AWS Marketplace

Bridging the compliance gap: Identifying issues early in the software development lifecycle

Modern Governance, Risk, and Compliance (GRC) solutions often lack coverage across the software development lifecycle (SDLC), especially for infrastructure as code (IaC) misconfigurations found directly in the codebase. This leaves a significant gap in security and compliance. It can take over 20 days to fix an identified compliance issue in production, and GRC tools struggle to keep up with the rapid pace of change and new releases deployed by engineering teams. GRC solutions are often viewed as a roadblock to development, rather than an enabler of secure innovation.

Drata, an AWS Security Competency Partner available in AWS Marketplace, has released Compliance as Code to address this gap. Drata’s continuous, automated security and compliance monitoring platform enforces, monitors, and collects evidence of controls from code to production.

Drata’s Compliance as Code solution integrates deeply across a wide range of Amazon Web Services (AWS) services to seamlessly incorporate compliance into your cloud infrastructure. By integrating with AWS CloudFormation, Drata automatically scans IaC and identifies misconfigurations. For customers using AWS Lambda for serverless computing, Drata provides specialized tests to secure runtime configurations. And for API-driven architectures built on Amazon API Gateway, Drata can test whether a web application firewall is in place to help meet critical compliance requirements. This tight integration between Drata and AWS offerings incorporates compliance into the development process from the beginning, saving time, reducing risk, and ensuring cloud environments are secure and compliant from the ground up.

In this post, we demonstrate how Drata helps AWS customers accelerate their usage of cloud technologies, automate compliance, and remain compliant.

Challenges with the current approach

Traditional compliance efforts present several challenges, including the following:

  • Rate of change – With rapid development and continual innovation, engineering teams can quickly build and deliver new features and capabilities by using AWS Cloud services. IaC further enables this rapid delivery because it means users can define the services their applications run on (such as network, compute, or storage) using code. Traditional GRC tools can’t keep up with the pace of change within the SDLC. It’s difficult for even larger security and compliance teams to review each change manually and understand how these changes impact their controls and audit readiness.
  • Increased risk – When issues are identified after deployment, it creates an increased risk to the business. The risk can range from delaying audit readiness to a security breach that can impact business revenue, reputation, and customer trust.
  • Cost of re-architecture – Compliance issues can require engineering teams to re-architect their applications to address the services that are used or how the application networking is configured. These changes often require engineering resources and can slow down the development process, impacting business agility.

Prerequisites

To get started incorporating Drata Compliance as Code across your development lifecycle, you need to have the following prerequisites in place:

  1. Use your AWS account ID to find and subscribe to Drata in AWS Marketplace.
  2. Accept the AWS Marketplace Private Offer.
  3. After subscribing, you can access and configure the Drata platform.

Solution overview

You can integrate Drata Compliance as Code within your version control systems, such as GitHub and Bitbucket, and continuous integration and continuous deployment (CI/CD) tools such as GitHub Actions. When changes are made to infrastructure, Compliance as Code provides more than 30 tests that scan for misconfigurations that impact compliance and security across popular AWS services. These tests are mapped to a library of built-in controls and standard framework requirements, enabling teams to quickly understand how misconfigurations impact their GRC controls and requirements across industry frameworks such as AWS System and Organization Controls (SOC) 2, National Institute of Standards and Technology (NIST), and Health Insurance Portability and Accountability Act (HIPAA).

Drata then provides remediations for any identified issues by creating automated pull requests within the AWS customer’s version control system. The pull requests allow engineering teams to quickly review and apply Drata recommendations to maintain security and compliance. Having an automated pull request helps engineering teams quickly identify impacted GRC controls, infrastructure configurations impacting the control, and how to fix them.

The following graphic demonstrates the straightforward nature of incorporating Drata Compliance as Code across your entire development lifecycle tooling.

Figure 1: Drata proactively enforces controls and quickly addresses compliance and security gaps throughout the SDLC

Figure 2: Solution Architecture

Solution walkthrough: Identifying compliance issues early in the software development lifecycle

To integrate Drata Compliance as Code into your version control systems, follow the steps in the next sections.

Integrating with GitHub

Integrating with GitHub is a seamless process:

  1. Install the GitHub App with read permissions to enable Drata to access the repositories containing IaC resources such as Terraform. Drata requires write permissions to create pull requests with code change recommendations.
  2. Connect to GitHub using the codebase connection. On the Connections page, select Codebase for the Connection Type. Click on the Available Connections tab. Then select your Codebase Provider (e.g., GitHub) as shown in the following screenshot.
Figure 3: Users can quickly connect to GitHub using Drata

  3. Configure your GitHub application and select the IaC repositories to bring into Drata (recommended). Alternatively, you can bring them all in and filter on Drata’s end as well.
Figure 4: Users can configure which IaC repositories to bring into Drata or connect all IaC repositories

  4. Configure your application branch to scan and choose whether to create pull requests.
Figure 5: Drata users can configure the application branch for scanning and have the option to create pull requests

For information on how to automate monitoring and create pull requests within Drata, refer to Connecting GitHub Code to Drata in the Drata documentation.

After users have enabled and configured Drata Compliance as Code for a repository, Drata will identify issues and automatically create pull requests with recommendations to address issues impacting controls.

Integrating Drata Compliance as Code into pipelines (CI/CD tools)

In addition to integrating with version control systems, you can integrate Drata Compliance as Code within your CI/CD pipelines. By doing so, you can create guardrails within your CI/CD pipelines to make sure that you only deploy secure and compliant infrastructure. You can incorporate Drata tests to run prior to deployment in your pipeline. Drata offers flexible configuration options to allow organizations to create guardrails that follow their policies and development lifecycle practices.

The following use case shows how Drata helps identify and remediate IaC misconfigurations that impact GRC controls.

A site reliability engineer (SRE) is helping an engineering team add APIs that can serve data analytics to their customers. The public-facing API requires new AWS components and services such as AWS Lambda, Amazon CloudFront, Amazon DynamoDB, and Amazon API Gateway. The SRE team writes Terraform to define how the new services are instantiated and configured, along with architectural changes to make sure the APIs are available over the public internet.

When changes are incorporated into the version control system, Drata Compliance as Code scans the repository for any changes and identifies controls needed to promote compliance. Here are examples of tests that are run:

  1. TLS enforcement – Make sure that cloud resources are configured to encrypt network communication using a secure protocol. The following image shows an example of a Compliance as Code scan that has identified incorrectly configured resources leading to the TLS enforcement control failing.
Figure 6: Drata recommended changes to IaC with a link to version control system identifying the exact location of the issue

  2. Secure runtime configurations – Make sure that your cloud resources are configured securely. In the following image, Compliance as Code has identified a potential security issue in the way the cloud resource runtime is configured and has automatically generated a pull request. The developer can observe the issue and the recommended fix in their environment.
Figure 7: Drata automatically creates pull requests in GitHub

  3. Web application firewall – Make sure that a web application firewall is configured appropriately. In the following image, Compliance as Code checks for potential security and compliance risks related to your cloud resource’s firewall and then provides recommended fixes.
Figure 8: Drata’s recommendations for secure and compliant web application firewall configuration for AWS

  4. Cloud storage versioning enabled – Make sure that cloud storage buckets have versioning enabled. In the following image, recommended guidance is provided for this potential security and compliance risk.
Figure 9: Drata provides remediation guidance for S3 bucket
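To make the kind of check described above concrete, here is a minimal policy-as-code scanner written for this post (it is not Drata’s code and not Drata’s rules) that applies three of the tests above, TLS enforcement, web application firewall, and storage versioning, to a Terraform configuration in JSON syntax. The resource names, the sample configuration, and the exact rule logic (CloudFront viewer policy, a WAFv2 web ACL association per API Gateway stage, an `aws_s3_bucket_versioning` resource per bucket, nested blocks written as single objects) are assumptions of this example.

```python
import json

# Constructed sample in Terraform JSON syntax (.tf.json) that deliberately fails all three checks.
WEAK_TF_JSON = json.dumps({"resource": {
    "aws_cloudfront_distribution": {"api_cdn": {
        "default_cache_behavior": {"viewer_protocol_policy": "allow-all"}}},
    "aws_api_gateway_stage": {"prod": {"stage_name": "prod"}},
    "aws_s3_bucket": {"analytics": {"bucket": "example-analytics"}}}})

# The same configuration after remediation: HTTPS enforced, web ACL attached, versioning on.
FIXED_TF_JSON = json.dumps({"resource": {
    "aws_cloudfront_distribution": {"api_cdn": {
        "default_cache_behavior": {"viewer_protocol_policy": "redirect-to-https"}}},
    "aws_api_gateway_stage": {"prod": {"stage_name": "prod"}},
    "aws_wafv2_web_acl_association": {"prod": {"resource_arn": "${aws_api_gateway_stage.prod.arn}",
                                               "web_acl_arn": "${aws_wafv2_web_acl.api.arn}"}},
    "aws_s3_bucket": {"analytics": {"bucket": "example-analytics"}},
    "aws_s3_bucket_versioning": {"analytics": {"bucket": "${aws_s3_bucket.analytics.id}",
                                               "versioning_configuration": {"status": "Enabled"}}}}})

def _resources(cfg, rtype):
    """Return (name, body) pairs for every resource block of one Terraform type."""
    return cfg.get("resource", {}).get(rtype, {}).items()

def check_tls_enforcement(cfg):
    """TLS enforcement: CloudFront viewers must be forced onto HTTPS (assumed rule)."""
    ok = ("https-only", "redirect-to-https")
    return [f"aws_cloudfront_distribution.{n}: viewer_protocol_policy must require HTTPS"
            for n, b in _resources(cfg, "aws_cloudfront_distribution")
            if b.get("default_cache_behavior", {}).get("viewer_protocol_policy") not in ok]

def check_waf(cfg):
    """Web application firewall: each API Gateway stage needs a WAFv2 web ACL association (assumed rule)."""
    protected = {b.get("resource_arn") for _, b in _resources(cfg, "aws_wafv2_web_acl_association")}
    return [f"aws_api_gateway_stage.{n}: no web ACL association references this stage"
            for n, _ in _resources(cfg, "aws_api_gateway_stage")
            if f"${{aws_api_gateway_stage.{n}.arn}}" not in protected]

def check_versioning(cfg):
    """Cloud storage versioning: each S3 bucket needs a versioning resource set to Enabled (assumed rule)."""
    enabled = {b.get("bucket") for _, b in _resources(cfg, "aws_s3_bucket_versioning")
               if b.get("versioning_configuration", {}).get("status") == "Enabled"}
    return [f"aws_s3_bucket.{n}: versioning is not enabled"
            for n, _ in _resources(cfg, "aws_s3_bucket")
            if f"${{aws_s3_bucket.{n}.id}}" not in enabled]

def scan(tf_json):
    """Parse a .tf.json document and return all findings; an empty list means the scan passed."""
    cfg = json.loads(tf_json)
    return check_tls_enforcement(cfg) + check_waf(cfg) + check_versioning(cfg)
```

`scan(WEAK_TF_JSON)` returns three findings, one per test, and `scan(FIXED_TF_JSON)` returns none, which is the gate a pipeline step would fail or pass on before deployment.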

AWS and Drata: A proactive approach to building secure and compliant cloud infrastructure

The combination of Drata’s Compliance as Code solution and the breadth of AWS Cloud services creates a powerful platform for customers to build secure and compliant cloud infrastructure. By using Drata’s deep integrations with key AWS services (such as AWS Lambda, Amazon CloudFront, Amazon DynamoDB, and Amazon API Gateway), you can automate compliance checks and remediation within your development workflows. Identify and address issues early, before deploying to production, so you can save time, reduce risk, and confirm your applications meet the most stringent compliance requirements. Drata’s ability to map misconfigurations to specific control frameworks further streamlines the compliance process, giving you full visibility and a path to remediating any gaps. Together, Drata and AWS empower customers to innovate rapidly in the cloud while maintaining the highest standards of security and compliance.

AWS and Drata customers can benefit from the breadth and scope of AWS services while maintaining a proactive approach to compliance that starts at the beginning of the software development lifecycle. Drata is an AWS Security Competency Partner, is part of the AWS Global Security and Compliance Acceleration (GSCA) Program, and is available in AWS Marketplace.

Clean-up: Deleting GitHub Integration

Deleting GitHub integration is a simple two-step process:

  1. Navigate to GitHub Connection in Drata – In Drata, find your GitHub connection by navigating to Connections > Active Connections > GitHub Code.
Figure 10: Connection Screen in Drata

  2. Disconnect the GitHub Account – Disconnect the GitHub account by clicking the ‘Ok’ button in the confirmation dialog.
Figure 11: Disconnect Confirmation Screen

Alternatively, you can delete Drata’s application from your GitHub account.

  1. Navigate to GitHub App Settings – Navigate to Drata’s GitHub app by clicking Settings > GitHub Apps and selecting Drata’s app.
Figure 12: GitHub Apps Screen

  2. Uninstall the App – Click the ‘Configure’ button and select Uninstall to remove the app.
Figure 13: Uninstall Drata app from GitHub

About Authors

Ashok Mahajan

Ashok Mahajan is a Senior Solutions Architect at Amazon Web Services. Based in the NYC metropolitan area, Ashok is part of the Global Startup team focusing on security startups and helps them design and develop secure, scalable, and innovative solutions and architectures using the breadth and depth of AWS services and their features to deliver measurable business outcomes. Ashok has over 18 years of experience in information security, is a CISSP, Access Management Specialist, and AWS Certified Solutions Architect, and has diverse experience across the finance, health care, and media domains.

Om Vyas

Om Vyas is a Senior Director of Product at Drata, responsible for strategy and product delivery for Drata’s Continuous Monitoring and Automation and Compliance as Code products. Prior to joining Drata, Om co-founded oak9, a developer-first cloud native security company. Om has over 20 years of experience in information security, software development, DevOps, and cloud.