Empowering Cloud Custodian with Generic Resource Filtering

As cloud infrastructures grow, they become highly "entangled," making it difficult to detect non-trivial security issues using conventional methods. While standard Cloud Custodian filters excel at evaluating individual resource attributes, they struggle to identify risks defined by these relationships.

As a result, the most significant cloud vulnerabilities often emerge not from a single misconfigured entity but from the complex interplay between multiple resources

For ensuring security & compliance, Maestro widely engages EPAM Syndicate Rule Engine (SRE), based on the Clou Custodian tool. Dmytro Afanasiev, one of SRE key developers, introduces a concept of generic resource filtering as a first step in complex issues resolution.

The key idea is that you can filter resources of one type based on directly related resources of some other type. The relation between them can be inferred by foreign key attributes, so it's quite trivial to implement.

In his blog post on Medium, Dmytro shares the examples of the filtering implementation, tips and tricks, and additional ideas on how generic resource filtering can become a basis for more powerful policies.

Check out the post and follow Dmytro for more insights!

Comments

Post a Comment

Popular posts from this blog

Maestro Meets Microservices to Expand its Open Infrastructure Platform

Image
In our previous post , we discovered Maestro as a part of the Open Infrastructure world, as well as its Open Source components and strategy. However, a modern platform is more than just about infrastructure. To increase efficiency, unification, visibility and control, it is important not only to establish effective infrastructure management, but also to set up control on the application layer. With the infrastructure layer being often hosted in multi- and hybrid- clouds, Microservices became one of the silver bullets for cloud-based and cloud-native applications within the past years. They allow to package your applications properly so that they can be hosted on any platform. The parts that cannot be put to this type of architecture, are often re-platformed, or re-architected within the new provider. Thus, a modern platform should be capable of both managing Cloud environments and empowering microservice-based applications development, delivery and management . Kee...
Read more

2025 is coming: From Dragon Tales to Snake Wisdom

Image
The Year 2024 is coming to an end, and it's high time to sum up our achievements and future plan in the traditional summary and resolution post. While the Green Dragon is still here, we would like to start with summing up the past 52 weeks, taking the recap of the updates, news, and success cases we had - all that becomes a solid ground for our further movement. 2024: Main Steps and Updates Traditionally, Maestro development was focused on several main directions, as well as included a set of general updates and stabilization changes. General updates and stabilization The updates covering general Maestro performance and core functionality has been taking place throughout the year, with the massive stabilization closer to the end of the year. These included not only performance improvements and bug fixing, but also important new features, such as the possibility to have the ReadOnly access to Maestro, a huge update to C-level, tenant-l...
Read more

Enterprise Cloud Billing: Adjust and Conquer

Image
Maestro billing engine allows transforming virtual and hardware capacities utilization into bills , based on the events within their timeline, and states they get as a result of such events However, the modern world, with its dynamic changes in situations and requests, needs flexibility – and in billing, as well. The hourly cost of your datacenter maintenance may depend on external factors, like varying electricity costs (for example, cheaper night hours), which can let you make nightly hours of your infrastructure usage be also more affordable. You may also want to re-distribute the load between data centers or data center sections during peak hours by offering lower prices in underutilized zones, and higher prices – in those that are overloaded. Season discounts, special offerings, and other pricing alterations are also on the list. You even may want to apply extra charges for your users access to public clouds, by adding a respective coefficient to the native provi...
Read more