DevopsDays Geneva 2020 - Compliance & Governance as Code

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark.
Compliance & Governance as code
DevopsDays Geneva 2020
AWS Solutions Architect
Jérôme Van Der LindenBashar Al-Fallouji
AWS Solutions Architect

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 2
Agenda
• Governance
• Norms & Processes
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• Remediation
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
• Assets
• CMDB
• Rules
• Remediation
… as code
• Governance
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• ILoveChurros
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
• Assets
• CMDB
• Rules
• IfYouCanReadThis
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• Remediation
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
• Assets
• CMDB
• Rules
• YouGotBetterEyesThanMe
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• Remediation
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
• Assets
• CMDB
• Governance
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• GreatAcronym
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
• Assets
• CMDB
• Rules

If only we had more time…

The professional adventures of Leon

Every BIG story has a humble beginning…

Every BIG stories have a humble beginning…
AWS Cloud
Amazon EC2
Amazon RDS MySQL
DNS
Storage (S3)Amazon EC2

Initial state

Frontend Dev Test Staging Prod
Backend Dev Test Staging Prod
AWS Account(s) at Unicorn Rentals

AWS Account as a Perimeter
Security/Resource
Boundary
Service Limits
Billing Separation

Why sometimes one isn’t enough?
AWS Account as a Perimeter
Many Teams Isolation
Security Controls Business Process
Billing

Frontend Dev
Backend
Analytics
AI/ML
AWS Accounts at Unicorn Rentals (simplified)

Image Source: https://pixabay.com/fr/photos/bureau-personnes-accus%C3%A9-accusant-2539844/
Product Owner +
Business Analyst
“Can you open
the service for
yesterday ?”
“It is not yet
deployed, we don’t
have the permission
to create an
instance.”
“We need to do
pen tests before.”
“I did not receive any
ticket to do so…”

Governance
Provision
Operate
Stability
Security & Compliance
Agility
Experiment
Be productive
Deliver faster

DevSecOps
Break down cultural barriers
Work as one team
Support business and IT agility
Collaborate and communicate
Assurance artifacts
Security Automation
Test, measure, and monitor
Culture
Process

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability
Zones Edge
Locations
Governance &
Risk
Business
• Culture of security and
continual improvement
• Ongoing audits and assurance
• Protection of large-scale
service endpoints
Security
Operations
Compliance
• Lead change
• Audits & assurance
• Protection of workloads,
shared services, interconnects
• MSB definition
• Cloud security operations
Product & Platform Teams
• MSB customization
• Application/Platform
infrastructure
• Security development
lifecycle
Enterprise
Security
Shared Responsibility in the Enterprise

Enable Governance at Scale
Set up a
landing zone
Establish
guardrails
Automate
compliant account
provisioning
Centralize identity
and access
Manage
continuously

Set up a
landing
zone
Establish
guardrails
Automate
compliant account
provisioning
Centralize identity
and access
Manage
continuously

What is a landing zone?
• A configured, secure, scalable, multi-account AWS
environment based on AWS best practices
• A starting point for net new development and
experimentation
• A starting point for migrating applications
• An environment that allows for iteration and extension
over time
H

AWS Organizations
Centrally govern and manage AWS accounts and resources
Control access and
permissions
Share resources across
accounts
Manage and define your
organization and accounts
Audit, monitor, and secure your
environment for compliance
Centrally manage costs and
billing

AWS Organizations
Organization
Member account
Master account
Organizational unit (OU)
Administrative root (of an Organization)
Service control policy (SCP)
Organization
OU (BU1) OU (BU2) OU (ADM)
ROOT

What accounts should I create?
Core Accounts
Security
AWS Organizations : Master Account
Shared
Services
Network
Log
Archive
Dev Pre-Prod
Team/BU/Project/… Accounts
Prod
Team
Shared
Services
Network Path
Developer
Sandbox
Developer Accounts Data Center
Orgs: Account management
Log Archive: Logs centralization
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: Direct Connect
Dev Sandbox: Experiments, Learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team Shared Services, Data Lake

InfoSec’s
Cross-
Account
Roles
AWS Account
Credential
Management
(“Root Account”)
Federation
Actions &
Conditions
Map
Enterprise
Roles
AWS
CloudTrail
Enabled
Baseline requirements for all accounts

AWS Control Tower
AWS Control Tower
Account Management Guardrail Enforcement
Landing
Zone
AWS Landing Zone AWS Organizations AWS Organizations

Set up a
landing zone
Centralize identity
and access
Manage
continuously
Automate
compliant account
provisioning
Establish
guardrails

AWS Service Catalog
UsersAdministrators
Standardize
Control
Govern
Agility
Self-Service
Time to Market
Allows organizations to create and manage
catalogs of IT services and software on AWS
Users can quickly deploy approved IT
services in a self-service manner.

AWS Service Catalog
üConstrains
üSecurity controls
üParameter validation
üIAM assignment
üTag enforcement
Standardizes best practices
CloudFormation
or Terraform
AWS Product/Service
AWS
Marketplace
third-party
products
Customer-
Created AWS-
Based
Solution
AWS Service
Catalog
Admin

Enable Governance at Scale: Preventive Guardrails
Set up a
landing zone
Automate
compliant account
provisioning
Centralize identity
and access
Manage
continuously
Establish
guardrails

Preventive Guardrails with Service Control Policies (SCPs)
• Enables to control which AWS service APIs are accessible
• Define the list of APIs that are allowed – Whitelisting
• Define the list of APIs that must be blocked – Blacklisting

Inventory resources – the importance of Tags
• Operational support
• Resource management
• Cost & Usage allocation
• Enable cost and usage reporting and alerting
• Automation
• Trigger automation events
• Control & compliance
• Attribute based access control

Inventory resources – Build a Tagging strategy
Define a tagging
taxonomy
Publish a tagging
dictionary
Define the
“rules of the game”
Enforce rules
lob=[HR|Fin|…]
cost-center=[C2309|…]
owner=project-lead@comp.com
application=Titan
name=Titan-Backend-Database
env=[dev|test|prod]
version=2.0.1
confidentiality=[Confidential|…
…|Public]
BusinessTechnicalSecuAuto
Confidentiality
Opt-in/Opt-out

Catch up untagged resources with Resources Groups Editor

Automate: On-Create Tagging with CloudFormation
VPC:
Type: 'AWS::EC2::VPC'
Properties:
CidrBlock:
'10.42.0.0/16’
Tags:
- Key: Name
Value: '10.42.0.0/16’
- Key: CostCenter
Value: ‘C3409’
- Key: Environment
Value: ‘prod'

Enforce Tagging with Service Control Policies
{
"Version": "2012-10-17",
"Statement": [
{
"Sid":
"DenyRunInstanceWithNoCostCenterTag",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"Null": {
"aws:RequestTag/CostCenter": "true"
}
}
}
]
}

From: Hans Zummer <Hans.Zummer@unicorn-rentals.ch>
Date: Monday, 3 February 2018 at 11:00
To: “Leon” <leon@unicorn-rentals.ch>
Subject: SSH Access to our servers
I’ve been told by one of my security engineers that the VM daniela-0042 has SSH open to the world!
Can you tell me what happened ?
Regards,
Hans
Head of Security

Capture and analyze activity with AWS CloudTrail
Capture
Record activity as
CloudTrail events
Act
Trigger actions
when important
events are detected
Store
Retain events logs in
secure S3 bucket
Review
Analyze recent
events and logs with
Amazon Athena or
CloudWatch Logs
Insights

Investigate a resource configuration change with CloudTrail

That’s nice but can how can you DETECT IT FASTER and
AVOID this TO HAPPEN AGAIN?
Re: SSH Access to our servers

Enable Governance at Scale: Detective Guardrails
Set up a
landing zone
Automate
compliant account
provisioning
Centralize identity
and access
Manage
continuously
Establish
guardrail
s

R
u
l
e
Configuration management
R
u
l
e
R
u
l
e

Configuration management with AWS Config
• Continuous recording and continuous assessment service
• Tracks configuration changes to AWS resources
• Alerts you if the configuration is non-compliant with your policies
• Automated remediation of non-compliant resources
• Control and manage custom resources
AWS ConfigChanging resources Normalized Config rules
Amazon SNS Topic
CloudWatch Events
AWS Systems Manager
Automation
AWS API Endpoint

Detect non-compliance with AWS Config Rules
• Config Rules represent the ideal configuration settings
• Config Rules are triggered on each resource configuration
change
• AWS provides more than 120 managed Rules
• Ex: Approved AMIs, Enforce Tags, EBS Volumes encrypted, RDS multi-AZ,
CloudTrail enabled, MFA Enabled, S3 Public Read prohibited, …
120+AWSConfigManagedRules
• … and Restricted SSH

Remediate to non-conformity with AWS Systems Manager Automation
• Automate common and repetitive IT operations and management tasks
• 60+ Predefined ”Documents” (or Playbooks) describe actions to perform
• Ex: AttachIAMToInstance, CreateSnapshot, ResizeInstance, DisableS3BucketPublicReadWrite…
• … and DisablePublicAccessForSecurityGroup

Enforce conformity with Config Rules and Systems Manager

Simplify compliance check with AWS Security Hub

Compliance - Custom Rule Example
Rule.Lambda.001 :
“Any environment
variable defined in a
Lambda function must
be encrypted using a
Customer Master Key”

How to get started
• Control Tower: Setup your multi-account AWS environment
• https://aws.amazon.com/controltower/

How to get started
• Define your Tagging Strategy and enforce it with policies
• https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html

How to get started
• Enable Security Hub and CIS AWS Foundations Compliance Checks
• https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html

How to get started
• Enable AWS Config and setup Config Rules with Auto-Remediations
• https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html
• Quick start: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
• Build your own: https://github.com/awslabs/aws-config-rules & https://github.com/awslabs/aws-config-rdk

Thank you !
http://bit.ly/2utnjM2

DevopsDays Geneva 2020 - Compliance & Governance as Code

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to DevopsDays Geneva 2020 - Compliance & Governance as Code

Similar to DevopsDays Geneva 2020 - Compliance & Governance as Code (20)

More from jeromevdl

More from jeromevdl (13)

Recently uploaded

Recently uploaded (20)

DevopsDays Geneva 2020 - Compliance & Governance as Code