As a Cloud Service Operations administrator, you must ensure that vRealize Automation Cloud Guardrails integrates with various products. Cloud Guardrails aggregates the state of your infrastructure, the guardrails definitions, and the policies assigned as code to the resources in your environment. It runs the code by using the policy engines in native public clouds, SaltStack SecOps, CloudHealth Secure State, and more.

To manage your AWS environment so that it complies with your policies, you must perform several actions. For example, the integrations with AWS require that you consider the baseline guardrail requirements for preventative policies in AWS organizational units (OUs).

Important: Before you can use the Cloud Guardrails baseline security guardrail template with AWS, you must ensure that AWS machine images (AMIs) have minions embedded in them. If they don't, you must add them manually.

For example, the cloud security preventative policy for a baseline cloud guardrail must provide the following requirements for each AWS OU.

Table 1. Preventative policy baseline guardrail recommendations for AWS OUs
Policy recommendations for AWS OUs What the policy enforces
Tags A set of tags that indicate the purpose of the OU, and that Cloud Guardrails is managing the OU, with any additional metadata required.
CloudTrail and AWS Config CloudTrail and AWS Config must be enabled in the AWS OUs by default, and not be editable. Logs must get forwarded to a log parser or S3 bucket that is not publicly accessible, such as an S3 bucket that a security team in a security OU owns.
Backup policy A backup policy must be defined and enforced.
Clear service control policy (SCP) The AWS OU can define a clear service control policy (SCP), with allow or deny, that specifies the exact services and actions that are allowed in the OU. This policy could be manually defined or driven by a predefined mapping of the purpose tag to an SCP.
Multi-factor authentication Must require multi-factor authentication for users.
Full admin IAM account Must create a full admin IAM account that is available only by using a just-in-time (JIT) mechanism.
No root access Must have root access disabled.
Alerts Must have alerts configured to monitor access to the full admin account or root account, and have thorough logging enforced on those accounts.
Preset list of approved IAM roles Must have a preset list of approved IAM roles that can be assigned to users with logging enforced.
Security policies enforced Must enforce known security policies such as all security groups block ingress from to port 22 and 3389.
Default security group to a VPC Must have a default security group to a VPC that restricts all traffic.


What to do next

Manage user access and begin using Cloud Guardrails.