Compliance & Governance as code

Presentation of compliance and governance on the AWS Cloud, during DevopsDays Geneva 2020.

Jérôme Van Der Linden

February 24, 2020

Transcript

  1. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark.
    Compliance & Governance as code
    DevopsDays Geneva 2020
    AWS Solutions Architect
    Jérôme Van Der Linden
    Bashar Al-Fallouji
    AWS Solutions Architect

  2. Agenda
    • Governance
    • Norms & Processes
    • Risk Management
    • ITSM
    • ITIL
    • Compliance
    • Assets
    • CMDB
    • Rules
    • Remediation
    • Regulations
    • Dregulation
    • ACRO
    • NYME
    • Buzzword
    • ILoveChurros
    • IfYouCanReadThis
    • YouGotBetterEyesThanMe
    • GreatAcronym
    … as code

  3. If only we had more time…

  4. The professional adventures of Leon

  6. Every BIG story has a humble beginning…

  7. Every BIG story has a humble beginning…
    AWS Cloud
    Amazon EC2
    Amazon RDS MySQL
    DNS
    Storage (S3)
    Amazon EC2

  8. Initial state

  9. AWS Account(s) at Unicorn Rentals
    Frontend: Dev, Test, Staging, Prod
    Backend: Dev, Test, Staging, Prod

  10. AWS Account as a Perimeter
    • Security/Resource Boundary
    • Service Limits
    • Billing Separation

  12. Why is one sometimes not enough?
    AWS Account as a Perimeter
    • Many Teams
    • Isolation
    • Security Controls
    • Business Process
    • Billing

  13. AWS Accounts at Unicorn Rentals (simplified)
    Frontend Dev
    Backend
    Analytics
    AI/ML

  14. Image Source: https://pixabay.com/fr/photos/bureau-personnes-accus%C3%A9-accusant-2539844/
    Product Owner + Business Analyst
    “Can you open the service for yesterday?”
    “It is not yet deployed, we don’t have the permission to create an instance.”
    “We need to do pen tests before.”
    “I did not receive any ticket to do so…”

  15. Governance / Agility
    Governance: Provision, Operate, Stability, Security & Compliance
    Agility: Experiment, Be productive, Deliver faster

  16. DevSecOps
    Culture
    • Break down cultural barriers
    • Work as one team
    • Support business and IT agility
    • Collaborate and communicate
    Process
    • Assurance artifacts
    • Security Automation
    • Test, measure, and monitor

  17. Shared Responsibility in the Enterprise
    AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
    Foundation Services: Compute, Storage, Database, Networking
    Governance & Risk / Business
    • Culture of security and continual improvement
    • Ongoing audits and assurance
    • Protection of large-scale service endpoints
    Security Operations / Compliance
    • Lead change
    • Audits & assurance
    • Protection of workloads, shared services, interconnects
    • MSB definition
    • Cloud security operations
    Product & Platform Teams
    • MSB customization
    • Application/Platform infrastructure
    • Security development lifecycle
    Enterprise Security

  18. Enable Governance at Scale
    • Set up a landing zone
    • Establish guardrails
    • Automate compliant account provisioning
    • Centralize identity and access
    • Manage continuously

  19. Enable Governance at Scale
    • Set up a landing zone
    • Establish guardrails
    • Automate compliant account provisioning
    • Centralize identity and access
    • Manage continuously

  21. What is a landing zone?
    • A configured, secure, scalable, multi-account AWS environment based on AWS best practices
    • A starting point for net new development and experimentation
    • A starting point for migrating applications
    • An environment that allows for iteration and extension over time

  22. AWS Organizations
    Centrally govern and manage AWS accounts and resources
    • Control access and permissions
    • Share resources across accounts
    • Manage and define your organization and accounts
    • Audit, monitor, and secure your environment for compliance
    • Centrally manage costs and billing

  23. AWS Organizations
    • Organization
    • Member account
    • Master account
    • Organizational unit (OU)
    • Administrative root (of an Organization)
    • Service control policy (SCP)
    Organization: ROOT → OU (BU1), OU (BU2), OU (ADM)

  24. What accounts should I create?
    Core Accounts (AWS Organizations: Master Account): Security, Shared Services, Network, Log Archive
    Team/BU/Project/… Accounts: Dev, Pre-Prod, Prod, Team Shared Services
    Developer Accounts: Developer Sandbox
    Network Path: to Data Center
    Orgs: Account management
    Log Archive: Logs centralization
    Security: Security tools, AWS Config rules
    Shared services: Directory, limit monitoring
    Network: Direct Connect
    Dev Sandbox: Experiments, Learning
    Dev: Development
    Pre-Prod: Staging
    Prod: Production
    Team SS: Team Shared Services, Data Lake

  25. Baseline requirements for all accounts
    • InfoSec’s Cross-Account Roles
    • AWS Account Credential Management (“Root Account”)
    • Federation
    • Actions & Conditions
    • Map Enterprise Roles
    • AWS CloudTrail Enabled

  27. AWS Control Tower
    AWS Control Tower: Account Management, Guardrail Enforcement, Landing Zone
    AWS Landing Zone / AWS Organizations

  28. Enable Governance at Scale
    • Set up a landing zone
    • Centralize identity and access
    • Manage continuously
    • Automate compliant account provisioning
    • Establish guardrails

  29. AWS Service Catalog
    Allows organizations to create and manage catalogs of IT services and software on AWS. Users can quickly deploy approved IT services in a self-service manner.
    Administrators: Standardize, Control, Govern
    Users: Agility, Self-Service, Time to Market

  30. AWS Service Catalog
    Standardizes best practices
    ✓ Constraints
    ✓ Security controls
    ✓ Parameter validation
    ✓ IAM assignment
    ✓ Tag enforcement
    AWS Service Catalog Admin: CloudFormation or Terraform; AWS Product/Service; AWS Marketplace third-party products; Customer-Created AWS-Based Solution

  32. Enable Governance at Scale: Preventive Guardrails
    • Set up a landing zone
    • Automate compliant account provisioning
    • Centralize identity and access
    • Manage continuously
    • Establish guardrails

  33. Preventive Guardrails with Service Control Policies (SCPs)
    • Control which AWS service APIs are accessible
    • Define the list of APIs that are allowed – Whitelisting
    • Define the list of APIs that must be blocked – Blacklisting

  35. Inventory resources – the importance of Tags
    • Operational support
      • Resource management
    • Cost & Usage allocation
      • Enable cost and usage reporting and alerting
    • Automation
      • Trigger automation events
    • Control & compliance
      • Attribute based access control

  36. Inventory resources – Build a Tagging strategy
    • Define a tagging taxonomy
    • Publish a tagging dictionary
    • Define the “rules of the game”
    • Enforce rules
    Example tags:
    lob=[HR|Fin|…]
    cost-center=[C2309|…]
    [email protected]
    application=Titan
    name=Titan-Backend-Database
    env=[dev|test|prod]
    version=2.0.1
    confidentiality=[Confidential|…|Public]
    Tag categories: Business, Technical, Secu, Auto, Confidentiality, Opt-in/Opt-out

  37. Catch untagged resources with Resource Groups Editor

  39. Automate: On-Create Tagging with CloudFormation
    VPC:
      Type: 'AWS::EC2::VPC'
      Properties:
        CidrBlock: '10.42.0.0/16'
        Tags:
          - Key: Name
            Value: '10.42.0.0/16'
          - Key: CostCenter
            Value: 'C3409'
          - Key: Environment
            Value: 'prod'

  40. Enforce Tagging with Service Control Policies
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyRunInstanceWithNoCostCenterTag",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:*:*:instance/*"
          ],
          "Condition": {
            "Null": {
              "aws:RequestTag/CostCenter": "true"
            }
          }
        }
      ]
    }
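An added example, not from the deck: a small Python evaluator that applies the SCP above to a request, so you can see exactly when ec2:RunInstances is denied and why a request tagged with everything except CostCenter still fails. It models only the Null condition operator and assumes the organization's default FullAWSAccess allow is attached; the matching helpers are this example's own simplifications, not IAM's evaluation engine.

```python
import json
import re

# Constructed copy of the SCP on the slide (not the deck's own file).
TAG_ENFORCEMENT_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyRunInstanceWithNoCostCenterTag",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:*:*:instance/*"],
    "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case):
    """IAM wildcard match ('*' any run, '?' one char); actions are case-insensitive, ARNs are not."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags=flags) is not None


def _null_condition_holds(null_block, request_tags):
    """IAM 'Null': "true" holds when the key is absent, "false" when present (aws:RequestTag/* only)."""
    for key, expected in null_block.items():
        if not key.startswith("aws:RequestTag/"):
            return False  # unmodelled condition key: treat as not satisfied
        tag_present = key[len("aws:RequestTag/"):] in request_tags
        expect_absent = str(expected).lower() == "true"
        if tag_present == expect_absent:
            return False
    return True


def is_denied_by_scp(scp, action, resource_arn, request_tags):
    """True when a Deny statement matches the request; the default FullAWSAccess allow
    is assumed attached, and statements using operators other than Null are skipped."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_iam_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_match(r, resource_arn, False)
                   for r in _as_list(stmt.get("Resource", "*"))):
            continue
        cond = stmt.get("Condition", {})
        if set(cond) - {"Null"}:
            continue  # operator this model does not evaluate
        if "Null" in cond and not _null_condition_holds(cond["Null"], request_tags):
            continue
        return True
    return False
```

Note that the statement's Resource only covers instance ARNs, so the tag check applies to the instance being launched and not to the volumes or network interfaces created alongside it.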

  41. From: Hans Zummer
    Date: Monday, 3 February 2018 at 11:00
    To: “Leon”
    Subject: SSH Access to our servers
    I’ve been told by one of my security engineers that the VM daniela-0042 has SSH open to the world!
    Can you tell me what happened?
    Regards,
    Hans
    Head of Security

  42. Capture and analyze activity with AWS CloudTrail
    Capture: record activity as CloudTrail events
    Store: retain event logs in a secure S3 bucket
    Review: analyze recent events and logs with Amazon Athena or CloudWatch Logs Insights
    Act: trigger actions when important events are detected

  43. Investigate a resource configuration change with CloudTrail

  44. Re: SSH Access to our servers
    That’s nice, but how can you DETECT IT FASTER and AVOID this HAPPENING AGAIN?

  45. Enable Governance at Scale: Detective Guardrails
    • Set up a landing zone
    • Automate compliant account provisioning
    • Centralize identity and access
    • Manage continuously
    • Establish guardrails

  46. Configuration management (diagram: three Rule boxes applied to the configuration)

  47. Configuration management with AWS Config
    • Continuous recording and continuous assessment service
    • Tracks configuration changes to AWS resources
    • Alerts you if the configuration is non-compliant with your policies
    • Automated remediation of non-compliant resources
    • Control and manage custom resources
    Changing resources → AWS Config (normalized) → Config rules → Amazon SNS Topic, CloudWatch Events, AWS Systems Manager Automation, AWS API Endpoint

  48. Detect non-compliance with AWS Config Rules
    • Config Rules represent the ideal configuration settings
    • Config Rules are triggered on each resource configuration change
    • AWS provides more than 120 managed Rules
    • Ex: Approved AMIs, Enforce Tags, EBS Volumes encrypted, RDS multi-AZ, CloudTrail enabled, MFA Enabled, S3 Public Read prohibited, …
    • … and Restricted SSH
    120+ AWS Config Managed Rules

  49. Remediate non-conformity with AWS Systems Manager Automation
    • Automate common and repetitive IT operations and management tasks
    • 60+ predefined “Documents” (or Playbooks) describe actions to perform
    • Ex: AttachIAMToInstance, CreateSnapshot, ResizeInstance, DisableS3BucketPublicReadWrite…
    • … and DisablePublicAccessForSecurityGroup

  50. Enforce conformity with Config Rules and Systems Manager

  51. Simplify compliance check with AWS Security Hub

  52. Compliance - Custom Rule Example
    Rule.Lambda.001: “Any environment variable defined in a Lambda function must be encrypted using a Customer Master Key”

  53. Custom Config Rules

  54. Custom Config Rules

  55. Custom Config Rules
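The three "Custom Config Rules" slides are code screenshots that did not survive the transcript, so what follows is an added Python example (not the authors' code) of a custom AWS Config rule implementing Rule.Lambda.001 from slide 52. It assumes the rule is wired to a configuration-change trigger and that the configuration item's `configuration` mirrors the Lambda GetFunctionConfiguration shape (`environment.variables`, `kmsKeyArn`); the sample item is constructed, and the function name and key values in it are placeholders.

```python
import json

RULE_ID = "Rule.Lambda.001"  # identifier used on the slide
# Constructed sample configuration item (not captured from a real account).
# Assumption: Config's 'configuration' for AWS::Lambda::Function mirrors
# GetFunctionConfiguration, exposing 'environment.variables' and 'kmsKeyArn'.
SAMPLE_ITEM = {
    "resourceType": "AWS::Lambda::Function",
    "resourceId": "orders-api",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2020-02-24T10:00:00.000Z",
    "configuration": {
        "functionName": "orders-api",
        "environment": {"variables": {"DB_HOST": "db.internal", "DB_SECRET_ID": "orders/db"}},
        "kmsKeyArn": None,
    },
}


def evaluate_lambda_env_encryption(item):
    """Apply Rule.Lambda.001 to one configuration item. Lambda encrypts the
    environment at rest with an AWS managed key unless kmsKeyArn names a
    customer master key, so variables present without kmsKeyArn fail."""
    if item.get("resourceType") != "AWS::Lambda::Function":
        return "NOT_APPLICABLE", "Not a Lambda function"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Function deleted"
    cfg = item.get("configuration") or {}
    variables = (cfg.get("environment") or {}).get("variables") or {}
    if not variables:
        return "COMPLIANT", "No environment variables defined"
    kms_key_arn = cfg.get("kmsKeyArn")
    if not kms_key_arn:
        return "NON_COMPLIANT", f"{len(variables)} environment variable(s) not encrypted with a customer master key"
    return "COMPLIANT", f"Environment encrypted with {kms_key_arn}"


def build_evaluation(item):
    """Shape one result the way AWS Config's PutEvaluations expects it."""
    compliance, annotation = evaluate_lambda_env_encryption(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": f"{RULE_ID}: {annotation}"[:256],  # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point for the custom rule on a configuration-change trigger."""
    import boto3  # imported lazily so the evaluation logic runs offline
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = build_evaluation(item)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

A NON_COMPLIANT evaluation is what the Systems Manager Automation remediation on the next slides hooks into; the annotation carries the rule identifier so Security Hub findings stay attributable.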

  57. How to get started
    • Control Tower: Set up your multi-account AWS environment
    • https://aws.amazon.com/controltower/

  58. How to get started
    • Define your Tagging Strategy and enforce it with policies
    • https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
    • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
    • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html

  59. How to get started
    • Enable Security Hub and CIS AWS Foundations Compliance Checks
    • https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html

  60. How to get started
    • Enable AWS Config and set up Config Rules with Auto-Remediations
    • https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html
    • Quick start: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
    • Build your own: https://github.com/awslabs/aws-config-rules & https://github.com/awslabs/aws-config-rdk

  62. Thank you!
    http://bit.ly/2utnjM2