To implement security best practices in your AWS accounts, you must establish a security baseline and then enforce it across all accounts. In this session, you will learn how to use AWS CloudFormation and AWS Step Functions to enforce security best practices, such as enabling AWS CloudTrail, AWS Config, Amazon VPC Flow Logs, and Amazon S3 access logs, in scenarios where you manage many AWS accounts across an organization. Learn how to store all of these logs in a centralized logging system such as Elasticsearch or Splunk, and how to set up alerting and drift detection for anomalous or high-risk activity. Attend this session and discover ways to use centralized IAM roles and enforce MFA across multiple accounts. https://aws.amazon.com/government-education/
2. Agenda
• AWS governance in the enterprise
• Key configuration and control points
• Serverless computing with AWS Lambda and
AWS Step Functions
• Example: Building automation to deploy configuration
and remediate issues
• Customer case study: FINRA
3. AWS adoption patterns
• In highly federated organizations, AWS adoption often begins flowing from the bottom up
• In parallel, central IT often begins establishing a formal architecture for AWS
• Need a governance approach that:
  • Meets the organization’s requirements
  • Scales to all users of AWS
  • Enables use of the complete AWS platform
[Diagram: top-down adoption driven by central IT meets bottom-up adoption by end users]
4. Tailor governance based on impact
[Diagram: accounts plotted by impact, with Confidentiality and Availability each ranging from Low to High]
Higher-impact accounts are more likely to be managed by central or departmental IT groups and will have more security controls.
Lower-impact accounts still have basic security controls, but can be issued freely to end users for test, development, or low-impact research and production workloads.
5. Administrators should…
For high-impact workloads
• know how to map their organization’s controls to appropriate AWS configuration
• use AWS (and partner) solutions to automate monitoring and remediation
For all workloads
• establish infrastructure to analyze Cost and Usage Reports and charge back usage
• automate the issuance and security of AWS accounts for all users
  • otherwise, end users doing exploratory or low-risk work will not be visible
7. Key configuration points: CloudFormation
• Write JSON or YAML templates to define AWS resources
• Use to deploy:
  • Identity and Access Management policies and roles
  • Virtual Private Cloud configurations
  • etc.
Example resource definitions from the slide (the two !Ref values refer to managed policies defined elsewhere in the same template):
  Administrators:
    Type: AWS::IAM::Group
    Properties:
      GroupName: SecurityAdministrators
      ManagedPolicyArns:
        - !Ref AssumeAdministratorRoleWithMFAPolicy
        - arn:aws:iam::aws:policy/AdministratorAccess
  SecurityAuditors:
    Type: AWS::IAM::Group
    Properties:
      GroupName: SecurityAuditors
      ManagedPolicyArns:
        - !Ref AssumeSecurityAuditorRoleWithMFAPolicy
8. Key Configuration Points: IAM
• Each AWS account should have centrally-managed Managed Policies and Roles
• Roles should be configured to trust the organization’s IdP and/or an AWS account used to supervise managed accounts
[Diagram: Administrator and SecurityAuditor roles in a departmental account, whose trust policy names the supervisor account]
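The two policy documents that slides 7 and 8 rely on, as an added example (editor's code, not from the deck): the MFA-gated sts:AssumeRole policy that the AssumeAdministratorRoleWithMFAPolicy reference on slide 7 stands for, the trust policy a departmental-account role uses to trust the supervisor account and (optionally) the IdP, and a small audit function that flags roles whose trust policy admits principals outside the expected accounts or without MFA. The account IDs, role names and the IdP ARN are assumptions chosen for illustration.

```python
"""Build and audit the IAM policy documents behind the centrally-managed roles.
Editor's example, not from the deck; account IDs and role names are assumed."""
from __future__ import annotations
import json

SUPERVISOR_ACCOUNT = "111111111111"   # assumed: the account that supervises the others
DEPARTMENT_ACCOUNT = "222222222222"   # assumed: a managed departmental account

# For a session that did not authenticate with MFA the key is absent, and a
# Bool test on an absent key is false, so this Allow only matches MFA sessions.
MFA_CONDITION = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}


def assume_role_with_mfa_policy(target_account: str, role_name: str) -> dict:
    """Identity policy for a group such as SecurityAdministrators: may assume
    one named role in the target account, and only from an MFA session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeRoleOnlyWithMFA",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{target_account}:role/{role_name}",
            "Condition": MFA_CONDITION,
        }],
    }


def cross_account_trust_policy(supervisor_account: str, idp_provider_arn: str | None = None) -> dict:
    """Trust policy for a role in a departmental account: trusts the supervisor
    account (MFA required) and, if given, the organisation's SAML provider."""
    statements = [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{supervisor_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": MFA_CONDITION,
    }]
    if idp_provider_arn:
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": idp_provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def audit_trust_policy(policy: dict, allowed_accounts: set[str]) -> list[str]:
    """Return findings for AWS principals outside allowed_accounts, or for
    statements that let a principal assume the role without MFA."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        for arn in principals:
            # arn:aws:iam::ACCOUNT:root -> field 4 is the account ID
            account = arn.split(":")[4] if arn.count(":") >= 5 else arn
            if arn == "*" or account not in allowed_accounts:
                findings.append(f"untrusted principal {arn}")
            cond = stmt.get("Condition", {}).get("Bool", {})
            if str(cond.get("aws:MultiFactorAuthPresent", "")).lower() != "true":
                findings.append(f"{arn} may assume the role without MFA")
    return findings


if __name__ == "__main__":
    print(json.dumps(assume_role_with_mfa_policy(DEPARTMENT_ACCOUNT, "Administrator"), indent=2))
    trust = cross_account_trust_policy(SUPERVISOR_ACCOUNT, "arn:aws:iam::222222222222:saml-provider/CorpIdP")
    print(json.dumps(trust, indent=2))
    print(audit_trust_policy(trust, {SUPERVISOR_ACCOUNT}))   # -> []
```

Two caveats a practitioner would want: trusting the supervisor account's root principal delegates the decision of who may hop to that account's own IAM policies, so the MFA-gated assume-role policy in the supervisor account is what actually narrows it (trust a specific role ARN instead if that is too broad). And if you add a Deny statement to refuse non-MFA callers, test the key with BoolIfExists rather than Bool, because the key is absent for non-MFA sessions and a Bool test on an absent key does not match, so the Deny would never apply. Note also that the slide-7 group carries AdministratorAccess directly, which the MFA condition on the assume-role policy does not constrain.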
9. Key Configuration Points: AWS Config
• AWS Config creates Configuration Snapshots, which are JSON documents describing the current state of the environment
  • Virtual Private Cloud configurations, running instances, and more
• AWS Config Rules let you define conditions and monitor whether an account is in or out of compliance with policy
  • Administrators see red/green status for defined rules
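What a custom Config Rule actually does with a configuration item, as an added example (editor's code, not from the deck): the Lambda receives the configuration item for a changed resource, evaluates it, and reports COMPLIANT or NON_COMPLIANT through PutEvaluations. The rule logic here (flag security groups that accept ingress from anywhere on ports other than 80 and 443) is an assumption chosen to illustrate the shape; the sample event is constructed, and the Config client is injected so the code runs offline.

```python
"""Custom AWS Config rule: evaluate a security group configuration item.
Editor's example, not from the deck; the port policy is an assumption."""
from __future__ import annotations
import json
from datetime import datetime

ALLOWED_PUBLIC_PORTS = {80, 443}            # assumed policy
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _ranges(perm: dict) -> list[str]:
    """Configuration items carry rules as ipRanges (plain CIDR strings) and/or
    ipv4Ranges/ipv6Ranges (objects); accept both shapes."""
    cidrs = [r if isinstance(r, str) else r.get("cidrIp") for r in perm.get("ipRanges", [])]
    cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return [c for c in cidrs if c]


def evaluate_security_group(configuration: dict) -> tuple[str, str]:
    """Return (COMPLIANT | NON_COMPLIANT, annotation) for one security group."""
    for perm in configuration.get("ipPermissions", []):
        public = [c for c in _ranges(perm) if c in ANYWHERE]
        if not public:
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or perm.get("ipProtocol") == "-1":   # "all traffic" rule
            return "NON_COMPLIANT", "all traffic open to the internet"
        if not all(p in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1)):
            return "NON_COMPLIANT", f"ports {lo}-{hi} open to {','.join(public)}"
    return "COMPLIANT", "no unexpected internet-facing ingress"


def build_evaluation(item: dict) -> dict:
    """Map a configuration item to one entry of the Evaluations list."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    elif item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        compliance, note = evaluate_security_group(item.get("configuration") or {})
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],                      # Annotation is limited to 256 chars
        "OrderingTimestamp": datetime.strptime(item["configurationItemCaptureTime"], "%Y-%m-%dT%H:%M:%S.%fZ"),
    }


def lambda_handler(event: dict, context, config_client=None) -> dict:
    """Entry point for a configuration-change triggered rule. In Lambda pass
    boto3.client('config'); it defaults to None so the logic runs offline."""
    invoking = json.loads(event["invokingEvent"])          # Config sends this as a JSON string
    evaluation = build_evaluation(invoking["configurationItem"])
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event in the shape Config sends to a custom rule.
SAMPLE_EVENT = {
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2017-06-01T12:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
            ]},
        },
    }),
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))   # NON_COMPLIANT: ports 22-22 open to 0.0.0.0/0
```

The rule returns NOT_APPLICABLE for deleted resources and for other resource types; without that, a deleted security group would keep its last red status in the console. The same function shape (parse invokingEvent, evaluate, put_evaluations with the resultToken) applies whatever the resource type, so the check on slide 13 (bucket logging enabled) could be expressed as a Config rule just as well as a remediation workflow.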
10. How do we manage all these configuration points?
Options range from manual changes, through locally-run scripts, to fully automated, composable modules running in AWS.
11. Serverless computing with AWS Lambda
Continuous scaling, no servers to manage, subsecond metering
AWS Lambda handles:
• Operations and management
• Provisioning and utilization
• Scaling
• Availability and fault tolerance
Automatically scales your application, running code in response to each trigger. Your code runs in parallel and processes each trigger individually, scaling precisely with the size of the workload.
Pricing
• CPU and network scaled based on RAM (128 MB to 1500 MB)
• $0.20 per 1M requests
• Price per 100 ms
12. Introducing AWS Step Functions
• Write single-task Lambda functions instead of complex scripts
• Define your workflow logic in one place
• Scalable, resilient, agile
• Fully managed by AWS
• No servers to run
• Doesn’t lose state
13. Example: Cross-account CloudWatch Events
• CloudWatch Events enables administrators to subscribe to events about activity in their AWS account
  • Calls to AWS APIs
  • Instance lifecycle (start/stop)
  • Maintenance windows and health notifications
• We’d like to automatically enable access logs for new Amazon Simple Storage Service (S3) buckets
14. Example: Cross-account CloudWatch Events
[Diagram: flow between the managed account and the consolidated admin account]
• Managed account: an API call (here, creating a bucket) produces a CloudWatch event, which is published to an SNS topic
• Consolidated admin account: a Lambda event handler subscribes to the topic and creates an execution of the remediation workflow (a Step Functions state machine)
• The remediation task states assume SupervisorAdminRole in the managed account
• With that role, the tasks invoke Amazon S3 GET bucket logging and, where logging is off, PUT bucket logging
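The handler and remediation task from slides 13 and 14, as an added example (editor's code, not from the deck): the Lambda unwraps the SNS envelope, recognises the CloudTrail CreateBucket event, works out which account it came from and which role to assume there, then does the GET-then-PUT on bucket logging so an already-configured bucket is left alone. The central log bucket name, the SNS sample event and the FakeS3 client are constructed assumptions; in Lambda the client would come from boto3 after sts assume_role on the account's SupervisorAdminRole.

```python
"""Cross-account remediation: enable S3 access logging on new buckets.
Editor's example, not from the deck; bucket names and FakeS3 are assumed."""
from __future__ import annotations
import json

LOG_BUCKET = "org-central-s3-access-logs"   # assumed central log bucket
ROLE_NAME = "SupervisorAdminRole"            # role named on slide 14


def parse_bucket_event(event: dict) -> dict | None:
    """Unwrap an SNS envelope if present; return {account, region, bucket}
    for a CreateBucket call via CloudTrail, or None for any other event."""
    if "Records" in event and "Sns" in event["Records"][0]:   # SNS -> Lambda envelope
        event = json.loads(event["Records"][0]["Sns"]["Message"])
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    detail = event.get("detail", {})
    if detail.get("eventSource") != "s3.amazonaws.com" or detail.get("eventName") != "CreateBucket":
        return None
    return {"account": event["account"], "region": event["region"],
            "bucket": detail["requestParameters"]["bucketName"]}


def role_arn(account: str) -> str:
    """Role the remediation tasks assume in the managed account."""
    return f"arn:aws:iam::{account}:role/{ROLE_NAME}"


def ensure_access_logging(s3, bucket: str, target_bucket: str = LOG_BUCKET) -> str:
    """GET bucket logging; PUT only if it is disabled. The returned string is
    the task output, so the state machine records whether anything changed."""
    current = s3.get_bucket_logging(Bucket=bucket).get("LoggingEnabled")
    if current:
        return f"already logging to {current['TargetBucket']}/{current.get('TargetPrefix', '')}"
    s3.put_bucket_logging(
        Bucket=bucket,
        BucketLoggingStatus={"LoggingEnabled": {
            "TargetBucket": target_bucket,
            "TargetPrefix": f"{bucket}/",   # one prefix per source bucket in the central bucket
        }},
    )
    return f"enabled logging to {target_bucket}/{bucket}/"


def handle(event: dict, s3_for_account) -> dict:
    """Lambda-style entry point. s3_for_account(account) must return an S3
    client authorised in that account (in production: assume role_arn(account))."""
    info = parse_bucket_event(event)
    if info is None:
        return {"action": "ignored"}
    result = ensure_access_logging(s3_for_account(info["account"]), info["bucket"])
    return {"action": result, "role": role_arn(info["account"]), **info}


class FakeS3:
    """Constructed stand-in for boto3's S3 client so the example runs offline."""
    def __init__(self, logging_state: dict[str, dict]):
        self.state = dict(logging_state)
        self.calls: list[str] = []

    def get_bucket_logging(self, Bucket):
        self.calls.append(f"GET {Bucket}")
        return {"LoggingEnabled": self.state[Bucket]} if self.state.get(Bucket) else {}

    def put_bucket_logging(self, Bucket, BucketLoggingStatus):
        self.calls.append(f"PUT {Bucket}")
        self.state[Bucket] = BucketLoggingStatus["LoggingEnabled"]


# Constructed sample: CloudWatch Events -> SNS -> Lambda, for a newly created bucket.
SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.s3",
    "account": "222222222222", "region": "us-east-1",
    "detail": {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
               "requestParameters": {"bucketName": "dept-research-data"}},
})}}]}

if __name__ == "__main__":
    fake = FakeS3({})
    print(handle(SAMPLE_SNS_EVENT, lambda account: fake))
    print(fake.calls)   # ['GET dept-research-data', 'PUT dept-research-data']
```

Two things the PUT depends on that are outside the managed account's control: the central log bucket must be in the same region as the source bucket, and it must grant the S3 log delivery group permission to write to it, otherwise PutBucketLogging fails. Checking first and returning "already logging" also makes the task safe to re-run when SNS delivers the same notification twice.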
15. Example: Deploy CloudFormation template
• Maintain a library of CloudFormation templates to enable common functionality
  • Standard network configurations
  • Frequently deployed applications (e.g., LAMP stack)
• We’d like to automatically deploy or update a given template in a target AWS account
16. Example: Deploy CloudFormation template
[Diagram: flow between the administration account and a managed account]
• Administration account: an IAM user invokes the Step Functions state machines (UpdateManagedAccount, ApplyTemplate), whose Lambda tasks (Apply Template, Check TmplStatus) run under SupervisorLambdaRole
• The tasks assume SupervisorAdminRole, then XAcctRole in the managed account; each role’s trust policy permits the hop
• Apply Template takes a template from the template library (roles.yaml, common.yaml, etc.yaml) and creates or updates the CloudFormation stack in the managed account
• Check TmplStatus waits for the stack to finish
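The two task functions behind Apply Template and Check TmplStatus, as an added example (editor's code, not from the deck). Apply Template has to decide between CreateStack and UpdateStack, treat CloudFormation's "No updates are to be performed" error as success rather than a failure, and refuse to update a stack stuck in ROLLBACK_COMPLETE; Check TmplStatus collapses the many stack statuses into the three outcomes the state machine branches on. FakeCloudFormation is a constructed stand-in for the boto3 client obtained after assuming XAcctRole, and the state-machine sketch uses assumed function ARNs.

```python
"""ApplyTemplate and CheckTmplStatus tasks for deploying a template library.
Editor's example, not from the deck; FakeCloudFormation and ARNs are assumed."""
from __future__ import annotations

IN_PROGRESS, SUCCEEDED, FAILED = "IN_PROGRESS", "SUCCEEDED", "FAILED"
TERMINAL_OK = {"CREATE_COMPLETE", "UPDATE_COMPLETE"}


def apply_template(cfn, stack_name: str, template_body: str, parameters: list | None = None) -> dict:
    """Create the stack if absent, otherwise update it. 'No updates are to be
    performed' means the template already matches, which is a success here."""
    kwargs = {"StackName": stack_name, "TemplateBody": template_body,
              "Parameters": parameters or [],
              "Capabilities": ["CAPABILITY_NAMED_IAM"]}   # roles.yaml creates named IAM resources
    try:
        stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    except Exception as err:              # botocore ClientError in production; str() carries the message
        if "does not exist" not in str(err):
            raise
        cfn.create_stack(**kwargs)
        return {"stack": stack_name, "operation": "create"}
    if stack["StackStatus"] == "ROLLBACK_COMPLETE":
        # A stack whose initial create failed cannot be updated; it must be deleted first.
        return {"stack": stack_name, "operation": "none", "status": FAILED,
                "reason": "stack is in ROLLBACK_COMPLETE; delete it before retrying"}
    try:
        cfn.update_stack(**kwargs)
    except Exception as err:
        if "No updates are to be performed" not in str(err):
            raise
        return {"stack": stack_name, "operation": "none", "status": SUCCEEDED}
    return {"stack": stack_name, "operation": "update"}


def check_template_status(cfn, stack_name: str) -> dict:
    """Map the stack status onto IN_PROGRESS / SUCCEEDED / FAILED so the
    state machine can Wait and loop while work is still running."""
    status = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]["StackStatus"]
    if status.endswith("_IN_PROGRESS"):
        outcome = IN_PROGRESS
    elif status in TERMINAL_OK:
        outcome = SUCCEEDED
    else:
        outcome = FAILED          # ROLLBACK_*, *_FAILED, UPDATE_ROLLBACK_COMPLETE, ...
    return {"stack": stack_name, "stack_status": status, "status": outcome}


# Amazon States Language sketch of the loop these tasks drive (function ARNs assumed).
STATE_MACHINE = {
    "StartAt": "ApplyTemplate",
    "States": {
        "ApplyTemplate": {"Type": "Task", "Next": "CheckTmplStatus",
                          "Resource": "arn:aws:lambda:us-east-1:111111111111:function:ApplyTemplate"},
        "CheckTmplStatus": {"Type": "Task", "Next": "Done?",
                            "Resource": "arn:aws:lambda:us-east-1:111111111111:function:CheckTmplStatus"},
        "Done?": {"Type": "Choice", "Default": "Failed", "Choices": [
            {"Variable": "$.status", "StringEquals": IN_PROGRESS, "Next": "Wait"},
            {"Variable": "$.status", "StringEquals": SUCCEEDED, "Next": "Succeeded"}]},
        "Wait": {"Type": "Wait", "Seconds": 30, "Next": "CheckTmplStatus"},
        "Succeeded": {"Type": "Succeed"},
        "Failed": {"Type": "Fail", "Cause": "stack did not reach a COMPLETE state"},
    },
}


class FakeCloudFormation:
    """Constructed in-memory stand-in: stacks jump straight to a COMPLETE state."""
    def __init__(self):
        self.stacks: dict[str, dict] = {}

    def describe_stacks(self, StackName):
        if StackName not in self.stacks:
            raise Exception(f"Stack with id {StackName} does not exist")
        return {"Stacks": [self.stacks[StackName]]}

    def create_stack(self, **kw):
        self.stacks[kw["StackName"]] = {"StackStatus": "CREATE_COMPLETE", "TemplateBody": kw["TemplateBody"]}

    def update_stack(self, **kw):
        if self.stacks[kw["StackName"]]["TemplateBody"] == kw["TemplateBody"]:
            raise Exception("An error occurred (ValidationError) when calling the UpdateStack "
                            "operation: No updates are to be performed.")
        self.stacks[kw["StackName"]] = {"StackStatus": "UPDATE_COMPLETE", "TemplateBody": kw["TemplateBody"]}


if __name__ == "__main__":
    cfn = FakeCloudFormation()
    print(apply_template(cfn, "roles", "Resources: {}"))          # operation: create
    print(check_template_status(cfn, "roles"))                    # status: SUCCEEDED
    print(apply_template(cfn, "roles", "Resources: {}"))          # operation: none, already current
```

Because the Wait state re-enters CheckTmplStatus with the previous task's output, the task returns the stack name alongside the status so the loop stays self-describing. In production the Exception catches should be narrowed to botocore.exceptions.ClientError; the string matching on the message is how the two ValidationError cases are distinguished in practice, since CloudFormation uses the same error code for both.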
26. Security Configuration
• SSM document
• IAM role based
• Approval process
• AWS-Tag informed
• Security Group bounded
• Still tied to organization and firewall security
27. DevOps Methodology
• Self service for delivery teams
• Allow for secured PEM file
• No individual key management
• Automated onboarding of fleet
• Audit trail & reporting