The Accurics Quick Start Guide is intended to help you evaluate the Accurics platform quickly and easily.
As you build your defense-in-depth strategy with Accurics, there are three primary prerequisites that you need to be aware of.
- The Cloud Service Provider. Accurics currently supports Amazon Web Services, Microsoft Azure, and the Google Cloud Platform. You will need read-only credentials that allow Accurics to enumerate the resources you want to analyze.
- An interface to your Infrastructure as Code. There are a few possible entry points, but let’s plug into your Version Control System for this guide. Accurics supports:
  - Azure DevOps
  - AWS CodeCommit
  - Other Git-based solutions via proxy
- Policy as Code. Out of the box, Accurics provides over a thousand policy controls and curated policy groups for common regulatory frameworks. Because it builds on the Open Policy Agent and its Rego policy language, Accurics can be extended to cover security requirements specific to your organization.
This section explains some of the important concepts that you will need to understand to efficiently use the Accurics platform to manage the security of your resources.
A Project is a logical grouping of related things: cloud infrastructure, its associated IaC, and security policy, possibly with a Kubernetes cluster or pipeline thrown in for good measure.
Usually, projects are named according to your application structure, such as “Application XYZ – Dev”. However, you can rename any project after creating it.
Let’s begin by creating a new project from the Accurics dashboard.
You can find the step-by-step documentation at:
After creating a project, you need to give Accurics access to your IaC repository. This access lets Accurics scan your Infrastructure as Code for possible vulnerabilities and start building feedback loops between the Security and Infrastructure Development teams.
You can connect more than one repository if that is what it takes to capture the full scope of the code.
You can find the step-by-step documentation at:
Cloud Service Provider Access
Once the repositories are connected, Accurics gains visibility into your Infrastructure as Code. Connecting your cloud account gives it the same visibility into your runtime environment.
With both connected, you can compare the security posture of your running infrastructure with that of your IaC, report how the runtime differs from the IaC, and track how it changes over time.
You can find the step-by-step documentation at:
- Amazon Web Services
  - Connect to an AWS account
  - Scanning AWS resources
- Microsoft Azure
  - Connect to a Microsoft Azure account
  - Scanning Azure resources
- Google Cloud Platform
  - Connect to a Google Cloud account
  - Scanning Google Cloud resources
Now you need a compliance standard to compare your infrastructure against. Accurics lets you use one of the curated policy groups out of the box or create custom policies specific to your needs.
You can enforce policies at three different levels.
- Monitoring returns a warning that some resources may be out of compliance.
- Enforcing policies can be used to “break the build” when integrated with a CI/CD Pipeline.
- Self-healing policies automate the creation of pull requests, allowing engineers to define secure defaults for cloud resources.
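The following is an added illustration of the policy-as-code idea from the prerequisites and of the three enforcement levels just listed; it is not Accurics' code or policy format. Accurics policies are written in Rego for the Open Policy Agent, whereas this Python stand-in expresses the same logic (one rule evaluated over normalized resource JSON, then applied in monitor, enforce or self-heal mode). The resource records, field names, the rule itself and the policy-level secure default are all constructed assumptions.

```python
"""Policy evaluation over normalized IaC resources with three enforcement modes.

Added example, not Accurics' engine: the rule, the resource records and the
field names are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: two security groups in a normalized, Cloud-as-Code-style form.
RESOURCES = [
    {
        "id": "aws_security_group.web",
        "type": "aws_security_group",
        "ingress": [
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        ],
    },
    {
        "id": "aws_security_group.db",
        "type": "aws_security_group",
        "ingress": [
            {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
        ],
    },
]

SSH_PORT = 22
# Hypothetical secure default defined at the policy level, used by self-heal mode.
SECURE_DEFAULT_CIDR = "10.0.0.0/8"


@dataclass
class Violation:
    resource_id: str
    rule_index: int
    message: str


def ssh_open_to_world(resource: dict) -> list[Violation]:
    """Rule: a security group must not allow SSH (port 22) ingress from 0.0.0.0/0."""
    violations: list[Violation] = []
    if resource.get("type") != "aws_security_group":
        return violations
    for i, rule in enumerate(resource.get("ingress", [])):
        covers_ssh = rule["from_port"] <= SSH_PORT <= rule["to_port"]
        if covers_ssh and "0.0.0.0/0" in rule.get("cidr_blocks", []):
            violations.append(Violation(resource["id"], i, "SSH ingress open to 0.0.0.0/0"))
    return violations


class BuildBroken(Exception):
    """Raised in enforce mode so that a CI/CD step exits non-zero."""


def enforce_policy(resources: list[dict], mode: str) -> dict:
    """Apply the rule in one of three modes.

    monitor   -> report violations only (a warning)
    enforce   -> report and raise BuildBroken, breaking the build
    self-heal -> report and attach a suggested fix (the secure default) per violation,
                 the data a pull request would be generated from
    """
    if mode not in ("monitor", "enforce", "self-heal"):
        raise ValueError(f"unknown mode {mode!r}")
    violations = [v for r in resources for v in ssh_open_to_world(r)]
    result = {"mode": mode, "violations": violations, "fixes": []}
    if mode == "enforce" and violations:
        raise BuildBroken(f"{len(violations)} policy violation(s)")
    if mode == "self-heal":
        for v in violations:
            result["fixes"].append({
                "resource_id": v.resource_id,
                "path": f"ingress[{v.rule_index}].cidr_blocks",
                "current": ["0.0.0.0/0"],
                "suggested": [SECURE_DEFAULT_CIDR],
            })
    return result


if __name__ == "__main__":
    for mode in ("monitor", "self-heal", "enforce"):
        try:
            print(mode, enforce_policy(RESOURCES, mode))
        except BuildBroken as exc:
            print(mode, "build broken:", exc)
```

The same rule is evaluated in every mode; only the consequence changes, which is why the modes can be switched per policy group without touching the rule. In enforce mode the exception is what a pipeline step would turn into a non-zero exit code.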
By default, Accurics automatically assigns an Accurics-curated Best Practices Policy to your project. However, if you want to add or adjust policy groups to better suit your needs, you can click the project name on the dashboard and select from the policy groups available through the Active policy group option.
Things to Try
Now that you have a working Project scanning both your IaC and Cloud Runtimes, let’s see what you can do.
Set up a Cloud Scan
In the Projects tab of the home page, you should see the projects you configured above. Move your mouse over the Run scan link in the Last scan column, and click Configure Cloud Scan.
From here, you will be presented with a list of Cloud Resources you can select from to customize your Cloud Scans for your needs. Make your selections and be sure to click on Save as Default Scan in the upper right corner to make these your defaults.
Click Run Scan to initiate your first runtime scan. You can also adjust the schedule for automatic scans and see a history of all Cloud Scans in this Project. For more information, see Initiate a Cloud Scan.
Compare IaC violations to Runtime (Cloud as Code)
After you run your first Cloud Scan, you will probably see some policy violations.
If you mouse over the violation count, you will see a breakdown of how many violations were found in your Infrastructure as Code versus your Cloud Runtimes. If there is a mismatch, it is likely because there are either undeployed changes in your IaC or some Cloud Resources were built manually. Go ahead and click on the number beside IaC.
You will now see the list of failing policies in your Infrastructure as Code. The Source column displays if the violation is found in IaC, Cloud Runtime, or both. Click one of the failed policies that have both an IaC and Cloud Source. You get a side panel that gives you more details and a few options to initiate remediation workflows. Click on one of the links under Impacted resources.
This dialog details the vulnerable resource and where the offending IaC lives within your code repository. The Change History tab shows how both the IaC and Cloud resources have changed throughout the lifetime of the Project.
Finally, selecting the Configuration tab will display the Cloud as Code representation across your IaC and Cloud. This is the normalized JSON that allows you to compare apples to apples when analyzing your infrastructure.
At the Project dashboard, you may notice Accurics reporting on Drift. You can see this broken down by IaC and Cloud.
You may have resources under IaC management that do not match your Cloud Runtime, for example an AWS Security Group where an ingress rule was modified in the console to close a high-severity vulnerability. Accurics reports that as IaC Drift, to let you know these configurations will not persist through the next deployment.
Cloud Drift reports on Cloud Resources that have been configured outside the scope of your Infrastructure as Code. Your automation will not affect these resources; however, it is helpful to track how they change over time.
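As an added example (not Accurics' code) of the comparison described in this section and in the Cloud as Code discussion above, the block below diffs a constructed IaC view against a constructed runtime view of the same account, both in a normalized JSON shape, and classifies the result into IaC Drift (a managed resource whose runtime configuration differs), Cloud Drift (a runtime resource with no IaC definition) and undeployed IaC. The resource ids, field names and sample values are assumptions; the ingress-rule-tightened-at-the-console case mirrors the Security Group example in the text.

```python
"""Classify drift between IaC and cloud runtime over normalized JSON records.

Added example, not Accurics' code. Resource ids, field names and values are
constructed; the normalized shape only stands in for a Cloud-as-Code view.
"""
from __future__ import annotations

import json

# Constructed sample: what the IaC declares, keyed by resource id.
IAC = {
    "aws_security_group.web": {
        "ingress": [
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        ],
    },
    "aws_s3_bucket.logs": {"versioning": True, "acl": "private"},
}

# Constructed sample: what the cloud account actually contains. The SSH rule
# was tightened in the console (IaC Drift) and the "scratch" bucket was created
# by hand with no IaC definition (Cloud Drift).
CLOUD = {
    "aws_security_group.web": {
        "ingress": [
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
        ],
    },
    "aws_s3_bucket.logs": {"versioning": True, "acl": "private"},
    "aws_s3_bucket.scratch": {"versioning": False, "acl": "public-read"},
}


def diff(declared, actual, path: str = "") -> dict:
    """Return {dotted_path: {"iac": ..., "cloud": ...}} for every differing leaf.

    Lists are compared as unordered collections, so a mere reordering of
    ingress rules is not reported as drift; only entries present on one side
    are listed.
    """
    out: dict = {}
    if isinstance(declared, dict) and isinstance(actual, dict):
        for key in sorted(set(declared) | set(actual)):
            sub = f"{path}.{key}" if path else key
            if key in declared and key in actual:
                out.update(diff(declared[key], actual[key], sub))
            else:
                out[sub] = {"iac": declared.get(key), "cloud": actual.get(key)}
        return out
    if isinstance(declared, list) and isinstance(actual, list):
        d = {json.dumps(x, sort_keys=True) for x in declared}
        a = {json.dumps(x, sort_keys=True) for x in actual}
        if d != a:
            out[path] = {
                "iac": [json.loads(s) for s in sorted(d - a)],
                "cloud": [json.loads(s) for s in sorted(a - d)],
            }
        return out
    if declared != actual:
        out[path] = {"iac": declared, "cloud": actual}
    return out


def classify_drift(iac: dict, cloud: dict) -> dict:
    """Split the two views into IaC Drift, Cloud Drift and not-yet-deployed IaC."""
    report: dict = {"iac_drift": {}, "cloud_drift": [], "undeployed": []}
    for rid, declared in iac.items():
        if rid not in cloud:
            report["undeployed"].append(rid)  # defined in IaC, absent from runtime
            continue
        changed = diff(declared, cloud[rid])
        if changed:
            report["iac_drift"][rid] = changed  # managed resource, runtime config differs
    # Present in the runtime but never defined in IaC: automation will not touch it.
    report["cloud_drift"] = sorted(set(cloud) - set(iac))
    return report


if __name__ == "__main__":
    print(json.dumps(classify_drift(IAC, CLOUD), indent=2))
```

Note that the drift report says nothing about which side is more secure: in the sample the runtime is tighter than the IaC, yet it is still IaC Drift, because the next deployment would reopen the rule. That is exactly why drift and policy violations are reported separately.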
Feedback by creating a Pull Request
Now that you have visibility into your Infrastructure as Code, Cloud Runtimes, and how they compare against your Security Policy, you can start setting up feedback loops to remediate vulnerabilities as quickly and effectively as possible.
Go to the Project dashboard again, select IaC Policy violations, and drill down into one of your Failed policies. If you select the check box next to one of the offending cloud resources, you can see a few workflows available to help initiate the remediation process. Create a Jira ticket is probably familiar to most organizations, where security concerns are thrown over a wall to Infrastructure Developers to figure out. Ideally, you want to plug into the common Software Development and Testing workflows likely already in place.
If you are using a supported Version Control System, you can click on the three dots to the right of the Impacted resource, and you will see an option to Create a Pull Request. This will give you a process to create a branch within your repository with a suggested fix. You will see the vulnerable resource, its current configuration, as well as the option to suggest a more secure value. Defaults can be defined at the Policy level to help you build a security standard and even automate creating Pull Requests. For now, simply enter a Secure Value and click Create PR.
You can now navigate to your IaC repository and find the recommended changes under Pull Requests. The exact format will differ depending on the Version Control System, but typically it will show you details on the offending line or lines of code, as well as recommend fixes with the Secure Values you provided earlier. You now have the option to review the changes, merge the pull request to remediate your Infrastructure as Code, and even deploy the changes to your Cloud Runtime to resolve live vulnerabilities.
Accurics brings several other capabilities that you may wish to try, including scanning with the Command Line Interface (CLI), from Microsoft Visual Studio Code, and inside a CI/CD pipeline.
Scanning at the CLI
You have now set up a workflow to minimize the time to remediate possible vulnerabilities in your Cloud Runtimes. However, you will still need to catch these issues before they get deployed in the first place. Accurics has the unique ability to apply your security policy to code before it is even checked into version control!
There are a few different ways to automate the identification of insecure Infrastructure as Code as early as possible; however, the simplest and most effective way is to find vulnerabilities before they even hit version control. To help do this, Accurics provides Infrastructure Developers a CLI tool to scan their code locally.
The earlier you find possible vulnerabilities, the easier they are to fix. You can read more about configuring the CLI scanner in Set up Code Analysis through CLI.
You can also use the Accurics extension for Microsoft Visual Studio Code, available on the Visual Studio Code Marketplace.
Integrating Accurics into the CI/CD Pipeline
As you build maturity around your Infrastructure Development workflows, you will probably want to automate the testing and deployment of your Infrastructure as Code.
Accurics can easily plug into many common CI/CD tools to build a security gate that automatically prevents insecure code from moving forward. Of course, every CI/CD tool is different, but you can find information about some common workflows in Connect your deployment CI/CD Pipelines.
Still have Questions?
You should now have a good understanding of how Accurics fits into your Cloud security strategy; however, every organization is unique, and not every integration point is covered in this guide. If you still have any questions during the process, contact Accurics.