
Continuous Compliance on AWS at Scale - SID313 - re:Invent 2017


In cloud migrations, the cloud's elastic nature is often touted as a critical capability in delivering on key business initiatives. However, you must account for it in your security and compliance plans or face some real challenges. Always counting on a virtual host to be running, for example, causes issues when that host is rebooted or retired. Managing security and compliance in the cloud is continuous, requiring forethought and automation. Learn how a leading, next-generation managed cloud provider uses automation and cloud expertise to manage security and compliance at scale in an ever-changing environment. Through code examples and live demos, we show tools and automation that provide continuous compliance of your cloud infrastructure.

Session sponsored by 2nd Watch


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT. Continuous Compliance on AWS at Scale. SID313, November 29, 2017. Peter Meister | pmeister@2ndwatch.com, 2nd Watch Director, Product Management. Lars Cromley | lcromley@2ndwatch.com, 2nd Watch Director of Engineering, Automation.
  2. What to expect in this session
      • Cloud compliance and security on AWS
      • Engineering for compliance
      • Compliance automation
      • Live demo
      • Business outcomes and takeaways
  3. Engineering Compliance & Security
  4. Continuous Compliance & Cloud Security
  5. Configuration Management
      • Management tools and processes
      • Maintain and strictly enforce enterprise configuration
      • Automated procedure to enforce configuration
      • Analyzing data to derive knowledge for continuous monitoring and compliance
  6. Compliance Standards
      • Unified compliance processes and frameworks
      • Stronger compliance standards
      • Catalogs for continuous compliance
      • Bring the skills from the data center to the cloud
  7. Governance, Risk, & Compliance (diagram labels: Cloud Security; Policy & Procedure)
      • Traditional compliance approaches
      • Risk-based security and compliance framework
      • People, process and technology
      • PAG: be prescriptive
      • Cloud security and continuous monitoring
      • Security defense in depth
      • Endpoint to server: protect the entire platform
  8. Benefits of Cloud Compliance on AWS
      • Protection improvements
      • Unplanned changes
      • Configuration enforcement
      • Configuration management
      • Improved reusability
      • Prescriptive and programmatic management
  9. Engineering for Compliance
  10. Building Compliant Environments
      • Unique for each organization
      • Vertical-based, coupled to regulatory requirements
      • Accelerated with tools
      • InSpec: compliance-as-code
      • Think compliance by design
  11. Compliance Templates
      • Accelerate and deploy security-focused environments
      • AWS meets compliance across a broad range
      • AWS Enterprise Accelerator: compliance offerings
      • PCI DSS, NIST, OMB TIC, DoD
      • AWS CloudFormation templates to support automation and deployment
  12. Operations Tooling
      • Having the right tools is essential
      • Combining operations management tools is best practice
      • Utilize provisioning tools and configuration management tools
      • Utilize orchestration and automation tools and monitoring tools
      • AWS CodeDeploy
      • AWS CodePipeline
  13. Configuration Management
      • Reduce complexity of configuring distributed infrastructure and resources
      • Speed and agility to perform configuration at scale
      • Puppet, Chef, Ansible, SaltStack provide rich capabilities
      • Engineering for compliance
  14. Automation & Continuous Compliance
  15. We had based workload supportability and service level on a set of tags. If new infrastructure was created, we needed to know the environment, service level, who created it, did they follow the approved process, etc.
  16. Specifically, these resources…
  17. Business logic, based on a mutable asset in an environment that encourages ephemeral architecture and elasticity?
  18. What could possibly go wrong?
  19. Our Task: to leverage the AWS Config service, creating a rule to look for our specific tags, alert when those tags are not present, and then apply said tags to said resource.
  20. (no text on slide)
  21. Code

      import json
      import boto3

      # Name of the Config rule that checks for the required tags, and the compliance
      # value its notification carries when a tag is absent. The rule name is a
      # placeholder; use the name of the rule actually deployed.
      CONFIG_RULE_NAME = 'required-tags'
      NOT_COMPLIANT = 'NON_COMPLIANT'

      def handler(event, context):
          # log some init stuff (helper defined elsewhere in the function package)
          log_start_info()
          # handle debug event arg (helper defined elsewhere in the function package)
          log_if_debug(event)
          # for each item, process and remove from queue; the slide left bucket/key
          # undefined, so they are taken here from a standard S3 event record
          for record in event['Records']:
              process(record['s3']['bucket']['name'], record['s3']['object']['key'])

      def process(bucket, key):
          s3 = boto3.client('s3')  # get_object is a client method, not a resource method
          obj = s3.get_object(Bucket=bucket, Key=key)
          body = json.loads(obj['Body'].read())
          # the Config notification is wrapped twice: S3 object -> raw_event -> SNS Message
          msg = json.loads(json.loads(body['raw_event'])['Message'])
          if msg['configRuleName'] == CONFIG_RULE_NAME and msg['compliance'] == NOT_COMPLIANT:
              # CALL ALERT SERVICE
              pass
  22. Building Autonomous Systems
  23. Automated Systems Need Love, Too
  24. The Reality
  25. Live Technical Demo
  26. Business Outcomes
      • Compliance and security from a 360-degree vision
      • Security awareness accountability
      • Continuous CI/CD flow
      • Continuous compliance is a journey
  27. Takeaways. “Digital business is essentially software, which means that organizations that expect to thrive in a digital environment must have an improved competence in software delivery.” – Laurie Wurster, Research Director – Gartner
  28. Thank you! Visit us at: www.2ndwatch.com. Engage with us @2ndwatch. Visit us at our booth: 1104.
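Slide 19 states the task (a Config rule that looks for specific tags, alerts when they are absent, and applies them) and slide 21 shows only the consumer that turns a NON_COMPLIANT notification into an alert. The block below is an added example, not 2nd Watch's code, showing the other two parts: the Lambda-backed Config custom rule that evaluates a resource against a set of required tags, and the remediation step that works out which tags to back-fill. The tag key names, the sentinel default values, the function names and the sample configuration item are all assumptions; the event shape (invokingEvent and ruleParameters as JSON strings, resultToken) and the evaluation fields are the ones the AWS Config custom-rule contract uses. The boto3 clients are injected so the logic runs offline.

```python
import json

# Tag keys the deck says supportability and service level were keyed on. The
# exact key names are an assumption; the slides do not list them.
REQUIRED_TAGS = frozenset({"Environment", "ServiceLevel", "Owner", "ChangeTicket"})

# Sentinel values remediation applies when a tag is absent (constructed). They
# are deliberately recognisable so a later check can still find resources that
# were created without tags after the key has been back-filled.
DEFAULT_TAGS = {
    "Environment": "unknown",
    "ServiceLevel": "unsupported",
    "Owner": "unassigned",
    "ChangeTicket": "none",
}


def missing_tags(configuration_item, required=REQUIRED_TAGS):
    """Sorted list of required tag keys that are absent or empty on the item."""
    tags = configuration_item.get("tags") or {}
    return sorted(key for key in required if not tags.get(key))


def evaluate(event, required=REQUIRED_TAGS):
    """Build the single evaluation a Lambda-backed Config rule hands to PutEvaluations.

    `event` has the shape Config sends a custom rule: `invokingEvent` is a JSON
    string carrying the configurationItem, `ruleParameters` a JSON string of
    user parameters (here an optional comma-separated `requiredTags`).
    """
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    if params.get("requiredTags"):
        required = frozenset(t.strip() for t in params["requiredTags"].split(","))

    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        # A deleted resource must not be left standing as NON_COMPLIANT.
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        absent = missing_tags(item, required)
        if absent:
            compliance, note = "NON_COMPLIANT", "missing tags: " + ",".join(absent)
        else:
            compliance, note = "COMPLIANT", "all required tags present"

    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # PutEvaluations caps Annotation at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def remediation_tags(configuration_item, defaults=DEFAULT_TAGS):
    """Tags to add so the resource carries every required key, never overwriting
    a value that is already set. Returned in the EC2 CreateTags Key/Value shape."""
    absent = missing_tags(configuration_item, frozenset(defaults))
    return [{"Key": key, "Value": defaults[key]} for key in absent]


def handler(event, context, config_client=None, ec2_client=None):
    """Lambda entry point. The clients are injected so the logic runs offline; in
    Lambda pass boto3.client("config") and boto3.client("ec2"). Tagging through
    EC2 assumes an EC2 resource; other resource types need their own tagging API."""
    evaluation = evaluate(event)
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    if evaluation["ComplianceType"] == "NON_COMPLIANT" and ec2_client is not None:
        item = json.loads(event["invokingEvent"])["configurationItem"]
        ec2_client.create_tags(Resources=[item["resourceId"]], Tags=remediation_tags(item))
    return evaluation


def make_event(tags, status="OK", rule_params=None):
    """Constructed sample of a Config custom-rule invocation for an EC2 instance."""
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": "AWS::EC2::Instance",
                "resourceId": "i-0123456789abcdef0",  # constructed id
                "configurationItemStatus": status,
                "configurationItemCaptureTime": "2017-11-29T10:00:00.000Z",
                "tags": tags,
            },
        }),
        "ruleParameters": json.dumps(rule_params) if rule_params else None,
        "resultToken": "constructed-result-token",
    }


if __name__ == "__main__":
    partial = make_event({"Environment": "prod", "Owner": "team-a"})
    print(handler(partial, None)["Annotation"])  # missing tags: ChangeTicket,ServiceLevel
```

The evaluation is recorded before any tag is applied, so the NON_COMPLIANT result and its annotation survive as the audit trail even though the next evaluation of the now-tagged resource will come back COMPLIANT; that is why the back-filled values are obvious sentinels rather than plausible-looking defaults, and why the alert path on slide 21 stays in place alongside remediation.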
