Yor Automates Tagging for Infrastructure as Code
Network security company Palo Alto Networks recently released Yor, an open-source tool that automatically tags cloud resources defined in infrastructure as code (IaC) frameworks. According to Barak Schoster, a chief architect with Palo Alto Networks, the idea for Yor grew out of feedback from users of another security tool he and his team had created.
“One of the reasons that we decided to develop Yor is because we talked with Checkov users, and with OPA [Open Policy Agent] users and other policy as code engines, and we asked them, ‘What would be the most common policy that you will run within your organization?’ and the most common policy that people ask for is having consistent tags,” said Schoster. “Yor is the way to fix that. It’s all about giving superpowers to the SREs and the DevOps team and automating a lot of their manual tasks, instead of having them read a lot of Confluence and docs pages.”
Schoster was formerly the CTO and co-founder of Bridgecrew, the company recently acquired by Palo Alto Networks that created Checkov, the policy as code scanning tool, and now Yor. In addition to polling users of policy as code engines, Schoster says that the experience of trying to tag large numbers of microservices also led the team to the idea for Yor.
“When you have tons of microservices, when you’re operating in the cloud, it brings with it a lot of advantages, and it also brings a lot of questions around operations. For example, if an issue is coming up on your PagerDuty, who owns that microservice? Which team owns it? Is it sensitive? Does it contain sensitive data? Or is it business critical?” said Schoster. “A lot of big enterprises have huge documentation pages saying this is how you should tag each and every resource in the cloud. You get a list of 50 different tags, and there are over 160 services just on AWS. It’s a very tedious and manual task.”
The first time you run Yor, it queries your Git history for the changes made to your cloud infrastructure manifests, whether Terraform, CloudFormation, or Serverless Framework, and populates tags based on those changes. On the next deployment, those tags are pushed into production, so existing resources are tagged retroactively with values such as the Git organization, repository, file, last modifier, a unique trace ID per resource, and any custom tags users define. Yor also ships with a set of built-in tagging rules and best practices, and beyond automatic tagging it makes it possible to trace a security misconfiguration from code to cloud without access to sensitive artifacts such as plan or state files. Yor can run either as a one-off continuous integration (CI) check or as a step in a continuous integration and continuous delivery (CI/CD) pipeline that adds the context, whether owner, cost center, or any other custom tagging rule users define, on every commit.
Tagging, said Schoster, helps organizations manage six distinct realms: inventory, ownership, risk management, access control, cost allocation, and process automation. Misconfigurations in these areas are among the leading causes of breaches and outages, he said, partly because the tagging process is tedious and error-prone, a problem that is only exacerbated when operating across multiple clouds. Checkov and Yor, he said, operate in concert to prevent these sorts of issues.
“Let’s say that you have a public S3 bucket or over-privileged identity access management (IAM) policies, both of those are misconfigurations that can happen in the cloud, and if you have a public asset, it means that your data might leak out. Or if you have an over-privileged role, you might grant access to someone who shouldn’t have access to a sensitive set of data sources,” said Schoster. “When you want to respond to those misconfigurations, Checkov will help you to detect them, and Yor will give you the additional context required to solve those issues quickly by attaching an owner to each and every resource in the cloud.”
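The two paragraphs above describe a workflow: derive tags for every resource from Git metadata plus a per-resource trace, then let a policy scanner use those tags to hand a finding to an owner. The following Python is an added illustration of that workflow written for this page; it is not Yor's or Checkov's code, and it simplifies heavily. Everything in it is an assumption: the Terraform input and the `GIT_META` dictionary are constructed stand-ins for data a real tool would read from the repository, the tag key names (`git_org`, `git_file`, `yor_trace`, and so on) are our own choice modeled on the categories the article lists, and the trace ID is a uuid5 over repository, file and resource address so that re-running is idempotent, which need not be how Yor generates its trace.

```python
import re
import uuid

# Constructed stand-in for what a tool would read from `git remote` / `git log`.
GIT_META = {
    "org": "example-org",
    "repo": "infra",
    "last_modifier": "alice@example.com",
    "commit": "0123abc",
}

# Constructed Terraform input: one bucket is public and already carries a
# hand-written owner tag, the other has no tags at all.
SAMPLE_TF = '''
resource "aws_s3_bucket" "reports" {
  bucket = "example-reports"
  acl    = "public-read"
  tags = {
    owner = "data-platform"
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "private"
}
'''

RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
TAGS_BLOCK = re.compile(r'\n[ \t]*tags\s*=\s*\{(.*?)\n[ \t]*\}', re.S)
KV = re.compile(r'^\s*([A-Za-z0-9_\-:./]+)\s*=\s*"([^"]*)"', re.M)
ACL = re.compile(r'\bacl\s*=\s*"([^"]+)"')
PUBLIC_ACLS = {"public-read", "public-read-write"}


def block_end(text, open_idx):
    """Index just past the '}' matching the '{' at open_idx (braces inside
    double-quoted strings are ignored)."""
    depth, in_str, i = 0, False, open_idx
    while i < len(text):
        ch = text[i]
        if in_str:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced braces")


def resources(text):
    """Yield (type, name, start, end, body) for each top-level resource block."""
    for m in RESOURCE_HEADER.finditer(text):
        end = block_end(text, m.end() - 1)
        yield m.group(1), m.group(2), m.start(), end, text[m.start():end]


def existing_tags(body):
    m = TAGS_BLOCK.search(body)
    return dict(KV.findall(m.group(1))) if m else {}


def derived_tags(meta, path, address, current):
    """Git-derived tags plus a trace ID; an existing trace is kept so the
    resource keeps one identity across runs (assumed scheme, not Yor's)."""
    trace = current.get("yor_trace") or str(
        uuid.uuid5(uuid.NAMESPACE_URL, f"{meta['repo']}/{path}#{address}"))
    return {"git_org": meta["org"], "git_repo": meta["repo"], "git_file": path,
            "git_last_modified_by": meta["last_modifier"],
            "git_commit": meta["commit"], "yor_trace": trace}


def render_tags(tags, indent="  "):
    lines = [f"{indent}tags = {{"]
    lines += [f'{indent}  {k} = "{tags[k]}"' for k in sorted(tags)]
    return "\n".join(lines + [f"{indent}}}"])


def tag_file(text, path, meta=GIT_META):
    """Return text with every resource carrying merged tags. Hand-written
    tags such as owner survive; git-derived keys are refreshed on each run."""
    out, cursor = [], 0
    for rtype, name, start, end, body in resources(text):
        current = existing_tags(body)
        rendered = render_tags(
            {**current, **derived_tags(meta, path, f"{rtype}.{name}", current)})
        if TAGS_BLOCK.search(body):
            body = TAGS_BLOCK.sub(lambda _: "\n" + rendered, body, count=1)
        else:  # no tags block yet: insert one before the resource's closing brace
            body = body[:-1].rstrip() + "\n" + rendered + "\n}"
        out += [text[cursor:start], body]
        cursor = end
    return "".join(out + [text[cursor:]])


def public_bucket_findings(text):
    """Toy Checkov-style check: flag public S3 buckets and attach the owner,
    file and trace from the tags so the finding can be routed to a team."""
    findings = []
    for rtype, name, _, _, body in resources(text):
        m = ACL.search(body) if rtype == "aws_s3_bucket" else None
        if m and m.group(1) in PUBLIC_ACLS:
            tags = existing_tags(body)
            findings.append({"resource": f"{rtype}.{name}", "acl": m.group(1),
                             "owner": tags.get("owner", "<untagged>"),
                             "file": tags.get("git_file"),
                             "trace": tags.get("yor_trace")})
    return findings


if __name__ == "__main__":
    tagged = tag_file(SAMPLE_TF, "main.tf")
    print(tagged)
    for finding in public_bucket_findings(tagged):
        print(finding)
```

Run it and the public `reports` bucket is reported with its owner, source file and trace ID attached, while the untagged `logs` bucket simply gains the git-derived tags. Running `tag_file` a second time over its own output leaves the text unchanged, which is the property that matters in a CI/CD step that fires on every commit.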
Moving forward, Yor will add support for Kubernetes, and potentially kustomize, said Schoster.