AWS Cloud Operations & Migrations Blog

AWS OpsWorks for Chef Automate Now Supports Compliance

AWS OpsWorks for Chef Automate gives you a fully managed Chef server with a suite of automation tools. The release of Chef Automate version 1.6 includes the new Compliance view in the Chef Automate UI. With compliance integrated into AWS OpsWorks for Chef Automate, you can track the compliance of your infrastructure against a predefined policy. This lets you audit your nodes frequently for vulnerabilities and insecure configuration, and remediate the violations you find.

Use cases and benefits

With this update, you can detect and correct security risks and compliance issues across your entire infrastructure.

  • Move from manual compliance to continuous compliance by frequently conducting assessments and managing compliance as code. This means that you can bake compliance into your Chef workflow.
  • Select from 88 pre-packaged profiles that implement industry benchmarks, available in the Profile Store. You can also customize these profiles to fit your information security needs.
  • Use the Compliance pane, a unified dashboard for identifying issues, remediating them, and tracking progress. You can also view scan results per node and per profile.
  • Describe compliance controls in InSpec, an open-source testing framework, and integrate these automated tests into any stage of your deployment pipeline.

To get started, go to the AWS Management Console and open the OpsWorks console. On the AWS OpsWorks Stacks home page, choose Go to OpsWorks for Chef Automate, and then choose Compliance. In the left navigation pane, choose Profile Store. Then, on the Available tab, select a profile such as DevSec SSH Baseline and choose Get to install it.

On the profile details page, you can view a brief description of the profile, its set of controls, and the severity of each control. Choose + next to a control to see its expected outcome and the InSpec code that it executes.

After the profile is installed, configure the audit cookbook to run the compliance profile you selected in the previous step, and add the cookbook's recipe to your node's run list.

After the node's run list has executed with the audit attributes set, the profile's status appears on the Compliance page.

Go to the Profiles tab, choose Scan Results, and select a node to see each failed control and what failed within it, that is, the expected and the actual outcome of each failed test. With this information, you can reconfigure the node so that every test passes on the next run.

This update is now generally available and you can start using it today. With OpsWorks for Chef Automate, you pay for the Amazon EC2 instance used to run your managed Chef server (pricing details here). You can launch OpsWorks for Chef Automate today in the following AWS Regions: US East (Northern Virginia), US West (Oregon), and EU (Ireland). To learn more, read Configure the Chef Server Using the Starter Kit in the OpsWorks User Guide.

About the Author

Rahul Gulati is a Product Manager at AWS OpsWorks. He enjoys working with customers and engineering teams to build software products.