
Compliance & Governance as code

Presentation of compliance and governance on the AWS Cloud, during DevopsDays Geneva 2020.

Jérôme Van Der Linden

February 24, 2020

Transcript

  1. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark. Compliance & Governance as code – DevopsDays Geneva 2020. Jérôme Van Der Linden, AWS Solutions Architect; Bashar Al-Fallouji, AWS Solutions Architect
  2. Agenda: a wall of buzzwords repeated across the slide (Governance, Norms & Processes, Risk Management, ITSM, ITIL, Compliance, Assets, CMDB, Rules, Remediation, Regulations, Dregulation, ACRO, NYME, Buzzword) … as code, with a few easter eggs hidden in the repeats (ILoveChurros, IfYouCanReadThis, YouGotBetterEyesThanMe, GreatAcronym).
  3. If only we had more time…
  4. The professional adventures of Leon
  5. Every BIG story has a humble beginning…
  6. Every BIG story has a humble beginning… (diagram) AWS Cloud: Amazon EC2, Amazon RDS MySQL, DNS, Storage (S3), Amazon EC2
  7. AWS Account(s) at Unicorn Rentals: Frontend (Dev, Test, Staging, Prod) and Backend (Dev, Test, Staging, Prod)
  8. AWS Account as a Perimeter: Security/Resource Boundary, Service Limits, Billing Separation
  9. Why is one account sometimes not enough? AWS Account as a Perimeter: Many Teams, Isolation, Security Controls, Business Process, Billing
  10. AWS Accounts at Unicorn Rentals (simplified): Frontend, Dev, Backend, Analytics, AI/ML
  11. Image Source: https://pixabay.com/fr/photos/bureau-personnes-accus%C3%A9-accusant-2539844/ Product Owner + Business Analyst: “Can you open the service for yesterday?” “It is not yet deployed, we don’t have the permission to create an instance.” “We need to do pen tests before.” “I did not receive any ticket to do so…”
  12. Governance (Provision, Operate, Stability, Security & Compliance) versus Agility (Experiment, Be productive, Deliver faster)
  13. DevSecOps – Culture and Process: Break down cultural barriers; Work as one team; Support business and IT agility; Collaborate and communicate; Assurance artifacts; Security automation; Test, measure, and monitor
  14. Shared Responsibility in the Enterprise. Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Enterprise Security – Governance & Risk / Business: culture of security and continual improvement, ongoing audits and assurance, protection of large-scale service endpoints; Security Operations / Compliance: lead change, audits & assurance, protection of workloads, shared services and interconnects, MSB (minimum security baseline) definition, cloud security operations; Product & Platform Teams: MSB customization, application/platform infrastructure, security development lifecycle
  15. Enable Governance at Scale: Set up a landing zone; Establish guardrails; Automate compliant account provisioning; Centralize identity and access; Manage continuously
  16. Enable Governance at Scale: Set up a landing zone; Establish guardrails; Automate compliant account provisioning; Centralize identity and access; Manage continuously
  17. What is a landing zone? • A configured, secure, scalable, multi-account AWS environment based on AWS best practices • A starting point for net new development and experimentation • A starting point for migrating applications • An environment that allows for iteration and extension over time
  18. AWS Organizations – centrally govern and manage AWS accounts and resources: Control access and permissions; Share resources across accounts; Manage and define your organization and accounts; Audit, monitor, and secure your environment for compliance; Centrally manage costs and billing
  19. AWS Organizations concepts: Organization; Master account (since renamed the management account); Member account; Organizational unit (OU); Administrative root (of an organization); Service control policy (SCP). Example hierarchy: ROOT → OU (BU1), OU (BU2), OU (ADM)
  20. What accounts should I create? Core accounts: AWS Organizations master account (account management); Log Archive (log centralization); Security (security tools, AWS Config rules); Shared Services (directory, limit monitoring); Network (Direct Connect path to the data center). Developer accounts: Developer Sandbox (experiments, learning). Team/BU/Project accounts: Dev (development); Pre-Prod (staging); Prod (production); Team Shared Services (team shared services, data lake)
  21. Baseline requirements for all accounts: InfoSec’s cross-account roles; AWS account credential management (“root account”); Federation; Actions & conditions; Map enterprise roles; AWS CloudTrail enabled
  22. AWS Control Tower (Account Management, Guardrail Enforcement, Landing Zone) builds on AWS Organizations, as did the earlier AWS Landing Zone solution
  23. Enable Governance at Scale: Set up a landing zone; Centralize identity and access; Manage continuously; Automate compliant account provisioning; Establish guardrails
  24. AWS Service Catalog – Administrators: Standardize, Control, Govern; Users: Agility, Self-Service, Time to Market. Allows organizations to create and manage catalogs of IT services and software on AWS; users can quickly deploy approved IT services in a self-service manner.
  25. AWS Service Catalog standardizes best practices: ✓ Constraints ✓ Security controls ✓ Parameter validation ✓ IAM assignment ✓ Tag enforcement. Products are CloudFormation or Terraform templates (AWS products/services, AWS Marketplace third-party products, customer-created AWS-based solutions) published by the AWS Service Catalog admin.
  26. Enable Governance at Scale: Preventive Guardrails – Set up a landing zone; Automate compliant account provisioning; Centralize identity and access; Manage continuously; Establish guardrails
  27. Preventive Guardrails with Service Control Policies (SCPs) • Control which AWS service APIs are accessible in member accounts • Define the list of APIs that are allowed – whitelisting (allow list) • Define the list of APIs that must be blocked – blacklisting (deny list). Caveat: an SCP never grants permissions; it only bounds what IAM policies in the affected accounts can grant, and it does not apply to the master (management) account itself.
  28. Inventory resources – the importance of Tags • Operational support: resource management • Cost & usage allocation: enable cost and usage reporting and alerting • Automation: trigger automation events • Control & compliance: attribute-based access control
  29. Inventory resources – build a tagging strategy: define a tagging taxonomy; publish a tagging dictionary; define the “rules of the game”; enforce the rules. Example dictionary (Business / Technical / Security / Automation): lob=[HR|Fin|…], cost-center=[C2309|…], [email protected], application=Titan, name=Titan-Backend-Database, env=[dev|test|prod], version=2.0.1, confidentiality=[Confidential|…|Public], opt-in/opt-out
  30. Catch up on untagged resources with the Resource Groups Tag Editor
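Publishing a tag dictionary is only useful if something checks resources against it. The following validator is an added example and not code from the deck; it encodes a dictionary shaped like the taxonomy on slide 29 (the allowed values, the regexes and the unicorn-rentals.example owner domain are assumptions) and audits resources in the shape returned by the Resource Groups Tagging API GetResources call, which is what the Tag Editor uses behind the scenes. The sample resources are constructed.

```python
"""Tag-dictionary validator (added example): checks resource tags against a published taxonomy."""
import re

# Constructed tag dictionary modelled on the slide's taxonomy; the allowed values,
# patterns and the unicorn-rentals.example owner domain are assumptions.
TAG_DICTIONARY = {
    "lob":             {"required": True,  "allowed": {"HR", "Fin", "Eng"}},
    "cost-center":     {"required": True,  "pattern": r"^C\d{4}$"},
    "owner":           {"required": True,  "pattern": r"^[^@\s]+@unicorn-rentals\.example$"},
    "application":     {"required": True},
    "env":             {"required": True,  "allowed": {"dev", "test", "prod"}},
    "version":         {"required": False, "pattern": r"^\d+\.\d+\.\d+$"},
    "confidentiality": {"required": True,  "allowed": {"Public", "Internal", "Confidential"}},
}


def validate_tags(tags, dictionary=TAG_DICTIONARY):
    """Return a list of (tag_key, problem) for one resource; an empty list means compliant."""
    problems = []
    for key, spec in dictionary.items():
        if key not in tags:
            if spec.get("required"):
                problems.append((key, "missing required tag"))
            continue
        value = tags[key]
        if "allowed" in spec and value not in spec["allowed"]:
            problems.append((key, f"value {value!r} not in {sorted(spec['allowed'])}"))
        if "pattern" in spec and not re.match(spec["pattern"], value):
            problems.append((key, f"value {value!r} does not match {spec['pattern']}"))
    return problems


def flatten_tag_mapping(mapping):
    """Convert one ResourceTagMappingList entry (Resource Groups Tagging API GetResources
    output) into (arn, {key: value})."""
    return mapping["ResourceARN"], {t["Key"]: t["Value"] for t in mapping.get("Tags", [])}


def audit(mappings, dictionary=TAG_DICTIONARY):
    """Return {arn: problems} for every resource that violates the dictionary."""
    report = {}
    for mapping in mappings:
        arn, tags = flatten_tag_mapping(mapping)
        problems = validate_tags(tags, dictionary)
        if problems:
            report[arn] = problems
    return report


# Constructed sample in the shape of GetResources output (no real resources).
SAMPLE_MAPPINGS = [
    {"ResourceARN": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0",
     "Tags": [{"Key": "lob", "Value": "Fin"}, {"Key": "cost-center", "Value": "C2309"},
              {"Key": "owner", "Value": "leon@unicorn-rentals.example"},
              {"Key": "application", "Value": "Titan"}, {"Key": "env", "Value": "prod"},
              {"Key": "version", "Value": "2.0.1"}, {"Key": "confidentiality", "Value": "Confidential"}]},
    {"ResourceARN": "arn:aws:rds:eu-west-1:123456789012:db:daniela-0042",
     "Tags": [{"Key": "lob", "Value": "Marketing"}, {"Key": "env", "Value": "production"}]},
]

if __name__ == "__main__":
    for arn, problems in audit(SAMPLE_MAPPINGS).items():
        print(arn)
        for key, problem in problems:
            print(f"  {key}: {problem}")
```

In a real run the mappings come from paginating `resourcegroupstaggingapi.get_resources()` (boto3) across each account, typically from the Security account via the cross-account roles of slide 21; the report is the work list for the Tag Editor, and the same `validate_tags` function can back a custom Config rule so that the check runs continuously rather than as a one-off catch-up.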
  31. Automate: on-create tagging with CloudFormation

    VPC:
      Type: 'AWS::EC2::VPC'
      Properties:
        CidrBlock: '10.42.0.0/16'
        Tags:
          - Key: Name
            Value: '10.42.0.0/16'
          - Key: CostCenter
            Value: 'C3409'
          - Key: Environment
            Value: 'prod'
  32. Enforce tagging with Service Control Policies

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyRunInstanceWithNoCostCenterTag",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": ["arn:aws:ec2:*:*:instance/*"],
          "Condition": {
            "Null": {"aws:RequestTag/CostCenter": "true"}
          }
        }
      ]
    }

    The Null condition with value "true" matches when the request carries no CostCenter tag, so the Deny fires exactly for untagged launches. This statement only governs instance creation: a matching Deny on ec2:DeleteTags is needed to stop the tag from being removed afterwards.
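SCPs are code, so they deserve unit tests before they are attached to an OU. The evaluator below is an added example, not code from the deck or from AWS: it reproduces the explicit-Deny semantics of slide 27 and slide 32 for the tag-enforcement statement above plus an assumed deny-list statement protecting CloudTrail (the second statement, the account ID and the trail name are example values). It supports only the Null and StringEquals operators and IAM-style * / ? wildcards.

```python
"""Offline evaluator for SCP Deny statements (added example): test guardrails before deploying them."""
import fnmatch
import json

# The tag-enforcement SCP from the slide, plus an assumed deny-list statement that
# protects CloudTrail; the second statement is an example, not part of the deck.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstanceWithNoCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*"],
      "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}
    },
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
      "Resource": "*"
    }
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(value, pattern, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    if case_insensitive:
        value, pattern = value.lower(), pattern.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_matches(condition, context):
    """Evaluate the Null and StringEquals operators (the only ones this example supports)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true" means the key must be ABSENT from the request for the condition to match.
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringEquals":
                if not present or context[key] not in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not supported here")
    return True


def denied_by(policy, action, resource, context=None):
    """Return the Sids of Deny statements matching the request. SCPs only filter: an empty
    list means 'not blocked by this SCP', not 'allowed'; IAM policies still decide."""
    context = context or {}
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_glob(action, a, case_insensitive=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    instance = "arn:aws:ec2:eu-west-1:123456789012:instance/*"
    print(denied_by(SCP, "ec2:RunInstances", instance))                                           # untagged launch
    print(denied_by(SCP, "ec2:RunInstances", instance, {"aws:RequestTag/CostCenter": "C3409"}))   # tagged launch
    print(denied_by(SCP, "cloudtrail:StopLogging", "arn:aws:cloudtrail:eu-west-1:123456789012:trail/org-trail"))
```

The evaluator deliberately covers explicit Deny only. A real SCP evaluation also requires an Allow to exist at every level of the OU path (the default FullAWSAccess SCP provides it until you remove it for whitelisting), so treat the output as "would this guardrail block the call", not as a full authorization decision.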
  33. From: Hans Zummer <[email protected]>
    Date: Monday, 3 February 2018 at 11:00
    To: “Leon” <[email protected]>
    Subject: SSH Access to our servers
    I’ve been told by one of my security engineers that the VM daniela-0042 has SSH open to the world! Can you tell me what happened? Regards, Hans, Head of Security
  34. Capture and analyze activity with AWS CloudTrail – Capture: record activity as CloudTrail events; Store: retain event logs in a secure S3 bucket; Review: analyze recent events and logs with Amazon Athena or CloudWatch Logs Insights; Act: trigger actions when important events are detected
  35. Investigate a resource configuration change with CloudTrail
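The investigation on slide 35 comes down to finding the AuthorizeSecurityGroupIngress call that opened port 22 to 0.0.0.0/0 and reading who made it. The detection below is an added example, not code from the deck: it runs that logic over constructed CloudTrail records in the real event shape (the account ID, user, security-group IDs and source IP are assumptions). Feeding it the Records array of the log files in the Log Archive bucket, or running it in a Lambda behind a CloudWatch Events rule, is what turns the after-the-fact Athena query into the faster detection the reply e-mail asks for.

```python
"""Detection over CloudTrail records (added example): flag security-group rules that open SSH to the world."""
import json

SSH_PORT = 22
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed CloudTrail records in the real event shape (trimmed); the account,
# group IDs and user are assumptions, not data from the deck.
SAMPLE_LOG = json.loads("""{"Records": [
  {
    "eventVersion": "1.05", "eventTime": "2018-02-02T17:43:12Z", "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.42",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/leon", "userName": "leon"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0",
      "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}}]}},
    "responseElements": {"_return": true}
  },
  {
    "eventVersion": "1.05", "eventTime": "2018-02-02T17:50:01Z", "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.42",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/leon", "userName": "leon"},
    "requestParameters": {"groupId": "sg-0fedcba9876543210",
      "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "10.42.0.0/16"}]}, "ipv6Ranges": {}}]}},
    "responseElements": {"_return": true}
  },
  {
    "eventVersion": "1.05", "eventTime": "2018-02-02T18:02:33Z", "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.42",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/leon", "userName": "leon"},
    "errorCode": "Client.UnauthorizedOperation",
    "requestParameters": {"groupId": "sg-0123456789abcdef0",
      "ipPermissions": {"items": [
        {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}}]}}
  }
]}""")


def _exposes_ssh(permission):
    """True if one ipPermissions entry covers TCP/22 (or all protocols) from a world CIDR."""
    proto = permission.get("ipProtocol")
    if proto == "tcp":
        if not permission.get("fromPort", 0) <= SSH_PORT <= permission.get("toPort", 65535):
            return False
    elif proto != "-1":          # udp, icmp or a numbered protocol: not SSH
        return False
    ranges = (permission.get("ipRanges", {}).get("items", [])
              + permission.get("ipv6Ranges", {}).get("items", []))
    return any(r.get("cidrIp", r.get("cidrIpv6")) in WORLD for r in ranges)


def find_open_ssh(records):
    """One finding per successful AuthorizeSecurityGroupIngress call that opened SSH to the world."""
    findings = []
    for rec in records:
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress" or "errorCode" in rec:
            continue             # a denied call changed nothing (worth its own alert, but not this one)
        params = rec.get("requestParameters", {})
        if any(_exposes_ssh(p) for p in params.get("ipPermissions", {}).get("items", [])):
            findings.append({
                "time": rec["eventTime"],
                "group": params.get("groupId"),
                "actor": rec["userIdentity"].get("arn"),
                "sourceIP": rec.get("sourceIPAddress"),
                "region": rec.get("awsRegion"),
            })
    return findings


if __name__ == "__main__":
    for f in find_open_ssh(SAMPLE_LOG["Records"]):
        print(f"{f['time']} {f['actor']} opened SSH to the world on {f['group']} from {f['sourceIP']}")
```

Note what the check does and does not cover: it catches rules that include port 22 in a wider range and the all-protocols rule, but it only sees the API call, so a group that was already open before the trail started will not appear; that gap is exactly what the AWS Config rule on the next slides closes, because Config evaluates the current state rather than the change history.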
  36. Re: SSH Access to our servers – That’s nice, but how can you DETECT IT FASTER and AVOID this HAPPENING AGAIN?
  37. Enable Governance at Scale: Detective Guardrails – Set up a landing zone; Automate compliant account provisioning; Centralize identity and access; Manage continuously; Establish guardrails
  38. Configuration management (diagram: resources evaluated against rules)
  39. Configuration management with AWS Config • Continuous recording and continuous assessment service • Tracks configuration changes to AWS resources • Alerts you if the configuration is non-compliant with your policies • Automated remediation of non-compliant resources • Control and manage custom resources. Flow: changing resources → AWS Config (normalized configuration items) → Config rules → Amazon SNS topic / CloudWatch Events → AWS Systems Manager Automation / AWS API endpoint
  40. Detect non-compliance with AWS Config Rules • Config Rules represent the ideal configuration settings • Config Rules are evaluated on each resource configuration change (or on a periodic schedule) • AWS provides more than 120 managed rules, e.g. approved AMIs, required tags, EBS volumes encrypted, RDS multi-AZ, CloudTrail enabled, MFA enabled, S3 public read prohibited … and restricted SSH
  41. Remediate non-conformity with AWS Systems Manager Automation • Automate common and repetitive IT operations and management tasks • 60+ predefined “documents” (or playbooks) describe the actions to perform • Ex: AttachIAMToInstance, CreateSnapshot, ResizeInstance, DisableS3BucketPublicReadWrite … and DisablePublicAccessForSecurityGroup (the AWS-owned documents carry an AWS- prefix, e.g. AWS-DisablePublicAccessForSecurityGroup)
  42. Enforce conformity with Config Rules and Systems Manager
  43. Simplify compliance checks with AWS Security Hub
  44. Compliance – custom rule example. Rule.Lambda.001: “Any environment variable defined in a Lambda function must be encrypted using a Customer Master Key”
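Rule.Lambda.001 has no managed Config rule, so it is written as a custom rule: a Lambda function that receives each AWS::Lambda::Function configuration item, decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE and reports back with PutEvaluations. The code below is an added example, not from the deck or the aws-config-rdk project (whose generated handlers follow the same event contract). It assumes the configuration item mirrors GetFunctionConfiguration (`environment.variables`, `kmsKeyArn`), which should be verified against a real item in your account; the function names, key ARN and optional `allowedKeyArns` rule parameter are assumptions, and the sample events are constructed.

```python
"""Custom AWS Config rule (added example) for Rule.Lambda.001: Lambda environment variables must be
encrypted with a customer managed KMS key."""
import json


def evaluate_compliance(configuration_item, rule_parameters=None):
    """Return (compliance_type, annotation) for one AWS::Lambda::Function configuration item."""
    if configuration_item.get("resourceType") != "AWS::Lambda::Function":
        return "NOT_APPLICABLE", "rule only evaluates Lambda functions"
    cfg = configuration_item.get("configuration") or {}
    variables = (cfg.get("environment") or {}).get("variables") or {}
    if not variables:
        return "NOT_APPLICABLE", "function defines no environment variables"
    key_arn = cfg.get("kmsKeyArn")
    if not key_arn:
        # Lambda still encrypts at rest, but with the AWS-managed key, which the rule forbids.
        return "NON_COMPLIANT", "environment variables are encrypted with the AWS-managed key, not a CMK"
    allowed = (rule_parameters or {}).get("allowedKeyArns", "")
    allowed_list = [a.strip() for a in allowed.split(",") if a.strip()]
    if allowed_list and key_arn not in allowed_list:
        return "NON_COMPLIANT", f"kmsKeyArn {key_arn} is not one of the approved keys"
    return "COMPLIANT", f"environment variables encrypted with {key_arn}"


def build_evaluation(event):
    """Turn the Config invocation event into the Evaluation to report; no AWS calls are made here."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    deleted = item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded")
    if event.get("eventLeftScope") or deleted:
        compliance, annotation = "NOT_APPLICABLE", "resource deleted or no longer in scope"
    else:
        compliance, annotation = evaluate_compliance(item, rule_parameters)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],          # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed as the rule's Lambda: report the evaluation back to AWS Config."""
    import boto3  # imported lazily so the evaluation logic can be unit-tested without the SDK
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _sample_event(function_name, kms_key_arn):
    """Constructed Config invocation event (assumed names and ARNs) for a change notification."""
    item = {
        "resourceType": "AWS::Lambda::Function",
        "resourceId": function_name,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2020-02-24T10:00:00.000Z",
        "configuration": {
            "functionName": function_name,
            "environment": {"variables": {"DB_HOST": "titan-db.internal"}},
            "kmsKeyArn": kms_key_arn,
        },
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": "{}",
        "resultToken": "TESTMODE",
        "eventLeftScope": False,
    }


SAMPLE_EVENTS = {
    "titan-backend": _sample_event(
        "titan-backend", "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"),
    "titan-frontend": _sample_event("titan-frontend", None),
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(name, build_evaluation(event)["ComplianceType"])
```

Two points matter in practice. Reporting NOT_APPLICABLE for functions without environment variables keeps the dashboard honest (there is nothing to encrypt), and handling `eventLeftScope` and deleted items stops stale NON_COMPLIANT results from lingering after a function is removed. The rule's Lambda needs `config:PutEvaluations` and nothing else; the remediation side (re-deploying the function with a KMSKeyArn) is a separate Systems Manager Automation or pipeline step, as on slide 42.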
  45. How to get started • Control Tower: set up your multi-account AWS environment • https://aws.amazon.com/controltower/
  46. How to get started • Define your tagging strategy and enforce it with policies • https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
  47. How to get started • Enable Security Hub and the CIS AWS Foundations compliance checks • https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html
  48. How to get started • Enable AWS Config and set up Config Rules with auto-remediation • https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html • Quick start: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html • Build your own: https://github.com/awslabs/aws-config-rules & https://github.com/awslabs/aws-config-rdk
  49. Thank you! http://bit.ly/2utnjM2