Capital One is a leading global financial institution that has reimagined banking. Attend this session to learn how the company is governing and securing mission-critical infrastructure, its AWS environment, and its users and customers by building an integrated identity governance program that secures the organization and enables its workforce. Capital One shares its successes and lessons learned while building its identity strategy, and it covers what the company recommends that you consider when building or expanding your identity program. Learn how Capital One secures the wallet that it refers to when asking, “What’s in your wallet?”

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Capital One case study: Addressing compliance
and security within AWS
Kevin Bumgarner
Director of Software Engineering, IAM
Capital One
F N D 2 1 9
Jing Zhu
Head of Horizontal ISVs
Amazon Web Services

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
AWS security services and partner community
A journey to the cloud
Bumps in the road
Reducing the impact of compliance on developers
What’s next
Q&A

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automate
with deeply
integrated
security services
Inherit
global
security and
compliance
controls
Highest
standards
for privacy
and data
security
Largest
network
of security
partners and solutions
Scale with superior
visibility and
control
Move to AWS
Strengthen your security posture

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
The AWS security services ecosystem
Protect Detect Respond
Automate
Investigate
RecoverIdentify
AWS
Systems
Manager
AWS Config
AWS
Lambda
Amazon
CloudWatch
Amazon
Inspector
Amazon
Macie
Amazon
GuardDuty
AWS
Security Hub
AWS IoT
Device
Defender
KMSIAM
AWS
Single
Sign-On
Snapshot ArchiveAWS
CloudTrail
Amazon
CloudWatch
Amazon
VPC
AWS
WAF
AWS
Shield
AWS
Secrets
Manager
AWS
Firewall
Manager
AWS
Organizations
Personal
Health
Dashboard
Amazon
Route 53
AWS
Direct
Connect
AWS Transit
Gateway
Amazon
VPC
PrivateLink
AWS Step
Functions
Amazon
Cloud
Directory
AWS
CloudHSM
AWS
Certificate
Manager
AWS
Control
Tower
AWS
Service
Catalog
AWS Well-
Architected
Tool
AWS
Trusted
Advisor
Resource
Access
manager
AWS
Directory
Service
Amazon
Cognito
Amazon S3
Glacier
AWS
Security Hub
AWS
Systems
Manager

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Largest security partner community

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
A journey to the cloud

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Complete mediation of IAM users and role creation

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Enterprise—everyone has a key to the kingdom
Everyone has access to create IAM user or role
Ownership issue of IAM users and roles
Chaos about usage of users and roles
Difficult to manage access key and secret access key
Difficult to be cloud compliant
System maintenance issue due to conflicting policies of the IAM role

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Bumps in the road

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Considerations
Self-service IAM user and role creation
Users should have self-service capability to create IAM user and role with limited permissions
Pre-approved permissions—auto approved
Privileged permissions—follows approval cycle
Compliance policies enforced
Centralized IAM role policies management

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
SailPoint’s identity management
Optimized for hybrid IT environments
(mainframe, on-premises, cloud, or
SaaS applications)
Controls both structured and
unstructured data
Cloud AppsOn-premises
Apps
Devices
Unstructured
Data
Directories Structured
Data
Web Apps
Infrastructure
Built to manage all users,
employees, contractors, business
partners, or even bots
Four deployment models (data center,
public cloud, MSP, or SaaS)

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
We Put Identity at the Center of Security and IT
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
We Put Identity at the Center of Security and IT
Big Data
Access
Management
Privileged Account Mgmt.
SIEM
Systems Management
Service Management
GRC
Enterprise Mobility
Management
User Behavior Analysis
We put identity at the center of security and IT

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Complete mediation of IAM users
AWS Cloud
VPC
AWS Auto Scaling group
Availability Zone 1 Availability Zone 2
SailPoint IdentityIQ

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create IAM user
def create_user(client, resource_name):
print('Creating system ID as: {}...'.format(resource_name))
response = client.create_user(
Path='/',
UserName=resource_name)
print('System ID {} was successfully created.'.format(resource_name))

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create IAM role
def create_role(client, resource_name, role_type, policies, asv_ci):
if 'ecs' in role_type:
ecs_role_type = []
ecs_role_type.append('ecs.amazonaws.com’)
', '.join('{0}'.format(r) for r in ecs_role_type)
trust = establish_trust_ecs(client, ecs_role_type)
# create role
response = client.create_role(
Description='Custom IAM role for {}'.format(asv_ci),
Path='/',
RoleName=resource_name,
AssumeRolePolicyDocument=json.dumps(trust))

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity life cycle support
• Provision IAM users,
groups, policies; also
update roles
• Access requests to
AWS policies via
federated roles
• Certification of the
policy content and
membership
assignment

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Policy support
• AWS policy details
available
• Parse policy
statements to show
resources and
conditional elements

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Federation mapping
• Automated mapping of
enterprise directory
groups to AWS roles
• Following naming
conventions such as
“aws{account#}/{role
name}”

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Separation of duties policy rules
• Separation of duties
policy rules
• Ability to specify
elements within an
AWS policy when
creating violation
rules such as
resources and actions

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Reducing the impact of
compliance on
developers

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Access key rotation
AWS Cloud
VPC

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create access key
def create_access_keys(client, resource_name, aws_account, account_number):
print('Creating access keys for {}...'.format(resource_name))
# creates access keys
response = client.create_access_key(UserName=resource_name)
user_keys = {
'Status': 'Successful',
'AWSAccount': '{}'.format(aws_account),
'UserName': response['AccessKey']['UserName'],
'AccessKeyId': response['AccessKey']['AccessKeyId'],
'SecretAccessKey': response['AccessKey']['SecretAccessKey']}
print ('Access keys successfully created for {}.'.format(resource_name))
return user_keys

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Delete access key
def delete_access_keys(client, resource_name, access_key):
print(‘Deleting access keys for {}...'.format(resource_name))
# creates access keys
response = client.delete_access_key( AccessKeyId=access_key, UserName=resource_name)
return response

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What’s next

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Questions

27. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kevin Bumgarner Jing Zhu