Anton Babenko

Streamlining Compliance: Leveraging Open-Source Terraform AWS modules by Anton Babenko

Are you navigating the complexities of compliance frameworks like SOC2, CIS, and HIPAA and seeking a more efficient path? This talk breaks down these frameworks simply and shows you a time-saving trick, making it perfect for anyone wanting to make their organization's compliance journey much easier.

I'll start by outlining the basics of these frameworks and highlighting the challenges businesses face in implementing them.

As the creator and maintainer of the terraform-aws-modules projects, I'm excited to share how using these open-source Terraform AWS modules can streamline the compliance process. I'll walk you through real-life examples showing how such solutions significantly reduce the effort and time required for compliance.

At the end of the talk, attendees will get actionable insights on using Terraform AWS modules for efficient compliance management.

Talk Questions

  • Question 705
    You mentioned checkov. What is the best way to keep up with the ever-changing and ever-evolving scan policies? It feels like we are always chasing a moving target.
  • Question 702
    Which of the OSS IaC scanning tools you mentioned do you have the best experience with?
  • Question 711
    Does Prowler only check the files, or is it connected to the infra?
  • Question 691
    Do you also think that the integration of AWS SAM CLI with Terraform doesn’t seem to be widely adopted? What is your opinion on the health of the serverless.tf project concerning this integration? Is there anything on the horizon regarding further development, especially for local environment testing?
  • Question 704
    When will compliance.tf be available?
  • Question 706
    Is Checkov a Python package?
  • Question 709
    Is it possible to check compliance from modules and locals that have values outside of the current working directory? For some tools, if the values are not explicitly set in the same location, it does not work.
  • Question 717
    How can compliance.tf help when modules are not even used (e.g. a new service for which we don’t have a curated module yet)?
  • Question 716
    Why Terraform with AWS and not AWS-native CloudFormation?
  • Question 715
    Have you considered optional integration with AWS Config built into compliance.tf?
  • Question 707
    How do you deal with IaC false positives?
  • Question 703
    Do you deploy Terraform manually, or do you use an automated deployment pipeline with scanning? Which approach do you recommend?
  • Question 701
    What’s the best way to support your compliance efforts?
  • Question 700
    When people approach compliance topics, they also look at the tooling used and whether it fits the compliance requirements. For your compliance modules, do you actually review every single change for possible breakage that could result in non-compliant resources/configuration?
  • Question 710
    What is the best approach to follow in case an external module that we don’t maintain is not compliant?
  • Question 712
    Even when using compliance.tf, is there any way to override default values? You know, in case any fire happens…
  • Question 713
    You mentioned that compliance.tf will rewrite TF modules to now allow optional/default values. Is there a way to check/control what was overwritten?
  • Question 714
    So is compliance.tf going to replace terraform-aws-modules? Why should we use modules with non-compliant defaults?