Introduction to Guardrails
In the Telecom community, we define the term Guardrails as rules of governance for operations, security and compliance that a user can specify and apply either across their whole AWS environment or to a particular group of accounts.
As a general rule, security guardrails protect users from taking decisions that are not aligned with their overall requirements. Because guardrails can in general be overridden, we advise all users to configure guardrails so that they are visible to every account in their AWS environment, giving them a clear picture of the choices they are making.
It is widely acknowledged that a good security guardrail should focus on the threat model and act to mitigate each threat, while still applying the fundamental features of the service.
Classification of Guardrails
At a very high level, we classify guardrails as preventive or detective:
- Preventive Guardrails: This category of guardrails is intended to prevent the deployment of resources that do not follow the user's policy. In general, this type of guardrail requires AWS CloudTrail to be activated in all accounts.
- Detective Guardrails: The second category of guardrails is used to monitor deployed resources for non-compliance and to trigger the required alerts when it is detected. Users have the option to automate this process, for example by disallowing public read access to Amazon S3 buckets.
Application Forms of Guardrails
In general, guardrails are implemented in one of the following forms:
- AWS Organizations Service Control Policies (SCPs).
- AWS Config Rules.
- AWS IAM Permission Boundaries (Limits).
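To make the preventive/detective distinction and the SCP and Config-rule implementation forms concrete, here is an added Python example (not part of the original article and not AWS's own code): a constructed SCP that blocks CloudTrail tampering, a minimal Deny-only evaluator for it, and a compliance check modelled on the S3 public-read rule. The evaluator and the ACL check are simplified illustrations of the real IAM and AWS Config logic, not a reimplementation of either.

```python
import fnmatch

# Preventive guardrail (constructed sample): an SCP that denies tampering with
# CloudTrail, the service the article says must stay enabled in every account.
PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailTampering",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail"],
        "Resource": "*",
    }],
}

def scp_allows(scp: dict, action: str) -> bool:
    """Return False when any Deny statement matches the action.
    Simplified model: only the explicit-Deny path is evaluated; a real
    account also needs an Allow (e.g. FullAWSAccess) and condition keys."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        # IAM action patterns use '*' and '?' wildcards, which fnmatch supports
        if any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            return False
    return True

# Detective guardrail: inspect a bucket ACL after deployment and report
# NON_COMPLIANT when the AllUsers group holds READ (or FULL_CONTROL).
# This approximates the ACL portion of what the AWS Config managed rule
# s3-bucket-public-read-prohibited evaluates (policy checks are omitted).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def s3_public_read_compliance(acl_grants: list) -> str:
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri == ALL_USERS and grant["Permission"] in ("READ", "FULL_CONTROL"):
            return "NON_COMPLIANT"
    return "COMPLIANT"

# Constructed sample ACLs in the shape returned by S3 GetBucketAcl
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                "Permission": "FULL_CONTROL"}]
PUBLIC_ACL = PRIVATE_ACL + [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                             "Permission": "READ"}]
```

The SCP blocks the action before it happens (preventive), while the ACL check only reports a resource that already exists (detective), which is why the latter is paired with alerting or automated remediation.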
If the user has followed this guide to set up a team development environment, they should already have gained experience deploying SCPs and IAM permission boundaries to govern overall access across the team's development environments.
A well-known advantage is that guardrails integrate with open source and commercial security tools in order to surface the most urgent fixes that need to be applied.
- Integration with Modern Version Control Systems: Guardrails can be supported by GitHub, GitLab and Bitbucket, and they can identify when code changes and which user modified it. For such implementations, private repositories must be enabled by default. Furthermore, guardrails scan and report only the changes, directly in the developer workflow interface.
- Security Rules Curation: Guardrails cover about 700 rules in the platform and apply them in order to identify only the relevant threats that require immediate action.
- False Positive Detection: Finally, guardrails can use machine learning to continuously improve the accuracy of alerting on real vulnerabilities that need to be addressed.
Hopefully, every user now has key knowledge about guardrails, including how they are implemented on the AWS platform, the structure of the system tools that are merged, and finally the advantages of the almost 100% compatibility with open-source security tools that they provide for free.
We would like to see Amazon bring AWS Control Tower to more countries around the world, which will expand the possibilities for users to make secure choices for the services they provide to the public.
In conclusion, similar technology would be handy for other worldwide e-commerce websites (eBay, AliExpress, Banggood, etc.). Similar projects would unify online business opportunities and increase secure transactions for all kinds of payments worldwide.
Finally, guardrail technology will continue to evolve at Amazon, and every user will be secure and comfortable with the intelligent services it provides.