Autonomous DevSecOps: Five Steps to a Self-Driving Cloud (ENT214-S) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Autonomous DevSecOps:
Five Steps to a Self-Driving Cloud
Nathan Wallace
Founder & CEO
Turbot
https://turbot.com
ENT214-S
Agenda
Motivation & Vision
What is a self-driving cloud?
Where are we now?
Governance
Wrap up
Cloud COEs face unique governance challenges
Best practice:
Automation requires clear, consistent architecture. Think about the whole.
Application teams will ask for help! Collaborate, learn & share.
Control:
Expectations are very, very high. Don't miss!
Infrastructure as code needs Software Defined Operations. Be real-time.
Agility:
Cloud is an innovation engine. Ride it; you cannot compete with it.
Application teams control their own infrastructure. Teach them to fish.
Self-driving car analogy (diagram): the car, made up of its driver, driving unit and sensors, operates within an environment of roads, bridges and signs; road & weather conditions; other cars, drivers & pedestrians; and rules & regulations.
What about developers?
| Level | Name | Tools | Monitor | Execute | Decision | Modes |
| 0 | No automation | All configuration performed manually. Check, audit & reporting tools. | Human | Human | Human approves changes | N/A |
| 1 | Driver assistance | Infrastructure as code. Service catalog. | Human / System | System | Human approves changes | Some |
| 2 | Partial autonomy | Events > Lambda. | Human / System | System | Human approves changes | Some |
| 3 | Conditional autonomy | Autoscaling. | System | System | Automated system approves changes | Some |
| 4 | High autonomy | Guardrails. | System | System | Automated system approves changes | Many |
| 5 | Full autonomy | Application guardrails. | System | System | Automated system approves changes | All |
Governance
Freedom
Rules & Regulations
Infrastructure
Protection
Education
Freedom – Self-service
Freedom – Multi-account architecture
Share House: multiple teams sharing an account for different projects.
Innovator: a small team working on a shared goal.
Multi-tenant: projects operate with independence and isolation within agreed rules and services.
Hosted Services: a handful of centrally managed accounts (dev, prod, etc.) are shared by multiple teams.
Rules & Regulations
Is the resource still active & valid?
Is the resource encrypted in transit and at rest?
Is the resource configured to specification?
Is the resource logging its actions and changes?
Are the resource tags correct?
What scope of permissions should be granted?
Is the resource data protected & retained?
Is the resource approved to exist?
Rules & Regulations – Definitions
Policy settings are attached to nodes of the hierarchy Org > Folder > Account > Region > Bucket. A setting applies to every resource beneath its node unless a node nearer the resource overrides it. The example hierarchy on the slides is:
Org
  Folder
    First account: us-east-1: bucket-1
    Second account: us-east-1: bucket-2, bucket-3; eu-west-1: bucket-4
The slide sequence shows the S3 encryption setting resolved for the four buckets under three configurations:
All four buckets inherit the Org-level setting: Enforce: AWS SSE.
The second account overrides the setting: bucket-1 stays at Enforce: AWS SSE; bucket-2, bucket-3 and bucket-4 resolve to Enforce: AWS KMS.
One bucket is exempted: bucket-1 Enforce: AWS SSE; bucket-2 Enforce: AWS KMS; bucket-3 Enforce: None; bucket-4 Enforce: AWS KMS.
Infrastructure – AWS Landing Zone
Infrastructure – Permissions model
Grant <USER> <LEVEL> rights for <SERVICE> on resources in <SCOPE>.
Levels (each level includes the rights of the level below it):
SuperUser = Full access
Owner = Manage access; and Admin
Admin = Med-High risk changes; and Operator
Operator = Low-Med risk changes; and ReadOnly
ReadOnly = Read data; and Metadata
Metadata = Read metadata; and User
User = Basic access, no rights
Services (diagram): AWS (S3, RDS, …), Turbot, LDAP, Linux, SAML, …
Scopes (diagram): Org containing folders and accounts; Account A holds VM, DB, …; Account B holds VM, …; folders nest further accounts and resources (DB, …).
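The grant sentence above reads naturally as an evaluation rule: a user's effective level on a resource is the highest level granted to them, for that service, on any scope node at or above the resource, and every level includes the levels below it. The following is an added example written for this page, not Turbot's implementation. The mapping of concrete S3 actions onto the slide's risk descriptions, the hierarchy paths, and the users alice and bob are assumptions.

```python
"""Scoped, cumulative permission grants in the form
'Grant <USER> <LEVEL> rights for <SERVICE> on resources in <SCOPE>'.
Illustrative model written for this page; not Turbot's implementation."""
from dataclasses import dataclass

# Levels from the slide, lowest to highest. Each level includes every level below it.
LEVELS = ["User", "Metadata", "ReadOnly", "Operator", "Admin", "Owner", "SuperUser"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed mapping of concrete S3 actions onto the slide's risk descriptions.
ACTION_LEVEL = {
    "s3:ListBucket": "Metadata",      # read metadata
    "s3:GetObject": "ReadOnly",       # read data
    "s3:PutObject": "Operator",       # low-med risk change
    "s3:DeleteBucket": "Admin",       # med-high risk change
    "s3:PutBucketPolicy": "Owner",    # manage access
}


@dataclass(frozen=True)
class Grant:
    user: str
    level: str
    service: str   # e.g. "aws/s3", or "*" for every service
    scope: str     # node in the Org > Folder > Account > Region > resource hierarchy


def in_scope(scope: str, resource: str) -> bool:
    """A grant on a scope node covers that node and everything beneath it."""
    return resource == scope or resource.startswith(scope + "/")


def effective_level(user: str, service: str, resource: str, grants) -> str:
    """Highest level any applicable grant gives the user on the resource."""
    best = "User"
    for g in grants:
        if g.user != user or g.service not in ("*", service):
            continue
        if in_scope(g.scope, resource) and RANK[g.level] > RANK[best]:
            best = g.level
    return best


def is_allowed(user: str, action: str, resource: str, grants) -> bool:
    """Allow when the user's effective level on the resource reaches the level the action needs."""
    service = "aws/" + action.split(":")[0]
    needed = ACTION_LEVEL[action]
    return RANK[effective_level(user, service, resource, grants)] >= RANK[needed]


# Constructed sample grants (hypothetical users, folders and accounts).
GRANTS = [
    Grant("alice", "Operator", "aws/s3", "org/folder-a"),
    Grant("alice", "Owner", "aws/s3", "org/folder-a/account-123/us-east-1/bucket-1"),
    Grant("bob", "ReadOnly", "*", "org"),
]

if __name__ == "__main__":
    for user, action, res in [
        ("alice", "s3:PutObject", "org/folder-a/account-123/us-east-1/bucket-2"),
        ("alice", "s3:DeleteBucket", "org/folder-a/account-123/us-east-1/bucket-2"),
        ("alice", "s3:PutBucketPolicy", "org/folder-a/account-123/us-east-1/bucket-1"),
        ("bob", "s3:PutObject", "org/folder-a/account-123/us-east-1/bucket-2"),
    ]:
        print(user, action, res, "->", is_allowed(user, action, res, GRANTS))
```

The point to notice is that alice can write objects anywhere under folder-a but cannot delete buckets there, while her Owner grant is confined to one bucket; a broad low-risk grant plus a narrow high-risk grant is the shape of least privilege this model encourages.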
Infrastructure – Network
| Subnet Type | Intranet Route | Internet Route | AWS Route | Route Table | IP Address Type | Purposes |
| Public | None | IGW | IGW | Per VPC | Public | web |
| DMZ | VGW | IGW | IGW | Per VPC | Public | web |
| Independent | None | NAT / EIGW | VPCe | Per AZ | Private | app, db, web |
| Direct | VGW | NAT / EIGW | VPCe | Per AZ | Private | app, db, web |
| Limited | VGW | VGW | VPCe | Per VPC | Private | app, db, web |
| Private | VGW | VGW | VGW | Per VPC | Private | app, db, web |
| Restricted | VGW | None | None | Per VPC | Private | none listed |
| Isolated | None | None | None | Per VPC | Private | none listed |
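A subnet-type table like this one is only useful as a guardrail if something checks real route tables against it. The following is an added example, not code from the deck or from Turbot: it encodes the table's three route columns as the permitted target types per subnet type and reports every route that a subnet of the given type must not carry (for instance a default route through an IGW in a Private subnet). The corporate 10.0.0.0/8 range, the route-table dictionaries and the gateway IDs are constructed for the example; peering routes (kind "pcx") are skipped because the table has no column for them.

```python
"""Validate a subnet's route table against the subnet-type table above.
Illustrative check written for this page; not Turbot's code."""
import ipaddress

# Allowed route targets per subnet type: (intranet, internet, AWS services).
# An empty set means no route of that class may exist in the subnet's route table.
SUBNET_TYPES = {
    "Public":      (frozenset(),        frozenset({"igw"}),         frozenset({"igw"})),
    "DMZ":         (frozenset({"vgw"}), frozenset({"igw"}),         frozenset({"igw"})),
    "Independent": (frozenset(),        frozenset({"nat", "eigw"}), frozenset({"vpce"})),
    "Direct":      (frozenset({"vgw"}), frozenset({"nat", "eigw"}), frozenset({"vpce"})),
    "Limited":     (frozenset({"vgw"}), frozenset({"vgw"}),         frozenset({"vpce"})),
    "Private":     (frozenset({"vgw"}), frozenset({"vgw"}),         frozenset({"vgw"})),
    "Restricted":  (frozenset({"vgw"}), frozenset(),                frozenset()),
    "Isolated":    (frozenset(),        frozenset(),                frozenset()),
}

# Constructed corporate address space reachable over Direct Connect / VPN (assumption).
INTRANET = [ipaddress.ip_network("10.0.0.0/8")]


def classify(dest: str, vpc_cidr: str) -> str:
    """Map a route destination onto the table's columns: local, intranet, internet or aws."""
    if dest.startswith("pl-"):       # managed prefix list, i.e. an S3/DynamoDB gateway endpoint route
        return "aws"
    net = ipaddress.ip_network(dest)
    if net == ipaddress.ip_network(vpc_cidr):
        return "local"
    if net.prefixlen == 0:           # 0.0.0.0/0 or ::/0
        return "internet"
    if any(net.version == c.version and net.subnet_of(c) for c in INTRANET):
        return "intranet"
    return "unknown"


def check_route_table(subnet_type: str, vpc_cidr: str, routes) -> list:
    """Return one message per route that the subnet type does not permit.

    Each route is {"dest": <cidr or prefix-list id>, "kind": <target type>, "target": <id>};
    kind is one of local, igw, nat, eigw, vgw, vpce, pcx.
    """
    intranet, internet, aws = SUBNET_TYPES[subnet_type]
    allowed = {"intranet": intranet, "internet": internet, "aws": aws}
    violations = []
    for r in routes:
        if r["kind"] == "pcx":       # peering is outside the table; reviewed separately
            continue
        cls = classify(r["dest"], vpc_cidr)
        if cls == "local":
            continue
        if cls == "unknown" or r["kind"] not in allowed[cls]:
            violations.append(
                f"{subnet_type}: route {r['dest']} -> {r['kind']} ({r['target']}) is not permitted")
    return violations


# Constructed route tables for the 10.1.1.0/24 VPC used in the diagrams (IDs are placeholders).
VPC = "10.1.1.0/24"
LOCAL = {"dest": VPC, "kind": "local", "target": "local"}
PRIVATE_OK = [LOCAL,
              {"dest": "10.0.0.0/8", "kind": "vgw", "target": "vgw-0aaa"},
              {"dest": "0.0.0.0/0", "kind": "vgw", "target": "vgw-0aaa"}]
PRIVATE_BAD = [LOCAL,
               {"dest": "10.0.0.0/8", "kind": "vgw", "target": "vgw-0aaa"},
               {"dest": "0.0.0.0/0", "kind": "igw", "target": "igw-0bbb"}]   # drift: internet via IGW
ISOLATED_BAD = [LOCAL, {"dest": "10.0.0.0/8", "kind": "vgw", "target": "vgw-0aaa"}]
INDEPENDENT_OK = [LOCAL,
                  {"dest": "0.0.0.0/0", "kind": "nat", "target": "nat-0ccc"},
                  {"dest": "::/0", "kind": "eigw", "target": "eigw-0ddd"},
                  {"dest": "pl-0eee", "kind": "vpce", "target": "vpce-0fff"}]

if __name__ == "__main__":
    print(check_route_table("Private", VPC, PRIVATE_OK))         # []
    print(check_route_table("Private", VPC, PRIVATE_BAD))        # one violation
    print(check_route_table("Isolated", VPC, ISOLATED_BAD))      # one violation
    print(check_route_table("Independent", VPC, INDEPENDENT_OK)) # []
```

Run periodically over the route tables exported from each account, or from a guardrail triggered by route-table change events, this turns the table from documentation into a detective control; the subnet type itself would come from a tag or from the subnet's position in the account's network design.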
Network diagrams, one per subnet type (figures; only the recoverable labels are kept):
Isolated: VPC 10.1.1.0/24 with subnets 10.1.1.128/26 (us-east-1a) and 10.1.1.192/26 (us-east-1b); no routes out of the VPC.
Restricted: two VPCs (10.1.1.0/24 with subnets 10.1.1.0/26 in us-east-1a and 10.1.1.64/26 in us-east-1b, and 10.1.2.0/24), each with a VGW towards Direct Connect, intranet & outbound internet.
Private: as Restricted, with internet and AWS services also reached through the VGW.
Limited: as Private, plus AWS private endpoints (PE) for AWS services.
Limited with Peering: as Limited, plus cross-account VPC peering (Peer) alongside the VGW.
Public: VPC 10.1.1.0/24 with subnets 10.1.1.128/26 (us-east-1a) and 10.1.1.192/26 (us-east-1b); an IGW towards internet and AWS services.
DMZ: as Public, plus a VGW towards Direct Connect, intranet & outbound internet, and cross-account peering; a second VPC 10.1.2.0/24 with its own IGW is shown.
Private & DMZ: both subnet pairs in one VPC (10.1.1.0/26 and 10.1.1.64/26 private; 10.1.1.128/26 and 10.1.1.192/26 DMZ), with IGW, private endpoints (PE), VGW and peering.
Direct & DMZ: as Private & DMZ, plus NAT gateways (NAT) in the DMZ subnets for outbound internet from the Direct subnets.
Direct (via Public): the same layout with the NAT gateways placed in Public subnets.
Independent: VPC 172.31.0.0/16 with subnets 172.31.0.0/20 (us-east-1a) and 172.31.16.0/20 (us-east-1b) plus 172.31.0.0/26 and 172.31.0.64/26; IGW, NAT gateways and a private endpoint (PE) towards internet and AWS services.
VPC Peering for Independent & Direct: the 10.1.1.0/24 Direct & DMZ VPC is peered ("FAN Peer") with the 172.31.0.0/16 Independent VPC.
Protection – Real-time Guardrails
Pipeline (diagram): AWS Events & SNS → SQS → Context & Policies → Guardrail → Audit Trail.
Phases: change (an AWS event arrives), manage (context, policies and the guardrail decide), change (the guardrail acts), report (audit trail).
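The definitions slides (policy settings inherited down the Org > Folder > Account > Region > Bucket hierarchy, with "Enforce: AWS SSE", "Enforce: AWS KMS" and "Enforce: None" resolved per bucket) and the guardrail pipeline above fit together in one piece of code: resolve the setting that applies to a bucket, compare it with the bucket's actual default encryption, remediate when they disagree, and write an audit record. The following is an added example written for this page, not Turbot's implementation. The policy dictionary, the inventory paths, the rule that SSE-KMS also satisfies "AWS SSE", and the sample event (in the shape CloudTrail delivers through EventBridge, with a placeholder event ID) are all constructed; a real guardrail would call the S3 API where the comment says so.

```python
"""Policy inheritance and a real-time guardrail for S3 encryption at rest.
Illustrative code written for this page; not Turbot's implementation."""
from datetime import datetime, timezone

# Constructed policy settings at hierarchy nodes. A setting applies to every bucket beneath
# its node unless a nearer node overrides it; "None" switches enforcement off.
POLICY = {
    "org": "AWS SSE",
    "org/folder-a/account-2": "AWS KMS",
    "org/folder-a/account-2/us-east-1/bucket-3": "None",
}
# Constructed inventory: bucket name -> position in the Org > Folder > Account > Region hierarchy.
INVENTORY = {
    "bucket-1": "org/folder-a/account-1/us-east-1/bucket-1",
    "bucket-2": "org/folder-a/account-2/us-east-1/bucket-2",
    "bucket-3": "org/folder-a/account-2/us-east-1/bucket-3",
    "bucket-4": "org/folder-a/account-2/eu-west-1/bucket-4",
}
# Which default-encryption algorithms satisfy each setting (assumption: SSE-KMS satisfies "AWS SSE").
SATISFIES = {"AWS SSE": {"AES256", "aws:kms"}, "AWS KMS": {"aws:kms"}}
REMEDIATION = {"AWS SSE": "AES256", "AWS KMS": "aws:kms"}


def resolve_policy(path: str, policy=POLICY) -> str:
    """Walk from the bucket up to the Org and return the nearest setting."""
    parts = path.split("/")
    for depth in range(len(parts), 0, -1):
        node = "/".join(parts[:depth])
        if node in policy:
            return policy[node]
    return "None"


def evaluate(bucket: str, current_sse, policy=POLICY, inventory=INVENTORY) -> dict:
    """Compare a bucket's current default-encryption algorithm with the resolved policy."""
    required = resolve_policy(inventory[bucket], policy)
    verdict = {"bucket": bucket, "required": required, "current": current_sse}
    if required == "None" or current_sse in SATISFIES[required]:
        verdict["action"] = "ok"
    else:
        verdict["action"] = "enforce"
        verdict["set_to"] = REMEDIATION[required]
    return verdict


def handle_event(event: dict, state: dict, audit: list, policy=POLICY, inventory=INVENTORY) -> dict:
    """Guardrail step: apply one CloudTrail-style S3 event to the known state, evaluate, remediate, record."""
    detail = event["detail"]
    bucket = detail["requestParameters"]["bucketName"]
    if detail["eventName"] == "PutBucketEncryption":
        rule = detail["requestParameters"]["ServerSideEncryptionConfiguration"]["Rule"]
        state[bucket] = rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
    elif detail["eventName"] == "DeleteBucketEncryption":
        state[bucket] = None
    verdict = evaluate(bucket, state.get(bucket), policy, inventory)
    if verdict["action"] == "enforce":
        # A real guardrail would call the S3 API to set default encryption here;
        # this example only updates the in-memory state.
        state[bucket] = verdict["set_to"]
    audit.append({**verdict, "event": detail["eventName"], "eventID": detail.get("eventID"),
                  "recorded_at": datetime.now(timezone.utc).isoformat()})
    return verdict


# Constructed event in the shape CloudTrail delivers through EventBridge (the ID is a placeholder).
SAMPLE_EVENT = {
    "detail": {
        "eventName": "DeleteBucketEncryption",
        "eventID": "00000000-0000-0000-0000-000000000000",
        "requestParameters": {"bucketName": "bucket-4"},
    }
}


def run_demo() -> list:
    """Sweep a constructed snapshot, then apply the sample event; return the audit trail."""
    state = {"bucket-1": "AES256", "bucket-2": "AES256", "bucket-3": None, "bucket-4": "aws:kms"}
    audit = []
    for bucket, sse in list(state.items()):       # periodic sweep of the snapshot
        v = evaluate(bucket, sse)
        if v["action"] == "enforce":
            state[bucket] = v["set_to"]
        audit.append({**v, "event": "sweep", "eventID": None})
    handle_event(SAMPLE_EVENT, state, audit)      # real-time event from the queue
    return audit


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

Two design points carry over to a production guardrail: the policy is resolved from the hierarchy at evaluation time rather than copied onto each bucket, so changing an account-level setting immediately changes what every bucket beneath it is held to; and every evaluation, including the ones that found nothing wrong, is written to the audit trail, which is what makes the "report" phase useful for later investigation.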
Benefits
Speed
Safety
Accessibility
Productivity
Breadth
Depth
Complex & Real-time
5 levels of autonomy:
Human approves changes: 0 No automation; 1 Driver assistance; 2 Partial autonomy
System approves changes: 3 Conditional autonomy; 4 High autonomy; 5 Full autonomy
Governance: Freedom; Rules & Regulations; Protection; Infrastructure; Education
Thank you!
Nathan Wallace
nathan@turbot.com
https://turbot.com
@turbothq
Booth #1020