Nirmata Cloud Control Point

User Documentation for Nirmata Cloud Control Point

Introduction

Cloud Control Point is an innovative admission controller designed for cloud environments, introduced by Nirmata to bring robust governance and security capabilities to any cloud or cloud service. Inspired by Kubernetes admission controllers like Kyverno, Cloud Control Point fills a critical gap in cloud-native operations by enforcing policy-as-code standards directly in cloud resource configurations. This capability enables organizations to prevent misconfigurations from reaching production environments, ensuring that resources adhere to defined policies for security and compliance.

As a core component of the Nirmata Control Hub, Cloud Control Point provides a unified solution for managing security and governance across pipelines, clusters, and cloud environments. With admission control, continuous background scanning, and event-driven reporting, Cloud Control Point helps teams maintain a consistent and secure posture across their entire cloud infrastructure.

Key Features

  • Cloud Admission Control: Cloud Control Point introduces admission control for cloud environments, allowing you to prevent misconfigurations before they impact production. It enforces policies at the moment resources are created or modified, ensuring compliance from the start.
  • Comprehensive Multi-Cloud Compatibility: Designed to work with any cloud provider and service, Cloud Control Point offers flexibility for diverse environments. Its policies can be applied universally, giving organizations consistent security and governance across all cloud platforms.
  • Continuous Background Scanning: Beyond initial admission control, Cloud Control Point performs ongoing scans of cloud resources, identifying and alerting teams to misconfigurations and potential vulnerabilities as environments evolve. This continuous monitoring enhances long-term compliance and security.
  • Event-Driven Reporting: Cloud Control Point generates detailed reports from admission and scan events, in the same format Kyverno uses, built on the Kubernetes Policy Working Group's PolicyReport API. These reports provide insight into policy compliance, security posture, and operational effectiveness.
  • Integration with Nirmata Control Hub: As part of the Nirmata Control Hub, Cloud Control Point enables centralized visibility into pipeline, cluster, and cloud security. By consolidating governance data in one platform, it empowers teams to proactively manage their security and compliance postures across all stages of the deployment lifecycle.

AWS Asset Discovery

AWS Organisation and Account Discovery

The AWS Organisation and Account Discovery feature introduces a new custom resource, AWSOrgConfig. You create a single AWSOrgConfig for the organisation root or for an organisational unit (OU). The cloud controller then lists the child OUs of that root or OU, creates an AWSOrgConfig for each of them, lists the AWS accounts in each OU and creates an AWSAccountConfig for every account. The walk is recursive, so OUs and accounts at every level below the configured one are discovered, and the accounts are scanned in the regions, for the services and on the interval given in the parent AWSOrgConfig.
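The recursive walk described above, written out as an added example. This is not Nirmata's controller code: the AWSOrgConfig fields are the ones shown on this page, but the AWSAccountConfig spec layout, the helper names and the in-memory FakeOrganizations data are assumptions made for the example. The fake client mimics the boto3 Organizations methods the walk calls (list_organizational_units_for_parent, list_accounts_for_parent, including NextToken paging), so boto3.client("organizations") can be swapped in to run it against a real management account.

```python
"""Recursive AWS Organisation discovery modelled on the AWSOrgConfig walk
described above. Added example, not Nirmata's controller code. Only the
AWSOrgConfig fields are taken from the page; the AWSAccountConfig spec,
the helper names and the sample organisation are assumptions."""
from typing import Callable, Iterator, List, Tuple

SPEC_TEMPLATE = {  # copied from the AWSOrgConfig example above
    "customAssumeRoleName": "DevTestAccountAccessRole",
    "regions": ["us-west-1"],
    "roleARN": "arn:aws:iam::<account-id>:role/<role-name>",
    "scanInterval": "1h",
    "services": ["EKS", "ECS", "EC2", "Lambda", "RDS"],
}


def _paginate(call: Callable[..., dict], key: str, **kwargs) -> Iterator[dict]:
    """Follow NextToken the way the real Organizations API pages results."""
    token = None
    while True:
        page = call(**kwargs, NextToken=token) if token else call(**kwargs)
        yield from page.get(key, [])
        token = page.get("NextToken")
        if not token:
            return


def org_config(org_id: str, org_name: str) -> dict:
    """Build the AWSOrgConfig manifest for one root or OU."""
    return {"apiVersion": "nirmata.io/v1alpha1", "kind": "AWSOrgConfig",
            "metadata": {"name": org_id.lower()},
            "spec": {"orgID": org_id, "orgName": org_name, **SPEC_TEMPLATE}}


def account_config(acct: dict, parent_id: str) -> dict:
    """Build an AWSAccountConfig for a member account (spec layout assumed).
    The per-account role ARN is derived from customAssumeRoleName."""
    return {"apiVersion": "nirmata.io/v1alpha1", "kind": "AWSAccountConfig",
            "metadata": {"name": acct["Id"], "labels": {"nirmata.io/org-id": parent_id}},
            "spec": {"accountID": acct["Id"], "accountName": acct["Name"],
                     "roleARN": f"arn:aws:iam::{acct['Id']}:role/{SPEC_TEMPLATE['customAssumeRoleName']}",
                     "regions": SPEC_TEMPLATE["regions"],
                     "services": SPEC_TEMPLATE["services"],
                     "scanInterval": SPEC_TEMPLATE["scanInterval"]}}


def discover(client, org_id: str, org_name: str) -> Tuple[List[dict], List[dict]]:
    """Depth-first walk from org_id: one AWSOrgConfig per root/OU reached and
    one AWSAccountConfig per ACTIVE account. `client` needs the boto3
    Organizations methods list_accounts_for_parent and
    list_organizational_units_for_parent."""
    orgs: List[dict] = []
    accounts: List[dict] = []

    def walk(parent_id: str, parent_name: str) -> None:
        orgs.append(org_config(parent_id, parent_name))
        for acct in _paginate(client.list_accounts_for_parent, "Accounts", ParentId=parent_id):
            if acct.get("Status") == "ACTIVE":  # suspended/closed accounts cannot be scanned
                accounts.append(account_config(acct, parent_id))
        for ou in _paginate(client.list_organizational_units_for_parent,
                            "OrganizationalUnits", ParentId=parent_id):
            walk(ou["Id"], ou["Name"])

    walk(org_id, org_name)
    return orgs, accounts


class FakeOrganizations:
    """Offline stand-in for boto3.client("organizations") with constructed data.
    Response shapes match the real API so the walk runs unchanged against it."""
    TREE = {  # parent -> child OUs
        "r-zyre": [{"Id": "ou-zyre-1111aaaa", "Name": "Workloads"}],
        "ou-zyre-1111aaaa": [{"Id": "ou-zyre-2222bbbb", "Name": "Prod"}],
        "ou-zyre-2222bbbb": [],
    }
    ACCOUNTS = {  # parent -> member accounts
        "r-zyre": [],
        "ou-zyre-1111aaaa": [{"Id": "111111111111", "Name": "dev", "Status": "ACTIVE"}],
        "ou-zyre-2222bbbb": [{"Id": "222222222222", "Name": "prod", "Status": "ACTIVE"},
                             {"Id": "333333333333", "Name": "old", "Status": "SUSPENDED"}],
    }

    def list_organizational_units_for_parent(self, ParentId: str, **_) -> dict:
        return {"OrganizationalUnits": self.TREE[ParentId]}

    def list_accounts_for_parent(self, ParentId: str, **_) -> dict:
        return {"Accounts": self.ACCOUNTS[ParentId]}


if __name__ == "__main__":
    orgs, accounts = discover(FakeOrganizations(), "r-zyre", "Root")
    print([o["spec"]["orgID"] for o in orgs])         # ['r-zyre', 'ou-zyre-1111aaaa', 'ou-zyre-2222bbbb']
    print([a["metadata"]["name"] for a in accounts])  # ['111111111111', '222222222222']
```

The suspended account is deliberately dropped: a role in a suspended account cannot be assumed, so emitting a config for it would only produce a failing scan.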

Example AWSOrgConfig

apiVersion: nirmata.io/v1alpha1
kind: AWSOrgConfig
metadata:
  name: root
spec:
  customAssumeRoleName: DevTestAccountAccessRole
  orgID: r-zyre
  orgName: Root
  regions:
  - us-west-1
  roleARN: arn:aws:iam::<account-id>:role/<role-name>
  scanInterval: 1h
  services:
  - EKS
  - ECS
  - EC2
  - Lambda
  - RDS

Field Descriptions

  • orgID: The AWS-assigned ID of the root or organisational unit to configure (root IDs start with r-, OU IDs with ou-).
  • orgName: A display name for the root or OU, chosen by the user. Keeping it the same as the name assigned in AWS Organizations is recommended.
  • regions: The AWS regions in which resources are scanned in the discovered child accounts.
  • scanInterval: How often the discovered accounts are re-scanned (1h in the example).
  • services: The AWS services whose resources are scanned (EKS, ECS, EC2, Lambda and RDS in the example).
  • roleARN: The ARN of the role the discovery runs under. It must be created in the organisation's management account with permission to list and describe roots, OUs and accounts, and its trust policy must allow it to be assumed by the IAM role that is bound to the cloud scanner's service account through the EKS Pod Identity agent. Trust that specific role ARN rather than the whole account (an account-root principal lets every principal in that account assume the role) and keep its permissions read-only: Organizations discovery needs List and Describe actions only.
  • customAssumeRoleName: The name (not the ARN) of an IAM role that must exist under that same name in every discovered account, with permission to read resources in the configured services; it mirrors the scanner's own role. Because the name is identical everywhere, it is normally provisioned across the organisation in one step (for example with a CloudFormation StackSet), and its trust policy should likewise name only the role that assumes it.
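The role chain the two role fields describe, as an added example with policy documents and a least-privilege check. This is not Nirmata's code or documentation: the page does not list the exact Organizations API calls the controller makes, so ORG_READ_ACTIONS is the read-only set assumed here; the role ARNs are placeholders; and which role performs the sts:AssumeRole hop into member accounts is an assumption (the management-account role in this example; if the scanner assumes the member roles directly, move the HopToMembers statement to the scanner role and point the member roles' trust at it). The constructed WEAK_TRUST and WEAK_PERMS documents show the two common shortcuts the check catches.

```python
"""IAM policy documents for the AWSOrgConfig role chain plus a
least-privilege check. Added example, not Nirmata's code. ORG_READ_ACTIONS,
the placeholder ARNs and the choice of which role hops into member
accounts are assumptions; the page does not specify them."""
from typing import List

SCANNER_ROLE_ARN = "arn:aws:iam::111122223333:role/nirmata-cloud-scanner"  # placeholder
MEMBER_ROLE_NAME = "DevTestAccountAccessRole"  # customAssumeRoleName from the page's example

# Read-only Organizations actions sufficient to walk roots -> OUs -> accounts (assumed set).
ORG_READ_ACTIONS = [
    "organizations:DescribeOrganization",
    "organizations:ListRoots",
    "organizations:ListOrganizationalUnitsForParent",
    "organizations:DescribeOrganizationalUnit",
    "organizations:ListAccountsForParent",
    "organizations:DescribeAccount",
]


def pod_identity_trust_policy() -> dict:
    """Trust policy for the scanner's own role: EKS Pod Identity assumes it
    through the pods.eks.amazonaws.com service principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "pods.eks.amazonaws.com"},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
    }]}


def role_trust_policy(assuming_role_arn: str) -> dict:
    """Trust policy for roleARN (management account) and for the member role
    named by customAssumeRoleName: trust one specific role ARN, not the
    account root, so only that workload can assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": assuming_role_arn},
        "Action": "sts:AssumeRole",
    }]}


def management_permissions_policy(member_role_name: str) -> dict:
    """Permissions for roleARN: read the org tree and hop only into the
    named member role, never into arbitrary roles."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DiscoverOrg", "Effect": "Allow",
         "Action": ORG_READ_ACTIONS, "Resource": "*"},
        {"Sid": "HopToMembers", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": f"arn:aws:iam::*:role/{member_role_name}"},
    ]}


def check_least_privilege(trust: dict, perms: dict) -> List[str]:
    """Flag the common over-grants; an empty list means the pair passes."""
    findings: List[str] = []
    for st in trust["Statement"]:
        principal = st.get("Principal", {})
        aws = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if aws == "*":
            findings.append("trust: wildcard principal, any AWS account can assume the role")
        elif isinstance(aws, str) and aws.endswith(":root"):
            findings.append(f"trust: {aws} lets every principal in that account assume the role")
    for st in perms["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for action in actions:
            service, _, op = action.partition(":")
            if action == "*" or op == "*":
                findings.append(f"perms: wildcard action {action}")
            elif service == "organizations" and not op.startswith(("List", "Describe")):
                findings.append(f"perms: {action} is not a read-only Organizations action")
            elif action not in ORG_READ_ACTIONS and action != "sts:AssumeRole":
                findings.append(f"perms: {action} is outside what discovery needs")
        if "sts:AssumeRole" in actions and st.get("Resource") == "*":
            findings.append("perms: sts:AssumeRole on Resource * allows hopping into any role that trusts this account")
    return findings


# Constructed "before" documents showing the two shortcuts that weaken the chain.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"}]}
WEAK_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["organizations:*", "sts:AssumeRole"], "Resource": "*"}]}

if __name__ == "__main__":
    for finding in check_least_privilege(WEAK_TRUST, WEAK_PERMS):
        print("weak:", finding)
    hardened = check_least_privilege(role_trust_policy(SCANNER_ROLE_ARN),
                                     management_permissions_policy(MEMBER_ROLE_NAME))
    print("hardened findings:", hardened)  # []
```

The same role_trust_policy shape serves the member role in every discovered account, with the management role's ARN as the assuming principal, so that the only path into a member account is scanner role to management role to member role.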

Pricing Information

Contact Nirmata Customer Support for pricing details.

Related Pages

  • AWS Asset Discovery Guide: Step-by-step guide for setting up AWS Organisation and Account Discovery
  • Cloud Admission Controller
  • Getting Started: An introduction to Cloud Admission Controller and Cloud Scanner
  • Cloud Scanner: Ensuring Cloud Resource Compliance
  • Reporting System