Compliance & Governance as code

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark.
Compliance & Governance as code
DevopsDays Geneva 2020
AWS Solutions Architect
Jérôme Van Der Linden
Bashar Al-Fallouji
AWS Solutions Architect

View Slide

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 2
Agenda
• Governance
• Norms & Processes
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• Remediation
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
• Assets
• CMDB
• Rules
• Remediation
… as code
• Governance
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• ILoveChurros
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
• Assets
• CMDB
• Rules
• IfYouCanReadThis
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• Remediation
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
• Assets
• CMDB
• Rules
• YouGotBetterEyesThanMe
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• Remediation
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
• Assets
• CMDB
• Governance
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• GreatAcronym
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
• Assets
• CMDB
• Rules

View Slide

If only we had more time…

View Slide

The professional adventures of Leon

View Slide

View Slide

Every BIG story has a humble beginning…

View Slide

Every BIG stories have a humble beginning…
AWS Cloud
Amazon EC2
Amazon RDS MySQL
DNS
Storage (S3)
Amazon EC2

View Slide

Initial state

View Slide

Frontend Dev Test Staging Prod
Backend Dev Test Staging Prod
AWS Account(s) at Unicorn Rentals

View Slide

AWS Account as a Perimeter
Security/Resource
Boundary
Service Limits
Billing Separation

View Slide

View Slide

Why sometimes one isn’t enough?
AWS Account as a Perimeter
Many Teams Isolation
Security Controls Business Process
Billing

View Slide

Frontend Dev
Backend
Analytics
AI/ML
AWS Accounts at Unicorn Rentals (simplified)

View Slide

Image Source: https://pixabay.com/fr/photos/bureau-personnes-accus%C3%A9-accusant-2539844/
Product Owner +
Business Analyst
“Can you open
the service for
yesterday ?”
“It is not yet
deployed, we don’t
have the permission
to create an
instance.”
“We need to do
pen tests before.”
“I did not receive any
ticket to do so…”

View Slide

Governance
Provision
Operate
Stability
Security & Compliance
Agility
Experiment
Be productive
Deliver faster

View Slide

DevSecOps
Break down cultural barriers
Work as one team
Support business and IT agility
Collaborate and communicate
Assurance artifacts
Security Automation
Test, measure, and monitor
Culture
Process

View Slide

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability
Zones Edge
Locations
Governance &
Risk
Business
• Culture of security and
continual improvement
• Ongoing audits and assurance
• Protection of large-scale
service endpoints
Security
Operations
Compliance
• Lead change
• Audits & assurance
• Protection of workloads,
shared services, interconnects
• MSB definition
• Cloud security operations
Product & Platform Teams
• MSB customization
• Application/Platform
infrastructure
• Security development
lifecycle
Enterprise
Security
Shared Responsibility in the Enterprise

View Slide

Enable Governance at Scale
Set up a
landing zone
Establish
guardrails
Automate
compliant account
provisioning
Centralize identity
and access
Manage
continuously

View Slide

Set up a
landing
zone
Establish
guardrails
Automate
compliant account
provisioning
Centralize identity
and access
Manage
continuously

View Slide

View Slide

What is a landing zone?
• A configured, secure, scalable, multi-account AWS
environment based on AWS best practices
• A starting point for net new development and
experimentation
• A starting point for migrating applications
• An environment that allows for iteration and extension
over time
H

View Slide

AWS Organizations
Centrally govern and manage AWS accounts and resources
Control access and
permissions
Share resources across
accounts
Manage and define your
organization and accounts
Audit, monitor, and secure your
environment for compliance
Centrally manage costs and
billing

View Slide

AWS Organizations
Organization
Member account
Master account
Organizational unit (OU)
Administrative root (of an Organization)
Service control policy (SCP)
Organization
OU (BU1) OU (BU2) OU (ADM)
ROOT

View Slide

What accounts should I create?
Core Accounts
Security
AWS Organizations : Master Account
Shared
Services
Network
Log
Archive
Dev Pre-Prod
Team/BU/Project/… Accounts
Prod
Team
Shared
Services
Network Path
Developer
Sandbox
Developer Accounts Data Center
Orgs: Account management
Log Archive: Logs centralization
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: Direct Connect
Dev Sandbox: Experiments, Learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team Shared Services, Data Lake

View Slide

InfoSec’s
Cross-
Account
Roles
AWS Account
Credential
Management
(“Root Account”)
Federation
Actions &
Conditions
Map
Enterprise
Roles
AWS
CloudTrail
Enabled
Baseline requirements for all accounts

View Slide

View Slide

AWS Control Tower
AWS Control Tower
Account Management Guardrail Enforcement
Landing
Zone
AWS Landing Zone AWS Organizations AWS Organizations

View Slide

Set up a
landing zone
Centralize identity
and access
Manage
continuously
Automate
compliant account
provisioning
Establish
guardrails

View Slide

AWS Service Catalog
Users
Administrators
Standardize
Control
Govern
Agility
Self-Service
Time to Market
Allows organizations to create and manage
catalogs of IT services and software on AWS
Users can quickly deploy approved IT
services in a self-service manner.

View Slide

AWS Service Catalog
üConstrains
üSecurity controls
üParameter validation
üIAM assignment
üTag enforcement
Standardizes best practices
CloudFormation
or Terraform
AWS Product/Service
AWS
Marketplace
third-party
products
Customer-
Created AWS-
Based
Solution
AWS Service
Catalog
Admin

View Slide

View Slide

Enable Governance at Scale: Preventive Guardrails
Set up a
landing zone
Automate
compliant account
provisioning
Centralize identity
and access
Manage
continuously
Establish
guardrails

View Slide

Preventive Guardrails with Service Control Policies (SCPs)
• Enables to control which AWS service APIs are accessible
• Define the list of APIs that are allowed – Whitelisting
• Define the list of APIs that must be blocked – Blacklisting

View Slide

View Slide

Inventory resources – the importance of Tags
• Operational support
• Resource management
• Cost & Usage allocation
• Enable cost and usage reporting and alerting
• Automation
• Trigger automation events
• Control & compliance
• Attribute based access control

View Slide

Inventory resources – Build a Tagging strategy
Define a tagging
taxonomy
Publish a tagging
dictionary
Define the
“rules of the game”
Enforce rules
lob=[HR|Fin|…]
cost-center=[C2309|…]
[email protected]
application=Titan
name=Titan-Backend-Database
env=[dev|test|prod]
version=2.0.1
confidentiality=[Confidential|…
…|Public]
Business
Technical
Secu
Auto
Confidentiality
Opt-in/Opt-out

View Slide

Catch up untagged resources with Resources Groups Editor

View Slide

View Slide

Automate: On-Create Tagging with CloudFormation
VPC:
Type: 'AWS::EC2::VPC'
Properties:
CidrBlock:
'10.42.0.0/16’
Tags:
- Key: Name
Value: '10.42.0.0/16’
- Key: CostCenter
Value: ‘C3409’
- Key: Environment
Value: ‘prod'

View Slide

Enforce Tagging with Service Control Policies
{
"Version": "2012-10-17",
"Statement": [
{
"Sid":
"DenyRunInstanceWithNoCostCenterTag",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"Null": {
"aws:RequestTag/CostCenter": "true"
}
}
}
]
}

View Slide

From: Hans Zummer
Date: Monday, 3 February 2018 at 11:00
To: “Leon”
Subject: SSH Access to our servers
I’ve been told by one of my security engineers that the VM daniela-0042 has SSH open to the world!
Can you tell me what happened ?
Regards,
Hans
Head of Security

View Slide

Capture and analyze activity with AWS CloudTrail
Capture
Record activity as
CloudTrail events
Act
Trigger actions
when important
events are detected
Store
Retain events logs in
secure S3 bucket
Review
Analyze recent
events and logs with
Amazon Athena or
CloudWatch Logs
Insights

View Slide

Investigate a resource configuration change with CloudTrail

View Slide

That’s nice but can how can you DETECT IT FASTER and
AVOID this TO HAPPEN AGAIN?
Re: SSH Access to our servers

View Slide

Enable Governance at Scale: Detective Guardrails
Set up a
landing zone
Automate
compliant account
provisioning
Centralize identity
and access
Manage
continuously
Establish
guardrail
s

View Slide

R
u
l
e
Configuration management
R
u
l
e
R
u
l
e

View Slide

Configuration management with AWS Config
• Continuous recording and continuous assessment service
• Tracks configuration changes to AWS resources
• Alerts you if the configuration is non-compliant with your policies
• Automated remediation of non-compliant resources
• Control and manage custom resources
AWS Config
Changing resources Normalized Config rules
Amazon SNS Topic
CloudWatch Events
AWS Systems Manager
Automation
AWS API Endpoint

View Slide

Detect non-compliance with AWS Config Rules
• Config Rules represent the ideal configuration settings
• Config Rules are triggered on each resource configuration
change
• AWS provides more than 120 managed Rules
• Ex: Approved AMIs, Enforce Tags, EBS Volumes encrypted, RDS multi-AZ,
CloudTrail enabled, MFA Enabled, S3 Public Read prohibited, …
120+ AWS Config Managed Rules
• … and Restricted SSH

View Slide

Remediate to non-conformity with AWS Systems Manager Automation
• Automate common and repetitive IT operations and management tasks
• 60+ Predefined ”Documents” (or Playbooks) describe actions to perform
• Ex: AttachIAMToInstance, CreateSnapshot, ResizeInstance, DisableS3BucketPublicReadWrite…
• … and DisablePublicAccessForSecurityGroup

View Slide

Enforce conformity with Config Rules and Systems Manager

View Slide

Simplify compliance check with AWS Security Hub

View Slide

Compliance - Custom Rule Example
Rule.Lambda.001 :
“Any environment
variable defined in a
Lambda function must
be encrypted using a
Customer Master Key”

View Slide

Custom Config Rules

View Slide

View Slide

How to get started
• Control Tower: Setup your multi-account AWS environment
• https://aws.amazon.com/controltower/

View Slide

How to get started
• Define your Tagging Strategy and enforce it with policies
• https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html

View Slide

How to get started
• Enable Security Hub and CIS AWS Foundations Compliance Checks
• https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html

View Slide

How to get started
• Enable AWS Config and setup Config Rules with Auto-Remediations
• https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html
• Quick start: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
• Build your own: https://github.com/awslabs/aws-config-rules & https://github.com/awslabs/aws-config-rdk

View Slide


View Slide

Thank you !
http://bit.ly/2utnjM2

View Slide

Compliance & Governance as code

Compliance & Governance as code

Jérôme Van Der Linden

More Decks by Jérôme Van Der Linden

Other Decks in Technology

Featured

Transcript