CASE STUDY

Securing new and existing infrastructure with cloud-native policies

HIGHLIGHTS

Eliminated

CSPM misconfiguration backlog

Faster

Terraform creation and deployment

About Streaming Co.

Streaming Co. is a Fortune 1000 media streaming company that operates a hardware and software platform delivering video and other content to millions of people every day.

Challenge

Streaming Co.'s security team found it difficult to keep pace with the rising number of security issues identified by Wiz, and developers weren't always using the existing security templates effectively.

Outcome

With Resourcely, Streaming Co. improved their compliance and governance stance, conquered their backlog of CSPM findings, and helped developers ship infrastructure faster.

Customer Overview

A Fortune 1000 video streaming company, referred to here as “Streaming Co.”, faced increasing challenges in managing cloud security and compliance across its diverse, multi-cloud infrastructure. The company's environment spans Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure, and it was actively migrating significant workloads from AWS to GCP. With a large engineering team and a strong commitment to developer empowerment, Streaming Co. sought a way to balance agility with robust security controls across all cloud environments.

The Challenge

Streaming Co.'s security team was grappling with several key challenges:

  • Multi-Cloud Complexity: Managing security policies consistently across AWS, Azure, and GCP was complex and time-consuming. Developers were struggling with the security and configuration differences between the three platforms.
  • Cloud Migration Security: The active migration of workloads from AWS to GCP introduced further complexity and incremental work.
  • Inconsistent Template Usage: Developers weren't consistently adopting the secure-by-default templates provided in Backstage, leading to configuration inconsistencies.
  • Escalating Security Issues: The number of security findings flagged by Wiz was continuously increasing, with no practical way to remediate them quickly.
  • Balancing Agility and Security: Developers needed to stay productive while the company ensured compliance with security best practices across all cloud environments.

Why Not Backstage?

Streaming Co. initially adopted Backstage to create cloud infrastructure templates because it is open source. However, they soon ran into several challenges with Backstage:

  • No policies: Backstage doesn’t have a native policy framework, and Streaming Co. was relying on hand-written Rego policies that took too long to build and update.
  • Management burden: Backstage is an open source tool that required Streaming Co. to manage it as an application.
  • Limited integration with the infrastructure ecosystem: Streaming Co. uses Terraform to manage their cloud infrastructure, but Backstage didn't provide auto-populating fields, type awareness, or an IDE for developing templates and policies.
  • Lack of modularity caused excess work: Backstage doesn’t support linking templates together, resulting in maintaining many versions of a single template.

The Solution

Streaming Co. partnered with Resourcely to implement a secure-by-default approach to cloud resource provisioning across its multi-cloud infrastructure. Resourcely offered a solution that addressed Streaming Co.'s challenges by:

  • Multi-Cloud Support: Providing consistent security policies and blueprints natively integrated into AWS, Azure, and GCP.
  • Blueprints: Offering pre-defined, secure templates for common infrastructure components, such as virtual machines and storage buckets, across all cloud environments. These blueprints incorporated security best practices, such as disabling SSH ports and enforcing tagging policies.
  • Guardrails: Implementing automated policy enforcement to prevent misconfigurations and ensure ongoing compliance. Guardrails were designed to be customizable and adaptable to Streaming Co.'s specific security requirements in each cloud environment.
  • Campaigns: Resourcely campaigns scanned existing Terraform for things like outdated module and provider versions, assisting in the upgrade and migration process.
  • GitLab Integration: Integrating with Streaming Co.'s existing GitLab environment, Resourcely enabled automated security checks within the CI/CD pipeline.

Policies implemented

Requiring GCP Resource Labels

This policy requires any Google resource (see the WHEN google* statement) to carry a labels block that satisfies two requirements (the exact patterns are redacted below):

  • A department label matching a particular pattern
  • A spend_category label matching a particular pattern

Because the guardrail ends with OVERRIDE WITH APPROVAL @security, a change that cannot meet the requirement is not blocked outright: it can still merge, but only after the security team approves the exception.

GUARDRAIL "GCP Mandatory Resource Labels"
  WHEN google*
    REQUIRE labels.department MATCHES REGEX "redacted"
    REQUIRE labels.spend_category MATCHES REGEX "redacted"
  OVERRIDE WITH APPROVAL @security

Disallowing Dangerous IAM Policies

This policy prevents AWS IAM policies (managed policies and inline role policies) from being created with a statement whose resource is the wildcard "*", limiting the scope of access granted to IAM users, groups, or roles. As with the labels guardrail, a wildcard can only ship with security team approval.

GUARDRAIL "[IAM] Disallow IAM policies with a wildcard resource public"
  WHEN aws_iam_policy OR aws_iam_role_policy
    REQUIRE NO policy.statement.resource = "*"
  OVERRIDE WITH APPROVAL @security

Allowing only A records for AWS Route53

This policy only allows A records for Route53 records whose name matches a given pattern; as the guardrail's name says, it targets zone apex records. A lot of DNS vulnerabilities stem from forgotten or mismanaged records, especially CNAME records pointing to deprovisioned services (such as GitHub Pages, Heroku, or AWS S3). These are classic subdomain takeover vectors.

If only A records are allowed for those names, it means:

  • You're pointing directly at IP addresses you control
  • No external dependency redirection
  • No dangling references to third-party services

One caveat: an A record can still dangle if the IP it points to is released (for example an Elastic IP that is later disassociated and reallocated to another account), so this guardrail narrows the takeover surface rather than removing it; record lifecycle still has to follow the lifecycle of the resource behind it.

GUARDRAIL "Route53 APEX records must be A records"
  WHEN aws_route53_record AND aws_route53_record.name MATCHES REGEX "redacted"
    REQUIRE type = "A"
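To make the three guardrails concrete, here is how the same logic looks as a plain pre-merge check. This is an added example, not Resourcely's code or its guardrail language: a Python script that reads `terraform show -json` plan output and reports the same three classes of violation. The department, spend_category and apex regexes are assumptions standing in for the redacted patterns, and the embedded sample plan is constructed for the example.

```python
"""Added example, not Resourcely's code or its guardrail language: the three
guardrails above re-implemented as a plain-Python check over `terraform show
-json <planfile>` output. The regexes are assumptions standing in for the
redacted ones."""
import json
import re
import sys

# Assumed patterns (the case study redacts the real ones). Route 53 reports
# names with a trailing dot; the apex pattern is "bare zone, no subdomain label".
DEPARTMENT_RE = re.compile(r"^(eng|media|finance)$")
SPEND_CATEGORY_RE = re.compile(r"^(compute|storage|network|other)$")
APEX_RE = re.compile(r"^[a-z0-9-]+\.[a-z]+\.?$")


def check_gcp_labels(rtype, after):
    """GCP Mandatory Resource Labels: every google_* resource needs
    department and spend_category labels matching the patterns above."""
    if not rtype.startswith("google_"):
        return []
    labels = after.get("labels") or {}
    out = []
    for key, pattern in (("department", DEPARTMENT_RE),
                         ("spend_category", SPEND_CATEGORY_RE)):
        value = labels.get(key)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            out.append(f"labels.{key} missing or does not match required pattern")
    return out


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_iam_wildcard_resource(rtype, after):
    """Disallow IAM policies with a wildcard resource: no statement in an
    aws_iam_policy / aws_iam_role_policy may use Resource "*". Terraform
    stores the policy document as a JSON string, so parse it first."""
    if rtype not in ("aws_iam_policy", "aws_iam_role_policy"):
        return []
    try:
        doc = json.loads(after.get("policy") or "{}")
    except json.JSONDecodeError:
        return ["policy attribute is not valid JSON"]
    return [f'Statement[{i}] uses Resource "*"'
            for i, stmt in enumerate(_as_list(doc.get("Statement", [])))
            if "*" in _as_list(stmt.get("Resource", []))]


def check_route53_apex_is_a(rtype, after):
    """Route53 APEX records must be A records: a record whose name matches the
    apex pattern must be type A (a CNAME there is a subdomain-takeover risk)."""
    if rtype != "aws_route53_record":
        return []
    name, dns_type = after.get("name", ""), after.get("type")
    if APEX_RE.fullmatch(name) and dns_type != "A":
        return [f"apex record {name} has type {dns_type}, expected A"]
    return []


CHECKS = (check_gcp_labels, check_iam_wildcard_resource, check_route53_apex_is_a)


def evaluate_plan(plan):
    """Return (address, message) findings for every planned resource; pure
    deletions (after is null in the plan) are skipped."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:
            continue
        for check in CHECKS:
            findings += [(rc["address"], m) for m in check(rc["type"], after)]
    return findings


# Constructed sample in the shape `terraform show -json` emits (trimmed).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "google_storage_bucket.media", "type": "google_storage_bucket",
     "change": {"after": {"name": "media-assets", "labels": {"department": "media"}}}},
    {"address": "aws_iam_policy.ci", "type": "aws_iam_policy",
     "change": {"after": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ci-artifacts/*"},
         {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})}}},
    {"address": "aws_route53_record.apex", "type": "aws_route53_record",
     "change": {"after": {"name": "example.com.", "type": "CNAME"}}},
    {"address": "aws_route53_record.docs", "type": "aws_route53_record",
     "change": {"after": {"name": "docs.example.com.", "type": "CNAME"}}},
    {"address": "aws_route53_record.old", "type": "aws_route53_record",
     "change": {"after": None}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = evaluate_plan(plan)
    for address, msg in findings:
        print(f"{address}: {msg}")
    sys.exit(1 if findings else 0)
```

Run it as `python check_plan.py plan.json` after `terraform show -json plan.out > plan.json`; with no argument it evaluates the built-in sample, which yields one finding per guardrail (missing spend_category label, a wildcard Resource in the second IAM statement, and a CNAME at the apex) and none for the non-apex CNAME or the deletion. The OVERRIDE WITH APPROVAL @security step is not modeled here; in a GitLab pipeline that would be a manual approval gate on the merge request rather than logic in the script.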

The Results

By implementing Resourcely, Streaming Co. realized significant improvements in its cloud security and compliance posture across its multi-cloud environment:

  • Simplified Cloud Migration: Resourcely provided the security consistency needed to simplify the transition from AWS to GCP, minimizing risk and ensuring continuous compliance.
  • Shifting Left Security: By providing secure-by-default templates and automated guardrails, Resourcely enabled Streaming Co. to shift security responsibilities earlier in the development lifecycle.
  • Improved Developer Experience: Resourcely streamlined the resource provisioning process, making it easier for developers to deploy secure infrastructure without needing deep security expertise across all cloud platforms.
  • Reduced Security Vulnerabilities: Proactive enforcement of security policies helped prevent misconfigurations and reduce the number of outstanding security issues.
  • Enhanced Visibility and Control: Resourcely provided insights into resource usage and compliance, enabling the security team to track adoption of secure templates and identify potential risks.

"Resourcely has been instrumental in helping us strike the right balance between developer empowerment and security across our multi-cloud environment. By automating security best practices and providing pre-approved templates, we've been able to accelerate development cycles while maintaining a strong security posture during our cloud migration."
Head of Trust Engineering

Why It Matters

Streaming Co.'s success story underscores the growing importance of consistent security and governance in multi-cloud environments. As organizations increasingly adopt a multi-cloud strategy to avoid vendor lock-in, optimize costs, and enhance resilience, the need for unified security controls becomes paramount. Resourcely enables organizations to:

  • Reduce Security Risks in Multi-Cloud Deployments: By providing a single platform for managing cloud infrastructure from policies to creation to remediation, Resourcely minimizes the risk of misconfigurations and vulnerabilities across diverse cloud environments.
  • Accelerate Cloud Migration: Resourcely simplifies the process of migrating workloads between cloud providers, ensuring consistent security and compliance throughout the transition.
  • Empower Developers with Secure-by-Default Infrastructure: Resourcely enables developers to deploy secure infrastructure without needing deep security expertise, fostering innovation while maintaining a strong security posture.
  • Improve Compliance and Auditability: Resourcely provides centralized visibility into resource usage and compliance, making it easier to meet regulatory requirements and pass audits.

Streaming Co.'s implementation of Resourcely showcases a modern approach to cloud security that aligns with the evolving needs of today's multi-cloud landscape.

Ready to streamline your cloud security, empower your developers, and simplify your cloud migration? See how Resourcely can help your organization achieve a secure-by-default approach across AWS, Azure, and GCP. Schedule a demo today!
