Blog Post

<- Back

Finally – Your cloud, your standards, at build and runtime.

Michael Schwartz
June 6, 2022

Lightlytics releases its newest feature, Architectural Standards.

Lightlytics enables cloud operation teams to incorporate their tribal knowledge into our system in the form of predefined and custom rules to ensure the collective experience of the team is taken into consideration for any configuration change at any time. Additionally, Lightlytics provides predefined guardrails for security, availability, and cost management right out of the box.


These rules will be applied and enforced after the initial connection of the AWS account into our system, and will show the violations throughout the entire pipeline -
Starting from the moment a change is planned (Discovery) through the pull request phase (Simulation) to the real-time events change log (Events).


In today’s landscape, There are many IaC analysis tools that cover the build, and cloud scanners (CSPMs) that cover the runtime.

However, there is one crucial part missing in all of them: Context.



DevOps are required to analyze who made the change, the impact radius and the actual severity of the alert. This becomes extremely difficult and time-consuming as the organization grows and expands its infrastructure. If a fix is needed, it is necessary to consider what will happen to all the related resources that utilize the problematic resource, which is a difficult task by itself.

Lightlytics delivers context in a simple and efficient manner -

Due to the fact that Lightlytics integrates into your existing pipeline, DevOps engineers can now understand how a certain change will impact existing infrastructure while examining violations according to the predefined and custom rules that are configured in the system. Combining these capabilities with Lightlytics Events, DevOps engineers can perform Root Cause Analysis completely by themselves in a short period of time.
This ability can save a lot of time handling internal cycles within the DevOps departments - an infrastructure change might lead to issues in multiple vectors, such as Security, Cost, Availability and others. Today, in case of an issue, a ticket is opened by the relevant team to the DevOps team, which made the infra change originally.


Lightlytics allows DevOps engineers to avoid these various misconfigurations before they become actual issues and eliminates the time consuming internal process between the various departments.
In addition, the fact that these rules are constantly being enforced, Infrastructure engineers can delegate more responsibilities and abilities to other teams like developers, so they can create, modify and destroy infrastructure with confidence.

Lightlytics introduces a new and efficient method to increase confidence and reduce time while keeping your organization’s architectural standards enforced:

  • Context - always be aware of the impact radius of the change, meaning which actual resources were affected by a certain change, and who made the change.
  • All-around coverage - Enforced both in build and run-time
  • Flexibility - Has the ability to define both resource-based rules and connection/path-based rules, in addition to using Tags, Attributes, Locations, Labels and even Ports as part of the rule’s configuration
  • Reliability - Eliminates false positive alerts
  • Precaution mechanism - Automatically fail a Pull request containing code that violates your business logic
  • Effectiveness - Handle and avoid Security and Availability risks before they become actual issues
  • Coverage - Define and enforce rules across accounts, regions and availability zones in aspects of Security, Permissions and Networking


Lightlytics Architecture standards - Enforce misconfigurations, availability and security violations

Out-of-the-box, Lightlytics provides best-practice policy rules that are enforced both in the Terraform simulation phase and in real-time.

cloud best practices

In the Simulation (Pull request) phase, Lightlytics will inspect the Terraform’s code proposed change and will alert when a violation is detected according to the existing rules in the system.
In addition, if a violation was detected in the Simulation phase, Lightlytics has the ability to automatically fail the Pull request and alert accordingly.


In real-time, after deploying the code or even creating/modifying something via the AWS UI, Lightlytics will inspect the actual CloudTrail events and alert if a violation was detected.
Lightlytics is also capable of sending notifications to Slack/ Email/ any other 3rd party tool in case of a violation.

Here are some examples that can be picked up before/after deploying the IaC code by using Lightlytics:

  • Ensuring IAM policies are not overly permissive
  • Ensuring encryption is enabled on services that provide it
  • Ensuring security groups are not overly permissive
  • Mitigating Internet and public access
  • Cross peering connectivity

The greatest advantage of using Lightlytics - Context! on every violation we provide the full context (dependencies) of the resource and the overall impact of the violation, including all the activity and past changes to the resource.

Cloud misconfigurations

Efficiently understand downstream dependencies to decide how severe the exposure is (resources is exposed on port 22 and has downstream access to OpenSearch)


This ability allows various cloud operation teams to create and enforce custom rules according to their business logic.
Lightlytics also enforces these rules cross accounts and regions.
You can create rules based on specific source, destination, intermediate components and even based on tags, locations and ports.


There are two types of rules that can be created in the system -

Path based rule:
With path-based rules, you can define rules based on source, destination and intermediate components while combining resources specific attributes, location, tags and ports.
For example, you would like to restrict all traffic between a production vpc and a development vpc:

Cloud guardrails

Resource-based rule:
With resource-based rules, you can define rules based on a resource type with specific attributes and tags and enforce them on a specific action.
For example, you want to be alerted in case an instance that is running Jenkins in a certain vpc does not use the dedicated tested ami:

Cloud guardrails

Violations and Alerts:
Inspect the various violations across your entire pipeline, from planning to the execution phase:
You can examine resource violations in the Discovery screen and handle them appropriately :

Cloud posture

Examine violations in real-time events - Inspect violations according to the rules configured with each API call in your cloud environment:

Cloud events impact

Examine violations in the Simulation phase - Inspect violations of every commit when Lightlytics Simulation is triggered

Terraform impact analysis

Combining the Lightlytics simulation with custom rules and policies enforcement, we can help you save time, reduce cycles and make time for the work that matters before tasks add up.  

Why should you choose Lightlytics for your Cloud Guardrails?

Cloud, Kubernetes, Entitlements, and all their dependencies are managed in one platform at Build (Infrastructure-as-Code (IaC)) and Runtime.

So what are you waiting for? Book a demo and start your free trail now!

You’d never cross the street without checking both ways first. Never deploy cloud infrastructure without evaluating the risks and building your plan properly.
GET STARTED