August 17, 2022

CloudTwin Hands On - Introduction

Tal Shladovsky
Cloud Specialist

TL;DR

Part one - simulating basics - Amazon Relational Database Service (RDS)

Cloud challenges

Times are changing and more and more organizations are shifting workloads to the cloud, accelerating the cycle of ever-evolving technologies in the cloud. The cloud makes it extremely easy to manage and provision infrastructure in speed and scale, but it comes with its own complexities. As cloud service providers offer such a vast array of options, selecting the right resources for applications gets more complex, stress inducing, time-consuming, and costly.

Infrastructure as Code (IaC) tools such as Terraform are used to simplify and automate infrastructure changes. Terraform provides a simple yet powerful way to request cloud infrastructure at the code level, but it also comes with a cost: infrastructure changes at any level can cause havoc and chaos if done wrong. Wrong means making small mistakes that might seem minor but can have serious consequences for your entire cloud platform.

"With great power comes great responsibility"

Using the right tool to simulate changes and make sure there are no mistakes is what being responsible in the cloud means. There are many factors that may cause unexpected behaviors and outages; in fact, most outages are caused by human error in configuration changes.

Don't guess - simulate

Lightlytics' innovative CloudTwin engine creates a real-time simulated model of the cloud environment and dynamically correlates the dependencies between configurations, services, infrastructure and activity logs.

IaC Impact Analysis with Lightlytics Simulation

Our simulation engine merges the current configuration state of your cloud with the change proposed in the Terraform code, to determine how your cloud will be impacted if the code is deployed. This helps you check that the intent of the change is met, prevent downtime and other misconfigurations, and eliminate critical mistakes before they are deployed, by continuously simulating changes as part of the GitOps flow. Lightlytics comes out of the box with dozens of predefined best practices for Availability, Security, Compliance and Cost (Architectural Standards). Each best practice is validated every time a change is made.

Simulating example #1 - Amazon Relational Database Service (RDS)
Overview:

Amazon Relational Database Service is a distributed relational database service by Amazon Web Services. It is a web service running "in the cloud" designed to simplify the setup, operation, and scaling of a relational database for use in applications.

The misconfiguration:

The example below contains a non-encrypted, publicly accessible RDS instance in a single AZ, using the default port for accepting DB connections. RDS database instances should be encrypted to fulfill compliance requirements for data-at-rest encryption. This is especially important for production databases that store sensitive information. This configuration is critical, is often overlooked, and results in data leaks, which can be your worst nightmare.

When your RDS instance is public, it provides unrestricted access for anyone and everyone to establish a connection to your database. Having this misconfiguration is an open invitation to brute-force attacks, DDoS attacks, and SQL injections.

Preventing these misconfigurations, along with the others, will also make your cloud CIS, SOC2, PCI DSS, HIPAA and GDPR compliant.

Misconfigured Terraform code for simulation:

resource "aws_db_instance" "test_rds" {
  name                    = "test_rds"
  identifier              = "test-rds"
  db_subnet_group_name    = aws_db_subnet_group.test_db_subnet_group.name
  port                    = 3306          # misconfiguration: default MySQL port
  multi_az                = false         # misconfiguration: single AZ, no failover
  storage_encrypted       = false         # misconfiguration: no encryption at rest
  availability_zone       = "us-east-1a"
  backup_retention_period = 0             # no automated backups are kept
  allocated_storage       = 20
  storage_type            = "gp2"
  engine                  = "mysql"
  engine_version          = "5.7"
  instance_class          = "db.r4.large"
  username                = "demo"
  password                = "demo123123"  # demo credential, hard-coded for the simulation
  skip_final_snapshot     = true
  vpc_security_group_ids  = [aws_security_group.project-iac-sg.id]
  tags = {
    Name = "test_rds"
  }
  publicly_accessible     = true          # misconfiguration: reachable from the Internet
}

Simulation results: Run details and meta-data

In the left sidebar, you will find general details and meta-data of the simulation run such as time and date, the Version Control or CI platform the simulation was triggered from, PR and Commit ID, source and dest branches, and a summary of the number of resources that will be changed on apply.

Change Summary

The change summary tab shows details about the changes that are about to be made to a resource configuration and the impact the change will have on a given environment.

In our example, we can see various changes affecting the RDS instance, introducing several common misconfigurations:

All Violations

The simulation alerts us about common RDS misconfigurations such as:

(Critical) Ensure RDS database instances have storage encryption enabled

(Critical) Ensure RDS database instances are not accessible via Internet (Network and API)

(Warning) Ensure RDS instances have Storage AutoScaling feature enabled

(Warning) Ensure RDS instances have Multi-AZ enabled

(Info) Resource has access to RDS database

(Info) Ensure RDS database instances have Copy Tags to Snapshots enabled

(Info) Ensure RDS is not using the default port 3306

(Info) Ensure RDS MySQL and PostgreSQL database instances have Performance Insights feature enabled
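The Terraform attributes flagged above (encryption, public accessibility, Multi-AZ, storage autoscaling, default port, tags on snapshots, Performance Insights) can all be evaluated from the planned resource state alone. The example below, added here and not code from the article or from Lightlytics, implements those best-practice checks over the `resource_changes[].change.after` map that `terraform show -json` emits for a plan. The plan JSON is a constructed, abridged sample mirroring the misconfigured instance above; the check titles follow the article's violation list, and the default-port check is generalized to a per-engine table (an assumption of this example). The "Resource has access to RDS database" finding is omitted because it needs the surrounding cloud state, not just the plan. A `hardened_plan` helper applies the remediations the article implies, so the same checks can be run on the weak and the corrected configuration side by side.

```python
import json

# Constructed sample of `terraform show -json` plan output, abridged to the
# attributes the checks read. Not taken from the article or from Lightlytics.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "resource_changes": [{
        "address": "aws_db_instance.test_rds",
        "type": "aws_db_instance",
        "change": {
            "actions": ["create"],
            "before": None,
            "after": {
                "identifier": "test-rds",
                "engine": "mysql",
                "port": 3306,
                "multi_az": False,
                "storage_encrypted": False,
                "publicly_accessible": True,
                "backup_retention_period": 0,
                "max_allocated_storage": None,       # storage autoscaling off
                "copy_tags_to_snapshot": False,
                "performance_insights_enabled": False,
            },
        },
    }],
})

# Assumed per-engine default ports (generalizes the article's "port 3306" check).
DEFAULT_PORTS = {"mysql": 3306, "mariadb": 3306, "postgres": 5432}

# (severity, title, predicate). The predicate returns True when the planned
# attribute map violates the best practice.
CHECKS = [
    ("Critical", "Ensure RDS database instances have storage encryption enabled",
     lambda a: not a.get("storage_encrypted")),
    ("Critical", "Ensure RDS database instances are not accessible via Internet",
     lambda a: bool(a.get("publicly_accessible"))),
    ("Warning", "Ensure RDS instances have Storage AutoScaling feature enabled",
     lambda a: not a.get("max_allocated_storage")),
    ("Warning", "Ensure RDS instances have Multi-AZ enabled",
     lambda a: not a.get("multi_az")),
    ("Info", "Ensure RDS database instances have Copy Tags to Snapshots enabled",
     lambda a: not a.get("copy_tags_to_snapshot")),
    ("Info", "Ensure RDS is not using the default port",
     lambda a: a.get("port") == DEFAULT_PORTS.get(a.get("engine"))),
    ("Info", "Ensure RDS MySQL and PostgreSQL database instances have Performance Insights feature enabled",
     lambda a: a.get("engine") in ("mysql", "postgres")
     and not a.get("performance_insights_enabled")),
]

SEVERITY_RANK = {"Critical": 3, "Warning": 2, "Info": 1}


def evaluate_plan(plan_json):
    """Return (severity, address, title) findings for every aws_db_instance
    the plan creates or updates; destroyed instances are skipped."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_db_instance":
            continue
        change = rc.get("change", {})
        if change.get("after") is None:
            continue  # nothing will exist after apply, nothing to validate
        after = change["after"]
        for severity, title, violated in CHECKS:
            if violated(after):
                findings.append((severity, rc["address"], title))
    return findings


def highest_severity(findings):
    """Numeric rank of the worst finding (0 when the plan is clean)."""
    return max((SEVERITY_RANK[s] for s, _, _ in findings), default=0)


def blocks_merge(findings, threshold="Warning"):
    """GitOps gate: True when any finding is at or above the threshold."""
    return highest_severity(findings) >= SEVERITY_RANK[threshold]


def hardened_plan(plan_json):
    """Copy of the plan with the remediations the article implies applied."""
    plan = json.loads(plan_json)
    for rc in plan.get("resource_changes", []):
        if rc.get("type") == "aws_db_instance" and rc["change"].get("after"):
            rc["change"]["after"].update({
                "storage_encrypted": True, "publicly_accessible": False,
                "multi_az": True, "max_allocated_storage": 100,
                "copy_tags_to_snapshot": True, "performance_insights_enabled": True,
                "port": 3307, "backup_retention_period": 7,
            })
    return json.dumps(plan)


if __name__ == "__main__":
    for sev, addr, title in evaluate_plan(SAMPLE_PLAN_JSON):
        print(f"({sev}) {addr}: {title}")
    print("after hardening:", evaluate_plan(hardened_plan(SAMPLE_PLAN_JSON)))
```

Run against the sample plan this reports two Critical, two Warning and three Info findings and `blocks_merge` returns True; after `hardened_plan` the same checks return no findings. In a real pipeline the JSON would come from `terraform plan -out=tfplan && terraform show -json tfplan`, and the gate would run before the apply step.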

All Impacts

A summary of all of the impacts that the configuration change will have on the environment.

You can click on any group of resources to view all the relevant paths.

In the example below, we can see the RDS instance is internet exposed via the allowed default port (3306).

Allowed ports:

In addition, we can explore new connections from various resources within the cloud environment, such as Lambda function, Auto Scaling groups, EC2 instances, EKS cluster and more:

To get more context and understand how these changes are going to impact your cloud environment in terms of reachability, network connectivity, exposure paths and accessibility, you can review the impacts by Topology:

Or by Edges:
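The impacts shown in the Topology and Edges views come from merging the planned RDS instance with the security groups and workloads that already exist in the account, which a plan file alone cannot tell you. The example below, added here and not code from the article or from Lightlytics, illustrates that merge on a constructed cloud-state snapshot: a security group attached to the planned instance that allows the DB port from 0.0.0.0/0 and from an application security group, plus a Lambda function, an EC2 instance and an Auto Scaling group attached to various groups. The state shape, the resource identifiers and the security group ids are assumptions of this example. It derives the "internet exposed via the allowed port" impact and the "Resource has access to RDS database" edges, and shows how the edge list changes when `publicly_accessible` is switched off.

```python
import ipaddress

# Constructed snapshot of the current cloud state (ids and layout are made up).
CURRENT_STATE = {
    "security_groups": {
        "sg-db": {"ingress": [
            {"from_port": 3306, "to_port": 3306, "cidr": "0.0.0.0/0"},
            {"from_port": 3306, "to_port": 3306, "source_sg": "sg-app"},
        ]},
        "sg-app": {"ingress": []},
        "sg-batch": {"ingress": []},
    },
    "resources": [
        {"id": "lambda:order-api", "type": "aws_lambda_function", "security_groups": ["sg-app"]},
        {"id": "i-0abc1234", "type": "aws_instance", "security_groups": ["sg-app"]},
        {"id": "asg:nightly-batch", "type": "aws_autoscaling_group", "security_groups": ["sg-batch"]},
    ],
}

# Planned attributes of the RDS instance, as they would appear after apply.
PLANNED_DB = {
    "address": "aws_db_instance.test_rds",
    "port": 3306,
    "publicly_accessible": True,
    "vpc_security_group_ids": ["sg-db"],
}


def rule_covers_port(rule, port):
    """True when an ingress rule's port range includes the DB port."""
    return rule["from_port"] <= port <= rule["to_port"]


def db_ingress_rules(db, state):
    """All ingress rules of the security groups the planned DB will use."""
    rules = []
    for sg_id in db["vpc_security_group_ids"]:
        rules.extend(state["security_groups"].get(sg_id, {}).get("ingress", []))
    return rules


def internet_exposure(db, state):
    """Returns the allowed port when the DB is public AND a 0.0.0.0/0 (or ::/0)
    rule covers it; None otherwise. Both conditions are required, which is why
    the article lists the API flag and the network path together."""
    if not db.get("publicly_accessible"):
        return None
    for rule in db_ingress_rules(db, state):
        cidr = rule.get("cidr")
        if cidr and ipaddress.ip_network(cidr).prefixlen == 0 and rule_covers_port(rule, db["port"]):
            return db["port"]
    return None


def access_edges(db, state):
    """(source id, DB address, port) for each existing workload whose security
    group is referenced by a rule that allows the DB port; these are the new
    edges the change introduces, regardless of the public flag."""
    allowed_sgs = {
        rule["source_sg"] for rule in db_ingress_rules(db, state)
        if rule.get("source_sg") and rule_covers_port(rule, db["port"])
    }
    return sorted(
        (res["id"], db["address"], db["port"])
        for res in state["resources"]
        if allowed_sgs.intersection(res["security_groups"])
    )


def impact_summary(db, state):
    """Findings in the article's style for the merged plan + state."""
    findings = []
    port = internet_exposure(db, state)
    if port is not None:
        findings.append(("Critical", f"{db['address']} is internet exposed via allowed port {port}"))
    for src, dst, p in access_edges(db, state):
        findings.append(("Info", f"{src} has access to {dst} on port {p}"))
    return findings


if __name__ == "__main__":
    for sev, msg in impact_summary(PLANNED_DB, CURRENT_STATE):
        print(f"({sev}) {msg}")
    private_db = dict(PLANNED_DB, publicly_accessible=False)
    print("private instance edges:", access_edges(private_db, CURRENT_STATE))
```

For the constructed state the public instance is reported as exposed on 3306 and gains edges from the Lambda function and the EC2 instance (both in sg-app), while the Auto Scaling group in sg-batch gets none. Making the instance private removes the exposure finding but leaves the sg-app edges in place, which is exactly the distinction the Topology and Edges views are there to surface.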

A real-time CloudTwin is the most efficient way to simulate changes and predict the outcome. This series will explore just a few of the ways a CloudTwin can solve complexities in your cloud and help you prevent mistakes before they happen. In the next part of this series we will explore more simulation strategies on a CloudTwin to enable you to get a better understanding of your cloud.

To test-drive our system and see how we make cloud deployment simple and efficient, click here.

About Stream Security

Stream.Security delivers the only cloud detection and response solution that SecOps teams can trust. Born in the cloud, Stream's Cloud Twin solution enables real-time cloud threat and exposure modeling to accelerate response in today's highly dynamic cloud enterprise environments. By using the Stream Security platform, SecOps teams gain unparalleled visibility and can pinpoint exposures and threats by understanding the past, present, and future of their cloud infrastructure. The AI-assisted platform helps to determine attack paths and blast radius across all elements of the cloud infrastructure to eliminate gaps and accelerate MTTR by streamlining investigations, reducing knowledge gaps while maximizing team productivity and limiting burnout.
