Chef Cloud Security with AWS

Cloud security is a collection of procedures and technology designed to address external and internal threats to business security. Organizations need cloud security as they move toward their digital transformation strategies and incorporate cloud-based tools and services into their infrastructure. Progress Chef is the leading platform and the first provider certified by CIS for all the major cloud providers.

Chef Cloud Security allows you to scan, monitor, and remediate configuration issues in your multi-cloud accounts across on-prem and cloud-native environments. Maintaining and enforcing compliance with standards-based audits is easier than ever. You can tune baselines to adapt to your organization’s requirements and maintain visibility and control across hybrid environments.

Chef Cloud Security provides visibility through streamlined audits, continuous compliance, CSPM (cloud security posture management) and cloud-native security, and a code-driven approach.

Setting up your Environment

You can set up Cloud solutions in Chef Automate in three simple steps.

To start, you first need to connect your cloud-native environment (AWS) to the Chef Automate UI.

  • Click on Settings
  • Node Integration > Create Integration
  • Select AWS from the given options.
  • Give a valid name for your cloud management service
  • Fill out necessary details concerning AWS keys
  • Save Integration

Connect cloud-native environment (AWS) to Chef Automate UI


Note that the node's status should show as reachable after you save the integration.

The next step is to select the security profile you want to apply to your AWS node.

  • Click on Compliance
  • Profiles > Available profiles > Search for CIS AWS Foundations
  • Click on Get
  • The selected security profile should now be visible under the profiles section.

You can also upload any InSpec 2-compatible profile, including inherited profiles, to Chef Automate with the upload button on the Profiles page. Uploaded profiles must be packaged as either a .tar.gz or a .zip archive.

Select the security profile you want to apply to your AWS node


With the profile selection and node integration completed, you need to create a scan job that will scan the selected cloud nodes based on the security profile.

  • Click on Compliance
  • Scan Jobs > Create Scan Job
  • Select the Cloud node
  • Select a Profile
  • Run the Scan Job

You can also schedule the time and date for scanning your cloud environment.

Each control in the security profile runs against your cloud account and checks for misconfigurations based on CIS benchmarks and best practices. To check the results of the scans:

  • Click on Compliance
  • Nodes
  • Search for and click the name of your scan job

Check the results of the scans


You can find all the detailed passed/failed results for the scanned node.

Example of the passed test case

This control ensures that the S3 bucket used to store logs is not publicly accessible.

The InSpec code runs in the backend and checks each S3 bucket and its permissions. If any bucket is publicly accessible, the control fails in the compliance scan. You can also view the control's source code, which states that the buckets should be private.

You can also get an overview of all the control files with their results under the “Controls” section of the reports tab.

You can download the compliance report in CSV or JSON format. You can also integrate third-party tools such as ServiceNow and Splunk from the Automate UI and feed this data into them. In addition to all these features, Chef provides APIs for external integration.

Get more details on Chef End-to-End Cloud Security Management here.

Watch the Technical Demonstration here.

Akshay Parvatikar

Akshay Parvatikar is a Technical Product Marketing Manager at Progress. With a career of over seven years and a bachelor's degree in Engineering, Akshay has worked in various roles such as solution engineering, customer consulting, and business development in web performance for Telecom and the e-commerce industry.