Introduction

What is Pyrae Policy Engine?

Pyrae Policy Engine (PPE) is a powerful tool designed to help organizations monitor and enforce compliance across their AWS accounts. It is a business rules engine that evaluates your policies against cloud resources, providing valuable insights and ensuring that best practices are followed.

How does it work?

To use Pyrae Policy Engine, an organization grants access to its AWS account during onboarding and links the account to a Pyrae Organization. Once this is done, PPE receives CloudTrail events for the account's activity, so any configuration change reaches PPE within 15 minutes.

From these events, PPE identifies which resources were modified and evaluates them against your organization's policies. CloudTrail events are emitted regardless of how a resource is modified (Console, CLI, CloudFormation, CDK, Terraform, Pulumi, etc.).

When PPE receives a notification that a resource has been modified, the first step is to identify the owner of that resource within the organization. The standard owner identification strategy is based on resource tags, or on calling a custom Lambda function. To get maximum value from PPE, organizations need to track ownership on a per-resource basis, which can be a large undertaking if your organization doesn't currently do so.

A policy consists of several components: an observer, a set of observer matching rules, and a policy expression.

Observers are Lambda functions that return the state of the actual resource, rather than a static definition such as IaC. Generally, the Lambda performs an AWS API request, but any valid Lambda code that returns a JSON object can be used. The Lambda's output is then evaluated against the policy expression to determine whether there are any policy violations. Observers are not responsible for making judgements, only for collecting data. Observances are visible in the PPE UI.

Once a resource has been modified and its ownership has been identified, PPE evaluates all policies that apply to that resource. Each policy contains a policy expression, which is the rule that's evaluated against the new Observance. If a resource isn't compliant with a policy, a violation is generated.

Teams can choose which policies to adopt as policies are not enabled by default. Policies can also be inherited when a parent team adopts a policy, such as when a VP decides that a certain policy should apply to their entire business unit.

A policy can produce many violations; each violation is a record that tracks compliance for a specific resource. Violations, along with their history, are available in the PPE UI. Every built-in policy has documented use cases, onboarding, and resolution steps, making it easy to understand and resolve any violations that occur.

Integrations are also triggered for each emitted violation, with support for sending notifications to a variety of third-party tools, such as Slack, Email, OpsGenie, and SNS. If a team identifies that a violation should not apply to a specific resource, they may mark it as By Design, which suppresses only the integration. Marking by design may require an approval process.
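As an added illustration of the flow described above (this is not Pyrae's code or API; every function, field and sample value here is hypothetical and constructed), the following Python model walks a CloudTrail-style event through owner identification, an observer, a policy expression, and the resulting violation record with its By Design flag:

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed CloudTrail-style event for an S3 public-access configuration change.
SAMPLE_EVENT = {"eventName": "PutBucketPublicAccessBlock", "requestParameters": {"bucketName": "example-logs-bucket"}}
# Constructed tags, standing in for the resource tags PPE reads to find an owner.
SAMPLE_TAGS = {"example-logs-bucket": {"owner": "platform-team"}}
# Constructed live state, standing in for what an observer lambda's API call returns.
SAMPLE_STATE = {"example-logs-bucket": {"BlockPublicAcls": False, "RestrictPublicBuckets": True}}


def identify_owner(resource: str, tags: dict, fallback: Optional[Callable[[str], Optional[str]]] = None) -> str:
    """Tag-based owner lookup; a custom-lambda-style fallback runs only if no tag matches."""
    owner = tags.get(resource, {}).get("owner")
    if owner is None and fallback is not None:
        owner = fallback(resource)
    return owner or "unowned"


def observe_public_access(resource: str) -> dict:
    """Hypothetical observer: reports the resource's actual state and makes no judgement."""
    return dict(SAMPLE_STATE[resource])


def all_public_access_blocked(observance: dict) -> bool:
    """Policy expression: a predicate over the observance, True when compliant."""
    return all(observance.get(k) is True for k in ("BlockPublicAcls", "RestrictPublicBuckets"))


@dataclass
class Violation:
    """Record tracking non-compliance of one resource against one policy."""
    resource: str
    owner: str
    policy: str
    observance: dict
    by_design: bool = False  # set by the owning team; suppresses integrations only


def evaluate(event: dict, tags: dict, observer: Callable[[str], dict], policy: str, expression: Callable[[dict], bool]) -> Optional[Violation]:
    """Event -> resource -> owner -> observance -> policy expression -> violation (or None if compliant)."""
    resource = event["requestParameters"]["bucketName"]
    owner = identify_owner(resource, tags)
    observance = observer(resource)
    if expression(observance):
        return None
    return Violation(resource, owner, policy, observance)


def should_notify(violation: Violation) -> bool:
    """Integrations fire for every violation unless the team has marked it By Design."""
    return not violation.by_design
```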

Why use Pyrae Policy Engine?

Pyrae Policy Engine is an invaluable tool for organizations looking to ensure compliance across their AWS accounts. By monitoring and enforcing policies, it helps to minimize risk, prevent costly mistakes, and ensure that best practices are followed consistently. And because it is configured only through IaC, it provides a level of consistency and transparency that is difficult to achieve with other tools.