Cloudrail is a context-aware cloud security tool that will audit your cloud environment and your IaC templates in order to build a security context of the resources being deployed to determine the security risks. The goal of Cloudrail is to be integrated within a CI/CD pipeline to catch violations of your security policy before they make it into the production environment.
Cloudrail's main advantages vs existing tools are:
- The understanding of relationships between resources (for example, a given security group can be problematic or not, depending on how it's used)
- Taking into account the live cloud environment, and its potential impact on the resources in the IaC code
- Support for tfvars, runtime variables and modules (Cloudrail reviews the full plan, instead of specific .tf files)
- Find out if a public instance and a private instance use the same role
- Identify if a Default Security Group is in use AND open
- Take into consideration the account-level Public Access Block for S3 buckets
- Calculate if a VPC endpoint should be used, and whether it's used correctly
- Do not alert about a resource being public if it isn't
Cloudrail currently supports Terraform files used with the AWS cloud provider.
- Container execution environment (such as Docker Desktop)
- Terraform >= 0.12
Cloudrail is a cloud-hosted service (SaaS) that receives a filtered version of your Terraform plan, merges it (in memory) with your cloud account's current snapshot, and runs context-aware rules on the merged model. To do this, the Cloudrail CLI container will receive your Terraform plan, reduce it to a minimal version we need for analysis (what we call "Terraform context"), and then upload that minimal version to our service.
This ensures no highly-sensitive content from the plan ever leaves your network.
Go to https://web.cloudrail.app to sign up for Cloudrail. This will include adding your cloud account, and will provide instructions for downloading and using the Cloudrail CLI container.
Inside the "test" folder you will find several examples you can use to try Cloudrail with. Some of these examples will set up vulnerable resources that are detected by Cloudrail as such. A few of these examples are not vulnerable, and are there to show Cloudrail's context awareness.
Now it's time for you to try Cloudrail with your own scenarios. Simply follow the same process - "terraform init", "terraform plan -out=plan.out" and "cloudrail run".
If you encounter any error, please let us know in the Indeni Slack channel #cloudrail-user-support. An invite can be received by filling out the form here: https://indeni.com/cloudrail-user-support/