Did you know you could use Progress Chef InSpec profiles and AWS Systems Manager (SSM) to better support security and compliance within an air-gapped AWS Cloud environment?
Recently, we had the opportunity to collaborate with a client eager to leverage the capabilities of AWS Systems Manager. We embarked on a Proof of Concept (PoC) journey using SSM to streamline their operations.
This blog outlines the process we followed—and the promising results we obtained.
Some organizations that prefer to work in a highly secure environment opt for AWS air-gapped cloud. In these setups, internet access is restricted to help minimize security risks. However, managing the security and compliance of cloud resources can be complex.
Using SSM with Chef will help organizations audit, enforce and report on security and compliance within their restricted environment.
Let’s look at the prerequisites to set up before you can run Chef InSpec audits.
To make Chef InSpec profiles work within an air-gapped AWS environment, we harnessed the capabilities of AWS Systems Manager, a suite of services for managing AWS resources.
Here's how we executed the solution:
1. Air-Gapped VPC Configuration: We set up a dedicated VPC environment to isolate Chef InSpec profile execution from the internet.
2. Amazon S3 for Profile Storage: Chef InSpec profiles were stored in an Amazon S3 bucket within the air-gapped VPC. Note: Chef InSpec profiles stored in GitHub can also serve as a parameter.
3. AWS Systems Manager Association: We used AWS Systems Manager to associate Chef InSpec profiles with EC2 instances in the environment. This allowed us to automate the execution of profiles on target instances.
4. Chef InSpec Execution Within VPC: The Chef InSpec execution was carried out within the air gapped VPC, to facilitate audit and compliance checks without external network access.
5. Custom Reporting and Remediation: We customized reporting and remediation scripts using SSM custom document to export the reports to the Chef Automate server.
6. Scheduling Executions: We used the AWS System Manager Maintenance window feature to schedule the execution based on CRON or at scheduled intervals.
Air-gapped environments come with their own set of challenges. We deployed Chef InSpec profiles on an air-gapped environment in the following ways:
Profile Updates: Keeping Chef InSpec profiles updated within the restricted environment required manual updates, which we addressed by automating the synchronization of profiles.
Resource Constraints: Air-gapped environments typically have limited external integrations, making it necessary to work within the confines of the isolated setup. Utilizing SSM supports more secure integration of services, such as Git repositories and S3 buckets.
Custom SSM Document: The default SSM Document for running SSM won’t support exporting results to Chef Automate. We addressed this issue by creating a custom SSM Document to configure the Chef InSpec version and the reporting configurations.
The implementation of Chef InSpec profiles in an air-gapped AWS environment using AWS Systems Manager delivered numerous benefits:
Enhanced Security and Compliance: Chef InSpec profiles empowered the client to audit, enforce and report on the security and compliance of their infrastructure.
Air-Gapped Compatibility: The solution allowed security checks to be conducted without internet access, helping maintain the integrity of the restricted environment.
Automation and Remediation: The automation of compliance checks and remediation tasks saved valuable time and resources.
Customized Reporting: The client gained access to comprehensive and actionable compliance reports tailored to their specific needs.
The successful execution of Chef InSpec profiles within an air-gapped AWS Cloud environment using AWS Systems Manager is a testament to the adaptability and versatility of Chef tools. It underscores the importance of flexibility in securing and managing environments with unique constraints.
The information shared in this blog is based on a specific project and the pre-requisites and steps may vary for different use cases.
Download the architecture deployment guide to learn more about Chef InSpec and for detailed instructions on using Chef InSpec with SSM.