[2019.12 Meetup] [LIGHTNING TALK 04] Rodrigo Nascimento - Compliance as Code

Transcript

1. Compliance as Code A smooth approach to consume and comply

   to standards

2. Compliance as code can be defined as the process of

   codifying an organization’s internal and external standards. The code is then used to automatically identify, report and remediate noncompliant resources. IDENTIFICATION NOTIFICATION REMEDIATION

3. Some Benefits • Central Management • Visibility • Improved Quality

   • Increased Security • Reusability

4. Traceability & Feedback Ensuring that we deliver what have been

   promised and learning from past experiences.

5. Compliance as Code Tools

6. Use Cases

7. Terraform was used to create and destroy the test environment,

   and Inspec to validate configuration. TEST AWS CLI was used to share the image with other organisation’s accounts. PUBLISH Packer was used to create the AWS AMI (Image) along with Puppet to apply the configuration. BUILD AWS AMI Automation Use Case Use of TeamCity to orchestrate the image creation automation. noncompliant

8. AWS Centralised Compliance Management Use Case (I) AWS Security Hub

   Master and Member accounts Member Security Hub Master Security Hub Member Security Hub Member Security Hub Member Security Hub Member Security Hub

9. AWS Centralised Compliance Management Use Case (II) Noncompliant issues are

   identified by using Cloud Custodian and AWS Security Hub.

10. AWS Centralised Compliance Management Use Case (III) Notification using CloudWatch

    and SNS New findings in Security Hub trigger CloudWatch events. CloudWatch filters the events and send them to a SNS Topic. SNS send the notifications to subscribers.

11. AWS Centralised Compliance Management Use Case (IV) Remediation using Security

    Hub and Cloud Custodian Master Account Member Account Member Account Member Account