luizmachado.dev


Mastering DevSecOps in AWS: Policies-as-Code, SAST and Integrated Observability

In this post, we will cover:

📜 Policies-as-Code with CloudFormation Guard and Open Policy Agent

🔍 SAST with Amazon Inspector Code and external tools

👀 Observability with CloudWatch, X-Ray and Security Hub integration

🛠️ Practical workflow examples to apply these concepts

1. Policies-as-Code: security as code

Defining security policies as code is a pillar of modern DevSecOps. It ensures that:

  • Every resource created complies with the defined standards
  • Validation happens before deployment, in the pipeline, rather than after an incident
  • The rules are versioned, reviewed and audited like any other code
Common tools:
  • AWS Config + Config Rules – Continuously audits the state of deployed resources. It is detective: it reports non-compliance after the fact and does not block a deployment.
  • CloudFormation Guard – Validates CloudFormation templates before they are applied (preventive).
  • OPA (Open Policy Agent) – Applies policies written in Rego to multiple sources (Terraform plans, Kubernetes manifests, API requests, etc.).
  • Sentinel – HashiCorp's policy engine, for those using Terraform Cloud or Terraform Enterprise.

Practical example: validating with cfn-guard that every S3 bucket has Block Public Access (the PublicAccessBlockConfiguration property) fully enabled

# cfn-guard 2.x syntax: select every S3 bucket in the template
let buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]

# Block Public Access is only fully enforced when all four settings are true;
# a bucket that omits the property entirely fails these clauses as well
rule s3_block_public_access when %buckets !empty {
    %buckets.Properties.PublicAccessBlockConfiguration.BlockPublicAcls == true
    %buckets.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy == true
    %buckets.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls == true
    %buckets.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets == true
}
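The same policy as a pre-deployment gate in Python, added here as an example (it is not code from the post or from cfn-guard): the rules are declared as data so they can be versioned and reviewed like any other code, and the check is run over a constructed template that contains a compliant bucket, a half-configured one and one that never sets the property at all. The template, resource names and function names are all assumptions made for this example.

```python
"""Pre-deployment policy gate over a CloudFormation template (stdlib only).

Added example, not code from the original post nor from cfn-guard: it applies
the same S3 Block Public Access rule as the Guard snippet, with the rules
expressed as data so they can be versioned and reviewed like any other code.
The template and all resource names below are constructed for this example.
"""
import json

# Constructed sample: one compliant bucket, one with two settings still false,
# one that omits PublicAccessBlockConfiguration entirely, and a non-bucket.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "GoodBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "BlockPublicPolicy": True,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
        },
        "HalfBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "BlockPublicPolicy": False,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": False}},
        },
        "BareBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},
    }
})

# Policy as data: resource type, dotted property path, required value.
# Block Public Access is only fully enforced when all four settings are true.
RULES = [
    {"id": "s3_block_public_access", "type": "AWS::S3::Bucket",
     "path": "Properties.PublicAccessBlockConfiguration." + setting,
     "expected": True}
    for setting in ("BlockPublicAcls", "BlockPublicPolicy",
                    "IgnorePublicAcls", "RestrictPublicBuckets")
]

MISSING = "<missing>"


def lookup(obj, dotted_path):
    """Walk a dotted path through nested dicts; MISSING if any hop is absent."""
    for key in dotted_path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return MISSING
        obj = obj[key]
    return obj


def evaluate(template_json, rules=RULES):
    """Return (rule_id, logical_id, path, actual) for every failing clause.

    A missing property fails the clause: a bucket that never sets the block is
    just as public as one that sets it to false. The type is compared as well,
    so the string "true" does not pass for the boolean true.
    """
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for rule in rules:
            if resource.get("Type") != rule["type"]:
                continue
            actual = lookup(resource, rule["path"])
            expected = rule["expected"]
            if type(actual) is not type(expected) or actual != expected:
                findings.append((rule["id"], logical_id, rule["path"], actual))
    return findings


def gate(template_json):
    """CI gate: True only when no rule fails, so the deploy step may run."""
    return not evaluate(template_json)


if __name__ == "__main__":
    for rule_id, logical_id, path, actual in evaluate(SAMPLE_TEMPLATE):
        print(f"FAIL {rule_id}: {logical_id}.{path} = {actual!r}")
    raise SystemExit(0 if gate(SAMPLE_TEMPLATE) else 1)
```

Run as a pipeline step, the non-zero exit code is what stops the deploy. The point to keep from this example is the treatment of the missing property: a check that only inspects buckets which do declare PublicAccessBlockConfiguration silently passes the ones that matter most.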

2. SAST: detecting vulnerabilities in source code

What is SAST?

SAST (Static Application Security Testing) analyzes source code without executing the application, looking for insecure patterns (injection sinks, unsafe deserialization, weak cryptography), hardcoded credentials and other flaws. Checking dependencies for known vulnerable versions is strictly SCA (Software Composition Analysis), but most SAST tooling bundles both, so the two are usually run together in the pipeline.
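What "analyzing code without executing it" looks like in practice, as an added example that is not code from the post nor from Amazon Inspector or any other scanner: a minimal SAST pass that parses a Python file into its syntax tree (the file is never imported or run) and flags a hardcoded credential, a literal shaped like an AWS access key id, and a subprocess call with shell=True. The sample source, the rule names and the regular expressions are assumptions made for this example.

```python
"""Minimal AST-based SAST pass for Python source (stdlib only).

Added example, not code from the original post nor from Amazon Inspector or
any other scanner: it shows the core of what SAST does, reading the syntax
tree of a file that is never imported or run, and flagging two patterns the
text mentions, hardcoded credentials and an insecure call. The sample source
and the rule names are constructed for this example.
"""
import ast
import re

# Names that should never be assigned a string literal directly.
SECRET_NAME_RE = re.compile(r"passw(or)?d|secret|token|api_?key|access_?key", re.I)
# Shape of an AWS access key id (the documented example id is used below).
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed sample file under review; line numbers are what the scanner reports.
SAMPLE_SOURCE = '''
import os, subprocess
DB_PASSWORD = "hunter2"                     # hardcoded credential
aws_key = "AKIAIOSFODNN7EXAMPLE"            # literal shaped like an access key id
token = os.environ["API_TOKEN"]             # fine: value comes from the environment
def run(cmd):
    return subprocess.run(cmd, shell=True)  # shell=True turns cmd into an injection sink
'''


class SastVisitor(ast.NodeVisitor):
    """Collects (line, rule, detail) tuples while walking the tree."""

    def __init__(self):
        self.findings = []

    def visit_Assign(self, node):
        # Rule 1: secret-looking name bound to a string literal.
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME_RE.search(target.id):
                    self.findings.append((node.lineno, "hardcoded-credential", target.id))
        self.generic_visit(node)

    def visit_Constant(self, node):
        # Rule 2: any string literal that looks like an AWS access key id,
        # wherever it appears (argument, dict value, default parameter ...).
        if isinstance(node.value, str) and AWS_ACCESS_KEY_RE.search(node.value):
            self.findings.append((node.lineno, "aws-access-key-id", node.value))

    def visit_Call(self, node):
        # Rule 3: subprocess.<anything>(..., shell=True).
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append((node.lineno, "subprocess-shell-true", func.attr))
        self.generic_visit(node)


def scan(source, filename="<memory>"):
    """Parse source (never executed) and return findings sorted by line."""
    visitor = SastVisitor()
    visitor.visit(ast.parse(source, filename))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for line, rule, detail in scan(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: {rule}: {detail}")
```

The limits of this toy are the limits of pattern-only SAST: a secret built from concatenation or an f-string, or a shell flag passed through a variable, is not caught, which is why production scanners add data-flow analysis across functions and files. It also shows why SAST findings need a line and a rule id: that is what a pipeline or Security Hub integration keys on to suppress, assign and track them.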