Welcome to our deep dive into governance within the StackGen platform, where we’ll be focusing on three types of custom policies that can be integrated into governance configurations. Our discussion today is led by StackGen Staff Software Engineer Sean Gahagan, and covers custom security rules, IAM policies, and resource restrictions, culminating in how these policies can be used to assign governance configurations to teams and manage what users can create within their environments.
Custom Security Rules
Our journey begins with creating custom policies (also known as security rules) using StackGen. Custom policies extend StackGen’s built-in policies, allowing users to create, upload, and apply rules that match their specific security needs. Each custom policy governs AppStack components and carries a unique RuleID, which simplifies identification and versioning, along with other attributes; defining the resource types it applies to and a description is an important part of authoring one. These rules are then bundled and deployed in governance configurations that influence infrastructure creation, restricting what team members can build, and are easily managed within StackGen. At the heart of a custom policy is the ‘rules’ section, which defines the conditions and operations used to validate attributes and configures the remediation steps shown to users when a violation occurs. Uploading custom policies and managing them live, in real time, with the StackGen CLI brings clarity to what is often a murky, undefined process.
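To make that structure concrete, here is an added illustrative evaluator (not StackGen’s own code or schema): it assumes a hypothetical policy layout with ruleId, version, resourceType, a rules list of attribute/operation/value checks, and a remediation string, then validates one AppStack component against it and returns remediation guidance for each violation.

```python
# Illustrative policy evaluator. The schema (ruleId, version, resourceType,
# rules[].attribute/operation/value, remediation) and the operation names are
# ASSUMED for this example and are not StackGen's actual format.

# Constructed sample policy (assumed schema)
POLICY = {
    "ruleId": "CUSTOM-S3-001",
    "version": "1.0.0",
    "resourceType": "aws_s3_bucket",
    "description": "S3 buckets must block public access and use server-side encryption",
    "rules": [
        {"attribute": "public_access_block", "operation": "equals", "value": True},
        {"attribute": "encryption", "operation": "in", "value": ["aws:kms", "AES256"]},
    ],
    "remediation": "Enable the public access block and set a server-side encryption algorithm.",
}

# Supported comparison operations (assumed set); unknown ones fail closed below.
OPERATIONS = {
    "equals": lambda actual, expected: actual == expected,
    "not_equals": lambda actual, expected: actual != expected,
    "in": lambda actual, expected: actual in expected,
    "present": lambda actual, _expected: actual is not None,
}

def evaluate(policy, component):
    """Return the violations of `policy` for one component.

    Components of another resource type are skipped (policy not applicable).
    Each violation carries the ruleId/version and the remediation text so the
    user can be guided to fix it; a missing attribute counts as a violation."""
    if component.get("type") != policy["resourceType"]:
        return []
    violations = []
    attrs = component.get("attributes", {})
    for rule in policy["rules"]:
        check = OPERATIONS.get(rule["operation"])
        actual = attrs.get(rule["attribute"])
        # Fail closed: an operation the engine does not know is treated as a failure.
        if check is None or not check(actual, rule["value"]):
            violations.append({
                "ruleId": policy["ruleId"],
                "version": policy["version"],
                "attribute": rule["attribute"],
                "actual": actual,
                "remediation": policy["remediation"],
            })
    return violations

# Constructed sample components
COMPLIANT = {"name": "logs", "type": "aws_s3_bucket",
             "attributes": {"public_access_block": True, "encryption": "aws:kms"}}
NONCOMPLIANT = {"name": "assets", "type": "aws_s3_bucket",
                "attributes": {"public_access_block": False}}
```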
Custom IAM Policies
As Sean continues the walkthrough, we explore custom IAM policies, a crucial tool for customizing access controls within your organization’s infrastructure. In addition to the pre-existing user roles (read, write, and admin), StackGen allows custom IAM roles to be introduced, giving finer control over resource permissions. Custom IAM policies can contain either hard-coded string permissions or dynamic policies, such as ones that incorporate specific Amazon Resource Name (ARN) outputs. This flexibility lets policies be tailored to your organization’s needs, ensuring that only authorized actions can be performed on designated resources.
Resource Restriction and Governance
To enforce custom IAM policies, StackGen employs resource IAM restriction policies. These policies define which roles are permissible for specific resource interactions and establish default roles for newly created resources. When these are implemented correctly, IAM restrictions ensure that all team members adhere to organizational safety standards across all applicable infrastructure components. By utilizing StackGen’s governance configurations, these resource restrictions become enforceable, allowing for more robust, predefined security measures that align with your organization’s policies and objectives.
Custom policies and resource governance play a vital role in the StackGen ecosystem. Crafting and enforcing these policies not only helps protect your organization’s infrastructure, but also facilitates secure and efficient infrastructure management at scale. We encourage you to experiment with these tools: sign up for a demo, use one of our example projects to create a new AppStack, and explore different policy configurations. As always, we welcome your feedback so we can continue to improve our product, resources, and documentation.