The Zen of governance - Establish guardrails and empower builders - SVC201 - Atlanta AWS Summit
1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. S U M M I T
The Zen of governance:
Establish guardrails and empower builders
Sam Hennessy
Solutions architect
Amazon Web Services
SVC201
2. Once upon a time …
3. The story
Diagram: product owners, developers, IT operations, QA and security each sit behind their own wall, with numbered steps (1 to 6) passing work over the walls between them.
4. Competing priorities
Lack of understanding
Wildly different environments
No singular tool chain
Slow
Repetitive workflows
Lack of security influence
Everyone is frustrated (usually with each other)
Does this work?
5. Just do DevOps
6. Who is responsible for what
Responsible for
Their
product
Deployment tools
CI/CD tools
Monitoring tools
Metrics tool
Logging tools
APM tools
Infrastructure provisioning
tools
Security tools
Database management tools
Testing tools
….
Not responsible for
7. Who is responsible for what
Who does QA?
• The team
Who is responsible to deliver a secure product?
• The team
Who is responsible to operate and maintain the product?
• The team
Who is responsible for production failures and issues (on call)?
• The team
Who is responsible for monitoring, logging, and application analysis?
• The team
Do you see a pattern?
8. This will solve all my problems?
Not quite …
9. The challenges
Training
Tools
Processes
Bottlenecks
10. Training
Quality
Security
Operations
11. The bottlenecks
Security and compliance validation
Software release
Infrastructure provisioning
Account provisioning
12. Self-service is the key to scalability
13. You want to let whom do what?
14. Guardrails to the rescue
Secure SDLC (sSDLC)
Separation of duties
Logging
15. Guardrails enablement tools
16. sSDLC: Software guardrails
Code review
Authorization controls
Security testing
Separation of duties
Security monitoring
Audit trail
Security training
17. Separation of duties: Isolation guardrails
Account throttling and limits
Minimal permission
Reduce blast radius
Framework compliance
18. Separation of duties: Tools and processes
Tools should be managed like internal services
Teams should manage the access and availability of the tools, not their use
Ask why self-service cannot be used, instead of why it should be used
19. Separation of duties: Production
Diagram: within the AWS Cloud, a shared services account hosting the CI/CD tools, separate QA, staging and production environments, and logging and change control alongside them.
20. Logging: Tracking guardrails
Change control
Centralized collection
Don’t just let logs sit there
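As an added example (not from the talk), the block below is the kind of check that turns centrally collected logs into change control: it runs over constructed CloudTrail records and flags mutating API calls in the production account that did not come through the CI/CD deployment role, plus any call that switches off logging or configuration recording. The account ID, role names and sample records are assumptions.

```python
"""Change-control guardrail over CloudTrail records (added example, not from the talk).

Flags (1) mutating API calls in the production account made by anything other
than the CI/CD deployment role and (2) calls that switch off the audit trail
itself.  Account ID, role names and the sample records below are assumptions.
"""
from collections import Counter

PROD_ACCOUNT = "111111111111"                                      # assumed production account
DEPLOY_ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/cicd-deploy"  # assumed pipeline role

# API names starting with these prefixes only read state; anything else is a change.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup", "Head", "Search")

# Calls that weaken the guardrails themselves are findings no matter who makes them.
TAMPER_EVENTS = {
    "StopLogging", "DeleteTrail",                                # cloudtrail
    "StopConfigurationRecorder", "DeleteConfigurationRecorder",  # config
}


def actor_arn(record: dict) -> str:
    """Resolve the principal: for role sessions report the role, not the session ARN,
    so every session of the deployment role compares equal."""
    identity = record["userIdentity"]
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["arn"]
    return identity["arn"]


def is_mutating(event_name: str) -> bool:
    return not event_name.startswith(READ_ONLY_PREFIXES)


def find_out_of_band_changes(records, prod_account=PROD_ACCOUNT, deploy_role=DEPLOY_ROLE_ARN):
    """Return one finding per record that violates change control, in record order."""
    findings = []
    for rec in records:
        name, actor = rec["eventName"], actor_arn(rec)
        base = {"time": rec["eventTime"], "account": rec["recipientAccountId"],
                "event": f'{rec["eventSource"]}:{name}', "actor": actor}
        if name in TAMPER_EVENTS:
            findings.append({**base, "severity": "high",
                             "reason": "audit/compliance guardrail disabled"})
        elif rec["recipientAccountId"] == prod_account and is_mutating(name) and actor != deploy_role:
            findings.append({**base, "severity": "medium",
                             "reason": "production change outside the CI/CD pipeline"})
    return findings


def changes_by_actor(findings) -> Counter:
    """Who is making out-of-band changes, and how often: the metric to put on a dashboard."""
    return Counter(f["actor"] for f in findings)


def _user(name, account=PROD_ACCOUNT):
    return {"type": "IAMUser", "arn": f"arn:aws:iam::{account}:user/{name}"}


def _role_session(role, session, account=PROD_ACCOUNT):
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::{account}:assumed-role/{role}/{session}",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{account}:role/{role}"}}}


# Constructed sample records, trimmed to the CloudTrail fields used above.
SAMPLE_EVENTS = [
    {"eventTime": "2019-05-20T10:01:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "UpdateStack", "recipientAccountId": PROD_ACCOUNT,
     "userIdentity": _role_session("cicd-deploy", "codepipeline")},  # expected deployment
    {"eventTime": "2019-05-20T10:05:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "DescribeStacks", "recipientAccountId": PROD_ACCOUNT,
     "userIdentity": _user("alice")},                                # read-only, ignored
    {"eventTime": "2019-05-20T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "recipientAccountId": PROD_ACCOUNT,
     "userIdentity": _user("alice")},                                # manual production change
    {"eventTime": "2019-05-20T10:09:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "recipientAccountId": PROD_ACCOUNT,
     "userIdentity": _role_session("ops-admin", "bob")},             # guardrail tampering
    {"eventTime": "2019-05-20T10:11:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "recipientAccountId": "222222222222",
     "userIdentity": _user("bob", "222222222222")},                  # dev account, out of scope
]

if __name__ == "__main__":
    for f in find_out_of_band_changes(SAMPLE_EVENTS):
        print(f'{f["time"]} {f["severity"]:6} {f["actor"]} {f["event"]}: {f["reason"]}')
```

Run against the five constructed records, the check reports two findings: the manual security-group change by a human in production and the StopLogging call; the pipeline deployment, the read-only call and the change in the non-production account pass through. In practice this logic sits behind the centralized collection point (the organization trail in the logging account), not on each application account.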
21. Guardrails at scale
22. Multi-account
Centralized management
Access administration
Easy auditing
Security assets
Diagram: AWS Cloud with an Organizations master account, a shared services account, and a security and logging account.
23. Multi-account: Provisioning
Organizations
Homegrown
AWS Landing Zones
AWS Control Tower
Amazon CloudWatch, IAM, AWS CloudTrail, AWS Systems Manager documents
24. Multi-account: Continuous compliance
AWS Config
AWS Systems Manager
AWS CloudFormation drift detection
AWS CloudTrail
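AWS Config is the continuous-compliance tool in this list: it records every resource's configuration and evaluates it against rules, including custom rules you write as Lambda functions. As an added example (not from the talk), the handler below marks a security group non-compliant when it exposes anything other than an allowed port list to the world. The rule parameter name `allowedPorts` and the sample configuration items are assumptions of this example; the event fields and the `put_evaluations` call are those AWS Config passes to and expects from a custom Lambda rule.

```python
"""AWS Config custom rule: no security group world-reachable except on allowed ports.

Added example, not from the talk.  evaluate_compliance() is pure so it can run
offline against the constructed configuration items at the bottom; lambda_handler()
is the entry point AWS Config invokes.  The parameter name 'allowedPorts' is an
assumption of this example.
"""
import json

WORLD = {"0.0.0.0/0", "::/0"}


def parse_allowed_ports(text: str) -> set:
    """'80, 443' -> {80, 443}; an empty string means nothing may be world-reachable."""
    return {int(p) for p in text.split(",") if p.strip()}


def evaluate_compliance(item: dict, allowed_ports: set):
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"

    violations = []
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        if not cidrs & WORLD:
            continue                                 # not exposed to the world
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "udp"):              # "-1" (all traffic), icmp, ...
            violations.append("all traffic" if proto == "-1" else proto)
            continue
        lo, hi = perm["fromPort"], perm["toPort"]
        if not set(range(lo, hi + 1)) <= allowed_ports:
            violations.append(f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}")

    if violations:
        return "NON_COMPLIANT", "world-reachable: " + ", ".join(violations)
    return "COMPLIANT", "only allowed ports are world-reachable"


def lambda_handler(event, context):
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:        # oversized items arrive as a summary only; not handled here
        return
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = parse_allowed_ports(params.get("allowedPorts", "80,443"))
    compliance, note = evaluate_compliance(item, allowed)

    import boto3  # imported here so the evaluation logic above stays testable without the SDK
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],    # AWS Config caps annotations at 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )


def _sg(sg_id, permissions):
    """Constructed configuration item in the shape AWS Config records for a security group."""
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": sg_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2019-05-20T10:00:00.000Z",
            "configuration": {"groupId": sg_id, "ipPermissions": permissions}}


# Constructed samples: a web tier (HTTPS public, SSH internal), SSH open over IPv6, all traffic open.
SAMPLE_WEB = _sg("sg-0web", [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
])
SAMPLE_OPEN_SSH = _sg("sg-0ssh", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
])
SAMPLE_ALL_TRAFFIC = _sg("sg-0all", [
    {"ipProtocol": "-1", "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
])

if __name__ == "__main__":
    for sg in (SAMPLE_WEB, SAMPLE_OPEN_SSH, SAMPLE_ALL_TRAFFIC):
        print(sg["resourceId"], *evaluate_compliance(sg, {80, 443}))
```

Because the decision is a pure function of the configuration item, the same code gives a deterministic answer whether Config triggers it on a change, on a schedule, or you replay recorded items from the history; that is what makes the result continuous rather than a point-in-time audit.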
25. Multi-account: Example
Diagram: AWS Organizations with master, security and shared accounts and SCPs applied; application accounts provisioned by AWS Landing Zone, AWS Control Tower or a homegrown solution; AWS Service Catalog, AWS Config, AWS Systems Manager and shared production tools serving the application accounts; AWS CloudTrail across all accounts.
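The SCPs in the diagram are what make the multi-account layout a guardrail rather than just a folder structure: an SCP is applied from the organization and cannot be undone by any principal inside the member account. As an added example (not from the talk, and not AWS's own evaluation engine), the block below holds an SCP with three common guardrails and a small evaluator for the parts of the policy language it uses (Action/NotAction wildcards, StringEquals/StringNotEquals and ArnLike/ArnNotLike conditions), so the deny decisions can be checked offline. The region list, role name and account IDs are assumptions; a full evaluation also needs an Allow in the SCP chain and in the principal's IAM policy, which the example does not model.

```python
"""Service control policy (SCP) guardrails with an offline deny check.

Added example, not from the talk and not AWS's evaluation engine: it models only
the Deny side of SCPs for the operators used below.  Regions, role and account
identifiers are assumptions.
"""
from fnmatch import fnmatchcase

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reduce blast radius: nothing may be created outside the approved regions.
            # Global services are exempted because their requests carry no usable region.
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*",
                          "cloudfront:*", "route53:*", "waf:*", "budgets:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}},
        },
        {   # Protect the audit trail: only the org security role may stop CloudTrail/Config recording.
            "Sid": "ProtectLoggingAndCompliance",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/OrgSecurityAdmin"}},
        },
        {   # Accounts cannot remove themselves from the organization (and so from its SCPs).
            "Sid": "DenyLeavingOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """All operator/key pairs must hold.  Negated operators hold when the key is absent,
    positive ones do not, matching IAM's treatment of missing context keys."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                ok = actual in _as_list(expected)
            elif op == "StringNotEquals":
                ok = actual not in _as_list(expected)
            elif op in ("StringLike", "ArnLike"):
                ok = actual is not None and any(fnmatchcase(actual, p) for p in _as_list(expected))
            elif op in ("StringNotLike", "ArnNotLike"):
                ok = actual is None or not any(fnmatchcase(actual, p) for p in _as_list(expected))
            else:
                raise ValueError(f"condition operator not modelled: {op}")
            if not ok:
                return False
    return True


def denied_by(scp, action, ctx):
    """Sid of the first Deny statement that matches the request context, or None."""
    for st in scp["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "Action" in st:
            hit = _action_matches(st["Action"], action)
        else:
            hit = not _action_matches(st["NotAction"], action)
        if hit and _condition_holds(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None


DEV_ROLE = "arn:aws:iam::111111111111:role/developer"         # assumed principals
SEC_ROLE = "arn:aws:iam::111111111111:role/OrgSecurityAdmin"

if __name__ == "__main__":
    for action, ctx in [
        ("ec2:RunInstances", {"aws:RequestedRegion": "ap-southeast-2", "aws:PrincipalARN": DEV_ROLE}),
        ("ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1", "aws:PrincipalARN": DEV_ROLE}),
        ("cloudtrail:StopLogging", {"aws:RequestedRegion": "us-east-1", "aws:PrincipalARN": DEV_ROLE}),
        ("cloudtrail:StopLogging", {"aws:RequestedRegion": "us-east-1", "aws:PrincipalARN": SEC_ROLE}),
    ]:
        verdict = denied_by(GUARDRAIL_SCP, action, ctx) or "not denied by SCP"
        print(f"{action:28} {ctx['aws:RequestedRegion']:15} -> {verdict}")
```

The third statement is the one that makes the other two stick: without it a compromised or careless account admin could leave the organization and take the SCPs with it. The region guardrail uses NotAction rather than Action so that the deny applies to every service by default and only the explicitly listed global services are exempt, which is the safer direction for a new service to land in.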
26. Resource provisioning
Should be part of CI/CD process
AWS CloudFormation
AWS Service Catalog
AWS OpsWorks
27. Resource provisioning: Processes
Pipeline stages (AWS CodeCommit, AWS CodeBuild and AWS CodeDeploy, orchestrated by AWS CodePipeline), each with its own testing and security activities:
Source: peer review, static code analysis, linters, style guides
Build: unit testing (functional and security)
Release: integration testing, performance testing, UAT, pen/vuln testing, smoke testing
28. Recap
DevOps is a good starting point
Self-service is the key to enablement
Multi-account tooling
Centralized governance; tighten controls to loosen innovation
29. Thank you!
Sam Hennessy