Slide 1

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark.

Compliance & Governance as code
DevopsDays Geneva 2020
Jérôme Van Der Linden, AWS Solutions Architect
Bashar Al-Fallouji, AWS Solutions Architect

Slide 2

Agenda
• Governance
• Norms & Processes
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
… as code

Slide 3

If only we had more time…

Slide 4

The professional adventures of Leon


Slide 6

Every BIG story has a humble beginning…

Slide 7

Every BIG story has a humble beginning…

Diagram: AWS Cloud with Amazon EC2, Amazon RDS (MySQL), DNS, Storage (S3), Amazon EC2

Slide 8

Initial state

Slide 9

AWS Account(s) at Unicorn Rentals
• Frontend: Dev, Test, Staging, Prod
• Backend: Dev, Test, Staging, Prod

Slide 10

AWS Account as a Perimeter
• Security/Resource Boundary
• Service Limits
• Billing Separation


Slide 12

Why is one account sometimes not enough?

AWS Account as a Perimeter
• Many Teams
• Isolation
• Security Controls
• Business Process
• Billing

Slide 13

AWS Accounts at Unicorn Rentals (simplified)
• Frontend
• Dev
• Backend
• Analytics
• AI/ML

Slide 14

Image Source: https://pixabay.com/fr/photos/bureau-personnes-accus%C3%A9-accusant-2539844/

Product Owner + Business Analyst: “Can you open the service for yesterday?”
“It is not yet deployed, we don’t have the permission to create an instance.”
“We need to do pen tests before.”
“I did not receive any ticket to do so…”

Slide 15

Governance: Provision, Operate, Stability, Security & Compliance
Agility: Experiment, Be productive, Deliver faster

Slide 16

DevSecOps (Culture and Process)
• Break down cultural barriers
• Work as one team
• Support business and IT agility
• Collaborate and communicate
• Assurance artifacts
• Security Automation
• Test, measure, and monitor

Slide 17

Shared Responsibility in the Enterprise

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Foundation Services: Compute, Storage, Database, Networking

Governance & Risk / Business:
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints

Security Operations / Compliance:
• Lead change
• Audits & assurance
• Protection of workloads, shared services, interconnects
• MSB definition
• Cloud security operations

Product & Platform Teams:
• MSB customization
• Application/Platform infrastructure
• Security development lifecycle

Enterprise Security

Slide 18

Enable Governance at Scale
• Set up a landing zone
• Establish guardrails
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously



Slide 21

What is a landing zone?
• A configured, secure, scalable, multi-account AWS environment based on AWS best practices
• A starting point for net new development and experimentation
• A starting point for migrating applications
• An environment that allows for iteration and extension over time

Slide 22

AWS Organizations: centrally govern and manage AWS accounts and resources
• Control access and permissions
• Share resources across accounts
• Manage and define your organization and accounts
• Audit, monitor, and secure your environment for compliance
• Centrally manage costs and billing

Slide 23

AWS Organizations

Legend:
• Organization
• Member account
• Master account
• Organizational unit (OU)
• Administrative root (of an Organization)
• Service control policy (SCP)

Diagram: ROOT of the Organization, with OU (BU1), OU (BU2) and OU (ADM) beneath it

Slide 24

What accounts should I create?

Core accounts:
• AWS Organizations: Master Account (Orgs: account management)
• Log Archive (logs centralization)
• Security (security tools, AWS Config rules)
• Shared Services (Directory, limit monitoring)
• Network (Direct Connect)

Team/BU/Project/… accounts:
• Developer Sandbox (experiments, learning)
• Dev (development)
• Pre-Prod (staging)
• Prod (production)
• Team Shared Services (Team SS: data lake)

Also shown: Developer Accounts, Network Path, Data Center

Slide 25

Baseline requirements for all accounts
• InfoSec’s Cross-Account Roles
• AWS Account Credential Management (“Root Account”)
• Federation
• Actions & Conditions
• Map Enterprise Roles
• AWS CloudTrail Enabled


Slide 27

AWS Control Tower: Account Management, Guardrail Enforcement, Landing Zone
Built on AWS Landing Zone and AWS Organizations

Slide 28

Enable Governance at Scale
• Set up a landing zone
• Centralize identity and access
• Manage continuously
• Automate compliant account provisioning
• Establish guardrails

Slide 29

AWS Service Catalog
• Administrators: Standardize, Control, Govern
• Users: Agility, Self-Service, Time to Market

Allows organizations to create and manage catalogs of IT services and software on AWS. Users can quickly deploy approved IT services in a self-service manner.

Slide 30

AWS Service Catalog

Standardizes best practices:
• Constraints
• Security controls
• Parameter validation
• IAM assignment
• Tag enforcement

Product sources (managed by the AWS Service Catalog Admin):
• CloudFormation or Terraform
• AWS Product/Service
• AWS Marketplace third-party products
• Customer-Created AWS-Based Solution


Slide 32

Enable Governance at Scale: Preventive Guardrails
• Set up a landing zone
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
• Establish guardrails

Slide 33

Preventive Guardrails with Service Control Policies (SCPs)
• Control which AWS service APIs are accessible
• Define the list of APIs that are allowed – Whitelisting
• Define the list of APIs that must be blocked – Blacklisting

Note: SCPs only constrain member accounts; they never restrict the organization's master (management) account, so keep that account's usage minimal.


Slide 35

Inventory resources – the importance of Tags
• Operational support
• Resource management
• Cost & Usage allocation
  – Enable cost and usage reporting and alerting
• Automation
  – Trigger automation events
• Control & compliance
  – Attribute based access control

Slide 36

Inventory resources – Build a Tagging strategy
• Define a tagging taxonomy
• Publish a tagging dictionary
• Define the “rules of the game”
• Enforce rules

Example tagging dictionary (categories: Business, Technical, Secu, Auto, Confidentiality; Opt-in/Opt-out):
  lob=[HR|Fin|…]
  cost-center=[C2309|…]
  [email protected]
  application=Titan
  name=Titan-Backend-Database
  env=[dev|test|prod]
  version=2.0.1
  confidentiality=[Confidential|…|Public]

Slide 37

Catch up untagged resources with Resource Groups Editor
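To make the "rules of the game" from slide 36 checkable, and to catch untagged resources as slide 37 suggests, here is an added example (not from the talk) that validates tags against the dictionary above. The allowed-value sets, the mandatory-tag list, the "owner" key name and the sample resources are assumptions; the input follows the ResourceTagMappingList shape returned by the AWS Resource Groups Tagging API.

```python
import re

# Tagging dictionary derived from slide 36. Values beyond those shown on the
# slide (for example extra lines of business) are assumptions for this example.
TAG_RULES = {
    "lob": re.compile(r"^(HR|Fin)$"),
    "cost-center": re.compile(r"^C\d{4}$"),
    "owner": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),  # key name assumed
    "application": re.compile(r"^[A-Za-z][A-Za-z0-9-]*$"),
    "name": re.compile(r"^[A-Za-z0-9-]+$"),
    "env": re.compile(r"^(dev|test|prod)$"),
    "version": re.compile(r"^\d+\.\d+\.\d+$"),
    "confidentiality": re.compile(r"^(Confidential|Public)$"),
}
# Assumed "rules of the game": these tags must exist on every resource.
MANDATORY = ("lob", "cost-center", "owner", "env")


def validate_tags(tags):
    """Return the list of violations for one resource's {key: value} tags."""
    violations = [f"missing mandatory tag '{k}'" for k in MANDATORY if k not in tags]
    for key, value in tags.items():
        rule = TAG_RULES.get(key)
        if rule is None:  # only keys from the published dictionary are allowed
            violations.append(f"tag '{key}' is not in the tagging dictionary")
        elif not rule.match(value):
            violations.append(f"tag '{key}' has invalid value '{value}'")
    return violations


def find_non_compliant(resource_tag_mappings):
    """Map each non-compliant ResourceARN to its violations (untagged ones included)."""
    report = {}
    for item in resource_tag_mappings:
        tags = {t["Key"]: t["Value"] for t in item.get("Tags", [])}
        problems = validate_tags(tags)
        if problems:
            report[item["ResourceARN"]] = problems
    return report


# Constructed sample shaped like GetResources()["ResourceTagMappingList"].
SAMPLE_RESOURCES = [
    {"ResourceARN": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0good", "Tags": [
        {"Key": "lob", "Value": "Fin"}, {"Key": "cost-center", "Value": "C2309"},
        {"Key": "owner", "Value": "leon@example.com"}, {"Key": "env", "Value": "prod"}]},
    {"ResourceARN": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0bad", "Tags": [
        {"Key": "lob", "Value": "HR"}, {"Key": "env", "Value": "Production"},
        {"Key": "owner", "Value": "hans@example.com"}]},
    {"ResourceARN": "arn:aws:s3:::unicorn-untagged-bucket", "Tags": []},
]
```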


Slide 39

Automate: On-Create Tagging with CloudFormation

  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: '10.42.0.0/16'
      Tags:
        - Key: Name
          Value: '10.42.0.0/16'
        - Key: CostCenter
          Value: 'C3409'
        - Key: Environment
          Value: 'prod'

Slide 40

Enforce Tagging with Service Control Policies

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "DenyRunInstanceWithNoCostCenterTag",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": [
          "arn:aws:ec2:*:*:instance/*"
        ],
        "Condition": {
          "Null": {
            "aws:RequestTag/CostCenter": "true"
          }
        }
      }
    ]
  }

Slide 41

From: Hans Zummer
Date: Monday, 3 February 2018 at 11:00
To: “Leon”
Subject: SSH Access to our servers

I’ve been told by one of my security engineers that the VM daniela-0042 has SSH open to the world! Can you tell me what happened?

Regards,
Hans
Head of Security

Slide 42

Capture and analyze activity with AWS CloudTrail
• Capture: Record activity as CloudTrail events
• Store: Retain event logs in a secure S3 bucket
• Review: Analyze recent events and logs with Amazon Athena or CloudWatch Logs Insights
• Act: Trigger actions when important events are detected

Slide 43

Investigate a resource configuration change with CloudTrail

Slide 44

Re: SSH Access to our servers

That’s nice, but how can you DETECT IT FASTER and AVOID this HAPPENING AGAIN?

Slide 45

Enable Governance at Scale: Detective Guardrails
• Set up a landing zone
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
• Establish guardrails

Slide 46

Configuration management: Rule, Rule, Rule

Slide 47

Configuration management with AWS Config
• Continuous recording and continuous assessment service
• Tracks configuration changes to AWS resources
• Alerts you if the configuration is non-compliant with your policies
• Automated remediation of non-compliant resources
• Control and manage custom resources

Diagram: Changing resources → AWS Config (normalized) → Config rules → Amazon SNS Topic, CloudWatch Events, AWS Systems Manager Automation, AWS API Endpoint

Slide 48

Detect non-compliance with AWS Config Rules
• Config Rules represent the ideal configuration settings
• Config Rules are triggered on each resource configuration change
• AWS provides more than 120 managed Rules
• Ex: Approved AMIs, Enforce Tags, EBS Volumes encrypted, RDS multi-AZ, CloudTrail enabled, MFA Enabled, S3 Public Read prohibited, …
• … and Restricted SSH

Slide 49

Remediate non-conformity with AWS Systems Manager Automation
• Automate common and repetitive IT operations and management tasks
• 60+ predefined “Documents” (or Playbooks) describe actions to perform
• Ex: AttachIAMToInstance, CreateSnapshot, ResizeInstance, DisableS3BucketPublicReadWrite…
• … and DisablePublicAccessForSecurityGroup

Slide 50

Enforce conformity with Config Rules and Systems Manager

Slide 51

Simplify compliance checks with AWS Security Hub

Slide 52

Compliance - Custom Rule Example

Rule.Lambda.001: “Any environment variable defined in a Lambda function must be encrypted using a Customer Master Key”

Slide 53

Custom Config Rules
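Rule.Lambda.001 from slide 52 implemented as a change-triggered custom AWS Config rule, added here as an example (not the speakers' code). It assumes the configuration item for AWS::Lambda::Function exposes the function's environment variables under configuration.environment.variables and the customer-managed key under configuration.kmsKeyArn; the sample items at the bottom are constructed.

```python
import json


def evaluate_compliance(configuration_item):
    """Rule.Lambda.001: env vars must be encrypted with a customer master key (CMK).
    Returns (ComplianceType, Annotation) as expected by Config's PutEvaluations."""
    if configuration_item.get("resourceType") != "AWS::Lambda::Function":
        return "NOT_APPLICABLE", "Rule only evaluates Lambda functions"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Function has been deleted"
    config = configuration_item.get("configuration") or {}
    # Assumed key names (camelCase form of GetFunctionConfiguration output).
    variables = (config.get("environment") or {}).get("variables") or {}
    if not variables:
        return "COMPLIANT", "No environment variables defined"
    kms_key_arn = config.get("kmsKeyArn")
    if not kms_key_arn:
        # Without a CMK, Lambda falls back to the AWS managed key: rule violated.
        return "NON_COMPLIANT", "Environment variables are not encrypted with a CMK"
    return "COMPLIANT", f"Environment variables encrypted with {kms_key_arn}"


def lambda_handler(event, context):
    """Config rule entry point: evaluate the changed item and report it back."""
    import boto3  # imported here so evaluate_compliance stays testable offline
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance_type, annotation = evaluate_compliance(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance_type,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance_type


# Constructed sample configuration items for a local dry run.
UNENCRYPTED_ITEM = {"resourceType": "AWS::Lambda::Function", "resourceId": "titan-backend",
                    "configurationItemStatus": "OK",
                    "configuration": {"environment": {"variables": {"DB_PASSWORD": "s3cret"}}}}
CMK_ITEM = {"resourceType": "AWS::Lambda::Function", "resourceId": "titan-frontend",
            "configurationItemStatus": "OK",
            "configuration": {"environment": {"variables": {"API_URL": "https://x"}},
                              "kmsKeyArn": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"}}
```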




Slide 57

How to get started
• Control Tower: Set up your multi-account AWS environment
  https://aws.amazon.com/controltower/

Slide 58

How to get started
• Define your Tagging Strategy and enforce it with policies
  https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
  https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
  https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html

Slide 59

How to get started
• Enable Security Hub and CIS AWS Foundations Compliance Checks
  https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html

Slide 60

How to get started
• Enable AWS Config and set up Config Rules with Auto-Remediations
  https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html
• Quick start: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
• Build your own: https://github.com/awslabs/aws-config-rules & https://github.com/awslabs/aws-config-rdk


Slide 62

Thank you! http://bit.ly/2utnjM2