“… open the service for yesterday?” “It is not yet deployed, we don’t have the permission to create an instance.” “We need to do pen tests before.” “I did not receive any ticket to do so…”
rights reserved.

DevSecOps: Culture, Process, Security Automation
• Break down cultural barriers
• Work as one team
• Support business and IT agility
• Collaborate and communicate
• Assurance artifacts
• Test, measure, and monitor
Shared Responsibility in the Enterprise
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Foundation Services: Compute, Storage, Database, Networking
Enterprise Security:
Governance & Risk / Business
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
Security Operations / Compliance
• Lead change
• Audits & assurance
• Protection of workloads, shared services, interconnects
• MSB definition
• Cloud security operations
Product & Platform Teams
• MSB customization
• Application/Platform infrastructure
• Security development lifecycle
Enable Governance at Scale
• Set up a landing zone
• Establish guardrails
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
What is a landing zone?
• A configured, secure, scalable, multi-account AWS environment based on AWS best practices
• A starting point for net new development and experimentation
• A starting point for migrating applications
• An environment that allows for iteration and extension over time
AWS Organizations: centrally govern and manage AWS accounts and resources
• Control access and permissions
• Share resources across accounts
• Manage and define your organization and accounts
• Audit, monitor, and secure your environment for compliance
• Centrally manage costs and billing
AWS Organizations concepts
• Organization
• Administrative root (of an Organization)
• Organizational unit (OU)
• Master account
• Member account
• Service control policy (SCP)
Example hierarchy: ROOT with the OUs BU1, BU2 and ADM
What accounts should I create?
Core accounts (AWS Organizations: Master Account)
• Orgs (master account): account management
• Log Archive: logs centralization
• Security: security tools, AWS Config rules
• Shared Services: directory, limit monitoring
• Network: Direct Connect (network path to the data center)
Team/BU/Project/… accounts
• Dev: development
• Pre-Prod: staging
• Prod: production
• Team Shared Services (Team SS): data lake
Developer accounts
• Developer Sandbox (Dev Sandbox): experiments, learning
AWS Control Tower
• Account Management
• Guardrail Enforcement
• Landing Zone
Underlying building blocks: AWS Landing Zone, AWS Organizations
AWS Service Catalog
• Allows organizations to create and manage catalogs of IT services and software on AWS
• Users can quickly deploy approved IT services in a self-service manner
Administrators: standardize, control, govern. Users: agility, self-service, time to market.
Enable Governance at Scale: Preventive Guardrails (establish guardrails)
Preventive Guardrails with Service Control Policies (SCPs)
• Let you control which AWS service APIs are accessible in member accounts
• Define the list of APIs that are allowed – whitelisting
• Define the list of APIs that must be blocked – blacklisting
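The two SCP styles on the slide differ in how they are evaluated, and the difference is easy to get wrong: an explicit Deny always wins, and an action is usable only when some Allow statement covers it, at every level of the OU tree. The following Python is an added illustration, not AWS code and not the real policy engine. It builds one allow-list style SCP and one deny-list style SCP (the statements are constructed examples; the service and API names are real AWS action names) and evaluates actions against them with IAM-style wildcard matching. `NotAction`, conditions and resource-level matching are deliberately left out.

```python
"""Added example: how allow-list and deny-list SCPs constrain API access.

Illustrative code, not the AWS policy engine. Two rules are implemented:
an explicit Deny wins, and an action needs a matching Allow. Action patterns
use IAM wildcard syntax ("ec2:*", "s3:Get*"). NotAction and Condition are
not modelled. Both policies are constructed examples.
"""
import fnmatch

# Allow-list style SCP ("whitelisting" on the slide): only these services stay usable.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudwatch:*", "logs:*"], "Resource": "*"},
    ],
}

# Deny-list style SCP ("blacklisting" on the slide): full access minus explicit denies
# that protect the detective controls discussed later in the deck.
DENY_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        # Member accounts must not be able to silence the audit trail.
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"},
        # Keep the Config recorder running so detective guardrails keep evaluating.
        {"Effect": "Deny",
         "Action": ["config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports the * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_permits(policy: dict, action: str) -> bool:
    """True if the SCP leaves `action` available to IAM principals in the account."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return False  # explicit deny wins, regardless of any Allow
            allowed = True
    return allowed


def permits_under_all(policies, action: str) -> bool:
    """SCPs apply at every level of the OU tree: the action must pass each of them."""
    return all(scp_permits(p, action) for p in policies)


if __name__ == "__main__":
    for action in ["ec2:RunInstances", "iam:CreateUser", "cloudtrail:StopLogging"]:
        print(f"{action:26} allow-list: {scp_permits(ALLOW_LIST_SCP, action)!s:5} "
              f"deny-list: {scp_permits(DENY_LIST_SCP, action)!s:5} "
              f"both: {permits_under_all([ALLOW_LIST_SCP, DENY_LIST_SCP], action)}")
```

The practical takeaway is the last column: when an allow-list SCP sits on the root and a deny-list SCP on an OU, an action survives only if it passes both, which is why a service omitted from the root allow-list cannot be re-enabled lower down.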
Inventory resources – the importance of tags
• Operational support: resource management
• Cost & usage allocation: enable cost and usage reporting and alerting
• Automation: trigger automation events
• Control & compliance: attribute based access control
Inventory resources – build a tagging strategy
• Define a tagging taxonomy
• Publish a tagging dictionary
• Define the “rules of the game”
• Enforce rules
Example tags (categories: Business, Technical, Secu, Auto, Confidentiality; Opt-in/Opt-out):
• lob=[HR|Fin|…]
• cost-center=[C2309|…]
• [email protected]
• application=Titan
• name=Titan-Backend-Database
• env=[dev|test|prod]
• version=2.0.1
• confidentiality=[Confidential|…|Public]
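The "publish a tagging dictionary" and "enforce rules" steps only work if the dictionary is machine-checkable. The following Python is an added example, not the deck's or AWS's code: it encodes the slide's example tags as a dictionary of enumerations and patterns, validates a resource's tag set against it, and reports the non-compliant resources of a constructed inventory. The `owner` key is an assumption (the slide shows an e-mail value whose key was lost in extraction), the resource ids are placeholders, and the value rules (four-digit cost centre, semantic version) are mine, not the slide's.

```python
"""Added example: validating resource tags against a tagging dictionary.

Not AWS code. The dictionary mirrors the slide's example tags; the `owner`
key and the exact value patterns are assumptions. The inventory is
constructed sample data with placeholder resource ids.
"""
import re

# The tagging dictionary: every key listed is required.
# A set means an enumerated value list; a compiled regex means a pattern.
TAG_DICTIONARY = {
    "lob": {"HR", "Fin"},                        # business: line of business
    "cost-center": re.compile(r"^C\d{4}$"),      # business: e.g. C2309 (pattern assumed)
    "owner": re.compile(r"^[^@\s]+@[^@\s]+$"),   # business: an e-mail address (key name assumed)
    "application": re.compile(r"^[A-Za-z0-9-]+$"),  # technical: e.g. Titan
    "name": re.compile(r"^[A-Za-z0-9-]+$"),         # technical: e.g. Titan-Backend-Database
    "env": {"dev", "test", "prod"},                 # technical
    "version": re.compile(r"^\d+\.\d+\.\d+$"),      # technical: e.g. 2.0.1
    "confidentiality": {"Confidential", "Public"},  # confidentiality classification
}


def validate_tags(tags: dict) -> list:
    """Return a list of findings; an empty list means the tag set is compliant."""
    findings = []
    for key, rule in TAG_DICTIONARY.items():
        if key not in tags:
            findings.append(f"missing required tag '{key}'")
            continue
        value = tags[key]
        if isinstance(rule, set):
            if value not in rule:
                findings.append(f"tag '{key}': '{value}' not in {sorted(rule)}")
        elif not rule.match(value):
            findings.append(f"tag '{key}': '{value}' does not match {rule.pattern}")
    return findings


def non_compliant_resources(inventory: dict) -> dict:
    """Map resource id -> findings for every resource that breaks the rules of the game."""
    report = {}
    for resource_id, tags in inventory.items():
        findings = validate_tags(tags)
        if findings:
            report[resource_id] = findings
    return report


# Constructed inventory (placeholder resource ids, constructed owner address).
SAMPLE_INVENTORY = {
    "i-0aaa0000example01": {
        "lob": "Fin", "cost-center": "C2309", "owner": "titan-team@example.com",
        "application": "Titan", "name": "Titan-Backend-Database", "env": "prod",
        "version": "2.0.1", "confidentiality": "Confidential",
    },
    "i-0bbb0000example02": {  # bad cost centre, no owner, env outside the enumeration
        "lob": "HR", "cost-center": "2309", "application": "Titan",
        "name": "Titan-Backend-Database", "env": "production", "version": "2.0.1",
        "confidentiality": "Public",
    },
}

if __name__ == "__main__":
    for resource_id, findings in non_compliant_resources(SAMPLE_INVENTORY).items():
        print(resource_id)
        for finding in findings:
            print("  -", finding)
```

In an AWS account the same check would run over the tag sets returned by the Resource Groups Tagging API or over AWS Config configuration items, and the findings would feed a Config rule evaluation rather than a print loop; the dictionary itself is what the tagging policy documents under "rules of the game".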
11:00
To: “Leon” <[email protected]>
Subject: SSH Access to our servers
I’ve been told by one of my security engineers that the VM daniela-0042 has SSH open to the world! Can you tell me what happened?
Regards,
Hans
Head of Security
Capture and analyze activity with AWS CloudTrail
• Capture: record activity as CloudTrail events
• Store: retain event logs in a secure S3 bucket
• Review: analyze recent events and logs with Amazon Athena or CloudWatch Logs Insights
• Act: trigger actions when important events are detected
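The "Review" step is what answers a question like the one in Hans's e-mail: which principal authorized SSH from the world, from where, and when. The following Python is an added example, not the deck's or AWS's code. It walks a handful of constructed CloudTrail records (laid out in the CloudTrail record format, keeping only the fields used; user names, account id, security group ids and source addresses are placeholders) and reports every `AuthorizeSecurityGroupIngress` call whose `ipPermissions` open the SSH port to `0.0.0.0/0` or `::/0`. The same logic, expressed as an Athena or CloudWatch Logs Insights query over the log archive bucket, is what a detective guardrail would run.

```python
"""Added example: reviewing CloudTrail events for world-open SSH rules.

Not AWS code. SAMPLE_EVENTS are constructed records in the CloudTrail record
format (only the fields used here); principals, ids and addresses are
placeholders. find_world_open_ssh() returns who opened the port, when, from
which source address and on which security group.
"""
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample events, as they would sit in the log archive bucket.
SAMPLE_EVENTS = [
    {"eventTime": "2019-05-20T09:41:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0placeholder0001",
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventTime": "2019-05-20T10:02:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0placeholder0002",
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventTime": "2019-05-20T10:15:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Admin/placeholder-session"},
     "requestParameters": {"groupId": "sg-0placeholder0003",
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {"items": []}}]}}},
]


def _covers_port(perm: dict, port: int) -> bool:
    """Does this ipPermissions entry reach `port`? Protocol -1 means all traffic."""
    proto = perm.get("ipProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)


def _world_cidrs(perm: dict) -> list:
    """CIDRs in this entry that mean 'anyone', IPv4 or IPv6."""
    ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
    cidrs = [r.get("cidrIp") or r.get("cidrIpv6") for r in ranges]
    return [c for c in cidrs if c in WORLD]


def _principal(identity: dict) -> str:
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def find_world_open_ssh(events, port: int = 22) -> list:
    """Return one finding per ingress authorization that opens `port` to the world."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = ev.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            cidrs = _world_cidrs(perm)
            if cidrs and _covers_port(perm, port):
                findings.append({"time": ev["eventTime"], "who": _principal(ev["userIdentity"]),
                                 "from": ev.get("sourceIPAddress"), "groupId": params.get("groupId"),
                                 "region": ev.get("awsRegion"), "cidrs": cidrs})
    return findings


if __name__ == "__main__":
    for f in find_world_open_ssh(SAMPLE_EVENTS):
        print(f"{f['time']} {f['who']} from {f['from']} opened port 22 on {f['groupId']} to {f['cidrs']}")
```

Note that a permissive `ipProtocol` of `-1` (all traffic) or a port range that merely includes 22 is treated the same as an explicit 22/tcp rule; checks that only match `fromPort == 22` miss both.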
Enable Governance at Scale: Detective Guardrails (establish guardrails)
Configuration management with AWS Config
• Continuous recording and continuous assessment service
• Tracks configuration changes to AWS resources
• Alerts you if the configuration is non-compliant with your policies
• Automated remediation of non-compliant resources
• Control and manage custom resources
Flow: changing resources → AWS Config (normalized) → Config rules → Amazon SNS topic, CloudWatch Events, AWS Systems Manager Automation, AWS API endpoint
Remediate non-conformity with AWS Systems Manager Automation
• Automate common and repetitive IT operations and management tasks
• 60+ predefined “Documents” (or playbooks) describe the actions to perform
• Examples: AttachIAMToInstance, CreateSnapshot, ResizeInstance, DisableS3BucketPublicReadWrite…
• … and DisablePublicAccessForSecurityGroup
How to get started
• Define your tagging strategy and enforce it with policies
  https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
  https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
  https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
• Enable Security Hub and the CIS AWS Foundations compliance checks
  https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html
• Enable AWS Config and set up Config rules with auto-remediation
  https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html
  Quick start: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
  Build your own: https://github.com/awslabs/aws-config-rules and https://github.com/awslabs/aws-config-rdk