by Daniele Stroppa, Technical Account Manager, AWS As organizations move their workloads to the cloud, companies must take steps to protect and audit their private and confidential information. This session will focus on Amazon S3 best practices and using AWS Config rules and AWS CloudTrail Data Events to help better protect data residing within S3. The session will include a demonstration of how AWS Config and CloudTrail, in combination with other AWS services, can help with S3 governance and compliance requirements.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Automated Compliance and Governance with AWS Config and
AWS CloudTrail
Daniele Stroppa
Technical Account Manager
AWS

2. What to expect from the session?
• Governance and Compliance – should I care? (yes)
• Why automate?
• Overview of CloudTrail and Config
• Use cases and examples

3. What is Governance and Compliance?
Governance is the oversight role and the process by
which companies manage and mitigate business risks.
Compliance ensures that an organization has the process
and internal controls to meet the requirements imposed
by the governance body.

4. Do I need Cloud Governance?
• Cloud introduces few fundamental changes to traditional IT
- Provision IT resources via self-service, APIs
- Pay-as-you-go pricing
- Dynamic scaling
- Resources maybe short lived
• Lack of policy and process consistency could negate the benefits
of being in the cloud

5. AWS Shared Responsibility model

6. Steps to ensure Governance and Compliance
• Understand your IT environment
• Document all compliance requirements
• Design and implement controls to meet the
organization’s compliance requirements
• Identify and document controls owned by outside
parties
• Verify that all control objectives are met

7. Why automate?
• Hard to keep track of
resource inventory
• Numerous compliance
requirements (CIS
benchmarks, PCI, HIPAA)
• Continuous assessment
• Growth is good, but it
comes with its
challenges
* CIS Benchmarks

8. AWS Management Tools
― AWS CloudFormation
― AWS Service Catalog
― AWS OpsWorks
― EC2 Systems Manager
― Amazon CloudWatch
AWS CloudTrail ―
AWS Config ―
AWS Trusted Advisor ―

9. Range of capabilities
Provision
Speed
Infra. as
code
Templatize
Agility
Self-
service
Delineated
access
privilege
Guardrails
Control
Alarm
Auto
Correct
Visibility
Audit
Trouble-
shoot
AWS CloudFormation AWS Service Catalog AWS CloudTrail AWS Config Amazon CloudWatch

10. We’ll focus on..
― AWS CloudFormation
― AWS Service Catalog
― AWS OpsWorks
― EC2 Systems Manager
― Amazon CloudWatch
AWS CloudTrail ―
AWS Config ―
AWS Trusted Advisor ―

11. What is CloudTrail?
AWS CloudTrail
Amazon CloudWatch
S3 Bucket
Management Console
CLI
SDK
AWS resources
Troubleshoot
Monitor, alarm
and React
Archive and audit

12. What is CloudTrail?
• Records API calls made on your AWS account
• Delivers logs for audits and compliance
• Provides visibility into account activity (API, console
logins etc.)
• Troubleshoot with look up capability
• Alarm and take actions with Amazon CloudWatch
• New! S3 Data Events: Get object-level API activity

13. Common Use Cases
• Compliance Aid
• Security Analysis
• Data Exfiltration
• Operational Troubleshooting

14. AWS Config
Record changing
resources
AWS Config
Config Rules
History, Snapshot
Notifications
API Access
Normalized

15. AWS Config
• Continuous recording of configuration
• Inventory of AWS resources, includes deleted
• View resource relationships
• New! OS level patches, installed applications, network
configuration with EC2 Systems Manager
• Check compliance with desired configuration using rules
• Pre-built rules by AWS, Custom rules using AWS Lambda
• Configuration and Compliance change notifications
• Compliance dashboard
• GitHub repo: Community sourced rules

16. Common Use Cases
• Continuous monitoring
• Continuous assessment
• Audit and Compliance
• Change management
• Operational troubleshooting

17. Visibility & Audit
Guardrails
Control
Alarm
Auto
Correct
Visibility
Audit
Trouble-
shoot

18. Demo Scenario (Gain visibility into the cloud )
Use CloudTrail to lookup API activity for a specific user,
view activity details and configuration changes via AWS
Config integration

19. Control and Alarm
Guardrails
Control
Alarm
Auto
Correct
Visibility
Audit
Trouble-
shoot

20. Demo scenario (Automating governance & compliance)
Notify the Cloud Admin if there exist any EC2 Security
Groups that allow unrestricted access to port 22 (SSH)

21. Compliance change notification via SNS

22. Demo Scenario (Instance level software
configurations)
Use AWS System Manager to setup inventory collection
and use Config to get a complete trackable history of:
• OS updates/patches
• Installed applications
• Network configuration etc.
Continuously assess compliance with Config rules.

23. Control and Auto-Correct
Guardrails
Control
Alarm
Auto
Correct
Visibility
Audit
Trouble-
shoot

24. Demo scenario (Automating governance & compliance)
Auto-remediate the issue when an EC2 Security Group that allows
unrestricted access to port 22 (SSH) is detected by revoking the
ingress rule.
Lambda
function
Amazon
SNS
Amazon EC2
Security Group:
0.0.0.0/0 Port 22 AWS
Configusers
Internet

25. Code snippet: Fix an EC2 security group

26. Code snippet: Fix an EC2 security group

27. But who watches the watcher?
Guardrails
Control
Alarm
Auto
Correct
Visibility
Audit
Trouble-
shoot

28. Demo scenario (Automating governance & compliance)
Automatically turn on CloudTrail logging if it has been
disabled

29. Summary
AWS Config Rules repo:
https://github.com/awslabs/aws-config-rules
Find out more here:
https://aws.amazon.com/cloudtrail/
https://aws.amazon.com/config/
Management tools:
https://aws.amazon.com/products/management

30. Thank you!

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS