How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - AWS re:Invent 2018
2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How LogMeIn Automates Governance and Empowers Developers at Scale
Cameron Worrell
Solutions Architect
AWS
S E C 3 0 2
Brian Galura
Principal Technical Operations Architect
LogMeIn Inc.
3. Agenda
Considerations and building blocks
Automation patterns and lifecycle
Deep dive – LogMeIn governance automation
Demo – Governance automation
Summary and path forward
4. Key takeaways
• Remove friction between your developers and innovation
• Free up cycles on your operations teams
• Increase visibility into actions across your environment
• Align security controls earlier in the development lifecycle
5. Unlocking innovation
6. Let builders build…
…while maintaining responsible guardrails.
7. “IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.” (Gartner)
8. Flexible developer access …
…while maintaining responsible guardrails.
9. Resource boundaries, policies, and roles
Diagram: an organization Root with Dev, QA, and Prod organizational units, each holding accounts A1, A2, and A3.
Across multiple accounts: identity federation and account boundaries.
Within an account: IAM roles, IAM policies & conditions, resources & tagging.
10. AWS Identity and Access Management (IAM) policy primer
{
"Statement": [{
"Effect": "effect",
"Principal": "principal",
"Action": "action",
"Resource": "arn",
"Condition": {
"condition": {
"key": "value"
}
}
}]
}
IAM mechanisms:
• Implicit deny
• Explicit deny
• Resource-level permissions
• Authorization based on tags
• Resource-based policies
• Permissions boundaries
11. IAM policy examples
Resource level / tag-based authorization - Tenant separation:
{
...
"Effect": "Allow",
"Resource": "arn:aws:ec2:us-west-2:123456789012:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/team": "dev1"
}
}
}
Explicit deny - Prevent high blast radius:
{
...
"Effect": "Deny",
"Resource": "*",
"Action": [
"ec2:AttachInternetGateway",
"ec2:AssociateRouteTable",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress"
...
]
}
12. Policy is a verb, not a noun
Diagram: a lifecycle of Collect → Analyze → Develop & deploy → Operate, with policies at the center.
Collect:
- AWS CloudTrail log data
- Deviations from baseline
- Org and strategy changes
- Roadmap and enhancements
Analyze:
- Understand access patterns
- Correlate actions to events
- Validate control mapping
- Metrics tracking
Develop & deploy:
- Policy as code
- Access brokers
- Automated checks
- Self-service tools
Operate:
- Notification and remediation
- Monitoring and logging
- Exception handling
- Incident response
- Metrics capture
13. Developer access considerations
Direct vs. indirect developer access:
Direct access
• Interaction with APIs directly
• Choice of tooling and automation
• Sandbox, experimentation
• Within guardrail activities
Indirect access
• Interaction through a proxy or broker
• Prescriptive tooling and automation
• Deployment-related activities
• High blast radius actions
14. Self-service with AWS CloudFormation custom resources
Call and manage custom actions in your stack
Back custom resources with AWS Lambda functions with governance logic
Broker sensitive actions and automate safety checks
Diagram: a template declares an AWS::CloudFormation::CustomResource (or Custom::String) resource; AWS CloudFormation invokes AWS Lambda functions (security group lookup, IAM policy validation, subnet assignment) that apply the governance criteria. Criteria met? Yes: provision the stack. No: write a failure log.
15. Automated policy check tools
IAM Policy Simulator API - Evaluate the policies that you choose and determine the effective permissions for each of the actions that you specify
Zelkova - Leverage automated reasoning to verify policy permissiveness
Ecosystem and custom tools - Customize policy logic to your environment. Use open-source tools: Repokid, Aardvark, cfn_nag, Cloud Custodian
16. Zelkova provides provable security for customers “in the cloud” by leveraging automated reasoning to verify key IAM enterprise governance & data privacy controls are implemented as intended, at scale
18. LogMeIn | Thriving business (NASDAQ:LOGM)
• Global company with revenue of $1B+
• SMB market leader with top 1 or 2 position in all of our addressable markets
• Worldwide operations with ~3,500 employees in 20+ global offices
• 25MM+ users with nearly 300 MM connections served every year
• Top 10 SaaS company
• S&P Mid-Cap 400
• $5B+ market cap
21. Common governance issues
“Don’t get in my way!” - Developers
“Don’t break other people’s stuff!” - Operations
“Don’t spend too much!” - Finance
“Who has access to this resource?” - Security
22. LogMeIn AWS governance mission
Appropriate:
Preventative (Guardrails)
• Lambda-backed CF custom resources
• Zelkova for IAM policy review
Detective (Alerts)
• AWS Config
• Amazon CloudWatch
Auditable:
Cost (Who spent what?)
• Resource tagging
Access Logs (Who did what?)
• AWS CloudTrail
Automation
• Volume Cleanup
• EIP Release
23. Let’s go deeper!
AWS CloudFormation custom resources:
• Amazon Virtual Private Cloud (Amazon VPC) security groups
• IP addresses
• IAM policies
24. Policy is a verb, not a noun – Security groups
Lifecycle: Collect → Analyze → Develop & deploy → Operate (policies)
(See also “Network Reachability Assessment” within Inspector.)
25. Amazon VPC security groups
SG creation and changes are through AWS CloudFormation
AWS CloudFormation custom resource for SGs:
• Reference of SGs by name instead of ID in AWS CloudFormation templates
• SGs are consistent across contexts (account/region)
AWS Config checks SGs and sends an alert when appropriate. Change reports are available through CloudTrail
26. Policy is a verb, not a noun – IP Addresses
Lifecycle: Collect → Analyze → Develop & deploy → Operate (policies)
27. IP addresses and subnets
AWS CloudFormation custom resource for subnets:
• IP “load balancing” across subnets
• Reference of subnets by name instead of ID in AWS CloudFormation templates
• AZ-distributed list of least-utilized subnets
• Subnets are consistent across contexts (dev/prod/regions)
Same pattern as security groups
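An added example (not LogMeIn's or AWS's code) of the Lambda-backed custom-resource pattern from the custom-resource, security-group and subnet slides: one handler resolves a security group by name and builds an AZ-distributed list of the least-utilized subnets, returning the body CloudFormation expects at its pre-signed ResponseURL. The inventory dictionaries, the resource type names `Custom::SecurityGroupLookup` / `Custom::SubnetAssignment` and all IDs are constructed assumptions; a deployed handler would fill the inventory from EC2 DescribeSecurityGroups / DescribeSubnets and PUT the returned body to `event["ResponseURL"]`.

```python
# Added example: Lambda-backed CloudFormation custom resource handler.
# Lookups run against constructed sample inventory so the logic works offline.
SAMPLE_SGS = {"web-tier": "sg-0a1b2c3d", "db-tier": "sg-0d4e5f6a"}  # constructed
SAMPLE_SUBNETS = [  # constructed, shaped like EC2 DescribeSubnets entries
    {"SubnetId": "subnet-0aaa", "AvailabilityZone": "us-west-2a", "AvailableIpAddressCount": 12},
    {"SubnetId": "subnet-0bbb", "AvailabilityZone": "us-west-2a", "AvailableIpAddressCount": 200},
    {"SubnetId": "subnet-0ccc", "AvailabilityZone": "us-west-2b", "AvailableIpAddressCount": 50},
]


def lookup_security_group(name, sgs=SAMPLE_SGS):
    """Resolve a security-group name to an ID; an unknown name fails the stack."""
    if name not in sgs:
        raise ValueError(f"no security group named {name!r}")
    return sgs[name]


def assign_subnets(subnets=SAMPLE_SUBNETS):
    """One subnet per AZ, the one with the most free IPs ("IP load balancing")."""
    best = {}
    for s in subnets:
        az = s["AvailabilityZone"]
        if az not in best or s["AvailableIpAddressCount"] > best[az]["AvailableIpAddressCount"]:
            best[az] = s
    return [best[az]["SubnetId"] for az in sorted(best)]


def build_response(event, status, data=None, reason=""):
    """Body CloudFormation expects to be PUT to event["ResponseURL"]."""
    return {"Status": status, "Reason": reason,
            "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
            "StackId": event["StackId"], "RequestId": event["RequestId"],
            "LogicalResourceId": event["LogicalResourceId"], "Data": data or {}}


def handle(event):
    """Dispatch on the Custom:: type; any error becomes a FAILED response (the failure log)."""
    props = event.get("ResourceProperties", {})
    try:
        if event["RequestType"] == "Delete":  # lookups own nothing, so never block deletion
            return build_response(event, "SUCCESS")
        if event["ResourceType"] == "Custom::SecurityGroupLookup":
            data = {"GroupId": lookup_security_group(props["GroupName"])}
        elif event["ResourceType"] == "Custom::SubnetAssignment":
            data = {"SubnetIds": ",".join(assign_subnets())}
        else:
            raise ValueError(f"unsupported resource type {event['ResourceType']}")
        return build_response(event, "SUCCESS", data)
    except (KeyError, ValueError) as exc:
        return build_response(event, "FAILED", reason=str(exc))
```

A template would then use `!GetAtt WebSG.GroupId` or `!Split [",", !GetAtt Subnets.SubnetIds]` instead of hard-coded IDs.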
29. Policy is a verb, not a noun – IAM policies
Lifecycle: Collect → Analyze → Develop & deploy → Operate (policies)
30. Access guardrails – IAM
Developers/operations:
• Federated login
• API token vending machine
• Have appropriate access to use all AWS CloudFormation custom resources
AWS CloudFormation custom resource for IAM policies:
• Create IAM policies only through an AWS CloudFormation custom resource
• Attach policies and create roles
• IAM resources must be scoped to an appropriate path
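An added example (not LogMeIn's code) of the governance checks a custom resource for IAM policies could run before it creates the policy: it rejects Allow statements whose IAM resources sit outside an approved path, Allow on `Resource: "*"`, grants by exclusion (`NotAction`/`NotResource`), and any Allow that covers the high-blast-radius network actions from the explicit-deny example earlier in the deck. The `/app/` path requirement and the account number are hypothetical.

```python
# Added example: policy checks for a Lambda-backed IAM policy custom resource.
# The rules below are hypothetical readings of the guardrails on the slides.
import fnmatch
import json
import re

# Hypothetical: every IAM principal or policy must live under the /app/ path.
APPROVED_IAM_RESOURCE = re.compile(r"^arn:aws:iam::\d{12}:(role|policy|user|group)/app/.+$")
# Actions taken from the explicit-deny example on the IAM policy examples slide.
HIGH_BLAST_RADIUS = {"ec2:AttachInternetGateway", "ec2:AssociateRouteTable",
                     "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def validate_policy(document):
    """Return the list of violations for a policy document (dict or JSON string)."""
    doc = json.loads(document) if isinstance(document, str) else document
    violations = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        if "NotAction" in st or "NotResource" in st:
            violations.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(st.get("Action", [])):
            # IAM action names are case-insensitive; wildcards like "ec2:*" cover the blocked set
            if any(fnmatch.fnmatchcase(b.lower(), action.lower()) for b in HIGH_BLAST_RADIUS):
                violations.append(f"statement {i}: allows high-blast-radius action {action}")
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                violations.append(f"statement {i}: Allow on Resource '*'")
            elif resource.startswith("arn:aws:iam:") and not APPROVED_IAM_RESOURCE.match(resource):
                violations.append(f"statement {i}: IAM resource {resource} is outside the /app/ path")
    return violations
```

An empty list means the custom resource may proceed to create the policy; anything else becomes the FAILED reason in the stack events.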
31. Why is IAM so hard?
32. How can Zelkova help with IAM?
• Zelkova understands IAM policies
• Zelkova does not just test the policies. It formally proves that they are compliant
Analogy (right triangle with sides a, b, c): a² + b² = c²
AWS policy simulator (individual test cases): a = 3, b = 4, c = 5; a = 1, b = 1, c = 2; a = 5, b = 12, c = 13
33. Can IAM permissions boundaries help?
34. Demo
Create two AWS CloudFormation stacks:
One will create an IAM policy and instance role
• Meets our governance standards
One will start an Amazon Elastic Compute Cloud (Amazon EC2) instance
• Using the instance role from the first stack
• Select a subnet, Amazon Machine Image, security group, and VPC by name using AWS CloudFormation custom resource
36. Detective controls
• AWS Config
• Security groups
• CloudWatch
• IAM policies
• Amazon GuardDuty
StackSets help scale these to many accounts
37. Access auditing and reporting
• Aggregated CloudTrail
• Directly searchable using Amazon Athena
• Brokered access through Redash
38. Access auditing and reporting
39. Cost guardrails for dev
• Large footprint
• Don’t need 100% uptime
• Good candidate for spot
• Devs can opt in by tagging their Amazon EC2 Auto Scaling groups – Easy win
• Very little downtime when Spot Instances replaced by On-Demand
• Governance automation
• EIP release
• Detached volume deletion
40. Monitoring, detection, and response
Diagram: three stages.
Logging: CloudTrail, CloudWatch, AWS Config, Amazon VPC Flow Logs, application logs, …
Detection: IAM policy check, insecure config check, threshold alarms, ML analysis, …
Remediation: notify admins, update / terminate resources, revert changes, revoke credentials, …
Connectors between the stages: AWS Config rule, CloudWatch alarm, CloudWatch Events, human analysis.
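An added example (not LogMeIn's code) of the detection stage: since the deck routes all security-group changes through AWS CloudFormation, a CloudWatch Events rule can select the CloudTrail security-group API calls and a check can flag any made directly rather than on CloudFormation's behalf. The CloudTrail records are constructed; the check assumes that service-initiated calls carry `userIdentity.invokedBy` set to `cloudformation.amazonaws.com`.

```python
# Added example: detect security-group changes that bypassed CloudFormation.
import json

SG_EVENTS = {"CreateSecurityGroup", "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "DeleteSecurityGroup"}
TRUSTED_INVOKER = "cloudformation.amazonaws.com"  # assumed value of userIdentity.invokedBy


def event_pattern():
    """CloudWatch Events rule pattern that routes these CloudTrail calls to a detection target."""
    return {"source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventName": sorted(SG_EVENTS)}}


def out_of_band_sg_changes(records):
    """Return one finding per successful SG change not made by CloudFormation."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in SG_EVENTS or rec.get("errorCode"):
            continue  # not an SG change, or the call was denied/failed
        ident = rec.get("userIdentity", {})
        if ident.get("invokedBy") == TRUSTED_INVOKER:
            continue  # CloudFormation acting for a stack: the sanctioned path
        params = rec.get("requestParameters") or {}
        findings.append({"eventName": rec["eventName"], "groupId": params.get("groupId"),
                         "actor": ident.get("arn"), "sourceIp": rec.get("sourceIPAddress"),
                         "time": rec.get("eventTime")})
    return findings


# Constructed sample CloudTrail records (not real log data).
SAMPLE_TRAIL = json.loads("""[
 {"eventTime": "2018-11-29T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
  "sourceIPAddress": "cloudformation.amazonaws.com",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/deploy/cfn",
                   "invokedBy": "cloudformation.amazonaws.com"},
  "requestParameters": {"groupId": "sg-0a1b2c3d"}},
 {"eventTime": "2018-11-29T10:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/dev1"},
  "requestParameters": {"groupId": "sg-0a1b2c3d"}},
 {"eventTime": "2018-11-29T10:06:00Z", "eventName": "DeleteSecurityGroup",
  "errorCode": "DependencyViolation", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/app/dev2"},
  "requestParameters": {"groupId": "sg-0d4e5f6a"}}
]""")
```

Each finding carries what the remediation stage needs to notify admins or revert the change through the CloudFormation path.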
41. Evolution and summary
Sample maturity stages:
Stage 1: IAM users and groups; manual policy management; minimal automation; manual policy deviation checks
Stage 2: Federated users; infrastructure as code; automated governance checks; metrics and usage analysis
Stage 3: Automated permissions; CI/CD policy pipeline; brokered access to sensitive actions; adaptive policy management
42. Related breakouts
Friday, Nov 30
Mastering Identity at Every Layer of the Cake
10:00 a.m. - 11:00 a.m. | Venetian, Level 4, Delfino 4005
Friday, Nov 30
Adding the Sec to Your DevOps Pipelines
8:30 a.m. - 10:45 a.m. | Venetian, Level 4, Marcello 4403
Friday, Nov 30
Securely Deploying at Scale
8:30 a.m. - 9:30 a.m. | Mirage, Antigua A
43. Resources
Slides will be available on SlideShare. Recording will be available on YouTube.
IAM friendly names and paths
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names
AMI ID lookup AWS CloudFormation custom resource
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-custom-resources-lambda-lookup-amiids.html
Redash with Athena JDBC
https://blog.redash.io/amazon-athena-in-redash-support-6b71c91aa747
Zelkova/Tiros:
https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/
https://aws.amazon.com/security/provable-security/
Terminal plugin for Atom text editor
https://atom.io/packages/platformio-ide-terminal
44. Thank you!
Cameron Worrell, Solutions Architect, AWS
Brian Galura, Principal Technical Operations Architect, LogMeIn Inc.