control-broker 0.12.3

Control Broker allows customers to deploy an HTTP API on AWS that executes Policy as Code (PaC) policies using Open Policy Agent (OPA) or CloudFormation Guard to evaluate inputs and return decisions.

Control Broker

Give everyone in your organization subsecond security and compliance decisions based on the organization's latest policies.

Contributing

Please see CONTRIBUTING.md.

Features

• Runs a Policy as Code service as a serverless AWS application - you bring the policies, and Control Broker helps you store, organize, and use them - plus it helps you monitor, and analyze their usage.
• Defined in the AWS Python CDK for push-button, repeatable deployment.
• Can be invoked from anywhere in your environment that can invoke an API Gateway API.
• Supports policies written for Open Policy Agent (CloudFormation Guard planned).
• Also helps with notifications, auditing, and analysis of discovered compliance issues.

Example use cases

• Using the Control Broker from a CodePipeline application pipeline to block deployment of non-compliant CDK resources
• Using the Control Broker to detect non-compliant changes to deployed resources with AWS Config
• Using the Control Broker from a development machine to evaluate IaC against the organization's latest security policies as it is being written

Deploying Your Own Control Broker

Note: You can change the name of the secret that Control Broker uses by changing the value of the "control-broker/secret-config/secrets-manager-secret-id" context variable.-->

Deploy the CDK app

Install the AWS CDK Toolkit v2 CLI tool.

If you encounter issues running the cdk commands below, check the version of aws-cdk-lib from ./requirements.txt for the exact version of the CDK library used in this repo. The latest v2 version of the CDK Toolkit should be compatible, but try installing the CDK Toolkit version matching requirements.txt before trying other things to resolve your issues.

Clone this repo to your machine before proceeding.

Follow the setup steps below to properly configure the environment and first deployment of the infrastructure.

To manually create a virtualenv on MacOS and Linux:

$ python3 -m venv .venv

After the init process completes and the virtualenv is created, you can use the following step to activate your virtualenv.

$ source .venv/bin/activate

If you are on a Windows platform, you would activate the virtualenv like this:

% .venv\Scripts\activate.bat

Once the virtualenv is activated, you can install the required dependencies.

$ pip install -r requirements.txt

Bootstrap the cdk app:

cdk bootstrap

At this point you can deploy the CDK app for this blueprint:

$ cdk deploy

After running cdk deploy, the Control Broker will be set up.

Next Steps

Try launching one of the Example use cases!