

[2019.12 Meetup] [LIGHTNING TALK 04] Rodrigo Nascimento - Compliance as Code

DevOps Lisbon

December 16, 2019

Transcript

  1. Compliance as code can be defined as the process of codifying an organization’s internal and external standards. The code is then used to automatically identify, report and remediate noncompliant resources. [Diagram: IDENTIFICATION → NOTIFICATION → REMEDIATION]
  2. Traceability & Feedback: ensuring that we deliver what has been promised and learning from past experiences.
  3. AWS AMI Automation Use Case. TeamCity was used to orchestrate the image creation automation. BUILD: Packer was used to create the AWS AMI (image), with Puppet applying the configuration. TEST: Terraform was used to create and destroy the test environment, and InSpec to validate the configuration. PUBLISH: the AWS CLI was used to share the image with the organisation’s other accounts. [Diagram: BUILD → TEST → PUBLISH, with a “noncompliant” branch out of TEST]
  4. AWS Centralised Compliance Management Use Case (I): AWS Security Hub Master and Member accounts. [Diagram: one Master Security Hub account with several Member Security Hub accounts]
  5. AWS Centralised Compliance Management Use Case (II): Noncompliant issues are identified by using Cloud Custodian and AWS Security Hub.
  6. AWS Centralised Compliance Management Use Case (III): Notification using CloudWatch and SNS. New findings in Security Hub trigger CloudWatch Events; CloudWatch filters the events and sends them to an SNS topic; SNS sends the notifications to subscribers.
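The identification and notification steps of slides 5 and 6, as an added example that is not part of the talk: a "Security Hub Findings - Imported" event is matched against a CloudWatch Events / EventBridge rule pattern and the matching findings are shaped into SNS publish calls. The pattern (only active findings that FAILED a check at HIGH or CRITICAL severity), the topic ARN, the account ids and the sample findings are assumptions for the example; the pattern matcher is a simplified version of EventBridge's semantics and does not implement content filters such as prefix or numeric matching.

```python
import json
from typing import Any

# Rule pattern in CloudWatch Events / EventBridge syntax. The talk does not
# show its pattern; this one is an assumption for the example: forward only
# active findings that FAILED a check at HIGH or CRITICAL severity.
EVENT_PATTERN: dict[str, Any] = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "RecordState": ["ACTIVE"],
            "Compliance": {"Status": ["FAILED"]},
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
        }
    },
}

TOPIC_ARN = "arn:aws:sns:eu-west-1:111111111111:compliance-alerts"  # assumed topic


def matches(pattern: Any, value: Any) -> bool:
    """Simplified EventBridge matching.

    A list in the pattern is a set of allowed values, a dict recurses, and an
    array in the event matches when any of its elements matches. Content
    filters (prefix, numeric, exists) are not implemented here.
    """
    if isinstance(pattern, list):
        candidates = value if isinstance(value, list) else [value]
        return any(v in pattern for v in candidates)
    if isinstance(pattern, dict):
        if isinstance(value, list):
            return any(matches(pattern, v) for v in value)
        if not isinstance(value, dict):
            return False
        return all(k in value and matches(sub, value[k]) for k, sub in pattern.items())
    return pattern == value


def finding_to_message(event: dict, finding: dict) -> dict:
    """Shape one ASFF finding into the kwargs of an sns.publish() call.
    SNS subjects are limited to 100 characters, hence the truncation."""
    resource = finding["Resources"][0]
    subject = f"[{finding['Severity']['Label']}] {finding['Title']} in {finding['AwsAccountId']}"
    body = {
        "finding_id": finding["Id"],
        "account": finding["AwsAccountId"],
        "region": event["region"],
        "resource_type": resource["Type"],
        "resource_id": resource["Id"],
        "compliance": finding["Compliance"]["Status"],
        "description": finding["Description"],
    }
    return {"TopicArn": TOPIC_ARN, "Subject": subject[:100], "Message": json.dumps(body)}


def notify(event: dict) -> list[dict]:
    """Return the SNS publish calls the rule target would make for this event.

    EventBridge fires the rule if ANY finding in the event matches but hands
    the whole batch to the target, so each finding is re-checked against the
    finding part of the pattern before it becomes a notification.
    """
    if not matches(EVENT_PATTERN, event):
        return []
    finding_pattern = EVENT_PATTERN["detail"]["findings"]
    return [
        finding_to_message(event, f)
        for f in event["detail"]["findings"]
        if matches(finding_pattern, f)
    ]


def _finding(fid: str, title: str, label: str, status: str, rtype: str, rid: str) -> dict:
    """Constructed ASFF finding carrying only the fields this example reads."""
    return {
        "SchemaVersion": "2018-10-08",
        "Id": fid,
        "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
        "AwsAccountId": "222222222222",
        "Title": title,
        "Description": f"{title} ({rid})",
        "Severity": {"Label": label},
        "Compliance": {"Status": status},
        "RecordState": "ACTIVE",
        "Resources": [{"Type": rtype, "Id": rid}],
    }


# Constructed sample event in the shape of a "Security Hub Findings - Imported"
# event aggregated from a member account: one noncompliant, one compliant finding.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "account": "111111111111",
    "region": "eu-west-1",
    "detail": {
        "findings": [
            _finding("f-001", "Security group allows SSH from 0.0.0.0/0", "HIGH", "FAILED",
                     "AwsEc2SecurityGroup",
                     "arn:aws:ec2:eu-west-1:222222222222:security-group/sg-0abc1234"),
            _finding("f-002", "S3 bucket has default encryption", "LOW", "PASSED",
                     "AwsS3Bucket", "arn:aws:s3:::example-bucket"),
        ]
    },
}

if __name__ == "__main__":
    for msg in notify(SAMPLE_EVENT):
        print(msg["Subject"])
```

In a deployed rule the pattern above is what goes into the CloudWatch Events rule and `notify` is what the target does; keeping the per-finding re-check in the target avoids paging on-call for a PASSED finding that happened to share a batch with a FAILED one.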
  7. AWS Centralised Compliance Management Use Case (IV): Remediation using Security Hub and Cloud Custodian. [Diagram: Master Account with several Member Accounts]
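The remediation step of slide 7, as an added example that is not part of the talk and not Cloud Custodian's own code: a handler for a "Security Hub Findings - Custom Action" event that revokes only the world-open parts of a security group's ingress rules and then marks the finding RESOLVED in Security Hub. The custom action name "Remediate", the account ids, the sample finding and the cross-account client factory are assumptions; in the master/member layout the master account has to assume a role in the member account that owns the resource, which `client_for` stands in for. A recording client replaces boto3 so the example runs offline.

```python
from typing import Any, Callable

ACTION_NAME = "Remediate"  # assumed name of the Security Hub custom action
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


class RecordingClient:
    """Stand-in for a boto3 client: records every call instead of sending it,
    so the example runs offline. Swap in boto3.client(...) for real use."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, dict]] = []

    def __getattr__(self, name: str) -> Callable[..., dict]:
        def call(**kwargs: Any) -> dict:
            self.calls.append((name, kwargs))
            return {}
        return call


def open_ingress(permissions: list[dict]) -> list[dict]:
    """Keep only the parts of each IpPermission that are open to the world,
    so the revoke call removes nothing a narrower rule legitimately allows."""
    out = []
    for perm in permissions:
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD_CIDRS]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD_CIDRS]
        if not (v4 or v6):
            continue
        rule = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        if v4:
            rule["IpRanges"] = v4
        if v6:
            rule["Ipv6Ranges"] = v6
        out.append(rule)
    return out


def remediate(event: dict, client_for: Callable[[str, str], Any]) -> list[str]:
    """Handle a 'Security Hub Findings - Custom Action' event.

    client_for(account_id, service) returns a client with credentials for that
    account (assumed: the master account assumes a role in the member account
    that owns the security group; findings are updated in the master account).
    Returns the ids of the findings that were remediated.
    """
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        return []
    if event["detail"].get("actionName") != ACTION_NAME:
        return []
    done = []
    for finding in event["detail"]["findings"]:
        for res in finding["Resources"]:
            sg = res.get("Details", {}).get("AwsEc2SecurityGroup")
            if not sg:
                continue  # only security groups are handled in this example
            rules = open_ingress(sg.get("IpPermissions", []))
            if not rules:
                continue
            ec2 = client_for(finding["AwsAccountId"], "ec2")
            ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=rules)
            hub = client_for(event["account"], "securityhub")
            hub.batch_update_findings(
                FindingIdentifiers=[{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
                Workflow={"Status": "RESOLVED"},
                Note={"Text": "World-open ingress revoked by automation",
                      "UpdatedBy": "compliance-as-code"},
            )
            done.append(finding["Id"])
    return done


# Constructed sample custom-action event: one finding whose security group has
# an SSH rule open to the world next to rules that must be left in place.
SAMPLE_ACTION_EVENT = {
    "version": "0",
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "account": "111111111111",
    "region": "eu-west-1",
    "detail": {
        "actionName": ACTION_NAME,
        "actionDescription": "Revoke world-open ingress",
        "findings": [{
            "Id": "f-001",
            "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
            "AwsAccountId": "222222222222",
            "Title": "Security group allows SSH from 0.0.0.0/0",
            "Resources": [{
                "Type": "AwsEc2SecurityGroup",
                "Id": "arn:aws:ec2:eu-west-1:222222222222:security-group/sg-0abc1234",
                "Details": {"AwsEc2SecurityGroup": {
                    "GroupId": "sg-0abc1234",
                    "IpPermissions": [
                        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
                        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
                    ],
                }},
            }],
        }],
    },
}

if __name__ == "__main__":
    recorder = RecordingClient()
    print(remediate(SAMPLE_ACTION_EVENT, lambda account, service: recorder))
    for name, kwargs in recorder.calls:
        print(name, kwargs)
```

The guard on `actionName` matters because every custom action defined in the account arrives with the same detail type; a rule that also matches on the action's ARN in `resources` is the usual way to scope it further in EventBridge.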