Control Broker is a Policy as Code evaluation engine available via an API. Various Consumers can invoke this API to get evaluations of a given input against a series of policies expressed using the Open Policy Agent framework. This Policy-as-Code process codifies security and operational requirements into policy code, which in the case of OPA are written in the Rego language.
A common use case for OPA is a pre-deployment check in a Infrastructure-as-Code pipeline.
OPA can also be leveraged for Detective Controls that evaluate existing resources. Resources supported by Cloud Control can be described by the GetResource Schema, which, when wrapped in a Resources key, is a Schema that can overlap with a raw Cloud Formation template schema.
This repository aims to deploy a minimal Detective Control environment that invokes the Control Broker endpoint at /ConfigEvent to get an evaluation on an AWS Config Event.
This readme.md will cover:
- Setup the local Python environment
- Deploy the Detective Control consumer Control Broker via Python CDK
- Toggle the configuration of an ExampleApp resource to test the PaC evaluation
- A running serverless instance of Control Broker. See setup here
- A development environment capable of setting up a Python virtual environment
This repository was tested with a Cloud9 IDE.
uname -a # (Cloud9) Linux ip-10-0-3-28.ec2.internal 4.14.320-243.544.amzn2.x86_64 #1 SMP Tue Aug 1 21:03:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
python3 -V # Python 3.9.6
The CodePipeline stacks needs to know at which URL to invoke the Control Broker instance deployed in step 1.1.
Set control-broker/apigw-url in cdk.json to the value for the key that starts with ControlBrokerApiConfigEventHandlerUrl
{
"control-broker/apigw-url":"https://MY_API_ID.execute-api.us-east-1.amazonaws.com/ConfigEvent"
}
This repository was tested with a Cloud9 IDE.
uname -a # (Cloud9) Linux ip-10-0-3-28.ec2.internal 4.14.320-243.544.amzn2.x86_64 #1 SMP Tue Aug 1 21:03:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
python3 -V # Python 3.9.6
npm -v # 9.8.1
node -v # v16.20.1
npm update -g typescript
npm install -g aws-cdk --force
cdk --version # 2.92.0 (build bf62e55)To setup the Python CDK environment in a new Cloud9 instance, consider:
# 0. setup
uname -a # tested on: Linux ip-10-0-3-28.ec2.internal 4.14.320-243.544.amzn2.x86_64 #1 SMP Tue Aug 1 21:03:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
sudo rm -f /var/run/yum.pid
sudo rm -rf /var/lib/yum/history
sudo rm -f /home/ec2-user/environment/README.md
sudo yum -y update
# 1. upgrade python
cd ~
wget https://www.python.org/ftp/python/3.9.6/Python-3.9.6.tgz
tar xzvf Python-3.9.6.tgz
cd Python-3.9.6
./configure
make
sudo make install
cd ~
sudo rm -f Python-3.9.6.tgz
sudo rm -rf Python-3.9.6
export PATH="/usr/local/bin:$PATH"
exec $SHELL
python3 -V
pip3 install urllib3==1.26.6 # requests
# 2. set venv
cat >> ~/.bashrc << EOF
alias ve='python3 -m venv venv'
alias ae='deactivate &> /dev/null; source ./venv/bin/activate'
alias pu='python3 -m pip install -U pip setuptools wheel'
alias pit='python3 -m pip install pip-tools'
alias pc='pip-compile'
alias ps='pip-sync'
alias start='ve && ae && pu && pit'
alias cdd='cdk deploy --all --require-approval=never'
EOF
exec $SHELL- Deploy the Detective Control consumer Control Broker via Python CDK
Clone this repository and perform the following setup from the root of this repository.
start # build venv
pc && ps # install packages using pip-tools
cdd # cdk deployOur ExampleApp consists of two SQS queues. One has
content_based_deduplication = toggled_boolean,
the other has
content_based_deduplication = not toggled_boolean,
where
toggled_boolean_path='./dev/tracked_by_config/toggled_boolean.json'
This OPA policy performs a simple operational check on that CloudFormation template. It applies to resources of type "AWS::SQS::Queue", and requires that ContentBasedDeduplication be true.
The result is that with each cdk deploy, the stack will edit the queues to alter that field of interest. This generates Config Events which are available to view in the Cloud Watch Logs of the invoked_by_config lambda, which passes that Config Event to Control Broker endpoint at /ConfigEvent to get an evaluation.
This evaluation decision is returned as an evaluation to the AWS Config Rule that starts with CBConsumerConfig-SQSPoC. The End-to-End test of that evaluation is tracked in an AWS Step Functions State Machine named ConfigEventProcessing.
Use cdk deploy to trigger evaluations, and view the Step Functions and AWS Config console to track their progress.
For a complete list of example Consumers of Control Broker, including a CodePipeline implementation of the IaC pipeline referenced above, see here