1. Compliance
Superpowers
Ben Blair - VPE Catalytic
June 7, 2018

2. What to
Expect
● Who is this talk for?
● What is compliance
& why should you care?
● Change Management
● AWS Account Organization
● Access Control
● Monitoring & Logging
● Encryption
● Vulnerabilities & Malware
2

3. Security
vs.
Agility?

6. What to
Expect
✓ Who is this talk for?
● What is compliance
& why should you care?
● Change Management
● AWS Account Organization
● Access Control
● Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware
6

7. Catalytic’s Compliance Story
● Founded 3 years ago
● B2B SaaS
● 50 Employees
● 1 in-house former auditor
● HIPAA & SOC 2 in 4 months with
3 engineers
● Opened the door to many F500
& healthcare customers
7

8. Why care about compliance?
8
Laws & Regulations
Unlock Sales
Safe Agility
Happy
Team

9. Why care about compliance?
9
Laws & Regulations
Unlock Sales
Safe Agility
Happy
Team

10. Why care about compliance?
10
Laws & Regulations
Unlock Sales
Safe Agility
Happy
Team

11. Why care about compliance?
11
Laws & Regulations
Unlock Sales
Safe Agility
Trust

12. 12

13. Common Standards
General
SOC 2
ISO
GDPR
HIPAA
PCI
FedRAMP
Specialized
13

14. Audits
Before
Get Help!
Choose Targets
Choose Auditor
Document
Evaluate Readiness
Maintain Process
Periodic Reviews
Track Changes
Keep Evidence
Notify
After
14
During
Point Person
Walkthrough
Review Policies
Review Controls
Gather Evidence

15. Process Matters
not Tech

16. Compliance Should Never
Force a Bad Solution

17. What to
Expect
✓ Who is this talk for?
✓ What is compliance
& why should you care?
● Change Management
● AWS Account Organization
● Access Control
● Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware
17

18. Change Management
Risks
● Broken functionality (Availability)
● Introduce a vulnerability
● Introduce a time bomb
● Introduce a back door
● Weaken a protection
Controls
● Infrastructure as Code
● Code Review
● Realistic, Isolated Dev / Test
Environments
● Continuous Integration
● Continuous Deployment
● Static Analysis
● Vulnerability Scanning
18

19. git branch
master
CloudFormation
Testing
CodeBuild
Dev Account
Code Review
And Approval
CloudFormationCodeBuild
Prod Account
Code Repo
Code Repo
Change Management
19
Change Ticket

20. Ticket System
● Tracks every change request
● Tickets remain open until closed
● Comments and discussion
matter to your auditors!
● GitHub
● Jira
● Catalytic
● Many others ...
20

21. Code Repository
● Record of *every* change made
● When
● By Whom
● Why
● Comments and discussion
matter to your auditors!
● GitHub
● GitLab
● AWS CodeCommit
● BitBucket
● ...
21

22. Continuous Integration & Deployment
CodeBuild
● Automated Tests for every change
● Test Coverage
● Static Analysis
● Vulnerability / CVE checks
● Reproducible Builds
(AMIs, Docker Images, CF Templates)
● The Only IAM role with Deploy rights
● AWS CodeBuild
● CircleCI
● Jenkins
● CodeShip
● ...
22

23. Infrastructure as Code
CloudFormation
● Safely deploy infrastructure changes many times per day
● Auditable log of infrastructure changes alongside
code changes
● Reproducible infrastructure changes
● Same dev / test / approve / deploy process
for infrastructure changes
● Reduces the most catastrophic kinds of errors
● Encourages immutable infrastructure
● AWS CloudFormation
● Terraform
● Mutable: Chef, Ansible, Puppet, Salt
● ...
23

24. Code Review
● Every change gets reviewed and approved
● Security Review
● Reduces risks
● Spreads knowledge through your team
● Escalate riskier changes
● Capture reasoning in discussions
● GitHub
● GitLab
● Jira
● BitBucket
● ...
24

25. Testing
Manual +
Automated
● Test application & infrastructure changes together
● Automated End-to-end tests
● Manual QA Tests
● Migration / Deployment tests
● Failure recovery tests
● Many different tools for this
● ...
25

26. Production Deploy
CloudFormation
● Exact same as non-production deploy
● Cannot be done without approval
● Know exactly what code & infrastructure
is in production by looking at your repo(s)
● Revert & Merge: Default rollback process!
26

27. Continuous Improvement
● A place and a process to make all other changes
● Trigger reviews for emergency changes
● Place to add new controls
● Place to include security checks and
auto-remediation
27

28. Benefits of Good Change Management
For your team
● Agility
● Safety
● Ease
● Continuous improvement
● Sleep at night
For your auditors
● Auditable, documented process
● Followed every release
● Produces evidence it was
followed
28

29. What to
Expect
✓ Who is this talk for?
✓ What is compliance
& why should you care?
✓ Change Management
● AWS Account Organization
● Access Control
● Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware
29

30. Organization Master Account
Security Logging Production
Staging
Test
Dev
CI / CD
30

31. Security Logging Production
Staging
Test
Dev
CI / CD
Organization Master Account
31

32. Organization Master Account
Production
Staging
Test
Dev
CI / CD
Security Logging
32

33. Organization Master Account
Production
Staging
Test
Dev
Security Logging
CI / CD
33

34. Organization Master Account
ProductionSecurity Logging
CI / CD
Staging
Test
Dev
34

35. Organization Master Account
Security Logging
CI / CD
Staging
Test
Dev
Production
35

36. Organization Master Account
Security Logging
CI / CD
Staging
Test
Dev
Audit Scope
Production
36

37. What to
Expect
✓ Who is this talk for?
✓ What is compliance
& why should you care?
✓ Change Management
✓ AWS Account Organization
● Access Control
● Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware
37

38. Organization Master Account
ProductionLogging
CI / CD
Staging
Test
Dev
Security
38

39. Organization Master Account
ProductionLogging
CI / CD
Staging
Test
Dev
Security
Vault
39

40. Organization Master Account
ProductionLogging
CI / CD
Staging
Test
Dev
Security
Identity Provider
40

41. Organization Master Account
ProductionLogging
CI / CD
DevSecurity
Identity Provider
41

42. Organization Master Account
ProductionLogging
CI / CD
DevSecurity
Identity Provider
42

43. Identity & Authentication
● Never use the root account
● Consider identity federation into one account to
manage users
● Use cross-account role assumption
● IAM users should have very limited privileges
● Use role assumption for “break glass” privilege
escalation when needed
43

44. What to
Expect
✓ Who is this talk for?
✓ What is compliance
& why should you care?
✓ Change Management
✓ AWS Account Organization
✓ Access Control
● Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware 44

45. Organization Master Account
Security Logging Production
Staging
Test
Dev
CI / CD
45

46. Each Account
CloudTrail
46

47. Each Account
CloudTrail
Logging
47

48. Each Account
CloudWatch
Logs
CloudTrail
Logging
48

49. Each Account
CloudWatch
Logs
CloudTrail
Logging
49

50. Each Account
VPC Flow
Logs
CloudWatch
Logs
CloudTrail
Logging
50

51. Each Account
VPC Flow
Logs
CloudWatch
Logs
Instances
Containers
Applications
CloudTrail
Logging
51

52. Each Account
VPC Flow
Logs
CloudWatch
Logs
CloudWatch
Alarms
Instances
Containers
Applications
CloudTrail
Logging
52

53. Logging Each Account
VPC Flow
Logs
CloudWatch
Logs
CloudWatch
Alarms
Instances
Containers
Applications
CloudTrail
53

54. Logging Each Account
VPC Flow
Logs
CloudWatch
Logs
CloudWatch
Alarms
Instances
Containers
Applications
CloudTrail
Ticketing
System
54

55. Each Account
Ticketing
System
Config
55

56. Each Account
Trusted
Advisor
Ticketing
System
Config
56

57. Each Account
Trusted
Advisor
GuardDuty
Ticketing
System
Config
57

58. What to
Expect
✓ Who is this talk for?
✓ What is compliance
& why should you care?
✓ Change Management
✓ AWS Account Organization
✓ Access Control
✓ Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware 58

59. Application Account
AZ 3
AZ 2
Public Subnet
AZ 1
AZ 3
AZ 2
Private Subnet
AZ 1
59

60. Application Account
AZ 3
AZ 2
Public Subnet
AZ 1
AZ 3
AZ 2
Private Subnet
AZ 1
60

61. Application Account
AZ 3
AZ 2
Public Subnet
AZ 1
AZ 3
AZ 2
Private Subnet
AZ 1
61

62. Application Account
AZ 3
AZ 2
Public Subnet
AZ 1
AZ 3
AZ 2
Private Subnet
AZ 1
62

63. Application Account
AZ 3
AZ 2
Public Subnet
AZ 1
AZ 3
AZ 2
Private Subnet
AZ 1
63

64. Application Account
AZ 3
AZ 2
Public Subnet
AZ 1
AZ 3
AZ 2
Private Subnet
AZ 1
64

65. Application Account
AZ 3
AZ 2
Public Subnet
AZ 1
AZ 3
AZ 2
Private Subnet
AZ 1
65

66. Encryption
66
● Encrypt everything at Rest and in Transit
● Rely on KMS where possible
● ACM & Route53 (or Let’s Encrypt) make https easy

67. What to
Expect
✓ Who is this talk for?
✓ What is compliance
& why should you care?
✓ Change Management
✓ AWS Account Organization
✓ Access Control
✓ Monitoring & Logging
✓ Encryption
● Availability & Durability
● Vulnerabilities & Malware 67

68. Availability and Durability
68
● Multi-AZ everywhere
● Cross-region backups, re-encrypted with KMS

69. What to
Expect
✓ Who is this talk for?
✓ What is compliance
& why should you care?
✓ Change Management
✓ AWS Account Organization
✓ Access Control
✓ Monitoring & Logging
✓ Encryption
✓ Availability & Durability
● Vulnerabilities & Malware 69

70. Application Account
AZ 3
AZ 2
Public Subnet
AZ 1
AZ 3
AZ 2
Private Subnet
AZ 1
70

71. Application Account
AZ 3
AZ 2
AZ 3
AZ 2
Private Subnet
AZ 1
Immutable:
Rebuild &
Replace
71

72. Application Account
AZ 3
AZ 2
AZ 3
AZ 2
Private Subnet
AZ 1
Patch & CVE
Feed
72
Ticketing
System

73. Application Account
AZ 3
AZ 2
AZ 3
AZ 2
Private Subnet
AZ 1
Read Only FS
Short Lifetime
73

74. Application Account
AZ 3
AZ 2
AZ 3
AZ 2
Private Subnet
AZ 1No SSH
74

75. Application Account
AZ 3
AZ 2
AZ 3
AZ 2
Private Subnet
AZ 1
75
Security
Groups
AWS WAF

76. Vulnerabilities & Malware
76
● Automate building new AMIs and Docker images
for each release
● Use services to scan for and notify you of new
CVEs or patches
● Use the AWS Linux AMI Security (ALAS) site and
RSS feed
● Regular Penetration Tests

77. Resources

78. Resources
Center for Internet Security (CIS) AWS Benchmarks
https://www.cisecurity.org/benchmark/amazon_web_services/
AWS CIS Benchmark QuickStart
https://github.com/awslabs/aws-security-benchmark
CloudFormation Template for CloudTrail alarms
https://github.com/aws-samples/
aws-cloudtrail-analyzer-workshop/blob/master/README.md
78

79. Conclusion
● Agile vs Compliance is a false choice
● Don’t be afraid of compliance
● Some simple best-practices will get you most of
the way there
● Invest in Change Management first
● Earn your customer’s trust!
79

80. https://catalytic.com
@wearecatalytic
ben@catalytic.com
@stochastic_code
Keep in Touch
80

81. Questions