LogoLogo
  • Welcome to Firefly Documentation
  • Introduction
    • What is Firefly?
    • Who is Firefly for?
    • Why use Firefly?
    • Terminology (Glossary)
  • Key Features
    • Infrastructure-as-Code Automation
    • Cloud Asset Inventory
    • Drift Detection & Remediation
    • Policy-as-Code for Compliance & Governance
    • Cost Visibility & Optimization
    • AI Assistant
    • ChatOps Integration
  • Getting Started
    • Account Setup & Onboarding
    • Connecting Cloud Accounts
    • UI Walkthrough & Navigation
    • First Steps in Firefly
  • Detailed Guides
    • Dashboard Overview
    • Cloud Asset Inventory
      • Remediating Drifts
      • Deleting Assets
      • Creating IaC-Ignore Rules
      • Creating Exclude-Drift Rules
    • Policy & Governance
      • Creating Policy-as-Code Governance Rules
      • Remediating Policy Violations
    • Workflows & Guardrails
      • Creating Workflows
      • Creating Guardrail Rules
    • Codification
    • Self-Service
    • IaC Explorer
    • Event Center
    • Backup and Disaster Recovery
    • Notifications
    • User Management
    • SSO Configuration
  • Integrations
    • Integrations Overview
    • Integrating Data Sources
      • AWS
      • Azure
      • Google Cloud
      • Kubernetes
      • Akamai
      • Datadog
      • New Relic
      • Okta
      • GitHub
      • Cloudflare
      • NS1
      • PagerDuty
      • MongoDB Atlas
      • HashiCorp Vault
    • Integrating IaC Remote State
      • Terraform Cloud
      • Google Cloud Storage
      • env0
      • HashiCorp Consul
    • Integrating Version Control
      • GitHub
      • GitLab
      • Azure DevOps
      • CodeCommit
      • Bitbucket
    • Integrating Notifications
      • Slack
      • Microsoft Teams
      • PagerDuty
      • Opsgenie
      • Torq
      • Webex
      • Google Chat
      • Webhook
    • Integrating Project Management
      • Jira
      • ServiceNow
    • Integrating Workflows with CI/CD
    • Integrating Backstage
    • Integrating MCP
  • Use Cases & Best Practices
    • Cloud Governance & Visibility
    • Cost Optimization Strategies
    • Compliance and Security Best Practices
    • Infrastructure Automation & Self-Service
    • Best Practices and Implementation Tips
  • Analytics & Reporting
    • Analytics Dashboard Overview
    • Using Analytics for Improvement
    • Exporting and Sharing Reports
    • Analytics Security and Privacy
  • Code Snippets & Examples
    • Terraform Snippet for an AWS EC2 Instance (Codified via Firefly)
    • Example Rego Policy (OPA) for a Custom Rule
    • GitHub Actions Workflow YAML for Firefly Integration
    • JSON Output Example: Exporting Inventory
  • Troubleshooting & FAQs
    • Common Issues and Solutions
    • FAQs
  • General Information
    • Firefly API
      • Authentication
      • Inventory
      • Codification
      • Workflows
      • Self-Service
      • Policy & Governance
      • IaC Explorer
      • Event Center
      • Backup and Disaster Recovery
      • User Management
      • Notifications
      • Integrations
    • Security & Compliance
    • Pricing Tiers & Add-ons
    • Contacting Support
Powered by GitBook
On this page
  • Use Case: A fintech company must adhere to strict compliance standards (e.g., SOC2, GDPR, PCI). They have to ensure their cloud infrastructure meets security benchmarks and be audit-ready at all times. Firefly | Manage Your Cloud with Infrastructure-as-Code becomes their continuous compliance tool.
  • Continuous Compliance Monitoring
  • Audit Preparation
  • Security Incident Response
  • Disaster Recovery (DR) and Backup Verification
  • Granular Access Control
  • Summary

Was this helpful?

  1. Use Cases & Best Practices

Compliance and Security Best Practices

Use Case: A fintech company must adhere to strict compliance standards (e.g., SOC2, GDPR, PCI). They have to ensure their cloud infrastructure meets security benchmarks and be audit-ready at all times. Firefly | Manage Your Cloud with Infrastructure-as-Code becomes their continuous compliance tool.

Continuous Compliance Monitoring

Firefly's built-in policies are mapped against common frameworks like CIS benchmarks for AWS/Azure, etc. The company enables relevant policies (e.g., "MFA should be enabled on root accounts", "No public S3 buckets", "All volumes encrypted"). Firefly runs these checks 24/7.

Best Practice: Align Firefly policies with your required compliance controls. Go through your compliance checklist and make sure each item has a corresponding policy in Firefly. If not, create a custom policy. This way, Firefly will act as an automated auditor, flagging any drift from compliance immediately.

Audit Preparation

When it's time for an external audit, the team uses Firefly's reporting to their advantage. Instead of scrambling to gather evidence:

  • They show auditors the Firefly Dashboard and Governance page, demonstrating real-time compliance status (e.g., "All critical policies passing as of now, any violations are listed and tracked").

  • They export a list of all resources with encryption status, access configurations, etc., from Firefly Inventory, which takes minutes instead of days of manual checking.

  • Auditors are particularly impressed by the automation of policy enforcement: guardrails in pipelines mean non-compliant resources cannot even be deployed. This significantly reduces the scope of possible non-compliance.

Best Practice: Use Firefly's Export and Documentation features to generate audit artifacts. For example, export all open policy violations and how they were resolved, to show auditors your remediation process. Keep an archive (monthly export) of compliance status as evidence of continuous monitoring.

Security Incident Response

Suppose a security incident occurs (say a suspected leaked credential). With Firefly:

  • The team quickly queries Firefly Inventory for any resources created or accessed by that credential's IAM user. The Event Explorer shows exactly what actions were taken by that user. This speeds up incident analysis.

  • They also use Firefly to ensure no unintended changes were made elsewhere: e.g., search for any new "Allow all" security group rules in the last 1 hour — Firefly events would show if any such change happened.

Best Practice: Leverage Firefly in security drills. Run mock scenarios (like "what if an admin account is compromised?") and use Firefly to trace and contain. This both tests the tool and your team's proficiency with it. Because Firefly centralizes info, in a real incident it will be a go-to dashboard. Ensure your security team has access to and is trained on Firefly's searching and filtering capabilities.

Disaster Recovery (DR) and Backup Verification

Compliance often requires DR plans. Firefly's complete knowledge of your infrastructure can assist in DR planning:

  • They use the Relationships and Architecture diagrams to document how systems are interconnected, which is vital for DR. For instance, Firefly's relationship view for an application shows its load balancer, servers, databases, and dependent resources – essentially a blueprint that can be used to recreate the system elsewhere if needed.

  • Firefly's inventory highlights if backups are enabled (via policies like "RDS instance without backups" or "VM snapshot older than 7 days" as violations). The team sets those policies so any lapse in backups is immediately caught. This ensures DR readiness (all critical data is being backed up).

Best Practice: Include Firefly in DR tests. If you simulate losing a region, use Firefly's inventory from that region to enumerate everything that needs recreating in the DR region. You can even use Firefly's codify or existing IaC to spin them up. After the test, verify with Firefly that the DR environment matches the primary (in terms of resource count, configurations, etc.). Using Firefly as a reconciliation tool after a DR drill gives confidence nothing was missed.

Granular Access Control

The company has developers who need insight into infra, but for security, they shouldn't have broad cloud console access. They use Firefly's read-only platform as a safe window into prod. Developers can see resources and configurations in Firefly without needing direct credentials to cloud accounts (which reduces risk). With the viewer role in Firefly, they cannot change anything, but they can get information to debug or plan changes. This satisfies the principle of least privilege.

Best Practice: If you have strict separation of duties, use Firefly's role-based access (Admin vs Viewer) and perhaps set up separate organizations or API keys for different teams. While Firefly doesn't yet do fine-grained RBAC per resource, limiting who can trigger codify or deletion actions in Firefly and who can just view data helps adhere to compliance (e.g., only CloudOps team has Firefly Admin rights to execute changes; all other teams are viewers who can propose changes via code PRs).

Summary

Overall, Firefly ensures that security is not a periodic concern but a continuous one. By baking compliance checks into daily operations (through guardrails and ongoing scans), the company dramatically reduces the likelihood of a surprise during audits or a serious security misconfiguration going unnoticed.

PreviousCost Optimization StrategiesNextInfrastructure Automation & Self-Service

Last updated 10 days ago

Was this helpful?