Pacbot - Platform For Continuous Compliance Monitoring, Compliance Reporting In Addition To Safety Automation For The Cloud
Policy every bit Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting as well as safety automation for the cloud. In PacBot, safety as well as compliance policies are implemented every bit code. All resources discovered past times PacBot are evaluated against these policies to justice policy conformance. The PacBot auto-fix framework provides the might to automatically reply to policy violations past times taking predefined actions. PacBot packs inwards powerful visualization features, giving a simplified persuasion of compliance as well as making it slow to analyze as well as remediate policy violations. PacBot is to a greater extent than than a tool to care cloud misconfiguration, it is a generic platform that tin ship away live used to practice continuous compliance monitoring as well as reporting for whatever domain.
More Than Cloud Compliance Assessment
PacBot's plugin-based information ingestion architecture allows ingesting information from multiple sources. We guide keep built plugins to delineate information from Qualys Vulnerability Assessment Platform, Bitbucket, TrendMicro Deep Security, Tripwire, Venafi Certificate Management, Redhat Satellite, Spacewalk, Active Directory as well as several other custom-built internal solutions. We are working to opened upward source these plugins as well as other tools every bit well. You could write rules based on information collected past times these plugins to learn a consummate moving painting of your ecosystem as well as non merely cloud misconfigurations. For example, inside T-Mobile nosotros guide keep implemented a policy to grade all EC2 instances having i or to a greater extent than severity five (CVSS score > 7) vulnerabilities every bit non-compliant.
Quick Demo
How Does It Work?
Assess -> Report -> Remediate -> Repeat
Assess -> Report -> Remediate -> Repeat is PacBot's philosophy. PacBot discovers resources as well as assesses them against the policies implemented every bit code. All policy violations are recorded every bit an issue. Whenever an Auto-Fix claw is available alongside the policies, those auto-fixes are executed when the resources neglect the evaluation. Policy violations cannot live unopen manually, the number has to live fixed at the source as well as PacBot volition grade it unopen inwards the side past times side scan. Exceptions tin ship away live added to policy violations. Sticky exceptions (Exception based on resources attribute matching criteria) tin ship away live added to exempt similar resources that may live created inwards future.
PacBot's Asset Groups are a powerful means to visualize compliance. Asset Groups are created past times defining i or to a greater extent than target resource's attribute matching criteria. For example, you lot could practice an Asset Group of all running assets past times defining criteria to agree all EC2 instances alongside attribute instancestate.name=running. Any novel EC2 representative launched later the creation of the Asset Group volition live automatically included inwards the group. In PacBot UI you lot tin ship away select the compass of the portal to a specific property group. All the information points shown inwards the PacBot portal volition live confined to the selected Asset Group. Teams using cloud tin ship away laid the compass of the portal to their application or org as well as focus alone on their policy violations. This reduces dissonance as well as provides a clear moving painting to cloud users. At T-Mobile, nosotros practice an Asset Groups per stakeholder, per application, per AWS account, per Environment etc.
Asset groups tin ship away also live used to define the compass of dominion executions every bit well. PacBot policies are implemented every bit i or to a greater extent than rules. These rules tin ship away live configured to run against all resources or a specific Asset Group. The rules volition evaluate all resources inwards the property grouping configured every bit the compass for the rule. This provides an chance to write policies which are really specific to an application or org. For example, merely about teams would similar to enforce additional tagging standards apart from the global standards laid for all of the cloud. They tin ship away implement such policies alongside custom rules as well as configure these rules to run alone on their assets.
PacBot Key Capabilities
- Continuous compliance assessment.
- Detailed compliance reporting.
- Auto-Fix for policy violations.
- Omni Search - Ability to search all discovered resources.
- Simplified policy violation tracking.
- Self-Service portal.
- Custom policies as well as custom auto-fix actions.
- Dynamic property grouping to persuasion compliance.
- Ability to practice multiple compliance domains.
- Exception management.
- Email Digests.
- Supports multiple AWS accounts.
- Completely automated installer.
- Customizable dashboards.
- OAuth Support.
- Azure AD integration for login.
- Role-based access control.
- Asset 360 degree.
Technology Stack
- Front End - Angular
- Backend End APIs, Jobs, Rules - Java
- Installer - Python as well as Terraform
Deployment Stack
- AWS ECS & ECR - For hosting UI as well as APIs
- AWS Batch - For rules as well as resources collection jobs
- AWS CloudWatch Rules - For dominion trigger, scheduler
- AWS Redshift - Data warehouse for all the inventory collected from multiple sources
- AWS Elastic Search - Primary information shop used past times the spider web application
- AWS RDS - For admin CRUD functionalities
- AWS S3 - For storing inventory files as well as persistent storage of historical data
- AWS Lambda - For gluing few components of PacBot
PacBot UI Dashboards & Widgets
- Compliance Dashboard
- Asset 360 / Asset Details Page
Installation
Detailed installation instructions are available here
Usage
The installer volition launch required AWS services listed inwards the installation instructions. After successful installation, opened upward the UI load balancer URL. Log into the application using the credentials supplied during the installation. The results from the policy evaluation volition offset getting populated inside an hour. Trendline widgets volition live populated when at that topographic point are at to the lowest degree 2 information points.
When you lot install PacBot, the AWS occupation organisation human relationship where you lot install is the base of operations account. PacBot installed on the base of operations occupation organisation human relationship tin ship away monitor other target AWS accounts. Refer to the instructions here to add together novel accounts to PacBot. By default base of operations occupation organisation human relationship volition live monitored past times PacBot.
Login every bit Admin user as well as become to the Admin page from the laissez passer on off menu. In the Admin section, you lot can
- Create/Manage Policies
- Create/Manage Rules as well as associate Rules alongside Policies
- Create/Manage Asset Groups
- Create/Manage Sticky Exception
- Manage Jobs
- Create/Manage Access Roles
- Manage PacBot Configurations
User Guide / Wiki
Wiki is here.
Announcement Blog Post
Introducing PacBot