DevopsDays Geneva 2020 - Compliance & Governance as Code
1. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark.
Compliance & Governance as code
DevopsDays Geneva 2020
Jérôme Van Der Linden, AWS Solutions Architect
Bashar Al-Fallouji, AWS Solutions Architect
3.
If only we had more time…
4.
The professional adventures of Leon
5.
6.
Every BIG story has a humble beginning…
7.
Every BIG story has a humble beginning…
Architecture: AWS Cloud with two Amazon EC2 instances, Amazon RDS MySQL, DNS and Storage (S3)
8.
Initial state
9.
AWS Account(s) at Unicorn Rentals
• Frontend: Dev, Test, Staging, Prod
• Backend: Dev, Test, Staging, Prod
10.
AWS Account as a Perimeter
• Security/Resource Boundary
• Service Limits
• Billing Separation
11.
12.
Why is one account sometimes not enough?
AWS Account as a Perimeter
• Many Teams
• Isolation
• Security Controls
• Business Process
• Billing
13.
AWS Accounts at Unicorn Rentals (simplified)
• Frontend Dev
• Backend
• Analytics
• AI/ML
15.
Governance: Provision, Operate, Stability, Security & Compliance
Agility: Experiment, Be productive, Deliver faster
16.
DevSecOps
Culture: Break down cultural barriers; Work as one team; Support business and IT agility; Collaborate and communicate
Process: Assurance artifacts; Security Automation; Test, measure, and monitor
17.
Shared Responsibility in the Enterprise
AWS (Foundation Services: Compute, Storage, Database, Networking; AWS Global Infrastructure: Regions, Availability Zones, Edge Locations):
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
Enterprise Security (Governance & Risk, Business, Security, Operations, Compliance):
• Lead change
• Audits & assurance
• Protection of workloads, shared services, interconnects
• MSB definition
• Cloud security operations
Product & Platform Teams:
• MSB customization
• Application/Platform infrastructure
• Security development lifecycle
18.
Enable Governance at Scale
• Set up a landing zone
• Establish guardrails
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
19.
Enable Governance at Scale
• Set up a landing zone
• Establish guardrails
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
20.
21.
What is a landing zone?
• A configured, secure, scalable, multi-account AWS environment based on AWS best practices
• A starting point for net new development and experimentation
• A starting point for migrating applications
• An environment that allows for iteration and extension over time
22.
AWS Organizations
Centrally govern and manage AWS accounts and resources
• Control access and permissions
• Share resources across accounts
• Manage and define your organization and accounts
• Audit, monitor, and secure your environment for compliance
• Centrally manage costs and billing
23.
AWS Organizations
Concepts: Organization, Member account, Master account, Organizational unit (OU), Administrative root (of an Organization), Service control policy (SCP)
Example organization: ROOT containing OU (BU1), OU (BU2), OU (ADM)
24.
What accounts should I create?
Core Accounts: AWS Organizations: Master Account; Security; Shared Services; Network; Log Archive
Team/BU/Project/… Accounts: Dev; Pre-Prod; Prod; Team Shared Services
Developer Accounts: Developer Sandbox
Network Path: Data Center
• Orgs: Account management
• Log Archive: Logs centralization
• Security: Security tools, AWS Config rules
• Shared services: Directory, limit monitoring
• Network: Direct Connect
• Dev Sandbox: Experiments, Learning
• Dev: Development
• Pre-Prod: Staging
• Prod: Production
• Team SS: Team Shared Services, Data Lake
25.
Baseline requirements for all accounts
• InfoSec’s Cross-Account Roles
• AWS Account Credential Management (“Root Account”)
• Federation
• Actions & Conditions
• Map Enterprise Roles
• AWS CloudTrail Enabled
26.
27.
AWS Control Tower
• Account Management
• Guardrail Enforcement
• Landing Zone
Underlying building blocks: AWS Landing Zone, AWS Organizations
28.
Enable Governance at Scale
• Set up a landing zone
• Centralize identity and access
• Manage continuously
• Automate compliant account provisioning
• Establish guardrails
29.
AWS Service Catalog
Administrators: Standardize, Control, Govern
Users: Agility, Self-Service, Time to Market
Allows organizations to create and manage catalogs of IT services and software on AWS. Users can quickly deploy approved IT services in a self-service manner.
30.
AWS Service Catalog
Constraints: ✓ Security controls ✓ Parameter validation ✓ IAM assignment ✓ Tag enforcement
Standardizes best practices
Product sources: CloudFormation or Terraform (AWS Product/Service); AWS Marketplace third-party products; Customer-created AWS-based solution
AWS Service Catalog Admin
31.
32.
Enable Governance at Scale: Preventive Guardrails
• Set up a landing zone
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
• Establish guardrails
33.
Preventive Guardrails with Service Control Policies (SCPs)
• Control which AWS service APIs are accessible
• Define the list of APIs that are allowed (whitelisting)
• Define the list of APIs that must be blocked (blacklisting)
34.
35.
Inventory resources – the importance of Tags
• Operational support: Resource management
• Cost & Usage allocation: Enable cost and usage reporting and alerting
• Automation: Trigger automation events
• Control & compliance: Attribute based access control
36.
Inventory resources – Build a Tagging strategy
Steps: Define a tagging taxonomy; Publish a tagging dictionary; Define the “rules of the game”; Enforce rules
Example tagging dictionary (categories: Business, Technical, Security, Automation):
lob=[HR|Fin|…]
cost-center=[C2309|…]
owner=project-lead@comp.com
application=Titan
name=Titan-Backend-Database
env=[dev|test|prod]
version=2.0.1
confidentiality=[Confidential|…|Public]
Security tags: Confidentiality; Automation tags: Opt-in/Opt-out
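A tagging dictionary is only enforceable once it is written down as rules a machine can check. The block below is an added example (not code from the talk) that encodes the slide's sample dictionary as a validator, the kind of check a CI pipeline or a custom Config rule would run before or after a resource is created. The allowed value lists stand in for the "…" on the slide and the set of mandatory tags is an assumption; both would come from your own tagging dictionary.

```python
"""Validate resource tags against a tagging dictionary (added example)."""
import re

# Tagging dictionary: tag key -> rule. A list means "one of these values",
# a compiled pattern means "must match", None means "any non-empty value".
# Values marked (constructed) are assumptions filling the "..." on the slide.
TAG_DICTIONARY = {
    "lob": ["HR", "Fin", "Eng"],                          # "Eng" is constructed
    "cost-center": re.compile(r"^C\d{4}$"),               # e.g. C2309, C3409
    "owner": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),   # an e-mail address
    "application": None,
    "name": None,
    "env": ["dev", "test", "prod"],
    "version": re.compile(r"^\d+\.\d+\.\d+$"),            # semantic version, e.g. 2.0.1
    "confidentiality": ["Confidential", "Internal", "Public"],  # "Internal" is constructed
}

# "Rules of the game" (assumption): tags every resource must carry.
MANDATORY_TAGS = ("lob", "cost-center", "owner", "env", "confidentiality")

# The example resource from the slide, expressed as a tag map.
SAMPLE_TAGS = {
    "lob": "HR",
    "cost-center": "C2309",
    "owner": "project-lead@comp.com",
    "application": "Titan",
    "name": "Titan-Backend-Database",
    "env": "prod",
    "version": "2.0.1",
    "confidentiality": "Confidential",
}


def validate_tags(tags):
    """Return a sorted list of violations; an empty list means the tags comply.

    Tag keys are compared case-sensitively, as AWS does."""
    violations = []
    for key in MANDATORY_TAGS:
        if not tags.get(key):
            violations.append(f"missing mandatory tag '{key}'")
    for key, value in tags.items():
        if key not in TAG_DICTIONARY:
            violations.append(f"tag '{key}' is not in the tagging dictionary")
            continue
        if not value:
            if key not in MANDATORY_TAGS:  # mandatory empties were reported above
                violations.append(f"tag '{key}' must not be empty")
            continue
        rule = TAG_DICTIONARY[key]
        if isinstance(rule, list) and value not in rule:
            violations.append(f"tag '{key}' has value '{value}', allowed values: {rule}")
        elif isinstance(rule, re.Pattern) and not rule.match(value):
            violations.append(f"tag '{key}' has value '{value}' that does not match the required format")
    return sorted(violations)


def is_compliant(tags):
    """Convenience wrapper for a pass/fail gate."""
    return not validate_tags(tags)


if __name__ == "__main__":
    for violation in validate_tags({"lob": "Sales", "cost-center": "2309", "env": "production"}):
        print(violation)
```

Running the module prints the violations for a deliberately wrong tag set; wiring `is_compliant` into a pipeline gate gives the "enforce rules" step of the strategy without relying on people to remember the dictionary.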
37.
Catch up untagged resources with Resource Groups Tag Editor
38.
39.
Automate: On-Create Tagging with CloudFormation
  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: '10.42.0.0/16'
      Tags:
        - Key: Name
          Value: '10.42.0.0/16'
        - Key: CostCenter
          Value: 'C3409'
        - Key: Environment
          Value: 'prod'
40.
Enforce Tagging with Service Control Policies
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstanceWithNoCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    }
  ]
}
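The `Null` condition operator is the part of this SCP that trips people up: `"aws:RequestTag/CostCenter": "true"` matches when the request carries no `CostCenter` tag at all, so the Deny fires exactly on untagged launches. The block below is an added example (not code from the talk or from AWS) that simulates the evaluation for the subset of policy grammar used on the slide, so both the tag-enforcing SCP and the whitelisting/blacklisting shape of the preventive guardrails slide can be tried offline. It assumes the usual `FullAWSAccess` allow statement sits alongside the Deny, which is how a blacklisting organization is normally set up; the account id and instance id in the usage are made up. Real IAM evaluation has far more rules (policy types, NotAction, wildcards in keys) than this covers.

```python
"""Minimal SCP evaluator for Effect/Action/Resource and the Null and
StringEquals condition operators (added example, not an AWS library)."""
import fnmatch
import json

# The SCP from the slide plus the default FullAWSAccess statement that a
# blacklisting (deny-list) organization keeps attached so everything else is allowed.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {
      "Sid": "DenyRunInstanceWithNoCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*"],
      "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """All operator blocks in a Condition must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                # "true" matches when the key is absent from the request context,
                # "false" when it is present: this is how tag presence is enforced.
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is outside this example")
    return True


def _statement_applies(statement, action, resource, context):
    """Action and Resource use IAM-style '*' wildcards; Condition must match too."""
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, pattern) for pattern in resources):
        return False
    return _condition_matches(statement.get("Condition", {}), context)


def evaluate_scp(policy, action, resource, context):
    """Return "Deny" or "Allow". An explicit Deny always wins; with no matching
    Allow the result is an implicit Deny (an SCP grants nothing by default)."""
    allowed = False
    for statement in policy["Statement"]:
        if not _statement_applies(statement, action, resource, context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    instance = "arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0"  # constructed
    print(evaluate_scp(SCP, "ec2:RunInstances", instance, {}))                              # Deny
    print(evaluate_scp(SCP, "ec2:RunInstances", instance, {"aws:RequestTag/CostCenter": "C3409"}))  # Allow
```

Removing the `FullAWSAccess` statement turns the same evaluator into the whitelisting model from the preventive guardrails slide: with no Allow left, every action is implicitly denied until one is listed.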
41.
From: Hans Zummer <Hans.Zummer@unicorn-rentals.ch>
Date: Monday, 3 February 2018 at 11:00
To: “Leon” <leon@unicorn-rentals.ch>
Subject: SSH Access to our servers
I’ve been told by one of my security engineers that the VM daniela-0042 has SSH open to the world!
Can you tell me what happened?
Regards,
Hans
Head of Security
42.
Capture and analyze activity with AWS CloudTrail
• Capture: Record activity as CloudTrail events
• Act: Trigger actions when important events are detected
• Store: Retain event logs in a secure S3 bucket
• Review: Analyze recent events and logs with Amazon Athena or CloudWatch Logs Insights
43.
Investigate a resource configuration change with CloudTrail
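Answering Hans's "what happened?" means finding the `AuthorizeSecurityGroupIngress` call that opened port 22 to `0.0.0.0/0` (or `::/0`) and who made it. The block below is an added example (not code from the talk) that runs that query over CloudTrail records, the same thing an Athena query over the trail bucket would do, on a few constructed records embedded inline. The record layout follows the CloudTrail format for EC2 API calls (`requestParameters.ipPermissions.items[]` with nested `ipRanges`/`ipv6Ranges`); the account id, user names, group ids and source addresses are made-up values.

```python
"""Find CloudTrail events that opened a port to the world (added example)."""

# Constructed CloudTrail records, trimmed to the fields the analysis needs.
SAMPLE_RECORDS = [
    {
        "eventTime": "2018-02-02T16:41:07Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-central-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/daniela"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
        },
    },
    {
        "eventTime": "2018-02-02T16:45:12Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-central-1",
        "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/leon"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
        },
    },
    {
        "eventTime": "2018-02-02T17:02:55Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-central-1",
        "sourceIPAddress": "203.0.113.12",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/ops"},
        "requestParameters": {
            "groupId": "sg-0fedcba9876543210",
            # ipProtocol "-1" means all protocols and all ports
            "ipPermissions": {"items": [{
                "ipProtocol": "-1", "fromPort": -1, "toPort": -1,
                "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]},
        },
    },
]

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _covers_port(permission, port):
    """True if an ipPermissions entry includes the TCP port; "-1" means everything."""
    if permission.get("ipProtocol") == "-1":
        return True
    if permission.get("ipProtocol") != "tcp":
        return False
    return permission.get("fromPort", -1) <= port <= permission.get("toPort", -1)


def _world_open(permission):
    """True if any IPv4 or IPv6 range in the entry is the whole internet."""
    cidrs = [r.get("cidrIp") for r in permission.get("ipRanges", {}).get("items", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", {}).get("items", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def find_world_open_port_events(records, port=22):
    """Return one finding per event that opened `port` to the world: who, when, from
    where, and which security group."""
    findings = []
    for record in records:
        if record.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = record.get("requestParameters", {})
        for permission in params.get("ipPermissions", {}).get("items", []):
            if _covers_port(permission, port) and _world_open(permission):
                findings.append({
                    "time": record["eventTime"],
                    "who": record["userIdentity"]["arn"],
                    "source_ip": record.get("sourceIPAddress"),
                    "group_id": params.get("groupId"),
                    "protocol": permission.get("ipProtocol"),
                })
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for finding in find_world_open_port_events(SAMPLE_RECORDS):
        print(f"{finding['time']} {finding['who']} opened {finding['group_id']} "
              f"(proto {finding['protocol']}) from {finding['source_ip']}")
```

The third record shows the edge case worth remembering in a review: a rule for all protocols (`-1`) or an IPv6 `::/0` range exposes SSH just as much as an explicit TCP/22 rule, and a query that only looks for `fromPort = 22` and `cidrIp = 0.0.0.0/0` misses both.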
44.
Re: SSH Access to our servers
That’s nice, but how can you DETECT IT FASTER and AVOID this HAPPENING AGAIN?
45.
Enable Governance at Scale: Detective Guardrails
• Set up a landing zone
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
• Establish guardrails
46.
Configuration management (diagram: Rule, Rule, Rule)
47.
Configuration management with AWS Config
• Continuous recording and continuous assessment service
• Tracks configuration changes to AWS resources
• Alerts you if the configuration is non-compliant with your policies
• Automated remediation of non-compliant resources
• Control and manage custom resources
Flow: Changing resources → AWS Config (Normalized) → Config rules → Amazon SNS Topic, CloudWatch Events, AWS Systems Manager Automation, AWS API Endpoint
48.
Detect non-compliance with AWS Config Rules
• Config Rules represent the ideal configuration settings
• Config Rules are triggered on each resource configuration change
• AWS provides more than 120 managed Rules (120+ AWS Config Managed Rules)
• Ex: Approved AMIs, Enforce Tags, EBS Volumes encrypted, RDS multi-AZ, CloudTrail enabled, MFA Enabled, S3 Public Read prohibited, …
• … and Restricted SSH
49.
Remediate non-conformity with AWS Systems Manager Automation
• Automate common and repetitive IT operations and management tasks
• 60+ predefined “Documents” (or Playbooks) describe actions to perform
• Ex: AttachIAMToInstance, CreateSnapshot, ResizeInstance, DisableS3BucketPublicReadWrite…
• … and DisablePublicAccessForSecurityGroup
50.
Enforce conformity with Config Rules and Systems Manager
51.
Simplify compliance checks with AWS Security Hub
52.
Compliance - Custom Rule Example
Rule.Lambda.001: “Any environment variable defined in a Lambda function must be encrypted using a Customer Master Key”
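Rule.Lambda.001 is a good candidate for a custom Config rule because no managed rule expresses it. The block below is an added example (not the speakers' code) of the evaluation logic such a rule would run, in the shape the AWS Config RDK generates: a pure `evaluate_compliance` function that can be unit-tested offline, and a `lambda_handler` that reports the verdict through `PutEvaluations`. It assumes the configuration item for an `AWS::Lambda::Function` carries the function's `environment.variables` and `kmsKeyArn` fields as the Lambda API returns them; when `kmsKeyArn` is absent, Lambda encrypts environment variables with the AWS-managed key, which is exactly what the rule forbids. The `RequiredKeyArnPrefix` rule parameter, the function name and the key ARN in the sample item are hypothetical.

```python
"""Custom AWS Config rule: Lambda environment variables must be encrypted
with a customer master key (added example)."""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_compliance(configuration_item, required_key_arn_prefix=None):
    """Return (compliance_type, annotation) for one configuration item.

    required_key_arn_prefix (hypothetical rule parameter) optionally restricts
    the CMK to keys in a given account/region, e.g. "arn:aws:kms:eu-west-1:"."""
    if configuration_item.get("resourceType") != "AWS::Lambda::Function":
        return NOT_APPLICABLE, "Rule applies to Lambda functions only"
    config = configuration_item.get("configuration") or {}
    variables = (config.get("environment") or {}).get("variables") or {}
    if not variables:
        return COMPLIANT, "No environment variables defined"
    key_arn = config.get("kmsKeyArn")
    if not key_arn:
        return NON_COMPLIANT, (f"{len(variables)} environment variable(s) encrypted with "
                               "the AWS-managed key instead of a customer master key")
    if required_key_arn_prefix and not key_arn.startswith(required_key_arn_prefix):
        return NON_COMPLIANT, f"kmsKeyArn {key_arn} is not under the approved key prefix"
    return COMPLIANT, f"Environment variables encrypted with {key_arn}"


def build_evaluation(configuration_item, compliance_type, annotation):
    """Shape one entry for PutEvaluations (annotations are limited to 256 chars)."""
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation[:256],
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point invoked by AWS Config on each configuration change."""
    import boto3  # imported here so the evaluation logic above stays testable offline
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    verdict, note = evaluate_compliance(item, params.get("RequiredKeyArnPrefix"))
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(item, verdict, note)],
        ResultToken=event["resultToken"],
    )
    return verdict


# Constructed configuration item for local testing: a function with a secret
# in its environment and no customer master key configured.
SAMPLE_ITEM = {
    "resourceType": "AWS::Lambda::Function",
    "resourceId": "order-service",
    "configurationItemCaptureTime": "2020-02-20T10:00:00.000Z",
    "configuration": {
        "functionName": "order-service",
        "environment": {"variables": {"DB_PASSWORD": "***"}},
        "kmsKeyArn": None,
    },
}

if __name__ == "__main__":
    print(evaluate_compliance(SAMPLE_ITEM))
```

A production rule would also handle the `isMissingConfiguration` and oversized-item notifications Config can send, but the compliance decision itself stays in `evaluate_compliance`, which is what makes the rule testable in CI before it ever touches an account.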
57.
How to get started
• Control Tower: Set up your multi-account AWS environment
• https://aws.amazon.com/controltower/
58.
How to get started
• Define your Tagging Strategy and enforce it with policies
• https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
59.
How to get started
• Enable Security Hub and CIS AWS Foundations Compliance Checks
• https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html
60.
How to get started
• Enable AWS Config and set up Config Rules with Auto-Remediations
• https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html
• Quick start: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
• Build your own: https://github.com/awslabs/aws-config-rules & https://github.com/awslabs/aws-config-rdk
61.
62.
Thank you!
http://bit.ly/2utnjM2