OPEN TALK: Let’s Play Tag: DevSecOps Edition! Automated IaC Resource Tagging Strategy for Security Policy Enrichment


Steve Giguere
Bridgecrew, Developer Advocate

Steve is a Developer Advocate with Bridgecrew by Prisma Cloud specialising in cloud and infrastructure security automation. Steve started his cybersecurity life by being kicked out of his high school computing class for privilege escalation on the school Linux system and changing all passwords to "peaches" (his friend's dog's name). But that was a long time ago. Since then he has worked as a Solution Architect for StackRox and Aqua Security, specialising in container and Kubernetes security, and has spent time with Synopsys establishing DevSecOps best practices for enterprise CI/CD pipelines.


Through GitOps practices, automated security checks, and strategic tagging automation for Infrastructure as Code (IaC), we can begin to build pre-flight and runtime policy-as-code that catches misconfigured and insecure resource definitions before they are deployed. When resource misconfiguration or drift is discovered at runtime, a consistent tagging strategy allows each resource to be traced back to the commit that defined it. That reveals the best place to fix it and who authored it, vastly reducing MTTR. To show how this all works, we'll use a combination of open source solutions: Checkov (IaC policy and scanning) and Yor (IaC tag and trace).
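The following is an added illustration of the tagging strategy the abstract describes, written for this page; it is not Yor's or Checkov's own code. It injects commit-trace tags into Terraform resource blocks at pre-flight time and, given the tags read back from a deployed resource, resolves the file, commit and author to contact. The tag names (`yor_trace`, `git_*`), the sample HCL and the git metadata are assumptions or constructed inputs; in a real pipeline the metadata would come from `git log`/`git blame` for the file.

```python
"""Commit-trace tagging for Terraform IaC (added example, not Yor's implementation).

Tag names, the sample HCL and the git metadata below are assumed/constructed.
"""
import hashlib
import re
from typing import Dict, Optional

# Constructed input: a minimal Terraform file with one untagged S3 bucket.
SAMPLE_TF = '''resource "aws_s3_bucket" "logs" {
  bucket = "example-audit-logs"
}
'''

# Constructed git metadata; a pipeline would obtain this from git for the file.
GIT_META = {
    "repo": "example-org/infra",
    "file": "s3.tf",
    "commit": "a1b2c3d4e5f6a7b8",  # placeholder, not a real commit id
    "author": "alice@example.com",
}

RESOURCE_RE = re.compile(r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')


def trace_id(repo: str, file: str, address: str) -> str:
    """Deterministic id for one resource definition; stable across commits."""
    return hashlib.sha256(f"{repo}:{file}:{address}".encode()).hexdigest()[:16]


def build_tags(meta: Dict[str, str], address: str) -> Dict[str, str]:
    """Trace tags a pre-flight step attaches to every taggable resource (assumed names)."""
    return {
        "yor_trace": trace_id(meta["repo"], meta["file"], address),
        "git_repo": meta["repo"],
        "git_file": meta["file"],
        "git_commit": meta["commit"],
        "git_last_modified_by": meta["author"],
    }


def block_end(hcl: str, open_idx: int) -> int:
    """Return the index of the brace closing the block opened at open_idx."""
    depth = 0
    for i in range(open_idx, len(hcl)):
        if hcl[i] == "{":
            depth += 1
        elif hcl[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in HCL input")


def tag_terraform(hcl: str, meta: Dict[str, str]) -> str:
    """Inject a tags block into each resource that does not already carry one.

    Existing hand-set tags are left untouched, so the pass is idempotent.
    """
    out, pos = [], 0
    for m in RESOURCE_RE.finditer(hcl):
        open_idx = m.end() - 1
        body = hcl[open_idx + 1:block_end(hcl, open_idx)]
        out.append(hcl[pos:m.end()])
        if not re.search(r"^\s*tags\s*=", body, re.M):
            address = f'{m.group("type")}.{m.group("name")}'
            tag_lines = "\n".join(
                f'    {k} = "{v}"' for k, v in build_tags(meta, address).items()
            )
            out.append(f"\n  tags = {{\n{tag_lines}\n  }}")
        pos = m.end()
    out.append(hcl[pos:])
    return "".join(out)


def trace_runtime_resource(tags: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map tags read from a deployed resource back to the fix location and owner.

    Returns None when the trace tags are missing, which flags a resource that
    was created or modified outside the IaC pipeline (drift).
    """
    needed = ("git_repo", "git_file", "git_commit", "git_last_modified_by")
    if not all(k in tags for k in needed):
        return None
    return {
        "fix_location": f'{tags["git_repo"]}/{tags["git_file"]}',
        "commit": tags["git_commit"],
        "owner": tags["git_last_modified_by"],
    }


if __name__ == "__main__":
    tagged = tag_terraform(SAMPLE_TF, GIT_META)
    print(tagged)
    print(trace_runtime_resource(build_tags(GIT_META, "aws_s3_bucket.logs")))
```

A runtime policy that finds a misconfigured bucket reads its tags, calls `trace_runtime_resource`, and routes the finding to the file and author it returns; a resource that comes back `None` has no IaC origin and is itself a drift finding.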