Current State

With the increasing adoption of cloud, many organisations are battling infrastructure drift, the cost of unused resources, and security and compliance issues caused by untrusted workloads.
Tools and approaches exist that address some of these issues, but none solve them fully.

For example, let's say we deploy our resources via automation using something like Terraform or Crossplane. These tools can detect drift in the resources they provision when run from CI/CD systems such as GitHub Actions or Argo CD.

However, they cannot detect drift from resources created manually through the cloud provider's API, CLI or console. These unmanaged resources increase cost and create security and compliance issues.

Proposed Solution

To solve the above issue, what we need is a feature we call Signed Infrastructure.

The concept of Signed Infrastructure looks like the following.

  • All infrastructure components are signed at provisioning time, similar to signed commits in GitHub and GitLab, or Binary Authorization in GCP.
  • The cloud service provider monitors the infrastructure and alerts or deletes (based on organisation policy) any components not signed by a trusted source.
  • The cloud service provider should monitor not only the services but also their dependencies (for example, KMS keys created automatically for a cloud bucket).
  • In cases where a particular API of a service cannot be provisioned using IaC systems, perhaps due to lack of support in the IaC system, the service should still be deployed from a trusted source; there can be more than one trusted source.
  • There should be a feature to enforce the list of trusted sources, and reconciliation patterns for untrusted workloads.
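As an added illustration (not part of the original post), the following Python sketch models the concept above: provisioners on a trusted-source list sign each resource at provisioning time, a reconciler verifies every resource in an inventory, treats provider-created dependencies of a trusted resource as covered, and applies the organisation policy (alert or delete) to everything else. The keys, field names and resource inventory are constructed for the example.

```python
import hashlib
import hmac
import json
# Constructed: trusted provisioners and their HMAC keys (a real system would use asymmetric keys held in a KMS).
TRUSTED_SOURCES = {
    "terraform-ci": b"constructed-key-terraform",
    "crossplane": b"constructed-key-crossplane",
}

def canonical(resource):
    """Deterministic bytes over the identifying fields that get signed."""
    fields = {k: resource.get(k) for k in ("id", "type", "parent")}
    return json.dumps(fields, sort_keys=True).encode()

def sign(resource, source):
    """Attach a provisioning signature from a trusted source."""
    mac = hmac.new(TRUSTED_SOURCES[source], canonical(resource), hashlib.sha256)
    return {**resource, "signature": {"source": source, "hmac": mac.hexdigest()}}

def is_trusted(resource):
    """True only if signed by a listed source and the signature still verifies."""
    sig = resource.get("signature") or {}
    key = TRUSTED_SOURCES.get(sig.get("source"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(resource), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.get("hmac", ""))

def reconcile(inventory, policy="alert"):
    """Per resource: 'ok', 'ok-dependency' (provider-created child of a trusted parent), or the org policy."""
    trusted_ids = {r["id"] for r in inventory if is_trusted(r)}
    decisions = {}
    for r in inventory:
        if r["id"] in trusted_ids:
            decisions[r["id"]] = "ok"
        elif r.get("parent") in trusted_ids:
            decisions[r["id"]] = "ok-dependency"
        else:
            decisions[r["id"]] = policy  # "alert" or "delete", per organisation policy
    return decisions
# Constructed inventory: signed bucket, its auto-created key, a console-made VM, a VM "signed" by an unlisted tool, and a VM changed after signing.
BUCKET = sign({"id": "bucket-1", "type": "bucket", "parent": None}, "terraform-ci")
TAMPERED = dict(sign({"id": "vm-3", "type": "vm", "parent": None}, "crossplane"), type="gpu-vm")
INVENTORY = [
    BUCKET,
    {"id": "kms-1", "type": "kms-key", "parent": "bucket-1"},
    {"id": "vm-1", "type": "vm", "parent": None},
    {"id": "vm-2", "type": "vm", "parent": None, "signature": {"source": "unknown-tool", "hmac": "00"}},
    TAMPERED,
]
```

Running `reconcile(INVENTORY, policy="delete")` marks the bucket `ok`, its KMS key `ok-dependency`, and the three VMs `delete`; the tampered VM fails because its signed fields no longer match.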

The following diagram shows this concept.

Someone could argue that we can implement the above using tags and labels and by writing our own monitoring system. The problem is that some services do not support all tags and labels, and the monitoring system would need to be maintained and deployed across the organisation.

What can the above solution achieve?

  • Reduced cost, as we can enforce an org-level policy to delete resources deployed manually.
  • Improved security. For example, if an intruder gains access to the cloud API and tries to provision new services, they will not succeed because the workload will not be signed (unless the trusted provisioners are compromised or admin credentials are stolen).

Conclusion

We call on the major cloud providers (AWS, Azure and GCP) to implement this feature to solve cost, infrastructure drift, security and compliance issues.
