Announcing open-source cloud compliance with Snowflake
I’m proud to announce the release of CIS AWS Benchmarks as SQL so that anyone on Snowflake can quickly start doing data-driven compliance validation. This release is the product of many hours of effort by Snowflake Security Engineering. The result is an opportunity to save time for GRC teams, reduce vendor spend, and spot risky cloud configurations before they’re targeted by the bad guys.
In recent posts, I described why cloud compliance is a challenge and, at the same time, why the traditionally derided “checkbox” approach can be a solid foundation for cloud security. These aren’t especially original observations. In fact, there are many available solutions from cloud providers and cybersecurity vendors that can be used to generate compliance reports for cloud infrastructure.
The problem is that these off-the-shelf “canned” reports provide only the findings, not the raw data or the analytics logic. It’s fast and easy like junk food. But ingredients and preparation matter and especially as we get older we can’t live on Mickey D’s.
Larger cloud-centric enterprises are better off getting the raw data that describes every aspect of their infrastructure and analyzing it using custom analytics against their own standards and requirements.
With this home-made, data-driven approach in mind, we translated dozens of controls from the CIS AWS Foundations Benchmark from English into SQL queries that run over a snapshot of your AWS account data. For more information on how and why, check out my previous post, where I promised that the SQL would be coming soon. It is now available online and ready for use as a starting point for your internal compliance analytics.
Controlling the analytics enables you to tailor your compliance automation to your requirements and SLAs. But what about getting the raw data? Quality data is the most important part of solving any analytics problem and for AWS compliance automation you need a complete snapshot of your AWS assets and configurations.
Open-source AWS data collection is the other part of this latest release. Available now as part of the SnowAlert project, the AWS Collection data connector brings into Snowflake all of the raw data needed for the CIS AWS checks. Once you’ve achieved compliance with the CIS best practices, the same data can be used to lock down your AWS infrastructure further. For example, we’re excited about the potential for implementing “use it or lose it” IAM permissions, where access that has not been exercised in a defined window is flagged for removal, and for analyzing user policies for least privilege.
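To make the data-driven approach concrete, here is an added example (not code from this post or from the SnowAlert project) that loads a constructed IAM snapshot into a table and runs three checks as SQL: console users without MFA, credentials with no activity in 90 days, and the “use it or lose it” idea applied to service permissions that a user’s policies allow but that have not been exercised. The column names mirror fields of the IAM credential report and IAM service-last-accessed data, but the schema, the in-memory SQLite database standing in for Snowflake, the snapshot date and every row are assumptions constructed for this example; the SnowAlert connector’s real table layout is not shown here.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed point-in-time "snapshot" date (assumption for the example).
# A real run would use the collection timestamp of the AWS data pull.
SNAPSHOT_TIME = datetime(2019, 6, 1, tzinfo=timezone.utc)

# Constructed rows shaped like the IAM credential report. Column names are an
# assumption for this example, not the SnowAlert connector's schema.
# (user_name, password_enabled, password_last_used, password_last_changed,
#  mfa_active, access_key_1_active, access_key_1_last_rotated, access_key_1_last_used_date)
CREDENTIAL_REPORT = [
    ("alice",  1, "2019-05-30T10:00:00Z", "2019-01-10T09:00:00Z", 1, 1, "2019-04-01T09:00:00Z", "2019-05-31T08:00:00Z"),
    ("bob",    1, "2019-05-29T10:00:00Z", "2019-02-01T09:00:00Z", 0, 0, None, None),
    ("svc-ci", 0, None,                   None,                   0, 1, "2018-11-01T09:00:00Z", "2019-01-15T08:00:00Z"),
    ("carol",  1, None,                   "2019-01-20T09:00:00Z", 1, 1, "2019-05-20T09:00:00Z", None),
]

# Constructed rows shaped like IAM "service last accessed" data: one row per
# service a user's policies allow, with the last use (NULL = never used).
# (user_name, service_namespace, last_authenticated)
SERVICE_LAST_ACCESSED = [
    ("alice",  "s3",  "2019-05-30T10:00:00Z"),
    ("alice",  "ec2", "2019-05-28T10:00:00Z"),
    ("alice",  "iam", None),
    ("svc-ci", "ec2", "2019-01-15T08:00:00Z"),
    ("svc-ci", "s3",  "2019-05-31T08:00:00Z"),
]


def build_snapshot():
    """Load the constructed snapshot into an in-memory database (stands in for Snowflake)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE credential_report (
            user_name TEXT, password_enabled INTEGER, password_last_used TEXT,
            password_last_changed TEXT, mfa_active INTEGER, access_key_1_active INTEGER,
            access_key_1_last_rotated TEXT, access_key_1_last_used_date TEXT);
        CREATE TABLE service_last_accessed (
            user_name TEXT, service_namespace TEXT, last_authenticated TEXT);
    """)
    conn.executemany("INSERT INTO credential_report VALUES (?,?,?,?,?,?,?,?)", CREDENTIAL_REPORT)
    conn.executemany("INSERT INTO service_last_accessed VALUES (?,?,?)", SERVICE_LAST_ACCESSED)
    return conn


def _cutoff(days):
    """ISO-8601 UTC timestamp `days` before the snapshot; timestamps are stored in the
    same fixed format, so a plain string comparison in SQL orders them correctly."""
    return (SNAPSHOT_TIME - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def mfa_console_findings(conn):
    """IAM users with a console password but no MFA device.
    The root account is excluded here because CIS treats root MFA as its own control;
    '<root_account>' is the user name the credential report uses for root."""
    rows = conn.execute("""
        SELECT user_name FROM credential_report
        WHERE password_enabled = 1 AND mfa_active = 0
          AND user_name <> '<root_account>'
        ORDER BY user_name""").fetchall()
    return [r[0] for r in rows]


def stale_credential_findings(conn, days=90):
    """Active passwords and access keys unused for `days`. A credential that was never
    used counts from the day it was set or rotated, so a fresh key is not flagged."""
    return conn.execute("""
        SELECT user_name, 'password' AS credential,
               COALESCE(password_last_used, password_last_changed) AS last_activity
        FROM credential_report
        WHERE password_enabled = 1
          AND COALESCE(password_last_used, password_last_changed) < :cutoff
        UNION ALL
        SELECT user_name, 'access_key_1',
               COALESCE(access_key_1_last_used_date, access_key_1_last_rotated)
        FROM credential_report
        WHERE access_key_1_active = 1
          AND COALESCE(access_key_1_last_used_date, access_key_1_last_rotated) < :cutoff
        ORDER BY user_name, credential""", {"cutoff": _cutoff(days)}).fetchall()


def unused_permission_findings(conn, days=90):
    """'Use it or lose it': services a user's policies allow that were never used
    or not used within `days`, i.e. candidates for removal from the policy."""
    return conn.execute("""
        SELECT user_name, service_namespace FROM service_last_accessed
        WHERE last_authenticated IS NULL OR last_authenticated < :cutoff
        ORDER BY user_name, service_namespace""", {"cutoff": _cutoff(days)}).fetchall()


if __name__ == "__main__":
    db = build_snapshot()
    print("console users without MFA:", mfa_console_findings(db))
    print("credentials unused for 90 days:", stale_credential_findings(db))
    print("unused service permissions:", unused_permission_findings(db))
```

The queries use only the portable parts of SQL (COALESCE, UNION ALL, parameter binding); on Snowflake the same shape works against the connector’s tables, with the cutoff computed in SQL (for example with DATEADD against the snapshot timestamp) instead of in Python, and the findings written to a table that the rest of the pipeline, or a future remediation job, reads from.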
The homemade approach to cloud security may not be right for every organization. Smaller companies with basic architectures can see fast results with off-the-shelf compliance reports. But for organizations where the security and data teams can collaborate, it’s time to consider a new approach, with compliance reports that are customized and high fidelity. Accurate findings can then be reported to stakeholders across the enterprise and, over time, earn enough confidence to drive automated remediation.
To get cooking:
- Read the article on “SQL for CIS Compliance Validation: Why and How”
- Check out the SQL and Python code on GitHub
- Reach out to snowalert@snowflake.com