AWS Partner Network (APN) Blog

Scale Your AWS Environment Securely with HashiCorp Terraform and Sentinel Policy as Code

By AJ Bond, DevOps Consultant, AWS
By Manu Chandrasekhar, Devops Consultant, AWS

HashiCorp-AWS-Partners-2023
HashiCorp
Connect with HashiCorp-2

As cloud computing environments grow more complex, organizations face the challenge of reviewing and enforcing governance policies across their diverse infrastructure. Siloed tools, inconsistent standards and manual processes are inefficient, error prone and unable to keep pace with rapid changes. To address the challenges, organizations can shift the compliance review earlier in the development cycle following a “shift-left” approach. This proactive approach can streamline policy enforcement, catch vulnerabilities earlier and reduce risk of breaches, optimize resource usage, and enable organizations to consistently maintain standards across their entire cloud infrastructure.

In this blog post, we show you how HashiCorp Cloud Platform (HCP) Terraform and Sentinel policy framework can help organizations address their cloud governance at scale by using Policy as code (PaC). HashiCorp is an AWS Specialization Partner and AWS Marketplace Seller that provides consistent workflows to provision, secure, connect, and run any infrastructure for any application. HCP Terraform is HashiCorp’s managed service offering and eliminates the heavy lifting for practitioners, teams, and organizations to use Terraform in production.

Sentinel policy framework

Sentinel is an embedded policy as code framework that provides fine-grained, logic-based policy enforcement over infrastructure configurations modeled in Terraform. Customers can use Sentinel to define policies in the form of code using Sentinel’s own language to govern resource provisioning, access controls, and other behaviors. This gives customers an automated and scalable way to enforce security, compliance, and cost management policies. Customers can lean on Sentinel’s native integration with the HCP Terraform workflow to import information from Terraform state and make policy decisions. Sentinel can also prevent actions through different enforcement levels that you specify for your Terraform deployment processes.

Figure 1: High-level diagram of how Sentinel evaluates Terraform configurationFigure 1: High-level diagram of how Sentinel evaluates Terraform configuration

There are several key benefits of using Sentinel in your Terraform workflow:

  • Fine-Grained Policy: Sentinel policies can be written to specify required tags, naming conventions, allowed regions, instance types, and other aspects of AWS infrastructure that should be enforced.
  • Logic-Based Policy: Sentinel allows you to write policy using full conditional logic. For example, you may only allow a certain instance type based on the environment state (production, sandbox, dev) or allow replacement of instance type only during certain time of the day.
  • Extensibility: Sentinel can be extended by using additional imports. These imports can bring new functionality to Sentinel by allowing access to new data or by the addition of new functions or modules via reusable policy code.
  • Planned state: Sentinel policies can access the planned state of the AWS infrastructure from Terraform to evaluate and enforce rules. For example, a policy can check that an RDS instance planned for deployment is encrypted and in a VPC.

Introducing Sentinel Pre-written policies

At re:Invent 2024, HashiCorp announces the public beta of pre-written Sentinel policies for AWS. With this new release, AWS customers can gain the immediate benefit of Sentinel policy as code, without having to invest in the heavy lifting of writing their own Sentinel policies from scratch. With the pre-written policies for the CIS benchmark, Sentinel offers pre-written rules that can provide robust guardrails for enhanced security and compliance. Pre-written CIS Sentinel policies automate the enforcement of security best practices like encryption, access restrictions, and data protection. For operations teams, this bakes in proactive compliance checks into the infrastructure provisioning process, rather than leaving it to manual audits after deployment. It also reduces the burden of defining and maintaining these policies across multiple Terraform projects.

Customers can access the pre-written policies from Terraform Registry Policy Libraries. In this library, customers can find the specific policy framework of interest as per their particular use case. Using the provided Terraform module helpers, customers can quickly deploy the policy sets into their HCP Terraform organization. Sentinel policy will inspect the Terraform configuration plan and block resource provisioning if it fails the policy checks as shown below in Figure 2.

Figure 2: Example of a failed run of Sentinel policy checks in a Terraform workflowFigure 2: Example of a failed run of Sentinel policy checks in a Terraform workflow

Customers also have the ability to consume these pre-written policies as a policy set into their HCP Terraform or Terraform Enterprise environments. As a result, customers can enforce different policy levels across multiple workspaces within the organizations. For example, teams can apply policy sets on an advisory/soft-mandatory/hard-mandatory enforcement level per project, per workspace or even at a global scale. Such granularity allows the organization to scale the implementation of Sentinel to separate group / team according to the enforcement level required. We recommend starting with the advisory levels to gauge the current compliance levels across the deployed infrastructure before making them mandatory to avoid disruptions.

Conclusion

Sentinel enables centralized and automated governance across complex and evolving cloud environments through its embedded policy as code approach. With Sentinel, organizations can rapidly enforce compliance, security, efficiency and organizational best practice standards across teams and resources to effectively manage risk as cloud usage scales. To learn more about pre-written Sentinel policy for CIS Benchmark, please check the Policy Library in Terraform Registry and the launch video. You can also find HCP Terraform in AWS Marketplace.

HashiCorp-APN-Blog-Connect-2023


HashiCorp – AWS Partner Spotlight

HashiCorp is an AWS Competency Partner that provides consistent workflows to provision, secure, connect, and run any infrastructure for any application.

Contact HashiCorp | Partner Overview | AWS Marketplace | Case Studies