Scanning AWS resources using OPAL

[massimiliano96]

I would like to ask if it is possible to use OPA and OPAL to check infrastructure resource policies deployed on AWS in real-time. For instance, suppose I have a policy written in Rego that ensures all my EC2 instances have the tag "cost_center". I want to detect if both existing and newly deployed resources comply with this tag. Additionally, I want to detect changes, such as if someone attempts to delete the tag from a resource.

Furthermore, I plan to deploy OPAL server and OPAL client on an EKS cluster for real-time monitoring.

[maya-barak]

Hi @massimiliano96,
I will check with the team and get back to you :)

[massimiliano96]

Hi @orweis, ok that makes sense.

So is there any way to connect OPAL with AWS Cloud Trail events? Can you provide me more details?

[orweis]

Both the OPAL client and server spit out logs to stderr, check out the configuration options for tweaking the logs. Behind the scenes Loguru is used.
https://opal.ac/getting-started/configuration

I'd suggest you start with the docker compose tutorials to get familiar with the system and its common settings.

[orweis]

I might have interpreted your question wrongly as to mean only propagating logs of OPAL into CloudTrail .
Another meaning could be tracking the IAM event themselves which OPAL is a part of.

Inbound: I'd use as @rficcaglia suggested EventBridge to invoke data updates into OPAL , or policy updates into Git
Outbound: you can use an OPAL-client to listen on the pub/sub channel and subscribe to events - like OPToggles does

[massimiliano96]

Thanks @orweis, my use case is the Inbound one, but if we deploy OPAL on Lambda and we integrate it with Event Bridge, which are the benefits of using OPAL with respect to running directly OPA?

[orweis]

1. I wouldn't recommend running OPAL on lambda - the server and client are meant to maintain always-on web-sockets connections for policy / data updates ...

2. OPAL is used to make sure OPA(s) have the policy (usually tracked from Git) and data (fetched from a distributed data plane) they need to make up to date decisions.

Please refer to the docs at opal.ac

[rficcaglia]

Maybe CT -> EventBridge -> SNS -> Lambda invocation -> OPAL?

[massimiliano96]

Considering this architecture, is OPAL deployed on a Lambda function? Otherwise, which is the scope of the Lambda?