
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017


As Chick-fil-A became a cloud-first organization, their security team didn't want to become the bottleneck for agility. But the security team also wanted to raise the bar for their security posture on AWS. Robert Davis, security architect at Chick-fil-A, provides an overview of how he and his team recognized that writing code was the best way for their security policies to scale across the many AWS accounts that Chick-fil-A operates. The use of DevSecOps within Chick-fil-A led to the creation of a set of account bootstrapping tools, auditing capabilities, and event-based policy enforcement. This session goes over these tools and how they were built on AWS.


  1. How Chick-fil-A Embraces DevSecOps on AWS. Andrew Baird, Solutions Architect, AWS; Robert Davis, Security Architect, Chick-fil-A. SID306, November 29, 2017. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Agenda • Introduction • Bold Statements • Tools to Start With • Services to Start With • The Chick-fil-A DevSecOps Story
  3. Introduction to DevSecOps (in one slide): DEV + SEC + OPS. Dev: develop software, following the same processes and standards as application development • Tools • Quality • Change management. Sec: the software developed is explicitly focused on security • Threats • Policies • Identity and Access Control • And more. Ops: the security-focused software developed runs as part of ongoing operations for your applications/organization • Automated • Embedded in process • Always-on • An extension of your team
  4. Bold Statements
  5. Bold(ish) Statement: Your team must write code in order to be practicing DevSecOps.
  6. Bold(er) Statement: If your application teams are practicing DevOps or embracing automation on AWS and you are not practicing DevSecOps, your security policies are a bottleneck.
  7. Bold(est) Statement: If your applications run on AWS and you're not practicing DevSecOps, your security bar is not high enough.
  8. Where Should You Start?
  9. Taking the First Step: Choose a higher-level programming language to standardize on. Factors to consider: • Skills already existing on your team • Interpreted as opposed to compiled (hint: choose an interpreted language for DevSecOps) • Available SDKs/tools (especially the AWS SDK). Prescription (not the only choice): Python – https://aws.amazon.com/sdk-for-python/
  10. Reach for Low-Hanging Fruit First. Code with: Python SDK (boto3), AWS CLI, AWS API. Build with: AWS Lambda, Amazon CloudWatch, Amazon EC2 Systems Manager, AWS Config, AWS CloudTrail, AWS CloudFormation. Focus on: AWS Identity and Access Management, S3 Bucket Policies, Security Groups, Amazon VPC.
  11. It's Dangerous to Go Alone... Take These • AWS CIS Foundation Benchmark: https://github.com/awslabs/aws-security-benchmark • Cloud Custodian (OSS from Capital One): https://github.com/capitalone/cloud-custodian • AWS Config Rules Repository: https://github.com/awslabs/aws-config-rules • AWS Security Blog: https://aws.amazon.com/blogs/security/
  12. Chick-fil-A: Security Journey to AWS
  13. AWS Security Strategy • Multi-account for workload segmentation and smaller blast radius • Over 50 accounts and growing • Security account with assume-role rights into other accounts • Controls should be repeatable and scriptable • Leverage Python (e.g. boto3) and the AWS CLI everywhere possible • Event-driven security and compliance • Serverless where possible
  14. Leveraging DevSecOps: Multi-Account Strategy Challenges
  15. Challenges • Account creation • CLI/SDK access • Visibility • Auditability • Developer enablement
  16. Tenets of DevSecOps • Automation: no humans required to stay in compliance • Event-driven: actions occur and response is taken immediately • Serverless: allows the security team to develop capabilities quickly • Enabling agility without compromising security: puts control in developers' hands
  17. Leveraging DevSecOps: Account Creation
  18. AWS Account Creation. If we want to leverage multiple AWS accounts, we must make it easy to create new accounts • Started as a manual process • Scripted using Python and Selenium • Starting point: https://github.com/intuit/aws_account_utils • Organizations – thank you, AWS! • Integrate with ServiceNow to allow self-service
  19. Create AWS Account (Before Organizations) • 500+ lines of Python code • Web browser version issues • Small changes to web forms break the entire process • Not easy to run in headless mode • Credit card needed • Human verification needed via phone call
  20. Create AWS Account (Organizations):

```python
import time
import boto3

email = 'test@test.com'
alias = 'testalias'
organizations = boto3.client('organizations')

# CreateAccount is asynchronous: it returns a request id that must be polled.
create_id = organizations.create_account(
    Email=email, AccountName=alias,
    IamUserAccessToBilling='ALLOW')['CreateAccountStatus']

status = organizations.describe_create_account_status(
    CreateAccountRequestId=create_id['Id'])['CreateAccountStatus']
while status['State'] == 'IN_PROGRESS':
    time.sleep(5)
    status = organizations.describe_create_account_status(
        CreateAccountRequestId=create_id['Id'])['CreateAccountStatus']

if status['State'] == 'SUCCEEDED':
    print('Account created:', status['AccountId'])
else:
    print('Account creation failed:', status.get('FailureReason'))
```
  21. AWS Account Templated Security • Looked at AWS CloudFormation first • Python script run as part of account creation • Create standard VPC, including network ACLs and standard security groups • Create standard set of IAM federated roles • Create security audit role • Set IAM user password policies • Enable AWS CloudTrail • Set up Amazon CloudWatch event rules • Register account with security AWS account register
  22. Leveraging DevSecOps: CLI/SDK Access
  23. AWS Account CLI Access. If we want to leverage multiple AWS accounts, we must make it easy to access accounts • Python script to generate STS credentials for CLI/SDK access • Starting point: https://aws.amazon.com/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/ • MFA enabled by way of federation • No long-lived IAM credentials on developer machines
  24. CLI Access
  25. Leveraging DevSecOps: Visibility
  26. Account Visibility. If we want to leverage multiple AWS accounts, we must make it easy to see into all accounts. Single-page app with resources listed from all accounts • Quickly search for IAM users across the org • Get count of resource types across the org (EC2 instances, RDS instances, IAM users, and so on). API Gateway to Lambda for app logic • Assume role into every account • Collect data on relevant resources
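The fan-out behind slide 26 (assume a role in every account from the security account, collect the relevant resources, then search and count across the org) as an added Python/boto3 example; this is not code from the talk or from Chick-fil-A's portal. The role name `SecurityAudit`, the account ids and the `session_for` hook that lets `collect` run against fake sessions are assumptions; the cross-account hop itself is the standard `sts.assume_role` call.

```python
def assumed_session(account_id, role_name, session_name="security-visibility"):
    """Exchange the security account's credentials for a short-lived session in a member account."""
    import boto3  # imported here so the collection logic below can run against fake sessions in tests
    creds = boto3.client("sts").assume_role(
        RoleArn="arn:aws:iam::%s:role/%s" % (account_id, role_name),
        RoleSessionName=session_name, DurationSeconds=900)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])

def _items(client, operation, key):
    """Yield every element under `key` across all pages of a paginated API call."""
    for page in client.get_paginator(operation).paginate():
        yield from page[key]

def inventory(session):
    """Collect what the portal shows for one account: resource counts plus IAM user names for search."""
    ec2, rds, iam = session.client("ec2"), session.client("rds"), session.client("iam")
    return {
        "ec2_instances": sum(len(r["Instances"]) for r in _items(ec2, "describe_instances", "Reservations")),
        "rds_instances": sum(1 for _ in _items(rds, "describe_db_instances", "DBInstances")),
        "iam_users": [u["UserName"] for u in _items(iam, "list_users", "Users")],
    }

def collect(account_ids, role_name, session_for=assumed_session):
    """Assume the audit role in every account; a failing account is recorded, not fatal."""
    report = {}
    for account_id in account_ids:
        try:
            report[account_id] = inventory(session_for(account_id, role_name))
        except Exception as exc:  # role missing, trust policy denies us, API throttling ...
            report[account_id] = {"error": str(exc)}
    return report

def find_user(report, needle):
    """Org-wide IAM user search: account id -> user names containing `needle` (case-insensitive)."""
    needle = needle.lower()
    hits = {}
    for account_id, data in report.items():
        matches = [u for u in data.get("iam_users", []) if needle in u.lower()]
        if matches:
            hits[account_id] = matches
    return hits

def totals(report):
    """Org-wide counts per resource type; accounts that errored contribute nothing."""
    return {k: sum(d.get(k, 0) for d in report.values())
            for k in ("ec2_instances", "rds_instances")}

if __name__ == "__main__":
    # Account ids are placeholders and the role name "SecurityAudit" is an assumption.
    print(totals(collect(["111111111111", "222222222222"], "SecurityAudit")))
```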
  28. Accounts Overview
  29. Single Account View
  30. Leveraging DevSecOps: Auditability
  31. Account Auditability. If we want to leverage multiple AWS accounts, we must make it easy to audit all accounts. Resource compliance rule engine • Check all EC2 instances for noncompliance (e.g. public IP) • Check IAM users for noncompliance • Check all S3 buckets for global access • Runs daily, but can be run on demand in our compliance portal
  32. Account Auditability • Lambda functions run via CloudWatch Events schedule • Data stored in Amazon S3 as a JSON object per account • Data can be visualized in the compliance portal • Can run on demand in portal • Still building rule engine
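A minimal version of the resource compliance rule engine from slides 31 and 32, as an added example that is not the team's own code. It evaluates the per-account JSON object the scheduled collector would store in S3 and emits one finding per failed rule; the snapshot layout, the field names (`MfaEnabled`, `AccessKeyAgeDays`, `AclGrantees`, `PolicyPrincipals`) and all sample values are constructed for this example.

```python
import json

# Constructed sample: the per-account JSON object the daily collector would write to S3.
SAMPLE_SNAPSHOT = json.loads("""{
  "account_id": "111111111111",
  "ec2_instances": [{"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.10"}, {"InstanceId": "i-0bbb"}],
  "iam_users": [{"UserName": "alice", "MfaEnabled": true, "AccessKeyAgeDays": [12]},
                {"UserName": "svc-legacy", "MfaEnabled": false, "AccessKeyAgeDays": [400, 3]}],
  "s3_buckets": [{"Name": "public-assets", "AclGrantees": ["http://acs.amazonaws.com/groups/global/AllUsers"], "PolicyPrincipals": []},
                 {"Name": "private-data", "AclGrantees": [], "PolicyPrincipals": ["arn:aws:iam::111111111111:root"]},
                 {"Name": "wide-open-policy", "AclGrantees": [], "PolicyPrincipals": ["*"]}]
}""")

GLOBAL_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

# Each rule returns a reason string when the resource is noncompliant, otherwise None.
def ec2_public_ip(inst):
    ip = inst.get("PublicIpAddress")
    return "instance has public IP %s" % ip if ip else None

def iam_no_mfa(user):
    return None if user.get("MfaEnabled") else "user has no MFA device"

def iam_stale_key(user, max_age_days=90):
    stale = [age for age in user.get("AccessKeyAgeDays", []) if age > max_age_days]
    return "access key older than %d days" % max_age_days if stale else None

def s3_global_access(bucket):
    open_acl = GLOBAL_GRANTEES & set(bucket.get("AclGrantees", []))
    open_policy = "*" in bucket.get("PolicyPrincipals", [])
    return "bucket grants global access via ACL or policy" if open_acl or open_policy else None

# Snapshot key -> (identifier field, rules to apply). Adding a rule is one entry here.
RULES = {"ec2_instances": ("InstanceId", [ec2_public_ip]),
         "iam_users": ("UserName", [iam_no_mfa, iam_stale_key]),
         "s3_buckets": ("Name", [s3_global_access])}

def evaluate(snapshot):
    """Run every rule over every resource; one finding per failure, empty list means compliant."""
    findings = []
    for kind, (id_field, rules) in RULES.items():
        for resource in snapshot.get(kind, []):
            for rule in rules:
                reason = rule(resource)
                if reason:
                    findings.append({"account": snapshot["account_id"], "type": kind, "rule": rule.__name__,
                                     "resource": resource[id_field], "reason": reason})
    return findings
```

The findings list is what the portal would render, and the same function can run on demand against a freshly collected snapshot.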
  33. Audit Report
  34. Leveraging DevSecOps: Enablement
  35. Developer Enablement. If we want to leverage multiple AWS accounts, we must make it easy to enable developers to be secure by default • Event-driven security • Simple CloudFormation template across accounts • Part of AWS account creation process • All "interesting" AWS API calls are checked for compliance issues/concerns • Non-remediated alerts flow into incident response tools and audit/compliance portal • Integrates with Slack and email for communications
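An added example of the event-driven check described on slide 35, not code from the talk: a Lambda handler that receives CloudWatch Events "AWS API Call via CloudTrail" events and flags a security-group ingress rule that opens an admin or database port to the world, plus any attempt to stop or delete a CloudTrail trail. The sample event is constructed (account id, group id and user are placeholders); forwarding findings to Slack or the portal is left out.

```python
SENSITIVE_PORTS = {22, 3389, 3306, 5432}          # admin and database ports we never want world-open
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape CloudWatch Events delivers for "AWS API Call via CloudTrail".
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2", "account": "111111111111",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/Developer/alice"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}}

def check_sg_ingress(detail):
    """Flag ingress rules that open a sensitive port (or every port) to the whole Internet."""
    reasons = []
    group = detail["requestParameters"].get("groupId", "?")
    for perm in detail["requestParameters"].get("ipPermissions", {}).get("items", []):
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])}
        if not cidrs & WORLD:
            continue                          # scoped to specific ranges: not this check's concern
        if perm.get("ipProtocol") == "-1":    # "-1" means all protocols and all ports
            exposed = "all ports"
        else:
            lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
            hit = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            if not hit:
                continue                      # e.g. 443 open to the world is acceptable
            exposed = "%s port(s) %s" % (perm["ipProtocol"], hit)
        reasons.append("%s opens %s to %s" % (group, exposed, sorted(cidrs & WORLD)))
    return reasons

def check_trail_tamper(detail):
    """Any attempt to stop or delete a trail is a finding regardless of its parameters."""
    return ["%s on %s" % (detail["eventName"], detail.get("requestParameters", {}).get("name", "?"))]

CHECKS = {"AuthorizeSecurityGroupIngress": check_sg_ingress,  # event name -> check; grow the list here
          "StopLogging": check_trail_tamper, "DeleteTrail": check_trail_tamper}

def handler(event, context=None):
    """Lambda entry point: returns findings for the Slack/portal forwarder (not shown here)."""
    detail = event["detail"]
    check = CHECKS.get(detail.get("eventName"))
    if check is None:
        return []
    return [{"account": event.get("account"), "event": detail["eventName"],
             "actor": detail.get("userIdentity", {}).get("arn"), "reason": r} for r in check(detail)]
```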
  37. Slack Integration
  38. Credits: Cloud Custodian; Squirrelbin; Intuit – https://github.com/intuit/aws_account_utils; AWS Security Blog – https://aws.amazon.com/blogs/security
  39. Thank you!
