© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How LogMeIn Automates Governance
and Empowers Developers at Scale
Cameron Worrell
Solutions Architect
AWS
SEC302
Brian Galura
Principal Technical Operations Architect
LogMeIn Inc.
Agenda
Considerations and building blocks
Automation patterns and lifecycle
Deep dive – LogMeIn governance automation
Demo – Governance automation
Summary and path forward
Key takeaways
Remove friction between your developers and innovation
Free up cycles on your operations teams
Increase visibility into actions across your environment
Align security controls earlier in the development lifecycle
Unlocking innovation
Let builders build…
…while maintaining responsible guardrails.
IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. (Gartner)
Flexible developer access …
…while maintaining responsible guardrails.
Resource boundaries, policies, and roles
[Diagram: an organization Root with Dev, QA, and Prod accounts, each holding applications A1, A2, and A3. Labels: Across multiple accounts; Within an account; Identity federation; IAM roles; IAM policies & conditions; Resources & tagging]
AWS Identity and Access Management (IAM) policy primer

{
  "Statement": [{
    "Effect": "effect",
    "Principal": "principal",
    "Action": "action",
    "Resource": "arn",
    "Condition": {
      "condition": {
        "key": "value"
      }
    }
  }]
}

IAM mechanisms:
• Implicit deny
• Explicit deny
• Resource-level permissions
• Authorization based on tags
• Resource-based policies
• Permissions boundaries
IAM policy examples

Resource-level / tag-based authorization, tenant separation:

{
  "Effect": "Allow",
  "Resource": "arn:aws:ec2:us-west-2:123456789012:instance/*",
  "Condition": {
    "StringEquals": {
      "ec2:ResourceTag/team": "dev1"
    }
  }
}

Explicit deny, preventing high blast radius:

{
  ...
  "Effect": "Deny",
  "Resource": "*",
  "Action": [
    "ec2:AttachInternetGateway",
    "ec2:AssociateRouteTable",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress"
    ...
  ]
}
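As an added example (not from the deck or from AWS), the following Python models the evaluation behind these two policies and the first four mechanisms in the primer: implicit deny when nothing matches, explicit deny overriding any allow, resource-level matching on the ARN, and tag-based authorization through a StringEquals condition. The Action in the tenant policy and the request context values are assumptions; real IAM evaluation has further stages (SCPs, permissions boundaries, resource and session policies) that this model leaves out.

```python
"""Simplified model of IAM policy evaluation.

Added example, not AWS code: it models implicit deny, explicit deny,
resource-level matching and tag-based authorization (StringEquals on
ec2:ResourceTag/<key>) using the two policies shown on the slide.
Real IAM evaluation has further stages that this model leaves out.
"""
from fnmatch import fnmatchcase

# Tenant separation: allow instance actions only on instances tagged team=dev1.
# The "Action" value is an assumption; the slide omits it.
TENANT_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "arn:aws:ec2:us-west-2:123456789012:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/team": "dev1"}},
    }]
}

# Explicit deny of the high-blast-radius network actions from the slide.
BLAST_RADIUS_DENY = {
    "Statement": [{
        "Effect": "Deny",
        "Resource": "*",
        "Action": [
            "ec2:AttachInternetGateway",
            "ec2:AssociateRouteTable",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
        ],
    }]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM-style wildcard match ('*' and '?'); actions compare case-insensitively."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the StringEquals operator is modelled; every key in it must match.
    A key missing from the request context makes the condition false."""
    return all(context.get(key) == expected
               for key, expected in condition.get("StringEquals", {}).items())


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    context carries condition keys, e.g. {"ec2:ResourceTag/team": "dev1"}.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt.get("Resource", "*"), resource, fold_case=False):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"      # a matching Deny wins over any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"   # nothing matched: implicit deny


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-west-2:123456789012:instance/i-0123456789abcdef0"
    both = [TENANT_POLICY, BLAST_RADIUS_DENY]
    print(evaluate(both, "ec2:StopInstances", instance, {"ec2:ResourceTag/team": "dev1"}))
    print(evaluate(both, "ec2:StopInstances", instance, {"ec2:ResourceTag/team": "dev2"}))
    print(evaluate(both, "ec2:AuthorizeSecurityGroupIngress", instance, {"ec2:ResourceTag/team": "dev1"}))
```

The third call shows why the deny lives in a separate policy: the tenant policy's `ec2:*` would otherwise allow the ingress change, and the explicit deny removes that regardless of how permissive later allows become.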
Policy is a verb, not a noun
[Lifecycle diagram: Collect, Analyze, Develop & deploy, Operate, with Policies at the centre]
Collect:
- AWS CloudTrail log data
- Deviations from baseline
- Org and strategy changes
- Roadmap and enhancements
Analyze:
- Understand access patterns
- Correlate actions to events
- Validate control mapping
- Metrics tracking
Develop & deploy:
- Policy as code
- Access brokers
- Automated checks
- Self-service tools
Operate:
- Notification and remediation
- Monitoring and logging
- Exception handling
- Incident response
- Metrics capture
Developer access considerations
Direct vs. indirect developer access:
Direct access
• Interaction with APIs directly
• Choice of tooling and automation
• Sandbox, experimentation
• Within guardrail activities
Indirect access
• Interaction through a proxy or broker
• Prescriptive tooling and automation
• Deployment-related activities
• High blast radius actions
Self-service with AWS CloudFormation custom resources
Call and manage custom actions in your stack
Back custom resources with AWS Lambda functions that carry the governance logic
Broker sensitive actions and automate safety checks
[Diagram: a template declares a resource of type AWS::CloudFormation::CustomResource or Custom::String (any custom type name); AWS CloudFormation invokes AWS Lambda functions such as security group lookup, IAM policy validation, and subnet assignment; if the criteria are met the stack is provisioned, otherwise the failure is logged]
Automated policy check tools
IAM Policy Simulator API - Evaluate the policies that you choose and determine the effective permissions for each of the actions that you specify
Zelkova - Leverage automated reasoning to verify policy permissiveness
Ecosystem and custom tools - Customize policy logic to your environment. Use open-source tools: Repokid, Aardvark, cfn_nag, Cloud Custodian
Zelkova provides provable security for customers “in the cloud” by leveraging automated reasoning to verify key IAM enterprise governance & data privacy controls are implemented as intended, at scale
LogMeIn | Thriving business (NASDAQ:LOGM)
Global company with revenue of $1B+
SMB market leader with top 1 or 2 position in all of our addressable markets
Worldwide operations with ~3,500 employees in 20+ global offices
25MM+ users with nearly 300MM connections served every year
Top 10 SaaS company
S&P Mid-Cap 400
$5B+ market cap
“Ensure the appropriate and auditable use of resources to meet business objectives”
Common governance issues
“Don’t get in my way!” - Developers
“Don’t break other people’s stuff!” - Operations
“Don’t spend too much!” - Finance
“Who has access to this resource?” - Security
LogMeIn AWS governance mission
Appropriate:
Preventative (guardrails)
• Lambda-backed AWS CloudFormation custom resources
• Zelkova for IAM policy review
Detective (alerts)
• AWS Config
• Amazon CloudWatch
Auditable:
Cost (who spent what?)
• Resource tagging
Access logs (who did what?)
• AWS CloudTrail
Automation
• Volume cleanup
• EIP release
Let’s go deeper!
AWS CloudFormation custom resources:
• Amazon Virtual Private Cloud (Amazon VPC) security groups
• IP addresses
• IAM policies
Policy is a verb, not a noun – Security groups
[Lifecycle diagram: Collect, Analyze, Develop & deploy, Operate, with Policies at the centre]
(“Network Reachability Assessment” within Amazon Inspector)
Amazon VPC security groups
SG creation and changes are made through AWS CloudFormation
AWS CloudFormation custom resource for SGs:
• Reference SGs by name instead of ID in AWS CloudFormation templates
• SGs are consistent across contexts (account/region)
AWS Config checks SGs and sends an alert when appropriate. Change reports are available through CloudTrail
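The change-report and alerting step can be prototyped directly over CloudTrail data. The following Python is an added example, not LogMeIn's tooling: it scans constructed CloudTrail records for security-group changes whose caller was not CloudFormation (the guardrail stated above) and for ingress rules opened to the whole internet. The sample records, the rule names and the use of `userIdentity.invokedBy` as the CloudFormation marker are assumptions of the example.

```python
"""Detect security-group changes that bypass the CloudFormation guardrail.

Added example, not LogMeIn's tooling. The records below are constructed for
the example and trimmed to the fields used; the CloudFormation marker is the
userIdentity.invokedBy field as modelled here.
"""
import json

SG_MUTATING_EVENTS = {
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
}
CLOUDFORMATION = "cloudformation.amazonaws.com"
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample: the body of one CloudTrail log file with three records.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2018-11-26T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/cfn-exec/AWSCloudFormation",
                      "invokedBy": CLOUDFORMATION},
     "requestParameters": {"groupId": "sg-0aaa", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2018-11-26T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/dev/alice"},
     "requestParameters": {"groupId": "sg-0bbb", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2018-11-26T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/dev/alice"},
     "requestParameters": {}},
]})


def open_to_internet(record):
    """Yield (protocol, from_port, to_port, cidr) for each range open to the whole internet."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr in ANYWHERE:
                yield perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), cidr


def analyze(records):
    """Return a list of findings; each is a dict with rule, severity, group and actor."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") not in SG_MUTATING_EVENTS:
            continue                      # read-only or non-EC2 calls are not of interest
        actor = rec.get("userIdentity", {})
        base = {"event": rec["eventName"], "time": rec.get("eventTime"),
                "group": rec.get("requestParameters", {}).get("groupId"),
                "actor": actor.get("arn")}
        if actor.get("invokedBy") != CLOUDFORMATION:
            findings.append(dict(base, rule="sg-change-outside-cloudformation", severity="medium"))
        if rec["eventName"] == "AuthorizeSecurityGroupIngress":
            for proto, lo, hi, cidr in open_to_internet(rec):
                findings.append(dict(base, rule="sg-ingress-open-to-internet", severity="high",
                                     detail=f"{proto} {lo}-{hi} from {cidr}"))
    return findings


def analyze_log(text):
    """Parse one CloudTrail log file (a JSON object with a Records array) and analyze it."""
    return analyze(json.loads(text)["Records"])


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

The same two checks map onto the deck's detective controls: the first is what an AWS Config rule on security groups would catch, and the second is the kind of deviation that feeds a CloudWatch alarm and a notification to admins.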
Policy is a verb, not a noun – IP addresses
[Lifecycle diagram: Collect, Analyze, Develop & deploy, Operate, with Policies at the centre]
IP addresses and subnets
AWS CloudFormation custom resource for subnets:
• IP “load balancing” across subnets
• Reference subnets by name instead of ID in AWS CloudFormation templates
• AZ-distributed list of least-utilized subnets
• Subnets are consistent across contexts (dev/prod/regions)
Same pattern as security groups
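The self-service custom resource pattern from the earlier slide and this subnet lookup can be shown together. The following Python is an added example, not LogMeIn's function: a Lambda handler that follows the CloudFormation custom resource protocol (echoing StackId, RequestId and LogicalResourceId, and PUTting the result to the ResponseURL) and returns one least-utilized subnet per Availability Zone for a given Name tag. The subnet inventory is constructed; the `Name` and `MinimumAZs` properties, the `Custom::SubnetLookup` type name, and the injectable `send` parameter are assumptions of the example.

```python
"""Lambda-backed CloudFormation custom resource for subnet assignment.

Added example, not LogMeIn's code. The inventory is constructed for the
example; a real function would build it from ec2:DescribeSubnets.
"""
import ipaddress
import json
import urllib.request

# Constructed inventory, trimmed to the DescribeSubnets fields the function uses.
SUBNET_INVENTORY = [
    {"SubnetId": "subnet-0a1", "AvailabilityZone": "us-west-2a", "CidrBlock": "10.0.0.0/24",
     "AvailableIpAddressCount": 20, "Tags": [{"Key": "Name", "Value": "app-private"}]},
    {"SubnetId": "subnet-0a2", "AvailabilityZone": "us-west-2a", "CidrBlock": "10.0.1.0/24",
     "AvailableIpAddressCount": 200, "Tags": [{"Key": "Name", "Value": "app-private"}]},
    {"SubnetId": "subnet-0b1", "AvailabilityZone": "us-west-2b", "CidrBlock": "10.0.2.0/24",
     "AvailableIpAddressCount": 120, "Tags": [{"Key": "Name", "Value": "app-private"}]},
    {"SubnetId": "subnet-0c1", "AvailabilityZone": "us-west-2c", "CidrBlock": "10.0.4.0/23",
     "AvailableIpAddressCount": 300, "Tags": [{"Key": "Name", "Value": "app-public"}]},
]


def _name_tag(subnet):
    return next((t["Value"] for t in subnet.get("Tags", []) if t["Key"] == "Name"), None)


def utilization(subnet):
    """Fraction of usable addresses already allocated (AWS reserves 5 per subnet)."""
    usable = ipaddress.ip_network(subnet["CidrBlock"]).num_addresses - 5
    return 1 - subnet["AvailableIpAddressCount"] / usable


def pick_subnets(inventory, name):
    """Least-utilized subnet per AZ among those tagged Name=<name>, ordered by AZ."""
    best_per_az = {}
    for subnet in inventory:
        if _name_tag(subnet) != name:
            continue
        az = subnet["AvailabilityZone"]
        if az not in best_per_az or utilization(subnet) < utilization(best_per_az[az]):
            best_per_az[az] = subnet
    return [best_per_az[az]["SubnetId"] for az in sorted(best_per_az)]


def send_response(url, body):
    """PUT the response to the pre-signed S3 URL that CloudFormation passes in the event."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(data))})
    urllib.request.urlopen(req)


def handler(event, context, inventory=SUBNET_INVENTORY, send=send_response):
    """Lambda entry point; inventory and send are injectable so the logic runs offline."""
    props = event.get("ResourceProperties", {})
    name = props.get("Name", "")
    response = {
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        # A stable physical ID across updates avoids CloudFormation treating them as replacements.
        "PhysicalResourceId": event.get("PhysicalResourceId") or f"subnet-lookup-{name}",
    }
    if event["RequestType"] == "Delete":
        response["Status"] = "SUCCESS"              # a lookup owns nothing to tear down
    else:
        chosen = pick_subnets(inventory, name)
        minimum = int(props.get("MinimumAZs", 2))   # property values arrive as strings
        if len(chosen) < minimum:
            response["Status"] = "FAILED"           # safety check: refuse a single-AZ deployment
            response["Reason"] = f"{len(chosen)} AZ(s) have a subnet named {name!r}; {minimum} required"
        else:
            response["Status"] = "SUCCESS"
            response["Data"] = {"SubnetIds": chosen, "SubnetIdList": ",".join(chosen)}
    send(event["ResponseURL"], response)
    return response
```

A template would declare `Type: Custom::SubnetLookup` with `ServiceToken` pointing at the function and `Name: app-private`, then read `!GetAtt AppSubnets.SubnetIds`; the comma-joined `SubnetIdList` is there for templates that prefer `Fn::Split`. A FAILED status rolls the stack back, which is the point of brokering the lookup instead of letting templates hard-code subnet IDs.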
Policy is a verb, not a noun – IAM policies
[Lifecycle diagram: Collect, Analyze, Develop & deploy, Operate, with Policies at the centre]
Access guardrails – IAM
Developers/operations:
• Federated login
• API token vending machine
• Have appropriate access to use all AWS CloudFormation custom resources
AWS CloudFormation custom resource for IAM policies:
• Create IAM policies only through an AWS CloudFormation custom resource
• Attach policies and create roles
• IAM resources must be scoped to an appropriate path
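A validation routine that such a custom resource could run before creating a policy, as an added example (not LogMeIn's code): it rejects paths outside an assumed `/teams/<team>/` convention, refuses Allow statements that would grant the high-blast-radius actions covered by the explicit deny earlier in the deck, and requires IAM-action resources to stay under the team path. The request shape, the path convention and both sample requests are constructed for the example.

```python
"""Governance validation for an IAM role/policy create request.

Added example, not LogMeIn's code. The "/teams/<team>/" path convention,
the request shape and the sample requests are assumptions.
"""
from fnmatch import fnmatchcase

PATH_ROOT = "/teams/"
HIGH_BLAST_RADIUS = [                       # actions from the explicit-deny slide
    "ec2:AttachInternetGateway",
    "ec2:AssociateRouteTable",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_path(path, team):
    """IAM resources must live under the team's own path."""
    expected = f"{PATH_ROOT}{team}/"
    return [] if path == expected else [f"path {path!r} must be {expected!r}"]


def check_policy_document(doc, team):
    """Return human-readable violations for every Allow statement in the document."""
    problems = []
    # Any IAM ARN (role/, policy/, ...) must sit under /teams/<team>/
    iam_scope = f"arn:aws:iam::*:*{PATH_ROOT}{team}/*"
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append(f"statement {i}: NotAction/NotResource are not permitted")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for pattern in actions:
            # Expand the action wildcard against the blocked list instead of string-comparing it.
            granted = [a for a in HIGH_BLAST_RADIUS if fnmatchcase(a.lower(), pattern.lower())]
            if granted:
                problems.append(f"statement {i}: {pattern!r} grants high-blast-radius actions {granted}")
            if pattern == "*" or pattern.lower().startswith("iam:"):
                for res in resources:
                    if not fnmatchcase(res, iam_scope):
                        problems.append(
                            f"statement {i}: IAM action {pattern!r} on {res!r} is outside {PATH_ROOT}{team}/")
    return problems


def validate_request(request):
    """Empty list means the request meets the guardrails; otherwise the custom resource fails."""
    team = request["Team"]
    return (check_path(request.get("Path", "/"), team)
            + check_policy_document(request["PolicyDocument"], team))


# Constructed sample requests.
COMPLIANT_REQUEST = {
    "Team": "dev1",
    "Path": "/teams/dev1/",
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/team": "dev1"}}},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/teams/dev1/*"},
    ]},
}

NONCOMPLIANT_REQUEST = {
    "Team": "dev1",
    "Path": "/",
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": "*"},
    ]},
}

if __name__ == "__main__":
    print(validate_request(COMPLIANT_REQUEST))
    for problem in validate_request(NONCOMPLIANT_REQUEST):
        print(problem)
```

Checks like these are syntactic: they catch `ec2:*` but cannot reason about the interaction of several policies, which is the gap the deck's later Zelkova slide addresses.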
Why is IAM so hard?
How can Zelkova help with IAM?
• Zelkova understands IAM policies
• Zelkova does not just test the policies. It formally proves that they are compliant
[Illustration: a right triangle with sides $a$, $b$, $c$ and the statement $a^2 + b^2 = c^2$]
AWS policy simulator: checks individual cases, such as $a = 3, b = 4, c = 5$; $a = 1, b = 1, c = 2$; $a = 5, b = 12, c = 13$
Can IAM permissions boundaries help?
Demo
Create two AWS CloudFormation stacks:
One will create an IAM policy and instance role
• Meets our governance standards
One will start an Amazon Elastic Compute Cloud (Amazon EC2) instance
• Using the instance role from the first stack
• Select a subnet, Amazon Machine Image, security group, and VPC by name using AWS CloudFormation custom resources
Detective controls
• AWS Config
• Security groups
• CloudWatch
• IAM policies
• GuardDuty
AWS CloudFormation StackSets help scale these to many accounts
Access auditing and reporting
• Aggregated CloudTrail
• Directly searchable using Amazon Athena
• Brokered access through Redash
Cost guardrails for dev
• Large footprint
• Don’t need 100% uptime
• Good candidate for Spot
• Devs can opt in by tagging their Amazon EC2 Auto Scaling groups – easy win
• Very little downtime when Spot Instances are replaced by On-Demand
• Governance automation
• EIP release
• Detached volume deletion
Monitoring, detection, and response
[Pipeline diagram: Logging, Detection, Remediation]
Logging: CloudTrail, CloudWatch, AWS Config, Amazon VPC Flow Logs, application logs, …
Detection: IAM policy check, insecure config check, threshold alarms, ML analysis, …
Remediation: notify admins, update/terminate resources, revert changes, revoke credentials, …
Connecting mechanisms: AWS Config rule, CloudWatch alarm, CloudWatch Events, human analysis
Evolution and summary
Sample maturity stages:
1. IAM users and groups; manual policy management; minimal automation; manual policy deviation checks
2. Federated users; infrastructure as code; automated governance checks; metrics and usage analysis
3. Automated permissions; CI/CD policy pipeline; brokered access to sensitive actions; adaptive policy management
Related breakouts
Friday, Nov 30
Mastering Identity at Every Layer of the Cake
10:00 a.m. - 11:00 a.m. | Venetian, Level 4, Delfino 4005
Friday, Nov 30
Adding the Sec to Your DevOps Pipelines
8:30 a.m. - 10:45 a.m. | Venetian, Level 4, Marcello 4403
Friday, Nov 30
Securely Deploying at Scale
8:30 a.m. - 9:30 a.m. | Mirage, Antigua A
Resources
Slides will be available on SlideShare. Recording will be available on YouTube
IAM friendly names and paths
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names
AMI ID lookup AWS CloudFormation custom resource
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-custom-resources-lambda-lookup-amiids.html
Redash with Athena JDBC
https://blog.redash.io/amazon-athena-in-redash-support-6b71c91aa747
Zelkova/Tiros:
https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/
https://aws.amazon.com/security/provable-security/
Terminal plugin for Atom text editor
https://atom.io/packages/platformio-ide-terminal
Thank you!
Cameron Worrell
Solutions Architect
AWS
Brian Galura
Principal Technical Operations Architect
LogMeIn Inc.

How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - AWS re:Invent 2018

  • 1.
  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. How LogMeIn Automates Governance and Empowers Developers at Scale Cameron Worrell Solutions Architect AWS S E C 3 0 2 Brian Galura Principal Technical Operations Architect LogMeIn Inc.
  • 3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda Considerations and building blocks Automation patterns and lifecycle Deep dive – LogMeIn governance automation Demo – Governance automation Summary and path forward
  • 4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Key takeaways Remove friction between your developers and innovation Free up cycles on your operations teams Increase visibility into actions across your environment Align security controls earlier in the development lifecycle
  • 5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Unlocking innovation
  • 6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let builders build… …while maintaining responsible guardrails.
  • 7. IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. Gartner
  • 8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Flexible developer access … …while maintaining responsible guardrails.
  • 9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Resource boundaries, policies, and roles Root Dev QA Prod A1 A2 A3A1 A2 A3 A1 A2 A3 Across multiple accounts IAM roles IAM policies & conditions Resources & tagging Within an account Identity federation
  • 10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Identity and Access Management (IAM) policy primer { "Statement": [{ "Effect": "effect", "Principal": "principal", "Action": "action", "Resource": "arn", "Condition": { "condition": { "key": "value" } } }] } IAM mechanisms: • Implicit deny • Explicit deny • Resource-level permissions • Authorization based on tags • Resource-based policies • Permissions boundaries
  • 11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM policy examples { "Effect": "Allow", "Resource”: "arn:aws:ec2:us-west- 2:123456789012:instance/*" "Condition": { "StringEquals": { "ec2:ResourceTag/team": "dev1" } } } { ... "Effect": "Deny", "Resource": "*", "Action": [ "ec2:AttachInternetGateway", "ec2:AssociateRouteTable", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress" ... ] } Explicit deny - Prevent high blast radius: Resource level / tag-based authorization - Tenant separation:
  • 12. Policies: Collect → Analyze → Develop & deploy → Operate. Policy is a verb, not a noun. Activities across the cycle: AWS CloudTrail log data; deviations from baseline; org and strategy changes; roadmap and enhancements; understand access patterns; correlate actions to events; validate control mapping; metrics tracking; policy as code; access brokers; automated checks; self-service tools; notification and remediation; monitoring and logging; exception handling; incident response; metrics capture.
  • 13. Developer access considerations: direct vs. indirect developer access. Direct access: interaction with APIs directly; choice of tooling and automation; sandbox, experimentation; within-guardrail activities. Indirect access: interaction through a proxy or broker; prescriptive tooling and automation; deployment-related activities; high blast radius actions.
  • 14. Self-service with AWS CloudFormation custom resources. Call and manage custom actions in your stack. Back custom resources with AWS Lambda functions that carry governance logic. Broker sensitive actions and automate safety checks. Flow: template → AWS CloudFormation (AWS::CloudFormation::CustomResource or Custom::String) → Lambda functions (security group lookup, IAM policy validation, subnet assignment) → criteria met? → provision stack, otherwise failure log.
  • 15. Automated policy check tools. IAM Policy Simulator API: evaluate the policies you choose and determine the effective permissions for each of the actions you specify. Zelkova: leverage automated reasoning to verify policy permissiveness. Ecosystem and custom tools: customize policy logic to your environment; use open-source tools such as Repokid, Aardvark, cfn_nag, Cloud Custodian.
  • 16. Zelkova provides provable security for customers “in the cloud” by leveraging automated reasoning to verify that key IAM enterprise governance & data privacy controls are implemented as intended, at scale.
  • 18. LogMeIn | Thriving business (NASDAQ:LOGM). Global company with revenue of $1B+. SMB market leader with top 1 or 2 position in all of our addressable markets. Worldwide operations with ~3,500 employees in 20+ global offices. 25MM+ users with nearly 300MM connections served every year. Top 10 SaaS company. S&P Mid-Cap 400. $5B+ market cap.
  • 20. “Ensure the appropriate and auditable use of resources to meet business objectives”
  • 21. Common governance issues. “Don’t get in my way!” (Developers) “Don’t break other people’s stuff!” (Operations) “Don’t spend too much!” (Finance) “Who has access to this resource?” (Security)
  • 22. LogMeIn AWS governance mission. Appropriate: Preventative (guardrails): Lambda-backed CF custom resources; Zelkova for IAM policy review. Detective (alerts): AWS Config; Amazon CloudWatch. Auditable: Cost (who spent what?): resource tagging. Access logs (who did what?): AWS CloudTrail. Automation: volume cleanup; EIP release.
  • 23. Let’s go deeper! AWS CloudFormation custom resources: Amazon Virtual Private Cloud (Amazon VPC) security groups; IP addresses; IAM policies.
  • 24. Policies: Collect → Analyze → Develop & deploy → Operate. Policy is a verb, not a noun – security groups (see also “Network Reachability Assessment” within Inspector).
  • 25. Amazon VPC security groups. SG creation and changes go through AWS CloudFormation. AWS CloudFormation custom resource for SGs: reference SGs by name instead of ID in AWS CloudFormation templates; SGs are consistent across contexts (account/region). AWS Config checks SGs and sends an alert when appropriate. Change reports are available through CloudTrail.
  • 26. Policies: Collect → Analyze → Develop & deploy → Operate. Policy is a verb, not a noun – IP addresses.
  • 27. IP addresses and subnets. AWS CloudFormation custom resource for subnets: IP “load balancing” across subnets; reference subnets by name instead of ID in AWS CloudFormation templates; AZ-distributed list of least-utilized subnets; subnets are consistent across contexts (dev/prod/regions). Same pattern as security groups.
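The custom-resource pattern from slides 14, 25 and 27 (Lambda function resolves names to IDs and fails the stack when a safety check does not hold), as an added example written for this page rather than LogMeIn's own code. It assumes a constructed INVENTORY in place of ec2:DescribeSubnets / DescribeSecurityGroups, a hypothetical property pair SubnetName / SecurityGroupName, and leaves out the HTTP PUT to CloudFormation's ResponseURL that a real handler performs.

```python
"""Added example, not LogMeIn's code: the slide's Lambda-backed custom resource pattern
with subnet/security-group lookup made concrete. INVENTORY stands in for the EC2 API."""
import re
from collections import defaultdict

def _sn(sid, az, free, name):  # constructed DescribeSubnets-shaped record
    return {"SubnetId": sid, "AvailabilityZone": az, "AvailableIpAddressCount": free,
            "Tags": [{"Key": "Name", "Value": name}]}
INVENTORY = {  # constructed inventory: two 'app-private' subnets in 2a, one in 2b
    "subnets": [_sn("subnet-0a1", "us-west-2a", 200, "app-private"),
                _sn("subnet-0a2", "us-west-2a", 50, "app-private"),
                _sn("subnet-0b1", "us-west-2b", 120, "app-private"),
                _sn("subnet-0c1", "us-west-2c", 250, "db-private")],
    "groups": [{"GroupId": "sg-0web", "GroupName": "web-tier"},
               {"GroupId": "sg-0dup1", "GroupName": "shared"},
               {"GroupId": "sg-0dup2", "GroupName": "shared"}],
}

def _name(res):
    return next((t["Value"] for t in res.get("Tags", []) if t["Key"] == "Name"), "")

def least_utilized_per_az(subnets, name):
    """AZ-distributed list: for each AZ, the subnet named `name` with most free IPs."""
    by_az = defaultdict(list)
    for s in subnets:
        if _name(s) == name:
            by_az[s["AvailabilityZone"]].append(s)
    if not by_az:
        raise LookupError(f"no subnets named {name!r}")
    return [max(grp, key=lambda s: s["AvailableIpAddressCount"])["SubnetId"]
            for _, grp in sorted(by_az.items())]

def resolve_security_group(groups, name):
    """Name -> ID; a missing or ambiguous name fails the stack rather than guessing."""
    ids = [g["GroupId"] for g in groups if g["GroupName"] == name]
    if len(ids) != 1:
        raise LookupError(f"expected one security group named {name!r}, found {len(ids)}")
    return ids[0]

def handler(event, context=None, inventory=INVENTORY):
    """Custom resource entry point: Create/Update resolve names, Delete is a no-op."""
    props = event.get("ResourceProperties", {})
    phys = event.get("PhysicalResourceId") or f"{props.get('SubnetName')}/{props.get('SecurityGroupName')}"
    if event["RequestType"] == "Delete":
        return {"Status": "SUCCESS", "PhysicalResourceId": phys, "Data": {}}
    try:
        data = {"SubnetIds": least_utilized_per_az(inventory["subnets"], props["SubnetName"]),
                "SecurityGroupId": resolve_security_group(inventory["groups"], props["SecurityGroupName"])}
    except (KeyError, LookupError) as exc:
        return {"Status": "FAILED", "Reason": str(exc), "PhysicalResourceId": phys, "Data": {}}
    return {"Status": "SUCCESS", "PhysicalResourceId": phys, "Data": data}
```

A template would then read the resolved IDs with `Fn::GetAtt` on the custom resource, so developers never paste subnet or security group IDs into templates.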
  • 29. Policies: Collect → Analyze → Develop & deploy → Operate. Policy is a verb, not a noun – IAM policies.
  • 30. Access guardrails – IAM. Developers/operations: federated login; API token vending machine; appropriate access to use all AWS CloudFormation custom resources. AWS CloudFormation custom resource for IAM policies: create IAM policies only through an AWS CloudFormation custom resource; attach policies and create roles; IAM resources must be scoped to an appropriate path.
  • 31. Why is IAM so hard?
  • 32. How can Zelkova help with IAM? Zelkova understands IAM policies. Zelkova does not just test the policies; it formally proves that they are compliant. Analogy: for a right triangle with sides a, b, c, a² + b² = c². AWS policy simulator (individual cases): a = 3, b = 4, c = 5; a = 1, b = 1, c = √2; a = 5, b = 12, c = 13.
  • 33. Can IAM permissions boundaries help?
  • 34. Demo. Create two AWS CloudFormation stacks. One will create an IAM policy and instance role that meets our governance standards. One will start an Amazon Elastic Compute Cloud (Amazon EC2) instance using the instance role from the first stack, selecting a subnet, Amazon Machine Image, security group, and VPC by name using AWS CloudFormation custom resources.
  • 36. Detective controls: AWS Config (security groups); CloudWatch (IAM policies); GuardDuty. StackSets help scale these to many accounts.
  • 37. Access auditing and reporting: aggregated CloudTrail; directly searchable using Amazon Athena; brokered access through Redash.
  • 38. Access auditing and reporting
  • 39. Cost guardrails for dev. Large footprint; doesn’t need 100% uptime; good candidate for Spot. Devs can opt in by tagging their Amazon EC2 Auto Scaling groups (easy win); very little downtime when Spot Instances are replaced by On-Demand. Governance automation: EIP release; detached volume deletion.
  • 40. Monitoring, detection, and response. Logging: CloudTrail, CloudWatch, AWS Config, Amazon VPC Flow Logs, application logs, … Detection: IAM policy check, insecure config check, threshold alarms, ML analysis, … (implemented as AWS Config rules, CloudWatch alarms, CloudWatch Events, human analysis). Remediation: notify admins, update/terminate resources, revert changes, revoke credentials, …
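One detection step from that logging → detection → remediation chain, as an added example (not from the talk): an "insecure config check" that scans CloudTrail records for AuthorizeSecurityGroupIngress calls exposing a port to the whole Internet. The records are constructed for the demo; the finding dictionaries are what a CloudWatch Events target would hand to the notify or revert step.

```python
"""Added example (not from the talk): the detection step of the slide's
logging -> detection -> remediation chain, run over constructed CloudTrail
records. It flags AuthorizeSecurityGroupIngress calls that open a port to
the whole Internet, an 'insecure config check' that could feed a notify or
revert step."""
WORLD = {"0.0.0.0/0", "::/0"}

def _cidrs(perm):
    """Yield every CIDR in one ipPermissions entry (IPv4 and IPv6 lists)."""
    for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for item in perm.get(key, {}).get("items", []):
            yield item.get(field)

def open_ingress_findings(records):
    """One finding per permission that exposes a port range to WORLD."""
    findings = []
    for rec in records:
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress" or rec.get("errorCode"):
            continue                      # wrong API, or the call was refused (no change)
        params = rec.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            exposed = [c for c in _cidrs(perm) if c in WORLD]
            if exposed:
                findings.append({"time": rec["eventTime"],
                                 "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
                                 "groupId": params.get("groupId"),
                                 "protocol": perm.get("ipProtocol"),
                                 "ports": (perm.get("fromPort"), perm.get("toPort")),
                                 "cidrs": exposed})
    return findings

# Constructed records following CloudTrail's EC2 'items' wrapper layout.
RECORDS = [
    {"eventTime": "2018-11-28T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/dev1/alice"},
     "requestParameters": {"groupId": "sg-0aaa", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2018-11-28T10:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/dev1/bob"},
     "requestParameters": {"groupId": "sg-0bbb", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2018-11-28T10:07:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "errorCode": "Client.UnauthorizedOperation",  # blocked by an explicit deny
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/dev1/carol"},
     "requestParameters": {"groupId": "sg-0ccc", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}},
]
```

The refused call is skipped because nothing changed; a team that also wants to see blocked attempts would route records with errorCode set to a separate, lower-severity alert.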
  • 41. Evolution and summary. Sample maturity stages: (1) IAM users and groups; manual policy management; minimal automation; manual policy deviation checks. (2) Federated users; infrastructure as code; automated governance checks; metrics and usage analysis. (3) Automated permissions; CI/CD policy pipeline; brokered access to sensitive actions; adaptive policy management.
  • 42. Related breakouts. Friday, Nov 30: Mastering Identity at Every Layer of the Cake, 10:00 a.m. - 11:00 a.m. | Venetian, Level 4, Delfino 4005. Friday, Nov 30: Adding the Sec to Your DevOps Pipelines, 8:30 a.m. - 10:45 a.m. | Venetian, Level 4, Marcello 4403. Friday, Nov 30: Securely Deploying at Scale, 8:30 a.m. - 9:30 a.m. | Mirage, Antigua A.
  • 43. Resources. Slides will be available on SlideShare. Recording will be available on YouTube. IAM friendly names and paths: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names ; AMI ID lookup AWS CloudFormation custom resource: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-custom-resources-lambda-lookup-amiids.html ; Redash with Athena JDBC: https://blog.redash.io/amazon-athena-in-redash-support-6b71c91aa747 ; Zelkova/Tiros: https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/ and https://aws.amazon.com/security/provable-security/ ; Terminal plugin for Atom text editor: https://atom.io/packages/platformio-ide-terminal
  • 44. Thank you! Cameron Worrell, Solutions Architect, AWS. Brian Galura, Principal Technical Operations Architect, LogMeIn Inc.