© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Enabling Governance, Compliance, and Operational and Risk Auditing with AWS Management Tools - ENT323 - re:Invent 2017


In this session, learn how you can enable governance, compliance, and operational and risk auditing of your AWS account through a combination of continuous monitoring, auditing, and evaluation of your AWS resources. With AWS management tools, you can see a history of AWS API calls for your account, review changes in configurations and relationships among AWS resources, and dive into detailed resource configuration histories. You can determine your overall compliance with the configurations specified in your internal guidelines, and you can give developers and systems administrators a secure and compliant means to create and manage AWS resources.


  1. Enabling Governance, Compliance, and Operational and Risk Auditing Using AWS Management Tools. ENT323, November 30, 2017. Sid Gupta, CISSP, Sr. Product Manager, AWS Config. AWS re:Invent
  2. What to expect from the session
     • Overview of governance and compliance
     • The challenge
     • Introduction to AWS Management Tools
     • Governance and Compliance Use Cases
     • Q&A
  3. What is governance and compliance? Governance is the oversight role and the process by which companies manage and mitigate business risks. Compliance ensures that an organization has the process and internal controls to meet the requirements imposed by the governance body.
  4. Steps to implement governance. To effectively use IT in enabling an organization to achieve its governance and compliance goals, you need to:
     • Define—what IT is supposed to do
     • Discover—what IT resources exist
     • Monitor—what IT is doing
     • Respond—to “changes to” and “non-compliance of” IT resources
  5. The challenge: governance (Define, Discover, Monitor, Manage, Report, Respond) versus development speed (Agility, Innovation).
  6. AWS enables you to do both: governance (Define, Discover, Monitor, Manage, Report, Respond) and development speed (Agility, Innovation). With AWS you can programmatically:
     • Define provisioning and configuration of resources
     • Continuously discover new resources and changes to existing resources
     • Monitor resources and operations for compliance
     • Manage, report on, and respond to changes to your resources
  7. Introducing AWS Management Tools
     • Define provisioning of resources: AWS CloudFormation, AWS Service Catalog
     • Discover and gain visibility: AWS CloudTrail; AWS Config, Config Rules
     • Manage EC2 instances: Amazon EC2 Systems Manager
     • Monitor, report, and respond to changes: Amazon CloudWatch
  8. Introducing AWS Management Tools
     • Define provisioning of resources: AWS CloudFormation, AWS Service Catalog
  9. Governance Use Case
     • How do I ensure that my developers provision AWS resources in an orderly and predictable fashion?
  10. AWS CloudFormation. AWS CloudFormation is a service that provides a common language for you to describe and provision all your infrastructure resources for your cloud environment.
     • Template: JSON formatted file; parameter definition; resource creation; configuration actions
     • Stack: configured AWS services; comprehensive service support; service event aware; customizable
     • Framework: stack creation; stack updates; error detection and rollback
  11. Additional governance during provisioning
     • How do I enable self-service for my business units so that they can quickly deploy approved IT services?
     • How do I make sure that every resource that gets provisioned is tagged with a cost-center?
     • How do I control the size of the resources being provisioned by employees in my enterprise?
  12. AWS Service Catalog
     • AWS Service Catalog allows organizations to create and manage catalogs of IT services.
     • Built on AWS CloudFormation, it enables users to quickly deploy the approved IT services they need in a self-service manner without access to the underlying services in AWS.
     • Organizations get control, standardization, and governance; developers get agility, self-service, and time to market.
  13. AWS Service Catalog demo
     • WordPress site with launch constraints
  14. (no text on slide)
  15. Introducing AWS Management Tools
     • Define provisioning of resources: AWS CloudFormation, AWS Service Catalog
     • Discover and gain visibility: AWS CloudTrail; AWS Config, Config Rules
  16. AWS CloudTrail
     • Increase visibility into your user and resource activity
     • Discover and troubleshoot security and operational issues by recording activity that occurred
     • Simplify your compliance audits by automatically recording and storing activity logs
  17. AWS CloudTrail common use cases. Examples:
     • Gain visibility into root credential use
     • Detect access to sensitive data from unauthorized networks or IP addresses
     • Troubleshoot misconfigured permissions for applications
  18. AWS Config & Config Rules
     • Continuous Recording & Continuous Assessment service
     • Tracks configuration changes to AWS resources
     • Alerts you if the configuration is non-compliant with your policies
     • Diagram: changing resources → AWS Config (normalized; history, snapshot) → Config Rules → notifications, API access
  19. Governance Use Case
     • How do I identify S3 buckets that are publicly readable and writeable?
  20. AWS CloudTrail and AWS Config demo
     • Using AWS CloudFormation StackSets, provision a Config Rule across multiple accounts and regions
     • Using the Config Rule, identify the S3 buckets that are world writeable
     • Use AWS CloudTrail to view the API events
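The Config Rule in the demo above flags world-writeable buckets. As an added example (not code from the session or from AWS), here is the evaluation logic such a custom rule's Lambda could apply to a bucket's configuration item, checking both the ACL and the bucket policy; the configuration-item shape and the three sample buckets are assumptions constructed for the example.

```python
import json

# Constructed sample AWS::S3::Bucket configuration items, shaped like the ones a
# custom Config rule's Lambda receives (AccessControlList and BucketPolicy are
# JSON strings under supplementaryConfiguration; this shape is an assumption).
SAMPLE_ITEMS = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-acl-bucket",
     "supplementaryConfiguration": {"AccessControlList": json.dumps(
         {"grantList": [{"grantee": "AllUsers", "permission": "Write"}]}),
         "BucketPolicy": json.dumps({"policyText": None})}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-policy-bucket",
     "supplementaryConfiguration": {"AccessControlList": json.dumps({"grantList": []}),
         "BucketPolicy": json.dumps({"policyText": json.dumps({"Statement": [
             {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
              "Resource": "arn:aws:s3:::example-policy-bucket/*"}]})})}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-private-bucket",
     "supplementaryConfiguration": {"AccessControlList": json.dumps({"grantList": [
         {"grantee": {"id": "owner-canonical-id"}, "permission": "FullControl"}]}),
         "BucketPolicy": json.dumps({"policyText": None})}},
]

PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}  # S3 predefined groups
WRITE_PERMISSIONS = {"Write", "FullControl"}

def acl_allows_public_write(acl):
    """True if an ACL grant gives a predefined (anonymous) group write access."""
    for g in acl.get("grantList") or []:
        grantee = g.get("grantee")  # a string for groups, a dict for canonical users
        if isinstance(grantee, str) and grantee in PUBLIC_GRANTEES \
                and g.get("permission") in WRITE_PERMISSIONS:
            return True
    return False

def policy_allows_public_write(policy_text):
    """True if an unconditional Allow statement grants s3:Put* or s3:* to everyone."""
    if not policy_text:
        return False
    for stmt in json.loads(policy_text).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # conditional grants need a human look; not flagged here
        anyone = stmt.get("Principal") in ("*", {"AWS": "*"})  # both spell "everyone"
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if anyone and any(a in ("*", "s3:*") or a.lower().startswith("s3:put") for a in actions):
            return True
    return False

def evaluate(item):  # the evaluation a custom rule would report via PutEvaluations
    supp = item.get("supplementaryConfiguration", {})
    acl = json.loads(supp.get("AccessControlList", "{}"))
    policy_text = json.loads(supp.get("BucketPolicy", "{}")).get("policyText")
    public = acl_allows_public_write(acl) or policy_allows_public_write(policy_text)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": "NON_COMPLIANT" if public else "COMPLIANT"}
```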
  21. (no text on slide)
  22. Governance Use Case
     • Does my AWS environment comply with best practices (e.g. CIS AWS benchmark)?
  23. (no text on slide)
  24. Introducing AWS Management Tools
     • Define provisioning of resources: AWS CloudFormation, AWS Service Catalog
     • Discover and gain visibility: AWS CloudTrail; AWS Config, Config Rules
     • Manage EC2 instances: EC2 Systems Manager
  25. Governance Use Case
     • How do I audit which applications are installed on my EC2 instances?
     • How do I ensure that certain blacklisted applications are not installed on my EC2 instances?
  26. EC2 Systems Manager: Inventory & State Manager
     • Inventory—Provides visibility into the software catalog and configuration for your Amazon EC2 instances and on-premises servers
     • State Manager—Define and maintain consistent configuration of operating systems and applications running in your data center or in AWS
  27. Amazon EC2 Systems Manager: State Manager and Inventory demo
     • Use State Manager to schedule inventory collection every 30 minutes, update SSM agent once a week
     • Set up a Config Rule to detect FTP software installed on our instances
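For the FTP-detection Config Rule in the demo above, an added example (not the session's code) of the check a custom rule could run over the AWS:Application inventory that SSM collects for each instance; the inventory entries, instance IDs and the blacklist are constructed, and AWS::SSM::ManagedInstanceInventory is the resource type under which Config records SSM inventory.

```python
# Constructed sample of AWS:Application inventory entries per instance, with the
# Name/Version/Publisher fields SSM Inventory reports (values are made up).
SAMPLE_INVENTORY = {
    "i-0a1b2c3d4e5f60001": [
        {"Name": "openssh-server", "Version": "7.4p1", "Publisher": "Red Hat, Inc."},
        {"Name": "vsftpd", "Version": "3.0.2", "Publisher": "Red Hat, Inc."},
    ],
    "i-0a1b2c3d4e5f60002": [
        {"Name": "java-1.8.0-openjdk", "Version": "1.8.0.151", "Publisher": "Red Hat, Inc."},
    ],
}

# Matched case-insensitively as package-name prefixes, so "proftpd" also
# catches "proftpd-basic"; extend the tuple with whatever your policy bans.
BLACKLISTED_PREFIXES = ("vsftpd", "proftpd", "pure-ftpd")

def find_blacklisted(applications, prefixes=BLACKLISTED_PREFIXES):
    """Return 'name version' strings for every application hitting the blacklist."""
    hits = []
    for app in applications:
        name = app.get("Name", "").lower()
        if any(name.startswith(p) for p in prefixes):
            hits.append(f"{app['Name']} {app.get('Version', '')}".strip())
    return hits

def evaluate_instances(inventory):
    """One Config evaluation per instance, in the shape PutEvaluations expects;
    the annotation is shown in the console so an auditor sees what was found."""
    evaluations = []
    for instance_id, apps in inventory.items():
        hits = find_blacklisted(apps)
        evaluations.append({
            "ComplianceResourceType": "AWS::SSM::ManagedInstanceInventory",
            "ComplianceResourceId": instance_id,
            "ComplianceType": "NON_COMPLIANT" if hits else "COMPLIANT",
            "Annotation": ("Blacklisted software: " + ", ".join(hits)) if hits
                          else "No blacklisted software found",
        })
    return evaluations
```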
  28. (no text on slide)
  29. Governance Use Case
     • How do I centrally manage secret keys, DB connection strings?
     • How do I manage my Windows AMIs centrally, and make it easier for my developers to get the latest Windows AMI?
  30. Amazon EC2 Systems Manager: Parameter Store. Centralized store to manage your configuration data, including plain-text data or secrets, encrypted through AWS Key Management Service (AWS KMS).
     • Critical information stored securely within your environment
     • Integrates with AWS Identity and Access Management (IAM), AWS KMS, AWS CloudTrail and AWS CloudFormation
     • Re-use across your AWS configuration and automation workflows
     • Reference parameters from other Amazon EC2 Systems Manager capabilities (Run Command, Automation, State Manager, etc.) and other AWS services (Amazon ECS, AWS Lambda, etc.)
  31. Amazon EC2 Systems Manager: Parameter Store demo
     • Let’s retrieve the latest Windows AMI from parameter store and use it in an AWS CloudFormation template
  32. (no text on slide)
  33. Governance Use Case
     • How do I view the security patches installed on my EC2 instances?
     • How can I execute commands across all EC2 instances without requiring my engineers to SSH into the instance?
  34. EC2 Systems Manager: Patch Manager
     • Patch Manager—Automated tool that helps you simplify your Windows and Linux operating system patching process
  35. EC2 Systems Manager: Run Command. Remotely and securely manage servers or virtual machines at scale running in your data center or in AWS
     • Use Document to execute a script or just run a command
     • Execute commands across multiple instances simultaneously
     • Support for AWS and on-premises infrastructure
     • Rate Control and Error Control
     • AWS native
  36. Patch Manager and Run Command demo
     • Check the patch baseline of our Linux development environment
     • Use the Run command to update a Java application on all of our Linux instances
  37. (no text on slide)
  38. Introducing AWS Management Tools
     • Define provisioning of resources: AWS CloudFormation, AWS Service Catalog
     • Discover and gain visibility: AWS CloudTrail, AWS Config
     • Manage EC2 instances: EC2 Systems Manager
     • Monitor, report, and respond to changes: CloudWatch
  39. Log and respond to changes with Amazon CloudWatch
     • CloudWatch Events delivers a near real-time stream of system events
     • Create rules to match events and route them to one or more target functions or streams
  40. Governance Use Case
     • How do I ensure that services like AWS CloudTrail and AWS Config are not accidentally disabled?
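For the use case above, an added example (not from the session) of a CloudWatch Events rule pattern that catches the API calls which turn off CloudTrail logging or the Config recorder, with a small matcher that shows how such a pattern is applied to an event and a triage function like the one a Lambda target would run; the sample events, user and trail names are constructed, and the list of watched calls is my choice.

```python
import json

# Event pattern for a CloudWatch Events rule. CloudTrail-recorded API calls reach
# CloudWatch Events with detail-type "AWS API Call via CloudTrail" and the call's
# eventSource/eventName under "detail"; the calls listed here are my selection.
DISABLE_AUDIT_PATTERN = json.loads("""{
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["cloudtrail.amazonaws.com", "config.amazonaws.com"],
    "eventName": ["StopLogging", "DeleteTrail",
                  "StopConfigurationRecorder", "DeleteConfigurationRecorder",
                  "DeleteDeliveryChannel"]
  }
}""")

def matches(pattern, event):
    """The core of CloudWatch Events pattern matching: every key in the pattern
    must be present in the event, a list means 'any of these values', a nested
    object recurses, and event fields absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

# Constructed sample events (fictitious user and trail names).
STOP_LOGGING_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
               "userIdentity": {"type": "IAMUser", "userName": "example-admin"},
               "requestParameters": {"name": "example-trail"}},
}
DESCRIBE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
               "userIdentity": {"type": "IAMUser", "userName": "example-admin"}},
}

def triage(event):
    """What the rule's Lambda target might do: summarise who disabled what, or
    return None for events the pattern does not match."""
    if not matches(DISABLE_AUDIT_PATTERN, event):
        return None
    d = event["detail"]
    who = d.get("userIdentity", {}).get("userName", "unknown")
    return f"{d['eventName']} on {d['eventSource']} by {who}"
```

The same JSON pattern, minus the Python wrapper, is what goes into the rule's event pattern; a target such as an SNS topic or a Lambda that re-enables logging then completes the response.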
  41. (no text on slide)
  42. Summary: AWS Management Tools
     • Define provisioning of resources: AWS CloudFormation, AWS Service Catalog
     • Discover and gain visibility: AWS CloudTrail; AWS Config, Config Rules
     • Manage EC2 instances: EC2 Systems Manager: Inventory, State Manager, Parameter Store, Run Command, Patch Manager
     • Monitor, report, and respond to changes: CloudWatch
  43. Customers who use AWS Management Tools
  44. Thank you!