
Getting Started with Open Policy Agent (OPA) To Improve Your Cloud Security

The Open Policy Agent (OPA) is a powerful tool for managing security policies across distributed cloud service environments.

Wiz Experts Team

Part of the Cloud Security Posture Management (CSPM) collection of management products, OPA is designed to automate the deployment of security policies consistently across different technology platforms. 

One of the advantages of OPA is the centralization of security policy management, offering enhancements to policy definition and enforcement across the entire cloud environment from a single point. This is particularly valuable for cloud native application deployments, which often include components from a range of cloud infrastructure services such as virtual machines and serverless, using APIs for integration and CI/CD pipelines for deployment. 

OPA enables organizations to consolidate security, compliance, and operational policies, resulting in more consistent policy application as well as more efficient and effective policy management. Additionally, OPA allows policy management to be decoupled from business logic and service code, which helps to improve performance and availability. 

Organizations can leverage OPA to automate the deployment of security policies, monitor policy compliance in real-time, and remediate issues as they occur. This results in improved security posture, reduced risk, and improved regulatory compliance. 

Learn Rego basics from Wiz to express policy as code for your cloud security 

Comprehensive Cloud Security Posture Management (CSPM) from Wiz provides a continuous compliance management solution with misconfiguration detection and visibility, enabling the continuous improvement of cloud security posture. Wiz resources include Rego basics material to help you learn development of policy as code. 

With a foundation of over 1,400 built-in rules, Wiz provides out-of-the-box support for policy sets designed to detect and remediate misconfiguration in cloud deployments across multiple cloud providers such as GCP, Azure, AWS, OCI, Alibaba, and VMWare. Wiz also provides support for Infrastructure as Code (IaC) in Terraform, CloudFormation, and Azure ARM templates. Wiz offers pre-configured cross-cloud policies that provide comprehensive compliance coverage across 35 frameworks, as well as a starting point for your own Rego policies. 

Building upon the built-in OPA-based rules and automated remediation technology, Wiz enables the creation of policies designed using Rego to query cloud-native APIs and ensure compliance with policy regardless of the organization, industry, or regulatory framework. There’s a Rego Guide to help get you started creating your own policies to meet business needs. 

If you’re not ready to independently take on creating cross-cloud policies for cloud-native environments, automate policy management, and ensure centralized, service-driven, policy compliance, we’ve got you covered with our lab environment. The Rego Playground lets you get practical experience with OPA and Rego. 

Overall, Wiz's CSPM solution provides a proactive approach to policy enforcement continuously in real-time, enabling organizations to improve their security posture, reduce risk, and ensure compliance with regulatory requirements. To get hands-on with Rego Language and OPA, you can download Wiz's Rego learning guide. 

What is OPA and why should you use Rego 

Open Policy Agent (OPA) is an open-source policy engine that provides a means to define and enforce security and configuration policies across systems, services, and applications. Rego is the declarative language provided by OPA, which is used to write policies specifying what is allowed or denied in a system. 

Rego was designed for OPA. It is easy to learn and easy to interpret, even for beginners, while being expressive and adaptive enough to cater for more complex use cases. Policies are defined in high-level terms and concepts rather than low-level implementation detail, and policies are created in a modular way, making it easy to manage and reuse components in multiple policies. This approach saves time and results in more consistent policy creation, and there are plenty of examples available to help guide the novice. 

Using Rego with OPA makes it simple to define and enforce policy across multi-cloud infrastructure, from virtual machine to application code. Rego policies can be used to validate requests, enforce access control, implement auditing, and so much more. Centralized management of consistent policy is easy with OPA and Rego, resulting in improved security and compliance without the complexity and overhead often associated with such solutions. 

How to write your first OPA policy 

Writing your first OPA policy breaks down into four simple steps, with examples of the code syntax available in the Wiz Rego guide.

  1. Define a package: A package is a named collection of rules that define a particular policy, so it makes sense to use descriptive terms. To define a package, use the package keyword followed by the package name. For example, to define a package that allows users with an admin role to create new resources, you might choose ‘admin create’. 

  2. Define rules: Rules are the building blocks of OPA. They define the conditions under which a request is allowed or denied. To define a rule, use the default or deny keyword followed by the name of the rule. 

  3. Provide inputs: Inputs define the data that the OPA policy will use to make decisions. To define an input, use the input keyword followed by the name of the input variable. 

  4. Test your policy: Once your OPA policy has been created, test it by sending sample input to OPA and verifying that it returns the expected result. 
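The four steps above in one file, as an added example that is not taken from the Wiz Rego guide. The package name `admin_create`, the input fields `action` and `user.roles`, and the sample users are assumptions made for illustration. Note that `input` is read by field path (for example `input.user.roles`), and that `deny` here is an ordinary rule name.

```rego
# Added example; package name, input fields and sample data are constructed.
# Step 1: the package. Rego package names cannot contain spaces, so the
# 'admin create' idea is written as admin_create.
package admin_create

import rego.v1

# Step 2: the rules. Deny by default, so missing or malformed input
# can never result in an allow decision.
default allow := false

# True only when the caller's role list contains "admin".
is_admin if "admin" in input.user.roles

# Step 3: the input. Decisions are made from fields of the `input` document.
allow if {
	input.action == "create"
	is_admin
}

# A human-readable reason that can be logged when a create request is refused.
deny contains msg if {
	input.action == "create"
	not is_admin
	msg := "create requires the admin role"
}

# Step 4: the tests. `with input as` supplies constructed sample input.
test_admin_can_create if {
	allow with input as {"action": "create", "user": {"name": "alice", "roles": ["admin"]}}
}

test_non_admin_is_denied if {
	not allow with input as {"action": "create", "user": {"name": "bob", "roles": ["viewer"]}}
}

# Edge case: no roles field at all must still be denied by the default.
test_missing_roles_is_denied if {
	not allow with input as {"action": "create", "user": {"name": "eve"}}
}

test_denial_has_reason if {
	"create requires the admin role" in deny with input as {"action": "create", "user": {"name": "bob", "roles": []}}
}
```

Saved as `admin_create.rego`, the file can be checked with `opa test admin_create.rego -v`, which runs every rule whose name starts with `test_`.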

And that's it! You’ve just written your first OPA policy. From here, you can explore more advanced policies, integrate OPA into your infrastructure, and use OPA to enforce policies consistently across your technology environments. 

Learn OPA & Rego basics 

It’s easy to learn the basics of OPA and Rego with Wiz. Take the built-in rules and cross-cloud policies provided straight out of the box to develop your own policies quickly and easily. Use our Rego Guide to get started with creating policies to meet your requirements, and get hands-on with the Rego Playground, the OPA and Rego lab environment. 

You’re welcome to learn more about Wiz Cloud Security Posture Management, and to get started with OPA and Rego, get in touch for a CSPM demo.