In this session, we outline the five levels of cloud operations automation, providing a clear path and maturity model for achieving security, compliance, and architecture best practices. Using real-world case studies from Fortune 100 enterprises, we demonstrate how secure AWS Landing Zones and policy-based, automated guardrails accelerate the safe migration and ongoing operation of hundreds of enterprise applications, putting your team on the road to DevSecOps maturity. This session is brought to you by AWS partner, Turbot HQ, Inc.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Autonomous DevSecOps:
Five Steps to a Self-Driving Cloud
Nathan Wallace
Founder & CEO
Turbot
https://turbot.com
E N T 2 1 4 - S

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Motivation & Vision
What is a self-driving cloud?
Where are we now?
Governance
Wrap up

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud COE’s face unique governance challenges
Automation requires clear, consistent architecture. Think about the whole.
Application teams will ask for help! Collaborate, learn & share.
BEST PRACTICE
Expectations are very, very high. Don’t miss!
Infrastructure as code needs Software Defined Operations. Be real-time.
CONTROL
Cloud is an innovation engine. Ride it, you cannot compete.
Application teams control their own infrastructure. Teach them to fish.
AGILITY

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Roads, bridges, signs
Road & weather conditions
Other cars, drivers & pedestrians
Car
Driver
Rules & Regulations
Driving unit
Sensors

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Roads, bridges, signs
Road & weather conditions
Other cars, drivers & pedestrians
Car
Driver
Rules & Regulations
Driving unit
Sensors

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Roads, bridges, signs
Road & weather conditions
Other cars, drivers & pedestrians
Car
Driver
Rules & Regulations
Driving unit
Sensors

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Roads, bridges, signs
Road & weather conditions
Other cars, drivers & pedestrians
Car
Driver
Rules & Regulations
Driving unit
Sensors

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Roads, bridges, signs
Road & weather conditions
Other cars, drivers & pedestrians
Car
Driver
Rules & Regulations
Driving unit
Sensors

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Roads, bridges, signs
Road & weather conditions
Other cars, drivers & pedestrians
Car
Driver
Rules & Regulations
Driving unit
Sensors

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Roads, bridges, signs
Road & weather conditions
Other cars, drivers & pedestrians
Car
Driver
Rules & Regulations
Driving unit
Sensors

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Roads, bridges, signs
Road & weather conditions
Other cars, drivers & pedestrians
Car
Driver
Rules & Regulations
Driving unit
Sensors

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Roads, bridges, signs
Road & weather conditions
Other cars, drivers & pedestrians
Car
Driver
Rules & Regulations
Driving unit
Sensors

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What about developers?

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Level Name Tools Monitor Execute Decision Modes
Human approves changes
0 No automation All configuration performed
manually.
Check, audit & reporting tools.
Human
/
System
Human Human N/A
1 Driver assistance Infrastructure as code. Service
catalog.
System Some
2 Partial autonomy Events > Lambda. System
Automated system approves changes
3 Conditional autonomy Autoscaling. System System System Some
4 High autonomy Guardrails. Many
5 Full autonomy Application guardrails. All

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Governance
Freedom
Rules & Regulations
Infrastructure
Protection
Education

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Freedom – Self-service

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Freedom – Multi-account architecture
Share House
Multiple teams sharing an
account for different
projects.
Innovator
Small team working on
shared goal.
Multi-tenant
Projects operate with
independence and isolation
within agreed rules and
services.
Hosted Services
Handful of centrally
managed accounts (dev,
prod, etc) are shared by
multiple teams.

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Rules & Regulations
Is the resource still active & valid?
Is the resource encrypted in transit and at rest?
Is the resource configured to specification?
Is the resource logging it’s actions and changes?
Are the resource tags correct?
What scope of permissions should be granted?
Is the resource data protected & retained?
Is the resource approved to exist?

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Folder Org
Account us-east-1 bucket-1
Account
us-east-1
bucket-2
bucket-3
eu-west-
1
bucket-4
Enforce: AWS SSE
Enforce: AWS SSE
Enforce: AWS SSE
Enforce: AWS SSE
DEFINITIONS

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Folder Org
Account us-east-1 bucket-1
Account
us-east-1
bucket-2
bucket-3
eu-west-
1
bucket-4
Enforce: AWS SSE
Enforce: AWS KMS
Enforce: AWS KMS
Enforce: AWS KMS

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Folder Org
Account us-east-1 bucket-1
Account
us-east-1
bucket-2
bucket-3
eu-west-
1
bucket-4
Enforce: AWS SSE
Enforce: AWS SSE
Enforce: AWS SSE
Enforce: AWS SSE

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Folder Org
Account us-east-1 bucket-1
Account
us-east-1
bucket-2
bucket-3
eu-west-
1
bucket-4
Enforce: AWS SSE
Enforce: AWS KMS
Enforce: AWS KMS
Enforce: AWS KMS

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Folder Org
Account us-east-1 bucket-1
Account
us-east-1
bucket-2
bucket-3
eu-west-
1
bucket-4
Enforce: AWS SSE
Enforce: AWS KMS
Enforce: None
Enforce: AWS KMS

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Infrastructure – AWS Landing Zone

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Infrastructure – Permissions model
Grant <USER> <LEVEL> rights for <SERVICE> on resources in <SCOPE>.
SuperUser =
Owner =
Admin =
Operator =
ReadOnly =
Metadata =
User =
Full access
Manage access; Metadata
Med-High risk changes; and
Low-Med risk changes; and
Read data; and
Read metadata; and
Basic access, no rights
TurbotAWS
S3 RDS …
Turbot LDAP Linux
Org
Account A
VM DB …
Account B
VM …
Folder
Folder
DB
… …
SAML …

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Infrastructure – Network
Subnet Type
Intranet
Route
Internet
Route
AWS
Route
Route
Table
IP Address
Type
Purposes
Public None IGW IGW Per VPC Public web
DMZ VGW IGW IGW Per VPC Public web
Independent None NAT / EIGW VPCe Per AZ Private app, db, web
Direct VGW NAT / EIGW VPCe Per AZ Private app, db, web
Limited VGW VGW VPCe Per VPC Private app, db, web
Private VGW VGW VGW Per VPC Private app, db, web
Restricted VGW None None Per VPC Private
Isolated None None None Per VPC Private

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
10.1.1.0/24
10.1.1.128/26 10.1.1.192/26
us-east-1a us-east-1b
VPC
Isolated

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
10.1.2.0/24
10.1.1.0/24
10.1.1.0/26 10.1.1.64/26
us-east-1a us-east-1b
VPC VPCVGWVGW
DIRECT CONNECT, INTRANET & OUTBOUND INTERNET
Restricted

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
INTERNET
10.1.2.0/24
AWS SERVICES
10.1.1.0/24
10.1.1.0/26 10.1.1.64/26
us-east-1a us-east-1b
VPC VPCVGWVGW
DIRECT CONNECT, INTRANET & OUTBOUND INTERNET
Private

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PRIVATE ENDPOINTS
INTERNET
10.1.2.0/24
PE
AWS SERVICES
10.1.1.0/24
PE
10.1.1.0/26 10.1.1.64/26
us-east-1a us-east-1b
VPC VPCVGWVGW
DIRECT CONNECT, INTRANET & OUTBOUND INTERNET
Limited

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PRIVATE ENDPOINTS
INTERNET
CROSS-ACCOUNT PEERING
10.1.2.0/24
PE
AWS SERVICES
10.1.1.0/24
PE
10.1.1.0/26 10.1.1.64/26
us-east-1a us-east-1b
VPC VPCVGW PeerVGW Peer
DIRECT CONNECT, INTRANET & OUTBOUND INTERNET
Limited with Peering

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
INTERNET
AWS SERVICES
10.1.1.0/24
IGW
10.1.1.128/26 10.1.1.192/26
us-east-1a us-east-1b
VPC
Public

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
INTERNET
CROSS-ACCOUNT PEERING
10.1.2.0/24
IGW
AWS SERVICES
10.1.1.0/24
IGW
10.1.1.128/26 10.1.1.192/26
us-east-1a us-east-1b
VPC VPCVGW PeerVGW Peer
DIRECT CONNECT, INTRANET & OUTBOUND INTERNET
DMZ

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PRIVATE ENDPOINTS
INTERNET
CROSS-ACCOUNT PEERING
10.1.2.0/24
IGW PE
AWS SERVICES
10.1.1.0/24
IGW PE
10.1.1.128/26
10.1.1.0/26
10.1.1.192/26
10.1.1.64/26
us-east-1a us-east-1b
VPC VPCVGW PeerVGW Peer
DIRECT CONNECT, INTRANET & OUTBOUND INTERNET
Private & DMZ

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PRIVATE ENDPOINTS
INTERNET
CROSS-ACCOUNT PEERING
10.1.2.0/24
IGW PE
AWS SERVICES
10.1.1.0/24
IGW PE
10.1.1.128/26
10.1.1.0/26
10.1.1.192/26
10.1.1.64/26
us-east-1a us-east-1b
VPC VPCVGW PeerVGW Peer
DIRECT CONNECT, INTRANET & OUTBOUND INTERNET
NAT NAT
Direct & DMZ

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PRIVATE ENDPOINTS
INTERNET
CROSS-ACCOUNT PEERING
10.1.2.0/24
IGW PE
AWS SERVICES
10.1.1.0/24
IGW PE
10.1.1.128/26
10.1.1.0/26
10.1.1.192/26
10.1.1.64/26
us-east-1a us-east-1b
VPC VPCVGW PeerVGW Peer
DIRECT CONNECT, INTRANET & OUTBOUND INTERNET
NAT NAT
Direct (via Public)

42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PRIVATE ENDPOINTS
INTERNET
AWS SERVICES
172.31.0.0/16
IGW
172.31.0.0/20 172.31.16.0/20
us-east-1a us-east-1b
VPC
Independent
172.31.0.0/26 172.31.0.64/26
NAT NAT
PE

43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PRIVATE ENDPOINTS
INTERNET
CROSS-ACCOUNT PEERING
10.1.2.0/24
IGW PE
AWS SERVICES
10.1.1.0/24
IGW PE
10.1.1.128/26
10.1.1.0/26
10.1.1.192/26
10.1.1.64/26
us-east-1a us-east-1b
VPC VPCVGW PeerVGW Peer
DIRECT CONNECT, INTRANET & OUTBOUND INTERNET
NAT NAT
VPC PEERING
172.31.0.0/16
IGW
172.31.0.0/20 172.31.16.0/20
us-east-1a us-east-1b
FAN Peer
VPC Peering for Independent & Direct
172.31.0.0/26 172.31.0.64/26
NAT NAT
PE

44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Protection – Real-time Guardrails
AWS Events & SNS SQS Context & Policies Guardrail Audit Trail
CHANGE
CHANGE
MANAGE
REPORT

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benefits
Speed
Safety
Accessibility
Productivity
Breadth
Depth

47. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Complex & Real-time
Human approves changes
0 No automation
1 Driver assistance
2 Partial autonomy
System approves changes
3 Conditional autonomy
4 High autonomy
5 Full autonomy
5 levels of autonomy Governance
Freedom
Rules & Regulations
Protection
Infrastructure
Education

48. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Nathan Wallace
nathan@turbot.com
https://turbot.com
@turbothq
Booth #1020

49. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.