
Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS Summit


The move to AWS enables new application and architectural patterns that are in a continual state of change. The only way that your infrastructure, security, and operations can keep pace with these changes is with automation. In this session, we discuss the various automation tools that can be used to deploy AWS infrastructure (as code), add the VM-Series to help protect against threats (security as code), and then automatically update the policy based on Amazon GuardDuty or AWS Security Hub findings (operations as code). A brief demonstration concludes this session.


  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT
     INFRASTRUCTURE, SECURITY AND OPERATIONS “AS CODE”
     Dula Hernandez, Channel Systems Engineer
  2. CLOUD AUTOMATION DRIVERS (agenda)
     • Agility, DevSecOps, Multi-cloud
     • Palo Alto Networks Automation Capabilities
     • Cloud Security Automation Stack
     • Applying Cloud Security Automation
     • Composable Automation Eco-system
     • Distributable Security
     • Cloud Adoption and Benefits
  3. NEED FOR AUTOMATION
     • Rapidly deploy new applications: Dev → Test → Prod
     • Improve security, increase agility, reduce effort to achieve business goals
     • Inject security into DevOps → DevSecOps
     (Diagram: App, Network and Security layers. Infrastructure as Code: Ansible, AWS CloudFormation Templates, Terraform Provider for AWS. Security as Code: Terraform Provider for PAN-OS. Infrastructure & Ongoing Configuration “as code”; Key Stakeholder Involvement; Accelerate Adoption; Automation.)
  4. ACCELERATE SECURE CLOUD DEPLOYMENTS
     • Quick, Reproducible, Repeatable, Scalable
     • Deploy in minutes
     (Diagram: app1, app2, app3 deployed across Region1 and Region2.)
  5. CLOUD SECURITY AUTOMATION STACK
     • Infrastructure Build-Out: Terraform Cloud Templates (Infrastructure as Code)
     • Security Layer: Terraform Provider (PAN-OS) (Security as Code)
     • Operations: Terraform Integration (Automated Incident Response)
     Repeatable, Consistent, Agile, and Secure; the same stack applies to other public clouds.
  6. INFRASTRUCTURE AS CODE: BUILD THE ENVIRONMENT
     • Manual Process: slow, delayed and extended rollouts
     • Infrastructure as Code: deployed in minutes, highly reproducible, agile
     (Diagram: Region 1 and Region 2, each VPC built with an Untrust security group and a Trust security group.)
  7. INFRASTRUCTURE AS CODE: FIREWALL HUB WITH ALBs
     • Fully automated
     • Blueprint developed and pushed out company wide
     • Huge cost savings
     • VM-Series natively integrated with cloud capabilities
     • Next: Automate build out of LOB (Line of Business) applications
     (Diagram: firewall hub with Application Load Balancers fronting multiple Ingress paths.)
  8. SECURITY AS CODE: INTEGRATE LOB WITH FIREWALL HUB
     • Automate the creation of private link tunnels
     • Automate deployment of NAT and Security policies
     • Seamless integration: App + Security = business objectives
     • We can do more!
     • Next: Feed threat intel to VM-Series to block attacks from new sources.
     (Diagram: LOB VPCs connected to the firewall hub through VPN GW / VPN Connection and PrivateLink; Application Load Balancers and Network Load Balancers with Ingress paths.)
  9. OPS AS CODE: AMAZON GUARDDUTY INTEGRATION
     1) Amazon GuardDuty sends security alerts (e.g. malicious IP address) to Amazon CloudWatch.
     2) The Amazon CloudWatch event triggers a Lambda function.
     3) The Lambda function registers the malicious IP to a Dynamic Address Group (DAG) using the XML API.
     4) DAGs are used in the security policy (Policy: Drop Session) to drop matching sessions.
     (Diagram: Amazon GuardDuty → Amazon CloudWatch → Lambda Function → VM-Series in the VPC Untrust security group.)
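As an added illustration of steps 2 and 3 (this code is not from the presentation and not Palo Alto Networks' own code): a Lambda handler that parses the GuardDuty finding delivered by the CloudWatch Events rule and builds the PAN-OS XML API user-id message that tags the remote IP so the DAG picks it up. The tag name, the severity threshold and the sample finding are assumptions/constructed, and the HTTPS call to the firewall is left as a comment.

```python
import ipaddress
import xml.etree.ElementTree as ET

DAG_TAG = "guardduty-malicious"   # tag the VM-Series DAG matches on (assumed name)
MIN_SEVERITY = 4.0                # ignore findings below this severity (assumed threshold)
# Never tag our own address space: a bad DAG entry would drop legitimate VPC traffic.
NEVER_TAG = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def extract_remote_ips(event):
    """Remote IPv4 addresses named in a GuardDuty finding delivered by a CloudWatch
    Events rule (event["detail"] is the finding JSON)."""
    detail = event.get("detail", {})
    if float(detail.get("severity", 0)) < MIN_SEVERITY:
        return []
    action = detail.get("service", {}).get("action", {})
    # The remote IP sits in a different sub-object depending on the action type.
    remotes = [action.get(k, {}).get("remoteIpDetails", {})
               for k in ("networkConnectionAction", "awsApiCallAction")]
    remotes += [p.get("remoteIpDetails", {})
                for p in action.get("portProbeAction", {}).get("portProbeDetails", [])]
    ips = []
    for rid in remotes:
        ip = rid.get("ipAddressV4")
        if ip and ip not in ips and not any(ipaddress.ip_address(ip) in n for n in NEVER_TAG):
            ips.append(ip)
    return ips

def build_register_payload(ips, tag=DAG_TAG):
    """PAN-OS XML API user-id 'register' message: tagging an IP makes the DAG (and
    every security rule referencing it) pick it up with no commit needed."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip in ips:
        entry = ET.SubElement(register, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")

def lambda_handler(event, context=None):
    ips = extract_remote_ips(event)
    if not ips:
        return {"registered": [], "cmd": None}
    # The payload is POSTed as cmd=<xml> to https://<firewall>/api/?type=user-id&key=<api-key>
    # (firewall address and key from environment / Secrets Manager; the HTTP call is not shown).
    return {"registered": ips, "cmd": build_register_payload(ips)}

# Constructed sample finding (not a real GuardDuty event) so the block runs offline.
SAMPLE_EVENT = {"detail": {"severity": 8, "service": {"action": {"actionType": "NETWORK_CONNECTION",
    "networkConnectionAction": {"connectionDirection": "INBOUND",
                                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}}}
```

Because the DAG is populated through the user-id API rather than a configuration change, the firewall starts dropping sessions from the tagged IP without a policy commit, which is what makes the loop fast enough for step 4.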
  10. SUMMARY & KEY TAKEAWAYS
     • Framework developed with real world use case and workflows
     • Collaboration based on inputs from customers and cloud providers
     • Readily available templates
     • Easy to adopt and use
     • Highly composable
     • Well defined integration points
     (Diagram, building metaphor with Foundation, Pillars, Beams and Cupola: Palo Alto Networks VM-Series, Infrastructure Templates, Composable Cloud Security, Cloud Success with Security, Cloud Native Templates, Cloud Native Tunnels, Automation with Terraform Security Provider, devsecops, Extensible.)
  11. DEMO: CLOUD SECURITY AT THE SPEED OF DEVOPS
     Roles: Firewall admin (Sec Team), Developer (App Team)
     0. Infrastructure as code using Terraform templates
     1. Push new app
     2. Deploy app (AWS CodeDeploy)
     3. Commit app security policy
     4. Poll and pull changes
     5. Push VM-Series policy using PAN-OS Terraform provider
     Repeat / Refine / Update
     (Diagram: web app with root volume and data volume in Availability zone 1, inside an Auto Scaling group and security groups.)
  12. Thank you!
  13. Please complete the session survey.
