As your cloud operations evolve, complexity of governance, compliance, and risk auditing of your AWS account increases. With AWS Config you can automate your controls and compliance efforts so that they scale with your cloud footprint. You can proactively audit your AWS resources, assess changes in configurations, and leverage visual dashboard to check your overall compliance status. In this session, we will help you use AWS Config and other AWS Management Tools to automate configuration governance so that compliance is embedded in the development process.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Automating Compliance & Governance
Jeffery Levine, Solutions Architect
Rahul Rahul, Technical Act Manager

2. Agenda
• What are compliance & governance?
• Why automation?
• AWS IAM & Service Catalog (Briefly)
• AWS Config
• AWS CloudTrail
• Pulling it together
• Demo

3. What are compliance & governance?
According to Gartner:
Compliance is the “process of adhering to policies and decisions.”
http://www.gartner.com/it-glossary/compliance
“IT governance (ITG) is defined as the processes that ensure the effective and
efficient use of IT in enabling an organization to achieve its goals.”
http://www.gartner.com/it-glossary/it-governance

4. So what does this mean for us?
If we want to ensure the effective use of IT in enabling an
organization to achieve its governance and compliance
goals, we have to know what our IT is doing.
• Phase 1: Control what IT is supposed to do
• Phase 2: Monitor what IT is doing
• Phase 3: Respond to IT incidents and perform reporting
and remediation as appropriate.

5. Who is responsible?

6. But we have a problem….
The cloud is dynamic.
Resources come and go.
Things scale up and they scale down.
So how do you implement governance in the cloud?

7. Automation.
Use the cloud to protect the cloud.

8. Why governance automation?
• Reduce risk of human error
• - Automation is effective
• - Automation is reliable
• - Automation is scalable
• Don’t worry…we still need humans!

9. Phase 1: Control
• Prevent actions that could be bad
• IAM Policies
• Service Catalog
• Disable Root credentials
• Check on GitHub for access keys available publicly

10. IAM Policy to Restrict Instance Types
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:111122223333:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType": “t2.micro"
}
}
}
]
}
t2.micro = $0.012/hr
p2.16xlarge = $14.4/hr

11. IAM User Access keys: Keep them safe
• Do not generate access key for root account
• Use IAM roles
• Code to prevent you from committing secrets and
credentials into git repositories
• https://github.com/awslabs/git-secrets

12. Example: AWS Config: No IAM permissions

13. CloudTrail: Read-only permissions

14. What is AWS Service Catalog?
AWS Service Catalog allows organizations to create and manage
catalogs of IT services. It enables users to quickly deploy the approved
IT services they need in a self-service manner.
Organizations Developers
Control
Standardization
Governance
Agility
Self-service
Time to market

15. Why should I use AWS Service Catalog?
• Self-service
• Increase agility with access to services
• Promote standardization
• Compliance with business goals and policies
• Control provisioning of AWS resources
• Restrict user permissions

16. Phase 2: Monitor
Gather necessary data to see how IT resources are being
used.
• AWS Config/Config Rules
• CloudTrail

17. AWS Config / Config Rules - Overview
AWS Config
• Enables you to assess, audit, and evaluate the
configurations of your AWS resources
• Monitors and records your AWS resource configurations
AWS Config Rules
• Managed (pre-defined) or Customer-created rules that
AWS periodically runs to evaluate your configuration to
see if configuration is in compliance and provides action.

18. AWS Config – Recording Process
• AWS periodically interrogates AWS resources using
list and describe API calls.
• AWS Config seeks to answer the question “What is the
state of my resources?” not “How did my resources get
to be configured as they are?”

19. AWS Config - Overview
In short:
AWS Config offers a configuration management “lens” on
your AWS resources that can be helpful in your corporate
governance objectives.

20. AWS Config – Configuration Items
• AWS Config records Configuration Items that contain
information about an AWS resource. It also keeps track
of relationships between resources.
• AWS Config sends a configuration history file every six
hours to your S3 bucket if changes were made in that
interval. It can also send a snapshot on demand.

21. AWS Config Rules
• Rules can either be managed (supplied by AWS) or
customer-defined using Lambda functions
• Rules are run either on a scheduled basis or in response
to resource changes.

22. AWS Config & Config Rules
Changing
resources
AWS Config
Config Rules
Evaluations
History, Snapshot
Notifications
API Access
Normalize

23. AWS Config: Inventory and compliance

24. AWS CloudTrail - Overview
• AWS CloudTrail is a
fully managed service
that records API calls
made on your AWS
account.
• CloudTrail helps you
gain visibility into API
activity, enables you to
troubleshoot
operational issues,
conduct security
analysis and meet
internal or external
compliance
requirements.
Customers
are making
API calls...
On a
growing set
of services
around the
world…
CloudTrail is
continuously
recording API
calls…
And
delivering
events and
log files to
customers

25. What can you answer using a CloudTrail event?
 Who made the API call?
 When was the API call made?
 What was the API call?
 Which resources were acted up on in the API call?
 Where was the API call made from and made to?
AWS CloudTrail seeks to answer the question “What is in the process
of happening in my AWS environment?”

26. CloudTrail Features
Service Coverage
• Most AWS services are integrated
with CloudTrail
• Includes most new services
Features
• S3 Data Events: Get timely events for object-level API
activity for action and audit
• Event selectors to filter or add event types to a trail
• User identity included in AssumeRole calls, so you can
trace IAM user, even in role-based APIs.
• Turn on a trail in all existing and future AWS regions
• Support for 5 trails per region
• Encrypt CloudTrail log files using your KMS key
• Log File Integrity Validation
• PCI, ISO 270001/9001, 27017, 27018, SOC1,2,3
• API events can be captured by CloudWatch events

27. What does an event look like?
{
"userIdentity":{
"type":"AssumedRole",
"principalId":"ABCDEFGHIJKLMNOPQRSTU:awsusername",
"arn":"arn:aws:sts::123456789012:assumed-role/Admin/awsusername",
"accountId":"123456789012",
"accessKeyId":"ABCDEFGHIJKLMNOPQRST",
}
},
"eventTime":"2017-07-06T01:51:41Z",
"eventSource":"ec2.amazonaws.com",
"eventName":"AuthorizeSecurityGroupIngress",
"awsRegion":"us-west-2",
"sourceIPAddress":"999.999.999.999",
"userAgent":"console.ec2.amazonaws.com",
"requestParameters":{
"groupId":"sg-ABCDEFGH",
"ipPermissions":{
"items":[{"ipProtocol":"tcp", "fromPort":23, "toPort":23}]
}
},
"responseElements":{"_return":true},
"requestID":"1-2-3-4-5",
"eventID":"6-7-8-9-0",
"eventType":"AwsApiCall"
}

28. Scenario:
Suppose someone adds an ingress port to an EC2 security
group. How can we detect the change?
Using AWS Config?
Using AWS CloudTrail?

29. The AWS Config Approach
AWS Config will periodically use the list and describe
calls to see if the resource has changed and execute a rule
if requested. AWS Config keeps track of the resource
state over those periods. It’s a configuration timeline.

30. The AWS CloudTrail Approach
You can use AWS CloudTrail to see if an API call (e.g.
AuthorizeSecurityGroupIngress) acted upon the security
group and generated an API event that could be processed
by CloudWatch Events in near real time.

31. So which is better?
Q: Should you use AWS Config or AWS CloudTrail to
monitor security groups?
A: You can use either. It depends on your goal. Is your
goal to maintain a configuration timeline? Or, is your goal
to respond to a security incident. You can use both for a
defense-in-depth approach

32. Phase 3: Respond using AWS services
AWS Config Rules
CloudWatch Events
with Lambda rules

33. Lambda Functions – Event-Driven
• For AWS Config Rules
• Lambda function is passed an event
• Function processes event and optionally performs remediation
• Returns status of COMPLIANT, NON_COMPLIANT, or NOT_APPLICABLE
• Compliance status is reflected in AWS Config Dashboard
• Community repository of functions at
https://github.com/awslabs/aws-config-rules
• For Amazon Cloudtrail/CloudWatch Events
• Lambda function is passed an API event
• Function performs notification through CloudWatch Logs and optionally
performs remediation.

34. Pulling it All Together
Phase 1
Control
IAM
Service Catalog
Phase 2
Monitor
Config
CloudTrail
Phase 3
Respond
Config Rules
CloudWatch Events
+
CloudFormation Templates
=
Governance as Code

35. DEMO!

36. Additional Resources
https://aws.amazon.com/blogs/security/how-to-monitor-
aws-account-configuration-changes-and-api-calls-to-
amazon-ec2-security-groups/
https://aws.amazon.com/blogs/security/now-available-
videos-and-slide-decks-from-reinvent-2016-security-and-
compliance-sessions/#more-2173
https://aws.amazon.com/cloudtrail/
https://aws.amazon.com/config/
https://github.com/awslabs/aws-security-
benchmark/blob/master/aws_cis_foundation_framework/aw
s-cis-foundation-benchmark-checklist.py

37. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS