by Daniele Stroppa, Technical Account Manager, AWS
As organizations move their workloads to the cloud, companies must take steps to protect and audit their private and confidential information. This session will focus on Amazon S3 best practices and using AWS Config rules and AWS CloudTrail Data Events to help better protect data residing within S3. The session will include a demonstration of how AWS Config and CloudTrail, in combination with other AWS services, can help with S3 governance and compliance requirements.
2. What to expect from the session?
• Governance and Compliance – should I care? (yes)
• Why automate?
• Overview of CloudTrail and Config
• Use cases and examples
3. What is Governance and Compliance?
Governance is the oversight role and the process by which companies manage and mitigate business risks. Compliance ensures that an organization has the process and internal controls to meet the requirements imposed by the governance body.
4. Do I need Cloud Governance?
• Cloud introduces a few fundamental changes to traditional IT
- Provision IT resources via self-service and APIs
- Pay-as-you-go pricing
- Dynamic scaling
- Resources may be short-lived
• Lack of policy and process consistency could negate the benefits of being in the cloud
6. Steps to ensure Governance and Compliance
• Understand your IT environment
• Document all compliance requirements
• Design and implement controls to meet the organization’s compliance requirements
• Identify and document controls owned by outside parties
• Verify that all control objectives are met
7. Why automate?
• Hard to keep track of resource inventory
• Numerous compliance requirements (CIS benchmarks*, PCI, HIPAA)
• Continuous assessment
• Growth is good, but it comes with its challenges
* CIS Benchmarks
11. What is CloudTrail?
[Diagram: AWS CloudTrail, Amazon CloudWatch, S3 Bucket; activity sources: Management Console, CLI, SDK, AWS resources; outcomes: Troubleshoot; Monitor, alarm and react; Archive and audit]
12. What is CloudTrail?
• Records API calls made on your AWS account
• Delivers logs for audits and compliance
• Provides visibility into account activity (API calls, console logins, etc.)
• Troubleshoot with look-up capability
• Alarm and take actions with Amazon CloudWatch
• New! S3 Data Events: get object-level API activity
13. Common Use Cases
• Compliance Aid
• Security Analysis
• Data Exfiltration
• Operational Troubleshooting
18. Demo Scenario (Gain visibility into the cloud)
Use CloudTrail to look up API activity for a specific user, view activity details and configuration changes via AWS Config integration.
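The look-up in this demo (slide 18), the object-level S3 data events (slide 12) and the data exfiltration use case (slide 13) all come down to reading CloudTrail records. The following is an added example, not part of the original talk: it parses the "Records" array of a CloudTrail log file, lists what one IAM user did (the offline equivalent of `aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=alice`), counts S3 GetObject data events per principal and bucket, and flags bulk reads from a single bucket. The log records, account id, user names and bucket names are constructed for illustration; the `principal()` and `flag_bulk_reads()` helpers and the read threshold are this example's own.

```python
"""Audit helpers over CloudTrail log records (added example, not AWS code).

Covers three questions from the talk: what did a given user do, which S3
objects were read (S3 data events), and does any principal look like it is
pulling a bucket in bulk. The sample records below are constructed; they
follow the CloudTrail record layout but are not real log data."""
import json
from collections import Counter

# Constructed sample: the "Records" array of one CloudTrail log file.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2017-06-01T10:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "readOnly": False},
    {"eventVersion": "1.05", "eventTime": "2017-06-01T10:05:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "readOnly": False,
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    # S3 data events: object-level activity, only logged when enabled on the trail.
    {"eventVersion": "1.05", "eventTime": "2017-06-01T10:07:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "readOnly": True,
     "requestParameters": {"bucketName": "example-confidential", "key": "hr/payroll.csv"}},
    {"eventVersion": "1.05", "eventTime": "2017-06-01T10:07:30Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "readOnly": True,
     "requestParameters": {"bucketName": "example-confidential", "key": "hr/contracts.zip"}},
    # An assumed role has no userName; the ARN identifies the session instead.
    {"eventVersion": "1.05", "eventTime": "2017-06-01T10:09:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"},
     "sourceIPAddress": "10.0.1.5", "readOnly": False,
     "requestParameters": {"bucketName": "example-app-logs", "key": "2017/06/01/app.log"}},
]})


def load_records(log_text):
    """Parse one CloudTrail log file (a JSON object with a "Records" list)."""
    return json.loads(log_text)["Records"]


def principal(record):
    """Best available name for who made the call: IAM user name, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def events_for_user(records, username):
    """Activity of one user, oldest first: (eventTime, eventSource, eventName)."""
    hits = [(r["eventTime"], r["eventSource"], r["eventName"])
            for r in records if principal(r) == username]
    return sorted(hits)


def s3_object_reads(records):
    """Count S3 GetObject data events per (principal, bucket)."""
    counts = Counter()
    for r in records:
        if r.get("eventSource") == "s3.amazonaws.com" and r.get("eventName") == "GetObject":
            params = r.get("requestParameters", {})
            counts[(principal(r), params.get("bucketName"))] += 1
    return counts


def flag_bulk_reads(records, threshold):
    """Exfiltration indicator: principals that read at least `threshold` objects from one bucket."""
    return sorted(key for key, n in s3_object_reads(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for row in events_for_user(recs, "alice"):
        print("alice:", *row)
    for (who, bucket), n in s3_object_reads(recs).items():
        print(f"{who} read {n} object(s) from {bucket}")
    print("bulk readers:", flag_bulk_reads(recs, threshold=2))
```

In practice the records come from the trail's S3 bucket (one gzipped JSON file per delivery) or from `lookup-events`, and the threshold in `flag_bulk_reads` would be tuned per bucket; the point is that once data events are on, object-level reads are ordinary log records that the same parsing handles.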
20. Demo scenario (Automating governance & compliance)
Notify the Cloud Admin if there exist any EC2 Security Groups that allow unrestricted access to port 22 (SSH).
22. Demo Scenario (Instance-level software configurations)
Use AWS Systems Manager to set up inventory collection and use Config to get a complete, trackable history of:
• OS updates/patches
• Installed applications
• Network configuration, etc.
Continuously assess compliance with Config rules.
24. Demo scenario (Automating governance & compliance)
Auto-remediate the issue when an EC2 Security Group that allows unrestricted access to port 22 (SSH) is detected by revoking the ingress rule.
[Diagram: AWS Config, Lambda function, Amazon SNS, Amazon EC2 Security Group (0.0.0.0/0 Port 22), users, Internet]
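Slides 20 and 24 describe the same Config custom rule with two responses: notify (slide 20) and revoke the offending ingress (slide 24). The block below is an added example, not the talk's demo code or an AWS artifact: the compliance check is a pure function over the `configuration` part of the security group's configuration item that Config hands to a custom-rule Lambda, so it runs and tests offline; `lambda_handler` wires it to `put_evaluations`, `revoke_security_group_ingress` and `sns.publish` via boto3. It goes beyond the single tcp/22 case in the slide by also catching port ranges that include 22, `-1` (all traffic) rules and `::/0`. The sample security group, group id, SNS topic ARN, the `AUTO_REMEDIATE` environment variable and the handling of the `ipRanges`/`ipv4Ranges`/`ipv6Ranges` key shapes are assumptions of this example. (AWS also ships a managed rule, `restricted-ssh`, for the detection half.)

```python
"""Config custom rule + optional auto-remediation for public SSH (added example).

The check is separated from the AWS calls so it can be exercised offline.
Sample data is constructed; key names mirror the configurationItem that
AWS Config passes to a custom rule (assumed: ipRanges as CIDR strings,
ipv4Ranges/ipv6Ranges as {"cidrIp"}/{"cidrIpv6"} objects)."""
import json
import os

try:
    import boto3  # only needed inside Lambda; the check itself has no AWS dependency
except ImportError:  # pragma: no cover
    boto3 = None

ANYWHERE = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22

# Constructed sample: configuration of a group with several ingress rules.
SAMPLE_SG = {
    "groupId": "sg-0123456789abcdef0",
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0", "10.0.0.0/8"]},
        {"ipProtocol": "tcp", "fromPort": 80, "toPort": 80, "ipRanges": ["0.0.0.0/0"]},
        {"ipProtocol": "tcp", "fromPort": 20, "toPort": 30, "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
        {"ipProtocol": "udp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
    ],
}
# The corrected form: SSH only from the corporate range.
HARDENED_SG = {
    "groupId": "sg-0123456789abcdef0",
    "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]}],
}


def _cidrs(perm):
    """Collect every CIDR on a permission, whichever key shape Config used."""
    cidrs = [r if isinstance(r, str) else r.get("cidrIp") for r in perm.get("ipRanges", [])]
    cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return [c for c in cidrs if c]


def _covers_ssh(perm):
    """True if the permission admits tcp/22: protocol -1, or a tcp range containing 22."""
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:  # no port bounds recorded: treat as all ports
        return True
    return lo <= SSH_PORT <= hi


def find_public_ssh_rules(configuration):
    """Ingress permissions that expose SSH to the whole internet, with the offending CIDRs."""
    offending = []
    for perm in configuration.get("ipPermissions", []):
        if not _covers_ssh(perm):
            continue
        public = [c for c in _cidrs(perm) if c in ANYWHERE]
        if public:
            offending.append({"ipProtocol": perm.get("ipProtocol"), "fromPort": perm.get("fromPort"),
                              "toPort": perm.get("toPort"), "cidrs": public})
    return offending


def evaluate_compliance(configuration):
    return "NON_COMPLIANT" if find_public_ssh_rules(configuration) else "COMPLIANT"


def to_revoke_permissions(offending):
    """IpPermissions for ec2.revoke_security_group_ingress; only the public CIDRs are revoked."""
    perms = []
    for rule in offending:
        p = {"IpProtocol": str(rule["ipProtocol"])}
        if p["IpProtocol"] != "-1" and rule["fromPort"] is not None:
            p["FromPort"], p["ToPort"] = rule["fromPort"], rule["toPort"]
        v4 = [{"CidrIp": c} for c in rule["cidrs"] if ":" not in c]
        v6 = [{"CidrIpv6": c} for c in rule["cidrs"] if ":" in c]
        if v4:
            p["IpRanges"] = v4
        if v6:
            p["Ipv6Ranges"] = v6
        perms.append(p)
    return perms


def lambda_handler(event, context):
    """Config custom-rule entry point (ConfigurationItemChangeNotification only)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    offending = find_public_ssh_rules(item["configuration"])
    status = "NON_COMPLIANT" if offending else "COMPLIANT"
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": status, "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    if offending:
        if os.environ.get("AUTO_REMEDIATE", "false").lower() == "true":  # slide 24 behaviour
            boto3.client("ec2").revoke_security_group_ingress(
                GroupId=item["resourceId"], IpPermissions=to_revoke_permissions(offending))
        topic = os.environ.get("SNS_TOPIC_ARN")  # slide 20 behaviour: notify the Cloud Admin
        if topic:
            boto3.client("sns").publish(TopicArn=topic, Subject="Public SSH ingress detected",
                                        Message=json.dumps({"groupId": item["resourceId"], "rules": offending}))
    return status
```

Revoking only the public CIDR (rather than the whole permission) keeps the `10.0.0.0/8` entry on the tcp/22 rule intact, which is what the corrected group in `HARDENED_SG` looks like; the Lambda role needs `config:PutEvaluations`, `ec2:RevokeSecurityGroupIngress` and `sns:Publish` for the three calls it makes.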