Automating Compliance and Governance within a Continuously Threatened Technology Landscape

Transcript

1. Automating Compliance and Governance within a Continuously Threatened Technology Landscape

   Renaldi Gondosubroto

2. Agenda Motivation Planning for Self Service Utilizing AWS Config Case

   Study Key Takeaways 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 2

3. A Bit About Me Renaldi Gondosubroto Software Developer for Seek

   Limited @Renaldig @renaldigondosubroto 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 3

4. Motivation • Greater data breaches such as from Optus and

   Medibank • More work from home causing more workloads run on the Cloud • Audit requirements 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 4

5. Plan for Self-Service Plan Analyze use cases for our platform

   Discover Discover options from AWS for self-service Design Set up a development framework Implement Implement AWS Services Iterate Revisit and adjust 1 2 3 4 5 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 5

6. Challenges and Best Practices • Having both business agility and

   governance • Establish standards, design configurations before launching and managing • Establish baselines for each environment 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 6

7. Establishing Environment Standards 2/21/2023 Automating Compliance and Governance within a

   Continuously Threatened Technology landscape 7 Sandbox Development Staging Production

8. Self Service Architecture 2/21/2023 Automating Compliance and Governance within a

   Continuously Threatened Technology landscape 8 User Request AWS Service Management Connector AWS Service Catalog AWS Config AWS Systems Manager Amazon EC2 Amazon S3 Amazon WorkSpaces

9. Utilizing AWS Config • Tracking configuration changes made to the

   cloud for up to 7 years • Evaluate changes against compliance policies set with AWS Config rules • Integrate with providers such as ServiceNow • Provide an aggregated view of compliance 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 9

10. Using Rules with AWS Config • Setting rules to evaluate

    policies within AWS Config • AWS Config offers a range of pre-built rules that cover common compliance requirements such as HIPAA, PCI, and CIS • While pre-built rules can be very useful, you may have specific compliance requirements that are not covered by the pre-built rules 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 10

11. Automating Your Config • Setting up Notifications • Working with

    snapshots on S3 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 11 Changing Resources AWS Config AWS Config Rules Notifications API Access History Normalized

12. Conformance Packs for AW Config • Collection of AWS Config

    Rules • Authoring a Yaml template containing the list of rules 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 12 S3 Bucket API SNS AWS Config AWS Config Conformance Pack Rules Evaluations Stored Resource configuration snapshots Normalized changes

13. Reporting with Aggregators 2/21/2023 Automating Compliance and Governance within a

    Continuously Threatened Technology landscape 13 Accounts and Regions AWS Config Data Aggregator Aggregated View

14. Creating an Audit Workflow 2/21/2023 Automating Compliance and Governance within

    a Continuously Threatened Technology landscape 14 All Regions Managed Accounts All Regions Lambda Function Audit SQS Queue Audit Lambda Function Audit ap-southeast-2 Centralized Account

15. Remediation Workflow 2/21/2023 Automating Compliance and Governance within a Continuously

    Threatened Technology landscape 15 Lambda function Lambda function SQS Queue Remediate DynamoDB Table Exemptions SQS Queue RemediationEvents Systems Manager Document Systems Manager Automation Systems Manager Automation Systems Manager Document AWS Config Rules Non-compliant resource Managed Accounts Centralized Account ap-southeast-2 All Regions

16. Notification Workflow 2/21/2023 Automating Compliance and Governance within a Continuously

    Threatened Technology landscape 16 Managed Accounts All Regions ap-southeast-2 Internal Centralized Account SNS Topic Notifications EventBridge Event Rule Notifications EventBridge Default Event Bus SQS Queue Notifications Lambda function Email EventBridge Event Rule AWS Config Rules All Regions

17. New Features from Config • Proactive Compliance for Config Rules

    • Comprehensive Controls Management for AWS Control Tower • Amazon CloudWatch Cross-Account Observability 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 17

18. Case Study • Problem of costs from patch management •

    Fully automating it through CloudTrail and Config • Saving much more over a long-term scale 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 18

19. Key Takeaways • We need compliance within today’s Cloud-based world

    • AWS Config is a powerful tool to build compliance workflows around • Need to stay updated with the latest features 2/21/2023 Automating Compliance and Governance within a Continuously Threatened Technology landscape 19

20. Thank you Connect with me Twitter Handle: @Renaldig LinkedIn: @renaldigondosubroto