
Cloud-native security for developers with Fix

Automate routine tasks by integrating security data into developer workflows and reduce alert fatigue from traditional CSPM tools.

The existing paradigm for cloud security posture management (CSPM) often assumes a separation of concerns: security detects misconfigurations, and engineering remediates them.

CSPM tools typically capture and present security data optimized for discovery and alerting rather than for remediation. This disconnect produces a stream of findings, many of them false positives, that causes alert fatigue for developers, and it leaves security teams with routine chores: watching dashboards and working out how to filter the data and hand it to DevOps teams in a form they can act on.

Fix is a CSPM tool that addresses this disconnect. With Fix, you can effortlessly track your entire cloud’s compliance posture. It automates the collection of audit evidence and identifies misconfigurations. With support for industry-standard compliance frameworks like the AWS Well-Architected Framework Security Pillar and CIS AWS Benchmark, Fix allows developers and security engineers to detect misconfigurations and prevent security issues.

Fix is also for infrastructure and DevOps engineers. Even if a central security team exists, these engineers may need specific tools. With Fix, they can automate their cloud security tasks using the data Fix collects, all within their current toolchain.

Cloud security as a graph

Looking at a misconfigured cloud resource in isolation isn’t very useful, as it lacks the context of how a resource connects with the rest of the infrastructure. That’s why Fix offers a neighborhood view, where a resource is shown in the context of the resources it’s connected to.

A graph is the simplest way to understand how one entity in a cloud environment interacts with another. Fix scans your cloud stack without agents and stores a graph of the relevant security metadata in the Fix backend. By representing cloud assets as graph nodes and their relationships as edges, we can gain a better understanding of nested connections and identify the most critical risks.

Fix neighborhood view of an Amazon RDS Instance

Fix builds the overall graph and the neighborhood view for each cloud resource on top of a baseline inventory that it refreshes with an hourly snapshot. Instead of reverse-engineering relationships by examining flow logs or API calls, Fix does the heavy lifting upfront and creates a model for each supported resource.

Fix’s resource models are open source and explicitly define the list of possible edges to ancestors and descendants alike. At the time of collection, when the snapshot is taken, Fix creates these edges for the resources actually found in the inventory.

Fix also collects, stores, and indexes configuration data for each resource following a strictly typed model. This metadata is available for every resource and includes any detected security issues. Fix also keeps a history of each resource, so you can see when and how it changed and when a new security issue first appeared.

Fix uses a single graph for your entire cloud. The power of a single graph is that it allows you to explore many-to-many relationships in a very straightforward way.

In combination with resource metadata, Fix becomes even more powerful. You can search for a resource based on its properties as well as the properties of other resources. This means you can use Fix to discover exposure chains like cross-account or lateral movement paths that lead to high-value resources such as admin identities or data stores. It can reveal the escalation paths across any user or account.

Foundational governance and compliance assessment

While every security team attempts to establish guardrails, developers often have considerable freedom to create and modify resources, leading to unintended consequences. Misconfigurations can arise from default settings, frequent deployments, or even manual changes.

Fix’s out-of-the-box security posture dashboards display an overall security score for your clouds, show the number of tracked resources in your cloud environment, and summarize detected compliance violations and improvements.

Fix's preconfigured security dashboard listing security risks and improvements

CSPM tools evaluate risk by comparing cloud configurations against security and compliance benchmarks. Typically, every business needs to assess their compliance against two sets of benchmarks: standard regulatory frameworks and internally developed custom policies.

Fix employs a matrix to verify each cloud account and its resources for compliance with a specific benchmark. We support the CIS AWS Benchmark and AWS Well-Architected Framework Security Pillar. More support for industry benchmarks and compliance standards is on the way.

Risk matrix between cloud accounts and compliance frameworks

Checks are essentially tests: each one queries resource metadata for a specific configuration, and the result of the query determines whether the resource passes or fails. For example, AWS recommends enabling flow logs in your VPCs as a security best practice. Fix runs this check automatically as part of its benchmark for the AWS Well-Architected Framework Security Pillar.

Fix also has a search bar where you can manually run any check with a custom query. The following query finds all AWS VPCs where flow logs are deactivated:

is(aws_vpc) with(empty, --> is(aws_ec2_flow_log))

  • First, it finds all resources of the kind aws_vpc, no matter in which account or region they may run.

  • Then, it filters for the VPCs without a direct relationship (successor) to an aws_ec2_flow_log resource.

It’s a simple one-line statement—much shorter than, say, a SQL query.
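To make the graph model and the flow-log check concrete, here is an added Python example. It is not Fix's code or query engine; it builds a small constructed inventory as a directed graph and runs two kinds of query over it: the "kind X with no successor of kind Y" pattern behind is(aws_vpc) with(empty, --> is(aws_ec2_flow_log)), generalized so the same function also finds load balancers with no back-end instances (the case the inventory section mentions later), and a breadth-first search for exposure chains from publicly reachable instances to an admin role, the kind of path the many-to-many search above describes. Every resource id, every kind other than aws_vpc and aws_ec2_flow_log, and all properties and edges are constructed for the example and do not reflect Fix's actual resource models.

```python
"""Added example: a toy graph of cloud resources and two graph queries.
Not Fix's code or query engine; all resource ids, kinds other than
aws_vpc / aws_ec2_flow_log, properties and edges are constructed."""
from collections import deque
from typing import Callable, Dict, List

Node = Dict[str, object]

# Constructed sample inventory: resource id -> properties.
NODES: Dict[str, Node] = {
    "vpc-a":      {"kind": "aws_vpc", "account": "111111111111"},
    "vpc-b":      {"kind": "aws_vpc", "account": "222222222222"},
    "fl-1":       {"kind": "aws_ec2_flow_log", "account": "111111111111"},
    "elb-1":      {"kind": "aws_elb", "account": "111111111111"},
    "elb-2":      {"kind": "aws_elb", "account": "222222222222"},
    "i-1":        {"kind": "aws_ec2_instance", "public_ip": True},
    "i-2":        {"kind": "aws_ec2_instance", "public_ip": False},
    "role-app":   {"kind": "aws_iam_role", "admin": False},
    "role-admin": {"kind": "aws_iam_role", "admin": True},
}

# Directed edges parent -> child; the child is the parent's "successor".
EDGES = [
    ("vpc-a", "fl-1"),                          # vpc-a has a flow log, vpc-b does not
    ("vpc-a", "i-1"), ("vpc-b", "i-2"),
    ("elb-1", "i-1"),                           # elb-2 has no back-end instance
    ("i-1", "role-app"), ("i-2", "role-app"),   # instance profile role (constructed)
    ("role-app", "role-admin"),                 # role-app can assume role-admin (constructed)
]

SUCCESSORS: Dict[str, List[str]] = {n: [] for n in NODES}
for _src, _dst in EDGES:
    SUCCESSORS[_src].append(_dst)


def is_kind(node_id: str, kind: str) -> bool:
    return NODES[node_id]["kind"] == kind


def without_successor(kind: str, missing_kind: str) -> List[str]:
    """Resources of `kind` with no direct successor of `missing_kind`.

    This is the shape of the article's search
        is(aws_vpc) with(empty, --> is(aws_ec2_flow_log))
    with both kinds as parameters, so the same function also finds
    load balancers that have no back-end instance.
    """
    return sorted(
        n for n in NODES
        if is_kind(n, kind)
        and not any(is_kind(s, missing_kind) for s in SUCCESSORS[n])
    )


def exposure_paths(start: Callable[[Node], bool],
                   target: Callable[[Node], bool],
                   max_depth: int = 6) -> List[List[str]]:
    """Breadth-first search along successor edges from every node matching
    `start`; returns each simple path that ends at a node matching `target`.
    Properties of the start and end nodes are combined in one query, which is
    the "search on the properties of other resources" idea from the article."""
    paths: List[List[str]] = []
    for s in NODES:
        if not start(NODES[s]):
            continue
        queue = deque([[s]])
        while queue:
            path = queue.popleft()
            here = path[-1]
            if here != s and target(NODES[here]):
                paths.append(path)
                continue                      # stop at the first target hit
            if len(path) >= max_depth:
                continue
            for nxt in SUCCESSORS[here]:
                if nxt not in path:           # simple paths only, no cycles
                    queue.append(path + [nxt])
    return paths


if __name__ == "__main__":
    print("VPCs without flow logs:", without_successor("aws_vpc", "aws_ec2_flow_log"))
    print("Load balancers without back-ends:", without_successor("aws_elb", "aws_ec2_instance"))
    print("Public instance -> admin role:",
          exposure_paths(lambda n: n.get("public_ip") is True,
                         lambda n: n.get("admin") is True))
```

The point of the second query is that neither the instance nor the admin role is misconfigured on its own; the finding only exists because of the edges between them, which is what a per-resource checklist cannot see.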

Leverage the graph with Fix search

We’ve found that companies and developers like the ability to run custom checks and define custom policies. This is why we developed a search syntax for Fix. It’s a domain-specific language that leverages the power of the graph, but without the complexity of traditional graph query languages like Cypher. With the Fix search syntax, you can define any type of policy and include them in your compliance checks.

Uncover what is really deployed in your cloud

Some CSPM tools only offer visibility and risk analysis for the most popular cloud services, such as compute instances, storage buckets, and databases. However, AWS alone offers over 200 different services. Developers may begin testing or using any of these services without security knowledge. This introduces new risks as it is difficult for security to detect or review the posture of these services, leading to potential blind spots.

That’s why Fix provides coverage for over 200 AWS services, all of which are part of our data models. This broad coverage helps Fix users see their entire cloud infrastructure. Fix shows exactly in which account and region a particular service runs, including any resources that shouldn’t be running, providing better insight and security.

You can either search “top-down” using drop-down filters or build more complex searches “bottom-up” with the Fix search syntax. To help get started, we offer a set of example searches.

Fix offers preconfigured searches for your inventory

Security teams also need the ability to control and govern cloud service usage. Fix has the ability to discover all deployed resources and understand their usage. For example, identifying abandoned or unused resources such as load balancers with no back-ends or compute instances with low utilization helps both security and the FinOps team.

Another use case for the inventory is to export data directly (e.g., in CSV format). Some engineering teams just want the raw data. Every search in Fix has a download button that downloads a local copy which you can upload to Google Sheets or Excel. A popular use case is to build a simple EC2 asset inventory with information on the instance type, age, and other metadata such as tags.

CSV-format inventory data export from Fix

Automating developer workflows

In Fix, security teams can define policies for permitted services and set up alerting or automation for when a non-approved service appears. One Fix user is a “Lambda-only” shop and has set up alerts that fire when Fix detects an EC2 instance in their inventory.

Fix integrates with popular chat, alerting, and ticketing tools, including email, Discord, Slack, Teams, PagerDuty, and OpsGenie. To enable developer workflows, we also ship Fix with a command-line interface, fixctl.

The CLI allows you to explore the graph and find resources of interest in the same way as in the SaaS app, and format the output for use in a third-party script or system.
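The drift-based alerting described in this section (an alert when a non-approved service shows up, built on the hourly snapshots that also give each resource its history) can be illustrated with an added Python example that is not part of Fix and does not use Fix's data format. It diffs two constructed snapshots field by field, evaluates a small set of checks against each snapshot, and reports only the findings that are new since the previous snapshot, so a long-standing misconfiguration does not page someone again every hour. The snapshot contents, the publicly_accessible property, the check names and the approved-kind allowlist are all assumptions made for the example.

```python
"""Added example: diff two hourly inventory snapshots and report only the
findings that are new since the previous one. Not Fix's code or data format;
all resources, properties, checks and the allowlist are constructed."""
from typing import Callable, Dict, List, Set, Tuple

Resource = Dict[str, object]
Snapshot = Dict[str, Resource]
Finding = Tuple[str, str]            # (resource id, check name)

# Two constructed snapshots, one hour apart, keyed by resource id.
SNAPSHOT_T0: Snapshot = {
    "fn-api": {"kind": "aws_lambda_function", "account": "111111111111"},
    "db-1":   {"kind": "aws_rds_instance", "account": "111111111111",
               "publicly_accessible": False},
}
SNAPSHOT_T1: Snapshot = {
    "fn-api": {"kind": "aws_lambda_function", "account": "111111111111"},
    "db-1":   {"kind": "aws_rds_instance", "account": "111111111111",
               "publicly_accessible": True},                          # flipped since T0
    "i-0abc": {"kind": "aws_ec2_instance", "account": "111111111111"},  # new since T0
}

# Allowlist for a "Lambda-only" account; anything else is a policy violation.
APPROVED_KINDS: Set[str] = {"aws_lambda_function", "aws_rds_instance"}

# Each check returns True when the resource FAILS it.
CHECKS: Dict[str, Callable[[Resource], bool]] = {
    "rds_publicly_accessible": lambda r: (
        r["kind"] == "aws_rds_instance" and bool(r.get("publicly_accessible"))),
    "kind_not_approved": lambda r: r["kind"] not in APPROVED_KINDS,
}


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, object]:
    """Added, removed and field-level changed resources between two snapshots."""
    changed: Dict[str, Dict[str, Tuple[object, object]]] = {}
    for rid in sorted(before.keys() & after.keys()):
        fields = set(before[rid]) | set(after[rid])
        delta = {f: (before[rid].get(f), after[rid].get(f))
                 for f in sorted(fields)
                 if before[rid].get(f) != after[rid].get(f)}
        if delta:
            changed[rid] = delta
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": changed,
    }


def findings(snapshot: Snapshot) -> Set[Finding]:
    """Every (resource, check) pair that fails in a snapshot."""
    return {(rid, name)
            for rid, res in snapshot.items()
            for name, failed in CHECKS.items()
            if failed(res)}


def new_findings(before: Snapshot, after: Snapshot) -> List[Finding]:
    """Findings present now but not an hour ago: the only ones worth paging on.
    A misconfiguration that already existed at T0 is not re-reported."""
    return sorted(findings(after) - findings(before))


if __name__ == "__main__":
    print(diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1))
    for rid, check in new_findings(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"NEW FINDING {check} on {rid} ({SNAPSHOT_T1[rid]['kind']})")
```

Feeding new_findings to a chat or paging integration, rather than the full findings set, is the difference between a notification a developer reads and one they mute.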

What makes Fix different?

There are many other agentless CSPM tools out there. So what is it that makes Fix different? We think there are five unique aspects of Fix that combined make the difference:

  • Built to integrate with developer workflows. It’s easy to get security data out of Fix directly through download, via our integrations, or with our CLI.

  • Graph-based. Most CSPM tools still operate with a relational datastore, and do not capture the cross-resource relationships the way Fix does in a graph.

  • Asset history and diff with hourly snapshots. Fix takes a snapshot every hour, creating a granular history of each resource.

  • Self-service with freemium pricing model. Fix is free for a single cloud account, and signup is self-service—no need to talk to a sales rep.

  • Built on open source. Fix is built on our open-source project Fix Inventory. Anyone can deploy and self-host Fix Inventory to make use of a growing library of policy checks.

Start with CSPM today

CSPM expands the scope of your security operations and makes it easy to keep up with a rapidly evolving compliance landscape.

Begin securing your cloud infrastructure today with Fix. Start your 14-day free trial and discover how easy it is to manage your cloud’s security posture. Continue for free on a single cloud account and take the first step towards cloud compliance and security.