022

Hello everyone,

I’ve been super busy with hashicorp vault lately and I saw the other product named “sentinel”. It is a policy as code tool. Policy as code is the idea of writing code in a high-level language to manage and automate policies. By representing policies as code in text or code files, proven software development best practices can be adopted such as version control, automated testing, and automated deployment.

It is an approach to policy management in which policies are defined, updated, shared, and enforced using code.

It also has a lot of benefits. A policy-as-code approach makes it possible to define and manage policies in ways that different types of stakeholders can understand. Such as developers, administrators, security engineers so go on.

As I mention above, I want to show some examples from hashicorp sentinel. Let’s look at it.

Policy Language

The policy language was designed to be a simple, declarative language that can be used to define and enforce policies. It’s approachable by non-programmers. So, everyone can define a policy easily in your company/team. However, the policy language includes constructs that are familiar to developers to enable powerful policies.

Here is a super simple example code block.

# Import the library
import "time"

# Validate time is between 8 AM and 4 PM
valid_time = rule { time.now.hour >= 8 and time.now.hour < 16 }

# Validate day is M - Th
valid_day = rule {
	time.now.weekday_name in ["Monday", "Tuesday", "Wednesday", "Thursday"]
}

main = rule { valid_time and valid_day }

We can easily define a policy for valid days and times. So, we can use this policy to validate if the time is between 8 AM and 4 PM and the day is Monday - Thursday. Awesome, right?

Benefits of Policy-as-Code

Compared to the alternative – which is to manage rules, conditions, and procedures manually – policy-as-code offers several critical benefits:

  • Efficiency: Once we have a policy, we can use it at the scale.
  • Visibility: Even non-programmers can understand the policy language.
  • Collaboration: By providing a uniform, policy-as-code simplifies collaboration.
  • Accuracy: Once the teams define the policy, they avoid the risk of making configuration mistakes when managing a system manually.

There are amazing tools that can help you to manage policies. I would like to focus hashicorp sentinel in the near future. So, I will show you some examples.

You can also check the tools like Prisma Cloud, Bridgecrew, and Checkov. They can also automatically scan and audit policy files in order to detect misconfigurations or vulnerabilities prior to deployment.

I will share hands-on examples of how to use policy-as-code in the next blog post. I also want to deploy it to AWS using Terraform.

See you in the next blog post. Thanks for reading, sharing and learning.


References:

Cloud Securitypolicy-as-codehashicorp sentinel

Crafted with ❤️ in multiple locations [🇬🇧 🇺🇸 🇹🇷 🇷🇺]. · © 2022