Tag Archives: Security-as-Code

Enforcing Kubernetes Security at the Gate: OPA/Gatekeeper + Kyverno in Production

May 17, 2026DevSecOps, Linux, SecurityAdmission Controllers, CIS K8s Benchmark, EKS, Gatekeeper, K8s, Kyverno, OPA, RBAC, Security-as-Coderohan

Kubernetes RBAC is not enough. RBAC controls who can make API calls, but it does not control what those API calls can deploy. A developer with create pods permission in their namespace can deploy a container running as root, mounting the host filesystem, pulling from an untrusted registry, with no resource limits – and RBAC will not stop any of it.

This is the gap that Kubernetes Admission Controllers fill. Having hardened EKS clusters for ad-tech workloads at Smaato and energy trading platforms at work, I have learned that admission controllers are the most operationally impactful Kubernetes security control available. This post documents the production configuration I use.

How Admission Controllers Work

When a request hits the Kubernetes API server, it passes through a pipeline before being persisted to etcd:

The two relevant webhook types are:

Mutating Admission Webhooks: Intercept the request before validation and can modify the object. Use Kyverno here to inject secure defaults (non-root user, resource limits, labels) automatically, so developers don’t need to remember security configuration.
Validating Admission Webhooks: Intercept the request after mutation and either allow or deny it. Use OPA/Gatekeeper here to enforce hard policies (no privileged containers, approved registries only, required labels).

The split is intentional: Kyverno mutates to help developers, Gatekeeper validates to enforce compliance.

Installing OPA/Gatekeeper

Gatekeeper is the production-grade OPA integration for Kubernetes. Install via Helm:

helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update

helm install gatekeeper gatekeeper/gatekeeper \
  --namespace gatekeeper-system \
  --create-namespace \
  --set replicas=3 \
  --set auditInterval=60 \
  --set constraintViolationsLimit=100 \
  --set logLevel=WARNING

helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update

helm install gatekeeper gatekeeper/gatekeeper \
  --namespace gatekeeper-system \
  --create-namespace \
  --set replicas=3 \
  --set auditInterval=60 \
  --set constraintViolationsLimit=100 \
  --set logLevel=WARNING

The auditInterval=60 setting is important: Gatekeeper continuously audits existing resources against all policies, not just new requests. This catches drift from resources created before the policies were installed.

Installing Kyverno

helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update

helm install kyverno kyverno/kyverno \
  --namespace kyverno \
  --create-namespace \
  --set replicaCount=3 \
  --set config.webhooks[0].failurePolicy=Fail

helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update

helm install kyverno kyverno/kyverno \
  --namespace kyverno \
  --create-namespace \
  --set replicaCount=3 \
  --set config.webhooks[0].failurePolicy=Fail

Setting failurePolicy=Fail means if the Kyverno webhook is unavailable, API requests fail closed (denied) rather than open (allowed). This is the safer default for production.

Kyverno Mutating Policies

Policy 1: Inject Secure Container Defaults

This policy automatically injects security context into every new pod that does not already have it defined. Developers do not need to write this – Kyverno adds it transparently:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-security-context
  annotations:
    policies.kyverno.io/title: Inject Secure Defaults
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: >
      Injects runAsNonRoot, readOnlyRootFilesystem, and
      allowPrivilegeEscalation=false into all containers.
spec:
  rules:
    - name: inject-security-context
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: ["!kube-system", "!gatekeeper-system", "!kyverno"]
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"
                securityContext:
                  +(runAsNonRoot): true
                  +(readOnlyRootFilesystem): true
                  +(allowPrivilegeEscalation): false
                  +(runAsUser): 1000
            initContainers:
              - (name): "*"
                securityContext:
                  +(runAsNonRoot): true
                  +(allowPrivilegeEscalation): false

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-security-context
  annotations:
    policies.kyverno.io/title: Inject Secure Defaults
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: >
      Injects runAsNonRoot, readOnlyRootFilesystem, and
      allowPrivilegeEscalation=false into all containers.
spec:
  rules:
    - name: inject-security-context
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: ["!kube-system", "!gatekeeper-system", "!kyverno"]
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"
                securityContext:
                  +(runAsNonRoot): true
                  +(readOnlyRootFilesystem): true
                  +(allowPrivilegeEscalation): false
                  +(runAsUser): 1000
            initContainers:
              - (name): "*"
                securityContext:
                  +(runAsNonRoot): true
                  +(allowPrivilegeEscalation): false

The +() syntax is Kyverno’s “add if not present” operator – it will not overwrite explicitly set values.

Policy 2: Inject Resource Limits

Pods without resource limits are a denial-of-service vector. This policy injects sensible defaults so the cluster scheduler always has resource information:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-resource-limits
spec:
  rules:
    - name: add-default-resource-limits
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: ["!kube-system"]
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"
                resources:
                  +(requests):
                    memory: "64Mi"
                    cpu: "50m"
                  +(limits):
                    memory: "512Mi"
                    cpu: "500m"

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-resource-limits
spec:
  rules:
    - name: add-default-resource-limits
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: ["!kube-system"]
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"
                resources:
                  +(requests):
                    memory: "64Mi"
                    cpu: "50m"
                  +(limits):
                    memory: "512Mi"
                    cpu: "500m"

Policy 3: Add Mandatory Labels for NetworkPolicy

Network policies use label selectors. If pods don’t have consistent labels, network policies become fragile. This policy ensures every pod carries the labels required for policy enforcement:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-team-labels
spec:
  rules:
    - name: add-labels-from-namespace
      match:
        any:
          - resources:
              kinds: [Pod]
      context:
        - name: namespaceLabels
          apiCall:
            urlPath: "/api/v1/namespaces/{{request.object.metadata.namespace}}"
            jmesPath: "metadata.labels"
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              +(app.kubernetes.io/managed-by): "helm"
              +(security.rohanbhagat.com/team): "{{namespaceLabels.\"team\" || 'unknown'}}"
              +(security.rohanbhagat.com/environment): "{{namespaceLabels.\"environment\" || 'unknown'}}"

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-team-labels
spec:
  rules:
    - name: add-labels-from-namespace
      match:
        any:
          - resources:
              kinds: [Pod]
      context:
        - name: namespaceLabels
          apiCall:
            urlPath: "/api/v1/namespaces/{{request.object.metadata.namespace}}"
            jmesPath: "metadata.labels"
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              +(app.kubernetes.io/managed-by): "helm"
              +(security.rohanbhagat.com/team): "{{namespaceLabels.\"team\" || 'unknown'}}"
              +(security.rohanbhagat.com/environment): "{{namespaceLabels.\"environment\" || 'unknown'}}"

OPA/Gatekeeper Validating Policies

Gatekeeper uses ConstraintTemplates (the Rego logic) and Constraints (the parameters). Each policy is a pair.

Policy 1: Block Privileged Containers

Privileged containers have full access to the host kernel. This policy denies any pod spec that requests privileged mode, host network, or host PID:

# constraint-template: no-privileged-containers.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8snoPrivilegedContainers
spec:
  crd:
    spec:
      names:
        kind: K8sNoPrivilegedContainers
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8snoprivilegedcontainers

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          container.securityContext.privileged == true
          msg := sprintf("Container '%v' must not run as privileged", [container.name])
        }

        violation[{"msg": msg}] {
          input.review.object.spec.hostPID == true
          msg := "Pod must not use hostPID"
        }

        violation[{"msg": msg}] {
          input.review.object.spec.hostNetwork == true
          msg := "Pod must not use hostNetwork"
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          container.securityContext.capabilities.add[_] == "NET_ADMIN"
          msg := sprintf("Container '%v' may not add NET_ADMIN capability", [container.name])
        }

# constraint-template: no-privileged-containers.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8snoPrivilegedContainers
spec:
  crd:
    spec:
      names:
        kind: K8sNoPrivilegedContainers
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8snoprivilegedcontainers

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          container.securityContext.privileged == true
          msg := sprintf("Container '%v' must not run as privileged", [container.name])
        }

        violation[{"msg": msg}] {
          input.review.object.spec.hostPID == true
          msg := "Pod must not use hostPID"
        }

        violation[{"msg": msg}] {
          input.review.object.spec.hostNetwork == true
          msg := "Pod must not use hostNetwork"
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          container.securityContext.capabilities.add[_] == "NET_ADMIN"
          msg := sprintf("Container '%v' may not add NET_ADMIN capability", [container.name])
        }

# constraint: no-privileged-containers.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoPrivilegedContainers
metadata:
  name: no-privileged-containers
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces:
      - kube-system
      - gatekeeper-system
      - kyverno

# constraint: no-privileged-containers.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoPrivilegedContainers
metadata:
  name: no-privileged-containers
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces:
      - kube-system
      - gatekeeper-system
      - kyverno

Policy 2: Approved Container Registries Only

Supply chain attacks start with untrusted images. This policy denies any image not from the approved ECR registry or the internal registry:

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sapprovedregistries
spec:
  crd:
    spec:
      names:
        kind: K8sApprovedRegistries
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowedRegistries:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sapprovedregistries

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not image_from_approved_registry(container.image)
          msg := sprintf(
            "Container '%v' uses unapproved image '%v'. Use one of: %v",
            [container.name, container.image, input.parameters.allowedRegistries]
          )
        }

        image_from_approved_registry(image) {
          registry := input.parameters.allowedRegistries[_]
          startswith(image, registry)
        }

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sapprovedregistries
spec:
  crd:
    spec:
      names:
        kind: K8sApprovedRegistries
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowedRegistries:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sapprovedregistries

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not image_from_approved_registry(container.image)
          msg := sprintf(
            "Container '%v' uses unapproved image '%v'. Use one of: %v",
            [container.name, container.image, input.parameters.allowedRegistries]
          )
        }

        image_from_approved_registry(image) {
          registry := input.parameters.allowedRegistries[_]
          startswith(image, registry)
        }

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sApprovedRegistries
metadata:
  name: approved-registries-only
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
  parameters:
    allowedRegistries:
      - "123456789012.dkr.ecr.eu-central-1.amazonaws.com"
      - "registry.k8s.io"
      - "quay.io/kyverno"

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sApprovedRegistries
metadata:
  name: approved-registries-only
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
  parameters:
    allowedRegistries:
      - "123456789012.dkr.ecr.eu-central-1.amazonaws.com"
      - "registry.k8s.io"
      - "quay.io/kyverno"

Policy 3: Block `latest` Tag

The latest tag makes deployments non-reproducible and bypasses security scanning (you scan one digest, deploy a different one). This policy enforces explicit tags or digest references:

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8snolatestimage
spec:
  crd:
    spec:
      names:
        kind: K8sNoLatestImage
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8snolatestimage

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          endswith(container.image, ":latest")
          msg := sprintf("Container '%v' uses ':latest' tag. Use an explicit version or digest.", [container.name])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not contains(container.image, ":")
          msg := sprintf("Container '%v' has no tag. Specify an explicit version or SHA digest.", [container.name])
        }

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8snolatestimage
spec:
  crd:
    spec:
      names:
        kind: K8sNoLatestImage
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8snolatestimage

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          endswith(container.image, ":latest")
          msg := sprintf("Container '%v' uses ':latest' tag. Use an explicit version or digest.", [container.name])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not contains(container.image, ":")
          msg := sprintf("Container '%v' has no tag. Specify an explicit version or SHA digest.", [container.name])
        }

Audit Mode vs Enforce Mode

Rolling out admission controllers to an existing cluster without prior audit is high-risk – you will likely break existing workloads. Use this three-phase rollout:

Phase 1 – Audit (week 1-2): Set enforcementAction: warn in all Constraints. Gatekeeper logs violations but does not block. Review the audit report to understand current posture:

kubectl get constraint -A -o json | jq '.items[].status.totalViolations'

kubectl get constraint -A -o json | jq '.items[].status.totalViolations'

Phase 2 – Dry-run (week 3-4): Switch to enforcementAction: dryrun. Violations appear in kubectl describe constraint but requests are still allowed. Alert on high-violation counts.

Phase 3 – Enforce (week 5+): Switch to enforcementAction: deny. Coordinate with engineering teams to fix any remaining violations beforehand.

Testing Policies with conftest

Before deploying policy changes, test them against Kubernetes manifests locally using conftest:

# Install conftest
brew install conftest

# Test a Kubernetes manifest against your OPA policies
conftest test k8s/deployment.yaml \
  --policy policies/gatekeeper/ \
  --namespace k8s

<em># Example output:</em>
<em># FAIL - k8s/deployment.yaml - Container 'app' uses ':latest' tag.</em>
<em># FAIL - k8s/deployment.yaml - Container 'app' must not run as privileged.</em>
<em># 2 tests, 0 passed, 0 warnings, 2 failures</em>

# Install conftest
brew install conftest

# Test a Kubernetes manifest against your OPA policies
conftest test k8s/deployment.yaml \
  --policy policies/gatekeeper/ \
  --namespace k8s

<em># Example output:</em>
<em># FAIL - k8s/deployment.yaml - Container 'app' uses ':latest' tag.</em>
<em># FAIL - k8s/deployment.yaml - Container 'app' must not run as privileged.</em>
<em># 2 tests, 0 passed, 0 warnings, 2 failures</em>

Integrate conftest into the CI/CD pipeline to catch policy violations before they reach the cluster:

# .github/workflows/k8s-policy-check.yml
- name: Validate K8s manifests against policies
  run: |
    conftest test k8s/ \
      --policy policies/gatekeeper/ \
      --namespace k8s \
      --output github

# .github/workflows/k8s-policy-check.yml
- name: Validate K8s manifests against policies
  run: |
    conftest test k8s/ \
      --policy policies/gatekeeper/ \
      --namespace k8s \
      --output github

Namespace-Level Network Policies as a Complement

Admission controllers control what runs in the cluster. Network policies control how workloads communicate. The two work together. After the label-injection Kyverno policy ensures all pods have consistent labels, these Network Policies enforce zero-trust within the cluster:

# Default deny-all for every namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Allow intra-namespace traffic only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}
  ingress:
    - from:
        - podSelector: {}
  egress:
    - to:
        - podSelector: {}
  policyTypes: [Ingress, Egress]

# Default deny-all for every namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Allow intra-namespace traffic only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}
  ingress:
    - from:
        - podSelector: {}
  egress:
    - to:
        - podSelector: {}
  policyTypes: [Ingress, Egress]

Results

After deploying this configuration on a 40-node EKS production cluster at Smaato:

Zero privileged containers running in production (down from 8 before enforcement)
100% of pods have explicit resource limits (up from ~40% before mutation policies)
CI policy gate catches manifest violations in 90 seconds, before the image is even built
CIS Kubernetes Benchmark score on control plane 5.x (Admission Control) moved from 3/9 to 9/9 controls passing

Implementing Cloud Security Posture Management (CSPM) at Scale with Terraform and Orca Security

May 3, 2026AWS, Cloud, Cloud Security, DevSecOpsAWS Security Hub, Checkov, Cloud Engineers, CSPM, DevOps Leads, guardduty, Multi-Account, Orca Security, Security Architects, Security-as-Code, Terraformrohan

In a multi-account AWS environment handling energy trading workloads, a single misconfigured S3 bucket or an overly permissive IAM role is not just a security finding — it is a compliance violation, a potential regulatory breach, and an audit risk. At RWE Supply & Trading, I faced this challenge at scale: dozens of accounts, hundreds of Terraform modules, and a continuous pressure to ship infrastructure quickly without compromising security posture.

This post documents the CSPM architecture I designed and implemented: a centralized, automated control plane that continuously monitors posture, enforces policy, and auto-remediates critical findings — all driven by Infrastructure as Code.

The Problem with Point-in-Time Security Reviews

Traditional cloud security reviews are periodic. A team runs a checklist against a snapshot of the environment, flags findings, and assigns tickets. By the time those tickets are resolved, the environment has drifted further. In fast-moving cloud environments, this model breaks down within weeks.

The operational shift required is continuous posture management: every configuration change is evaluated against policy the moment it is applied, and deviations are either blocked before they land or remediated automatically within minutes.

Architecture Overview

The architecture has three layers:

1. Preventive layer: Checkov and OPA run in the CI/CD pipeline and block non-compliant Terraform before it is applied. AWS Service Control Policies (SCPs) at the Organizations level enforce hard boundaries that no account-level policy can override.

2. Detective layer: AWS GuardDuty, Config Rules, Security Hub, and Orca Security continuously monitor all accounts. Security Hub aggregates findings centrally in the Security/Audit account.

3. Responsive layer: EventBridge rules trigger Lambda functions that auto-remediate critical findings (e.g., public S3 buckets, disabled CloudTrail, overly permissive security groups) within minutes of detection.

Setting Up the Security Account as the Control Plane

All findings flow into a dedicated Security/Audit account. This account is not a workload account — it exists solely to aggregate, analyse, and act on security findings.

# Enable Security Hub aggregator in the security account
resource "aws_securityhub_finding_aggregator" "central" {
  linking_mode = "ALL_REGIONS"
}

# Enable GuardDuty as organization delegated admin
resource "aws_guardduty_organization_admin_account" "delegated" {
  admin_account_id = var.security_account_id
}

resource "aws_guardduty_organization_configuration" "auto_enable" {
  auto_enable_organization_members = "ALL"
  detector_id     = aws_guardduty_detector.main.id
}

# Enable Security Hub aggregator in the security account
resource "aws_securityhub_finding_aggregator" "central" {
  linking_mode = "ALL_REGIONS"
}

# Enable GuardDuty as organization delegated admin
resource "aws_guardduty_organization_admin_account" "delegated" {
  admin_account_id = var.security_account_id
}

resource "aws_guardduty_organization_configuration" "auto_enable" {
  auto_enable_organization_members = "ALL"
  detector_id     = aws_guardduty_detector.main.id
}

Each member account is enrolled automatically via AWS Organizations, so new accounts inherit the full security stack on creation — no manual onboarding required.

Preventive Controls: Checkov + OPA in the CI/CD Pipeline

The pipeline never reaches `terraform apply` unless the IaC passes security linting. Checkov runs first, validating Terraform plans against 500+ built-in rules covering CIS, NIST, and PCI-DSS:

# .github/workflows/security-gate.yml
- name: Run Checkov IaC Scan
  uses: bridgecrewio/checkov-action@master
  with:
    directory: .
    framework: terraform
    output_format: sarif
    output_file_path: results.sarif
    soft_fail: false
    check: |
      CKV_AWS_18   # S3 access logging
      CKV_AWS_19   # S3 encryption at rest
      CKV_AWS_20   # S3 public access
      CKV_AWS_86   # CloudTrail log validation
      CKV_AWS_119  # DynamoDB encryption

# .github/workflows/security-gate.yml
- name: Run Checkov IaC Scan
  uses: bridgecrewio/checkov-action@master
  with:
    directory: .
    framework: terraform
    output_format: sarif
    output_file_path: results.sarif
    soft_fail: false
    check: |
      CKV_AWS_18   # S3 access logging
      CKV_AWS_19   # S3 encryption at rest
      CKV_AWS_20   # S3 public access
      CKV_AWS_86   # CloudTrail log validation
      CKV_AWS_119  # DynamoDB encryption

After Checkov, an OPA policy gate evaluates the Terraform plan JSON against custom Rego policies specific to our environment:

# policies/no_public_s3.rego
package terraform.s3

deny[msg] {
  resource := input.resource_changes[_]
  resource.type == "aws_s3_bucket_public_access_block"
  resource.change.after.block_public_acls == false
  msg := sprintf("S3 bucket '%v' must block public ACLs", [resource.address])
}

deny[msg] {
  resource := input.resource_changes[_]
  resource.type == "aws_s3_bucket"
  not resource.change.after.server_side_encryption_configuration
  msg := sprintf("S3 bucket '%v' must have server-side encryption enabled", [resource.address])
}

# policies/no_public_s3.rego
package terraform.s3

deny[msg] {
  resource := input.resource_changes[_]
  resource.type == "aws_s3_bucket_public_access_block"
  resource.change.after.block_public_acls == false
  msg := sprintf("S3 bucket '%v' must block public ACLs", [resource.address])
}

deny[msg] {
  resource := input.resource_changes[_]
  resource.type == "aws_s3_bucket"
  not resource.change.after.server_side_encryption_configuration
  msg := sprintf("S3 bucket '%v' must have server-side encryption enabled", [resource.address])
}

Any `deny` result blocks the pipeline and posts the violation reason directly to the PR as a review comment.

Deploying AWS Config Rules at Scale with Terraform

AWS Config Rules run continuously in every account, evaluating resources against compliance rules whenever a configuration change is detected. I deploy them as an organization-wide Terraform module:

# modules/config-rules/main.tf
resource "aws_config_config_rule" "cis_s3_public_access" {
  name        = "s3-bucket-public-read-prohibited"
  description = "CIS 2.1.2 - S3 buckets must not allow public read"

  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }

  depends_on = [aws_config_configuration_recorder.main]
}

resource "aws_config_config_rule" "mfa_enabled_for_iam_console" {
  name        = "mfa-enabled-for-iam-console-access"
  description = "CIS 1.2 - MFA required for console access"

  source {
    owner             = "AWS"
    source_identifier = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
  }
}

resource "aws_config_config_rule" "cloudtrail_enabled" {
  name        = "cloudtrail-enabled"
  description = "CIS 2.1 - CloudTrail must be enabled in all regions"

  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENABLED"
  }
}

resource "aws_config_config_rule" "encrypted_volumes" {
  name        = "encrypted-volumes"
  description = "CIS 2.2.1 - EBS volumes must be encrypted"

  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }
}

# modules/config-rules/main.tf
resource "aws_config_config_rule" "cis_s3_public_access" {
  name        = "s3-bucket-public-read-prohibited"
  description = "CIS 2.1.2 - S3 buckets must not allow public read"

  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }

  depends_on = [aws_config_configuration_recorder.main]
}

resource "aws_config_config_rule" "mfa_enabled_for_iam_console" {
  name        = "mfa-enabled-for-iam-console-access"
  description = "CIS 1.2 - MFA required for console access"

  source {
    owner             = "AWS"
    source_identifier = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
  }
}

resource "aws_config_config_rule" "cloudtrail_enabled" {
  name        = "cloudtrail-enabled"
  description = "CIS 2.1 - CloudTrail must be enabled in all regions"

  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENABLED"
  }
}

resource "aws_config_config_rule" "encrypted_volumes" {
  name        = "encrypted-volumes"
  description = "CIS 2.2.1 - EBS volumes must be encrypted"

  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }
}

Findings from Config flow into Security Hub, which normalises them into the ASFF (Amazon Security Finding Format) alongside GuardDuty and Inspector findings.

Auto-Remediation with EventBridge and Lambda

Critical findings trigger immediate automated responses. The EventBridge rule pattern targets findings by severity and type:

{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "Severity": {
        "Label": ["CRITICAL", "HIGH"]
      },
      "Compliance": {
        "Status": ["FAILED"]
      },
      "RecordState": ["ACTIVE"]
    }
  }
}

{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "Severity": {
        "Label": ["CRITICAL", "HIGH"]
      },
      "Compliance": {
        "Status": ["FAILED"]
      },
      "RecordState": ["ACTIVE"]
    }
  }
}

The Lambda function dispatches remediation based on finding type:

import boto3
import json

def handler(event, context):
    finding = event["detail"]["findings"][0]
    finding_type = finding["Types"][0]
    resource = finding["Resources"][0]

    if "S3/BucketPubliclyAccessible" in finding_type:
        remediate_s3_public_access(resource["Id"])
    elif "IAM/RootAccountUsage" in finding_type:
        notify_critical(finding)
    elif "CloudTrail/CloudTrailStopped" in finding_type:
        enable_cloudtrail(resource["Region"])

def remediate_s3_public_access(bucket_arn):
    bucket_name = bucket_arn.split(":::")[-1]
    s3 = boto3.client("s3")
    s3.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    )
    print(f"[REMEDIATED] Blocked public access on S3 bucket: {bucket_name}")

import boto3
import json

def handler(event, context):
    finding = event["detail"]["findings"][0]
    finding_type = finding["Types"][0]
    resource = finding["Resources"][0]

    if "S3/BucketPubliclyAccessible" in finding_type:
        remediate_s3_public_access(resource["Id"])
    elif "IAM/RootAccountUsage" in finding_type:
        notify_critical(finding)
    elif "CloudTrail/CloudTrailStopped" in finding_type:
        enable_cloudtrail(resource["Region"])

def remediate_s3_public_access(bucket_arn):
    bucket_name = bucket_arn.split(":::")[-1]
    s3 = boto3.client("s3")
    s3.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    )
    print(f"[REMEDIATED] Blocked public access on S3 bucket: {bucket_name}")

For findings that cannot be auto-remediated safely (e.g., IAM policy changes), the Lambda creates a JIRA ticket with the finding detail, account ID, resource ARN, and a link to the relevant runbook.

Service Control Policies: The Non-Bypassable Layer

SCPs apply at the AWS Organizations level and cannot be overridden by any IAM policy within a member account, including root. This is the last-resort preventive control:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootAccountActions",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    },
    {
      "Sid": "DenyIAMPrivilegeEscalation",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "iam:CreatePolicyVersion",
        "iam:SetDefaultPolicyVersion",
        "iam:PassRole",
        "iam:CreateAccessKey"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityBreakGlassRole"
        }
      }
    },
    {
      "Sid": "DenyUnauthorisedRegions",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-central-1", "eu-west-1"]
        }
      }
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootAccountActions",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    },
    {
      "Sid": "DenyIAMPrivilegeEscalation",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "iam:CreatePolicyVersion",
        "iam:SetDefaultPolicyVersion",
        "iam:PassRole",
        "iam:CreateAccessKey"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityBreakGlassRole"
        }
      }
    },
    {
      "Sid": "DenyUnauthorisedRegions",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-central-1", "eu-west-1"]
        }
      }
    }
  ]
}

The region restriction alone eliminates a large class of shadow-IT risks. If a developer accidentally provisions resources in `us-east-1`, the SCP blocks the API call before it lands.

Integrating Orca Security for Agentless CSPM

Orca Security complements AWS-native tooling with agentless scanning that reads cloud provider APIs and storage snapshots without deploying agents into workloads. In the Orca dashboard, I configure:

– Attack path analysis: Identifies multi-hop paths from the internet to sensitive data (e.g., internet-facing EC2 → unrestricted S3 → PII data)

– Vulnerability prioritisation: CVEs ranked by exploitability and lateral movement risk, not just CVSS score

– Compliance posture: Continuous CIS, NIST CSF 2.0, ISO 27001, GDPR mapping

Orca findings feed back into Security Hub via the Orca Security Hub integration, keeping all findings in one pane of glass.

Results After 6 Months

After deploying this architecture across the full AWS estate:

– CI/CD gate blocks: Checkov catches an average of 12 IaC policy violations per sprint before they reach the AWS environment

– Mean time to remediate critical findings dropped from ~72 hours (manual ticket) to **< 8 minutes** for auto-remediable findings

– False-positive rate: GuardDuty tuning and Security Hub suppression rules reduced noisy, low-value alerts by approximately 60%, so the on-call team focuses on signal

– Compliance posture: CIS AWS Foundations Benchmark v3.0 score improved from 62% → 91% within the first quarter

Key Takeaways

1. Shift left first: The cheapest fix is blocking a misconfiguration in the CI/CD pipeline before it reaches AWS. Checkov + OPA running on every PR costs nothing compared to a breach or audit finding.

2. Don’t build a SIEM, build automation: The goal of a CSPM control plane is not to show findings — it is to close them. Every HIGH/CRITICAL finding should have an automated response path.

3. SCPs are your safety net, not your primary control: SCPs are powerful but blunt. Use them for hard organisational boundaries, not fine-grained policy enforcement.

4. Orca and AWS-native tooling are complementary: AWS native services (GuardDuty, Inspector, Config) have deep integration and low latency. Orca adds context (attack paths, sensitive data identification) that native tools do not provide.

5. Measure posture, not findings: Report compliance score trends (CIS score over time), not raw finding counts. Leadership cares whether posture is improving, not how many findings were generated this week.

Rohan Bhagat

IT Security Engineer | Cloud Security | DevSecOps | AWS | Kubernetes

Tag Archives: Security-as-Code

Enforcing Kubernetes Security at the Gate: OPA/Gatekeeper + Kyverno in Production

How Admission Controllers Work

Installing OPA/Gatekeeper

Installing Kyverno

Kyverno Mutating Policies

Policy 1: Inject Secure Container Defaults

Policy 2: Inject Resource Limits

Policy 3: Add Mandatory Labels for NetworkPolicy

OPA/Gatekeeper Validating Policies

Policy 1: Block Privileged Containers

Policy 2: Approved Container Registries Only

Policy 3: Block `latest` Tag

Audit Mode vs Enforce Mode

Testing Policies with conftest

Namespace-Level Network Policies as a Complement

Results

How Admission Controllers Work

Installing OPA/Gatekeeper

Installing Kyverno

Kyverno Mutating Policies

Policy 1: Inject Secure Container Defaults

Policy 2: Inject Resource Limits

Policy 3: Add Mandatory Labels for NetworkPolicy

OPA/Gatekeeper Validating Policies

Policy 1: Block Privileged Containers

Policy 2: Approved Container Registries Only

Policy 3: Block latest Tag

Audit Mode vs Enforce Mode

Testing Policies with conftest

Namespace-Level Network Policies as a Complement

Results

Policy 3: Block `latest` Tag