Control Broker allows customers to deploy an HTTP API on AWS that executes Policy as Code (PaC) policies using Open Policy Agent (OPA) or CloudFormation Guard to evaluate inputs and return decisions.
Project description
Control Broker
Give everyone in your organization subsecond security and compliance decisions based on the organization's latest policies.
Contributing
Please see CONTRIBUTING.md.
Features
- Runs a Policy as Code service as a serverless AWS application - you bring the policies, and Control Broker helps you store, organize, and use them - plus it helps you monitor, and analyze their usage.
- Defined in the AWS Python CDK for push-button, repeatable deployment.
- Can be invoked from anywhere in your environment that can invoke an API Gateway API.
- Supports policies written for Open Policy Agent (CloudFormation Guard planned).
- Also helps with notifications, auditing, and analysis of discovered compliance issues.
Example use cases
- Using the Control Broker from a CodePipeline application pipeline to block deployment of non-compliant CDK resources
- Using the Control Broker to detect non-compliant changes to deployed resources with AWS Config
- Using the Control Broker from a development machine to evaluate IaC against the organization's latest security policies as it is being written
Deploying Your Own Control Broker
Note: You can change the name of the secret that Control Broker uses by changing the value of the "control-broker/secret-config/secrets-manager-secret-id" context variable.-->Deploy the CDK app
Install the AWS CDK Toolkit v2 CLI tool.
If you encounter issues running the cdk commands below, check the version of
aws-cdk-lib from ./requirements.txt for the exact
version of the CDK library used in this repo. The latest v2 version of the CDK
Toolkit should be compatible, but try installing the CDK Toolkit version
matching requirements.txt before trying other things to resolve your issues.
Clone this repo to your machine before proceeding.
Follow the setup steps below to properly configure the environment and first deployment of the infrastructure.
To manually create a virtualenv on MacOS and Linux:
$ python3 -m venv .venv
After the init process completes and the virtualenv is created, you can use the following step to activate your virtualenv.
$ source .venv/bin/activate
If you are on a Windows platform, you would activate the virtualenv like this:
% .venv\Scripts\activate.bat
Once the virtualenv is activated, you can install the required dependencies.
$ pip install -r requirements.txt
Bootstrap the cdk app:
cdk bootstrap
At this point you can deploy the CDK app for this blueprint:
$ cdk deploy
After running cdk deploy, the Control Broker will be set up.
Next Steps
Try launching one of the Example use cases!
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file control-broker-0.12.3.tar.gz.
File metadata
- Download URL: control-broker-0.12.3.tar.gz
- Upload date:
- Size: 61.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.10.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | bf6d9a1646187c50e5fc44b870d8fb336db1bb9529d1e34ba68f21d497a3ff6e |
|
| MD5 | 8376f544d3f3413928f8452c053e3bf7 |
|
| BLAKE2b-256 | 072ced220ae093ae33952edf0017686a9019865b93566eb7aabae4041943358f |
File details
Details for the file control_broker-0.12.3-py3-none-any.whl.
File metadata
- Download URL: control_broker-0.12.3-py3-none-any.whl
- Upload date:
- Size: 59.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.10.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | a6533083f12aee4dea9c4b71bbf5c8768ecf998993675a85ac70226092c1a442 |
|
| MD5 | 71e1076b88152252cc4ec4cfe28a935b |
|
| BLAKE2b-256 | a551a291ffdf40795924d7b03a0bf45ee83eaced3bbe78c6d13b1105e6700c59 |
