Automated control and transparency in the AWS Cloud – autopilot for the compliance of your cloud resources - AWS Cloud Web Day for mid-sized and large enterprises (original German title: "Automatisierte Kontrolle und Transparenz in der AWS Cloud – Autopilot für Compliance Ihrer Cloud Ressourcen - AWS Cloud Web Day für Mittelstand und Großunternehmen")
Talk "Automated control and transparency in the AWS Cloud – autopilot for the compliance of your cloud resources" by Philipp Behre at the AWS Cloud Web Day for mid-sized and large enterprises. All videos and presentations can be found here: http://amzn.to/1VUJZsT
1. AWS Enterprise Web Day
Automate control and transparency – put compliance checks for your cloud resources on autopilot
Philipp Behre, AWS Solutions Architect, pbehre@amazon.de
2. The primary reason businesses are
moving so quickly to AWS and the cloud
#1: Agility
3. Agility can lead to …
• A culture of innovation - experiment often & fail without risk
• From PoC to production – create new business opportunities
Project teams gain agility through self-service and shorter time-to-market.
4. A strong IT Services Team enables innovation
The IT Service Team owns compliance, security, access management, auditing, change management, cloud operations and many more, and needs control, visibility and compliance across all of them.
5. Empower agile teams with standardized self-service
• IT Service Team: create custom services and grant access to developers
• Project teams: use a personalized portal to find & launch services
6. Standardize and automate with AWS CloudFormation
Instruction manuals and hand-written provisioning scripts raise the same questions every time:
• creation order?
• how long do I pause?
• what errors can I recover from?
• what environment config and utilities does my script depend on?
• can my script be faster?
• will this script work again?
• how do I learn all of the AWS APIs?
With CloudFormation you instead templatize, version control, provision, replicate and update.
7. An integrated approach to gain transparency
• Service catalog: publishes the approved template (create/update, validate); project teams select & provision a resource stack from it
• Capture audit logs: captures all API interaction; durable storage secures the audit data
• Monitor change: keeps track of resources and their changes and notifies on every change
• Monitor/alert: monitors AWS & the application, initiates remediation and notifies
8. An integrated approach to gain transparency (the same flow with AWS service names)
• AWS Service Catalog: publishes the (AWS CloudFormation) template (create/update, validate); project teams select & provision the resource stack
• AWS CloudTrail: captures all API interaction; Amazon S3 secures the audit data
• AWS Config: catalog of resources & changes; notifies on every change
• Amazon CloudWatch alarm: monitors AWS & the application, initiates remediation and notifies
14. Evidence for compliance
```shell
aws configservice get-resource-config-history \
    --resource-type AWS::EC2::VPC \
    --resource-id vpc-47fa0322 \
    --earlier-time 2015-10-01
```
...
• Many compliance audits require access to the state of your systems at arbitrary times (e.g., PCI, HIPAA)
• A complete inventory of all recorded resources and their configuration attributes is available for any point in time since AWS Config recording was enabled
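The command above returns a list of configuration items; what an auditor actually wants from it is a change log ("what changed, when, and which API calls caused it") and the state of a resource at a given time. The following is an added example (not code from the talk) that does both on the `configurationItems` shape the call returns. The two VPC records are constructed sample data, not real audit output; with real data you would page through `get-resource-config-history` (boto3 or the CLI) and concatenate the lists first.

```python
"""Turn AWS Config resource history into a change log and point-in-time state lookups."""
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: two configuration items for one VPC, in the shape of the
# `configurationItems` list that get-resource-config-history returns (trimmed to
# the fields used here). Made-up records, not real audit data.
SAMPLE_HISTORY: List[Dict[str, Any]] = [
    {
        "resourceType": "AWS::EC2::VPC",
        "resourceId": "vpc-47fa0322",
        "configurationItemCaptureTime": "2015-10-01T08:00:00Z",
        "configurationItemStatus": "ResourceDiscovered",
        "configuration": {"cidrBlock": "10.0.0.0/16", "isDefault": False, "instanceTenancy": "default"},
        "tags": {"Environment": "prod"},
        "relatedEvents": ["evt-constructed-1"],
    },
    {
        "resourceType": "AWS::EC2::VPC",
        "resourceId": "vpc-47fa0322",
        "configurationItemCaptureTime": "2015-10-12T14:30:00Z",
        "configurationItemStatus": "OK",
        "configuration": {"cidrBlock": "10.0.0.0/16", "isDefault": False, "instanceTenancy": "dedicated"},
        "tags": {"Environment": "prod", "Owner": "team-a"},
        "relatedEvents": ["evt-constructed-2"],
    },
]

Change = Tuple[str, Any, Any]  # (attribute path, old value, new value)


def _flatten(prefix: str, value: Any, out: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten nested dicts into dotted attribute paths so items can be compared key by key."""
    if isinstance(value, dict):
        for key in value:
            _flatten(f"{prefix}.{key}" if prefix else key, value[key], out)
    else:
        out[prefix] = value
    return out


def diff_items(older: Dict[str, Any], newer: Dict[str, Any]) -> List[Change]:
    """Attributes (configuration and tags) that differ between two configuration items."""
    old = _flatten("", {"configuration": older.get("configuration", {}), "tags": older.get("tags", {})}, {})
    new = _flatten("", {"configuration": newer.get("configuration", {}), "tags": newer.get("tags", {})}, {})
    return [(k, old.get(k), new.get(k)) for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)]


def change_log(history: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One entry per recorded change, with the CloudTrail event ids Config linked to it.
    Capture times are ISO-8601 strings in one format, so string order is time order."""
    items = sorted(history, key=lambda ci: ci["configurationItemCaptureTime"])
    log = []
    for older, newer in zip(items, items[1:]):
        changes = diff_items(older, newer)
        if changes:
            log.append({
                "resourceId": newer["resourceId"],
                "captureTime": newer["configurationItemCaptureTime"],
                "changes": changes,
                "relatedEvents": newer.get("relatedEvents", []),
            })
    return log


def state_at(history: List[Dict[str, Any]], when: str) -> Optional[Dict[str, Any]]:
    """The configuration item in effect at ISO-8601 time `when`, or None if the resource
    was not yet recorded (Config only has state from the moment recording was enabled)."""
    known = [ci for ci in history if ci["configurationItemCaptureTime"] <= when]
    return max(known, key=lambda ci: ci["configurationItemCaptureTime"]) if known else None


if __name__ == "__main__":
    print(json.dumps(change_log(SAMPLE_HISTORY), indent=2, default=str))
    print(json.dumps(state_at(SAMPLE_HISTORY, "2015-10-05T00:00:00Z"), indent=2))
```

The `relatedEvents` ids are the bridge to CloudTrail: they let you pull the exact API call (and the identity that made it) behind each configuration change, which is the evidence an auditor asks for.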
16. Change management integration: Option 1
• AWS Account 1, 2, 3 … deliver their AWS Config data to a common S3 bucket and a common SNS topic
• An adaptor (custom software) converts the JSON into the CMDB's format
• Data pipe into the existing CMDB (BMC, HP, custom)
17. Change management integration: Option 2
• Use the AWS Config API in federated form: an adaptor queries AWS Account 1, 2, 3 … directly
• The adaptor is custom software needed to convert the JSON into the CMDB's format (BMC, HP)
18. Customer example: a cloud-based technology company transforming clinical research for life sciences companies and patients who depend on them.
Infrastructure changes → change log → regulatory compliance engine → audits
20. Why should I do this?
• Compliance: helps you know how things are configured…
• "We audit our logs already!" Every minute?
• "We don't allow changes through IAM policies": in all accounts/environments?
• "We use CI/CD to push all changes" Awesome... I'll push the changes using someone else's user account!
21. Why… again
Implement a "compliance status" for an easy overview
• Use predefined checks
• Create extended custom checks
• Fix the issue while checking
Evaluate/remediate changes/events in your account
• Doesn't replace log analysis (consider Machine Learning FTW)
• Protect against changes made by (un)authorized accounts
• Automatic remediation for critical events
• Do forensics on the fly
Always log and alert!
22. Config Rules
• Set up rules that check the configuration changes AWS Config records
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically on each change for continuous assessment
• Use the dashboard to visualize compliance and identify offending changes
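A custom rule is a Lambda function that receives the changed configuration item, decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE, and reports the result back with `put_evaluations`. The following is an added example (not the talk's code) of such a rule for the security-group case the deck uses later: it flags groups that open sensitive ports to 0.0.0.0/0 or ::/0. The port list, the `sensitivePorts` rule parameter name and the sample invocation are assumptions constructed for the example; the event and evaluation field names are those of the Config custom-rule contract.

```python
"""Custom AWS Config rule (Lambda handler) flagging security groups that expose
sensitive ports to the whole internet. Added example, not the talk's code."""
import json
from typing import Any, Dict, Iterable, List, Set, Tuple

ANYWHERE = {"0.0.0.0/0", "::/0"}
DEFAULT_PORTS: Set[int] = {22, 3389}  # assumption: SSH and RDP are the ports we care about


def _world_open_ranges(perm: Dict[str, Any]) -> List[str]:
    """CIDR ranges in one ipPermissions entry that mean 'from anywhere'. Handles both the
    older `ipRanges` list of strings and the newer `ipv4Ranges`/`ipv6Ranges` list of dicts."""
    ranges = [r if isinstance(r, str) else r.get("cidrIp") for r in perm.get("ipRanges", [])]
    ranges += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    ranges += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return [r for r in ranges if r in ANYWHERE]


def _covers_port(perm: Dict[str, Any], port: int) -> bool:
    """True if the permission's port range includes `port` ("-1" means all protocols/ports)."""
    if perm.get("ipProtocol") == "-1":
        return True
    low, high = perm.get("fromPort"), perm.get("toPort")
    if low is None or high is None:  # e.g. ICMP entries carry type/code, not ports
        return False
    return low <= port <= high


def evaluate_security_group(configuration: Dict[str, Any],
                            sensitive_ports: Iterable[int] = DEFAULT_PORTS) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for a security group's `configuration` block."""
    findings = []
    for perm in configuration.get("ipPermissions", []):
        open_to = _world_open_ranges(perm)
        if not open_to:
            continue
        proto = "all" if perm.get("ipProtocol") == "-1" else perm.get("ipProtocol", "?")
        for port in sorted(set(sensitive_ports)):
            if _covers_port(perm, port):
                findings.append(f"{proto}/{port} open to {','.join(open_to)}")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]  # Config caps annotations at 256 chars
    return "COMPLIANT", "no sensitive port is open to the world"


def build_evaluation(event: Dict[str, Any]) -> Dict[str, Any]:
    """Parse a change-triggered rule invocation and build the Evaluation for put_evaluations."""
    invoking = json.loads(event["invokingEvent"])
    if "configurationItem" not in invoking:  # scheduled/oversized notifications are not handled here
        raise ValueError(f"expected a configuration item change, got {invoking.get('messageType')}")
    params = json.loads(event.get("ruleParameters") or "{}")
    ports = {int(p) for p in params.get("sensitivePorts", "22,3389").split(",")}
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup" or item["configurationItemStatus"].startswith("ResourceDeleted"):
        compliance, note = "NOT_APPLICABLE", "not an active security group"
    else:
        compliance, note = evaluate_security_group(item.get("configuration") or {}, ports)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    evaluation = build_evaluation(event)
    import boto3  # imported here so the module also loads where the AWS SDK is absent (local tests)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample invocation: a group that serves HTTPS to the world (fine) but
# also opens SSH to 0.0.0.0/0. Not a real account, group or token.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2015-10-12T14:30:00Z",
            "configuration": {
                "groupName": "automation-sg",
                "ipPermissions": [
                    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                ],
            },
        },
    }),
    "ruleParameters": json.dumps({"sensitivePorts": "22,3389"}),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Keeping the decision (`evaluate_security_group`) separate from the AWS plumbing (`lambda_handler`) is what makes the rule testable offline; the `NOT_APPLICABLE` branch for deleted resources matters because Config still invokes the rule for them and a stale NON_COMPLIANT result would otherwise linger on the dashboard.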
23. AWS Lambda?
A compute service where you don't have to think about:
• Servers
• Being over/under capacity
• Deployments
• Scaling and fault tolerance
• OS or language updates
• Metrics and logging
…but where you can easily
• Bring your own code… even native libraries
• Run code in parallel
• Create backends, event handlers, and data processing systems
• Never pay for idle!
26. An example …
"I need to access this system now! It can be quick … I will use this user account we use for automation to change the security group."
Instance security group (before) → instance security group (after the change)
AWS Config tracks & monitors the change → the rule is invoked → alert, revise the change, follow up
27. Risks
• You can now automatically mess up your approved changes
• No proper alerting and follow-up on automatic events
• Over/under complicated scripts
• No info on desired state
• Race the hacker… automation wars!
28. Creating a blueprint helps (simplified example)
Trigger: continuous / event based (Config Rules, CloudWatch Events)
• Is it region specific?
• Will the action risk breaking something? Yes: call a human. No: Lambda
• Will it add cost? Yes: depending on the possible cost, set a limit and call a human. No/minor: set rules
• Is there a source of truth?
  - Config Rules: check the previous configuration (caution on multiple events)
  - CloudWatch Events: check a tag or a DynamoDB table; have a default value
Action: revert the change based on the above
Forensics: is it a human (or unknown source) or a machine (CI/CD)?
• CI/CD: create a ticket (Jira etc.)
• Human: should we countermeasure/prevent?
  - Are they using MFA? No: add MFA (external Lambda)
  - Have they done this before (check DynamoDB)? Yes: disable account/keys
Alert: high: SMS/page; low: email/tracking system
Logging: is it sensitive? Yes: encrypt (KMS). No: cleartext. Always: access control
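The forensics, alert and logging branches of this blueprint can be written down as one triage function over the CloudTrail record that CloudWatch Events or the rule hands you. The following is an added example (not the talk's code) that does so and also covers the slide 26 scenario: the automation user's credentials driven from the console are treated as a human, not as CI/CD. The CI/CD principal list, the set of "sensitive" event names, the high/low alert rule and the sample record are constructed assumptions; a plain dict stands in for the DynamoDB table that remembers prior offenders.

```python
"""Triage one CloudTrail record along the blueprint's forensics/alert/logging branches.
Added example, not the talk's code; principals, store and record are constructed."""
from dataclasses import dataclass
from typing import Any, Dict, Tuple

# Assumptions standing in for real configuration: which principal the CI/CD pipeline uses,
# which events deserve encrypted log storage, and how console traffic shows up in userAgent.
CI_CD_PRINCIPALS = {"arn:aws:iam::123456789012:user/automation"}
SENSITIVE_EVENTS = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress", "CreateAccessKey", "PutUserPolicy"}
CONSOLE_AGENTS = ("console.amazonaws.com", "signin.amazonaws.com")


@dataclass
class TriagePlan:
    actor: str
    actor_kind: str       # "machine" (CI/CD) or "human" (incl. unknown source)
    mfa: bool
    repeat_offender: bool
    revert: bool          # always revert to the source of truth
    create_ticket: bool   # CI/CD branch: open a Jira-style ticket
    enforce_mfa: bool     # human branch without MFA: add MFA (separate Lambda)
    disable_keys: bool    # human branch, seen before: disable account/keys
    alert: str            # "high" -> SMS/page, "low" -> email/tracking system
    log_encryption: str   # "KMS" for sensitive events, else "cleartext"; access control always


def classify_actor(record: Dict[str, Any]) -> Tuple[str, str]:
    """A known CI/CD principal calling the API programmatically is a machine; anything else,
    including that same principal driven from the console (slide 26), is a human."""
    arn = record["userIdentity"].get("arn", "unknown")
    via_console = record.get("userAgent", "").startswith(CONSOLE_AGENTS)
    if arn in CI_CD_PRINCIPALS and not via_console:
        return arn, "machine"
    return arn, "human"


def mfa_used(record: Dict[str, Any]) -> bool:
    """CloudTrail reports MFA as the string "true" under sessionContext.attributes; plain
    access-key calls carry no sessionContext and therefore count as no MFA."""
    attrs = record["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def triage(record: Dict[str, Any], offense_store: Dict[str, int]) -> TriagePlan:
    """`offense_store` maps principal ARN to prior offense count (a dict stands in for the
    DynamoDB table the blueprint checks) and is updated in place."""
    arn, kind = classify_actor(record)
    machine = kind == "machine"
    mfa = mfa_used(record)
    seen_before = offense_store.get(arn, 0) > 0
    offense_store[arn] = offense_store.get(arn, 0) + 1
    disable = not machine and seen_before
    no_mfa_human = not machine and not mfa
    return TriagePlan(
        actor=arn,
        actor_kind=kind,
        mfa=mfa,
        repeat_offender=seen_before,
        revert=True,
        create_ticket=machine,
        enforce_mfa=no_mfa_human,
        disable_keys=disable,
        alert="high" if (disable or no_mfa_human) else "low",  # assumption: these two cases page someone
        log_encryption="KMS" if record["eventName"] in SENSITIVE_EVENTS else "cleartext",
    )


# Constructed CloudTrail record: the automation user, driven from the console without MFA,
# adds an ingress rule (made-up account, group and address).
SAMPLE_RECORD = {
    "eventVersion": "1.03",
    "eventTime": "2015-10-12T14:29:55Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "203.0.113.10",
    "userAgent": "console.amazonaws.com",
    "userIdentity": {
        "type": "IAMUser",
        "arn": "arn:aws:iam::123456789012:user/automation",
        "userName": "automation",
        "sessionContext": {"attributes": {"mfaAuthenticated": "false", "creationDate": "2015-10-12T14:20:00Z"}},
    },
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
    },
}

if __name__ == "__main__":
    store: Dict[str, int] = {}
    print(triage(SAMPLE_RECORD, store))  # first time: revert, enforce MFA, alert high
    print(triage(SAMPLE_RECORD, store))  # second time: also disable keys
```

Whatever the plan says, the record itself and the plan should be written to the log store first (encrypted where the event is sensitive, always behind access control), so that the remediation steps are themselves auditable; the blueprint's "always log, alert and follow up" applies to the automation as much as to the original change.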
29. Summary
• AWS services support your organization to introduce, maintain,
and continuously improve governance processes for AWS
resources and their usage.
• Used together they provide continuous transparency into
changes, and allow auditing on changes and API interaction.
• Combined with your organization’s existing best practices,
processes, and tools you can centrally control and govern your
cloud environment without sacrificing the agility and flexibility
of the cloud.
• Automate compliance checks to act on violating changes
immediately and keep your infrastructure at a compliant state –
always log, alert, and follow up with an appropriate process!!