Case Studies
How Reddit Secures Its Cloud with CloudQuery
TL;DR
Reddit's security and platform teams use CloudQuery to centralize their cloud infrastructure data into a single, queryable format. This allows their engineering, product, and GRC teams to self-service cloud resource information. With CloudQuery, Reddit gets complete visibility into the resources running in our cloud environments. This allows them to ensure that everything is configured in a secure way that meets all their security and compliance requirements.
Reddit is one of the world's largest social platforms, with billions of users and a complex, multi-cloud infrastructure spanning AWS, GCP, and other providers. As Reddit's engineering teams scale their operations, maintaining comprehensive visibility and governance across their cloud environments has become critical to their security and compliance posture.
In this interview, Nathan Handler from the Reddit SPACE (security, privacy, assurance, and corporate engineering) team walks us through their adoption of CloudQuery. Before CloudQuery Reddit was manually stitching together data and fragmented, point-in-time snapshots to answer questions about their cloud. They now have a single, authoritative source of truth for cloud resources.
Now, security is no longer a bottleneck: engineering, product, and GRC teams can self-serve cloud infrastructure data in SQL. This has resulted in increased engineering autonomy, reduced operational friction, and a strengthened security posture.
Full Transcript #
Role, Team, and Responsibilities at Reddit #
Chris Reuter (VP Marketing, CloudQuery): Can you tell us about your role at Reddit and the team you work on? And then, what are your responsibilities? Do you have internal customers?
Nathan Handler: I'm a staff infrastructure security engineer within Reddit's SPACE Organization—Security, Privacy, Assurance, and Corporate Engineering. My job is to make sure that all the infrastructure being launched to power Reddit is done so securely.
This involves working closely with infrastructure, product, and compliance teams to provide tooling and visibility that make secure choices the easy default. We build and maintain systems that surface potential misconfigurations early, automate common security controls, and help teams understand the security posture of their environments without slowing down development.
Our internal customers include teams across Reddit who rely on our data and tools to launch, operate, and audit their services with confidence. In short, we focus on enabling security at scale through collaboration and automation.
Primary Outcomes Achieved With CloudQuery #
Chris Reuter: What are the primary outcomes you achieve by using CloudQuery?
Nathan Handler: CloudQuery provides us with visibility into the resources running in our cloud environments. This allows us to ensure that everything is configured in a secure way that meets all security and compliance requirements. We can then expose this information through curated dashboards to other teams in the company to give them insights into the data that they care about in a safe and controlled manner.
Challenges Managing Cloud Infrastructure Data #
Chris Reuter: What are some of the main challenges your team faces with managing and understanding cloud infrastructure data?
Nathan Handler: My team is quite small in relation to the rest of the company. It's impossible for us to directly review every change being made, and this creates the challenge of how can we best utilize our limited resources to prevent or identify and mitigate security issues with our infrastructure.
Handling Cloud Visibility Before CloudQuery #
Chris Reuter: Before CloudQuery, how were you handling cloud asset visibility and data integration?
Nathan Handler: Prior to CloudQuery, we were using a similar product and a few in-house services to inventory our cloud assets. Those tools gave us partial visibility, but they weren't designed for deep integration across multiple cloud providers or for sharing that data easily with other teams.
Much of the work involved stitching together different APIs, normalizing data formats, and maintaining separate pipelines for each data source. This approach required a lot of manual effort to keep data accurate and up to date, and it often meant that only a few teams had direct access to the full picture.
When other teams needed information about their resources, permissions, or configurations, they usually had to file requests or rely on point-in-time exports. CloudQuery gave us a way to consolidate all of that info into a single consistent framework. Instead of maintaining multiple systems, we can now ingest data from all of our cloud providers through one platform and expose it in a way that's queryable, auditable, and useful across the company.
Limitations of the Previous Approach #
Chris Reuter: And what were your biggest limitations or frustrations with that approach?
Nathan Handler: The cloud's more than just AWS and GCP. We have resources being deployed in countless other systems, and having no real way to track them was proving problematic. Our engineers also didn't want to have to learn yet another tool to work with this data. They wanted it available in the same destinations that they already are using to analyze data produced by the services they're developing.
Impact on Productivity and Business #
Chris Reuter: How did those challenges affect your team's productivity or the business more broadly?
Nathan Handler: Those challenges meant that we were collecting data, but it was not complete enough to earn a spot in the everyday toolbox of our engineers. As a result, outside of checkbox compliance, it never provided much value and was largely viewed as a cost.
Why Reddit Adopted CloudQuery #
Chris Reuter: What made you decide to try CloudQuery?
Nathan Handler: Following our 2023 security breach, we wanted to improve visibility into all of our cloud resources across the company. That event highlighted how important it is to understand what exists in our environment, how it is configured, and who has access.
We chose to try CloudQuery because it allowed us to pull in data from all of our cloud providers, not just AWS. Its wide selection of plugins, along with the ability to create our own, meant that we could get a complete picture of our infrastructure in one place. Just as importantly, it let us expose that data in a way that was actually useful to teams beyond security—product, GRC, and other groups could explore and use the same data to inform their decisions.
In short, we adopted CloudQuery to build a shared, accurate view of our cloud environment and make that visibility accessible across the company.
Benefits Since Adopting CloudQuery #
Chris Reuter: What benefits have you seen since adopting CloudQuery?
Nathan Handler: CloudQuery has allowed us to provide teams with access to curated dashboards that give them visibility into our running infrastructure and the ability to answer questions such as, "What resources does my team own?", "Which resources are not configured in a way that meets our compliance standards?", and "Are any of our resources configured in a way that makes them vulnerable to this newly discovered attack factor?"
An unexpected benefit of CloudQuery has been discovering cloud resources not being managed via infrastructure-as-code. We accomplished this by using the Terraform Source plugin to generate a list of all resources managed as code, and comparing it against the resources returned by the AWS plugin. We can then follow up to get the untracked resources cleaned up or imported.
How Reddit Uses CloudQuery for AWS #
Chris Reuter: Tell me specifically about AWS and CloudQuery at Reddit. What AWS services do you focus on most using CloudQuery data?
Nathan Handler: Reddit uses a large number of AWS services. EC2, IAM, and S3 likely get the majority of our attention. However, CloudQuery makes it possible for us to keep tabs on all of the services and prove to ourselves that we're not using any unexpected ones.
We leverage CloudQuery to generate reports around who can access certain sensitive data, which of our compute instances meet our compliance and security requirements, and to generally keep track of the countless S3 buckets constantly being spun up to store a wide range of data.
Other CloudQuery Sources in Use #
Chris Reuter: Other than AWS, what other sources do you use the most?
Nathan Handler: In addition to AWS, we have around a dozen other sources in use. GCP, Kubernetes, and HashiCorp Vault are likely the ones receiving the most usage.
How CloudQuery Enables Autonomy and Saves Engineering Hours #
Chris Reuter: How has CloudQuery helped your team or the teams you serve work more autonomously or free up engineering hours?
Nathan Handler: CloudQuery has helped us empower other teams to get the data they need without waiting on security to manually provide it. Before, a lot of our visibility work required custom scripts or one-off requests to pull inventory or configuration data from different cloud providers.
With CloudQuery, that data is automatically collected and made queryable in a familiar SQL format so teams can self-serve what they need. Because it supports such a wide range of plugins, we can pull in resources from across our entire cloud footprint—not just AWS—and make that information accessible to the rest of the company.
It also means we no longer have to grant these teams direct access to the underlying cloud environments, which simplifies permissions and reduces risk. Overall, this has freed up engineering time, reduced operational friction, and made other teams more autonomous in understanding and improving their own infrastructure.
Chris Reuter: If you had to describe CloudQuery in one sentence to another engineering leader, what would you say?
Nathan Handler: Infrastructure as code defines the desired state. Audit logs show the actions being taken. CloudQuery completes the trifecta by showing you the actual state of your infrastructure and allowing you to readily query and visualize it.
Learn More #
Interested in building a similar solution for your organization? Get started with CloudQuery or explore the CloudQuery Platform for a fully managed experience.
Want to chat with our team about your specific use case? Contact us here or join the CloudQuery community to connect with other users and experts.
