
Updated: Aug 20, 2025

IaC Posture Across AWS Accounts in a Single Holistic View

As part of the main dashboard view in the ControlMonkey platform, our users gain visibility into several metrics of interest that provide an overview of the AWS account’s status in terms of IaC coverage, Unmanaged Resources, Terraform Drifts, and Console Operations (ClickOps).

About IaC Posture Dashboard

These metrics help our customers understand the level of control they have over their cloud accounts and point out the gaps that require resolution.
For example, Console Operations are a source for Terraform drifts that can potentially cause misconfigurations.

However, our large customers who hold dozens of AWS accounts requested a holistic view that would help them oversee the bigger picture of their organization. Rather than toggling between accounts to check each environment’s status, they wanted a 30,000-foot view of all their accounts in one dashboard.

So today we are pleased to announce the latest enhancement to our Cloud Inventory dashboard, Organization View.

Organization View: IaC Posture Dashboard

The Dashboard Organization View is a cross-organization visualization of all your AWS accounts, with the option to drill down into any specific account at the click of a button.
This dashboard provides DevOps with a clear and general view of all their AWS accounts so they can understand the gaps and level of control they have over their cloud.

Do you have dozens of accounts and are interested in learning how ControlMonkey helps you manage them more efficiently?
Our team is waiting to speak with you!


    Updated: Aug 20, 2025

    Managed Cost Policies

    We are proud to announce the release of our latest enhancement to the ControlMonkey Terraform CI/CD solution, Managed Cost Policies.

    Our Terraform CI/CD solution enables DevOps to set proactive Control Policies on any new pull request.
    Up until today, ControlMonkey users easily created proactive cost policies that enforced their organization’s budget control on new deployments, and now with this release, these policies are available out of the box.

    ControlMonkey’s managed cost policies are predefined policies, which are managed and maintained by ControlMonkey.
    Rather than writing and maintaining common cost policies from scratch (with OPA or any equivalent language), we are now offering proactive cost policies to enforce the stack’s budget during the CI/CD.

    Additionally, DevOps teams can choose on which namespaces or stacks these policies will be enforced, and also the enforcement level (warning or block).
    So if you need to separate and divide your policy enforcement across environments, you now have the deeper level of granularity to do so.

    The advantages of the ControlMonkey Managed Cost Policies:

    • You get a library of pre-defined cost policies to select from, straight out of the box.
    • Save time on writing, managing, and maintaining these policies; ControlMonkey does all the heavy lifting for you.
    • By shifting left your FinOps, you are:
      • Preventing budget deviations before they reach production
      • Educating the DevOps team on the organization’s FinOps standards

    This feature came as a request we got from a few of our customers, so we are glad to see this come to life.
    We are proud to collaborate with our customers on designing and building the ControlMonkey platform.

    Want to Shift Left your FinOps efforts and always remain cost-efficient?
    Our team is waiting to chat with you!


      Updated: Aug 20, 2025

      Import Code Pipeline to Terraform

      Today ControlMonkey is pleased to announce that we have reinforced our Terraform Import Engine with the ability to import AWS CodePipeline resources to Terraform.

      AWS CodePipeline is a continuous integration and continuous delivery (CI/CD) service provided by Amazon Web Services (AWS). It automates the build, test, and deployment phases of your release process for software applications.

      AWS CodePipeline is commonly used to automate the software release process, ensuring that code changes are tested and deployed quickly and consistently, thus reducing manual errors and speeding up the delivery of features to end-users. It promotes best practices such as infrastructure as code, version control, and automated testing.

      ControlMonkey now supports one-click Terraform Import of the following Code Pipeline resources:

      • Pipeline (aws_codepipeline)
      • Custom Action Type (aws_codepipeline_custom_action_type)
      • Webhook (aws_codepipeline_webhook)


      Managing AWS CodePipeline with Terraform offers several benefits:

      1. Infrastructure as Code (IaC): Terraform allows you to define your CodePipeline configuration in code, which can be version-controlled, reviewed, and managed just like your application code.
        This enables you to maintain consistency and reproducibility in your pipeline configurations.
      2. Consistency: With Terraform, you can ensure that your CodePipeline setups are consistent across different environments (e.g., development, staging, production) by using the same Terraform configuration with appropriate variables for each environment.
      3. Versioning and Rollbacks: Since Terraform configurations are version-controlled, you can track changes made to your CodePipeline setups over time and easily roll back to previous versions if needed. This helps in maintaining a history of changes and troubleshooting any issues that may arise.

      Do you have Code Pipeline resources that you would like to shift to Terraform?
      Feel free to book an intro meeting with us to learn more!


        Updated: Aug 20, 2025

        Import Network Firewall to Terraform

        Today ControlMonkey is pleased to announce that we have reinforced our Terraform Import Engine with the ability to Import Network Firewall resources to Terraform.

        AWS Network Firewalls are leveraged in order to prevent malicious attacks on the application by defining multiple allow/deny rules on the networking layer.

        However, in large-scale cloud environments with a lot of moving parts, the chance of mistakes and misconfigurations rises.
        For example, blocking legitimate connections to your VPC can cause downtime for your application’s users, while misconfigured firewall rules can expose your application to malicious attacks.
        On top of that, you would also want to track all the changes made to your Firewall rules and have the ability to roll back at any given moment to the previous state.

        Therefore, managing your Network Firewall configuration with Terraform is highly important and is considered the ideal solution for scale.
        But what if you already have a running firewall that you spun up manually from the AWS console?
        How do you import that to Terraform?

        Luckily, ControlMonkey now supports one-click Terraform Import of the following Network Firewall resources:

        • Network Firewall (aws_networkfirewall_firewall)
        • Network Firewall Policy (aws_networkfirewall_firewall_policy)
        • Network Rule Group (aws_networkfirewall_rule_group)

        ControlMonkey automatically generates the Terraform code + the Terraform state file so you can shift your Network Firewall management from ClickOps to GitOps in a few minutes with absolutely zero effort.

        Managing AWS network firewalls with Terraform code offers several advantages:

        1. Infrastructure as Code (IaC): Terraform allows you to define your AWS network firewall configurations as code, making it easier to manage, version control, and replicate across different environments (such as development, staging, and production). This approach enhances consistency and reduces the risk of configuration drift.
        2. Automation: Terraform enables you to automate the provisioning, configuration, and management of AWS network firewalls. This automation can save time and reduce the potential for human error that may occur with manual configuration changes.
        3. Scalability: With Terraform, you can easily scale your AWS network firewall configurations up or down based on changing requirements. You can dynamically adjust rules, add new firewall instances, or modify existing configurations as needed, without the need for manual intervention.
        4. Visibility and Auditability: Using Terraform, you can maintain a clear and documented history of changes to your AWS network firewall configurations. This enhances visibility into your infrastructure and facilitates auditing and compliance efforts.
        5. Collaboration: Terraform code can be easily shared and collaborated on by teams of developers and operations engineers. This collaborative approach promotes knowledge sharing, improves communication, and fosters best practices in managing AWS network firewalls.
        6. Integration with CI/CD Pipelines: Terraform can be integrated into your continuous integration and continuous delivery (CI/CD) pipelines, allowing you to automate the deployment of changes to your AWS network firewall configurations as part of your software delivery process. This helps streamline the development lifecycle and ensures that infrastructure changes are tested and deployed consistently.

        Overall, managing AWS network firewalls with Terraform code provides greater control, automation, scalability, and visibility, leading to more efficient and reliable infrastructure management in the cloud.

        Want to learn more? Feel free to book an intro meeting with us.


          Updated: Aug 24, 2025

          One-click Terraform Drift Remediation

          Tal Sten, Head of Sales

          Terraform Drifts occur whenever there is a discrepancy between your desired configuration state (The Terraform Code) and your actual configuration state (Running configuration of the resource).  

          These drifts pose a security, compliance, and cost risk to your environment.

          Just a few weeks ago we announced our Drift Source capability that helps to investigate who created the drift, but the main challenge we heard from our customers is the time it takes to actually remediate the drift.
          They asked us if we could automate the entire Drift remediation process, and that is exactly what we did.

          Starting today, we are enhancing our Drift Center’s capabilities and providing our users with the ability to remediate Terraform Drifts with One-click Drift Remediation.

          This means that you can seamlessly resolve Terraform Drifts, directly from the ControlMonkey dashboard, saving your DevOps time and preventing unnecessary risks to your production environment. 

          ControlMonkey offers two methods to remediate Terraform Drifts: 

          Remediate with ‘Align Code’

          In cases where you are certain that the running configuration is the right one, you can use this remediation action to align your Terraform code to what’s running in production.
          Yes, that’s right, ControlMonkey is going to alter your existing code to match the resources’ actual state.
          When you resolve the drift with the ‘Align Code’ option, ControlMonkey creates a new PR (Pull request) in your Git repository and provides a fix to your Terraform Code which is 100% validated.

          ControlMonkey opens a new branch in your Git repository, and whenever the PR is ready, you get a 1-click link to view the new PR.
          ControlMonkey also supports fixing the code when you’re using Terraform Modules. Say there’s a drift due to a variable in a module: ControlMonkey will sort it out by fixing the value of the variable that’s sent to the module.


          As part of our Terraform CI/CD pipeline, whenever a new PR is created, we automatically start a ‘Terraform Plan’ on the branch of the stack. After the Terraform Plan is completed and the drift is resolved, you can then merge the PR to your main branch.

          Remediate with ‘Reconcile’

          In cases where you are certain that the Terraform code is the right configuration, you can use this remediation action which performs a ‘Terraform apply’.
          When you resolve the drift with reconcile, ControlMonkey updates the resources’ configuration in production and overrides the running configuration to what’s configured in the code. 

          To summarize, ControlMonkey Drift Center is now the one-stop-shop to detect, investigate, and seamlessly remediate Terraform drifts. 


            Updated: Aug 20, 2025

            Import WAFV2 to Terraform

            Today ControlMonkey is pleased to announce that we have reinforced our Terraform Import Engine with the ability to Import WAFV2 resources to Terraform.

            AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to various AWS services and also lets you control access to your content.

            Managing WAFV2 in a manual ClickOps methodology and not through Terraform Code increases the risk of misconfigurations which may lead to security incidents.

            With ControlMonkey, DevOps can easily import and manage their WAFV2:

            • aws_wafv2_ip_set
            • aws_wafv2_regex_pattern_set
            • aws_wafv2_rule_group
            • aws_wafv2_web_acl

            Manage your WAF with Terraform and benefit from:

            1. Modular Deployment: Terraform allows for the creation and management of AWS WAF configurations in a modular and reproducible manner, making it easier to deploy and manage security policies across different projects.
            2. Code Reusability: Using Terraform, you can define WAF configurations as code, making it possible to reuse these configurations in multiple projects. This is particularly useful when dealing with both global and regional WAF instances, allowing for efficient code reuse and consistency.
            3. Improved Visibility and Monitoring: Terraform enables the definition of CloudWatch metrics and sampled requests for better visibility into web traffic inspection. This allows for improved monitoring and analysis of the effectiveness of WAF rules.
            4. Flexibility in Scope Definition: Terraform provides flexibility in defining the scope of WAF configurations, such as specifying whether it is for CloudFront (global) or regional resources (e.g., API Gateway). This flexibility ensures that WAF configurations align with the specific needs and architecture of different services.

            Want to learn more? Feel free to book an intro meeting with us.


              Updated: Aug 20, 2025

              Terraform Modules Explorer

              Test User, CTO & Co-Founder

              Terraform Modules dramatically reduce the amount of code you have to write for similar infrastructure resources and are considered the most efficient way to replicate services across your AWS account.

              However, DevOps teams leveraging Terraform modules have no visibility into which Terraform Modules are being used, whether their source is a registry or a local Git repository, where they are used in the code, and whether or not they are running on the latest version.

              A crucial part of staying on top of your Terraform Operations is having that visibility, so today we are proud to announce the latest enhancement to our Cloud Inventory solution, Terraform Modules Explorer.

              ControlMonkey scans your entire Terraform repositories for Terraform Modules and provides a dashboard view where you can investigate your Terraform Modules SBOM (Software bill of materials), and understand exactly:

              • What Terraform Modules are being used by you.
              • The source of the modules – Registry or a local Git directory.
              • How many times they are being used and where exactly they are used in the code.
              • The version constraint you’ve set and whether or not you use an outdated version.
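A minimal version of the module inventory described in the list above, as an added example (not ControlMonkey's code): it scans Terraform text for `module` blocks and reports each module's source kind, version constraint and locations. The repository contents, the `acme/vpc/aws` module and the `pin` labels are constructed for illustration; checking for an outdated version needs a registry lookup and is left out.

```python
import re

MODULE_RE = re.compile(r'^[ \t]*module[ \t]+"([^"]+)"[ \t]*\{', re.M)
ATTR_RE = re.compile(r'^[ \t]*(source|version)[ \t]*=[ \t]*"([^"]*)"', re.M)
# <NAMESPACE>/<NAME>/<PROVIDER>, optionally prefixed by a registry hostname.
REGISTRY_RE = re.compile(r'^(?:[\w.-]+/)?[\w-]+/[\w-]+/[\w-]+(?://.*)?$')
EXACT_RE = re.compile(r'^=?\s*\d+\.\d+\.\d+$')

# Constructed sample repository: path -> file content.
SAMPLE_REPO = {
    "network/main.tf": '''
module "vpc" {
  source  = "acme/vpc/aws"
  version = "5.1.2"
  name    = "prod"
}

module "subnets" {
  source = "../modules/subnets"
}
''',
    "app/main.tf": '''
module "vpc" {
  source = "acme/vpc/aws"
  tags   = { env = "dev" }
}

module "queue" {
  source = "git::https://example.com/infra/queue.git"
}
''',
}


def block_body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}' (naive: ignores braces in strings)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]


def classify_source(src):
    if src.startswith(("./", "../")):
        return "local"
    if src.startswith(("git::", "git@", "github.com/", "bitbucket.org/")):
        return "git"
    return "registry" if REGISTRY_RE.match(src) else "other"


def pin_status(kind, src, version):
    """How tightly the module version is fixed (labels are this example's own)."""
    if kind == "local":
        return "in-repo"
    if kind == "registry":
        if version is None:
            return "unpinned"
        return "exact" if EXACT_RE.match(version.strip()) else "range"
    if kind == "git":
        return "ref" if "ref=" in src else "unpinned"
    return "unknown"


def scan_repo(files):
    """One record per module call, sorted by file and line."""
    usages = []
    for path, text in files.items():
        for m in MODULE_RE.finditer(text):
            attrs = dict(ATTR_RE.findall(block_body(text, m.end() - 1)))
            src, ver = attrs.get("source", ""), attrs.get("version")
            kind = classify_source(src)
            usages.append({"file": path, "line": text.count("\n", 0, m.start()) + 1,
                           "name": m.group(1), "source": src, "version": ver,
                           "kind": kind, "pin": pin_status(kind, src, ver)})
    return sorted(usages, key=lambda u: (u["file"], u["line"]))


def inventory(usages):
    """Group usages by source: kind, use count, locations, pin states seen."""
    inv = {}
    for u in usages:
        entry = inv.setdefault(u["source"], {"kind": u["kind"], "count": 0,
                                             "locations": [], "pins": set()})
        entry["count"] += 1
        entry["locations"].append(f'{u["file"]}:{u["line"]}')
        entry["pins"].add(u["pin"])
    return {s: {**e, "pins": sorted(e["pins"])} for s, e in inv.items()}
```

The same registry module showing up with both `exact` and `unpinned` states is the kind of inconsistency such an inventory is meant to surface.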


              Besides providing a holistic view of Terraform Modules, ControlMonkey also enables you to drill down on any Terraform Module to see exactly where it resides in the code and provides a 1-click link to the specific line in your Git repository.
              Consider the time you could save in identifying all usages of a module when planning an upgrade.
              Moreover, you also gain visibility into which Constraint Version is being used and whether or not it’s outdated.

              In some cases, multiple Terraform Modules are used in the same piece of code (main module and sub-modules), so ControlMonkey also provides a view of the full module path.

              With Terraform Modules Explorer you can also export the Terraform Modules SBOM in cases of compliance audits or security questionnaires where you need to provide this information to a security officer or auditor.

              To summarize, Terraform Modules Explorer solves the challenge of staying on top of your Terraform Modules, makes module upgrades much easier, and provides DevOps teams with full visibility into what was once unknown or unclear.


                Updated: Aug 20, 2025

                Allowed AWS Console Operations

                Last month we released the feature ‘Console Operations Notifications’, which notifies ControlMonkey users whenever someone performs operations from the AWS console.

                The feedback we got from our customers was outstanding, but some of them also indicated that there are certain actions that they allow their teams to perform in the AWS console, so they wanted to have a mechanism to allow-list those actions that are permitted in their organization.

                So to support this request we have developed a new capability, ‘Allowed Console Operations’.

                ‘Allowed Console Operations’ enables ControlMonkey users to define rules for specific actions that are permitted to be performed in the AWS console. 
                For example: Updating Lambda function code from the AWS console.

                This feature’s granularity allows ControlMonkey users to apply the rule to a specific account, region, resource name, or resource type. 

                To make things easier, we have also added the option to create an allowed console operation rule directly from a console operations event in our cloud events dashboard, in 2 clicks. 

                While our vision is to enable our customers to minimize their ClickOps in the AWS console, this capability adds an extra layer of customization that lets them reduce both unnecessary ClickOps and the notifications for permitted actions.
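How an allow-list scoped by account, region, resource name and resource type can be evaluated against console activity, as an added example (not ControlMonkey's implementation). The rule schema is hypothetical, the CloudTrail-style events are constructed, and treating `sessionCredentialFromConsole` as the console marker is this example's assumption.

```python
import re
from fnmatch import fnmatchcase

# Hypothetical allow-rule schema: every key is a glob pattern, and a key that
# is left out matches anything. Narrow rules keep the allow-list from hiding
# unrelated console changes.
ALLOW_RULES = [
    {"event_name": "UpdateFunctionCode*", "resource_type": "AWS::Lambda::Function",
     "resource_name": "thumbnail-*", "account": "111111111111", "region": "eu-west-1"},
]

_FN = [{"type": "AWS::Lambda::Function",
        "ARN": "arn:aws:lambda:eu-west-1:111111111111:function:thumbnail-resize"}]

# Constructed CloudTrail-style events, trimmed to the fields used below.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "UpdateFunctionCode20150331v2", "awsRegion": "eu-west-1",
     "recipientAccountId": "111111111111", "readOnly": False,
     "sessionCredentialFromConsole": "true", "resources": _FN},
    {"eventID": "e2", "eventName": "UpdateFunctionCode20150331v2", "awsRegion": "eu-west-1",
     "recipientAccountId": "222222222222", "readOnly": False,
     "sessionCredentialFromConsole": "true", "resources": _FN},
    {"eventID": "e3", "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "recipientAccountId": "111111111111", "readOnly": False,
     "sessionCredentialFromConsole": "true"},
    # Same write, but made with API credentials rather than a console session.
    {"eventID": "e4", "eventName": "UpdateFunctionCode20150331v2", "awsRegion": "eu-west-1",
     "recipientAccountId": "111111111111", "readOnly": False, "resources": _FN},
    # Console session, but read-only: nothing was changed.
    {"eventID": "e5", "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "recipientAccountId": "111111111111", "readOnly": True,
     "sessionCredentialFromConsole": "true"},
]


def is_console_write(ev):
    """True for mutating calls made from a console session."""
    return ev.get("sessionCredentialFromConsole") == "true" and not ev.get("readOnly", False)


def facts_for(ev, res):
    """Flatten one (event, resource) pair into the fields rules can match on."""
    arn = res.get("ARN", "")
    return {
        "event_name": ev.get("eventName", ""),
        "account": ev.get("recipientAccountId", ""),
        "region": ev.get("awsRegion", ""),
        "resource_type": res.get("type", ""),
        "resource_name": re.split(r"[:/]", arn)[-1],  # last ARN segment, "" if no ARN
    }


def rule_matches(rule, facts):
    # An empty rule would allow everything, so it is treated as matching nothing.
    return bool(rule) and all(fnmatchcase(facts[k], pat) for k, pat in rule.items())


def triage(events, rules):
    """Map eventID -> 'allowed' or 'alert' for every console write operation."""
    verdicts = {}
    for ev in events:
        if not is_console_write(ev):
            continue
        # Events without a resources list are judged on event-level fields only,
        # so a rule that names a resource type or name cannot match them.
        resources = ev.get("resources") or [{}]
        allowed = all(any(rule_matches(r, facts_for(ev, res)) for r in rules)
                      for res in resources)
        verdicts[ev["eventID"]] = "allowed" if allowed else "alert"
    return verdicts
```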


                  Updated: Aug 22, 2025

                  Proactive Compliance Packages for Terraform and OpenTofu

                  Zack Bentolila, Marketing Director

                  Today we are super excited to announce the latest capability we added to our Terraform CI/CD solution, which is an absolute game-changer for compliance enforcement, ‘Proactive Compliance Packages’.

                  Compliance Packages for Terraform & OpenTofu

                  ControlMonkey Terraform CI/CD solution enables DevOps teams to enforce compliance and security policies proactively during the infrastructure CI/CD, and therefore prevent issues and misconfigurations in production.

                  So starting today, we are offering our users the ability to enforce compliance standards such as PCI-DSS and CIS-AWS V1.4 on any Terraform pull request, and ControlMonkey will validate the resources’ configuration as part of the infrastructure CI/CD.


                  DevOps teams no longer need to manually configure policies that represent the compliance standard their organization is obligated to meet; they can enforce that standard on any configuration change, in a few clicks.

                  By doing that, you’re actually preventing any non-compliant resources from reaching your production environment!

                  Benefits of Compliance Packages for Terraform and OpenTofu

                  This capability enables DevOps teams to easily enforce the required compliance standard proactively, rather than responding to non-compliant resources in production and risking getting penalized for compliance violations.

                  Companies usually run compliance validations in a detective way, after the resources are deployed to production, using tools like AWS Security Hub.

                  ‘Proactive Compliance Packages’ are comprised of ControlMonkey’s Managed Policies, built-in policies that are managed and constantly maintained by our engineering team.

                  1 Click Compliance Packages

                  If you are required to be PCI-DSS compliant, you can validate every resource’s compliance proactively, out of the box, with zero effort.

                  On top of that, users have enhanced customization and can enforce compliance using various enforcement levels and apply them to specific stacks or namespaces.

                  Shift left your infrastructure compliance, keep your environment in ‘Always-Compliant’ mode, and avoid paying unnecessary penalties.


                  Zack is the Marketing Director at ControlMonkey, with a strong focus on DevOps and DevSecOps. He was the Senior Director of Partner Marketing and Field Marketing Manager at Checkmarx. There, he helped with global security projects. With over 10 years in marketing, Zack specializes in content strategy, technical messaging, and go-to-market alignment. He loves turning complex cloud and security ideas into clear, useful insights for engineering, DevOps, and security leaders.


                    Updated: Sep 04, 2025

                    Drift auto-sync

                    Zack Bentolila, Marketing Director

                    Today we are excited to announce the latest enhancement to ControlMonkey’s Drift Center, Drift auto-sync.

                    What is Drift auto-sync?

                    Our Drift Center helps DevOps teams identify and address discrepancies between the configuration specified in the Terraform, OpenTofu and Terragrunt code and the actual state of resources in the cloud environment.

                    Whenever a drift is detected and ‘Drift auto-sync’ is enabled, ControlMonkey will automatically trigger a deployment (reconciliation) to align the AWS resource (the “Actual State”) with the Terraform Code (the “Desired State”).

                    This feature is very similar to ArgoCD’s reconciliation capability.

                    The new capability is a checkbox that is part of the stack’s configuration. It is included in all levels of subscription.

                    Drift auto-sync supports 2 types of Terraform Drifts:

                    1. Drift that originated from a configuration change that was made from the AWS, GCP or Azure console rather than from Terraform Apply.
                    2. Drift that originated from a change to a Terraform Data Source.
                      e.g., an Auto Scaling group configuration fetches an image ID from a Data Source, and that image ID has changed since the last deployment, causing the Auto Scaling group to drift because it has the old image.
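The two drift types listed above, and the code-versus-running-configuration discrepancy described in the One-click Drift Remediation post, can be told apart in Terraform's JSON plan output. The following is an added example, not ControlMonkey's code: it reads the `resource_drift` and `resource_changes` sections of `terraform show -json` output. It assumes the Terraform code is unchanged since the last apply, so a planned change with no drift entry is attributed to a changed input such as a data source; the plan content and the `kind` labels are constructed.

```python
import json

# Constructed sample of `terraform show -json <planfile>` output, trimmed to the
# fields used below. Addresses, IDs and values are made up for illustration.
SAMPLE_PLAN = json.loads("""
{
  "resource_drift": [
    {"address": "aws_security_group.web",
     "change": {"actions": ["update"],
       "before": {"name": "web", "ingress": [{"cidr_blocks": ["10.0.0.0/16"], "from_port": 443}]},
       "after":  {"name": "web", "ingress": [{"cidr_blocks": ["0.0.0.0/0"], "from_port": 443}]}}}
  ],
  "resource_changes": [
    {"address": "aws_security_group.web",
     "change": {"actions": ["update"],
       "before": {"name": "web", "ingress": [{"cidr_blocks": ["0.0.0.0/0"], "from_port": 443}]},
       "after":  {"name": "web", "ingress": [{"cidr_blocks": ["10.0.0.0/16"], "from_port": 443}]}}},
    {"address": "aws_launch_template.app",
     "change": {"actions": ["update"],
       "before": {"name": "app", "image_id": "ami-EXAMPLE-OLD"},
       "after":  {"name": "app", "image_id": "ami-EXAMPLE-NEW"}}},
    {"address": "aws_s3_bucket.logs",
     "change": {"actions": ["no-op"],
       "before": {"bucket": "logs"}, "after": {"bucket": "logs"}}}
  ]
}
""")


def changed_keys(before, after):
    """Top-level attributes whose values differ; either side may be null."""
    before, after = before or {}, after or {}
    return sorted(k for k in before.keys() | after.keys()
                  if before.get(k) != after.get(k))


def classify_drift(plan):
    """Return one finding per drifted resource, sorted by address."""
    findings = {}
    # resource_drift: the real object no longer matches the last recorded state,
    # i.e. it was changed outside Terraform (for example from the console).
    for rc in plan.get("resource_drift", []):
        ch = rc["change"]
        findings[rc["address"]] = {
            "address": rc["address"],
            "kind": "out-of-band",
            "actions": ch["actions"],
            "attributes": changed_keys(ch.get("before"), ch.get("after")),
        }
    # A planned change with no drift entry: the resource itself was not touched,
    # but the desired state moved (for example a data source returned a new value).
    for rc in plan.get("resource_changes", []):
        ch = rc["change"]
        if ch["actions"] == ["no-op"] or rc["address"] in findings:
            continue
        findings[rc["address"]] = {
            "address": rc["address"],
            "kind": "desired-state",
            "actions": ch["actions"],
            "attributes": changed_keys(ch.get("before"), ch.get("after")),
        }
    return [findings[a] for a in sorted(findings)]
```

Listing the changed attributes per resource matters before any automatic reconcile: here the out-of-band change widened an ingress rule, which is worth investigating even after it is reverted.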

                    What next?

                    So if your stack is heavily dependent on data sources and you want to validate that you are always using the latest values, then the Drift auto-sync is the ideal solution. It will automatically reconcile the resource and save you the trouble of manually resolving the drift.
