Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Architecting security and governance across your AWS environment

518 views

Published on

Architecting security and governance across your AWS environment

  • Be the first to comment

  • Be the first to like this

Architecting security and governance across your AWS environment

  1. 1. S U M M I T AMST ERDAM
  2. 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Architecting security & governance across your AWS environment Enrico A. Romani Solutions Architect Amazon Web Services S E C 0 0 2 Renate Hendriksen Cloud Engineer NN-Group Maurits Barendregt Cloud Engineer NN-Group
  3. 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Agenda • An enterprise-ready landing zone framework • NN-group • Looking forward
  4. 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Security/Resource Boundary API Limits/Throttling Billing Separation AWS Account
  5. 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Account security considerations Baseline Requirements Lock Enable Define Federate Establish Identify
  6. 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why one account isn’t enough Billing Many Teams Security / Compliance Controls Business Process Isolation
  7. 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T One account, Isolation with IAM and VPC “Gray” boundaries Complicated and messy over time Difficult to track resources People stepping on each other AWS Account
  8. 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T A New Solution We need: • Access to AWS services without barriers • Ability to make mistakes and fail fast without collateral damage • Smaller blast-radius for security incidents • Operations team to become Cloud Architects • Everyone able to influence digital transformation • Costs and resources tracked to individuals • Optimize code for AWS
  9. 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Guardrails NOT Blockers Auditable Flexible Automated Scalable Self-service Goals
  10. 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T What accounts should I create? Security AWS Account Network AWS AccountAWS Account Shared ServicesLog Archive AWS Account Organizations Account AWS Account SDLC AWS Account Sandbox AWS Account Business Unit AWS Account New Product AWS Account Other AWS Account
  11. 11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Log Archive Security Shared Services Network AWS Organizations AWS Organizations Core OU Corporate data center Sandbox Accounts DevelopmentQA Resource Accounts Product Accounts Business Unit Accounts ` Business Application OU
  12. 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Organizations and IAM • Create groups of AWS accounts with AWS Organizations (“ou”). • Use Organizations to attach SCPs to those groups to centrally control AWS service use. • Entities in the AWS accounts can only use the AWS services allowed by both the SCP and the AWS IAM policy for the account.
  13. 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Service Control Policies (SCPs) • Enables you to control which AWS service APIs are accessible - Define the list of APIs that are allowed – whitelisting - Define the list of APIs that must be blocked – blacklisting • SCPs are: Immutable to all users in the child account, including root Invisible to all users in the child account, including root Applied to all users in the child account, including root • Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions • IAM policy simulator is SCP aware
  14. 14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Disable Service APIs you Won’t be Using { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": ”<Insert unwanted service prefix here>:*", "Resource": "*" } ] } NotAction (New) (Optional) List the AWS actions exempt from the SCP. Used in place of the Action element. Resource (New) List the AWS resources the SCP applies to. Condition (New) (Optional) Specify conditions for when the statement is in effect. NEW Don’t miss: Track 2 - Security Deep Dive Elicium 1 @Margo Cronin
  15. 15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Organizations Master AWS Organizations Corporate data center No connection to DC Service control policies Consolidated billing Volume discount Minimal resources Limited access Restrict Orgs role!
  16. 16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Shared Services Log Archive Security Network Core accounts AWS Organizations Core Accounts Corporate data center Foundational Building Blocks Once per organization Have their own development life cycle (dev/qa/prod a.k.a OTAP)
  17. 17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Shared Services Log Archive Security Network Log archive account AWS Organizations Log Archive Core Accounts Corporate data center Versioned Amazon S3 bucket Restricted - MFA delete CloudTrail logs Security logs Single source of truth Alarm on user login Limited access
  18. 18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Log Archive Security Network Security account AWS Organizations Log Archive Security Core Accounts Corporate data center Optional data center connectivity Security tools and audit GuardDuty Master Cross-account read/write Automated Tooling Limited access Shared Services
  19. 19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Log Archive Security Shared Services Network Shared services account AWS Organizations Log Archive Security Core Accounts Corporate data center Connected to DC DNS LDAP/Active Directory Shared Services VPC Deployment tools Golden AMI Pipeline Scanning infrastructure Inactive instances Improper tags Snapshot lifecycle Monitoring Limited access
  20. 20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Shared Services Network account AWS Organizations Log Archive Security Network Core Accounts Corporate data center Managed by network team Networking services AWS Direct Connect AWS Direct Connect Gateway Transit Gateway Limited access
  21. 21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Sandbox Accounts DevelopmentQA Resource Accounts Product Accounts Business Unit Accounts Team/Group Accounts AWS Organizations Corporate data center ` Team/Group Accounts Based on level of needed isolation Match your development lifecycle Think Small
  22. 22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Sandbox Accounts Product Accounts Business Unit Accounts Resource Accounts AWS Organizations Corporate data center ` Team/Group Accounts Based on level of needed isolation Match your development lifecycle Think Small DevelopmentQAProduction Resource Accounts Sandbox Accounts
  23. 23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Resource Accounts Multi-account approach AWS Organizations Log Archive Security Shared Services Network Core Accounts Corporate data center ` Team/Group Accounts Product Accounts Business Unit Accounts Sandbox Accounts
  24. 24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T NN-Group S e c u r i t y & C o m p l i a n c e i n t h e c l o u d a t N N - G r o u p Renate Hendriksen Cloud Engineer at NN-Group renate.hendriksen@nn-group.com Maurits Barendregt Cloud Engineer at NN-Group maurits.barendregt@nn-group.com
  25. 25. 25 • NN’s roots lie in the 18th- century the Netherlands • Strong business positions; market positions built organically • Unified international culture with shared best practices • 17 million customers (excl. NN IP) • About 15,000 employees • Successful IPO on 2 July 2014 • Businesses rebranded to “NN” in 2015 • ING’s divestment of NN Group completed in April 2016 • Tender offer for Delta Lloyd successfully completed in April 2017 • Shareholders’ equity of EUR 22.7 bn at 15 February 2018 • Credit ratings1: A/stable (S&P), A+/stable (Fitch) International financial services company with strong businesses in Europe and Japan Some facts and figures Our brand promise ‘You matter’ 1. Financial Strength Ratings Key takeaways: 1. We are an European financial company, meaning we are regulated by the Dutch National Bank but also by other regulators 2. We have a lot of ‘proven technology’ 3. We are of reasonable size
  26. 26. What are our Key Takeaways? 1. Determine risk based the balance between security and freedom. • Risk Assessment – Control • Operating Model 2. Automation of security and compliance by design in a multi-account environment. • Scalability • Security & Compliance 26
  27. 27. How to use public cloud in a secure and compliant way? Step 1: Perform a risk assessment. Step 2: Incorporate Compliance Principles. Step 3: Determine the high-level security principles. (Cloud Risk & Security framework) Step 4: Set-up Security standards (CIA). Framework for cloud risk control Compliance Principles Security Principles Security Models Cloud Risk Assessment Security Standards Security Architecture Assumption: Cloud Services are not compliant by default!
  28. 28. What is the right balance between security and freedom? •All platform IT will be centrally organized. •Automated, self-service and designed for scale. 28 Operating Model Physical infrastructure Application services Solution Design with standard NN compliant building blocks 1 Use scripts and tools to automatically build, configure, test and manage services 1 Use tooling to operate, monitor and optimize Cloud infrastructure Develop standardized NN compliant components Generic service monitoring and reporting (e.g. security) Develop and test standard Cloud infra products Operate and manage Cloud infra services Design of standardized Cloud products Require basic understanding of NN infra components, infra development in automated environments (scripting, tools) and infra operations Requires capabilities to build NN compliant infra services in an automated Cloud environment Large part of the (manual) infra activities are placed at the CSPs: design, develop and operate standardized infra services and automation of processes Physical infrastructure is housed, managed and maintained by 3rd party CSPs Self-service interface AWSNNInfraNNBU’s
  29. 29. What is the right balance between security and freedom? •Risk assessment - biggest risks are known. •Different internal customers with different requirements, need certain level of freedom. •Balance between security and freedom: • Main boundaries implemented. • Enforced v.s. monitored. 29 Boundaries
  30. 30. Platform compliance (1/2) 30 Goal Providing a compliant AWS platform for our customers. Technical state compliance monitoring •Based on CIS best practice. •Some controls are enforced (risk based: e.g. public IP, disk encryption), the rest monitored. •Cloud custodian is used to implement the controls. Security event monitoring •AWS CloudTrail enforced on AWS Organizations level, send to our Central SIEM solution. •Security monitoring is done at our SOC. •Threat detection using AWS Guard Duty.
  31. 31. Platform compliance (2/2) 31 IAM •Automated role provisioning of IAM roles and policies to both AD and AWS. •SSO with multi factor. Change control and traceability •No manual access to A/P accounts. •Everything is automatically tested and deployed via a pipeline. •AWS Config enabled and enforced in all accounts. VCS Cloud team (Concourse) CI Pipeline Build Test Deploy Platform compliance TCM SIEM IAM Multi-account segregation Threat detection Linux/windows Base images TCM SIEM IAM Hardened OS CI/CD Capabilities GIT Build CI Test Community driven
  32. 32. What did we learn? Lessons learned • We started creating infrastructure manually, approach did not work because of: • Well, manually… •The next step was: Automation for a limited amount of accounts, approach did not work because of: • We ran into limits with our configuration. • A lot of work creating an account. • Multiple teams working in the same account, no clear ownership. •Next step: automation at scale (current setup), this approach works because of: • Very generic setup. • Fixes all the above things. •Next step: everything modular. 32
  33. 33. Multi-account setup 33 1. Infra as code 2. Automatically tested 3. Automatically deployed in all accounts 4. Results sent to our team
  34. 34. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  35. 35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Resource Accounts Multi-account approach AWS Organizations Log Archive Security Shared Services Network Core Accounts Corporate data center ` Team/Group Accounts Product Accounts Business Unit Accounts Sandbox Accounts
  36. 36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Next steps Define tagging strategy Define automation strategy Create Organizations Master account Create Log Archive account Create Security account Create Shared Services account Create Developer Sandbox account(s)
  37. 37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T The AWS Landing Zone solution An easy-to-deploy solution that automates the setup of new AWS multi-account environments Based on AWS best practices and recommendations Initial security and governance controls Baseline accounts and account vending machine Automated deployment
  38. 38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Landing Zone structure - Basic AWS Organizations Shared Services Log Archive Security Organizations Account • Account Provisioning • Account Access (SSO) Shared Services Account • Active Directory • Log Analytics Log Archive • Security Logs Security Account • Audit / Break-glass
  39. 39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Account vending machine AWS Service Catalog Account Vending Machine (AWS Service Catalog) • Account creation factory • User Interface to create new accounts • Account baseline versioning • Launch constraints Creates/updates AWS account Apply account baseline stack sets Create network baseline Apply account security control policy Account Vending Machine AWS Organizations Security AWS Log Archive AWS Shared Services AWS AWS New AWS
  40. 40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Next steps Define tagging strategy Define automation strategy Create Organizations Master account Create Log Archive account Create Security account Create Shared Services account Create Developer Sandbox account(s)
  41. 41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Control Tower’s automated landing zone ü AWS Organizations with a master and pre-created accounts for central log archive, cross-account audit, and shared services ü Pre-configured directory and single sign-on using AWS SSO (with Active Directory custom option*) ü Centralized monitoring and alerts using AWS Config, AWS CloudTrail, and AWS CloudWatch *Active Directory support is a roadmap feature post GA PREVIEW
  42. 42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Security Hub PREVIEW
  43. 43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Security Hub Compliance Standards • Based on CIS AWS Foundations Benchmark • Findings are displayed on main dashboard for quick access • Best practices information is provided to help mitigate issues Compliance Standards PREVIEW
  44. 44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Putting it All Together Policy Enforcement AWS Landing Zone Policy Deployment Notification Remediation Account Metadata: Owner, Function, Policies, BU, SDLC, Cost Center etc… Prod • Encrypt EBS • No IGW • Guardrail “x” QA • Encrypt EBS • Guardrail “x” • Guardrail “y” Policy “p” • Encrypt EBS • No IGW • Guardrail “y”
  45. 45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Additional Resources AWS Security Pillar Well Architected Framework http://bit.ly/WellArchSec CIS AWS Security Foundations Benchmark http://bit.ly/AWSCIS AWS Solutions: AWS Landing Zone http://bit.ly/AWSALZ CIS AWS Three-tier Web Architecture Benchmark http://bit.ly/AWSCIS3T
  46. 46. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  47. 47. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Enrico A. Romani eromani@amazon.nl
  48. 48. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  49. 49. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

×