How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How LogMeIn Automates Governance
and Empowers Developers at Scale
Cameron Worrell
Solutions Architect
AWS
S E C 3 0 2
Brian Galura
Principal Technical Operations Architect
LogMeIn Inc.

Agenda
Considerations and building blocks
Automation patterns and lifecycle
Deep dive – LogMeIn governance automation
Demo – Governance automation
Summary and path forward

Key takeaways
Remove friction between your developers and
innovation
Free up cycles on your operations teams
Increase visibility into actions across your
environment
Align security controls earlier in the
development lifecycle

Unlocking innovation

Let builders build…
…while maintaining responsible guardrails.

IT governance (ITG) is defined as the
processes that ensure the effective and
efficient use of IT in enabling an
organization to achieve its goals.
Gartner

Flexible developer access …
…while maintaining responsible guardrails.

Resource boundaries, policies, and roles
Root
Dev QA Prod
A1
A2
A3A1
A2
A3
A1
A2
A3
Across multiple accounts
IAM
roles
IAM policies
& conditions
Resources &
tagging
Within an account
Identity federation

AWS Identity and Access Management (IAM) policy primer
{
"Statement": [{
"Effect": "effect",
"Principal": "principal",
"Action": "action",
"Resource": "arn",
"Condition": {
"condition": {
"key": "value"
}
}
}]
}
IAM mechanisms:
• Implicit deny
• Explicit deny
• Resource-level permissions
• Authorization based on tags
• Resource-based policies
• Permissions boundaries

IAM policy examples
{
"Effect": "Allow",
"Resource”: "arn:aws:ec2:us-west-
2:123456789012:instance/*"
"Condition": {
"StringEquals": {
"ec2:ResourceTag/team":
"dev1"
}
}
}
{
...
"Effect": "Deny",
"Resource": "*",
"Action": [
"ec2:AttachInternetGateway",
"ec2:AssociateRouteTable",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress"
...
]
}
Explicit deny - Prevent high blast radius:
Resource level / tag-based authorization - Tenant separation:

Collect
Analyze
Develop &
deploy
Operate Policies
Policy is a verb, not a noun
- AWS CloudTrail log data
- Deviations from baseline
- Org and strategy changes
- Roadmap and enhancements
- Understand access patterns
- Correlate actions to events
- Validate control mapping
- Metrics tracking
- Policy as code
- Access brokers
- Automated checks
- Self-service tools
- Notification and remediation
- Monitoring and logging
- Exception handling
- Incident response
- Metrics capture

Developer access considerations
Direct vs. indirect developer access:
Direct access
• Interaction with APIs directly
• Choice of tooling and automation
• Sandbox, experimentation
• Within guardrail activities
Indirect access
• Interaction through a proxy or broker
• Prescriptive tooling and automation
• Deployment-related activities
• High blast radius actions

Self-service with AWS CloudFormation custom
resources
Call and manage custom actions in your stack
Back custom resources with AWS Lambda functions with governance logic
Broker sensitive actions and automate safety checks
AWS
Lambda
AWS
CloudFormation
AWS::CloudFormation::CustomResource
or
Custom::String
Security group
lookup
IAM policy
validation
Subnet
assignment
Lambda functions
Criteria
Met?
Provision
stack
Failure
log
Template

Automated policy check tools
IAM Policy Simulator API - Evaluate the policies that you choose and
determine the effective permissions for each of the actions that you
specify
Zelkova - Leverage automated reasoning to verify policy permissiveness
Ecosystem and custom tools - Customize policy logic to your
environment. Use open-source tools: Repokid, Aardvark, cfn_nag, Cloud
Custodian

Zelkova provides provable security for
customers “in the cloud” by leveraging
automated reasoning to verify key IAM
enterprise governance & data privacy controls
are implemented as intended, at scale

LogMeIn | Thriving business
(NASDAQ:LOGM)
Global company
with revenue of
$1B+
SMB market leader with
top 1 or 2 positon in all
of our addressable
markets
Worldwide operations
with ~ 3,500 employees
in 20+ global offices
25MM+ users with
nearly 300 MM
connections served
every year
Top 10 SaaS company
S&P Mid-Cap 400
$5B+ market cap

“Ensure the appropriate and auditable
use of resources to meet business
objectives”

Common governance issues
“Don’t get in my way!”
- Developers
“Don’t break other people’s
stuff!”
- Operations
“Don’t spend too much!”
- Finance
“Who has access to this
resource?”
- Security

LogMeIn AWS governance mission
Appropriate:
Preventative (Guardrails)
• Lambda-backed CF custom
resources
• Zelkova for IAM policy review
Detective (Alerts)
• AWS Config
• Amazon CloudWatch
Auditable:
Cost (Who spent what?)
• Resource tagging
Access Logs (Who did what?)
• AWS CloudTrail
Automation
• Volume Cleanup
• EIP Release

Let’s go deeper!
AWS CloudFormation custom
resources:
• Amazon Virtual Private Cloud
(Amazon VPC) security groups
• IP addresses
• IAM policies

Collect
Analyze
Develop &
deploy
Operate Policies
Policy is a verb, not a noun – Security groups
“Network Reachability Assessment” within Inspector)

Amazon VPC security groups
SG creation and changes are through AWS
CloudFormation
AWS CloudFormation custom resource for SGs:
• Reference of SGs by name instead of ID in AWS
CloudFormation templates
• SGs are consistent across contexts (account/region)
AWS Config checks SGs and sends an alert when
appropriate. Change reports are available through
CloudTrail

Collect
Analyze
Develop &
deploy
Operate Policies
Policy is a verb, not a noun – IP Addresses

IP addresses and subnets
AWS CloudFormation custom resource for subnets:
• IP “load balancing” across subnets
• Reference of subnets by name instead of ID in AWS
CloudFormation templates
• AZ-distributed list of least-utilized subnets
• Subnets are consistent across contexts
(dev/prod/regions)
Same pattern as security groups

Collect
Analyze
Develop &
deploy
Operate Policies
Policy is a verb, not a noun – IAM policies

Access guardrails – IAM
Developers/operations:
• Federated login
• API token vending machine
• Have appropriate access to use all AWS CloudFormation
custom resources
AWS CloudFormation custom resource for IAM policies:
• Create IAM policies only through an AWS CloudFormation
custom resource
• Attach policies and create roles
• IAM resources must be scoped to an appropriate path

Why is IAM so hard?

How can Zelkova help with IAM?
• Zelkova understands IAM policies
• Zelkova does not just test the policies. It formally
proves that they are compliant
𝑎
𝑏
𝑐
𝑎2 + 𝑏2 = 𝑐2
𝑎 = 3, 𝑏 = 4, 𝑐 = 5
𝑎 = 1, 𝑏 = 1, 𝑐 = 2
𝑎 = 5, 𝑏 = 12, 𝑐 = 13
AWS policy simulator:

Can IAM permissions boundaries help?

Demo
Create two AWS CloudFormation stacks:
One will create an IAM policy and instance role
• Meets our governance standards
One will start an Amazon Elastic Compute Cloud (Amazon EC2) instance
• Using the instance role from the first stack
• Select a subnet, Amazon Machine Image, security group, and VPC by
name using AWS CloudFormation custom resource

Detective controls
• AWS Config
• Security groups
• Cloudwatch
• IAM Policies
Guard Duty
Stacksets help scale these to many accounts

Access auditing and reporting
• Aggregated CloudTrail
• Directly searchable using Amazon Athena
• Brokered access through Redash

Access auditing and reporting

Cost guardrails for dev
• Large footprint
• Don’t need 100% uptime
• Good candidate for spot
• Devs can opt in by tagging their Amazon EC2
Auto Scaling groups – Easy win
• Very little downtime when Spot Instances
replaced by On-Demand
• Governance automation
• EIP release
• Detached volume deletion

Monitoring, detection, and response
CloudTrail
CloudWatch
AWS Config
Amazon VPC Flow Logs
Application logs
…
IAM policy check
Insecure config check
Threshold alarms
ML analysis
…
Notify admins
Update / terminate
Resources
Revert changes
Revoke credentials
…
Logging Detection Remediation
AWS Config
rule
Human
analysis
CloudWatch
alarm
CloudWatch
Events

Evolution and summary
IAM users and groups
Manual policy management
Minimal automation
Manual policy deviation checks
1 2 3
Federated users
Infrastructure as code
Automated governance checks
Metrics and usage analysis
Automated permissions
CI/CD policy pipeline
Brokered access to sensitive actions
Adaptive policy management
Sample maturity stages

Related breakouts
Friday, Nov 30
Mastering Identity at Every Layer of the Cake
10:00 a.m. - 11:00 a.m. | Venetian, Level 4, Delfino 4005
Friday, Nov 30
Adding the Sec to Your DevOps Pipelines
8:30 a.m. - 10:45 a.m. | Venetian, Level 4, Marcello 4403
Friday, Nov 30
Securely Deploying at Scale
8:30 a.m. - 9:30 a.m. | Mirage, Antigua A

Resources
Slides will be available on SlideShare. Recording will be available on YouTube
IAM friendly names and paths
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names
AMI ID lookup AWS CloudFormation custom resource
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-custom-resources-lambda-
lookup-amiids.html
Redash with Athena JDBC
https://blog.redash.io/amazon-athena-in-redash-support-6b71c91aa747
Zelkova/Tiros:
https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/
https://aws.amazon.com/security/provable-security/
Terminal plugin for Atom text editor
https://atom.io/packages/platformio-ide-terminal

Thank you!
Cameron Worrell
Solutions Architect
AWS
Brian Galura
Principal Technical Operations Architect
LogMeIn Inc.

How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - AWS re:Invent 2018

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - AWS re:Invent 2018

Ähnlich wie How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - AWS re:Invent 2018 (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - AWS re:Invent 2018