As information technology becomes strategic to more enterprises and government agencies, and as the threat landscape grows more challenging, governance, risk management, and compliance (GRC) are increasingly C-suite issues. In this session, we examine how the AWS cloud platform, through APIs and automation, enables advances in governance and compliance and the implementation of best practices. Learn how AWS can help senior leadership confidently answer key governance questions such as: What do I have? How is it performing? Who controls it? Is it secure and compliant? Are we using the right processes and protections when we make changes? What is it costing me?
2. IT governance: high-level definition
• “The leadership, organizational structures, and processes to ensure that the organization's IT sustains and extends the organization's strategies and objectives.”
→ IT Governance Institute
3. Where does governance sit?
• Part of a larger complex of GRC(S): governance, risk management, compliance/security
• Compliance (policy) and security (implementation) are shared responsibilities on AWS
• Risk management (balancing risks against benefits) is a strategic requirement and responsibility
• Governance: the high-level category encompassing all the policies and practices required to assure safe and sane use of IT
• Governance is your responsibility, with help from AWS tools and capabilities
4. Key governance questions
• What do I have?
• How is it performing?
• Who is controlling it?
• What is it costing me?
• Is it secure and compliant?
• Are changes occurring with the right processes and protections?
5. AWS and governance
• AWS capabilities and services provide key building blocks for systems that answer these questions
• Better answers than were ever available in traditional infrastructure
• Integration challenges remain, but don’t let on-premises systems constrain how you leverage the cloud
6. What do I have?
• Describe* API calls enumerate every resource (for example, aws ec2 describe-instances)
• AWS Config records configuration items and their relationships (a resource graph) and keeps their history over time
• (Building a comprehensive, accurate configuration database on-premises is practically impossible)
• AWS Config Rules evaluate each change and trigger a response
• The partner ecosystem adds more value and richer capabilities
• Theme: AWS provides the data feeds; anyone can build tooling on them
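To make the "evaluate changes and respond" bullet concrete, here is a custom AWS Config rule as an added example (not code from the session or from AWS). Config delivers a configuration item for every recorded change; the rule checks it for required tags and, for security groups, for forbidden ports opened to 0.0.0.0/0 or ::/0, and returns COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE. The requiredTags and forbiddenPorts rule parameters, their defaults, and the sample configuration items are assumptions for this example; the event and configuration-item field names are the ones AWS Config uses.

```python
"""
Custom AWS Config rule: added example for this page, not code from the session.
AWS Config hands the rule one configuration item per recorded change; the rule
decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE and, deployed as a Lambda
function, reports that back with config:PutEvaluations. Assumed, not from the
page: the `requiredTags` / `forbiddenPorts` rule parameters and the sample items.
"""
import json

DEFAULT_REQUIRED_TAGS = "Owner,CostCenter"
DEFAULT_FORBIDDEN_PORTS = "22,3389"
WORLD = ("0.0.0.0/0", "::/0")


def _csv(value):
    return [v.strip() for v in str(value).split(",") if v.strip()]


def missing_tags(item, required):
    """AWS Config records the resource's tags in item['tags']."""
    tags = item.get("tags") or {}
    return sorted(t for t in required if not tags.get(t))


def world_exposed_ports(item, forbidden_ports):
    """Forbidden ports that any inbound rule opens to 0.0.0.0/0 or ::/0."""
    exposed = set()
    for perm in (item.get("configuration") or {}).get("ipPermissions", []):
        # Config emits ipv4Ranges/ipv6Ranges as dicts and legacy ipRanges as plain strings.
        cidrs = [r if isinstance(r, str) else r.get("cidrIp") for r in perm.get("ipRanges", [])]
        cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if not any(c in WORLD for c in cidrs):
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if perm.get("ipProtocol") == "-1" or lo is None:  # "all traffic" rule
            exposed.update(forbidden_ports)
        else:
            exposed.update(p for p in forbidden_ports if lo <= p <= hi)
    return sorted(exposed)


def evaluate_compliance(item, rule_parameters=None):
    """Pure decision logic: no SDK calls, so it can be unit-tested offline."""
    params = rule_parameters or {}
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "Resource deleted"}
    required = _csv(params.get("requiredTags", DEFAULT_REQUIRED_TAGS))
    ports = [int(p) for p in _csv(params.get("forbiddenPorts", DEFAULT_FORBIDDEN_PORTS))]
    problems = []
    missing = missing_tags(item, required)
    if missing:
        problems.append("missing tags: " + ",".join(missing))
    if item.get("resourceType") == "AWS::EC2::SecurityGroup":
        exposed = world_exposed_ports(item, ports)
        if exposed:
            problems.append("open to the world on ports " + ",".join(map(str, exposed)))
    if problems:  # the Config API caps Annotation at 256 characters
        return {"ComplianceType": "NON_COMPLIANT", "Annotation": "; ".join(problems)[:256]}
    return {"ComplianceType": "COMPLIANT", "Annotation": "Tags present, no forbidden exposure"}


def lambda_handler(event, context):
    """Lambda entry point: unwrap the Config event, decide, report back."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    result = evaluate_compliance(item, json.loads(event.get("ruleParameters") or "{}"))
    import boto3  # imported here so the decision logic above needs no SDK
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": result["ComplianceType"],
                      "Annotation": result["Annotation"],
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    return result


# Constructed sample configuration items (not captured from a real account).
SAMPLE_ITEMS = {
    "untagged_instance": {
        "resourceType": "AWS::EC2::Instance", "resourceId": "i-0example1",
        "configurationItemStatus": "OK", "tags": {"Owner": "dev-team"}, "configuration": {}},
    "ssh_open_sg": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example2",
        "configurationItemStatus": "OK", "tags": {"Owner": "dev-team", "CostCenter": "4711"},
        "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    "restricted_sg": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example3",
        "configurationItemStatus": "OK", "tags": {"Owner": "dev-team", "CostCenter": "4711"},
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    "deleted_bucket": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "old-bucket",
        "configurationItemStatus": "ResourceDeleted", "tags": {}},
}
```

The decision logic is kept apart from the SDK call on purpose: evaluate_compliance takes a plain configuration item and can be exercised offline against the sample items, while lambda_handler is only the wrapper that reports the result through PutEvaluations. Deleted resources are returned as NOT_APPLICABLE so they do not linger as stale findings, and a "443 open to the world" rule passes because only the forbidden ports are checked.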
7. How is it performing?
• Services emit metrics into Amazon CloudWatch
• Accessible through the console, CLI, and API
• Alarms can be set on any metric
• Amazon CloudWatch Logs ingests OS and application log data
• Amazon Elasticsearch Service provides managed indexing, querying, and visualization of CloudWatch Logs data
• Both CloudWatch and CloudWatch Logs integrate with Amazon Simple Notification Service (SNS)
• AWS Trusted Advisor (TA): dashboard and alerts for underutilization, security, and availability issues
• Rich integration with third-party monitoring platforms from AWS partners
8. Who is controlling it?
• Powerful, fine-grained AWS Identity and Access Management (IAM) capabilities
• Authentication and authorization
• Reporting and analysis
• Rich integration with enterprise identity systems through SAML 2.0 federation or directly with Active Directory
• Tagging for authorization, administration, and billing
9. Cost transparency and control
• Everything is billed by usage (per hour, per gigabyte, etc.)
• Billing data updated about four times per day
• Programmatic access to all billing data, linked to user-created resource tags
• Cost Explorer and other tooling
• CloudWatch alarms on billing metrics
• AWS Marketplace helps with software license management challenges
10. Secure and compliant? Are changes occurring with the right processes and protections?
• AWS infrastructure: yes; see the frequently updated third-party audit reports
• Customer usage: you can get to “yes” more readily than ever before
• Great tools and building blocks to build the right models, processes, and automation
11. Tools and building blocks
• Trusted Advisor surfaces obvious (possible) issues
• CloudWatch (and CloudWatch Logs), VPC Flow Logs, Amazon S3 access logs, Elastic Load Balancing access logs
• Amazon Elasticsearch Service for managed search, analysis, and visualization
• AWS CloudTrail, AWS Config and Config Rules, Amazon Inspector
• VPC peering (including cross-account)
• Identity federation and cross-account role-based access
• AWS Service Catalog and AWS CloudFormation for repeatable processes
• GoldBase: pre-audited layers with an automation framework for compliant environments (demo coming)
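The CloudTrail, Config and log tooling listed above only answers “who is controlling it?” (slide 8) if something actually reads the trail. As an added example (not code from the session or from AWS), the following pass runs a small rule set over CloudTrail records and attributes each finding to the calling principal: root-account use, tampering with the trail or the Config recorder, privilege grants, console logins without MFA, and core networking changes made outside the approved CloudFormation path. The rule set, the severity labels, the assumption that approved changes arrive via CloudFormation (recognized by userIdentity.invokedBy or the userAgent being cloudformation.amazonaws.com), and the sample records are all constructed for this example; the record field names are CloudTrail's.

```python
"""
Detection pass over AWS CloudTrail records: added example for this page, not
code from the session. It attributes every finding to the calling principal
(slide 8's "who is controlling it?") and flags the changes a central GRC team
most wants to see. Assumed, not from the page: the rule list, that the approved
change path is CloudFormation (seen as invokedBy / userAgent
"cloudformation.amazonaws.com"), the severity labels, and the sample records.
"""

AUDIT_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
                             "DeleteDeliveryChannel", "DeleteConfigRule"},
}
PRIVILEGE_GRANTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy", "PutUserPolicy",
                    "PutRolePolicy", "PutGroupPolicy", "CreateAccessKey", "CreateLoginProfile",
                    "UpdateAssumeRolePolicy"}
CORE_NETWORK_CHANGES = {"CreateVpc", "DeleteVpc", "CreateSubnet", "CreateRoute", "ModifyVpcAttribute",
                        "CreateInternetGateway", "AttachInternetGateway", "CreateVpcPeeringConnection",
                        "AcceptVpcPeeringConnection", "AuthorizeSecurityGroupIngress"}
APPROVED_AUTOMATION = "cloudformation.amazonaws.com"  # assumed MSO change path


def actor(record):
    """Principal to attribute the event to; falls back to the role a session was issued from."""
    ident = record.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return ident.get("arn") or issuer.get("arn") or ident.get("principalId") or "unknown"


def via_approved_automation(record):
    ident = record.get("userIdentity") or {}
    return APPROVED_AUTOMATION in (ident.get("invokedBy"), record.get("userAgent"))


def classify(record):
    """Return (severity, rule) for one record, or None if nothing fired."""
    if record.get("errorCode"):
        return None  # a denied or failed call changed nothing (worth its own rule, omitted here)
    ident = record.get("userIdentity") or {}
    source, name = record.get("eventSource"), record.get("eventName")
    if ident.get("type") == "Root":
        return ("HIGH", "root-account-activity")
    if name in AUDIT_TAMPERING.get(source, ()):
        return ("HIGH", "audit-trail-tampering")
    if source == "iam.amazonaws.com" and name in PRIVILEGE_GRANTS:
        policy = (record.get("requestParameters") or {}).get("policyArn", "")
        return ("HIGH" if policy.endswith("/AdministratorAccess") else "MEDIUM", "privilege-grant")
    if name == "ConsoleLogin" and (record.get("responseElements") or {}).get("ConsoleLogin") == "Success":
        if (record.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            return ("MEDIUM", "console-login-without-mfa")
    if source == "ec2.amazonaws.com" and name in CORE_NETWORK_CHANGES and not via_approved_automation(record):
        return ("MEDIUM", "core-network-change-outside-pipeline")
    return None


def detect(records):
    """Run every rule over every record and return the findings in log order."""
    findings = []
    for rec in records:
        hit = classify(rec)
        if hit:
            findings.append({"severity": hit[0], "rule": hit[1], "event": rec.get("eventName"),
                             "actor": actor(rec), "sourceIP": rec.get("sourceIPAddress"),
                             "time": rec.get("eventTime"), "eventID": rec.get("eventID")})
    return findings


# Constructed sample log in the shape of a CloudTrail file ({"Records": [...]}); not from a real account.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2015-10-07T14:02:11Z", "eventSource": "ec2.amazonaws.com", "eventID": "e1",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/DevTeam/alice",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/DevTeam"}}}},
    {"eventTime": "2015-10-07T14:05:40Z", "eventSource": "ec2.amazonaws.com", "eventID": "e2",
     "eventName": "CreateSubnet", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userAgent": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/mso-deployer",
                      "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventTime": "2015-10-07T14:09:03Z", "eventSource": "iam.amazonaws.com", "eventID": "e3",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2015-10-07T14:12:55Z", "eventSource": "signin.amazonaws.com", "eventID": "e4",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2015-10-07T14:20:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventID": "e5",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10", "requestParameters": {"name": "mso-audit"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2015-10-07T14:21:30Z", "eventSource": "ec2.amazonaws.com", "eventID": "e6",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]}

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG["Records"]):
        print(f["severity"], f["rule"], f["event"], f["actor"], f["sourceIP"])
```

Two design points matter here. First, the root login is flagged even though MFA was used: in an MSO model root is never a day-to-day identity, so any use is the finding. Second, the subnet created through CloudFormation is deliberately not flagged while the console-made security group change is, which is how “adherence to approved reference architectures” becomes a detection rather than a policy statement. In production the same classify() would run from a CloudWatch Logs subscription or over the gzipped files CloudTrail delivers to S3.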
12. Customer’s horizontal shared responsibility
• Mission teams control their own infrastructure (VPCs, instances, Amazon Machine Images (AMIs), databases, S3 buckets, etc.)
• Central GRC/security team has audit and control rights over core infrastructure along with “shared security & compliance services”
• Best of both worlds: the agility of mission-driven “shadow IT” with the governance and security benefits of central IT control
13. Concretely: Managed Services Organization (MSO)
• Central team providing shared services:
  • Account creation and AWS IAM provisioning/setup
  • Identity management, federation endpoints
  • Core networking, security, and IAM policies
  • Golden OS images (AMIs) and associated IAM limits
• Central auditing services:
  • CloudTrail, Config, security log management
  • Incident response/forensics services
  • Cost alarm/review/auditing services
14. Demo: scenario
• Development team requires:
  • Direct access to the AWS Management Console
  • On-demand provisioning of dev environments
  • Login credentials for running instances
  • Support for continuous integration and deployment
• Company requires:
  • Adherence to approved reference architectures
  • Auditability of activities within the account and on instances
  • Visibility into resources used and network traffic flows
  • Control of the account, VPCs, and instances
15. Demo: automating governance
• Company creates a Managed Services Organization (MSO)
• Delivers the implementation piece of the governance puzzle
• Provides automated, self-service delivery of approved architectures
• Maintains centralized control of accounts and security oversight
• Leverages AWS GoldBase
18. Automate, automate, automate
• Programmable infrastructure changes everything!
• Service Catalog, AWS CloudFormation, and APIs for everything at the infrastructure level
• For applications: AWS Elastic Beanstalk, AWS OpsWorks, AWS CodeDeploy, AWS CodePipeline
• Visibility and control via:
  • Managing everything (including security and compliance) through a software development lifecycle (SDL) driven from a source code repository
  • Security and compliance baked into your continuous integration/continuous deployment pipeline
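One way to bake compliance into the pipeline, as an added example (not code from the session, from AWS, or from GoldBase): a gate that inspects the CloudFormation template in the repository before deployment and fails the build if an EC2 instance does not use a golden AMI or an IAM policy in the template grants Action * on Resource *. The golden AMI allow-list, the two policies enforced, and the sample template are assumptions for this example; the resource types and property names are CloudFormation's.

```python
"""
Pre-deployment template gate: added example for this page, not code from the
session or from GoldBase. Run against the CloudFormation template in source
control; a non-zero exit blocks the deploy stage. Assumed, not from the page:
the golden AMI allow-list (published by the MSO), the two policies enforced
(golden AMIs only; no Allow */* IAM statements) and the sample template.
"""
import json
import sys

GOLDEN_AMIS = {"ami-0golden01", "ami-0golden02"}  # assumed MSO allow-list


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy_document):
    """Sids of statements that Allow every action on every resource."""
    bad = []
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


def check_template(template):
    """Return human-readable violations; an empty list means the gate passes."""
    violations = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties") or {}
        if rtype in ("AWS::EC2::Instance", "AWS::AutoScaling::LaunchConfiguration"):
            ami = props.get("ImageId")
            if not isinstance(ami, str):  # Ref/FindInMap cannot be verified statically: reject
                violations.append(f"{name}: ImageId must be a literal golden AMI, got {json.dumps(ami)}")
            elif ami not in GOLDEN_AMIS:
                violations.append(f"{name}: ImageId {ami} is not an approved golden AMI")
        docs = []
        if rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            docs.append(("PolicyDocument", props.get("PolicyDocument") or {}))
        if rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
            docs += [(p.get("PolicyName", "?"), p.get("PolicyDocument") or {})
                     for p in props.get("Policies", [])]
        for label, doc in docs:
            for sid in wildcard_statements(doc):
                violations.append(f"{name}/{label}: statement {sid} allows Action * on Resource *")
    return violations


# Constructed sample template with one clean and two violating resources.
SAMPLE_TEMPLATE = {"Resources": {
    "WebServer": {"Type": "AWS::EC2::Instance",
                  "Properties": {"ImageId": "ami-0golden01", "InstanceType": "t2.micro"}},
    "Bastion": {"Type": "AWS::EC2::Instance",
                "Properties": {"ImageId": "ami-0rogue999", "InstanceType": "t2.micro"}},
    "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "too-broad", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["logs:Get*", "logs:Describe*"], "Resource": "*"},
            {"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
}}

if __name__ == "__main__":
    # Pipeline usage: python template_gate.py template.json   (exit 1 blocks the deploy)
    tpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    problems = check_template(tpl)
    print("\n".join(problems) or "gate passed")
    sys.exit(1 if problems else 0)
```

The gate is preventive where the Config rule is detective: the same organizational rule (golden images, no blanket IAM grants) is checked before the stack exists, so a developer gets the failure in the pipeline rather than a compliance finding afterwards. Note that the ReadLogs statement with Resource * is allowed through; only the combination of wildcard action and wildcard resource is rejected here.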
19. It’s happening!
• Not a pipe dream, but a growing reality at enterprises and agencies around the globe
• Even security-conscious government agencies, such as the US Department of Homeland Security (US Citizenship and Immigration Services)
  • Mark Schwartz, CIO: https://youtu.be/QwHVlJtqhaI
• DevOps and CI/CD on the AWS cloud deliver dev/ops agility with governance and security baked in
20. Relevant upcoming sessions
• SEC314: AWS Config: Using Visibility to Improve Governance over Configuration Changes to Your Resources
• SEC318: AWS CloudTrail Deep Dive
• SEC403: Timely Security Alerts and Analytics: Diving into AWS CloudTrail Events by Using Apache Spark on Amazon EMR
• SEC321: AWS for the Enterprise—Implementing Policy, Governance, and Security for Enterprise Workloads
• SEC307: A Progressive Journey Through AWS IAM Federation Options: From Roles to SAML to Custom Identity Brokers
• SEC316: Harden Your Architecture with Security Incident Response Simulations (SIRS)
• DVO206L: Lessons from a CISO: How to Securely Scale Teams, Workloads, and Budgets