
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - AWS re:Invent 2018


In this session, learn how LogMeIn moves quickly and stays secure through the power of automation on AWS. We walk through core AWS security building blocks, such as IAM, AWS CloudTrail, AWS Config, and Amazon CloudWatch. We dive deep into LogMeIn’s approach for empowering developers on AWS while also meeting required security controls.



  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302). Cameron Worrell, Solutions Architect, AWS. Brian Galura, Principal Technical Operations Architect, LogMeIn Inc.
  2. Agenda
     • Considerations and building blocks
     • Automation patterns and lifecycle
     • Deep dive – LogMeIn governance automation
     • Demo – Governance automation
     • Summary and path forward
  3. Key takeaways
     • Remove friction between your developers and innovation
     • Free up cycles on your operations teams
     • Increase visibility into actions across your environment
     • Align security controls earlier in the development lifecycle
  4. Unlocking innovation
  5. Let builders build… …while maintaining responsible guardrails.
  6. "IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals." (Gartner)
  7. Flexible developer access… …while maintaining responsible guardrails.
  8. Resource boundaries, policies, and roles
     Diagram: Root with Dev, QA and Prod, each containing accounts A1, A2 and A3.
     Labels: Across multiple accounts; Within an account; IAM roles; IAM policies & conditions; Resources & tagging; Identity federation.
  9. AWS Identity and Access Management (IAM) policy primer
     {
       "Statement": [{
         "Effect": "effect",
         "Principal": "principal",
         "Action": "action",
         "Resource": "arn",
         "Condition": { "condition": { "key": "value" } }
       }]
     }
     IAM mechanisms:
     • Implicit deny
     • Explicit deny
     • Resource-level permissions
     • Authorization based on tags
     • Resource-based policies
     • Permissions boundaries
  10. IAM policy examples
     Resource-level / tag-based authorization (tenant separation):
     {
       ...
       "Effect": "Allow",
       "Resource": "arn:aws:ec2:us-west-2:123456789012:instance/*",
       "Condition": { "StringEquals": { "ec2:ResourceTag/team": "dev1" } }
     }
     Explicit deny (prevent high blast radius):
     {
       ...
       "Effect": "Deny",
       "Resource": "*",
       "Action": [
         "ec2:AttachInternetGateway",
         "ec2:AssociateRouteTable",
         "ec2:AuthorizeSecurityGroupEgress",
         "ec2:AuthorizeSecurityGroupIngress"
         ...
       ]
     }
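The two statements on slide 10 only make sense together with the evaluation order slide 9 lists (implicit deny, explicit deny, resource-level and tag-based authorization). The following is an added example, not code from the deck or from AWS: a small evaluator that applies those rules to the slide's own two statements. It assumes an `Action` of `ec2:*` for the Allow statement, which the slide leaves out, and it models only the `StringEquals` condition operator.

```python
"""Minimal IAM-style policy evaluator (added example; not AWS code).

It models the evaluation order the slide's mechanisms rely on: everything
is implicitly denied, an explicit Deny wins over any Allow, an Allow must
match both action and resource ARN, and a StringEquals condition on a
resource tag must hold. Only that subset of IAM semantics is implemented,
enough to exercise the two sample policies from the slide.
"""
from fnmatch import fnmatchcase

# Explicit deny from the slide: block high-blast-radius network actions.
DENY_HIGH_BLAST_RADIUS = {
    "Effect": "Deny",
    "Action": [
        "ec2:AttachInternetGateway",
        "ec2:AssociateRouteTable",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
    ],
    "Resource": "*",
}

# Tag-based tenant separation from the slide. The slide omits the Action
# element; "ec2:*" is assumed here so the statement is complete.
ALLOW_TEAM_INSTANCES = {
    "Effect": "Allow",
    "Action": "ec2:*",
    "Resource": "arn:aws:ec2:us-west-2:123456789012:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/team": "dev1"}},
}

TEAM_DEV1_POLICY = [ALLOW_TEAM_INSTANCES, DENY_HIGH_BLAST_RADIUS]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM uses '*' and '?' wildcards; ARN matching is case-sensitive.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is modelled; other operators are rejected loudly
    # rather than silently treated as satisfied.
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator}")
        for key, wanted in pairs.items():
            if context.get(key) != wanted:
                return False
    return True


def evaluate(statements, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request.

    context carries request-time keys such as the resource's tags,
    e.g. {"ec2:ResourceTag/team": "dev1"}.
    """
    context = context or {}
    decision = "Deny"  # implicit deny until an Allow matches
    for statement in statements:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if not _condition_holds(statement.get("Condition"), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any Allow
        decision = "Allow"
    return decision
```

The interesting case is `ec2:AuthorizeSecurityGroupIngress` against a correctly tagged instance ARN: the Allow statement matches, yet the request is denied, because the explicit Deny on `Resource: "*"` is evaluated regardless of tags. That is exactly why the deck pairs tag-based allows with a blanket deny on high-blast-radius actions.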
  11. Policy is a verb, not a noun. Lifecycle around policies: Collect → Analyze → Develop & deploy → Operate.
     Collect: AWS CloudTrail log data; deviations from baseline; org and strategy changes; roadmap and enhancements
     Analyze: understand access patterns; correlate actions to events; validate control mapping; metrics tracking
     Develop & deploy: policy as code; access brokers; automated checks; self-service tools
     Operate: notification and remediation; monitoring and logging; exception handling; incident response; metrics capture
  12. Developer access considerations. Direct vs. indirect developer access:
     Direct access
     • Interaction with APIs directly
     • Choice of tooling and automation
     • Sandbox, experimentation
     • Within-guardrail activities
     Indirect access
     • Interaction through a proxy or broker
     • Prescriptive tooling and automation
     • Deployment-related activities
     • High blast radius actions
  13. Self-service with AWS CloudFormation custom resources
     • Call and manage custom actions in your stack
     • Back custom resources with AWS Lambda functions with governance logic
     • Broker sensitive actions and automate safety checks
     Resource type: AWS::CloudFormation::CustomResource or Custom::String
     Flow: Template → Lambda functions (security group lookup, IAM policy validation, subnet assignment) → criteria met? → yes: provision stack; no: failure log
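Slide 13 describes the broker pattern in a diagram only. As an added example (not LogMeIn's or AWS's code), here is a Lambda-backed custom resource handler that does the "security group lookup" step: it resolves a group by `Name` tag, applies a governance check, and returns either `SUCCESS` with the group ID for the template to reference or `FAILED` with the reason. The request and response fields follow the documented custom resource protocol; the inventory of groups and the HTTP sender are injected so the module runs offline, and the sample groups are constructed.

```python
"""Lambda-backed CloudFormation custom resource: security group lookup by
name plus a governance check (added example; not LogMeIn's or AWS's code).

CloudFormation invokes the function with RequestType, ResourceProperties
and a presigned ResponseURL; the function must PUT a JSON body carrying
Status, PhysicalResourceId, StackId, RequestId, LogicalResourceId and Data.
Here the EC2 lookup and the sender are parameters so the logic can run
without AWS; in a real function they would wrap boto3 and an HTTP PUT.
"""
import json

# Constructed stand-in for ec2.describe_security_groups() output.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa",
     "Tags": [{"Key": "Name", "Value": "web-tier"}],
     "IpPermissions": [{"FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb",
     "Tags": [{"Key": "Name", "Value": "bastion-wide-open"}],
     "IpPermissions": [{"FromPort": 0, "ToPort": 65535,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def lookup_by_name(name, groups=SAMPLE_SECURITY_GROUPS):
    """All groups whose Name tag equals `name` (a stack needs exactly one)."""
    return [g for g in groups
            if any(t["Key"] == "Name" and t["Value"] == name
                   for t in g.get("Tags", []))]


def governance_violations(group):
    """Reasons the group fails the guardrail; empty list means it passes.

    The rule here (assumed, for illustration): the only port that may be
    open to 0.0.0.0/0 is 443.
    """
    problems = []
    for perm in group.get("IpPermissions", []):
        world = any(r.get("CidrIp") == "0.0.0.0/0"
                    for r in perm.get("IpRanges", []))
        ports = (perm.get("FromPort"), perm.get("ToPort"))
        if world and ports != (443, 443):
            problems.append(f"world-open ports {ports[0]}-{ports[1]}")
    return problems


def build_response(event, status, data=None, reason=None, physical_id=None):
    # PhysicalResourceId must be stable across Update/Delete, so reuse the
    # one CloudFormation sent when we have nothing better.
    return {
        "Status": status,
        "Reason": reason or "see CloudWatch Logs",
        "PhysicalResourceId": physical_id or event.get("PhysicalResourceId") or "lookup-failed",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def handle(event, send, lookup=lookup_by_name):
    """Lambda entry point. `send(url, body)` delivers body to ResponseURL."""
    if event["RequestType"] == "Delete":
        # A lookup owns nothing, so deletion always succeeds; failing here
        # would leave the stack stuck in DELETE_FAILED.
        resp = build_response(event, "SUCCESS")
    else:
        name = event["ResourceProperties"].get("GroupName", "")
        matches = lookup(name)
        if len(matches) != 1:
            resp = build_response(event, "FAILED",
                                  reason=f"{len(matches)} groups named {name!r}")
        elif governance_violations(matches[0]):
            resp = build_response(event, "FAILED",
                                  reason="; ".join(governance_violations(matches[0])))
        else:
            resp = build_response(event, "SUCCESS",
                                  data={"GroupId": matches[0]["GroupId"]},
                                  physical_id=matches[0]["GroupId"])
    send(event["ResponseURL"], json.dumps(resp))
    return resp
```

A template would then reference the result as `!GetAtt WebSg.GroupId`, which is how "reference by name instead of ID" on slide 24 keeps one template valid across accounts and regions while the broker, not the developer, decides whether the group is acceptable.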
  14. Automated policy check tools
     • IAM Policy Simulator API: evaluate the policies that you choose and determine the effective permissions for each of the actions that you specify
     • Zelkova: leverage automated reasoning to verify policy permissiveness
     • Ecosystem and custom tools: customize policy logic to your environment. Use open-source tools: Repokid, Aardvark, cfn_nag, Cloud Custodian
  15. Zelkova provides provable security for customers "in the cloud" by leveraging automated reasoning to verify key IAM enterprise governance & data privacy controls are implemented as intended, at scale.
  17. LogMeIn | Thriving business (NASDAQ:LOGM)
     • Global company with revenue of $1B+
     • SMB market leader with top 1 or 2 position in all of our addressable markets
     • Worldwide operations with ~3,500 employees in 20+ global offices
     • 25MM+ users with nearly 300MM connections served every year
     • Top 10 SaaS company; S&P Mid-Cap 400; $5B+ market cap
  19. "Ensure the appropriate and auditable use of resources to meet business objectives"
  20. Common governance issues
     • "Don't get in my way!" (Developers)
     • "Don't break other people's stuff!" (Operations)
     • "Don't spend too much!" (Finance)
     • "Who has access to this resource?" (Security)
  21. LogMeIn AWS governance mission
     Appropriate:
     • Preventative (guardrails): Lambda-backed CloudFormation custom resources; Zelkova for IAM policy review
     • Detective (alerts): AWS Config; Amazon CloudWatch
     Auditable:
     • Cost (who spent what?): resource tagging
     • Access logs (who did what?): AWS CloudTrail
     Automation:
     • Volume cleanup
     • EIP release
  22. Let's go deeper! AWS CloudFormation custom resources:
     • Amazon Virtual Private Cloud (Amazon VPC) security groups
     • IP addresses
     • IAM policies
  23. Policy is a verb, not a noun – Security groups (see "Network Reachability Assessment" within Amazon Inspector)
  24. Amazon VPC security groups
     • SG creation and changes are through AWS CloudFormation
     • AWS CloudFormation custom resource for SGs: reference SGs by name instead of ID in AWS CloudFormation templates; SGs are consistent across contexts (account/region)
     • AWS Config checks SGs and sends an alert when appropriate. Change reports are available through CloudTrail
  25. Policy is a verb, not a noun – IP addresses
  26. IP addresses and subnets. AWS CloudFormation custom resource for subnets:
     • IP "load balancing" across subnets
     • Reference subnets by name instead of ID in AWS CloudFormation templates
     • AZ-distributed list of least-utilized subnets
     • Subnets are consistent across contexts (dev/prod/regions)
     Same pattern as security groups
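The subnet custom resource on slide 26 needs a selection rule behind "AZ-distributed list of least-utilized subnets". The following is an added example of one such rule, not LogMeIn's code: among subnets carrying the requested `Name` tag, keep the subnet with the most free addresses in each Availability Zone, skip any that are nearly exhausted, and order the survivors so the roomiest zone comes first. The sample subnets are constructed; `AvailableIpAddressCount` and `AvailabilityZone` are the field names `describe_subnets` returns, while the `Name`-tag convention and the `min_free` threshold are assumptions.

```python
"""Subnet selection for a CloudFormation custom resource (added example;
not LogMeIn's code). "Least utilized" is read as "most available IPs".
Sample data is constructed and mirrors ec2.describe_subnets() fields.
"""

SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-a1", "AvailabilityZone": "us-west-2a",
     "AvailableIpAddressCount": 12,
     "Tags": [{"Key": "Name", "Value": "app-private"}]},
    {"SubnetId": "subnet-a2", "AvailabilityZone": "us-west-2a",
     "AvailableIpAddressCount": 200,
     "Tags": [{"Key": "Name", "Value": "app-private"}]},
    {"SubnetId": "subnet-b1", "AvailabilityZone": "us-west-2b",
     "AvailableIpAddressCount": 90,
     "Tags": [{"Key": "Name", "Value": "app-private"}]},
    {"SubnetId": "subnet-c1", "AvailabilityZone": "us-west-2c",
     "AvailableIpAddressCount": 3,   # nearly exhausted
     "Tags": [{"Key": "Name", "Value": "app-private"}]},
    {"SubnetId": "subnet-x1", "AvailabilityZone": "us-west-2a",
     "AvailableIpAddressCount": 250,
     "Tags": [{"Key": "Name", "Value": "public"}]},
]


def _name(subnet):
    for tag in subnet.get("Tags", []):
        if tag["Key"] == "Name":
            return tag["Value"]
    return None


def select_subnets(name, subnets, min_free=8):
    """Return subnet IDs named `name`: at most one per AZ, roomiest first.

    Within an AZ the subnet with the most free addresses wins; AZs are then
    ordered by that count so new capacity lands where there is room.
    Subnets with fewer than `min_free` free addresses are skipped, which
    stops a template from choosing a subnet that cannot hold the instances
    it is about to launch.
    """
    best_per_az = {}
    for subnet in subnets:
        if _name(subnet) != name:
            continue
        if subnet["AvailableIpAddressCount"] < min_free:
            continue
        az = subnet["AvailabilityZone"]
        current = best_per_az.get(az)
        if current is None or subnet["AvailableIpAddressCount"] > current["AvailableIpAddressCount"]:
            best_per_az[az] = subnet
    ordered = sorted(best_per_az.values(),
                     key=lambda s: (-s["AvailableIpAddressCount"], s["AvailabilityZone"]))
    return [s["SubnetId"] for s in ordered]
```

Because the template names the subnet role rather than an ID, the same template resolves to different, correctly sized subnets in dev and prod, which is the "consistent across contexts" property the slide asks for.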
  28. Policy is a verb, not a noun – IAM policies
  29. Access guardrails – IAM
     Developers/operations:
     • Federated login
     • API token vending machine
     • Have appropriate access to use all AWS CloudFormation custom resources
     AWS CloudFormation custom resource for IAM policies:
     • Create IAM policies only through an AWS CloudFormation custom resource
     • Attach policies and create roles
     • IAM resources must be scoped to an appropriate path
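Slide 29 says IAM resources must be scoped to an appropriate path, but a path on the role alone is not enough: the policy the role carries must not let it create or attach IAM resources outside that path, or the scoping can be undone from inside. The following is an added example of the check a policy-creating custom resource could apply before calling IAM; it is not LogMeIn's code, and the `/teams/<team>/` path convention is an assumption.

```python
"""Path-scoping guardrail for an IAM custom resource (added example; not
LogMeIn's code). Two rules: the requested Path must be the team's path,
and any statement that allows an iam: action must name only ARNs under
that same path, so the role cannot mint roles or policies elsewhere.
"""
import re

# arn:aws:iam::<account>:<type>/<path>/<name>; group 3 is "/<path>/<name>".
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}|\*):(role|policy|user|group)(/.*)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def team_path(team):
    return f"/teams/{team}/"  # assumed convention


def check_path(path, team):
    wanted = team_path(team)
    return [] if path == wanted else [f"path {path!r} must be {wanted!r}"]


def check_iam_actions_scoped(policy_doc, team):
    """Problems for every Allow of an iam: action whose Resource escapes the path."""
    prefix = team_path(team)
    problems = []
    for index, statement in enumerate(policy_doc.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        iam_actions = [a for a in _as_list(statement.get("Action", []))
                       if a == "*" or a.lower().startswith("iam:")]
        if not iam_actions:
            continue
        for resource in _as_list(statement.get("Resource", [])):
            match = ARN_RE.match(resource)
            if resource == "*" or match is None or not match.group(3).startswith(prefix):
                problems.append(
                    f"statement {index}: {iam_actions} on {resource!r} escapes {prefix}")
    return problems


def validate_request(props, team):
    """props mirrors the custom resource's ResourceProperties: Path, PolicyDocument."""
    return (check_path(props.get("Path", "/"), team)
            + check_iam_actions_scoped(props["PolicyDocument"], team))
```

The custom resource would refuse the request whenever `validate_request` returns a non-empty list, which turns a written standard ("scope to a path") into a control that cannot be skipped by a developer who still has a CloudFormation deploy role.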
  30. Why is IAM so hard?
  31. How can Zelkova help with IAM?
     • Zelkova understands IAM policies
     • Zelkova does not just test the policies. It formally proves that they are compliant
     Illustration: a right triangle with sides a, b, c and a² + b² = c². AWS policy simulator: checks individual cases (a = 3, b = 4, c = 5; a = 1, b = 1, c = 2; a = 5, b = 12, c = 13).
  32. Can IAM permissions boundaries help?
  33. Demo. Create two AWS CloudFormation stacks:
     • One will create an IAM policy and instance role that meets our governance standards
     • One will start an Amazon Elastic Compute Cloud (Amazon EC2) instance using the instance role from the first stack, selecting a subnet, Amazon Machine Image, security group, and VPC by name using AWS CloudFormation custom resources
  35. Detective controls
     • AWS Config: security groups
     • CloudWatch: IAM policies
     • GuardDuty
     StackSets help scale these to many accounts
  36. Access auditing and reporting
     • Aggregated CloudTrail
     • Directly searchable using Amazon Athena
     • Brokered access through Redash
  37. Access auditing and reporting
  38. Cost guardrails for dev
     • Large footprint
     • Don't need 100% uptime
     • Good candidate for Spot
     • Devs can opt in by tagging their Amazon EC2 Auto Scaling groups – easy win
     • Very little downtime when Spot Instances are replaced by On-Demand
     • Governance automation: EIP release; detached volume deletion
  39. Monitoring, detection, and response
     Logging: CloudTrail; CloudWatch; AWS Config; Amazon VPC Flow Logs; application logs; …
     Detection: IAM policy check; insecure config check; threshold alarms; ML analysis; …
     Remediation: notify admins; update/terminate resources; revert changes; revoke credentials; …
     Paths between the stages: AWS Config rule; human analysis; CloudWatch alarm; CloudWatch Events
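Slide 39 names the pipeline (logging, detection, remediation) without showing what a detection looks like. The following is an added example, not LogMeIn's code: detection logic of the kind a CloudWatch Events rule or an Athena query over aggregated CloudTrail would carry, run here over constructed CloudTrail records. It flags the high-blast-radius EC2 actions the deck denies explicitly (including denied attempts, which are the explicit-deny guardrail firing) and IAM policy or role changes made by anything other than the governance custom resource's Lambda role, which would mean the broker was bypassed. The record shape follows the CloudTrail event format; the role name `GovernanceCustomResourceRole` is assumed.

```python
"""CloudTrail detections for the deck's guardrails (added example; not
LogMeIn's code). Records below are constructed CloudTrail-format JSON.
"""
import json

HIGH_BLAST_RADIUS = {
    "AttachInternetGateway", "AssociateRouteTable",
    "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress",
}
BROKERED_IAM_EVENTS = {"CreatePolicy", "CreateRole", "AttachRolePolicy", "PutRolePolicy"}
BROKER_ROLE = "GovernanceCustomResourceRole"  # assumed name of the custom resource's role

_RAW_RECORDS = [
    {"eventTime": "2018-11-28T17:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {
         "sessionIssuer": {"userName": "Dev1DeveloperRole"}}}},
    {"eventTime": "2018-11-28T17:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "errorCode": "Client.UnauthorizedOperation",   # the explicit deny fired
     "userIdentity": {"type": "AssumedRole", "sessionContext": {
         "sessionIssuer": {"userName": "Dev1DeveloperRole"}}}},
    {"eventTime": "2018-11-28T17:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {
         "sessionIssuer": {"userName": BROKER_ROLE}}}},
    {"eventTime": "2018-11-28T17:04:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]
# Constructed log: one JSON record per line, as CloudTrail delivers them.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _RAW_RECORDS)


def _actor(record):
    """Role name for assumed-role sessions, otherwise the user name."""
    identity = record.get("userIdentity", {})
    if identity.get("type") == "AssumedRole":
        return (identity.get("sessionContext", {})
                        .get("sessionIssuer", {})
                        .get("userName", ""))
    return identity.get("userName", "")


def classify(record):
    """Return a finding string for a record, or None if it is uninteresting."""
    source = record.get("eventSource")
    name = record.get("eventName")
    actor = _actor(record)
    denied = " (denied)" if record.get("errorCode") else ""
    if source == "ec2.amazonaws.com" and name in HIGH_BLAST_RADIUS:
        return f"high-blast-radius {name} by {actor}{denied}"
    if source == "iam.amazonaws.com" and name in BROKERED_IAM_EVENTS and actor != BROKER_ROLE:
        return f"IAM change {name} outside broker by {actor}{denied}"
    return None


def scan(lines):
    """(eventTime, finding) for every log line that matches a detection."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        record = json.loads(line)
        finding = classify(record)
        if finding:
            findings.append((record["eventTime"], finding))
    return findings
```

Denied attempts are kept on purpose: an `AuthorizeSecurityGroupIngress` that the explicit deny blocked is still a signal that someone, or some automation, tried to cross a guardrail, and the "notify admins" step on the slide is the right response before anyone reaches for "revoke credentials".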
  40. Evolution and summary. Sample maturity stages:
     1. IAM users and groups; manual policy management; minimal automation; manual policy deviation checks
     2. Federated users; infrastructure as code; automated governance checks; metrics and usage analysis
     3. Automated permissions; CI/CD policy pipeline; brokered access to sensitive actions; adaptive policy management
  41. Related breakouts
     • Friday, Nov 30: Mastering Identity at Every Layer of the Cake, 10:00 a.m. - 11:00 a.m. | Venetian, Level 4, Delfino 4005
     • Friday, Nov 30: Adding the Sec to Your DevOps Pipelines, 8:30 a.m. - 10:45 a.m. | Venetian, Level 4, Marcello 4403
     • Friday, Nov 30: Securely Deploying at Scale, 8:30 a.m. - 9:30 a.m. | Mirage, Antigua A
  42. Resources. Slides will be available on SlideShare. Recording will be available on YouTube.
     • IAM friendly names and paths: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names
     • AMI ID lookup AWS CloudFormation custom resource: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-custom-resources-lambda-lookup-amiids.html
     • Redash with Athena JDBC: https://blog.redash.io/amazon-athena-in-redash-support-6b71c91aa747
     • Zelkova/Tiros: https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/ and https://aws.amazon.com/security/provable-security/
     • Terminal plugin for Atom text editor: https://atom.io/packages/platformio-ide-terminal
  43. Thank you! Cameron Worrell, Solutions Architect, AWS. Brian Galura, Principal Technical Operations Architect, LogMeIn Inc.
