CSPM (Cloud Security Posture Management) tools have made it easier for businesses to reduce risks in the cloud. One key component of this has been setting the right policies to safeguard organizations for their cloud infrastructure and applications. It is often overlooked how these policies are created and what goes into customizing them. We use Rego, the language used by OPA (Open Policy Agent), to write these policies because Rego is easy to use and highly scalable. To fully understand Rego, let us go over a few basics.
What is OPA and why should you use Rego
Rego is a policy language that supports Open Policy Agent (OPA) and is used to write policies across the cloud stack. At its core, Rego inspects and transforms data, allowing OPA to make policy decisions. Rego, created by Styra, was built for authorization, and was designed to help users express policy as code.
At Styra, we are empowering organizations to more easily build authorization policy that is easy to read and write. Wiz’s use of Rego to configure CSPM checks on cloud resources is a notable example of how we are enabling DevOps, security, and compliance teams to democratize policy and protect their cloud environments.Anders Eknert, Developer Advocate, Styra
At Wiz, we provide customers with thousands of built-in policies to protect them from potential cloud security risks. Customers who prefer to write their own policies can leverage Rego to tune Wiz for their needs.
How to write your first OPA policy
As an example, the policy shown below checks to ensure that the IP ranges of an AWS security group restricts outbound traffic to the public internet. To fully understand this OPA policy, let us go through each line step-by-step.
Line 1: Every Rego policy has a package name that defines the scope of that policy.
Line 3: Import future.keyworks package into the scope of this policy so it can be referred to.
Line 5: Define default result as pass.
Line 7: IPs is a variable that represents all internet IP ranges.
Line 9: Result will fail if the condition inside the bracket is true.
Lines 10-11: Input.IpPermissionsEgress[permission] is running a loop for every Egress rule. And then we are calling the unrestrictedDestinationIPs function for each of those Egress rules.
Lines 14-18: The function unrestrictedDestinationIPs returns a boolean value “true” if the Egress rule allows all internet IP ranges.
To help you get started, we have developed a Rego guide to help you write policies for your business needs. You can also visit Styra Academy and take a course covering the topic or visit the Rego Playground to try Rego in a hands-on lab environment.