Linting cloud infrastructure (part 2)
In our last blog post we introduced the concept linting through the prism of infrastructure-as-deployed and went over three simple example queries. Continuing our series on linting your cloud infrastructure, we’ll go over three new queries of successively increasing complexity.
A common area of infrastructure lint that cascades additional cruft is when engineers write one off Python/Go or bash/jq to get answers about their infrastructure. Whether it ends up as throwaway code or kept running, maintaining them creates unnecessary toil and busy work that modern teams really ought not to deal with. Further exacerbating the situation for these scripts is the fact that as teams shift to multi-account layouts within their organizations, correctly iterating through all accounts and regions while juggling credentials can be tricky. Finding infrastructure lint shouldn’t further incur more technical debt in even getting to the point of asking the question.
Just like osquery made it easy to ask questions that were previously squirreled away in brittle scripts, Introspector makes it easy to ask questions about your infrastructure.
We’ll look at some use cases and example Introspector queries we’ve seen our customers ask of their infrastructure that previously lived in one-off Go programs or bash scripted AWS cli calls strung together.
- As a team we have a policy that users that have not logged in to the console in over 3 months get their credential disable until they are in need of it again in the future. Give me a list of all idle users.
- As a team we have a policy that states all records that point to internal resources must be of type
ALIAS
; to support our migration of our Route53 config over to Terraform, give me a list of allA
records that point to RFC1918/private network IP addresses. - As a team we have a policy to disable access keys that haven’t been used in over 3 months. Give me a list of all users that who have active access keys that are stale. Note that AWS users have the ability to have 2 access keys.
While these SQL queries appear lengthy, teams get the benefit of deprecating their brittle one-off scripts. As more and more tools are shifted to structured configuration systems like Introspector teams can have a centrally maintainable place for asking questions about their infrastructure settings and configs.