2. What to Expect
● Who is this talk for?
● What is compliance & why should you care?
● Change Management
● AWS Account Organization
● Access Control
● Monitoring & Logging
● Encryption
● Vulnerabilities & Malware
6. What to Expect
✓ Who is this talk for?
● What is compliance & why should you care?
● Change Management
● AWS Account Organization
● Access Control
● Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware
7. Catalytic’s Compliance Story
● Founded 3 years ago
● B2B SaaS
● 50 Employees
● 1 in-house former auditor
● HIPAA & SOC 2 in 4 months with 3 engineers
● Opened the door to many F500 & healthcare customers
8. Why care about compliance?
Laws & Regulations
Unlock Sales
Safe Agility
Happy Team
11. Why care about compliance?
Laws & Regulations
Unlock Sales
Safe Agility
Trust
14. Audits
Before
Get Help!
Choose Targets
Choose Auditor
Document
Evaluate Readiness
During
Point Person
Walkthrough
Review Policies
Review Controls
Gather Evidence
After
Maintain Process
Periodic Reviews
Track Changes
Keep Evidence
Notify
17. What to Expect
✓ Who is this talk for?
✓ What is compliance & why should you care?
● Change Management
● AWS Account Organization
● Access Control
● Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware
18. Change Management
Risks
● Broken functionality (Availability)
● Introduce a vulnerability
● Introduce a time bomb
● Introduce a back door
● Weaken a protection
Controls
● Infrastructure as Code
● Code Review
● Realistic, Isolated Dev / Test Environments
● Continuous Integration
● Continuous Deployment
● Static Analysis
● Vulnerability Scanning
20. Ticket System
● Tracks every change request
● Tickets remain open until closed
● Comments and discussion matter to your auditors!
● GitHub
● Jira
● Catalytic
● Many others ...
21. Code Repository
● Record of *every* change made
● When
● By Whom
● Why
● Comments and discussion matter to your auditors!
● GitHub
● GitLab
● AWS CodeCommit
● BitBucket
● ...
22. Continuous Integration & Deployment
CodeBuild
● Automated Tests for every change
● Test Coverage
● Static Analysis
● Vulnerability / CVE checks
● Reproducible Builds (AMIs, Docker Images, CF Templates)
● The Only IAM role with Deploy rights
● AWS CodeBuild
● CircleCI
● Jenkins
● CodeShip
● ...
23. Infrastructure as Code
CloudFormation
● Safely deploy infrastructure changes many times per day
● Auditable log of infrastructure changes alongside code changes
● Reproducible infrastructure changes
● Same dev / test / approve / deploy process for infrastructure changes
● Reduces the most catastrophic kinds of errors
● Encourages immutable infrastructure
● AWS CloudFormation
● Terraform
● Mutable: Chef, Ansible, Puppet, Salt
● ...
24. Code Review
● Every change gets reviewed and approved
● Security Review
● Reduces risks
● Spreads knowledge through your team
● Escalate riskier changes
● Capture reasoning in discussions
● GitHub
● GitLab
● Jira
● BitBucket
● ...
25. Testing
Manual + Automated
● Test application & infrastructure changes together
● Automated End-to-end tests
● Manual QA Tests
● Migration / Deployment tests
● Failure recovery tests
● Many different tools for this
● ...
26. Production Deploy
CloudFormation
● Exact same as non-production deploy
● Cannot be done without approval
● Know exactly what code & infrastructure is in production by looking at your repo(s)
● Revert & Merge: Default rollback process!
27. Continuous Improvement
● A place and a process to make all other changes
● Trigger reviews for emergency changes
● Place to add new controls
● Place to include security checks and auto-remediation
28. Benefits of Good Change Management
For your team
● Agility
● Safety
● Ease
● Continuous improvement
● Sleep at night
For your auditors
● Auditable, documented process
● Followed every release
● Produces evidence it was followed
29. What to Expect
✓ Who is this talk for?
✓ What is compliance & why should you care?
✓ Change Management
● AWS Account Organization
● Access Control
● Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware
37. What to Expect
✓ Who is this talk for?
✓ What is compliance & why should you care?
✓ Change Management
✓ AWS Account Organization
● Access Control
● Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware
43. Identity & Authentication
● Never use the root account
● Consider identity federation into one account to manage users
● Use cross-account role assumption
● IAM users should have very limited privileges
● Use role assumption for “break glass” privilege escalation when needed
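The trust policy is where the cross-account and break-glass advice above is enforced. As an added example (not from the talk), this audits a role's trust policy for the properties the slide recommends: only the named identity account may assume the role, no wildcard principals, and MFA is required. All policies and account IDs below are constructed placeholders.

```python
"""Added example (not from the talk): audit an IAM role trust policy for the
properties the slide recommends: only the named identity account may assume
the role, no wildcard principals, and MFA is required so role assumption can
serve as the "break glass" control. Account IDs below are placeholders."""

def _as_list(value):
    """IAM allows scalars or lists for most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy: dict, allowed_accounts: set) -> list:
    """Return findings for every Allow statement granting sts:AssumeRole; empty means OK."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*":
                findings.append("wildcard principal can assume the role")
                continue
            # Both "arn:aws:iam::<acct>:root" and a bare "<acct>" name an account.
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account not in allowed_accounts:
                findings.append(f"principal from unexpected account {account}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("statement does not require MFA")
    return findings

# Constructed identity account (placeholder ID) that federated users sign in to.
ALLOWED_ACCOUNTS = {"111111111111"}

# Constructed trust policy for a break-glass admin role in a workload account.
BREAK_GLASS_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Constructed weak policy: any principal may assume the role, and no MFA is required.
WEAK_TRUST = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
```

Run `audit_trust_policy` over every role's `AssumeRolePolicyDocument` (from `iam list-roles`) to turn the slide's guidance into a repeatable check.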
44. What to Expect
✓ Who is this talk for?
✓ What is compliance & why should you care?
✓ Change Management
✓ AWS Account Organization
✓ Access Control
● Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware
58. What to Expect
✓ Who is this talk for?
✓ What is compliance & why should you care?
✓ Change Management
✓ AWS Account Organization
✓ Access Control
✓ Monitoring & Logging
● Encryption
● Availability & Durability
● Vulnerabilities & Malware
66. Encryption
● Encrypt everything at Rest and in Transit
● Rely on KMS where possible
● ACM & Route53 (or Let’s Encrypt) make https easy
67. What to Expect
✓ Who is this talk for?
✓ What is compliance & why should you care?
✓ Change Management
✓ AWS Account Organization
✓ Access Control
✓ Monitoring & Logging
✓ Encryption
● Availability & Durability
● Vulnerabilities & Malware
69. What to Expect
✓ Who is this talk for?
✓ What is compliance & why should you care?
✓ Change Management
✓ AWS Account Organization
✓ Access Control
✓ Monitoring & Logging
✓ Encryption
✓ Availability & Durability
● Vulnerabilities & Malware
76. Vulnerabilities & Malware
● Automate building new AMIs and Docker images for each release
● Use services to scan for and notify you of new CVEs or patches
● Use the AWS Linux AMI Security (ALAS) site and RSS feed
● Regular Penetration Tests
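Watching the ALAS RSS feed only pays off if advisories are matched against what is actually baked into your images. As an added example (not from the talk), this parses a feed in the ALAS shape and flags advisories that name an installed package, which is the trigger for rebuilding the AMI. The feed text, advisory IDs and package manifest below are constructed samples, and the title layout is an assumption.

```python
"""Added example (not from the talk): match ALAS security RSS entries against
the packages baked into an image, so a new advisory for an installed package
triggers a rebuild. The feed below is a constructed sample in the feed's shape;
advisory IDs are placeholders."""
import re
import xml.etree.ElementTree as ET

# Assumed title shape: "ALAS-<year>-<n> (<severity>): <pkg>[, <pkg>...]"
TITLE_RE = re.compile(r"^(?P<id>ALAS-\d{4}-\d+)\s+\((?P<severity>\w+)\):\s*(?P<pkgs>.+)$")

def parse_alas_feed(rss_text: str) -> list:
    """Return one dict per advisory item: id, severity, packages, link."""
    advisories = []
    for item in ET.fromstring(rss_text).iter("item"):
        m = TITLE_RE.match((item.findtext("title") or "").strip())
        if not m:
            continue  # skip items that do not look like advisories
        advisories.append({
            "id": m["id"],
            "severity": m["severity"].lower(),
            "packages": [p.strip() for p in m["pkgs"].split(",")],
            "link": (item.findtext("link") or "").strip(),
        })
    return advisories

def affected(advisories: list, installed: set, min_severity: str = "medium") -> list:
    """Advisories at or above min_severity that name a package in `installed`."""
    rank = {"low": 0, "medium": 1, "important": 2, "critical": 3}
    return [a for a in advisories
            if rank.get(a["severity"], 0) >= rank[min_severity]
            and installed.intersection(a["packages"])]

# Constructed feed sample; the real feed is https://alas.aws.amazon.com/alas.rss
SAMPLE_FEED = """<rss version="2.0"><channel><title>Amazon Linux AMI Security Bulletins</title>
<item><title>ALAS-0000-0001 (important): kernel</title>
<link>https://alas.aws.amazon.com/ALAS-0000-0001.html</link></item>
<item><title>ALAS-0000-0002 (low): curl, libcurl</title>
<link>https://alas.aws.amazon.com/ALAS-0000-0002.html</link></item>
<item><title>ALAS-0000-0003 (critical): openssl</title>
<link>https://alas.aws.amazon.com/ALAS-0000-0003.html</link></item>
</channel></rss>"""

# Constructed package manifest of the current AMI (e.g. from rpm -qa --qf '%{NAME}\n').
INSTALLED = {"kernel", "curl", "bash"}
```

Feed the manifest of each released AMI into `affected` on every feed poll; a non-empty result is the signal to cut a new image through the same CI pipeline described earlier.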
78. Resources
Center for Internet Security (CIS) AWS Benchmarks
https://www.cisecurity.org/benchmark/amazon_web_services/
AWS CIS Benchmark QuickStart
https://github.com/awslabs/aws-security-benchmark
CloudFormation Template for CloudTrail alarms
https://github.com/aws-samples/aws-cloudtrail-analyzer-workshop/blob/master/README.md
79. Conclusion
● Agile vs Compliance is a false choice
● Don’t be afraid of compliance
● Some simple best-practices will get you most of the way there
● Invest in Change Management first
● Earn your customers’ trust!