© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Building the Largest Repo
for Serverless Compliance-as-Code
Gilles Baillet – Standard Chartered Bank – Head, Cloud and DevOps Architecture
Jonathan Rault – AWS – Security Lead APJC, Professional Services
Prashant Prahlad – AWS – Sr. Manager Product Management
SID205
November 30, 2017
Agenda
• Introduction to compliance-as-code
• Voice of the customer: Standard Chartered Bank
• Personas, goals, challenges, and solutions
• Your next three months
Be Compliant
a.k.a. The state of meeting rules or standards
Customer’s Point of View
• Checklist of control requirements
• Audit process
Let’s Go Upstream!
Organizational perspective: four steps to compliance
Four Steps to Compliance (customer-facing)
Analyze → Define and document → Checklist → Audit
Customer’s Point of View
• Checklist of control requirements
• Audit process
• Spreadsheet
• InfoSec
• Auditor
• Questionnaire
• Docs/screenshots
Challenges
• Expertise is not given to all
• Time-consuming for everyone
• Get-ready-for-the-audit mindset
Be Compliant-as-Code
a.k.a. The state of meeting rules or standards
via a programmatic test-driven approach
Checklist → Codified Checklist
Audit → Continuous Visibility
Five Steps to Compliance with Code (customer-facing)
Analyze → Define and document → Checklist → Codified Checklist → Continuous Visibility
Benefits
• Scale consistently to all customers
• Focus time and resources on value
• Part of day-to-day
Everything-as-Code
Gilles Baillet
Head, Cloud and DevOps Architecture
A Global Bank
Increasingly, Banking is Technology
“We are embarking on a journey to shape the future of banking while
creating a culture of innovation, efficiency and automation. We
are introducing global platforms, machine learning and bringing
forth intelligent technology. We want to lead this change and not
be led by it.”
Michael Gorriz
Group Chief Information Officer
SCB Early Adopter Program
5 applications in Production on AWS
Our Cloud Foundational Principles
• Customer first
• Learn from others
• Start simple and build the complexity on top
Gall’s Law: “A complex system that works is invariably found to have evolved from a simple system that worked. A complex system designed from scratch never works and cannot be patched up to make it work. You have to start over with a working simple system.” - John Gall -
• Native capabilities with reversibility in mind
• Involve DevOps early
• Security and compliance from Day 1
Our Use Cases
Use Case 1
Compliance-as-Code for storing customer data
§ Changes tracked via AWS CloudTrail
§ AWS Config
o Data encrypted at rest using KMS
o No public access to S3 buckets
o Principle of Least Privilege enforced
§ Extensible
Use Case 2
Compliance-as-Code for Internet Access
§ Changes tracked via AWS CloudTrail
§ AWS Config
o Data encrypted in transit using SSL
o Inbound access enforced via our Content Delivery Network
o Running Amazon Machine Image (AMI) up-to-date
§ Extensible
Use Case 3
Compliance-as-code for trusting compliance-as-code
Inception phase!
What’s next?
As code!
Thank you!
Building the Largest Repo
of Compliance-as-Code
Six Steps to Compliance with Code
Analyze → Define and document → Checklist → Codified checklist → Continuous visibility → Operate and integrate
Compliance-as-code covers the last four steps, from Checklist through Operate and integrate.
Input/Output of Compliance-as-Code
Checklist → Codified checklist → Continuous visibility → Operate and integrate
Personas involved: Joe Sec, Toby Dev, Greg Ops, Mike App, Tim Audit
Meet Joe Sec
Acronym addict (CIS, GxP, TLS, etc.)
Has many obscure security certifications
Got the super-power of “not approved by compliance”
Ultimately responsible for security!
Meet Joe Sec
Challenges
• Needs to do the heavy lifting
• Works harder, not smarter, because of inflexible tools and too many escalations
Goals
• Help app owners do the right thing
• Be out of the critical path
Meet Joe Sec
Solutions (3)
1. Training is available to get up to speed
• AWS re:Invent and videos
• Online and on-site
• Certifications
AWS Security Fundamentals (3-hour online): https://aws.amazon.com/training/course-descriptions/security-fundamentals/
Meet Joe Sec
Solutions (3)
2. AWS Config is available in all AWS regions
• Continuously monitor configurations
• Record configuration changes
AWS Config: https://aws.amazon.com/config/
AWS Config – Resource inventory
AWS Config – Resource details
Meet Joe Sec
Solutions (3)
3. Best practices are available
• AWS re:Invent and videos
• Two CIS Benchmarks for AWS
• AWS Whitepapers
CIS: https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/
From Policy to Dev-Readable Requirements
Define the use case and test cases for test-driven security
# Check that CloudTrail trails are encrypted, optionally with key K.
# Input parameter (optional): K – AWS KMS Customer Master Key ARN (overrides the default of “None”)
# Description:
# Returns COMPLIANT if CloudTrail is encrypted and K is not specified
# Returns COMPLIANT if CloudTrail is encrypted with K and K is specified
# Returns NON-COMPLIANT if CloudTrail is encrypted, CloudTrail is not encrypted with K, and K is specified
# Returns NON-COMPLIANT if CloudTrail is not encrypted
Writing Test Cases 101
1. Cover all permutations of inputs
2. Keep distinct coverage in the test cases
3. Remember that a human needs to fix it (at first)
4. The reasoning approach is the future, and the future is now
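As an added example (not code from the deck, nor from the awslabs repositories it links to), here is the CloudTrail encryption requirement above written as a pure evaluation function, together with the permutation test cases the "Writing Test Cases 101" slide asks for. The trail descriptions and key ARNs are constructed sample data in the shape of CloudTrail's DescribeTrails output (a list of dicts where `KmsKeyId` is present only for encrypted trails); the function and test names are my own. A real AWS Config custom rule, for instance one scaffolded with the RDK, would fetch the trails with boto3 inside its Lambda handler and hand them to the same function, so the decision logic stays testable offline.

```python
"""CloudTrail-encrypted-with-optional-key-K rule, as a testable pure function.

Added example, not the deck's or the awslabs repo's code. Sample data below is
constructed; nothing here calls AWS.
"""
from typing import Dict, List, Optional, Tuple

# AWS Config's API spells the failing value with an underscore, not the hyphen
# used on the slide.
COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

# Constructed sample key ARNs (not real resources).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"


def evaluate_trail(trail: Dict, expected_key: Optional[str] = None) -> Tuple[str, str]:
    """Apply the four rules from the slide to one trail description.

    `trail` has the shape of one element of DescribeTrails' trailList:
    'KmsKeyId' is present only when the trail's log files are KMS-encrypted.
    `expected_key` is parameter K (None when the caller did not specify it).
    Returns (compliance type, human-readable annotation).
    """
    kms_key = trail.get("KmsKeyId")
    if not kms_key:
        # Rule 4: not encrypted is NON-COMPLIANT whether or not K was given.
        return NON_COMPLIANT, "trail log files are not KMS-encrypted"
    if expected_key is None:
        # Rule 1: encrypted with any key and K not specified.
        return COMPLIANT, "trail log files are KMS-encrypted"
    if kms_key == expected_key:
        # Rule 2: encrypted with exactly the key K that was specified.
        return COMPLIANT, "trail log files are encrypted with key K"
    # Rule 3: encrypted, but with a different key than K.
    return NON_COMPLIANT, f"trail is encrypted with {kms_key}, not with K ({expected_key})"


def parse_k(rule_parameters: Optional[Dict[str, str]]) -> Optional[str]:
    """Read optional parameter K from the rule's parameter map.

    Blank or whitespace-only values count as 'not specified', so an empty
    parameter box does not silently demand a key ARN equal to ''.
    """
    value = (rule_parameters or {}).get("K", "")
    value = value.strip()
    return value or None


def evaluate_trails(trails: List[Dict], rule_parameters: Optional[Dict[str, str]]) -> List[Dict]:
    """Evaluate every trail; return one evaluation per trail in the shape
    AWS Config's PutEvaluations accepts (timestamp left to the handler).
    An empty trail list yields an empty result, which a real handler should
    report explicitly rather than treat as 'nothing wrong'."""
    k = parse_k(rule_parameters)
    evaluations = []
    for trail in trails:
        compliance, annotation = evaluate_trail(trail, k)
        evaluations.append({
            "ComplianceResourceType": "AWS::CloudTrail::Trail",
            "ComplianceResourceId": trail["Name"],
            "ComplianceType": compliance,
            "Annotation": annotation,
        })
    return evaluations


# One test case per line of the slide's description, plus the blank-K edge case.
# (trail description, rule parameters, expected result)
TEST_CASES = [
    ({"Name": "t1", "KmsKeyId": KEY_A}, {}, COMPLIANT),            # encrypted, no K
    ({"Name": "t2", "KmsKeyId": KEY_A}, {"K": KEY_A}, COMPLIANT),  # encrypted with K
    ({"Name": "t3", "KmsKeyId": KEY_B}, {"K": KEY_A}, NON_COMPLIANT),  # wrong key
    ({"Name": "t4"}, {}, NON_COMPLIANT),                           # not encrypted
    ({"Name": "t5"}, {"K": KEY_A}, NON_COMPLIANT),                 # not encrypted, K given
    ({"Name": "t6", "KmsKeyId": KEY_B}, {"K": "  "}, COMPLIANT),   # blank K == no K
]


def run_test_cases() -> List[str]:
    """Return the names of failing test cases (empty list means all pass)."""
    failures = []
    for trail, params, expected in TEST_CASES:
        result = evaluate_trails([trail], params)[0]["ComplianceType"]
        if result != expected:
            failures.append(trail["Name"])
    return failures


if __name__ == "__main__":
    print("failing test cases:", run_test_cases())
```

Keeping the decision in `evaluate_trail` separate from the AWS calls is what makes point 1 of the slide cheap to honour: every permutation of (encrypted / not, K given / not, key matches / not) is a one-line table entry, and the annotation tells the human who has to fix it (point 3) which key was found and which was expected.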
Meet Toby Dev
Hoodies, headphones, espresso, craft breweries
Knows 20 programming languages with two years of experience each (according to his resume)
Known for not liking meetings
Ultimately responsible for delivering code!
Meet Toby Dev
Challenges
• Not knowledgeable about security
• Often struggles with imprecise requirements
• Feels the need to reinvent the wheel too often
• Lots of console work and/or home-baked scripts
Goals
• Freedom to be creative
• Wants impact (and recognition) by writing awesome code
Meet Toby Dev
Solutions (2)
1. 70+ compliance-as-code rules already available
• Cover several common controls
• Include test cases
• Verified by the community and AWS
• Integrate with AWS Config
AWS Managed Config Rules
Custom rules: https://github.com/awslabs/aws-config-rules
Meet Toby Dev
Solutions (2)
2. NEW – Rule Development Kit
• Initiate your dev environment locally
• Initiate your dev environment in AWS
• Deploy rule and test from your IDE
Rule Development Kit: https://pypi.python.org/pypi/rdk
Meet Greg “Ninja” Ops
Likes Michelin-starred restaurants
Affected by the phantom vibration syndrome
Perceived like Dad: old-fashioned, but the first person you call in case of emergency
Ultimately responsible for stability!
Meet Greg “Ninja” Ops
Challenges
• Running more servers means more workload
• Not used to automation; can adapt it but not build it from scratch
Goals
• More is less – including for being paged at 3 a.m.
Meet Greg “Ninja” Ops
Solutions (2)
1. Run on serverless with AWS Lambda
• Event-driven
• Automated administration
• Integrated security model
• Bring your own code
AWS Lambda: https://aws.amazon.com/lambda/details/
Meet Greg “Ninja” Ops
Solutions (2)
2. NEW – Compliance-as-code engine available
• Multi-account
• 1-step deployment
• Serverless
• Code securely located in a segregated and dedicated AWS account
GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
Finally, Meet Mike App and Tim Audit
Challenges
• Mike App: has to deal with checklists and meetings with the Sec team; lacks clear guidance to move forward
• Tim Audit: seen more as the policeman; must ask to get the information
Goals
• Mike App: wants to go to prod ASAP
• Tim Audit: be a trusted advisor on doing the right thing
Meet Mike App and Tim Audit
Solutions (rest of 2)
NEW – Compliance-as-code Engine available
• Multi-account, 1-step deployment, serverless, securely segregated code
• Can be integrated in his DevOps pipeline
• Dashboard with actionable insights
• Store all historical compliance status/changes
• Dashboard for Compliance-as-code Analytics
GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
Demo
Compliance-as-code Engine
1. Dashboard for Compliance-as-code Analytics
2. One-step deployment in a new Application Account
3. Dashboard for Application Owner to gain insights
Cloud Adoption Framework – Security
CAF Security perspective – Guidance and process for your security specific to AWS
https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
New – Compliance-as-code RuleSet from the CAF Security recommendations
GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
Workbook for PCI Compliance in AWS
PCI Qualified Security Assessor Company (QSAC) Workbook – Partner with AWS on a Workbook for PCI Compliance in the AWS Cloud
Link: https://d1.awsstatic.com/whitepapers/compliance/AWS_Anitian_Workbook_PCI_Cloud_Compliance.pdf
New – Compliance-as-code RuleSet from the workbook’s recommendations
GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
In conclusion…
Five Key Learnings
1. Get a dedicated Security member as part of the cloud team
2. Iterate on controls and provide solutions to your customers
3. Treat edge cases carefully
4. Devs like to have clear goals, stand up all together
5. Start with Cloud Native tools first
Getting Started: Next Three Months (six two-week sprints)
Sprint 1 (two weeks):
• Stand-up together at least twice a week (Dev-Sec-Ops)
• Demonstrate visibility by POCing the engine with one available RuleSet
• Get buy-in from the account owners
Sprints 2–5:
• Deploy the engine in all your accounts
• Select three relevant controls to be fixed, listen to feedback
• Finish Sprint 2
• Select three more controls to be fixed, listen to feedback
• Start documenting your security baseline iteratively
• Select three more controls to be fixed, listen to feedback
• Train your Devs on the RDK
Sprint 6:
• Select the one control you know is hard
• Build first exec metrics. Communicate the results broadly. Empower.
• Plan your next three months
Thank you!
Please fill out your survey

 
Using AWS to Achieve Both Autonomy and Governance at 3M
Using AWS to Achieve Both Autonomy and Governance at 3MUsing AWS to Achieve Both Autonomy and Governance at 3M
Using AWS to Achieve Both Autonomy and Governance at 3M
 
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3MDEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
 
ENT315_Landing Zones
ENT315_Landing ZonesENT315_Landing Zones
ENT315_Landing Zones
 
Introduction to the Security Perspective of the Cloud Adoption Framework
Introduction to the Security Perspective of the Cloud Adoption FrameworkIntroduction to the Security Perspective of the Cloud Adoption Framework
Introduction to the Security Perspective of the Cloud Adoption Framework
 
DVC304_Compliance and Top Security Threats in the Cloud—Are You Protected
DVC304_Compliance and Top Security Threats in the Cloud—Are You ProtectedDVC304_Compliance and Top Security Threats in the Cloud—Are You Protected
DVC304_Compliance and Top Security Threats in the Cloud—Are You Protected
 
GPSTEC306-Continuous Compliance for Healthcare and Life Sciences
GPSTEC306-Continuous Compliance for Healthcare and Life SciencesGPSTEC306-Continuous Compliance for Healthcare and Life Sciences
GPSTEC306-Continuous Compliance for Healthcare and Life Sciences
 
Introduction to the Security Perspective of the Cloud Adoption Framework
Introduction to the Security Perspective of the Cloud Adoption FrameworkIntroduction to the Security Perspective of the Cloud Adoption Framework
Introduction to the Security Perspective of the Cloud Adoption Framework
 
How to get from Zero to Hundreds of Certified Engineers
How to get from Zero to Hundreds of Certified EngineersHow to get from Zero to Hundreds of Certified Engineers
How to get from Zero to Hundreds of Certified Engineers
 
NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...
NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...
NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...
 
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
 
Building Best Practices and the Right Foundation for your 1st Production Work...
Building Best Practices and the Right Foundation for your 1st Production Work...Building Best Practices and the Right Foundation for your 1st Production Work...
Building Best Practices and the Right Foundation for your 1st Production Work...
 
Achieving Compliance and Selling to Regulated Markets on AWS
Achieving Compliance and Selling to Regulated Markets on AWSAchieving Compliance and Selling to Regulated Markets on AWS
Achieving Compliance and Selling to Regulated Markets on AWS
 
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
 
Adding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps PipelinesAdding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps Pipelines
 
FSV305-Optimizing Payments Collections with Containers and Machine Learning
FSV305-Optimizing Payments Collections with Containers and Machine LearningFSV305-Optimizing Payments Collections with Containers and Machine Learning
FSV305-Optimizing Payments Collections with Containers and Machine Learning
 
LFS307_Using AWS to Maximize Digital Marketing Reach and Efficiency
LFS307_Using AWS to Maximize Digital Marketing Reach and EfficiencyLFS307_Using AWS to Maximize Digital Marketing Reach and Efficiency
LFS307_Using AWS to Maximize Digital Marketing Reach and Efficiency
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Invent 2017

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
    AWS re:INVENT
    Building the Largest Repo for Serverless Compliance-as-Code
    Gilles Baillet – Standard Chartered Bank – Head, Cloud and DevOps Architecture
    Jonathan Rault – AWS – Security Lead APJC, Professional Services
    Prashant Prahlad – AWS – Sr. Manager Product Management
    SID205, November 30, 2017
  • 2. Agenda
    • Introduction to compliance-as-code
    • Voice of the customer: Standard Chartered Bank
    • Personas, goals, challenges, and solutions
    • Your next three months
  • 3. Be Compliant
    a.k.a. The state of meeting rules or standards
  • 4. Customer’s Point of View
  • 5. Customer’s Point of View
    Checklist of control requirements
  • 6. Customer’s Point of View
    Checklist of control requirements; Audit process
  • 7. Let’s Go Upstream!
    Organizational perspective: four steps to compliance
  • 8. Four Steps to Compliance (customer-facing)
    Analyze; Define and document; Checklist; Audit
  • 9. Customer’s Point of View
    Checklist of control requirements; Audit process
  • 10. Customer’s Point of View
    Spreadsheet; Audit process; InfoSec
  • 11. Customer’s Point of View
    Spreadsheet; InfoSec; Auditor; Questionnaire; docs/screenshots
  • 12. Challenges
    Expertise is not given to all
    Time-consuming for everyone
    Get-ready-for-the-audit mindset
  • 13. Be Compliant-as-Code
    a.k.a. The state of meeting rules or standards via a programmatic test-driven approach
  • 14. Checklist; Audit
  • 15. Checklist; Codified Checklist; Audit
  • 16. Checklist; Codified Checklist; Audit; Continuous Visibility
  • 17. Four Steps to Compliance (customer-facing)
    Analyze; Define and document; Checklist; Audit
  • 18. Five Steps to Compliance with Code (customer-facing)
    Analyze; Define and document; Checklist; Continuous Visibility; Codified Checklist
  • 19. Benefits
    Scale consistently to all customers
    Focus time and resources on value
    Part of day-to-day
  • 23. “We are embarking on a journey to shape the future of banking while creating a culture of innovation, efficiency and automation. We are introducing global platforms, machine learning and bringing forth intelligent technology. We want to lead this change and not be led by it.” Michael Gorriz Group Chief Information Officer
  • 24. SCB Early Adopter Program
  • 25. 5 applications in Production on AWS
  • 27. Our Cloud Foundational Principles Customer first
  • 28. Our Cloud Foundational Principles Learn from Others
  • 29. Our Cloud Foundational Principles Start simple and build the complexity on top
  • 30. Our Cloud Foundational Principles Gall’s Law “A complex system that works is invariably found to have evolved from a simple system that worked. A complex system designed from scratch never works and cannot be patched up to make it work. You have to start over with a working simple system.” - John Gall -
  • 31. Our Cloud Foundational Principles Native capabilities with Reversibility in mind
  • 32. Our Cloud Foundational Principles Involve DevOps early
  • 33. Our Cloud Foundational Principles Security and Compliance from Day 1
  • 35. Use Case 1: Compliance-as-Code for storing customer data
    § Changes tracked via AWS CloudTrail
    § AWS Config
      o Data encrypted at rest using KMS
      o No public access to S3 buckets
      o Principle of Least Privilege enforced
    § Extensible
  • 36. Use Case 2: Compliance-as-Code for Internet Access
    § Changes tracked via AWS CloudTrail
    § AWS Config
      o Data encrypted in transit using SSL
      o Inbound access enforced via our Content Delivery Network
      o Running Amazon Machine Image (AMI) up-to-date
    § Extensible
  • 37. Use Case 3 Compliance-as-code for trusting compliance-as-code Inception phase!
  • 41. Building the Largest Repo of Compliance-as-Code
  • 42. Five Steps to Compliance with Code
    Analyze; Define and document; Checklist; Continuous visibility; Codified checklist
  • 43. Six Steps to Compliance with Code
    Analyze; Define and document; Checklist; Continuous visibility; Codified checklist; Operate and integrate
  • 44. Six Steps to Compliance with Code (compliance-as-code)
    Analyze; Define and document; Checklist; Continuous visibility; Codified checklist; Operate and integrate
  • 45. Input/Output of Compliance-as-Code
    Checklist; Continuous visibility; Codified checklist; Operate and integrate (compliance-as-code)
  • 46. Input/Output of Compliance-as-Code
    Checklist; Continuous visibility; Codified checklist; Operate and integrate (compliance-as-code)
  • 47. Input/Output of Compliance-as-Code
    Checklist; Continuous visibility; Codified checklist; Operate and integrate (compliance-as-code)
    Personas: Joe Sec, Toby Dev, Greg Ops, Mike App, Tim Audit
  • 48. Meet Joe Sec
    Acronym addict (CIS, GxP, TLS, etc.)
    Has many obscure security certifications
    Got the super-power of “not approved by compliance”
    Ultimately responsible for security!
  • 49. Meet Joe Sec
    Challenges: Needs to do the heavy lifting; Works harder, not smarter, because of the inflexibility of tools and too many escalations
    Goals: Help the app owner to do the right thing; Be out of the critical path
  • 50. Meet Joe Sec: 3 Solutions
  • 51. Meet Joe Sec: Solution 1 of 3
    Training is available to get up to speed
    • AWS re:Invent and videos
    • Online and on-site
    • Certifications
    AWS Security Fundamentals (3-hour online): https://aws.amazon.com/training/course-descriptions/security-fundamentals/
  • 52. Meet Joe Sec: Solution 2 of 3
    AWS Config is available in all AWS regions
    • Continuously monitor configurations
    • Record configuration changes
    AWS Config: https://aws.amazon.com/config/
  • 53. AWS Config – Resource inventory (screenshots, slides 53 to 56)
  • 57. AWS Config – Resource details (screenshots, slides 57 to 59)
  • 60. Meet Joe Sec: Solution 3 of 3
    Best practices are available
    • AWS re:Invent and videos
    • Two CIS Benchmarks for AWS
    • AWS Whitepapers
    CIS: https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/
  • 61. From Policy to Dev-Readable Requirements
    Define the use case and test cases for test-driven security
    # Check that CloudTrail trails are encrypted, optionally with K key.
    # Input parameter (optional): K – AWS KMS Customer Master Key ARN (overrides the default of “None”)
    # Description:
    #   Returns COMPLIANT if CloudTrail is encrypted and K is not specified
    #   Returns COMPLIANT if CloudTrail is encrypted with K and K is specified
    #   Returns NON-COMPLIANT if CloudTrail is encrypted, CloudTrail is not encrypted with K and K is specified
    #   Returns NON-COMPLIANT if CloudTrail is not encrypted
  • 62. Writing Test Cases 101
    1. Cover all permutations of inputs
    2. Keep distinct coverage in the test cases
    3. Think that a human needs to fix it (at first)
    4. Reasoning approach is the future, and the future is now
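The slide-61 requirement turned into working rule logic, with the permutation table slide 62 asks for. This is an added example and not code from the talk or from the awslabs repositories; it assumes a rule parameter named KmsKeyArn, trail descriptions in the shape CloudTrail's DescribeTrails returns (Name, KmsKeyId), and constructed sample key ARNs.

```python
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

# Constructed sample key ARNs (not real keys).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/example-key-a"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/example-key-b"


def parse_required_key(rule_parameters_json):
    """Read the optional parameter K from the rule's parameters.

    AWS Config hands custom-rule parameters to the Lambda as a JSON string.
    A missing or blank value is the slide's default of None ("any KMS key").
    The parameter name "KmsKeyArn" is an assumption made for this example.
    """
    if not rule_parameters_json:
        return None
    value = (json.loads(rule_parameters_json).get("KmsKeyArn") or "").strip()
    return value or None


def evaluate_trail(trail, required_key_arn=None):
    """The four outcomes of slide 61 as one pure decision.

    trail is a trail description in the shape CloudTrail's DescribeTrails
    returns; "KmsKeyId" is absent or empty when the trail is not KMS-encrypted.
    Returns (compliance type, annotation).
    """
    key_in_use = (trail.get("KmsKeyId") or "").strip()
    if not key_in_use:
        return NON_COMPLIANT, "Trail is not encrypted with a KMS key"
    if required_key_arn is None:
        return COMPLIANT, "Trail is encrypted with a KMS key"
    if key_in_use == required_key_arn:
        return COMPLIANT, "Trail is encrypted with the required key"
    return NON_COMPLIANT, "Trail is encrypted, but not with the required key"


def evaluate_account(account_id, trails, rule_parameters_json, ordering_timestamp):
    """Turn per-trail verdicts into the records Config's PutEvaluations takes.

    An account with no trail has no trail resource to flag, so the account
    itself is reported NON_COMPLIANT; a check that only inspects existing
    trails silently passes this case.
    """
    required = parse_required_key(rule_parameters_json)
    if not trails:
        return [{"ComplianceResourceType": "AWS::::Account",
                 "ComplianceResourceId": account_id,
                 "ComplianceType": NON_COMPLIANT,
                 "Annotation": "No CloudTrail trail is configured",
                 "OrderingTimestamp": ordering_timestamp}]
    evaluations = []
    for trail in trails:
        verdict, note = evaluate_trail(trail, required)
        evaluations.append({"ComplianceResourceType": "AWS::CloudTrail::Trail",
                            "ComplianceResourceId": trail["Name"],
                            "ComplianceType": verdict,
                            "Annotation": note,
                            "OrderingTimestamp": ordering_timestamp})
    return evaluations


# Slide 62, point 1: every permutation of (encrypted?, same key as K?, K given?),
# with the expected result copied from the slide-61 specification.
PERMUTATIONS = [
    # (trail description,               K,     expected)
    ({"Name": "t1", "KmsKeyId": KEY_A}, None,  COMPLIANT),      # encrypted, no K
    ({"Name": "t2", "KmsKeyId": KEY_A}, KEY_A, COMPLIANT),      # encrypted with K
    ({"Name": "t3", "KmsKeyId": KEY_B}, KEY_A, NON_COMPLIANT),  # encrypted, not with K
    ({"Name": "t4"},                    None,  NON_COMPLIANT),  # not encrypted
    ({"Name": "t5"},                    KEY_A, NON_COMPLIANT),  # not encrypted, K given
    ({"Name": "t6", "KmsKeyId": ""},    None,  NON_COMPLIANT),  # empty key id
]


def check_permutations():
    """Return the permutations whose verdict differs from the specification.

    An empty list means evaluate_trail matches every case on slide 61.
    """
    failures = []
    for trail, required, expected in PERMUTATIONS:
        verdict, _ = evaluate_trail(trail, required)
        if verdict != expected:
            failures.append((trail["Name"], verdict, expected))
    return failures


if __name__ == "__main__":
    print("spec mismatches:", check_permutations())
    sample_trails = [{"Name": "main", "KmsKeyId": KEY_A}, {"Name": "legacy"}]
    params = json.dumps({"KmsKeyArn": KEY_A})
    for ev in evaluate_account("111122223333", sample_trails, params, "2017-11-30T00:00:00Z"):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```

In a deployed rule the trail list comes from CloudTrail's DescribeTrails and the returned records go to Config's PutEvaluations; the decision logic above stays the same, which is what lets the permutation table run locally before anything is deployed.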
  • 63. Meet Toby Dev
    Hoodies, headphones, espresso, craft breweries
    Knows 20 programming languages with two years of experience in each (according to his resume)
    Known for not liking meetings
    Ultimately responsible for delivering code!
  • 64. Meet Toby Dev
    Challenges: Not knowledgeable about security; Often struggles with imprecise requirements; Feels the need to reinvent the wheel too often; Lots of console work and/or home-baked scripts
    Goals: Freedom to be creative; Wants impact (and recognition) by writing awesome code
  • 65. Meet Toby Dev: 2 Solutions
  • 66. Meet Toby Dev: Solution 1 of 2
    70+ compliance-as-code rules already available
    • Cover several common controls
    • Include test cases
    • Verified by the community and AWS
    • Integrate with AWS Config
    AWS Managed Config Rules; Custom rules: https://github.com/awslabs/aws-config-rules
  • 67. Meet Toby Dev: Solution 2 of 2
    NEW – Rule Development Kit
    • Initiate your dev environment locally
    • Initiate your dev environment in AWS
    • Deploy the rule and test it from your IDE
    Rule Development Kit: https://pypi.python.org/pypi/rdk
  • 68. Meet Greg “Ninja” Ops
    Likes Michelin-starred restaurants
    Affected by phantom vibration syndrome
    Perceived like Dad: old-fashioned, but the first person you call in case of emergency
    Ultimately responsible for stability!
  • 69. Meet Greg “Ninja” Ops
    Challenges: Running more servers means more workload; Not used to automation, can adapt it but not build it from scratch
    Goals: More is less, including for being paged at 3 a.m.
  • 70. Meet Greg “Ninja” Ops: 2 Solutions
  • 71. Meet Greg “Ninja” Ops: Solution 1 of 2
    Run on serverless with AWS Lambda
    • Event-driven
    • Automated administration
    • Integrated security model
    • Bring your own code
    AWS Lambda: https://aws.amazon.com/lambda/details/
  • 72. Meet Greg “Ninja” Ops: Solution 2 of 2
    NEW – Compliance-as-code engine available
    • Multi-account
    • 1-step deployment
    • Serverless
    • Code securely located in a segregated and dedicated AWS Account
    GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
  • 73. Finally, Meet… Mike App and Tim Audit
    Mike App
      Challenges: Has to deal with checklists and meetings with the Sec team; Lack of clear guidance to move forward
      Goals: Wants to go to prod ASAP
    Tim Audit
      Challenges: Seen more as the policeman; Must ask to get the information
      Goals: Be a trusted advisor on doing the right thing
  • 74. Meet Mike App and Tim Audit: Solutions
    NEW – Compliance-as-code Engine available
    • Multi-account, 1-step deployment, serverless, securely segregated code
    • Can be integrated in his DevOps pipeline
    • Dashboard with actionable insights
    • Stores all historical compliance status/changes
    • Dashboard for Compliance-as-code Analytics
    GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
  • 75. Demo: Compliance-as-code Engine
    1. Dashboard for Compliance-as-code Analytics
    2. One-step deployment in a new Application Account
    3. Dashboard for the Application Owner to gain insights
  • 76. Cloud Adoption Framework – Security
    CAF Security perspective – Guidance and process for your security specific to AWS: https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
    New – Compliance-as-code RuleSet from the CAF Security recommendations
    GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
  • 77. Workbook for PCI Compliance in AWS
    PCI Qualified Security Assessor Company (QSAC) Workbook – Partner with AWS on a Workbook for PCI Compliance in the AWS Cloud
    Link: https://d1.awsstatic.com/whitepapers/compliance/AWS_Anitian_Workbook_PCI_Cloud_Compliance.pdf
    New – Compliance-as-code RuleSet from the workbook’s recommendations
    GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
  • 78. In conclusion…
  • 79. Five Key Learnings
    1. Get a dedicated Security member as part of the cloud team
    2. Iterate on controls and provide solutions to your customers
    3. Treat edge cases carefully
    4. Devs like to have clear goals; stand up all together
    5. Start with Cloud Native tools first
  • 80. Getting Started: Next Three Months
    Timeline: Sprint 1 (two weeks) through Sprint 6, activities in the order shown on the slide:
    Stand up together at least twice a week (Dev-Sec-Ops)
    Demonstrate visibility by POCing the engine with one available RuleSet
    Get buy-in from the account owners
    Deploy the engine in all your accounts
    Select three relevant controls to be fixed, listen to feedback
    Finish Sprint 2
    Select three more controls to be fixed, listen to feedback
    Start documenting your security baseline iteratively
    Select three more controls to be fixed, listen to feedback
    Train your Devs on the RDK
    Select the one control you know is hard
    Build first exec metrics. Communicate the results broadly. Empower.
    Plan your next three months
  • 81. Thank you!
    Please fill out your survey