The document discusses tools for managing and governing cloud environments using AWS. It describes challenges with using traditional IT tools at cloud scale and how AWS services enable both governance and agility. These services include AWS CloudFormation for provisioning resources, AWS Service Catalog for standardized templates, AWS Organizations for account management, and AWS Config and CloudTrail for operations and compliance management. The document advocates taking a programmatic approach to defining, discovering, monitoring, managing and responding to cloud resources and changes.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Management & Governance:
Control for your cloud environment
using AWS management tools
Darko Meszaros
Solutions Architect
M M M 1

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cloud management challenges
Traditional IT toolset not
built for cloud scale
infrastructure
Deploying multiple
products is a
significant overhead
Licensing costs
and complexity
Maintaining
enterprise-wide visibility
is challenging
Managing cloud and hybrid environments using a traditional
toolset is complex and costly

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
- Define
- Discover
- Monitor
- Manage
- Report
- Respond
- Agility
- Innovation
Governance
Developmentspeed
The challenge of governance vs. agility

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
With AWS you can programmatically:
• Define provisioning and configuration
of resources
• Continuously discover new resources
and changes to existing resources
• Monitor resources and operations for
compliance
• Manage, report on, and respond to
changes to your resources
- Define
- Discover
- Monitor
- Manage
- Report
- Respond
- Agility
- Innovation
Governance
Developmentspeed
AWS enables you to do both

5. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Services to improve governance and agility
Integrated & interoperable

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Provisioning
• Programmatically describe and
automate resource creation
• Limit user access to provision only
approved resources from a catalog
• Automate new account provisioning
• Provision across all regions and
accounts securely

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS CloudFormation
• Automate creation of over 300 types of AWS resources
• Update safely with stabilization and rollback
• Deploy many app architectures: Compute, containers, serverless
Code in YAML or JSON
directly or use sample
templates
Upload local
files or from an
S3 bucket
Create stack
using console, API
or CLI
Stacks and
resources are
provisioned

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Service Catalog
• Create & share immutable best practices templates
• Limit access to underlying AWS services
• Enable turn-key self-service solutions for all end-users
Product
AWS
Resource
 Logging
 Security
 Encryption
 Naming
 Tag options
 Immutable config
 Parameter control
 Access control
Best practices
standardized in
template

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Organizations
Key features
• Simplified creation of new
AWS accounts programmatically
• Logically group AWS accounts
for management convenience
• Apply organizational policies
to control access to AWS services
• Consolidate billing and usage
(including RIs and EDPs) across
all accounts into a single bill
• Enable multi-account functionality
for AWS services through integrations
(e.g., CloudTrail, Config, Firewall
Manager, Service Catalog, etc.)
A6
A8
A1
A5
A4
A3
A2
A9
A7
organization
OU
root
DEV TEST
PROD
APP1
APP2

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Control Tower (Preview)
Automated AWS setup
Launch an automated landing zone
with best-practices blueprints
Policy enforcement
Pre-packaged guardrails to enforce
policies or detect violations
Dashboard for oversight
Continuous visibility into workload
compliance with controls
Preview released Q4 2018
– Automated landing zone with AWS Organizations & shared
accounts for log archive, audit, and shared services
– Federated IAM through AWS SSO
– Mandatory and strongly-recommended guardrails
– Account factory for provisioning in AWS Service Catalog
– Dashboard for environment summary and guardrail
compliance

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Configuration management
• Use code to automate the
configuration of your servers
• Automate how servers are
configured, deployed, and managed
across hybrid environments
• Make adjustments quickly when
requirements change

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS OpsWorks
• Provide managed configuration management servers
• Supports Chef Automate and Puppet Enterprise
• Use configuration management DSL to enforce configuration

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Monitoring
• Collect and track metrics
• Collect and monitor log files
• Set alarms
• Automatically react to changes in
your AWS resources

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Amazon CloudWatch
CloudWatch is a monitoring service
for AWS cloud resources and
applications you run on AWS or on-
premises
Monitor EC2Spot trends
Set alarms -
events
Monitor & store
logs
Create dashboards
Troubleshoot
Centralize
monitoring

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Operations & compliance management
• Control your resources with proper
governance and compliance
• Track user activity and API usage
• Inventory and track resources
configuration changes
• Easily view all your resources and
automate common operational
tasks

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS CloudTrail
• Keep track of API usage in a single location, simplifying audit and compliance processes
• Perform security analysis and detect user behavior patterns across services, users, and accounts
• Stay alert to data exfiltration risks by collecting activity data on Amazon Simple Storage
Service (Amazon S3) objects through object-level API events
• Simplify root cause analysis and reduce to time to resolution using AWS CloudTrail events

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Config & AWS Config rules
• Continuously track resource configuration changes
• Evaluate the configuration against policies defined using AWS Config rules
• Receive alerts if the configuration is noncompliant with your policies using
Amazon SNS and Amazon CloudWatch Events
Changing resources AWS Config AWS Config Rules
History, snapshot
Notifications
API Access
Normalized

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Systems Manager
Resource Groups
Run Command
Inventory
Patch Manager
Automation
Parameter Store
State Manager
Maintenance Window
Session Manager
Distributor

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Take this home:
• Structured compliance and Governance!
• Provision, Configure, Monitor and Operate!
• While moving fast and at scale!

21. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Darko Meszaros
@darkosubotica

22. SUMMIT
Security @ De Persgroep:
I know what you did in your AWS account
Lars Veelaert
Security Engineer, De Persgroep
security@persgroep.net

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

24. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Why so many accounts?
- Account per squad
- Isolation is great (*)
- Less clutter
- Ownership improves
Why even more accounts?
- Account per application
- More isolation is greater
- Cost attribution by design
- Projects can be reassigned
easily

27. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

28. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
- Only expose 80 (HTTP) & 443 (HTTPS) outside of AWS
- Only SSH with key-based authentication is allowed
- Admins should have MFA
- Everything is restarted every 31 day & up-to-date at launch
- Keep default VPC SG’s empty
- Prevent the use of * in your policies
- CloudTrail has to be enabled in every region
- An anonymous user is only allowed S3 Read-access
“Fantastic risks & where to find them”

30. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
- Gathers AWS items with role in every account
- Checks it with our rules
- Attaches issues to item
- Security can mark issues as ‘justified’
Open-Source (by Netflix)
Multi Cloud (AWS, Github, Bitbucket, …)
Runs on EC2 + RDS ($50/month)

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

35. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

36. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

38. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T ~ Wall of Shame ~

40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

41. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Results: The Good, the Bad & the Ugly

43. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- Scale is a b*tch, automation is key
- Raise the lowest common bar
- Some risks are here to stay
- Visualize all, universal language
- Competition / shaming / joking works
- Nobody is perfect, let them know ;-)

44. Thank you!
SUMMIT
Lars Veelaert
@larsveelaert
lars.veelaert@persgroep.net

45. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.