© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD
Edward Wible, Co-founder & CTO, Nubank
FSV325
“Nubank is the largest digital bank in the world outside of Asia”
Credit card: September 2014
Bank account: October 2017
Growing quickly in a sensitive domain
Unique applications: 18M+
Countries: 198
Customers: 5M+
Deploys per day: 50
Microservices: 180
Engineers: 100+
Core purpose: Fight complexity to empower people
Be trustworthy
how: competence, reliability
why: integrity, benevolence
Banking (and security) as a software engineering problem
autonomy: Teams empowered to execute independently, cradle to grave
velocity: Rapidly evolving systems in small increments
reliability: Carefully manage blast radius and time-to-fix for inevitable bugs
scalability: Build for the long term, scale out, significant operating leverage
Amazon Web Services (AWS) tools are critical to achieving the right balance:
• AWS Identity and Access Management (IAM)
• AWS Lambda
• AWS CloudTrail & Amazon Virtual Private Cloud (Amazon VPC)
Security principles
Minimal permissions (self-healing)
Lambdas: fine-grained, just enough to accomplish work; constant evolution
• 80+ official Lambdas
• Fine-grained control and orchestration of underlying systems
• Management of accounts across providers
• Integrations to Slack, OpsGenie, and more
• Active monitoring (every n minutes)
IAM groups
• 100+ IAM groups for people
• 500+ IAM roles for machines
• Access to specific operations on AWS services
• Base permissions set, temporary escalation, automatic reaping
OAuth scopes (users++)
• ~300 scopes in use
• OAuth style, endpoint-level granularity
• Pre-approved; grants often contingent upon proof of completed training (with tests!)
• Restricted scopes and toxic combinations
• Short-lived (expire), with longer-lived refresh tokens for rapid renewal
• Auto-reaped scopes after inactivity
Pervasive audit trail
Set up for forensic analysis in advance; multiple audit trails covering the same flows:
• VPC flow logs
• HTTP requests
• AWS CloudTrail
• Lambdas
• Nucli events
• DNS
• Load balancers
+ Amazon Redshift: all data from all production databases (daily), including data provenance:
• Metadata associated with reified DB transactions, incl. correlation ID, user, service version
• Append-only (Datomic or Kafka)
• Automatically integrated to ETL for high-throughput querying
Splunk + Amazon S3: unify all logs, including all server logs; dashboards; alarms
Defense in depth
Boundary defense is fundamental, but doesn’t address all attack vectors.
Once the boundary has been compromised, it is necessary to defend subsequent layers.
Service A to Service B:
• mTLS
• Modern ciphers & forward secrecy
• Requests without certificates rejected at session layer
• Device reputation scoring
• Short-lived OAuth token grants endpoint-level scopes
• Ubiquitous rate limits
Storage:
• Encryption at rest
• Security groups per service
• Specific IAM roles
Kafka:
• Digital signing of all messages
• Sensitive topics envelope encrypted
• Security groups
Office network:
• RADIUS + 802.11 authentication w/ certificates
• Segregated subnets by function
• AWS Session Manager for SSH
In-house security teams
Engineering
• Top-of-the-line gas range
• Sharp knives
• Small batches
• Sophisticated plate warming
Security Operations Center (SOC)
• 19 authorized personnel
• Temperature normal
• Order backlog normal
• Behavior patterns normal
Blue team
• Non-skid floor
• Safety hats and aprons
• Food contamination risk
• Segregated roles and access control
Red team
Propane tank + sharp knife + sparker = profit
In-house security teams: Blue Team, Red Team, SOC
Working across Engineering, Security, Support, Intelligence, Physical Infra
• Don’t be an adversary
• Be part of the product lifecycle
• Work closely with other control functions
• Rotate team members
Security as code
Security as code: Role creation (before)
Deploy: internal Clojure project wrapping cloud APIs
Nucli: internal CLI to automate operational workflows
AWS CloudFormation template: declarative, cohesive infrastructure provisioning
Provisioning: Amazon EC2, IAM roles, security groups, load balancers, …
Security as code: Role creation (before): copy/paste
Security as code: Role creation (after)
Deploy: internal Clojure project wrapping cloud APIs
Nucli: internal CLI to automate operational workflows
AWS CloudFormation template: declarative, cohesive infrastructure provisioning (Amazon EC2, security groups, load balancers, …)
IAM roles: Lambda (“robotic kitchen staff”)
Security as code: Lambda CI/CD
IAM-policies: internal repository for all things IAM (with code reuse)
Lambda-automation: Lambdas as code in Git
Pull requests → CI/CD → Lambda (“robotic kitchen staff”) → Nucli
“Automation is the Contingency Plan that protects Software Systems from human failure”
Nucli: Granting OAuth scopes
nu security grant <scope> <user> --for=1hour …
1. Log event and alert via Slack
2. Enforce user has permission to grant and not a self-grant
3. Whitelist scope for user in auth service
4. Schedule scope revoke
5. User can refresh token
Nucli: IAM inline policies
nu security grant <username> s3 read <bucket> --for=20min …
1. Request & receive permission to read
2. Log event and alert via Slack
3. Attach new inline policy for IAM user from pre-existing template
4. Schedule policy revoke (and eventually execute via Lambda)
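The two grant workflows above (OAuth scope grants and IAM inline policies) share one shape: check the request, log and alert, apply from a template, schedule revocation. The Python below is an added example, not Nubank's code, that models that shape; the scope names, the granter mapping, the 8-hour TTL ceiling and the bucket-name check are assumptions, and no AWS or Slack calls are made.

```python
"""Temporary, self-reaping grants modelled on the two Nucli workflows above.
Constructed example, not Nubank's code: a request is checked, rendered into an
IAM inline policy from a fixed template, recorded for audit, and revoked by a
reaper once its TTL has passed. No AWS or Slack calls are made; the returned
policy is what a deployment would pass to iam:PutUserPolicy.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Hypothetical scope catalogue; the names are illustrative only.
RESTRICTED_SCOPES: Set[str] = {"customer:pii:read"}
TOXIC_COMBINATIONS: Set[FrozenSet[str]] = {
    frozenset({"payments:create", "payments:approve"})}
# Which scopes each granter may hand out (hypothetical mapping).
GRANTERS: Dict[str, Set[str]] = {
    "sec-admin": {"s3:read", "payments:create", "payments:approve"}}
# Pre-existing template for "s3 read <bucket>": only the bucket name is
# substituted, so a request cannot widen the policy's actions.
S3_READ_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::{bucket}",
                                "arn:aws:s3:::{bucket}/*"]}]}
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
DURATION_RE = re.compile(r"^(\d+)(min|hour)s?$")
MAX_TTL = timedelta(hours=8)  # assumed ceiling for a temporary escalation


@dataclass
class Grant:
    grantor: str
    grantee: str
    scope: str
    policy: dict
    expires_at: datetime
    revoked: bool = False


def parse_duration(text: str) -> timedelta:
    """Parse the --for=<n>min|<n>hour flag and enforce the TTL ceiling."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError(f"bad duration {text!r}")
    n, unit = int(m.group(1)), m.group(2)
    ttl = timedelta(minutes=n) if unit == "min" else timedelta(hours=n)
    if not timedelta(0) < ttl <= MAX_TTL:
        raise ValueError(f"ttl {ttl} outside (0, {MAX_TTL}]")
    return ttl


def check_grant(grantor: str, grantee: str, scope: str,
                current_scopes: Set[str]) -> Optional[str]:
    """Return a rejection reason, or None when the grant is allowed."""
    if grantor == grantee:
        return "self-grant not allowed"
    if scope not in GRANTERS.get(grantor, set()):
        return f"{grantor} may not grant {scope}"
    if scope in RESTRICTED_SCOPES:
        return f"{scope} is restricted"
    for combo in TOXIC_COMBINATIONS:
        if combo <= current_scopes | {scope}:
            return f"toxic combination {sorted(combo)}"
    return None


def render_s3_read_policy(bucket: str) -> dict:
    """Fill the template with a validated bucket name (no wildcards)."""
    if not BUCKET_RE.match(bucket):
        raise ValueError(f"invalid bucket name {bucket!r}")
    stmt = S3_READ_TEMPLATE["Statement"][0]
    return {"Version": S3_READ_TEMPLATE["Version"],
            "Statement": [{"Effect": stmt["Effect"],
                           "Action": list(stmt["Action"]),
                           "Resource": [r.format(bucket=bucket)
                                        for r in stmt["Resource"]]}]}


def grant_s3_read(grantor: str, grantee: str, bucket: str, for_flag: str,
                  current_scopes: Set[str], now: datetime) -> Tuple[Grant, dict]:
    """Steps 1-4 of the inline-policy workflow; returns the grant and the
    audit event that would be logged and posted to Slack before attaching."""
    reason = check_grant(grantor, grantee, "s3:read", current_scopes)
    if reason:
        raise PermissionError(reason)
    expires = now + parse_duration(for_flag)
    grant = Grant(grantor, grantee, "s3:read",
                  render_s3_read_policy(bucket), expires)
    audit = {"event": "grant", "by": grantor, "to": grantee, "scope": "s3:read",
             "bucket": bucket, "expires_at": expires.isoformat()}
    return grant, audit


def reap_expired(grants: List[Grant], now: datetime) -> List[Grant]:
    """The scheduled revoke step: mark and return every grant past expiry."""
    reaped = [g for g in grants if not g.revoked and g.expires_at <= now]
    for g in reaped:
        g.revoked = True
    return reaped
```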
Nucli: Performance profiling
nu service flamegraph <service> <shard> …
1. Log event and alert via Slack
2. Open SSH port in the right security group
3. Change kernel parameter for profiling within Docker container
4. Wait for data collection window, download SVG
5. Restore kernel parameter + close SSH port
Nucli: Kafka maintenance
nu kafka increase-partitions <cluster> <topic> …
1. Ensure you are in the right IAM group
2. Log event and alert via Slack
3. Open ZooKeeper port
4. bin/kafka-topics.sh --alter --zookeeper zkurl:2181 --topic topic1 --partitions 4
5. Close ZooKeeper port, revoke permission
Why Nucli?
• Prevent people from doing manual task checklists
• Create leverage for security: change once and everyone changes behavior automatically
• Engineers will invent less-secure shortcuts unless provided with secure shortcuts
• Make shortcuts robust to technology refresh cycles
• Over time, multi-step shell scripts become Lambdas
Security monitoring
Security monitoring: Dashboards (AWS CloudTrail, Elastic Load Balancing, VPC Flow Logs, alerts)
Security monitoring: Automated response
CloudTrail → thresholds & triggers → Action! e.g.: drop machine
ELB → Splunk real-time ingestion → Action! e.g.: create new machine (declarative capacity requirements)
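The CloudTrail path above (thresholds & triggers feeding an action such as "drop machine") as an added example that is not Nubank's code: a sliding-window counter of failed API calls per instance that emits an isolation action once a threshold is crossed. The records, the field names, the threshold and the window are constructed assumptions.

```python
"""Threshold-and-trigger automated response over CloudTrail-style records.
Constructed example, not Nubank's code. A real deployment would read events
from the log stream and hand the returned actions to a Lambda; here the
records are embedded and reduced to the fields the rule needs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

THRESHOLD = 5                      # assumed: failed calls tolerated per window
WINDOW = timedelta(minutes=5)      # assumed sliding window

# Constructed CloudTrail-like records (simplified; "principal" stands in for
# the instance whose role made the call). i-0aaa111 fails five times within
# three minutes; i-0bbb222 fails three times spread over more than a window.
SAMPLE_EVENTS = [
    {"eventTime": "2018-11-01T12:00:00Z", "eventName": "GetObject",
     "errorCode": "AccessDenied", "principal": "i-0aaa111"},
    {"eventTime": "2018-11-01T12:00:30Z", "eventName": "ListBucket",
     "errorCode": "AccessDenied", "principal": "i-0aaa111"},
    {"eventTime": "2018-11-01T12:01:00Z", "eventName": "GetObject",
     "errorCode": "AccessDenied", "principal": "i-0bbb222"},
    {"eventTime": "2018-11-01T12:01:10Z", "eventName": "GetSecretValue",
     "errorCode": "AccessDenied", "principal": "i-0aaa111"},
    {"eventTime": "2018-11-01T12:01:40Z", "eventName": "DescribeInstances",
     "errorCode": "", "principal": "i-0aaa111"},
    {"eventTime": "2018-11-01T12:02:00Z", "eventName": "AssumeRole",
     "errorCode": "AccessDenied", "principal": "i-0aaa111"},
    {"eventTime": "2018-11-01T12:02:30Z", "eventName": "GetObject",
     "errorCode": "AccessDenied", "principal": "i-0aaa111"},
    {"eventTime": "2018-11-01T12:08:00Z", "eventName": "GetObject",
     "errorCode": "AccessDenied", "principal": "i-0bbb222"},
    {"eventTime": "2018-11-01T12:09:00Z", "eventName": "GetObject",
     "errorCode": "AccessDenied", "principal": "i-0bbb222"},
]


class ThresholdTrigger:
    """Per-principal sliding window of failed calls; fires once per principal."""

    def __init__(self, threshold: int = THRESHOLD, window: timedelta = WINDOW):
        self.hits: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.threshold = threshold
        self.window = window
        self.fired: set = set()

    def observe(self, event: dict) -> Optional[dict]:
        """Feed one record; return an action dict when the rule trips."""
        if not event.get("errorCode"):
            return None                      # successful calls are not counted
        ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        key = event["principal"]
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.threshold and key not in self.fired:
            self.fired.add(key)              # one isolation action per machine
            return {"action": "drop machine", "instance": key,
                    "at": event["eventTime"],
                    "reason": f"{len(q)} failed calls within {self.window}"}
        return None


def run(events: List[dict], threshold: int = THRESHOLD,
        window: timedelta = WINDOW) -> List[dict]:
    """Replay records in time order and collect the actions that fired."""
    trigger = ThresholdTrigger(threshold, window)
    actions = []
    for event in sorted(events, key=lambda e: e["eventTime"]):
        action = trigger.observe(event)
        if action:
            actions.append(action)
    return actions
```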
Security monitoring: Automated response (technology vs. layer coverage matrix, as shown on the slide)
Technology / Layers:  1 2 3 4 5 6 7
VPC:                  - - - - - - -
ELB:                  - - - - - - -
CloudTrail:           - - - - - - -
HTTPS:                - - - 3 - - -
SSH:                  - - - - - - -
Kafka:                - - - - - - -
Fostering a security ownership mind-set
Security ownership
Account management
• No centralized login system
• Automated onboarding & offboarding; active correlation of accounts across providers with Lambda
• 2FA and YubiKeys mandatory
• Integrated logging and alerting
• Account admins aren’t tool admins
• Slack-based workflow for requesting permissions
Change management
• Secure design by co-creating with embedded security team members
• Pull request workflow, protected master branch for more sensitive repositories
• Automated tests (including version checks and other security scans) in immutable build pipelines
• Auditable manifests for every deployable artifact containing ALL versions used for a build
• Engineering productivity team treats CI/CD environment as security critical
IT management
• Physical office network threat modeling
• RADIUS technology mapping and managing employees to different subnets and VLANs
• Fully automated network infrastructure
• Automated employee machine provisioning and maintenance
• Nucli as the path of least resistance
Summary
autonomy: Security as code (Nucli); distributed security ownership; decentralized change management
velocity: Real-time log ingestion; Slack alerting; monitoring / automated response
reliability: Minimal permissions; menu instead of kitchen; defense in depth; audit trail
scalability: Distributed permissions granting; automate all the things; auto-reaping; in-house security team
Thank you!
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (FSV325) - AWS re:Invent 2018

  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
      How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD
      Edward Wible, Co-founder & CTO, Nubank
      FSV325
  • 3. “Nubank is the largest digital bank in the world outside of Asia”
  • 6. Growing quickly in a sensitive domain
      Unique applications: 18M+
      Countries: 198
      Customers: 5M+
      Deploys per day: 50
      Microservices: 180
      Engineers: 100+
      [growth chart; axis values omitted]
  • 7. Core Purpose: FIGHT COMPLEXITY TO EMPOWER PEOPLE
  • 8. Be trustworthy
      how { competence, reliability }
      why { integrity, benevolence }
  • 9. Banking (and security) as a software engineering problem
      autonomy: Teams empowered to execute independently, cradle to grave
      velocity: Rapidly evolving systems in small increments
      reliability: Carefully manage blast radius and time-to-fix for inevitable bugs
      scalability: Build for the long term, scale out, significant operating leverage
  • 10. Amazon Web Services (AWS) tools are critical to achieving the right balance
      AWS Identity and Access Management (IAM)
      AWS Lambda
      AWS CloudTrail & Amazon Virtual Private Cloud (Amazon VPC)
  • 12. Security principles
  • 13. Minimal permissions (self-healing)
      Lambdas: fine-grained, just enough to accomplish work; constant evolution
      • 80+ official Lambdas
      • Fine-grained control and orchestration of underlying systems
      • Management of accounts across providers
      • Integrations to Slack, OpsGenie, and more
      • Active monitoring (every n minutes)
  • 14. Minimal permissions (self-healing)
      IAM groups
      • 100+ IAM groups for people
      • 500+ IAM roles for machines
      • Access to specific operations on AWS services
      • Base permissions set, temporary escalation, automatic reaping
  • 15. Minimal permissions (self-healing)
      OAuth scopes (users++)
      • ~300 scopes in use
      • OAuth style, endpoint level granularity
      • Pre-approved, grants often contingent upon proof of completed training (with tests!)
      • Restricted scopes and toxic combinations
      • Short-lived (expire), with longer-lived refresh tokens for rapid renewal
      • Auto-reaped scopes after inactivity
  • 16. Pervasive audit trail
      Set up for forensic analysis in advance; multiple audit trails covering the same flows
      Sources: VPC flow, HTTP reqs, AWS CloudTrail, Lambdas, Nucli events, DNS, load balancers
      + Amazon Redshift: all data from all production databases (daily), including data provenance:
      • Metadata associated with reified DB transactions, incl. correlation ID, user, service version
      • Append-only (Datomic or Kafka)
      • Automatically integrated to ETL for high throughput querying
      Splunk + Amazon S3: unify all logs, including all server logs; dashboards; alarms
  • 17. Defense in depth
      Boundary defense is fundamental, but doesn’t address all attack vectors. Once the boundary has been compromised, it is necessary to defend subsequent layers.
      Service A to Service B: mTLS; modern ciphers & forward secrecy; requests without certificates rejected at session layer; device reputation scoring; short-lived OAuth token grants endpoint-level scopes; ubiquitous rate limits
      Storage: encryption at rest; security groups per service; specific IAM roles
      Kafka: digital signing of all messages; sensitive topics envelope encrypted; security groups
      Office network: RADIUS + 802.11 authentication w/ certificates; segregated subnets by function; AWS Session Manager for SSH
  • 18. In-house security teams
  • 19. Engineering: top-of-the-line gas range; sharp knives; small batches; sophisticated plate warming
  • 20. Security Operations Center (SOC): 19 authorized personnel; temperature normal; order backlog normal; behavior patterns normal
  • 21. Blue team: non-skid floor; safety hats and aprons; food contamination risk; segregated roles and access control
  • 22. Red team: Propane tank + Sharp knife + Sparker = Profit
  • 23. In-house security teams: Blue Team, Red Team, SOC, Engineering, Security Support, Intelligence, Physical Infra
      • Don’t be an adversary
      • Be part of the product lifecycle
      • Work closely with other control functions
      • Rotate team members
  • 24. Security as code
  • 25. Security as code: Role creation (before)
      Deploy: internal Clojure project wrapping cloud APIs
      Nucli: internal CLI to automate operational workflows
      AWS CloudFormation template: declarative, cohesive infrastructure provisioning
      Provisioning: Amazon EC2, IAM roles, security groups, load balancers, …
  • 26. Security as code: Role creation (before): copy/paste
  • 27. Security as code: Role creation (after)
      Deploy: internal Clojure project wrapping cloud APIs
      Nucli: internal CLI to automate operational workflows
      AWS CloudFormation template: declarative, cohesive infrastructure provisioning
      Provisioning: Amazon EC2, security groups, load balancers, …
      IAM roles: Lambda (“robotic kitchen staff”)
  • 28. Security as code: Lambda CI/CD
      IAM-policies: internal repository for all things IAM (with code reuse)
      Pull requests → CI/CD → Lambda (“robotic kitchen staff”)
      Lambda-automation: Lambdas as code in Git
  • 29. Nucli: “Automation is the Contingency Plan that protects Software Systems from human failure”
  • 30. Nucli: Granting OAuth scopes
      nu security grant <scope> <user> --for=1hour …
      1. Log event and alert via Slack
      2. Enforce user has permission to grant and not a self-grant
      3. Whitelist scope for user in auth service
      4. Schedule scope revoke
      5. User can refresh token
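The five steps of the scope-granting flow on slide 30, combined with the rules from slide 15 (training prerequisites, restricted scopes, toxic combinations, short-lived tokens with refresh, reaping after inactivity), as an added worked model. This is example code written for this page, not Nubank's Nucli or auth service; every scope name, group name, training course and user in it is constructed sample data, and the audit list stands in for the Slack alert.

```python
# Added example (not Nubank's code): temporary OAuth-scope grants with the checks from
# the "OAuth Scopes" slide and the five steps of "Nucli: Granting OAuth scopes".
# Every scope, group, course and user below is constructed sample data.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SCOPE_TRAINING = {"customer:read": None, "customer:pii:read": "pii-handling",
                  "ledger:write": "ledger-ops", "ledger:approve": "ledger-ops"}
RESTRICTED = {"ledger:approve"}                                # only security may grant
TOXIC_PAIRS = [frozenset({"ledger:write", "ledger:approve"})]  # never held together
TOKEN_TTL = timedelta(minutes=5)   # short-lived access token, renewed via refresh
INACTIVITY = timedelta(days=30)    # unused grants are auto-reaped
AUDIT = []                         # stands in for "log event and alert via Slack"

class GrantDenied(Exception): pass

@dataclass
class Grant:
    scope: str
    expires_at: datetime        # end of the grant itself (the --for duration)
    token_expires_at: datetime  # current short-lived token
    last_used: datetime

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    training: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)  # scope -> Grant

def live(g, now):
    return g.expires_at > now and now - g.last_used <= INACTIVITY

def grant(granter, target, scope, ttl, now):
    AUDIT.append((now, granter.name, target.name, scope))         # 1. log every attempt
    if granter.name == target.name:                               # 2. no self-grant ...
        raise GrantDenied("self-grant is not allowed")
    if "scope-granters" not in granter.groups:                    # ... and granter authorised
        raise GrantDenied(f"{granter.name} may not grant scopes")
    if scope not in SCOPE_TRAINING:
        raise GrantDenied(f"unknown scope {scope}")
    if scope in RESTRICTED and "security" not in granter.groups:
        raise GrantDenied(f"{scope} is restricted to the security group")
    course = SCOPE_TRAINING[scope]                                # proof of completed training
    if course and course not in target.training:
        raise GrantDenied(f"{target.name} has not completed {course}")
    held = {s for s, g in target.grants.items() if live(g, now)} | {scope}
    for pair in TOXIC_PAIRS:                                      # toxic combinations
        if pair <= held:
            raise GrantDenied(f"toxic combination {sorted(pair)}")
    g = Grant(scope, now + ttl, min(now + TOKEN_TTL, now + ttl), now)
    target.grants[scope] = g                                      # 3. whitelist; 4. expiry = revoke
    return g

def use(user, scope, now):  # endpoint check; a successful use resets the inactivity clock
    g = user.grants.get(scope)
    if g is None or not live(g, now) or g.token_expires_at <= now:
        return False
    g.last_used = now
    return True

def refresh(user, scope, now):  # 5. a live grant yields a new token without re-approval
    g = user.grants.get(scope)
    if g is None or not live(g, now):
        return False
    g.token_expires_at = min(now + TOKEN_TTL, g.expires_at)
    return True

def reap(user, now):  # scheduled revoke plus inactivity sweep, as a periodic Lambda would run
    dead = sorted(s for s, g in user.grants.items() if not live(g, now))
    for s in dead:
        del user.grants[s]
    return dead

def demo():  # run the constructed scenario and return each step's outcome
    t0 = datetime(2018, 11, 27, 10, 0, tzinfo=timezone.utc)
    alice = User("alice", groups={"scope-granters"})
    sec = User("sec-oncall", groups={"scope-granters", "security"})
    bob = User("bob", training={"ledger-ops"})
    out = {}
    for key, granter, target, scope in [
        ("write", alice, bob, "ledger:write"),          # granted
        ("self", alice, alice, "customer:read"),        # denied: self-grant
        ("restricted", alice, bob, "ledger:approve"),   # denied: alice not in security
        ("toxic", sec, bob, "ledger:approve"),          # denied: conflicts with ledger:write
        ("training", alice, bob, "customer:pii:read"),  # denied: no pii-handling course
    ]:
        try:
            grant(granter, target, scope, timedelta(hours=1), t0)
            out[key] = "granted"
        except GrantDenied as e:
            out[key] = str(e)
    m = timedelta(minutes=1)
    out["use_1min"] = use(bob, "ledger:write", t0 + m)
    out["use_10min"] = use(bob, "ledger:write", t0 + 10 * m)   # token expired
    out["refresh"] = refresh(bob, "ledger:write", t0 + 10 * m)
    out["use_11min"] = use(bob, "ledger:write", t0 + 11 * m)
    out["reaped"] = reap(bob, t0 + 120 * m)                      # 1-hour grant has expired
    return out
```

Two design points worth noting: the toxic-combination check runs against the target's currently live grants, so a separation-of-duties rule (here, posting and approving ledger entries) cannot be bypassed by asking two different granters; and the expiry is stored on the grant itself, so the reaper needs no separate schedule state and a missed run simply revokes on the next sweep.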
  • 31. Nucli: IAM inline policies
      nu security grant <username> s3 read <bucket> --for=20min …
      1. Request & receive permission to read
      2. Log event and alert via Slack
      3. Attach new inline policy for IAM user from pre-existing template
      4. Schedule policy revoke (and eventually execute via Lambda)
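The "temporary escalation, automatic reaping" pattern from slide 14, applied to the inline-policy command on slide 31, as an added example that is not Nubank's Nucli code. It assumes a constructed policy-name convention that carries the revoke time, so the reaper Lambda can be stateless, and a constructed FakeIam client whose three methods copy the call shapes of boto3's put_user_policy, list_user_policies and delete_user_policy, so a real boto3.client("iam") could be passed in its place. The one-hour cap, the template and the bucket name are also constructed.

```python
# Added example (not Nubank's Nucli code): the IAM inline-policy flow behind
# `nu security grant <username> s3 read <bucket> --for=20min`, with the revoke
# time encoded in the policy name so a stateless periodic reaper can find it.
# The template, naming scheme, guardrails and FakeIam client are constructed;
# FakeIam copies the three boto3 IAM call shapes it needs, so a real
# boto3.client("iam") can be passed in its place.
import json
import re
from datetime import datetime, timedelta, timezone

PREFIX = "nucli-tmp"                  # constructed naming convention
MAX_TTL = timedelta(hours=1)          # constructed cap on temporary escalation
NAME_RE = re.compile(r"^" + PREFIX + r"-.+-(?P<exp>\d{10})$")

# Pre-existing templates: the least privilege each (service, action) needs.
TEMPLATES = {
    ("s3", "read"): lambda bucket: {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    },
}

class FakeIam:
    """Offline stand-in for boto3.client('iam') with in-memory state."""
    def __init__(self):
        self.policies = {}  # user -> {policy name: policy document JSON}

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.policies.setdefault(UserName, {})[PolicyName] = PolicyDocument

    def list_user_policies(self, UserName):
        return {"PolicyNames": sorted(self.policies.get(UserName, {}))}

    def delete_user_policy(self, UserName, PolicyName):
        del self.policies[UserName][PolicyName]

def grant(iam, user, service, action, resource, ttl, now, approved_by, audit):
    """Steps 1-4: check approval, log, attach the templated policy, schedule its revoke."""
    if approved_by == user:                               # 1. approval must come from someone else
        raise PermissionError("a grant cannot be approved by its requester")
    if ttl > MAX_TTL:
        raise ValueError(f"temporary grants are capped at {MAX_TTL}")
    if (service, action) not in TEMPLATES:                # only pre-approved templates
        raise ValueError(f"no template for {service} {action}")
    expires = now + ttl
    name = f"{PREFIX}-{service}-{action}-{resource}-{int(expires.timestamp())}"
    if len(name) > 128 or not re.fullmatch(r"[\w+=,.@-]+", name):
        raise ValueError("policy name violates IAM inline policy naming rules")
    audit.append((now, user, name, approved_by))           # 2. log (and alert via Slack)
    doc = TEMPLATES[(service, action)](resource)
    iam.put_user_policy(UserName=user, PolicyName=name,    # 3. attach inline policy
                        PolicyDocument=json.dumps(doc))
    return name                                            # 4. expiry travels in the name

def reap(iam, user, now):
    """Scheduled revoke, as a periodic Lambda would run it: delete expired temporary policies."""
    removed = []
    for name in iam.list_user_policies(UserName=user)["PolicyNames"]:
        m = NAME_RE.match(name)
        if m and int(m.group("exp")) <= int(now.timestamp()):
            iam.delete_user_policy(UserName=user, PolicyName=name)
            removed.append(name)
    return removed

def demo():
    """Constructed run: 20 minutes of read on one bucket, reaped before and after expiry."""
    iam, audit = FakeIam(), []
    t0 = datetime(2018, 11, 27, 10, 0, tzinfo=timezone.utc)
    name = grant(iam, "bob", "s3", "read", "nu-example-bucket",
                 timedelta(minutes=20), t0, approved_by="alice", audit=audit)
    try:
        grant(iam, "bob", "s3", "read", "nu-example-bucket",
              timedelta(minutes=5), t0, approved_by="bob", audit=audit)
        self_approved = True
    except PermissionError:
        self_approved = False
    doc = json.loads(iam.policies["bob"][name])
    early = reap(iam, "bob", t0 + timedelta(minutes=19))
    late = reap(iam, "bob", t0 + timedelta(minutes=20))
    return {"name": name, "self_approved": self_approved,
            "resources": [s["Resource"] for s in doc["Statement"]],
            "reaped_early": early, "reaped_late": late,
            "remaining": iam.list_user_policies(UserName="bob")["PolicyNames"]}
```

Because the expiry lives in the policy name, the reaper only needs iam:ListUserPolicies and iam:DeleteUserPolicy and can be run on a fixed schedule against every user; anything it finds that matches the prefix and is past its timestamp is removed, whether or not the grant that created it was recorded anywhere else.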
  • 32. Nucli: Performance profiling
      nu service flamegraph <service> <shard> …
      1. Log event and alert via Slack
      2. Open SSH port in the right security group
      3. Change kernel parameter for profiling within Docker container
      4. Wait for data collection window, download SVG
      5. Restore kernel parameter + close SSH port
  • 33. Nucli: Kafka maintenance
      nu kafka increase-partitions <cluster> <topic> …
      1. Ensure you are in the right IAM group
      2. Log event and alert via Slack
      3. Open zookeeper port
      4. bin/kafka-topics.sh --alter --zookeeper zkurl:2181 --topic topic1 --partitions 4
      5. Close zookeeper port, revoke permission
  • 34. Why Nucli?
      • Prevent people from doing manual task checklists
      • Create leverage for security: change once and everyone changes behavior automatically
      • Engineers will invent less-secure shortcuts unless provided with secure shortcuts
      • Make shortcuts robust to technology refresh cycles
      • Over time, multi-step shell scripts become Lambdas
  • 35. Security monitoring
  • 36. Security monitoring: Dashboards
      AWS CloudTrail, Elastic Load Balancing, VPC Flow Logs, Alerts
  • 37. Security monitoring: Automated response
      CloudTrail and ELB logs feed Splunk realtime ingestion
      Thresholds & triggers lead to action (e.g. drop machine)
      Declarative capacity requirements lead to action (e.g. create new machine)
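The threshold-and-trigger loop on slide 37, reduced to something that runs offline, as an added example that is not Nubank's code. It parses a few constructed classic-ELB access log lines (the ELB name, backend addresses, request paths and client addresses are all made up), counts backend failures per instance, emits a drop-machine action when a constructed threshold is crossed, and then emits create-machine actions until a constructed declarative capacity figure is met again. In a real pipeline the action tuples would be handed to the automation Lambdas; here they are returned so they can be checked.

```python
# Added example (not Nubank's code): the threshold/trigger loop from the
# "Security monitoring: Automated response" slide, run offline over constructed
# classic-ELB access log lines. The ELB name, backend addresses, thresholds and
# the declarative capacity figure are all constructed.
import shlex
from collections import Counter

ERROR_THRESHOLD = 3    # backend errors per instance in one batch before we act
DESIRED_CAPACITY = 2   # declarative capacity requirement for this service

# Constructed sample: 10.0.1.13 starts returning 5xx / timing out (backend status "-"),
# while 10.0.1.12 keeps serving (its 404 is a client error and does not count).
SAMPLE_LOG = """\
2018-11-27T10:00:01.000000Z nu-example-elb 203.0.113.10:54321 10.0.1.12:8080 0.00005 0.012 0.00003 200 200 0 57 "GET https://api.example.invalid:443/v1/accounts HTTP/1.1" "curl/7.58" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2018-11-27T10:00:02.000000Z nu-example-elb 203.0.113.11:54322 10.0.1.13:8080 0.00005 0.910 0.00003 502 502 0 0 "GET https://api.example.invalid:443/v1/accounts HTTP/1.1" "curl/7.58" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2018-11-27T10:00:03.000000Z nu-example-elb 203.0.113.12:54323 10.0.1.12:8080 0.00005 0.010 0.00003 404 404 0 21 "GET https://api.example.invalid:443/v1/nope HTTP/1.1" "curl/7.58" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2018-11-27T10:00:04.000000Z nu-example-elb 203.0.113.11:54324 10.0.1.13:8080 -1 -1 -1 504 - 0 0 "GET https://api.example.invalid:443/v1/accounts HTTP/1.1" "curl/7.58" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2018-11-27T10:00:05.000000Z nu-example-elb 203.0.113.13:54325 10.0.1.12:8080 0.00005 0.011 0.00003 200 200 0 57 "GET https://api.example.invalid:443/v1/accounts HTTP/1.1" "curl/7.58" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2018-11-27T10:00:06.000000Z nu-example-elb 203.0.113.11:54326 10.0.1.13:8080 0.00005 0.870 0.00003 503 503 0 0 "GET https://api.example.invalid:443/v1/accounts HTTP/1.1" "curl/7.58" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2018-11-27T10:00:07.000000Z nu-example-elb 203.0.113.14:54327 10.0.1.13:8080 0.00005 0.009 0.00003 200 200 0 57 "GET https://api.example.invalid:443/v1/accounts HTTP/1.1" "curl/7.58" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2018-11-27T10:00:08.000000Z nu-example-elb 203.0.113.11:54328 10.0.1.13:8080 0.00005 0.950 0.00003 502 502 0 0 "GET https://api.example.invalid:443/v1/accounts HTTP/1.1" "curl/7.58" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
"""

def parse_elb_line(line):
    """Split one classic-ELB access log line (15 space-separated fields, two of them quoted)."""
    f = shlex.split(line)
    if len(f) != 15:
        raise ValueError(f"unexpected field count {len(f)}")
    return {"time": f[0], "elb": f[1], "client": f[2].rsplit(":", 1)[0],
            "backend": f[3].rsplit(":", 1)[0], "elb_status": f[7],
            "backend_status": f[8], "request": f[11], "user_agent": f[12]}

def is_backend_error(rec):
    # "-" means the backend never answered (ELB timed out); 5xx means it answered with a failure.
    return rec["backend_status"] == "-" or rec["backend_status"].startswith("5")

def evaluate(log_text, error_threshold=ERROR_THRESHOLD, desired=DESIRED_CAPACITY):
    """Thresholds & triggers -> drop machine; declarative capacity -> create machine."""
    errors, seen = Counter(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_elb_line(line)
        seen.add(rec["backend"])
        if is_backend_error(rec):
            errors[rec["backend"]] += 1
    actions, healthy = [], set(seen)
    for backend in sorted(seen):
        if errors[backend] >= error_threshold:
            actions.append(("drop-machine", backend,
                            f"{errors[backend]} backend errors >= {error_threshold}"))
            healthy.discard(backend)
    for _ in range(max(desired - len(healthy), 0)):
        actions.append(("create-machine", None, f"healthy={len(healthy)} < desired={desired}"))
    return actions

def demo():
    return evaluate(SAMPLE_LOG)

if __name__ == "__main__":
    for action in demo():
        print(*action)
```

The two rules are deliberately independent: the drop rule only ever removes capacity, and the capacity rule only ever adds it, so a noisy threshold cannot take a service below its declared minimum for longer than one evaluation cycle. Tuning the threshold against a real traffic window, rather than a batch of eight lines, is the part this toy leaves to the operator.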
  • 38. Security monitoring: Automated response
      Technology / Layers   1  2  3  4  5  6  7
      VPC                   -  -  -  -  -  -  -
      ELB                   -  -  -  -  -  -  -
      CloudTrail            -  -  -  -  -  -  -
      HTTPS                 -  -  -  3  -  -  -
      SSH                   -  -  -  -  -  -  -
      Kafka                 -  -  -  -  -  -  -
  • 39. Fostering a security ownership mind-set
  • 40. Security ownership
      Account management
      • No centralized login system
      • Automated onboarding & offboarding; active correlation of accounts across providers with Lambda
      • 2FA and Yubikeys mandatory
      • Integrated logging and alerting
      • Account admins aren’t tool admins
      • Slack-based workflow for requesting permissions
      Change management
      • Secure design by co-creating with embedded security team members
      • Pull request workflow, protected master branch for more sensitive repositories
      • Automated tests (including version checks and other security scans) in immutable build pipelines
      • Auditable manifests for every deployable artifact containing ALL versions used for a build
      • Engineering productivity team treats CI/CD environment as security critical
      IT management
      • Physical Office Network threat modeling
      • RADIUS technology mapping and managing employees to different subnets and VLANs
      • Fully automated network infrastructure
      • Automated employee machine provisioning and maintenance
      • Nucli as the path of least resistance
  • 41. Summary
      autonomy: Security as code (Nucli); distributed security ownership; decentralized change management
      velocity: Real-time log ingestion; Slack alerting; monitoring / automated response
      reliability: Minimal permissions; menu instead of kitchen; defense in depth; audit trail
      scalability: Distributed permissions granting; automate all the things; auto-reaping; in-house security team
  • 42. Thank you!
  • 43. Please complete the session survey in the mobile app.