Terraform adds new pre-written Sentinel policies for AWS Foundational Security Best Practices
HashiCorp and AWS introduced a new pre-written policy library to help organizations meet the AWS Foundational Security Best Practices (FSBP) standard.
Building on our recent release of pre-written Sentinel policies for Center for Internet Security (CIS) standards, which has already surpassed 550K downloads, we're proud to announce the release of a new set of pre-written Sentinel policies for AWS. These new policy sets aim to lower the barrier to adopting policy as code and help organizations meet the AWS Foundational Security Best Practices (FSBP). The FSBP Sentinel policies are co-created and co-owned by HashiCorp and AWS, and are now available for use in the Terraform Registry.
These policy sets aim to provide a turnkey solution to complex governance challenges and empower organizations to move faster without trade-offs between speed and security. This joint effort highlights the unique value of pairing AWS’s cloud infrastructure with HashiCorp’s automation and security capabilities.
» Challenges in policy adoption
Sentinel is an embeddable policy as code framework that provides logic-based policy enforcement over infrastructure configurations in HashiCorp Terraform and other HashiCorp product configurations. This approach lets organizations treat policies like application code, meaning the policies can be version controlled, audited, tested, and understood by stakeholders across the organization. Sentinel policies help organizations control what Terraform users are allowed to do, for example ensuring that certain thresholds for infrastructure provisioning are not exceeded, or that a resource cannot be created without a required security setting.
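To make the "policies as code" idea concrete, here is an added example of what a Sentinel policy in this style looks like. It is not one of the HashiCorp/AWS FSBP policies and is not taken from the page: it reads the Terraform plan through the tfplan/v2 import and fails if any S3 public-access-block resource being created or updated leaves one of its four settings off. The resource type and attribute names are those of the AWS provider's aws_s3_bucket_public_access_block resource; the policy structure and messages are my own.

```sentinel
# Added example, not part of the HashiCorp/AWS FSBP policy library.
# Uses the tfplan/v2 import available in HCP Terraform and Terraform Enterprise.
import "tfplan/v2" as tfplan

# Every aws_s3_bucket_public_access_block that the plan creates or updates.
# Deletions are skipped: there is no "after" state to inspect.
pabs = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_s3_bucket_public_access_block" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# The four settings that together block public access. A setting that is
# omitted from the configuration is treated as false, matching the provider's
# behaviour for an unset argument.
required = [
	"block_public_acls",
	"block_public_policy",
	"ignore_public_acls",
	"restrict_public_buckets",
]

# A resource violates the policy if any of the four settings is not true.
violations = filter pabs as _, rc {
	any required as attr {
		(rc.change.after[attr] else false) is not true
	}
}

# Name each offender in the run output so the author knows what to fix.
for violations as address, _ {
	print("aws_s3_bucket_public_access_block", address,
		"must set block_public_acls, block_public_policy,",
		"ignore_public_acls and restrict_public_buckets to true")
}

# The policy passes only when no violating resource is in the plan.
main = rule {
	length(violations) is 0
}
```

Because the check runs against the plan, the offending bucket configuration never reaches AWS; the policy is preventive rather than a detective finding raised after the fact. The `else false` guards matter in practice: an attribute absent from `change.after` is undefined in Sentinel, and comparing an undefined value would not yield the boolean the filter needs.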
While Sentinel can be used as a powerful tool to ensure cloud governance at scale, we understand that adopting policy as code workflows may be a daunting and time-consuming process. This is especially true for organizations that lack the resources and expertise to write policies from scratch. Starting from the ground up can lead to significant delays in the development and implementation of policies, and increase the risk of human error and misconfigurations.
» Introducing co-owned, pre-written policy sets with AWS
To address these challenges, HashiCorp and AWS have co-developed multiple libraries of pre-written Sentinel policies that cover a wide range of use cases, including security, compliance, and operational efficiency. These policies have been written by experts with years of experience in the industry, and have been tested and validated to ensure their reliability and efficiency. The policies are also customizable, allowing organizations to quickly adjust them to meet their specific needs.
The policies released today are written specifically for AWS services in line with the AWS Foundational Security Best Practices (FSBP) standard. The FSBP standard is a set of controls that can detect when your AWS accounts and resources deviate from security best practices, and it provides actionable, prescriptive guidance on how to improve and maintain your organization's security posture. Where the FSBP controls in AWS Security Hub evaluate resources that already exist, the Sentinel policies evaluate the Terraform plan before apply, so a misconfiguration can be caught before the resource is created.
Users can now discover the policies via the Terraform Registry policy library or the FSBP policies GitHub repo. With HCP Terraform's native Sentinel integration, users can quickly deploy the policy sets into their HCP Terraform organizations. You can also use the Terraform module for onboarding FSBP policy sets.
For guidance on how to run pre-written Sentinel policies, visit our documentation on the topic.
See how to quickly implement pre-written Sentinel policies in this demo video, which uses the CIS policies as an example.
After deploying these policies, administrators can set three different enforcement levels:
- Hard mandatory: If a policy fails, the run stops. You must resolve the failure to proceed.
- Soft mandatory: Lets an organization owner or a user with override privileges proceed with the run in the event of failure.
- Advisory: Notifies you of policy failures but lets the run proceed. All the pre-written policies are set to this level by default, so until you raise the enforcement level they only report findings and never block an apply.
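The enforcement level of each policy in a set is declared in the set's sentinel.hcl, as in this added example of a policy set configuration that raises two policies above the shipped "advisory" default. It is not the configuration that ships with the FSBP library; the policy names and file paths are hypothetical.

```hcl
# Added example: a Sentinel policy set configuration (sentinel.hcl).
# Policy names and file paths are hypothetical.

# Hard mandatory: a failure stops the run and cannot be overridden.
policy "s3-block-public-access" {
  source            = "./policies/s3-block-public-access.sentinel"
  enforcement_level = "hard-mandatory"
}

# Soft mandatory: a failure stops the run unless an organization owner or a
# user with override privileges chooses to proceed.
policy "ebs-volume-encryption-enabled" {
  source            = "./policies/ebs-volume-encryption-enabled.sentinel"
  enforcement_level = "soft-mandatory"
}

# Advisory: a failure is reported in the run output and the run continues.
# This is the level the pre-written policy sets use by default.
policy "iam-password-policy-length" {
  source            = "./policies/iam-password-policy-length.sentinel"
  enforcement_level = "advisory"
}
```

A practical rollout is to keep a newly imported set at advisory for a few cycles, review the findings it reports, then move the policies that matter most to soft mandatory and, once the false positives are understood, to hard mandatory. A policy left at advisory provides visibility, not a guardrail.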
With Sentinel, organizations can consistently enforce policies of varying strictness across all of their infrastructure efficiently at scale. These pre-written policies should help organizations using AWS jumpstart their policy as code adoption—unlocking more speed and more security with no trade-offs.
» Next steps
Want to see Sentinel policies in action? Check out this video and blog to see how Fannie Mae, a well-known and highly regulated financial institution, uses Sentinel to enforce 400+ preventative security, architectural, and financial guardrails to make sure its infrastructure meets compliance requirements.
You can also try HCP Terraform out for free and see the benefits of policy as code workflows. For more information on Sentinel’s language and specifications, visit the Sentinel documentation page. If you would like to engage with the community to discuss information related to Sentinel use cases and best practices, visit the HashiCorp Community Forum.
If you are attending AWS re:Inforce June 16 - 18 in Philadelphia, join HashiCorp and AWS for this Lightning Talk:
Scaling cloud compliance & governance with Terraform and AWS | Session ID: GRC121-S
As organizations scale on AWS, managing compliance and governance grows more complex. Manual enforcement of security policies often leads to inefficiencies and increased risk. To address this, enterprises are adopting policy-as-code and infrastructure automation. In this session, learn how AWS and HashiCorp Terraform help automate governance with embedded policy controls, enforce compliance with frameworks like CIS and SOC 2, and prevent misconfigurations before deployment. This will be a 15 minute talk on the expo floor, date and time to follow.