Cloudrail is a pioneer in advancing policy-as-code framework for IaC. It was the first to introduce graph theory into Infrastructure-as-Code security and introduced advancements in static code analysis so that organizations can predict what security issues would happen in deploying IaC into an existing cloud infrastructure. Cloudrail was built, from the ground up, to scale to enterprise-grade security analysis.

Managing security evaluations of infrastructure-as-code (IaC) files becomes increasingly difficult as a company grows. Many organizations only have a few engineers with cloud security expertise, and they could have tens of thousands of objects running in production at one time. There may be multiple projects happening at the same time, using the same set of Terraform files, or using separate sets of files targeting the same cloud environment and influencing each other. Reviewing all these files manually is time-consuming and can slow down delivery times. And if something is missed, the consequences can be costly. Research commissioned by IBM revealed the average cost of a data breach in 2020 was nearly $4 million.

While there are other solutions that work in conjunction with your infrastructure automation tools to identify security issues early in the development cycle, they are mostly reactive and limited in scope. They only analyze files in the “build state” and are unable to see how issues will affect existing cloud environments. This allows many security issues to go undetected. These solutions also lack an understanding of the relationships between resources, which leads to many false positives. Cloudrail analyzes infrastructure-as-code files together with the cloud environments they are targeting. Because it is capable of executing complicated rules and understanding the relationships between resources (their “context”), it proactively identifies the most critical issues without excess “noise.” 

Cloudrail maintains a graph database that tracks resource relations within the context of the network, compute, storage and IAM space. This allows it to see how one cloud resource has access to another. It can answer simple, yet convoluted questions, such as determining what makes any resource exposed to the public before the customer deploys a project in a particular configuration. 

Indeni’s team of cloud security experts regularly update the context engine to analyze additional risk patterns.

Application security testing (AST) is the process of making applications more resistant to security threats, by identifying security weaknesses and vulnerabilities in application source code. AST is security testing for application code, think of Cloudrail as security testing for infrastructure-as-code. IaC security testing is the process of making your infrastructure secure by identifying security violations before the infrastructure is deployed.

Please see our pricing page. 

There are several ways to try Cloudrail. First, you can see how Cloudrail works before you apply it to your own files. Simply go to https://web.cloudrail.app/signup to see it in action. 

When you’re ready to try it for yourself, go to the AWS Marketplace and try it for free with no obligation under the Flex plan. This gives you 30 free evaluations with no minimum commitment. 

Cloudrail provides guardrails to your developers early in the development cycle so they can stay agile without inadvertently compromising security. Cloudrail can detect a misconfiguration or policy violation in an automated fashion. It can be integrated into your CI/CD pipeline to prevent security issues from making into your cloud environment or alert your developer to the issue that needs remediation actions before it is too late. The security shift left approach is good for reducing not only cyber risk but also cost.

Cloudrail runs evaluations using a CLI tool. Depending on your IaC language of choice, the instructions are different. For example, with Terraform, you can pass the directory where the main.tf file is. You can also pass the plan file instead if that is preferred. 

Cloudrail will list the violations it finds, with a detailed explantation of how it concluded these violations exist. You can run Cloudrail locally in your machine or you can integrate Cloudrail with your CI/CD process (a container is provided).

You will need to create an IAM role in your account in order for Cloudrail to be able to use STS assume role to get temporary read access to your account. We require view only and security audit access. For more information, visit this page.

Unlike other tools, we perform context-aware analysis to understand the relationships among resources in your live environment. This is key to eliminating false positives and finding potential exposures caused by resources already in the cloud environment (not referenced by the plan).

The container we provide takes the plan file and reduces it to the minimum amount of information needed by Cloudrail to conduct our context-based analysis. The reduced content does not include passwords, certificates, and other sensitive items.

You can review the reduced content before it is uploaded to the Cloudrail Service for analysis.

Cloudrail is SOC2 certified. We follow the criteria for managing your data based on three “trust service principles” – security, availability and confidentiality.

Not yet. Cloudrail is currently offered as a SaaS. In future releases, we will be adding support for running Cloudrail in your local environment.