1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Continuous Compliance on AWS at Scale
SID313
November 29, 2017
Peter Meister | pmeister@2ndwatch.com
2nd Watch Director, Product Management
Lars Cromley | lcromley@2ndwatch.com
2nd Watch Director of Engineering, Automation
2. What to expect in this session
• Cloud compliance and security on AWS
• Engineering for compliance
• Compliance automation
• Live demo
• Business outcomes and takeaways
3. Engineering Compliance & Security
4. Continuous Compliance & Cloud Security
5. Configuration Management
• Management tools and processes
• Maintain and strictly enforce enterprise configuration
• Automated procedure to enforce configuration
• Analyzing data to derive knowledge for continuous monitoring and compliance
6. Compliance Standards
• Unified compliance processes and frameworks
• Stronger compliance standards
• Catalogs for continuous compliance
• Bring the skills from the data center to the cloud
7. Governance, Risk, & Compliance
Policy & Procedure
• Traditional compliance approaches
• Risk-based security and compliance framework
• People, process and technology
• PAG: be prescriptive
Cloud Security
• Cloud security and continuous monitoring
• Security defense in depth
• Endpoint to server: protect the entire platform
8. Benefits of Cloud Compliance on AWS
• Protection improvements
• Unplanned changes
• Configuration enforcement
• Configuration management
• Improved reusability
• Prescriptive and programmatic management
9. Engineering for Compliance
10. Building Compliant Environments
• Unique for each organization
• Vertical-based, coupled to regulatory requirements
• Accelerated with tools
• InSpec: compliance-as-code
• Think compliance by design
11. Compliance Templates
• Accelerate and deploy security-focused environments
• AWS meets compliance across a broad range
• AWS Enterprise Accelerator: compliance offerings
• PCI-DSS, NIST, OMB TIC, DoD
• AWS CloudFormation templates to support automation and deployment
12. Operations Tooling
• Having the right tools is essential
• Combining operations management tools is best practice
• Utilize provisioning tools and configuration management tools
• Utilize orchestration and automation tools and monitoring tools
• AWS CodeDeploy
• AWS CodePipeline
13. Configuration Management
• Reduce complexity of configuring distributed infrastructure and resources
• Speed and agility to perform configuration at scale
• Puppet, Chef, Ansible, SaltStack provide rich capabilities
• Engineering for compliance
14. Automation & Continuous Compliance
15.
We had based workload supportability and service level on a set of tags.
If new infrastructure was created, we needed to know the environment, service level, who created it, whether they followed the approved process, etc.
16. Specifically, these resources…
17. Business logic, based on a mutable asset in an environment that encourages ephemeral architecture and elasticity?
18. What could possibly go wrong?
19. Our Task
To leverage the AWS Config service, creating a rule to look for our specific tags, alert when those tags are not present, and then apply said tags to said resource.
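A worked version of the check described in that task, added here as an example and not 2nd Watch's code from the session: a custom AWS Config rule handler that inspects the configuration item's tags, reports NON_COMPLIANT with the missing keys in the annotation, and sends the evaluation back with put_evaluations. The required tag keys, the requiredTags rule parameter, and the sample invocation event are assumptions; the tag-remediation step is not included.

```python
import json

REQUIRED_TAGS = ('Environment', 'ServiceLevel', 'Owner')   # assumed tag keys; not from the deck

def missing_tags(tags, required=REQUIRED_TAGS):
    """Return the required keys that are absent or empty in a resource's tag map."""
    tags = tags or {}
    return [k for k in required if not tags.get(k)]

def evaluate(event):
    """Turn a custom-rule invocation event into one Config evaluation record."""
    invoking = json.loads(event['invokingEvent'])
    item = invoking['configurationItem']
    params = json.loads(event.get('ruleParameters') or '{}')
    # the rule parameter overrides the default key list, e.g. "requiredTags": "Environment,Owner"
    required = [k.strip() for k in params.get('requiredTags', ','.join(REQUIRED_TAGS)).split(',')]
    if item.get('configurationItemStatus') in ('ResourceDeleted', 'ResourceDeletedNotRecorded'):
        compliance, note = 'NOT_APPLICABLE', 'resource deleted'
    else:
        missing = missing_tags(item.get('tags'), required)
        compliance = 'NON_COMPLIANT' if missing else 'COMPLIANT'
        note = 'missing tags: ' + ', '.join(missing) if missing else 'all required tags present'
    return {
        'ComplianceResourceType': item['resourceType'],
        'ComplianceResourceId': item['resourceId'],
        'ComplianceType': compliance,
        'Annotation': note[:256],                       # Config caps annotations at 256 chars
        'OrderingTimestamp': item['configurationItemCaptureTime'],
    }

def handler(event, context):
    # boto3 is imported here so evaluate() can be exercised without AWS credentials
    import boto3
    evaluation = evaluate(event)
    boto3.client('config').put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event['resultToken'])
    return evaluation

# constructed sample of a Config invocation for an EC2 instance missing two required tags
SAMPLE_EVENT = {
    'invokingEvent': json.dumps({'configurationItem': {
        'resourceType': 'AWS::EC2::Instance', 'resourceId': 'i-0123456789abcdef0',
        'configurationItemStatus': 'OK',
        'configurationItemCaptureTime': '2017-11-29T00:00:00.000Z',
        'tags': {'Name': 'web-1', 'Environment': 'prod'}}}),
    'ruleParameters': json.dumps({'requiredTags': 'Environment,ServiceLevel,Owner'}),
    'resultToken': 'placeholder-result-token',
}
```

Deleted resources are reported as NOT_APPLICABLE so a terminated instance does not linger as a non-compliant finding; an empty tag value counts as missing, since a blank ServiceLevel is as useless to the support process as an absent one.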
20.
21. Code
import json
import boto3

CONFIG_RULE_NAME = 'required-tags'   # assumed; set to the name of the deployed Config rule
NOT_COMPLIANT = 'NON_COMPLIANT'      # AWS Config compliance type for a failing resource

def log_start_info():
    print('handler start')

def log_if_debug(event):
    if event.get('debug'):           # dump the raw event when a debug flag is passed
        print(json.dumps(event))

def handler(event, context):
    # log some init stuff
    log_start_info()
    # handle debug event arg
    log_if_debug(event)
    # for each item, process the S3 object named in the record (assumes an S3 event trigger)
    for record in event.get('Records', []):
        process(record['s3']['bucket']['name'], record['s3']['object']['key'])

def process(bucket, key):
    s3 = boto3.client('s3')          # get_object is a client method, not a resource method
    obj = s3.get_object(Bucket=bucket, Key=key)
    body = json.loads(obj['Body'].read())
    msg = json.loads(json.loads(body['raw_event'])['Message'])   # unwrap the SNS envelope
    if msg['configRuleName'] == CONFIG_RULE_NAME and msg['compliance'] == NOT_COMPLIANT:
        # CALL ALERT SERVICE
        print('non-compliant resource reported by rule ' + CONFIG_RULE_NAME)
22. Building Autonomous Systems
23. Automated Systems Need Love, Too
24. The Reality
25. Live Technical Demo
26. Business Outcomes
• Compliance and security from a 360-degree vision
• Security awareness and accountability
• Continuous CI/CD flow
• Continuous compliance is a journey
27. Takeaways
“Digital business is essentially software, which means that
organizations that expect to thrive in a digital environment must
have an improved competence in software delivery.”
– Laurie Wurster, Research Director – Gartner
28. Thank you!
Visit us at: www.2ndwatch.com
Engage with us @2ndwatch
Visit us at our booth: 1104