© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark. Compliance & Governance as code DevopsDays Geneva 2020 AWS Solutions Architect Jérôme Van Der Linden Bashar Al-Fallouji AWS Solutions Architect

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 2 Agenda • Governance • Norms & Processes • Risk Management • ITSM • ITIL • Compliance • Assets • CMDB • Rules • Remediation • Remediation • Regulations • Dregulation • ACRO • NYME • Buzzword • Assets • CMDB • Rules • Remediation … as code • Governance • Norms & Processes • Risk Management • ITSM • ITIL • Compliance • Assets • CMDB • Rules • Remediation • ILoveChurros • Regulations • Dregulation • ACRO • NYME • Buzzword • Assets • CMDB • Rules • IfYouCanReadThis • Norms & Processes • Risk Management • ITSM • ITIL • Compliance • Assets • CMDB • Rules • Remediation • Remediation • Regulations • Dregulation • ACRO • NYME • Buzzword • Assets • CMDB • Rules • YouGotBetterEyesThanMe • Norms & Processes • Risk Management • ITSM • ITIL • Compliance • Assets • CMDB • Rules • Remediation • Remediation • Regulations • Dregulation • ACRO • NYME • Buzzword • Assets • CMDB • Governance • Norms & Processes • Risk Management • ITSM • ITIL • Compliance • Assets • CMDB • Rules • Remediation • GreatAcronym • Regulations • Dregulation • ACRO • NYME • Buzzword • Assets • CMDB • Rules

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 3 If only we had more time…

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 4 The professional adventures of Leon

No content

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 6 Every BIG story has a humble beginning…

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 7 Every BIG stories have a humble beginning… AWS Cloud Amazon EC2 Amazon RDS MySQL DNS Storage (S3) Amazon EC2

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 8 Initial state

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 9 Frontend Dev Test Staging Prod Backend Dev Test Staging Prod AWS Account(s) at Unicorn Rentals

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 10 AWS Account as a Perimeter Security/Resource Boundary Service Limits Billing Separation

No content

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 12 Why sometimes one isn’t enough? AWS Account as a Perimeter Many Teams Isolation Security Controls Business Process Billing

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 13 Frontend Dev Backend Analytics AI/ML AWS Accounts at Unicorn Rentals (simplified)

Image Source: https://pixabay.com/fr/photos/bureau-personnes-accus%C3%A9-accusant-2539844/ Product Owner + Business Analyst “Can you open the service for yesterday ?” “It is not yet deployed, we don’t have the permission to create an instance.” “We need to do pen tests before.” “I did not receive any ticket to do so…”

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 15 Governance Provision Operate Stability Security & Compliance Agility Experiment Be productive Deliver faster

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 16 DevSecOps Break down cultural barriers Work as one team Support business and IT agility Collaborate and communicate Assurance artifacts Security Automation Test, measure, and monitor Culture Process

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Governance & Risk Business • Culture of security and continual improvement • Ongoing audits and assurance • Protection of large-scale service endpoints Security Operations Compliance • Lead change • Audits & assurance • Protection of workloads, shared services, interconnects • MSB definition • Cloud security operations Product & Platform Teams • MSB customization • Application/Platform infrastructure • Security development lifecycle Enterprise Security Shared Responsibility in the Enterprise

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 18 Enable Governance at Scale Set up a landing zone Establish guardrails Automate compliant account provisioning Centralize identity and access Manage continuously

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 19 Enable Governance at Scale Set up a landing zone Establish guardrails Automate compliant account provisioning Centralize identity and access Manage continuously

No content

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 21 What is a landing zone? • A configured, secure, scalable, multi-account AWS environment based on AWS best practices • A starting point for net new development and experimentation • A starting point for migrating applications • An environment that allows for iteration and extension over time H

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Organizations Centrally govern and manage AWS accounts and resources Control access and permissions Share resources across accounts Manage and define your organization and accounts Audit, monitor, and secure your environment for compliance Centrally manage costs and billing

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 23 AWS Organizations Organization Member account Master account Organizational unit (OU) Administrative root (of an Organization) Service control policy (SCP) Organization OU (BU1) OU (BU2) OU (ADM) ROOT

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 24 What accounts should I create? Core Accounts Security AWS Organizations : Master Account Shared Services Network Log Archive Dev Pre-Prod Team/BU/Project/… Accounts Prod Team Shared Services Network Path Developer Sandbox Developer Accounts Data Center Orgs: Account management Log Archive: Logs centralization Security: Security tools, AWS Config rules Shared services: Directory, limit monitoring Network: Direct Connect Dev Sandbox: Experiments, Learning Dev: Development Pre-Prod: Staging Prod: Production Team SS: Team Shared Services, Data Lake

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 25 InfoSec’s Cross- Account Roles AWS Account Credential Management (“Root Account”) Federation Actions & Conditions Map Enterprise Roles AWS CloudTrail Enabled Baseline requirements for all accounts

No content

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 27 AWS Control Tower AWS Control Tower Account Management Guardrail Enforcement Landing Zone AWS Landing Zone AWS Organizations AWS Organizations

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 28 Enable Governance at Scale Set up a landing zone Centralize identity and access Manage continuously Automate compliant account provisioning Establish guardrails

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 29 AWS Service Catalog Users Administrators Standardize Control Govern Agility Self-Service Time to Market Allows organizations to create and manage catalogs of IT services and software on AWS Users can quickly deploy approved IT services in a self-service manner.

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 30 AWS Service Catalog üConstrains üSecurity controls üParameter validation üIAM assignment üTag enforcement Standardizes best practices CloudFormation or Terraform AWS Product/Service AWS Marketplace third-party products Customer- Created AWS- Based Solution AWS Service Catalog Admin

No content

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 32 Enable Governance at Scale: Preventive Guardrails Set up a landing zone Automate compliant account provisioning Centralize identity and access Manage continuously Establish guardrails

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 33 Preventive Guardrails with Service Control Policies (SCPs) • Enables to control which AWS service APIs are accessible • Define the list of APIs that are allowed – Whitelisting • Define the list of APIs that must be blocked – Blacklisting

No content

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 35 Inventory resources – the importance of Tags • Operational support • Resource management • Cost & Usage allocation • Enable cost and usage reporting and alerting • Automation • Trigger automation events • Control & compliance • Attribute based access control

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 36 Inventory resources – Build a Tagging strategy Define a tagging taxonomy Publish a tagging dictionary Define the “rules of the game” Enforce rules lob=[HR|Fin|…] cost-center=[C2309|…] owner=project-lead@comp.com application=Titan name=Titan-Backend-Database env=[dev|test|prod] version=2.0.1 confidentiality=[Confidential|… …|Public] Business Technical Secu Auto Confidentiality Opt-in/Opt-out

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 37 Catch up untagged resources with Resources Groups Editor

No content

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 39 Automate: On-Create Tagging with CloudFormation VPC: Type: 'AWS::EC2::VPC' Properties: CidrBlock: '10.42.0.0/16’ Tags: - Key: Name Value: '10.42.0.0/16’ - Key: CostCenter Value: ‘C3409’ - Key: Environment Value: ‘prod'

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 40 Enforce Tagging with Service Control Policies { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyRunInstanceWithNoCostCenterTag", "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:*:*:instance/*" ], "Condition": { "Null": { "aws:RequestTag/CostCenter": "true" } } } ] }

From: Hans Zummer Date: Monday, 3 February 2018 at 11:00 To: “Leon” Subject: SSH Access to our servers I’ve been told by one of my security engineers that the VM daniela-0042 has SSH open to the world! Can you tell me what happened ? Regards, Hans Head of Security

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 42 Capture and analyze activity with AWS CloudTrail Capture Record activity as CloudTrail events Act Trigger actions when important events are detected Store Retain events logs in secure S3 bucket Review Analyze recent events and logs with Amazon Athena or CloudWatch Logs Insights

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 43 Investigate a resource configuration change with CloudTrail

That’s nice but can how can you DETECT IT FASTER and AVOID this TO HAPPEN AGAIN? Re: SSH Access to our servers

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 45 Enable Governance at Scale: Detective Guardrails Set up a landing zone Automate compliant account provisioning Centralize identity and access Manage continuously Establish guardrail s

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 46 R u l e Configuration management R u l e R u l e

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 47 Configuration management with AWS Config • Continuous recording and continuous assessment service • Tracks configuration changes to AWS resources • Alerts you if the configuration is non-compliant with your policies • Automated remediation of non-compliant resources • Control and manage custom resources AWS Config Changing resources Normalized Config rules Amazon SNS Topic CloudWatch Events AWS Systems Manager Automation AWS API Endpoint

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 48 Detect non-compliance with AWS Config Rules • Config Rules represent the ideal configuration settings • Config Rules are triggered on each resource configuration change • AWS provides more than 120 managed Rules • Ex: Approved AMIs, Enforce Tags, EBS Volumes encrypted, RDS multi-AZ, CloudTrail enabled, MFA Enabled, S3 Public Read prohibited, … 120+ AWS Config Managed Rules • … and Restricted SSH

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 49 Remediate to non-conformity with AWS Systems Manager Automation • Automate common and repetitive IT operations and management tasks • 60+ Predefined ”Documents” (or Playbooks) describe actions to perform • Ex: AttachIAMToInstance, CreateSnapshot, ResizeInstance, DisableS3BucketPublicReadWrite… • … and DisablePublicAccessForSecurityGroup

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 50 Enforce conformity with Config Rules and Systems Manager

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 51 Simplify compliance check with AWS Security Hub

Compliance - Custom Rule Example Rule.Lambda.001 : “Any environment variable defined in a Lambda function must be encrypted using a Customer Master Key”

Custom Config Rules

Custom Config Rules

Custom Config Rules

No content

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 57 How to get started • Control Tower: Setup your multi-account AWS environment • https://aws.amazon.com/controltower/

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 58 How to get started • Define your Tagging Strategy and enforce it with policies • https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 59 How to get started • Enable Security Hub and CIS AWS Foundations Compliance Checks • https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 60 How to get started • Enable AWS Config and setup Config Rules with Auto-Remediations • https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html • Quick start: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html • Build your own: https://github.com/awslabs/aws-config-rules & https://github.com/awslabs/aws-config-rdk

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 61

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank you ! http://bit.ly/2utnjM2