Automating Compliance and Governance within a Continuously Threatened Technology Landscape

It seems like it was not too long ago that Optus and Medibank had cyber attacks launched on them, before other companies followed as well. With the government stepping up its expectations for companies navigating this risky time, understanding best practices in compliance and security has never been more needed. In this talk, I will cover tracking changes within the AWS environment with AWS Config, aligning them with best practices and policies according to industry practice within a multi-account, multi-region configuration using aggregators. I will expand on this by discussing how compliance can be automated by centralizing governance and monitoring through deployment, audit, remediation, and notification workflows.

Renaldi Gondosubroto

February 23, 2023

Transcript

  1. Agenda
     • Motivation
     • Planning for Self Service
     • Utilizing AWS Config
     • Case Study
     • Key Takeaways
     2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 2
  2. A Bit About Me
     Renaldi Gondosubroto, Software Developer for Seek Limited
     @Renaldig
     @renaldigondosubroto
  3. Motivation
     • Greater data breaches such as from Optus and Medibank
     • More work from home causing more workloads to run on the Cloud
     • Audit requirements
  4. Plan for Self-Service
     1. Plan: Analyze use cases for our platform
     2. Discover: Discover options from AWS for self-service
     3. Design: Set up a development framework
     4. Implement: Implement AWS Services
     5. Iterate: Revisit and adjust
  5. Challenges and Best Practices
     • Having both business agility and governance
     • Establish standards, design configurations before launching and managing
     • Establish baselines for each environment
  6. Establishing Environment Standards
     [Diagram: environment tiers Sandbox, Development, Staging, Production]
  7. Self Service Architecture
     [Diagram components: User Request, AWS Service Management Connector, AWS Service Catalog, AWS Config, AWS Systems Manager, Amazon EC2, Amazon S3, Amazon WorkSpaces]
  8. Utilizing AWS Config
     • Tracking configuration changes made to the cloud for up to 7 years
     • Evaluate changes against compliance policies set with AWS Config rules
     • Integrate with providers such as ServiceNow
     • Provide an aggregated view of compliance
  9. Using Rules with AWS Config
     • Setting rules to evaluate policies within AWS Config
     • AWS Config offers a range of pre-built rules that cover common compliance requirements such as HIPAA, PCI, and CIS
     • While pre-built rules can be very useful, you may have specific compliance requirements that are not covered by the pre-built rules
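The slide above ends on the case the pre-built rules do not cover: a requirement specific to your organization. The following is an added example, not code from the talk or from AWS, of a Lambda-backed custom AWS Config rule that enforces the environment standard from the "Establishing Environment Standards" slide (every resource must carry an Environment tag whose value is one of the four tiers). The event shape (invokingEvent, ruleParameters, resultToken, eventLeftScope) and the PutEvaluations call are the standard Config custom-rule contract; the tag key "Environment", the parameter names requiredTagKey and allowedValues, and the sample resource ids are assumptions made for this example.

```python
import json

# Environment tiers named on the "Establishing Environment Standards" slide.
# The tag key and the rule-parameter names are assumptions for this example.
REQUIRED_TAG = "Environment"
ALLOWED_ENVIRONMENTS = ("Sandbox", "Development", "Staging", "Production")


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (ComplianceType, Annotation) for one configuration item."""
    status = configuration_item.get("configurationItemStatus")
    if status in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        # A deleted resource cannot be out of policy; do not report it.
        return "NOT_APPLICABLE", "Resource has been deleted"
    tag_key = rule_parameters.get("requiredTagKey", REQUIRED_TAG)
    allowed = rule_parameters.get("allowedValues", ",".join(ALLOWED_ENVIRONMENTS))
    allowed = {v.strip() for v in allowed.split(",") if v.strip()}
    tags = configuration_item.get("tags") or {}
    value = tags.get(tag_key)
    if value is None:
        return "NON_COMPLIANT", f"Missing required tag '{tag_key}'"
    if value not in allowed:
        return "NON_COMPLIANT", (f"Tag '{tag_key}'='{value}' is not one of "
                                 f"{sorted(allowed)}")
    return "COMPLIANT", f"Tag '{tag_key}'='{value}' matches the environment standard"


def build_evaluation(event):
    """Turn a Config custom-rule invocation into one Evaluation dict, or None."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        # Scheduled and oversized invocations carry no inline configuration
        # item; a production rule would fetch the resources itself. Report
        # nothing rather than guess a verdict.
        return None
    item = invoking_event["configurationItem"]
    if event.get("eventLeftScope"):
        compliance, annotation = "NOT_APPLICABLE", "Resource left the rule's scope"
    else:
        compliance, annotation = evaluate_compliance(item, rule_parameters)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when AWS Config invokes the rule's Lambda function."""
    evaluation = build_evaluation(event)
    if evaluation is None:
        return {"submitted": 0}
    import boto3  # imported here so the module can be exercised without AWS access
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return {"submitted": 1, "compliance": evaluation["ComplianceType"]}


def make_event(tags, message_type="ConfigurationItemChangeNotification",
               left_scope=False):
    """Constructed sample invocation; the bucket name and token are made up."""
    invoking = {"messageType": message_type}
    if message_type == "ConfigurationItemChangeNotification":
        invoking["configurationItem"] = {
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "example-bucket",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2023-02-21T00:00:00.000Z",
            "tags": tags,
        }
    return {"invokingEvent": json.dumps(invoking), "ruleParameters": "{}",
            "resultToken": "constructed-result-token", "eventLeftScope": left_scope}


if __name__ == "__main__":
    for tags in ({"Environment": "Staging"}, {"Environment": "prod"}, {}):
        print(tags, "->", build_evaluation(make_event(tags))["ComplianceType"])
```

The evaluation logic is kept separate from the handler so it can be unit-tested with constructed configuration items; deleted and out-of-scope resources are reported as NOT_APPLICABLE, which keeps them from lingering as false non-compliance in the aggregated view.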
  10. Automating Your Config
     • Setting up Notifications
     • Working with snapshots on S3
     [Diagram components: Changing Resources, AWS Config, AWS Config Rules, Notifications, API Access, History, Normalized]
  11. Conformance Packs for AWS Config
     • Collection of AWS Config Rules
     • Authoring a YAML template containing the list of rules
     [Diagram components: S3 Bucket, API, SNS, AWS Config, AWS Config Conformance Pack, Rules, Evaluations Stored, Resource configuration snapshots, Normalized changes]
  12. Reporting with Aggregators
     [Diagram: Accounts and Regions, AWS Config Data Aggregator, Aggregated View]
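The aggregator slide shows the data flow but not what the "Aggregated View" looks like in practice. The following is an added example, not from the talk, that queries a configuration aggregator with Config's advanced query language for the AWS::Config::ResourceCompliance records marked NON_COMPLIANT and then rolls the rows up per account and region and per rule. The aggregator name EXAMPLE-AGGREGATOR is a placeholder, and the rows in SAMPLE_ROWS are constructed in the JSON-string shape that SelectAggregateResourceConfig returns, so the summary step runs offline.

```python
import json
from collections import Counter, defaultdict

AGGREGATOR_NAME = "EXAMPLE-AGGREGATOR"  # placeholder; not a name from the deck

# Advanced query against the aggregator. AWS::Config::ResourceCompliance is
# Config's own per-resource compliance record, so one row per failing resource.
NON_COMPLIANT_QUERY = (
    "SELECT accountId, awsRegion, configuration.targetResourceType, "
    "configuration.targetResourceId, configuration.configRuleList "
    "WHERE resourceType = 'AWS::Config::ResourceCompliance' "
    "AND configuration.complianceType = 'NON_COMPLIANT'"
)


def fetch_non_compliant(aggregator_name=AGGREGATOR_NAME):
    """Page through SelectAggregateResourceConfig and return the raw JSON rows."""
    import boto3  # lazy import so summarize() below can run without AWS access
    client = boto3.client("config")
    rows, kwargs = [], {}
    while True:
        resp = client.select_aggregate_resource_config(
            Expression=NON_COMPLIANT_QUERY,
            ConfigurationAggregatorName=aggregator_name, **kwargs)
        rows.extend(resp.get("Results", []))
        if not resp.get("NextToken"):
            return rows
        kwargs = {"NextToken": resp["NextToken"]}


def summarize(rows):
    """Roll JSON-string rows up into per-account/region and per-rule counts."""
    by_scope = Counter()              # (accountId, awsRegion) -> failing resources
    by_rule = Counter()               # configRuleName -> failing resources
    offenders = defaultdict(list)     # configRuleName -> [targetResourceId, ...]
    for raw in rows:
        row = json.loads(raw)
        by_scope[(row["accountId"], row["awsRegion"])] += 1
        cfg = row["configuration"]
        for rule in cfg.get("configRuleList", []):
            # A resource may pass some rules and fail others; count only failures.
            if rule.get("complianceType") == "NON_COMPLIANT":
                by_rule[rule["configRuleName"]] += 1
                offenders[rule["configRuleName"]].append(cfg["targetResourceId"])
    return {"by_scope": dict(by_scope), "by_rule": dict(by_rule),
            "offenders": dict(offenders)}


def _row(account, region, rtype, rid, rules):
    """Build one constructed result row (a JSON string, as the API returns)."""
    return json.dumps({
        "accountId": account, "awsRegion": region,
        "configuration": {
            "targetResourceType": rtype, "targetResourceId": rid,
            "configRuleList": [{"configRuleName": n, "complianceType": c}
                               for n, c in rules],
        },
    })


# Constructed sample rows; account ids, regions and resource ids are made up.
SAMPLE_ROWS = [
    _row("111111111111", "ap-southeast-2", "AWS::S3::Bucket", "bucket-a",
         [("required-tags", "NON_COMPLIANT"),
          ("s3-bucket-versioning-enabled", "COMPLIANT")]),
    _row("111111111111", "ap-southeast-2", "AWS::EC2::Instance", "i-0123456789abcdef0",
         [("required-tags", "NON_COMPLIANT")]),
    _row("222222222222", "us-east-1", "AWS::S3::Bucket", "bucket-b",
         [("s3-bucket-public-read-prohibited", "NON_COMPLIANT")]),
]


if __name__ == "__main__":
    report = summarize(SAMPLE_ROWS)
    for scope, count in sorted(report["by_scope"].items()):
        print(f"{scope[0]} {scope[1]}: {count} non-compliant resource(s)")
    for rule, count in sorted(report["by_rule"].items()):
        print(f"  {rule}: {count} -> {report['offenders'][rule]}")
```

Counting per rule rather than per resource matters for prioritisation: a resource that fails three rules appears once in by_scope but contributes to three entries in by_rule, which is the view a remediation backlog is normally worked from.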
  13. Creating an Audit Workflow
     [Diagram components: Managed Accounts (All Regions): Lambda Function Audit; Centralized Account (ap-southeast-2): SQS Queue Audit, Lambda Function Audit]
  14. Remediation Workflow
     [Diagram components: AWS Config Rules, Non-compliant resource, Lambda function (two), SQS Queue Remediate, SQS Queue RemediationEvents, DynamoDB Table Exemptions, Systems Manager Document (two), Systems Manager Automation (two); Managed Accounts (All Regions), Centralized Account (ap-southeast-2)]
  15. Notification Workflow
     [Diagram components: AWS Config Rules, EventBridge Default Event Bus, EventBridge Event Rule (two), SQS Queue Notifications, Lambda function, SNS Topic Notifications, Email (Internal); Managed Accounts (All Regions), Centralized Account (ap-southeast-2)]
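The audit, remediation and notification slides (13 to 15) share one control flow: a Config compliance change is forwarded from a managed account to the centralized account, checked against an exemptions table, and either queued for a Systems Manager Automation run or escalated, with a notification in every case. The following is an added example, not the talk's own code, of that routing step written as the Lambda that would drain the centralized SQS queue. The EventBridge event pattern and the detail fields (awsAccountId, awsRegion, configRuleName, newEvaluationResult and so on) follow the "Config Rules Compliance Change" event Config publishes; the in-memory dict and lists stand in for the DynamoDB Exemptions table and the two SQS queues on the slides, and RULE_TO_DOCUMENT is a hypothetical mapping (AWS-DisableS3BucketPublicReadWrite is an AWS-managed document, EXAMPLE-ApplyStandardTags is a placeholder).

```python
import json

# EventBridge rule pattern that forwards Config compliance changes from each
# managed account's default event bus towards the centralized queue.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"messageType": ["ComplianceChangeNotification"]},
}

# Hypothetical mapping of rule name to Systems Manager Automation document.
RULE_TO_DOCUMENT = {
    "s3-bucket-public-read-prohibited": "AWS-DisableS3BucketPublicReadWrite",
    "required-tags": "EXAMPLE-ApplyStandardTags",  # placeholder document name
}


class ComplianceRouter:
    def __init__(self, exemptions, rule_to_document=RULE_TO_DOCUMENT):
        # exemptions stands in for the DynamoDB Exemptions table:
        # {(awsAccountId, resourceId, configRuleName): reason}
        self.exemptions = exemptions
        self.rule_to_document = rule_to_document
        self.remediation_queue = []    # stands in for the SQS queue "Remediate"
        self.notification_queue = []   # stands in for the SQS queue "Notifications"

    def handle(self, event):
        """Route one compliance-change event; return the decision taken."""
        if (event.get("source") != "aws.config"
                or event.get("detail-type") != "Config Rules Compliance Change"):
            return "ignored"
        d = event["detail"]
        new = d["newEvaluationResult"]["complianceType"]
        old = (d.get("oldEvaluationResult") or {}).get("complianceType")
        target = {k: d[k] for k in ("awsAccountId", "awsRegion", "resourceType",
                                    "resourceId", "configRuleName")}
        if new != "NON_COMPLIANT":
            if old == "NON_COMPLIANT":
                # Closing the loop: tell the audit trail the finding is resolved.
                self.notification_queue.append({"kind": "resolved", **target})
                return "resolved"
            return "ignored"
        key = (d["awsAccountId"], d["resourceId"], d["configRuleName"])
        if key in self.exemptions:
            # Exempt resources are still reported, never silently dropped.
            self.notification_queue.append(
                {"kind": "exempt", "reason": self.exemptions[key], **target})
            return "exempt"
        document = self.rule_to_document.get(d["configRuleName"])
        if document is None:
            self.notification_queue.append({"kind": "needs_manual_review", **target})
            return "manual"
        self.remediation_queue.append({"document": document, **target})
        self.notification_queue.append(
            {"kind": "remediation_queued", "document": document, **target})
        return "remediate"

    def handle_sqs_batch(self, sqs_event):
        """Lambda-style entry: each SQS record body is one EventBridge event."""
        return [self.handle(json.loads(r["body"])) for r in sqs_event["Records"]]


def make_event(rule, resource_id, new, old=None, account="111111111111",
               region="ap-southeast-2", resource_type="AWS::S3::Bucket"):
    """Constructed sample event in the shape Config publishes to EventBridge."""
    detail = {
        "messageType": "ComplianceChangeNotification",
        "awsAccountId": account, "awsRegion": region,
        "resourceType": resource_type, "resourceId": resource_id,
        "configRuleName": rule,
        "newEvaluationResult": {"complianceType": new},
    }
    if old is not None:
        detail["oldEvaluationResult"] = {"complianceType": old}
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
            "region": region, "account": account, "detail": detail}


def make_sqs_batch(events):
    """Wrap EventBridge events as the SQS records a Lambda trigger delivers."""
    return {"Records": [{"body": json.dumps(e)} for e in events]}


if __name__ == "__main__":
    router = ComplianceRouter({("111111111111", "legacy-bucket",
                                "s3-bucket-public-read-prohibited"): "approved public assets"})
    batch = make_sqs_batch([
        make_event("s3-bucket-public-read-prohibited", "bucket-a", "NON_COMPLIANT"),
        make_event("s3-bucket-public-read-prohibited", "legacy-bucket", "NON_COMPLIANT"),
    ])
    print(router.handle_sqs_batch(batch), router.remediation_queue)
```

Keying exemptions on account, resource and rule together, rather than on the resource alone, keeps an exemption granted for one finding from silently suppressing every other rule on that resource; and because every branch writes to the notification queue, the audit trail records exempt and unmapped findings as well as the ones that were remediated.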
  16. New Features from Config
     • Proactive Compliance for Config Rules
     • Comprehensive Controls Management for AWS Control Tower
     • Amazon CloudWatch Cross-Account Observability
  17. Case Study
     • Problem of costs from patch management
     • Fully automating it through CloudTrail and Config
     • Saving much more over a long-term scale
  18. Key Takeaways
     • We need compliance within today’s Cloud-based world
     • AWS Config is a powerful tool to build compliance workflows around
     • Need to stay updated with the latest features