cfn_nag
gatekeeper
Our great sponsors
cfn_nag | gatekeeper | |
---|---|---|
14 | 22 | |
1,219 | 3,465 | |
0.5% | 2.0% | |
0.0 | 9.3 | |
8 months ago | 3 days ago | |
Ruby | Go | |
MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cfn_nag
-
Setting up my own landing zone on AWS
.pre-commit-config.yaml – contains the cfn-lint and cfn_nag pre-commit hooks.
-
Guide to Serverless & Lambda Testing — Part 2 — Testing Pyramid
For generic CloudFormation templates, check CFN-NAG.
-
AWS Serverless Production Readiness Checklist
If you use CDK, you should implement CDK nag; otherwise, use cfn-nag.
-
Make your life easier using Makefiles
cfn_nag
-
Creating a Multi-Account CI/CD Pipeline with AWS CodePipeline
CodeBuild will run a linting check against the CloudFormation Template using cfn-lint and will then run cfn-nag to check for patterns that indicate insecure resources within the CloudFormation template.
-
App with self-contained infrastructure on AWS
Security checks for the Cloudformation stack using cfn-nag
-
Mastering AWS CDK Aspects
cdk-nag contains several Aspects to check your applications for best practices. It is especially useful if you need to be HIPAA-compliant or have other compliance requirements. It is inspired by cfn_nag which is a a tool checking for patterns in your CloudFormation templates.
-
how did you get good at iac-cloudformation
cfn-lint and cfn_nag or other tools of that nature to check as you write so you don't need to continually try to deploy only to find that you've done something dumb.
-
Source Control your AWS CloudFormation templates with GitHub
There is another tool called cfn_nag that can check your code for potentially any insecure infrastructure. When you read the documentation around this tool, the author says it can check for things such as:
-
Install cfn_nag on Windows
I recently wanted to use the cfn-nag tool on some templates I was writing but couldn't find any instructions to install on Windows, but I have found a way to do it.
gatekeeper
- Shrink to Secure: Kubernetes and Secure Compact Containers
-
Long, detailed post mortem on a reddit failed k8s upgrade
When the Gatekeeper validatingwebhook came up, I was really worried that'd be the issue! Regardless I'd recommend anyone who cares about their cluster not collapsing to change the gatekeeper webhook to only intercept resources you care about: https://github.com/open-policy-agent/gatekeeper/pull/1806
- Is OPA Gatekeeper the best solution for writing policies for k8s clusters?
-
Implement DevSecOps to Secure your CI/CD pipeline
Kyverno adds an extra layer of security where only the allowed type of manifest is deployed onto kubernetes, otherwise, it will reject or we can set validationFailureAction to audit which only logs the policy violation message for reporting. Kubewarden and Gatekeeper are alternative tools available to enforce policies on Kubernetes CRD.
-
Gatekeeper with Istio
Now, we have the hardest part resolved and let's turn our attention to the OPA Gatekeeper. Gatekeeper uses the OPA Constraint Framework to describe and enforce policy. Right now there are mainly 3 parts we should pay attention:
-
10 Essentials For Kubernetes Multi-Tenancy
They enable you to establish the policies and regulations that govern cluster deployments and applications. Using predefined policies, policy engines can dynamically modify or create configurations. Policy engines such as Gatekeeper and Kyverno can be leveraged to meet legal and compliance requirements while maintaining operational flexibility and development speed.
- Gatekeeper - Policy Controller for Kubernetes
-
Kubernetes for Startups: Practical Considerations for Your App
Setup policy around what resource requirements can be requested by an app per environment. OPA and gatekeeper or kyverno can help. Setup access control for who can create or modify apps.
-
Kubernetes policy management: I - Introduction
OPA Gatekeeper is an open source, general purpose policy engine. OPA decouples policy decisions from other responsibilities of an application, like those commonly referred to as business logic. OPA works equally well making decisions for Kubernetes, Microservices, functional application authorization and more, thanks to its single unified policy language.
- Gatekeeper
What are some alternatives?
checkov - Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
Kyverno - Kubernetes Native Policy Management
cfn-python-lint - CloudFormation Linter
falco - Cloud Native Runtime Security
SonarQube - Continuous Inspection
cloud-custodian - Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
aws-secure-environment-accelerator - The AWS Secure Environment Accelerator is a tool designed to help deploy and operate secure multi-account, multi-region AWS environments on an ongoing basis. The power of the solution is the configuration file which enables the completely automated deployment of customizable architectures within AWS without changing a single line of code.
k-rail - Kubernetes security tool for policy enforcement
vscode-cloudformation-snippets - This extension adds snippets for all the AWS CloudFormation resources into Visual Studio Code.
connaisseur - An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster
tfsec - Security scanner for your Terraform code
opa-envoy-plugin - A plugin to enforce OPA policies with Envoy