Cloud Security Assessments in AWS

In our most recent webinar, Cloud Security Assessment for AWS Instances, we took a look at how Chef can help to secure environments in Amazon Web Services. While our previous webinar focused on providing a high-level overview of the challenges organizations face when securing workloads in the cloud, this time around we gave a hands-on demonstration of how you can start gathering actionable insights from your AWS environments with Chef InSpec and Chef Automate. If you missed the live webinar, you can now check it out on demand.

Security & Cloud Expertise

During the presentation, I spent some time reviewing some of the insights gleaned from Rightscale’s 2019 State of the Cloud Report. Of the top 8 cloud challenges reported by the organizations polled, the top two categories respondents considered significant challenges were “Lack of resources/expertise” and “Security”, respectively. This seems like a logical pairing — organizations can significantly lower their maintenance overhead by making use of cloud-provided solutions for things like data storage, networking, and access control, but must learn a new set of tools to make effective use of them. Similarly, we must learn and implement security best-practices for these new solutions, which can be easy to overlook in the race to ship applications at high velocity.

Chef helps ease the burden of securing hybrid workloads by providing within Chef InSpec the ability to communicate directly with cloud-native APIs to audit your environment’s configuration. Since Chef InSpec already has facilities for scanning servers and virtual machines, it provides a way to scan traditional and cloud-native environments all in one place. During the demonstration, we saw some examples of how to use Chef InSpec to validate that an AWS S3 bucket is securely configured and show that my IAM Account is configured for multi factor authentication (MFA). For further examples, be sure to check out our blog post, Don’t Leave Your S3 Buckets Wide Open.

Incorporating CIS Benchmarks

We also took a look at some of the pre-built resources Chef provides to our enterprise customers and, in particular, InSpec profiles for the CIS Benchmarks. These benchmarks, created by the Center for Internet Security (CIS), can be used to help validate a variety of regulatory compliance frameworks, as well as provide a baseline for general security best practices on a variety of platforms. The CIS profiles included with a Chef subscription have been certified by CIS, supported by Chef, and can be run from within Chef Automate with the push of a button, giving you a plethora of actionable insights into your cloud estate right out of the gate. 

failed controls dashboard; cloud security

Within Chef Automate, scans can be configured to be run on-demand or on a schedule, providing continuous, real-time insight into your security status across your environments, as well as filterable dashboards to address and remediate any failures uncovered. Combine that with an auditable history of scans, and you have everything you need to continuously audit your estate without slowing down your software development cycle.

Next Steps


Nick Rycar

Nick is a Technical Product Marketing Manager working out of Chef HQ in Seattle. When he's not busy preparing product demos, he's torturing his colleagues with terrible puns and needlessly esoteric pop-culture trivia. Mostly he's just another confused New York transplant in the Pacific Northwest.