© 2016 AWS and affiliates, all rights reserved
Introduction to DevSecOps on AWS
Chuck Meyer
Security Solutions Architect
What is DevOps? (diagram)
• Cultural philosophy
• Practices
• Tools
Competing Forces (diagram)
• Business
• Development: Build it faster
• Operations: Keep it stable
• Security: Make it secure
Who is DevSecOps?
DevSecOps is
• Team/Community effort, not a person
• Automated and autonomous security
• Security at scale
DevSecOps role
• Not there to audit code
• Implement the control segments to validate and audit code and artifacts as part of the CI/CD process
(Venn diagram: Security, Operations, Development)
Terminology
DevSecOps / Security Automation / Security at Scale
Make up your mind…
Why security automation
Reduce risk of human error
- Automation is effective
- Automation is reliable
- Automation is scalable
Don’t worry…we still need humans
Why security automation
High pace of innovation is great
We also want high pace of:
• Detection
• Alerting
• Remediation
• Countermeasures
• Forensics
What is DevSecOps?
Three flavors
- Security of the CI/CD Pipeline
  - Automated IAM roles, Jenkins server hardening, etc.
- Security in the CI/CD Pipeline
  - Automated security tests, code analysis, etc.
- Security Automation
  - Automated Incident Response Remediation, forensics, etc.
Security in/of the CI/CD Pipeline
What is DevSecOps?
DevOps = Efficiencies that speed up this lifecycle
DevSecOps = Validate building blocks without slowing lifecycle
(Diagram: software development lifecycle of plan, build, test, release and monitor, with a delivery pipeline from developers to customers, a feedback loop back, and Security wrapped around the whole cycle)
CI/CD for DevOps (pipeline diagram)
• Dev commits to Git/master → Version Control (create repo)
• CI Server: get/pull code; distributed builds; run tests in parallel; send build report to Dev; stop everything if build failed
• Package Builder: create AMIs
• Deploy Server: push config, install → Test Env → Staging Env → Prod Env
• Inputs: Code, Config, Tests; CloudFormation templates for environment (generate)
CI/CD for DevSecOps (pipeline diagram)
• Dev commits → Version Control: validate with Git-Secrets
• CI Server: get/pull code; log for audit; send build report to Security; stop everything if audit/validation failed
• Package Builder: create AMIs
• Promote Process: audit/validate config, checksum
• Test Env → Staging Env → Prod Env: continuous scan
• Inputs: Code, Config, Tests; CloudFormation templates for environment
What Does DevSecOps CI/CD Give Us?
• Confidence that our code is validated against corporate security policies.
• Avoid infrastructure/application failure in a later deployment due to different security configuration
• Match DevOps pace of innovation
• Audit and alert
• Security at scale!
Security Automation
AWS CloudFormation primer
Infrastructure is code
AWS CloudFormation Primer
Allows you to define a “template”
• Composed of different “resources”
• Provision that template into repeatable, live, “stacks”.
CloudFormation (CFn) provides a single service interface
• Let CFn perform state changes and govern who calls CFn
Treat as Code
• Check in your templates
CFn templates can hook into external configuration management frameworks
• Jenkins/Chef/Puppet/etc.
AWS CloudFormation Stacks (diagram)
• One JSON template → many stacks: Dev, Test, Staging, Prod, Demos, and across Regions
Split Ownership Configurations
Who knows your solution best?
• Dev, Infra, Sec…?
• Delegate ownership
• Infra – VPC design, IGW Deployment, Subnets, etc
• DevOps – EC2, Elastic BeanStalk, RDS, DynamoDB, etc
• OS Patching, Security Agent Deployments, IAM Roles, etc
Use YAML and split the file into chunks or functions
• Separate file sources with access control – Use IAM/VPC-E/etc.
• Push files -> Validate -> Merge files -> Validate -> Deploy -> Validate
AWS CodePipeline or Jenkins for deployment
• Promotion flows
• Move from manual to Automation based on validation quality
• Excellent for merging jobs of split configurations
Merging
From single file or multiple files
• Maintain access control using policies
• Use different source stores if needed
Based on function/state
Reusable patterns
Maintain order, especially of validation
• Security validation last to execute
• Security should always win
Validation
Keep track of what section you are validating
• Stage vs Prod
• Merged vs separated
Validate often and log/alert
• Validate part and end result
• Run-time validation
Tools
• AWS CodeCommit
• AWS Lambda
• Config / Config Rules
• CloudWatch Logs / CloudWatch Events
• Etc.
Where else can this be applied? (diagram)
• AWS CloudFormation: CloudFormation Template
• Amazon EC2 Container Service: Task Definition
• AWS CodeDeploy: Application Specification File (AppSpec file)
• …and more.
AWS Tooling
Execution
• Lambda
Tracking
• AWS Config Rules
• Amazon CloudWatch Events
• AWS CloudTrail
• AWS Inspector
Track/Log
• Amazon CloudWatch Logs
• Amazon DynamoDB
Alert
• SNS
Third party / Open Source
Other resources / Open Source
• Some of the projects out there:
– ThreatResponse.cloud https://threatresponse.cloud
– Cloud Custodian https://github.com/capitalone/cloud-custodian
– Security Monkey https://github.com/Netflix/security_monkey
– FIDO https://github.com/Netflix/Fido
• And many more…
Automatic Incident Response Remediation
Creating a blueprint (decision-flow diagram)
Initiate: Continuous / Event based
• Config Rules
• CloudWatch Events
Is it region specific?
Will the action risk breaking something?
• Yes: Call human
• No: Lambda
Will enabling it add cost?
• Yes: Based on possible cost limit, call human
• No/Minor: Set rules
Is there a source of truth?
• Config Rules: Check previous (caution on multiple events)
• CWE: Check tag/DDB (have default value)
Action
• Revert change based on above
Forensic
• Is it human (or unknown source) or machine (CI/CD)?
• CI/CD: Create ticket (Jira etc.)
• Human: Should we countermeasure/prevent?
• Are they using MFA? No: Add MFA (external Lambda)
• First occurrence (check DDB)? Yes: Disable account/keys
Alert
• High: SMS/Page
• Low: Email/tracking system
Logging
• Is it sensitive? Yes: Encrypt (KMS). No: Cleartext
• Always: Access control
The anatomy of security automation

Mode      | Section         | Actions
----------|-----------------|------------------------------------------------------
Initiate  | React           | Config Rules / CloudWatch Events / Log Parsing
Initiate  | Trigger         | Lambda
Initiate  | Learn           | Lambda / CloudWatch Logs
Execution | Priority Action | Restart service, delete user, etc.
Execution | Forensics       | Discover: who/where/when, allowed to execute?
Execution | Countermeasure  | Disable access keys, isolate instance, etc.
Execution | Alert           | Text/Page, email, ticket system
Execution | Logging         | Database, ticket system, encrypt data?
How do I know what happened - Config
The key to Custom Rules

```python
import boto3
from datetime import datetime

client = boto3.client('config')

# Report a custom rule's verdict back to AWS Config (boto3 put_evaluations skeleton).
# ComplianceType is one of 'COMPLIANT', 'NON_COMPLIANT', 'NOT_APPLICABLE', 'INSUFFICIENT_DATA';
# ResultToken is the token Config passed into the rule's Lambda invocation.
response = client.put_evaluations(
    Evaluations=[
        {
            'ComplianceResourceType': 'string',
            'ComplianceResourceId': 'string',
            'ComplianceType': 'COMPLIANT',
            'Annotation': 'string',
            'OrderingTimestamp': datetime(2015, 1, 1)
        },
    ],
    ResultToken='string'
)
```
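A complete custom rule built around that call, as an added example (not from the deck): it checks that a resource carries every tag named in the rule parameters and reports one of the four ComplianceType values back to Config. The invocation shape follows what Config hands a custom-rule Lambda; the tag names, resource id, capture time and the offline RecordingConfigClient are constructed for the example.

```python
import json
from datetime import datetime, timezone


def make_config_event(tags, status="ResourceDiscovered", required="Owner,CostCenter"):
    """Constructed sample of what AWS Config hands a custom-rule Lambda:
    invokingEvent and ruleParameters arrive as JSON strings, resultToken is opaque."""
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": "AWS::EC2::Instance",
                "resourceId": "i-0123456789abcdef0",        # constructed id
                "configurationItemCaptureTime": "2016-01-18T03:32:18.000Z",
                "configurationItemStatus": status,
                "tags": tags,
            },
        }),
        "ruleParameters": json.dumps({"requiredTags": required}),
        "resultToken": "constructed-result-token",
    }


def evaluate_required_tags(item, params):
    """The custom check: every tag named in requiredTags must be present on the resource.
    Returns (ComplianceType, Annotation) using the four values put_evaluations accepts."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource no longer exists"
    required = [t.strip() for t in params.get("requiredTags", "").split(",") if t.strip()]
    if not required:
        return "INSUFFICIENT_DATA", "Rule parameter requiredTags is not set"
    missing = [t for t in required if t not in item.get("tags", {})]
    if missing:
        return "NON_COMPLIANT", "Missing tags: " + ", ".join(missing)
    return "COMPLIANT", "All required tags present"


def build_evaluation(event):
    """Turn one Config invocation into the Evaluation dict put_evaluations expects."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_required_tags(item, params)
    captured = datetime.strptime(item["configurationItemCaptureTime"],
                                 "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],   # Config rejects annotations longer than 256 chars
        "OrderingTimestamp": captured,    # must be the capture time of the item evaluated
    }


class RecordingConfigClient:
    """Offline stand-in for boto3.client('config') so the handler can run without AWS."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def lambda_handler(event, context, config_client=None):
    """Lambda entry point: evaluate the item and report the verdict back to Config."""
    if config_client is None:
        import boto3                      # real client only when running inside Lambda
        config_client = boto3.client("config")
    evaluation = build_evaluation(event)
    response = config_client.put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event["resultToken"],
    )
    if response.get("FailedEvaluations"):
        raise RuntimeError("Config rejected evaluations: %r" % response["FailedEvaluations"])
    return evaluation
```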
How do I know what happened – CloudWatch Events

```json
{
  "account": "111111111111",
  "region": "us-east-1",
  "detail": {
    "eventVersion": "1.02",
    "eventID": "c78ce8de-46ee-4fea-bcf4-0e889d419f2f",
    "eventTime": "2016-01-18T03:32:18Z",
    "requestParameters": {
      "userName": "trigger"
    },
    "eventType": "AwsApiCall",
    "responseElements": {
      "user": {
        "userName": "trigger",
        "path": "/",
        "createDate": "Jan 18, 2016 3:32:18 AM",
        "userId": "AIDAIKL7LKTAUFPNJQ3LY",
        "arn": "arn:aws:iam::111111111111:user/trigger"
      }
    },
    "awsRegion": "us-east-1",
    "eventName": "CreateUser",
    "userIdentity": {
      "userName": "IAM-API-RW",
      "principalId": "AIDAI5SJPHVGH1WK7HTQS",
      "accessKeyId": "AKIAIGYEYSX4EVED52YA",
      "type": "IAMUser",
      "arn": "arn:aws:iam::111111111111:user/IAM-API-RW",
      "accountId": "111111111111"
    },
    "eventSource": "iam.amazonaws.com",
    "requestID": "13bb2739-bd94-11e5-9abd-af4e7ff9090f",
    "userAgent": "aws-cli/1.9.20 Python/2.7.10 Darwin/15.2.0 botocore/1.3.20",
    "sourceIPAddress": "111.112.113.114"
  },
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.iam",
  "version": "0",
  "time": "2016-01-18T03:32:18Z",
  "id": "d818DD19-7b16-4e1d-a491-794a26b51657"
}
```
Different sources have different events

The same CreateUser call, made by an IAM user (userIdentity excerpt):

```json
"eventName": "CreateUser",
"userIdentity": {
  "userName": "IAM-API-RW",
  "principalId": "AIDAI5RTPJGHE43K7GEQS",
  "accessKeyId": "AKIADSJGHSXRKVDM52DA",
  "type": "IAMUser",
  "arn": "arn:aws:iam::111111111111:user
  "accountId": "111111111111"
```

and made through an assumed role, where the caller, the issuing role and the MFA state sit under sessionContext (userIdentity excerpt):

```json
"eventName": "CreateUser",
"userIdentity": {
  "principalId": "AROGKTYFTCBFKTESCEVK:henrikj",
  "accessKeyId": "GFSHKUOLZG53JE5DHKRC",
  "sessionContext": {
    "sessionIssuer": {
      "userName": "AssumeAdministrator",
      "type": "Role",
      "arn": "arn:aws:iam::111111111111:role/Administrator",
      "principalId": "AROSKTRDFTXBUFLSKCEVK",
      "accountId": "111111111111"
    },
    "attributes": {
      "creationDate": "2016-01-18T16:50:04Z",
      "mfaAuthenticated": "false"
    }
  },
  "type": "AssumedRole",
  "arn": "arn:aws:sts::111111111111:assumed-role/Administrator/henrikj",
  "accountId": "111111111111"
```
How can I get the different events?

```python
import json


def lambda_handler(event, context):
    # Dump the raw CloudWatch Events payload so each source's shape can be inspected in CloudWatch Logs
    eventdump = json.dumps(event, indent=2)
    print("Received event: " + eventdump)
    return eventdump
```
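An added example (not from the deck) that ties the two userIdentity shapes above to the incident-response blueprint from the "Creating a blueprint" slide: it normalises IAMUser and AssumedRole identities, decides whether the caller is CI/CD or a human, checks mfaAuthenticated, counts occurrences per principal and picks the alert channel. The sample events, the PIPELINE_PRINCIPALS set and the repeat-offender threshold are assumptions made for the example; the in-memory `seen` dict stands in for the DynamoDB check on the slide.

```python
import json


def make_event(user_identity, event_name="CreateUser"):
    """Wrap a userIdentity in the CloudWatch Events / CloudTrail envelope (constructed sample)."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.iam",
        "detail": {
            "eventName": event_name,
            "eventSource": "iam.amazonaws.com",
            "requestParameters": {"userName": "trigger"},
            "sourceIPAddress": "111.112.113.114",
            "userIdentity": user_identity,
        },
    }


def assumed_role_identity(role, session, mfa):
    """userIdentity for an AssumedRole caller, shaped like the second sample above (constructed)."""
    return {
        "type": "AssumedRole",
        "principalId": "AROACONSTRUCTED:" + session,
        "arn": "arn:aws:sts::111111111111:assumed-role/%s/%s" % (role, session),
        "accountId": "111111111111",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "userName": role,
                              "arn": "arn:aws:iam::111111111111:role/" + role},
            "attributes": {"mfaAuthenticated": "true" if mfa else "false"},
        },
    }


# Three constructed events: a long-lived IAM user, an admin session without MFA, the pipeline.
IAM_USER_EVENT = make_event({
    "type": "IAMUser", "userName": "IAM-API-RW",
    "arn": "arn:aws:iam::111111111111:user/IAM-API-RW", "accountId": "111111111111",
})
ADMIN_NO_MFA_EVENT = make_event(assumed_role_identity("Administrator", "henrikj", mfa=False))
PIPELINE_EVENT = make_event(assumed_role_identity("DeployRole", "codepipeline", mfa=False))

# Assumption for this example: the roles/users your CI/CD pipeline calls AWS as.
PIPELINE_PRINCIPALS = {"DeployRole", "jenkins-ci"}
ALERT_CHANNELS = {"high": "SMS/page", "low": "email/tracking system"}


def describe_actor(user_identity):
    """Normalise the IAMUser and AssumedRole userIdentity shapes into one record."""
    session = user_identity.get("sessionContext", {})
    mfa_attr = session.get("attributes", {}).get("mfaAuthenticated")
    mfa = None if mfa_attr is None else mfa_attr == "true"   # None = not recorded
    if user_identity.get("type") == "AssumedRole":
        # arn ends in assumed-role/<RoleName>/<SessionName>; sessionIssuer names the role
        issuer_arn = session.get("sessionIssuer", {}).get("arn", "")
        return {"kind": "AssumedRole",
                "principal": user_identity.get("arn", "").rsplit("/", 1)[-1],
                "issuer": issuer_arn.rsplit("/", 1)[-1], "mfa": mfa}
    return {"kind": user_identity.get("type"), "principal": user_identity.get("userName"),
            "issuer": None, "mfa": mfa}


def triage(event, pipeline_principals=PIPELINE_PRINCIPALS, seen=None):
    """Apply the blueprint: CI/CD -> ticket; human -> MFA check, repeat check, alert level."""
    seen = {} if seen is None else seen      # stand-in for the DynamoDB "first occurrence" table
    detail = event["detail"]
    actor = describe_actor(detail["userIdentity"])
    who = actor["issuer"] or actor["principal"]   # role name for sessions, user name otherwise
    decision = {"event": detail["eventName"], "who": who, "actor": actor,
                "actions": ["revert_change"], "alert": "low"}
    if who in pipeline_principals:
        decision["origin"] = "ci/cd"
        decision["actions"].append("create_ticket")
    else:
        decision["origin"] = "human"
        if actor["mfa"] is not True:          # False or not recorded: treat as no MFA
            decision["actions"].append("require_mfa")
            decision["alert"] = "high"
        seen[who] = seen.get(who, 0) + 1
        if seen[who] > 1:                     # assumption: repeat offenders lose their keys
            decision["actions"].append("disable_access_keys")
            decision["alert"] = "high"
    decision["channel"] = ALERT_CHANNELS[decision["alert"]]
    return decision


def lambda_handler(event, context):
    """Lambda entry point: triage the CloudWatch event and log the decision."""
    decision = triage(event)
    print(json.dumps(decision))
    return decision
```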
Risks
• You can now automatically mess up your approved changes
• No proper alerting and follow-up on automatic events
• Over/under complicated scripts
• No info on desired state
• Race the hacker…automation wars!
Best practices
Implement “Compliance Status” for easy overview
• Use predefined checks
• Create extended custom checks
• Fix the issue while checking
Evaluate/remediate changes/events in your account
• Doesn’t replace log analysis (Machine Learning FTW)
• Protect against changes made by (un)authorized accounts
• Automatic remediation for critical events
• Do forensics on the fly
Always Log and Alert!

AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”
 
Adding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps PipelinesAdding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps Pipelines
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
Secure Management of Fleet at Scale
Secure Management of Fleet at ScaleSecure Management of Fleet at Scale
Secure Management of Fleet at Scale
 
DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...
DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...
DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...
 
Advanced Deployment Best Practices with AWS CodeDeploy (DEV404-R2) - AWS re:I...
Advanced Deployment Best Practices with AWS CodeDeploy (DEV404-R2) - AWS re:I...Advanced Deployment Best Practices with AWS CodeDeploy (DEV404-R2) - AWS re:I...
Advanced Deployment Best Practices with AWS CodeDeploy (DEV404-R2) - AWS re:I...
 
Managing Software from Development to Deployment in the Cloud
Managing Software from Development to Deployment in the CloudManaging Software from Development to Deployment in the Cloud
Managing Software from Development to Deployment in the Cloud
 
AWS re:Invent 2016: Getting Started with Serverless Architectures (CMP211)
AWS re:Invent 2016: Getting Started with Serverless Architectures (CMP211)AWS re:Invent 2016: Getting Started with Serverless Architectures (CMP211)
AWS re:Invent 2016: Getting Started with Serverless Architectures (CMP211)
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Escort Service
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...漢銘 謝
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRachelAnnTenibroAmaz
 
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...university
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.KathleenAnnCordero2
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRsarwankumar4524
 
proposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerproposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerkumenegertelayegrama
 
Internship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SEInternship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SESaleh Ibne Omar
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for  RA (1ST SEMQuality by design.. ppt for  RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMCharmi13
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxAsifArshad8
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comsaastr
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...Henrik Hanke
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸mathanramanathan2005
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this periodSaraIsabelJimenez
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxaryanv1753
 
Application of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxApplication of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxRoquia Salam
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationNathan Young
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck.  .pptxChizaram's Women Tech Makers Deck.  .pptx
Chizaram's Women Tech Makers Deck. .pptxogubuikealex
 

Recently uploaded (19)

Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
 
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
 
proposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerproposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeeger
 
Internship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SEInternship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SE
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for  RA (1ST SEMQuality by design.. ppt for  RA (1ST SEM
Quality by design.. ppt for RA (1ST SEM
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this period
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptx
 
Application of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxApplication of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptx
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism Presentation
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck.  .pptxChizaram's Women Tech Makers Deck.  .pptx
Chizaram's Women Tech Makers Deck. .pptx
 

Introduction to DevSecOps on AWS

1. Introduction to DevSecOps on AWS
   Chuck Meyer, Security Solutions Architect
   © 2016 AWS and affiliates, all rights reserved

2. What is DevOps?
   Cultural Philosophy / Practices / Tools

3. Competing Forces
   Business
   Development: Build it faster
   Operations: Keep it stable
   Security: Make it secure

4. Who is DevSecOps
   DevSecOps is
   • Team/Community effort, not a person
   • Automated and autonomous security
   • Security at scale
   DevSecOps role
   • Not there to audit code
   • Implement the control segments to validate and audit code and artifacts as part of the CI/CD process
   (Diagram: overlap of Security, Operations and Development)

5. Terminology
   DevSecOps / Security Automation / Security at Scale
   Make up your mind…

6. Why security automation
   Reduce risk of human error
   - Automation is effective
   - Automation is reliable
   - Automation is scalable

7. Why security automation
   Reduce risk of human error
   - Automation is effective
   - Automation is reliable
   - Automation is scalable
   Don’t worry…we still need humans

8. Why security automation
   High pace of innovation is great

9. Why security automation
   We also want high pace of:
   • Detection
   • Alerting
   • Remediation
   • Countermeasures
   • Forensics

10. What is DevSecOps
   Three flavors
   - Security of the CI/CD Pipeline
     - Automated IAM roles, Jenkins server hardening, etc.
   - Security in the CI/CD Pipeline
     - Automated security tests, code analysis, etc.
   - Security Automation
     - Automated Incident Response Remediation, forensics, etc.

11. Security in/of the CI/CD Pipeline

12. What is DevSecOps
   DevOps = Efficiencies that speed up this lifecycle
   DevSecOps = Validate building blocks without slowing lifecycle
   (Diagram: Software development lifecycle. Stages: plan, build, test, release, monitor. Delivery pipeline from developers to customers, feedback loop from customers back to developers. Security spans the whole lifecycle.)

13. CI/CD for DevOps
   (Diagram. Components: Version Control, CI Server, Package Builder, Deploy Server. Labels: Dev commits to Git/master; Get / Pull Code; Create Repo; Distributed Builds; Run Tests in parallel; Send Build Report to Dev; Stop everything if build failed; AMIs; Generate CloudFormation Templates for Environment; Push Config; Install; Code / Config / Tests; Test Env, Staging Env, Prod Env.)

14. CI/CD for DevSecOps
   (Diagram. Components: Version Control, CI Server, Package Builder, Promote Process. Labels: Dev validates with Git-Secrets; Get / Pull Code; Audit/Validate Config; Checksum; Continuous Scan; Log for audit; Send Build Report to Security; Stop everything if audit/validation failed; AMIs; CloudFormation Templates for Environment; Code / Config / Tests; Test Env, Staging Env, Prod Env.)

15. What Does DevSecOps CI/CD Give Us?
   • Confidence that our code is validated against corporate security policies.
   • Avoid infrastructure/application failure in a later deployment due to different security configuration
   • Match DevOps pace of innovation
   • Audit and alert
   • Security at scale!

16. Security Automation

17. AWS CloudFormation primer
   Infrastructure is code

18. AWS CloudFormation Primer
   Allows you to define a “template”
   • Composed of different “resources”
   • Provision that template into repeatable, live “stacks”.
   CloudFormation (CFn) provides a single service interface
   • Let CFn perform state changes and govern who calls CFn
   Treat as Code
   • Check in your templates
   CFn templates can hook into external configuration management frameworks
   • Jenkins/Chef/Puppet/etc.

19. AWS CloudFormation Stacks
   (Diagram: one JSON Template provisioned into Stacks for Dev, Test, Staging, Prod and Demos, across Regions.)

20. Split Ownership Configurations
   Who knows your solution best?
   • Dev, Infra, Sec…?
   • Delegate ownership
     • Infra – VPC design, IGW Deployment, Subnets, etc.
     • DevOps – EC2, Elastic Beanstalk, RDS, DynamoDB, etc.
     • OS Patching, Security Agent Deployments, IAM Roles, etc.
   Use YAML and split file into chunks or functions
   • Separate file sources with access control – use IAM/VPC-E/etc.
   • Push files -> Validate -> Merge files -> Validate -> Deploy -> Validate
   AWS CodePipeline or Jenkins for deployment
   • Promotion flows
   • Move from manual to automation based on validation quality
   • Excellent for merging jobs of split configurations

21. Merging
   From single file or multiple files
   • Maintain access control using policies
   • Use different source stores if needed
   Based on function/state
   Reusable patterns
   Maintain order, especially of validation
   • Security validation last to execute
   • Security should always win

22. Validation
   Keep track of what section you are validating
   • Stage vs Prod
   • Merged vs separated
   Validate often and log/alert
   • Validate part and end result
   • Run-time validation
   Tools
   • AWS CodeCommit
   • AWS Lambda
   • Config / Config Rules
   • CloudWatch Logs / CloudWatch Events
   • Etc.
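The "push -> validate -> merge -> validate" gate of slides 20 to 22, with security validation running last and its verdict winning, as an added example that is not part of the deck. It works on JSON CloudFormation fragments (the deck suggests YAML chunks; JSON keeps the example dependency-free). The team fragments, the logical IDs and the two security checks (wildcard IAM policies and public S3 bucket ACLs) are constructed for the example:

```python
# Added example, not from the deck: a pipeline gate for JSON CloudFormation
# fragments owned by different teams.  Each fragment is validated on its own,
# then merged, then the merge is validated, and security checks run last over
# the merged template.  Any security finding fails the gate.  Fragments,
# logical IDs and checks are constructed for the example.
import json


def validate_fragment(owner, fragment):
    """Per-owner structural validation, run before anything is merged."""
    errors = []
    resources = fragment.get("Resources")
    if not isinstance(resources, dict) or not resources:
        return ["%s: fragment has no Resources section" % owner]
    for logical_id, resource in resources.items():
        if "Type" not in resource:
            errors.append("%s: resource %s has no Type" % (owner, logical_id))
    return errors


def merge_fragments(fragments):
    """Merge (owner, fragment) pairs; a logical ID may belong to only one owner."""
    merged = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {}, "Outputs": {}}
    errors = []
    for owner, fragment in fragments:
        for section in ("Resources", "Outputs"):
            for logical_id, body in fragment.get(section, {}).items():
                if logical_id in merged[section]:
                    errors.append("%s: duplicate %s logical ID %s" % (owner, section, logical_id))
                    continue
                merged[section][logical_id] = body
    return merged, errors


def _statements(policy_document):
    statements = policy_document.get("Statement", [])
    return statements if isinstance(statements, list) else [statements]


def _is_wildcard(value):
    return value == "*" or (isinstance(value, list) and "*" in value)


def security_checks(template):
    """Security validation runs last over the merged template; its findings block deployment."""
    findings = []
    for logical_id, resource in template["Resources"].items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {})
        documents = []
        if rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            documents.append(props.get("PolicyDocument", {}))
        if rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
            documents += [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        for document in documents:
            for statement in _statements(document):
                if (statement.get("Effect") == "Allow"
                        and _is_wildcard(statement.get("Action"))
                        and _is_wildcard(statement.get("Resource"))):
                    findings.append("%s: Allow * on * (wildcard policy)" % logical_id)
        if rtype == "AWS::S3::Bucket" and props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
            findings.append("%s: bucket ACL is %s" % (logical_id, props["AccessControl"]))
    return findings


def run_gate(fragments):
    """Returns (ok, report, merged_template); merged_template is None when the gate fails early."""
    report = {"fragment_errors": [], "merge_errors": [], "security_findings": []}
    for owner, fragment in fragments:
        report["fragment_errors"] += validate_fragment(owner, fragment)
    if report["fragment_errors"]:
        return False, report, None
    merged, report["merge_errors"] = merge_fragments(fragments)
    if report["merge_errors"]:
        return False, report, None
    report["security_findings"] = security_checks(merged)
    return not report["security_findings"], report, merged


# Constructed fragments: Infra owns the network, DevOps owns the app role,
# Security owns the audit bucket.  The DevOps role is deliberately too broad.
INFRA = {"Resources": {"AppVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}}}}
DEVOPS = {"Resources": {"AppRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
    "Policies": [{"PolicyName": "app", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}}}
SECURITY = {"Resources": {"AuditBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}}}}
PIPELINE_INPUT = [("infra", INFRA), ("devops", DEVOPS), ("security", SECURITY)]

if __name__ == "__main__":
    ok, report, _ = run_gate(PIPELINE_INPUT)
    print("DEPLOY" if ok else "BLOCKED", json.dumps(report, indent=2))
```

In a CodePipeline or Jenkins job the same function sits between the merge step and the deploy step, and a `False` result is what "stop everything if audit/validation failed" on slide 14 means in practice; the merged template only reaches CloudFormation when the security stage returns no findings.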
23. Where else can this be applied?
   • CloudFormation Template – AWS CloudFormation
   • Task Definition – Amazon EC2 Container Service
   • Application Specification File (AppSpec file) – AWS CodeDeploy
   …and more.

24. AWS Tooling
   Execution
   • Lambda
   Tracking
   • AWS Config Rules
   • Amazon CloudWatch Events
   • AWS CloudTrail
   • AWS Inspector
   Track/Log
   • Amazon CloudWatch Logs
   • Amazon DynamoDB
   Alert
   • SNS
   Third party
   Open Source

25. Other resources / Open Source
   • Some of the projects out there:
     – ThreatResponse.cloud https://threatresponse.cloud
     – Cloud Custodian https://github.com/capitalone/cloud-custodian
     – Security Monkey https://github.com/Netflix/security_monkey
     – FIDO https://github.com/Netflix/Fido
   • And many more…

26. Automatic Incident Response Remediation

27. Creating a blueprint
   Continuous / Event based
   • Config Rules
   • CloudWatch Events
   Is it region specific?
   Will the action risk breaking something?
   • Yes: Call human
   • No: Lambda
   Will enabling it add cost?
   • Yes: Based on possible cost limit, call human
   • No/Minor: Set rules
   Is there a source of truth?
   • Config Rules: Check previous (caution on multiple events)
   • CWE: Check tag/DDB (have default value)
   Action
   • Revert change based on above
   Forensic
   • Is it human (or unknown source) or machine (CI/CD)?
     • CI/CD: Create ticket (Jira etc.)
     • Human: Should we countermeasure/prevent?
       • Are they using MFA? No: Add MFA (external Lambda)
       • First occurrence (check DDB)? Yes: Disable account/keys
   Alert
   • High: SMS/Page
   • Low: Email/tracking system
   Logging
   • Is it sensitive? Yes: Encrypt (KMS); No: Cleartext
   • Always: Access control

28. The anatomy of security automation
   Mode                  Section         Actions
   Initiate              React           Config Rules / CloudWatch Events / Log Parsing
   Initiate              Trigger         Lambda
   Initiate              Learn           Lambda / CloudWatch Logs
   Execution (Priority)  Action          Restart service, delete user, etc.
   Execution (Priority)  Forensics       Discover: who/where/when, allowed to execute?
   Execution (Priority)  Countermeasure  Disable access keys, isolate instance, etc.
   Execution (Priority)  Alert           Text/Page, email, ticket system
   Execution (Priority)  Logging         Database, ticket system, encrypt data?

29. How do I know what happened - Config

30. The key to Custom Rules

   # boto3 request syntax for reporting a custom rule's verdict to AWS Config
   response = client.put_evaluations(
       Evaluations=[
           {
               'ComplianceResourceType': 'string',
               'ComplianceResourceId': 'string',
               'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
               'Annotation': 'string',
               'OrderingTimestamp': datetime(2015, 1, 1)
           },
       ],
       ResultToken='string'
   )
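What produces the `Evaluations` list that slide 30 hands to `put_evaluations()`, as an added example that is not from the deck: the rule Lambda receives an `invokingEvent` JSON string carrying the `configurationItem`, evaluates it and reports one evaluation for that resource. The check itself (security-group ingress from `0.0.0.0/0` on restricted ports), the `restrictedPorts` rule parameter and the sample configuration item are constructed for the example; the event shape follows what Config passes to a custom-rule Lambda:

```python
# Added example, not from the deck: the decision logic behind a custom AWS
# Config rule, i.e. what feeds the put_evaluations() call on the slide.
# The check (world-open ingress on restricted ports), the rule parameter
# restrictedPorts and the sample configuration item are constructed.
import json
from datetime import datetime, timezone

WORLD = ("0.0.0.0/0", "::/0")


def _cidrs(permission):
    """CIDRs of one ipPermissions entry, covering the older ipRanges list and ipv4Ranges/ipv6Ranges."""
    cidrs = list(permission.get("ipRanges", []))
    cidrs += [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return cidrs


def _port_in_range(port, permission):
    """ipProtocol -1 (all traffic) carries no ports and therefore matches every port."""
    low, high = permission.get("fromPort"), permission.get("toPort")
    if low is None or high is None:
        return True
    return low <= port <= high


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only evaluates security groups"
    restricted = {int(p) for p in rule_parameters.get("restrictedPorts", "22,3389").split(",")}
    offenders = set()
    for permission in configuration_item.get("configuration", {}).get("ipPermissions", []):
        if not any(c in WORLD for c in _cidrs(permission)):
            continue
        offenders.update(p for p in restricted if _port_in_range(p, permission))
    if offenders:
        ports = ",".join(str(p) for p in sorted(offenders))
        return "NON_COMPLIANT", "Ingress from 0.0.0.0/0 on restricted port(s) %s" % ports
    return "COMPLIANT", "No world-open ingress on restricted ports"


def build_evaluation(configuration_item, rule_parameters):
    """One entry of the Evaluations list in the shape put_evaluations() expects."""
    compliance, annotation = evaluate_compliance(configuration_item, rule_parameters)
    captured = datetime.strptime(configuration_item["configurationItemCaptureTime"],
                                 "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": captured,
    }


def lambda_handler(event, context, config_client=None):
    """Config rule entry point; inside Lambda pass boto3.client('config') as config_client."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    evaluation = build_evaluation(invoking_event["configurationItem"], rule_parameters)
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event: a security group that allows SSH from anywhere.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2016-01-18T03:32:18.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"restrictedPorts": "22,3389"}),
    "resultToken": "example-result-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2, default=str))
```

Keeping the verdict in `evaluate_compliance()` and the API plumbing in `lambda_handler()` is what makes the rule testable offline, which matters for the "validate often" advice on slide 22: the check can be exercised against captured configuration items without touching the account.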
  • 31. © 2016 AWS and affiliates, all rights reserved How do I know what happened – CloudWatch Events { ”account”: “111111111111”, ”region”: “us-east-1”, ”detail”: { ”eventVersion”: “1.02”, ”eventID”: “c78ce8de-46ee-4fea-bcf4-0e889d419f2f”, ”eventTime”: “2016-01-18T03:32:18Z”, ”requestParameters”: { ”userName”: “trigger” }, ”eventType”: “AwsApiCall”, ”responseElements”: { ”user”: { ”userName”: “trigger”, ”path”: “/”, ”createDate”: “Jan 18, 2016 3:32:18 AM”, ”userId”: “AIDAIKL7LKTAUFPNJQ3LY”, ”arn”: “arn:aws:iam::111111111111:user/trigger” } }, ”awsRegion”: “us-east-1”, ”eventName”: “CreateUser”, ”userIdentity”: { ”userName”: “IAM-API-RW”, ”principalId”: “AIDAI5SJPHVGH1WK7HTQS”, ”accessKeyId”: “AKIAIGYEYSX4EVED52YA”, ”type”: “IAMUser”, ”arn”: “arn:aws:iam::111111111111:user/IAM-API-RW”, ”accountId”: “111111111111” }, ”eventSource”: “iam.amazonaws.com”, ”requestID”: “13bb2739-bd94-11e5-9abd-af4e7ff9090f”, ”userAgent”: “aws-cli/1.9.20 Python/2.7.10 Darwin/15.2.0 botocore/1.3.20”, ”sourceIPAddress”: “111.112.113.114” }, ”detail-type”: “AWS API Call via CloudTrail”, ”source”: “aws.iam”, ”version”: “0”, ”time”: “2016-01-18T03:32:18Z”, ”id”: “d818DD19-7b16-4e1d-a491-794a26b51657”,
  • 32. © 2016 AWS and affiliates, all rights reserved Different sources have different event ”eventName”: “CreateUser”, ”userIdentity”: { ”userName”: “IAM-API-RW”, ”principalId”: “AIDAI5RTPJGHE43K7GEQS”, ”accessKeyId”: “AKIADSJGHSXRKVDM52DA”, ”type”: “IAMUser”, ”arn”: “arn:aws:iam::111111111111:user ”accountId”: “111111111111” ”eventName”: “CreateUser”, "userIdentity": { "principalId": "AROGKTYFTCBFKTESCEVK:henrikj", "accessKeyId": ”GFSHKUOLZG53JE5DHKRC", "sessionContext": { "sessionIssuer": { "userName": ”AssumeAdministrator", "type": "Role", "arn": "arn:aws:iam::111111111111:role/Administrator", "principalId": "AROSKTRDFTXBUFLSKCEVK", "accountId": " 111111111111 " }, "attributes": { "creationDate": "2016-01-18T16:50:04Z", "mfaAuthenticated": "false" } }, "type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed- role/Administrator/henrikj", "accountId": "111111111111"
  • 33. © 2016 AWS and affiliates, all rights reserved How can I get the different events? import json def lambda_handler(event, context): eventdump = json.dumps(event, indent=2) print("Received event: " + json.dumps(event, indent=2)) return eventdump
  • 34. Risks
    • You can now automatically mess up your approved changes
    • No proper alerting and follow-up on automated events
    • Over- or under-complicated scripts
    • No information on desired state
    • Racing the attacker: automation wars!
  • 35. Best practices
    Implement a "Compliance Status" for an easy overview
    • Use predefined checks
    • Create extended custom checks
    • Fix the issue while checking
    Evaluate and remediate changes/events in your account
    • This doesn't replace log analysis (machine learning FTW)
    • Protect against changes made by unauthorized (and authorized) accounts
    • Automatic remediation for critical events
    • Do forensics on the fly
    Always log and alert!
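The handler on slide 33 only dumps the event. As an added example, not code from the deck, here is the next step the slides describe: one handler that normalizes the two "userIdentity" shapes from slide 32 (IAMUser and AssumedRole) into a stable principal, checks that principal against an approved list for critical IAM events, flags missing MFA, and returns a remediation decision instead of only printing. The approved-principal set, the critical-event list and both sample events are constructed for this example (the samples are trimmed copies of the slide 31 and slide 32 records); the remediation action itself (an IAM API call, a page to the on-call) is left for the reader to wire in after the decision.

```python
import json

# Constructed allow-list for this example: the only principals approved to make
# sensitive IAM changes. Anything else performing a critical event is remediated.
APPROVED_IAM_PRINCIPALS = {"arn:aws:iam::111111111111:user/IAM-API-RW"}

# CloudTrail eventNames treated as critical for this example.
CRITICAL_IAM_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                       "AttachUserPolicy", "PutUserPolicy"}


def acting_principal(user_identity):
    """Normalize CloudTrail userIdentity into a stable principal.

    IAMUser records carry the user's ARN directly. AssumedRole records carry a
    per-session STS ARN; the stable identity is sessionIssuer.arn and the human
    is the session name after the colon in principalId. mfaAuthenticated exists
    only for sessions, so a long-lived access key is treated as no MFA.
    """
    session = user_identity.get("sessionContext", {})
    mfa = session.get("attributes", {}).get("mfaAuthenticated") == "true"
    if user_identity.get("type") == "AssumedRole":
        issuer = session.get("sessionIssuer", {})
        session_name = user_identity.get("principalId", "").partition(":")[2] or None
        return {"type": "AssumedRole", "principal_arn": issuer.get("arn"),
                "session_name": session_name, "mfa": mfa}
    return {"type": user_identity.get("type"), "principal_arn": user_identity.get("arn"),
            "session_name": None, "mfa": mfa}


def evaluate(event):
    """Decide whether a CloudTrail record delivered via CloudWatch Events needs action."""
    detail = event["detail"]
    actor = acting_principal(detail["userIdentity"])
    event_name = detail["eventName"]
    findings = []
    if event_name in CRITICAL_IAM_EVENTS:
        if actor["principal_arn"] not in APPROVED_IAM_PRINCIPALS:
            findings.append("unapproved-principal")
        if not actor["mfa"]:
            findings.append("no-mfa")
    return {
        "event": event_name,
        "target_user": detail.get("requestParameters", {}).get("userName"),
        "actor": actor,
        "findings": findings,
        # Roll back only the unapproved case; an approved automation key without
        # MFA is an alert, not a rollback, or the pipeline breaks itself (slide 34).
        "remediate": "unapproved-principal" in findings,
    }


def lambda_handler(event, context):
    """Entry point: log the raw event first (slide 33), then evaluate it."""
    print("Received event: " + json.dumps(event, indent=2))
    decision = evaluate(event)
    print("Decision: " + json.dumps(decision))
    return decision


# Constructed sample events, trimmed from the slide 31 and slide 32 records.
EVENT_IAM_USER = {"detail-type": "AWS API Call via CloudTrail", "source": "aws.iam",
    "detail": {"eventName": "CreateUser", "requestParameters": {"userName": "trigger"},
        "userIdentity": {"type": "IAMUser", "userName": "IAM-API-RW",
            "principalId": "AIDAI5SJPHVGH1WK7HTQS",
            "arn": "arn:aws:iam::111111111111:user/IAM-API-RW",
            "accountId": "111111111111"}}}

EVENT_ASSUMED_ROLE = {"detail-type": "AWS API Call via CloudTrail", "source": "aws.iam",
    "detail": {"eventName": "CreateUser", "requestParameters": {"userName": "trigger"},
        "userIdentity": {"type": "AssumedRole",
            "principalId": "AROGKTYFTCBFKTESCEVK:henrikj",
            "arn": "arn:aws:sts::111111111111:assumed-role/Administrator/henrikj",
            "accountId": "111111111111",
            "sessionContext": {
                "sessionIssuer": {"type": "Role",
                    "arn": "arn:aws:iam::111111111111:role/Administrator",
                    "principalId": "AROSKTRDFTXBUFLSKCEVK", "accountId": "111111111111"},
                "attributes": {"creationDate": "2016-01-18T16:50:04Z",
                               "mfaAuthenticated": "false"}}}}}


if __name__ == "__main__":
    lambda_handler(EVENT_IAM_USER, None)      # approved key, no MFA: alert only
    lambda_handler(EVENT_ASSUMED_ROLE, None)  # unapproved role session: remediate
```

Keying the check on `sessionIssuer.arn` rather than the assumed-role ARN matters: the session ARN changes with every session name, so an allow-list built on it is either trivially bypassed by choosing another session name or never matches at all.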

Editor's Notes

  1. Let's start by looking at what DevOps is. Three things: a cultural philosophy on how changes and deployments are handled within the organization; the practices built around this; and the tools you have, use or develop to perform it.
  2. Developers are paid to change things, i.e. write code; Ops folks are paid to NOT change things and keep things stable. Adding security to the mix, we can say that security is paid to make sure what development is doing does not introduce insecurity that ops will then make public.
  3. The perimeter is no longer an option. Security, now more than ever, is an arms race. The only way to win: customer focus; open and transparent; iteration over perfection; hunting over reaction.
  4. It doesn't matter whether you need to run it one time or 1000 times.
  5. Don't worry, we still need humans, just focused.
  6. Let's look at a software development lifecycle. Here is the general development lifecycle for an application or service: every new feature or bug fix goes through this process. A developer writes code; the code is built and unit tested; the app is deployed to a testing environment for deeper testing; finally it is given a thumbs up and deployed to production, where customers can use it. After that happens, the company can collect feedback from customers, make decisions, and continue to iterate and improve the product. The faster you can complete that loop, the faster you can innovate. Where does security come in here? It's important to understand that we cannot implement one point of presence. We need to integrate with the flow of events in order to be agile and elastic and not be a blocker for the pace of innovation.
  7. Example of a CI/CD flow
  8. Add git-secrets. Looking at the same flow through our secret DevSec goggles we see a different picture: we need to inject ourselves into all parts and sections of the flow. Highlight the promotion process and manual vs. automated process as a segue to the next slide. Mention git-secrets to look for keys on commits.
  9. One of the key components in this is treating your infrastructure as code.
  10. You may want to stage that application stack through Dev/Test/Prod. You may want to have a stripped-down version of the stack for demo purposes. You may want to have the stack in multiple regions. You may want to package the configuration and ship it to a customer. You can also version-control the template you have carefully designed. Templatization and replication are useful in other scenarios as well: if you want everyone in your company to use a standard VPC configuration, you can capture the standard configuration in a CloudFormation template and have everyone use it; if you have an IT service catalog that needs to stamp out copies of services to multiple users, you can use CloudFormation as a building block.
  11. Poll: who knows what YAML stands for? (YAML Ain't Markup Language.) It is important to validate after merging to get the correct build/state. Notice I mentioned validate: it's important!
  12. If security fails, the flow fails.
  13. Keeping track of the target is important when working on checked-in resources through, for example, Jenkins jobs. Validating the wrong file or state can cause instant failures or insecure deployments. We will show more on run-time validation shortly. The script is validating that all of the IP addresses within the CloudFormation template are from the corporate CIDR block.
  14. Where this becomes really important is when you look at the actual components and what you can do in terms of securing and validating the workload. CFN: explain the CloudFormation template and how you can use it to enforce certain AMIs, network config, security groups, etc. ECS: explain the Task Definition and how this allows you to enforce port mappings, CPU/RAM usage, etc. CodeDeploy: explain AppSpec.yml and how you can run validation scripts and fail the deployment if they fail; it defines what software to install and which lifecycle hooks to take action upon. In general, you have a software artifact that you can deploy with an AWS service, and these services can be configured to enforce your security processes. Validation is key! A Task Definition controls: which Docker images to use with the containers in your task; how much CPU and memory to use with each container; whether containers are linked together in a task; what (if any) ports from the container are mapped to the host container instance; whether the task should continue to run if the container finishes or fails; the command the container should run when it is started; what (if any) environment variables should be passed to the container when it starts; any data volumes that should be used with the containers in the task.
  15. 30-second slide! Make a new slide for best practices if needed. We are not going to focus on the tools, just a quick roundup. The pen is mightier than the sword, but Lambda is running circles around that pen.
  16. Config Rules are only available in us-east-1 at the moment. Rules are region-specific; IAM events are recorded in us-east-1.
  17. Priced based on the number of active rules per month: $2.00 per active rule per month, with an account-level allowance of 20,000 evaluations per active rule and an overage of $0.0001 per evaluation. Evaluation: a single result reported for a rule/resource pair; evaluations are shared across rules in the account. Active rule: a rule with at least one evaluation that month. Customer-managed rules may incur additional charges from AWS Lambda.
  18. Why this is important (logging).
  19. First step for any new function: introducing the dump function. Easy, just tie it to the trigger and dump.
  20. The library of predefined checks is growing.
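The script referred to in note 13, which validates that every IP range in a CloudFormation template comes from the corporate CIDR block, is not reproduced in the deck. The following is an added example of such a check and not the original script. It walks a JSON template, collects every CidrIp/CidrIpv6 value wherever it appears (inline SecurityGroupIngress lists or standalone ingress resources), fails closed on non-literal values such as {"Ref": ...} whose range cannot be known at lint time, and exits non-zero so the pipeline stage fails, as note 12 prescribes. The corporate ranges and the sample template are constructed for this example; a real pipeline would pass the template path as the first argument.

```python
import ipaddress
import json
import sys

# Assumed corporate address space for this example; substitute your own blocks.
CORPORATE_CIDRS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("203.0.113.0/24")]

# Template keys that hold an IP range in security group rules.
CIDR_KEYS = ("CidrIp", "CidrIpv6")


def iter_cidr_values(node, path="Resources"):
    """Yield (json_path, value) for every CIDR key anywhere under node.

    Recurses through dicts and lists so it finds ranges in inline ingress/egress
    arrays and in standalone AWS::EC2::SecurityGroupIngress resources alike.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in CIDR_KEYS:
                yield child, value
            else:
                yield from iter_cidr_values(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_cidr_values(item, f"{path}[{index}]")


def validate_template(template):
    """Return a list of violation strings; an empty list means the template passes."""
    violations = []
    for path, value in iter_cidr_values(template.get("Resources", {})):
        if not isinstance(value, str):
            # {"Ref": ...} or an Fn:: intrinsic: the real range is unknown here,
            # so fail closed instead of silently accepting it.
            violations.append(f"{path}: non-literal value {json.dumps(value)}; "
                              "resolve parameters before validating")
            continue
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            violations.append(f"{path}: {value!r} is not a valid CIDR")
            continue
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(network.version == corp.version and network.subnet_of(corp)
                   for corp in CORPORATE_CIDRS):
            violations.append(f"{path}: {value} is outside the corporate address space")
    return violations


# Constructed sample template: one approved rule, one world-open rule, one
# parameterized rule that cannot be checked statically.
SAMPLE_TEMPLATE = {"Resources": {"WebSg": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.1.2.0/24"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": {"Ref": "AdminCidr"}},
        ],
    },
}}}


def main(argv):
    """CI entry point: validate the JSON template at argv[1], or the sample."""
    if len(argv) > 1:
        with open(argv[1]) as handle:
            template = json.load(handle)
    else:
        template = SAMPLE_TEMPLATE
    problems = validate_template(template)
    for problem in problems:
        print("FAIL " + problem)
    return 1 if problems else 0  # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a build step after the template is merged (note 11: validate post-merge, so the state you check is the state you deploy); parameterized ranges should be resolved against the parameter file for the target environment before the check, otherwise the fail-closed branch will block the deploy.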