AWS Cloud Governance & Security through Automation - Atlanta AWS Builders

1. Atlanta AWS Builders - AWS Cloud Governance & Security through Automation Jason Lutz - DevOps Consultant James Strong - Cloud Native Director 8/20/2020

3. ● 360~ people ● 500+ engagements ● 250+ customers First Customers Financial Services Global Oﬃces A Brief History of Time 3 Contino is a global Digital Transformation Consultancy. We specialize in helping highly-regulated enterprises transform faster, modernizing their product delivery with Cloud Computing, Data & FinOps. Founded 2014 October 2019 Key Industries ● Manufacturing ● Banking & Financial Services ● Telecommunications ● Public Sector & Healthcare ● Travel & Transport

4. Speakers

5. Speakers

6. 6 The DevSecOps & Cyber Security Practice DevSecOps & Cyber Security Practice Where can Contino optimise your security posture? We treat security as a ﬁrst class citizen. Security & Risk Management 3 Apply evidence based controls and governance, that are supported by data and industry best practice. Regulatory aligned governance frameworks that provide rigour & control, with speed in mind. Security Operating Model 2 Establish team structures and operating procedures for a proactive posture. Right sized, structured and skilled workforces to support multi speed enterprise delivery. Move fast and remain secure. Security Advisory & Education 1 Learn new skills and prepare for constantly evolving protagonists. Setting the right path to remain secure in a rapidly evolving digital environment and establishing a baseline security posture. Example Customer Outcomes: 60% effort reduction in administering security controls through automated solutions. 65% faster MTTD and remediation of security vulnerabilities. 16,000 person days saved by automating risk management controls. Remediation of critical vulnerabilities to offset instances of crypto-mining and ransomware. 100% compliance rating with CIS & NIST benchmarks. Industry leading security posture as validated by 3rd party auditors across FS, Healthcare and Public Sector. Security Engineering 4 Best of breed cloud native security solutions, underpinned by Red/Blue Team concepts. Proactive security solutions, integrated with detection, prevention and notiﬁcation systems that have automation at their core. Security Enabled Lighthouse Projects 5 New working practices, tooling and team structures to reduce MTTD of Security vulnerabilities and attacks. Building upon foundational security posture by introducing Security Chaos Engineering and patterns to support advanced attacker techniques across your technology estate.

7. Security is properly integrated into the software development lifecycle (SLDC). Early fast feedback is valued over retrospective corrections. Security is a ﬁnal hurdle/ set of gated checks added to the end of the process Traditional Security vs DevSecOps - DevSecOps 101 Development Commit Build Test Deploy Automated Tests Automated Security Early Feedback Security Validation Code Quality Validation Security Policy Checks Security Requirements Documentation Development Manual Security Tests Manual Penetration Tests Manual Checks Exceptions Manual Signoffs Re-Work Deploy? X Automated Builds Automated Deployment All changes Treated as code

8. Beneﬁts of DevSecOps ● Speed of Delivery ● Speed of Recovery ● Immutable Infrastructure ● Security Auditing, Monitoring, and Notiﬁcation Systems ● Security is Federated ● DevSecOps Fosters a Culture of Openness and Transparency

9. A DevSecOps culture means: ● Communication ● Customer Focused Organization ● Agility and Security ● Ownership “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.” - MIT Professor Jerome Saltzer. Creating A Culture of Security - DevSecOps 101

10. AWS Shared Responsibility Model Source: https://aws.amazon.com/compliance/shared-responsibility-model/

11. Enterprise Security Compliance: ● Security Program ● Security Framework Enterprise Security Compliance Cloud Security Program Workload & Network Security Cloud Security Program: ● Cloud Security Posture Management ● Workload and Network Security

12. NIST CSF ➔ Framework Tiers ➔ Tier 1: Partial ➔ Tier 2: Risk Informed ➔ Tier 3: Repeatable ➔ Tier 4: Adaptive

13. Compliance & Governance Identify Security Hub, Organizations, Control Tower, Trusted Advisor, Service Catalog, Conﬁg, Systems Manager Protect VPC, IoT Device Defender, Direct Connect, Resource Access Manager, Directory Services, AWS Shield, IAM, Secrets Manager, KMS, Cognito, WAF, FW Manager, Cert. Manager HSM, SSO Detect GuardDuty, Macie, Inspector, SecurityHub Respond Automate: CloudWatch, Systems Manager, Lambda Investigate: CloudWatch, CloudTrail, Health Dashboard, Route 53 Recover S3, Glacier

14. Compliance and Governance on AWS Services & Tools AWS Artifacts (Identify) AWS CloudTrail (Detect) AWS Conﬁg (Detect & React) AWS Trusted Advisor (Detect) AWS Inspector (Detect) AWS SSM (Protect & Respond) AWS ECR (Detect, Protect) AWS CloudWatch (Detect & Respond) AWS EBS (Protect) AWS S3 (Protect) AWS KMS (Protect) AWS Security Hub (Identify, Detect, Protect, Respond, Recover) Best Practices AWS Security Best Practices AWS Well Architected Framework CIS AWS Benchmarks

15. Compliance and Governance on AWS Services & Tools AWS Artifacts (Identify) AWS CloudTrail (Detect) AWS Conﬁg (Detect & React) AWS Trusted Advisor (Detect) AWS Inspector (Detect) AWS SSM (Protect & Respond) AWS ECR (Detect, Protect) AWS CloudWatch (Detect & Respond) AWS EBS (Protect) AWS S3 (Protect) AWS KMS (Protect) AWS Security Hub (Identify, Detect, Protect, Respond, Recover) Best Practices AWS Security Best Practices AWS Well Architected Framework CIS AWS Benchmarks

16. AWS Conﬁg & Conﬁg Aggregator

17. Cloud Service Provider and Account Security Identity and Access Management (IAM) - root, credentials, password policies, MFA, etc. Logging - CloudTrail, CloudWatch, S3 access, VPC Flow Logs, KMS/CMKs Monitoring - Log metrics/alarms: api’s, root, S3 changes, network changes Networking - check for ingress, default security group settings, VPC peering least access

18. CIS and Account Security on AWS

21. CIS Benchmark Demo Prowler

22. Multi Account Architecture of Security Hub

23. Network Security AWS Security Hub Demo https://www.contino.io/insights/aws-config-aggregator-compliance

24. Workload Security NIST Special Publication 800-190 Application Container Security Guide ● Major Risks for Core Components of Container Technologies ● Countermeasures ● Container Threat Scenarios ● Security Considerations for Container Technology Life Cycles NIST Special Publication 800-204 Security Strategies for Microservices-based Application Systems CIS Benchmarks Docker & Kubernetes CIS Hardening Guides for Operating Systems & Server Applications

25. Workload Security AWS Demo Container Security

26. As you move to an infrastructure as code approach, Enterprises will also have the potential to integrate compliance and security as code into your infrastructure development pipelines. This enables your application and infrastructure teams to deliver software innovation in a controlled, secure, compliant and governed manner using automation rather than manual reviews and audits. For more thought leadership on DevSecOps please visit the following URLs: ● A Quick Compliance As Code Demo: https://www.contino.io/insights/devsecops-quick-compliance-as-code ● Compliance As Code On AWS: https://www.youtube.com/watch?v=HxFCFaCweIc ● Enter The Vault: https://www.youtube.com/watch?v=e_pBreicARM&t=17s&ab_channel=Contino ● The ‘Why’ & ‘How’ Of DevSecOps: https://www.youtube.com/watch?v=uyGwFytQrNs ● Introduction To DevSecOps White Paper: https://www.contino.io/resources/devsecops-best-practice-guide Contino Approach To DevSecOps

27. Atlanta atlanta@contino.io Thank You contino.io continohq contino London london@contino.io New York newyork@contino.io Melbourne melbourne@contino.io Sydney sydney@contino.io