Enforce compliance and vulnerability policies in VMware Tanzu Guardrails for virtual machines on cloud accounts

As a Cloud Operations administrator, you must create and apply a VMware recommended compliance policy and a vulnerability policy and enforce them on your cloud accounts in Tanzu Hub.

To enforce the compliance policy and the vulnerability policy for virtual machines on your Amazon AWS account or Microsoft Azure subscription, you first create a target, such as an Amazon AWS account or a Microsoft Azure subscription. Then you run the compliance policy and the vulnerability policy on the target account or subscription in enforce mode.

To enforce the policies, you will run these desired state templates for VMware Aria Automation for Secure Hosts:

  • Compliance and Vulnerability enforcement
  • CIS compliance and vulnerability enforcement for AWS Account
  • CIS compliance enforcement for AWS Account
  • CIS compliance and vulnerability enforcement for Azure Subscription
  • CIS compliance enforcement for Azure Subscription

Before you begin

Before you run the desired state templates in enforcement mode, you must:

  • Have the correct org permissions.
  • Not have a project associated with the desired state templates.
  • Have elevated privileges on the provider account. For more information, refer to the appropriate topic for your provider in: Setting up data connections in VMware Tanzu Hub.

You do not need to provide any additional credentials to run the VMware Aria Automation for Secure Hosts desired state templates.

What you will do

This process shows you how to enforce the compliance policy and the vulnerability policy on your Amazon AWS instances. The process is similar for applying the policies on your Microsoft Azure subscriptions.

You will:

  • Create a target in the VMware Aria Automation for Secure Hosts environment based on the AWS Account ID or the Azure Subscription ID grains.
  • Enforce the compliance policy on the target by running the desired state template and selecting Enforce mode.
  • Enforce the vulnerability policy on the target by running the desired state template and selecting Enforce mode.

Create a target

Create a target where the Salt minion gets installed. For example, the target can be a virtual machine on an Amazon AWS account or a Microsoft Azure subscription.

Enforce the compliance policy

To enforce the compliance policy on your AWS account or Azure subscription, use the following desired state template SLS code.

Create Compliance Policy on target:
  saltstack.compliance_policy.present:
  - name: <Name of policy>
  - tgt_name: <Name of target>
  - remediate: {{ remediate }}
  - benchmark_names:
    - "CIS CentOS Linux 6 Benchmark v2.1.0"
    - "CIS CentOS Linux 7 Benchmark v2.2.0"
    - "CIS Debian Linux 9 Benchmark v1.0.0"
    - "CIS Docker 1.13.0 Benchmark v1.0.0"
    - "CIS_Microsoft_Windows_10_Enterprise_Release_1703_Benchmark_v1.3.0-1"
    - "CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.3.0"
    - "CIS Microsoft Windows Server 2016 Benchmark v1.4.0"
    - "CIS Microsoft Windows Server 2016 RTM Release 1607 Benchmark v1.1.0"
    - "CIS Microsoft Windows Server 2019 RTM Release 1809 Benchmark v1.0.0"
    - "CIS Oracle Linux 7 Benchmark v2.1.0"
    - "CIS Red Hat Enterprise Linux 6 Benchmark v2.1.0"
    - "CIS Red Hat Enterprise Linux 7 Benchmark v3.1.1"
    - "CIS Red Hat Enterprise Linux 7 Benchmark v2.2.0"
    - "CIS Red Hat Enterprise Linux 8 Benchmark v2.0.0"
    - "CIS Red Hat Enterprise Linux 8 Benchmark v1.0.0"
    - "CIS SUSE Linux Enterprise 12 Benchmark v2.1.0"
    - "CIS SUSE Linux Enterprise 15 Benchmark v1.0.0"
    - "CIS Ubuntu Linux 14.04 LTS Benchmark v2.1.0"
    - "CIS Ubuntu Linux 16.04 LTS Benchmark v1.1.0"
    - "CIS Ubuntu Linux 18.04 LTS Benchmark v1.0.0"

Enforce the vulnerability policy

To enforce the vulnerability policy on your AWS account or Azure subscription, use the following desired state template SLS code:

Create Vulnerability Policy on target:
  saltstack.vulnerability_policy.present:
  - name: <Name of policy>
  - tgt_name: <Name of target>
  - remediate: {{ remediate }}

For AWS and Azure: Install the Salt minion

You will enforce the Salt minion policy that installs the Salt minion on existing AWS EC2 instances or Azure VMs.

You must install the Salt minion on:

  • All AWS EC2 instances inside the region of your AWS account.
  • All virtual machines inside a region of your Azure subscription.

When you install the Salt minion, you will run a desired state template.

  • For AWS EC2 instances, the policy is Install or verify VMware Aria Automation for Secure Host minion on AWS EC2 instance.
  • For Azure subscriptions, the policy is Install or verify VMware Aria Automation for Secure Host minion on Azure Virtual Machine.

The desired state template provides the following actions for the Salt minion installation:

  • For AWS: Attaches the IAM instance profile to the AWS EC2 instance.
  • Installs the Salt minion in the AWS EC2 instance or the Azure subscription.
  • Starts the Salt minion service.
  • Exposes the cloud metadata server grains.
  • Auto accepts the Salt minion on the Salt master.

Note: The Salt minion installation is only supported on the Linux operating system. For a list of supported operating systems, refer to https://docs.saltproject.io/salt/install-guide/en/latest/topics/salt-supported-operating-systems.html.

You must have the following minimum permissions for AWS and Azure.

Provider: Amazon AWS
  Read-only / Monitor mode:
    • "ec2:DescribeIamInstanceProfileAssociations"
    • "iam:GetRole"
    • "iam:GetInstanceProfile"
    • "iam:ListAttachedRolePolicies"
    • "ssm:ListCommandInvocations"
  Elevated / Enforcement mode:
    • "ec2:AssociateIamInstanceProfile"
    • "ec2:DescribeIamInstanceProfileAssociations"
    • "ec2:ReplaceIamInstanceProfileAssociation"
    • "iam:AddRoleToInstanceProfile"
    • "iam:AttachRolePolicy"
    • "iam:CreateInstanceProfile"
    • "iam:CreateRole"
    • "iam:GetRole"
    • "iam:GetInstanceProfile"
    • "iam:ListAttachedRolePolicies"
    • "iam:PassRole"
    • "ssm:ListCommandInvocations"
    • "ssm:SendCommand"

Provider: Microsoft Azure
  Read-only / Monitor mode: For the minimum permissions required, refer to Access permissions for Microsoft Azure desired state templates in VMware Tanzu Guardrails. No additional permissions are required.
  Elevated / Enforcement mode:
    • "Microsoft.Compute/virtualMachines/runCommand/action"
    • "Microsoft.Authorization/policyAssignments/write"
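As an added least-privilege check that is not part of this page or the product, the following Python compares the Allow actions in an IAM policy document against the AWS minimum sets from the table above. It reports whether the policy covers monitor mode and enforcement mode, which enforcement actions are missing, and which patterns (for example wildcards) grant more than the minimum. It inspects Action only, not Resource or Condition; the sample policies are constructed for the example.

```python
import fnmatch
import json

# Minimum IAM actions from the permissions table above. Constructed example
# check, not VMware's own code; wildcards in a policy are matched IAM-style.
MONITOR_ACTIONS = {
    "ec2:DescribeIamInstanceProfileAssociations", "iam:GetRole",
    "iam:GetInstanceProfile", "iam:ListAttachedRolePolicies",
    "ssm:ListCommandInvocations",
}
ENFORCE_ACTIONS = MONITOR_ACTIONS | {
    "ec2:AssociateIamInstanceProfile", "ec2:ReplaceIamInstanceProfileAssociation",
    "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy",
    "iam:CreateInstanceProfile", "iam:CreateRole", "iam:PassRole",
    "ssm:SendCommand",
}
_ENFORCE_LOWER = {a.lower() for a in ENFORCE_ACTIONS}


def allowed_patterns(policy):
    """Collect Action patterns from the policy's Allow statements."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never add permissions
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns


def check_policy(policy):
    """Report which Guardrails mode the policy covers and how broad it is."""
    patterns = allowed_patterns(policy)

    def granted(action):
        # IAM action names are case-insensitive and patterns may use * and ?
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

    missing = sorted(a for a in ENFORCE_ACTIONS if not granted(a))
    # Any pattern that is not itself a required action grants more than needed
    broad = sorted(p for p in patterns if p.lower() not in _ENFORCE_LOWER)
    return {
        "monitor_ok": all(granted(a) for a in MONITOR_ACTIONS),
        "enforce_ok": not missing,
        "missing_for_enforce": missing,
        "beyond_minimum": broad,
    }
```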

Before you install the Salt minion:

  • Verify that a Salt master is available in the AWS region in the relevant AWS account, or in the region of your Azure subscription.
  • Verify that the metadata server grains are exposed on the Salt master so that the installation can identify a suitable Salt master for the newly installed minion to connect to. Refer to https://docs.saltproject.io/en/master/ref/grains/all/salt.grains.metadata_azure.html.
  • For AWS: Verify that your AWS EC2 instance has the ssm-agent installed and running.
  • For Azure: Verify that your Azure VM has the virtual machine (VM) agent installed and running.
  • For both AWS and Azure: Be aware that the maximum number of instances or VMs that get fetched from the Tanzu Hub inventory is 1000. This limit also applies to the number of minion installations.
  • Be aware of the following limitations:
    • Only Linux VMs are supported.
    • The supported Linux operating systems include:
      • Ubuntu 22.04 LTS
      • Red Hat Enterprise Linux 9
      • Amazon Linux 2023
    • If a Run command is already in progress, the minion installation might sometimes fail.
    • If a VM already includes a Salt master, the minion gets installed successfully, even if a minion was already present on the VM.
    • An Azure VM takes a minimum of 20 seconds to get submitted. Then, after 2 to 5 minutes, the minion becomes visible in the list of accepted keys.

The Salt minion installation involves several files for both AWS instances and Azure subscriptions.

  • The metadata server grains are exposed in the configuration file /etc/salt/minion.d/guardrails.conf, and the file is remediated if it is tampered with.
  • The Salt master IP host is configured in the file /etc/salt/minion.d/99-master-address.conf, and the file is remediated if it is tampered with.
  • The Salt minion ID is configured in the file /etc/salt/minion_id, and the file is remediated if it is tampered with.
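As an added example of verifying those three files for drift, not code from this page or the product, the following Python reads each file, compares it with the expected values, and reports any file that is missing or changed. The expected values are constructed for the example, and metadata_server_grains is assumed to be the Salt minion option used in guardrails.conf to expose the cloud metadata grains.

```python
import tempfile
from pathlib import Path

# Expected contents of the three files the policy manages. Values are constructed
# for this example; metadata_server_grains is assumed to be the Salt minion
# option that exposes the cloud metadata grains.
EXPECTED = {
    "minion.d/guardrails.conf": {"metadata_server_grains": "True"},
    "minion.d/99-master-address.conf": {"master": "10.0.0.5"},
    "minion_id": {"id": "i-0123456789abcdef0"},
}

def parse_kv(text):
    """Parse flat 'key: value' lines, ignoring comments (enough for minion.d)."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            result[key.strip()] = value.strip()
    return result

def check_minion_files(base_dir, expected=EXPECTED):
    """Return (file, problem) findings; an empty list means no drift."""
    findings = []
    for rel, want in expected.items():
        path = Path(base_dir, rel)
        if not path.exists():
            findings.append((rel, "missing"))
            continue
        text = path.read_text()
        # minion_id holds a bare ID rather than key: value lines
        got = {"id": text.strip()} if rel == "minion_id" else parse_kv(text)
        for key, value in want.items():
            if got.get(key) != value:
                findings.append((rel, f"{key}={got.get(key)!r}, expected {value!r}"))
    return findings

def demo():
    """A clean install passes; a changed master address is then reported."""
    samples = {"minion.d/guardrails.conf": "metadata_server_grains: True\n",
               "minion.d/99-master-address.conf": "master: 10.0.0.5\n",
               "minion_id": "i-0123456789abcdef0\n"}
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "minion.d").mkdir()
        for rel, text in samples.items():
            Path(tmp, rel).write_text(text)
        clean = check_minion_files(tmp)
        # Simulate tampering: point the minion at a different master
        Path(tmp, "minion.d/99-master-address.conf").write_text("master: 203.0.113.9\n")
        return clean, check_minion_files(tmp)
```

On a real host, call check_minion_files("/etc/salt") and treat any finding as a signal to re-run the desired state template.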

To install the Salt minion, the policy performs the following steps:

  1. For AWS:
    1. Create an IAM role that is required to create an IAM instance profile.
    2. Attach the SSM policy to the IAM role. The policy named AmazonSSMManagedInstanceCore gets attached to the IAM instance profile so that it can get the SSM permissions on the AWS EC2 instance.
    3. Create an IAM instance profile from the IAM role. The IAM instance profile:
      • Gets created from the IAM role that you created.
      • Gets attached to the AWS EC2 instance so that it can provide AWS SSM the permission it needs to run the scripts inside the AWS EC2 instance.
  2. For Azure:
    1. Add an admin subscription.
    2. Add a resource group.
    3. Add the elevated access permission named "Microsoft.Compute/virtualMachines/runCommand/action" to the Azure application. This credential is used at the time of account onboarding.
  3. Get the AWS EC2 instances or the Azure subscriptions from the Tanzu Hub inventory.
    • The installation fetches a maximum of 1000 AWS EC2 instances or Azure subscriptions from the inventory.
    • The SLS file provides a query filter that uses the Tanzu Hub search query as input and fetches a list of instances.
    • For more information about the search query, go to Graph database search query construction in VMware Tanzu Hub.
  4. Get a Salt master from VMware Aria Automation for Secure Hosts.
    • The metadata server grains must be exposed in the Salt master.
    • The API for VMware Aria Automation for Secure Hosts gets the list of connected Salt masters and filters the list based on the account ID and the region that you provide. The provider, either AWS or Azure, is passed in the API request.
    • If no provider is specified, the default provider is AWS.
  5. Get a UUID that allows the installation to automatically accept minions on the Salt master.
  6. Install the Salt minion on the AWS EC2 instance or the Azure subscription.
    • Be aware that the Salt minion installation uses the inputs of:
      • The AWS EC2 instance IDs or the Azure subscription IDs from the Tanzu Hub inventory.
      • The private IP of the Salt master from VMware Aria Automation for Secure Hosts.
      • The auto-accept UUID that gets generated and set on the Salt master.
      • The name of the newly created IAM instance profile.
    • For AWS: This step attaches the AWS instance profile to all AWS EC2 instances and installs minions on them with the help of AWS SSM.
    • For Azure: This step uses the Azure Run command and the Azure-provided REST interface script, which is executed and results in the minion installation.
