© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark.
Compliance & Governance as code
DevopsDays Geneva 2020
Jérôme Van Der Linden, AWS Solutions Architect
Bashar Al-Fallouji, AWS Solutions Architect
Agenda
• Governance
• Norms & Processes
• Risk Management
• ITSM
• ITIL
• Compliance
• Assets
• CMDB
• Rules
• Remediation
• Regulations
• Dregulation
• ACRO
• NYME
• Buzzword
• ILoveChurros
• IfYouCanReadThis
• YouGotBetterEyesThanMe
• GreatAcronym
… as code
If only we had more time…
The professional adventures of Leon
Every BIG story has a humble beginning…
(Diagram) AWS Cloud: Amazon EC2, Amazon RDS MySQL, DNS, Storage (S3), Amazon EC2
Initial state
AWS Account(s) at Unicorn Rentals
• Frontend: Dev, Test, Staging, Prod
• Backend: Dev, Test, Staging, Prod
AWS Account as a Perimeter
• Security/resource boundary
• Service limits
• Billing separation
Why is one sometimes not enough?
AWS Account as a Perimeter
• Many teams
• Isolation
• Security controls
• Business process
• Billing
AWS Accounts at Unicorn Rentals (simplified): Frontend Dev, Backend, Analytics, AI/ML
Image Source: https://pixabay.com/fr/photos/bureau-personnes-accus%C3%A9-accusant-2539844/
Product Owner + Business Analyst:
"Can you open the service for yesterday?"
"It is not yet deployed, we don't have the permission to create an instance."
"We need to do pen tests before."
"I did not receive any ticket to do so…"
Governance
• Provision
• Operate
• Stability
• Security & Compliance
Agility
• Experiment
• Be productive
• Deliver faster
DevSecOps
Culture:
• Break down cultural barriers
• Work as one team
• Support business and IT agility
• Collaborate and communicate
Process:
• Assurance artifacts
• Security automation
• Test, measure, and monitor
Shared Responsibility in the Enterprise
Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Governance & Risk / Business
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
Enterprise Security
Security Operations / Compliance
• Lead change
• Audits & assurance
• Protection of workloads, shared services, interconnects
• MSB definition
• Cloud security operations
Product & Platform Teams
• MSB customization
• Application/Platform infrastructure
• Security development lifecycle
Enable Governance at Scale
• Set up a landing zone
• Establish guardrails
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
What is a landing zone?
• A configured, secure, scalable, multi-account AWS environment based on AWS best practices
• A starting point for net new development and experimentation
• A starting point for migrating applications
• An environment that allows for iteration and extension over time
AWS Organizations
Centrally govern and manage AWS accounts and resources
• Control access and permissions
• Share resources across accounts
• Manage and define your organization and accounts
• Audit, monitor, and secure your environment for compliance
• Centrally manage costs and billing
AWS Organizations
Concepts: Organization, Member account, Master account, Organizational unit (OU), Administrative root (of an Organization), Service control policy (SCP)
Example hierarchy: ROOT → OU (BU1), OU (BU2), OU (ADM)
What accounts should I create?
Core Accounts: AWS Organizations master account, Security, Shared Services, Network, Log Archive
Team/BU/Project/… Accounts: Dev, Pre-Prod, Prod, Team Shared Services
Developer Accounts: Developer Sandbox
Network path: Network account to the Data Center
• Orgs: Account management
• Log Archive: Logs centralization
• Security: Security tools, AWS Config rules
• Shared services: Directory, limit monitoring
• Network: Direct Connect
• Dev Sandbox: Experiments, Learning
• Dev: Development
• Pre-Prod: Staging
• Prod: Production
• Team SS: Team Shared Services, Data Lake
Baseline requirements for all accounts
• InfoSec's cross-account roles
• AWS account credential management ("Root Account")
• Federation
• Actions & conditions
• Map enterprise roles
• AWS CloudTrail enabled
AWS Control Tower
• Account management
• Guardrail enforcement
• Landing zone
Underlying building blocks shown: AWS Landing Zone, AWS Organizations
AWS Service Catalog
Allows organizations to create and manage catalogs of IT services and software on AWS. Users can quickly deploy approved IT services in a self-service manner.
• Administrators: Standardize, Control, Govern
• Users: Agility, Self-Service, Time to Market
AWS Service Catalog
Standardizes best practices. The Service Catalog admin publishes AWS products/services built from CloudFormation or Terraform templates, AWS Marketplace third-party products, or customer-created AWS-based solutions, with constraints:
• Security controls
• Parameter validation
• IAM assignment
• Tag enforcement
Enable Governance at Scale: Preventive Guardrails
Preventive Guardrails with Service Control Policies (SCPs)
• Let you control which AWS service APIs are accessible
• Define the list of APIs that are allowed: whitelisting (allow list)
• Define the list of APIs that must be blocked: blacklisting (deny list)
Inventory resources – the importance of Tags
• Operational support: resource management
• Cost & usage allocation: enable cost and usage reporting and alerting
• Automation: trigger automation events
• Control & compliance: attribute-based access control
Inventory resources – Build a Tagging strategy
• Define a tagging taxonomy (categories: Business, Technical, Security, Automation; e.g. Confidentiality, Opt-in/Opt-out)
• Publish a tagging dictionary
• Define the "rules of the game"
• Enforce rules
Example dictionary:
lob=[HR|Fin|…]
cost-center=[C2309|…]
owner=project-lead@comp.com
application=Titan
name=Titan-Backend-Database
env=[dev|test|prod]
version=2.0.1
confidentiality=[Confidential|…|Public]
Catch untagged resources with the Resource Groups Tag Editor
Automate: On-Create Tagging with CloudFormation
  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: '10.42.0.0/16'
      Tags:
        - Key: Name
          Value: '10.42.0.0/16'
        - Key: CostCenter
          Value: 'C3409'
        - Key: Environment
          Value: 'prod'
Enforce Tagging with Service Control Policies
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstanceWithNoCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    }
  ]
}
From: Hans Zummer <Hans.Zummer@unicorn-rentals.ch>
Date: Monday, 3 February 2018 at 11:00
To: "Leon" <leon@unicorn-rentals.ch>
Subject: SSH Access to our servers

I've been told by one of my security engineers that the VM daniela-0042 has SSH open to the world!
Can you tell me what happened?

Regards,
Hans
Head of Security
Capture and analyze activity with AWS CloudTrail
• Capture: record activity as CloudTrail events
• Store: retain event logs in a secure S3 bucket
• Act: trigger actions when important events are detected
• Review: analyze recent events and logs with Amazon Athena or CloudWatch Logs Insights
Investigate a resource configuration change with CloudTrail

Re: SSH Access to our servers
That's nice, but how can you DETECT IT FASTER and AVOID this HAPPENING AGAIN?
Enable Governance at Scale: Detective Guardrails
Configuration management (diagram: three "Rule" boxes)
Configuration management with AWS Config
• Continuous recording and continuous assessment service
• Tracks configuration changes to AWS resources
• Alerts you if the configuration is non-compliant with your policies
• Automated remediation of non-compliant resources
• Control and manage custom resources
Flow (diagram): changing resources → AWS Config (normalized configuration) → Config rules → Amazon SNS topic, CloudWatch Events, AWS Systems Manager Automation, AWS API endpoint
Detect non-compliance with AWS Config Rules
• Config Rules represent the ideal configuration settings
• Config Rules are triggered on each resource configuration change
• AWS provides more than 120 managed Rules
• Ex: Approved AMIs, Enforce Tags, EBS Volumes encrypted, RDS multi-AZ, CloudTrail enabled, MFA Enabled, S3 Public Read prohibited, …
• … and Restricted SSH
Remediate non-conformity with AWS Systems Manager Automation
• Automate common and repetitive IT operations and management tasks
• 60+ predefined "Documents" (or playbooks) describe actions to perform
• Ex: AttachIAMToInstance, CreateSnapshot, ResizeInstance, DisableS3BucketPublicReadWrite, …
• … and DisablePublicAccessForSecurityGroup
Enforce conformity with Config Rules and Systems Manager
Simplify compliance checks with AWS Security Hub
Compliance – Custom Rule Example (Custom Config Rules)
Rule.Lambda.001: "Any environment variable defined in a Lambda function must be encrypted using a Customer Master Key"
How to get started
• Control Tower: set up your multi-account AWS environment
  • https://aws.amazon.com/controltower/
• Define your tagging strategy and enforce it with policies
  • https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
  • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
  • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
• Enable Security Hub and CIS AWS Foundations compliance checks
  • https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html
• Enable AWS Config and set up Config Rules with auto-remediation
  • https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html
  • Quick start: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
  • Build your own: https://github.com/awslabs/aws-config-rules & https://github.com/awslabs/aws-config-rdk
Thank you !
http://bit.ly/2utnjM2

jeromevdl
 
Do more with less code in serverless
Do more with less code in serverlessDo more with less code in serverless
Do more with less code in serverless
jeromevdl
 
Do more with less code in a serverless world
Do more with less code in a serverless worldDo more with less code in a serverless world
Do more with less code in a serverless world
jeromevdl
 
Softshake 2017 - Développer un chatbot Alexa
Softshake 2017 - Développer un chatbot AlexaSoftshake 2017 - Développer un chatbot Alexa
Softshake 2017 - Développer un chatbot Alexa
jeromevdl
 
Chatbots buzzword ou nouvel eldorado
Chatbots   buzzword ou nouvel eldoradoChatbots   buzzword ou nouvel eldorado
Chatbots buzzword ou nouvel eldorado
jeromevdl
 
Management projet vs management produit
Management projet vs management produitManagement projet vs management produit
Management projet vs management produit
jeromevdl
 
Softshake - Offline applications
Softshake - Offline applicationsSoftshake - Offline applications
Softshake - Offline applications
jeromevdl
 
My Android is not an iPhone like any others (Mdevcon 2014)
My Android is not an iPhone like any others (Mdevcon 2014)My Android is not an iPhone like any others (Mdevcon 2014)
My Android is not an iPhone like any others (Mdevcon 2014)
jeromevdl
 
DroidconUK 2013 : Beef up android apps with java tools
DroidconUK 2013 : Beef up android apps with java toolsDroidconUK 2013 : Beef up android apps with java tools
DroidconUK 2013 : Beef up android apps with java tools
jeromevdl
 
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
jeromevdl
 
Devoxx France 2013 : Musclez vos apps android avec les outils du monde java
Devoxx France 2013 : Musclez vos apps android avec les outils du monde javaDevoxx France 2013 : Musclez vos apps android avec les outils du monde java
Devoxx France 2013 : Musclez vos apps android avec les outils du monde java
jeromevdl
 
Jug Lausanne Android Janvier2013
Jug Lausanne Android Janvier2013Jug Lausanne Android Janvier2013
Jug Lausanne Android Janvier2013
jeromevdl
 
Metroide
MetroideMetroide
Metroide
jeromevdl
 

More from jeromevdl (13)

Message-Driven Architecture on AWS
Message-Driven Architecture on AWSMessage-Driven Architecture on AWS
Message-Driven Architecture on AWS
 
Do more with less code in serverless
Do more with less code in serverlessDo more with less code in serverless
Do more with less code in serverless
 
Do more with less code in a serverless world
Do more with less code in a serverless worldDo more with less code in a serverless world
Do more with less code in a serverless world
 
Softshake 2017 - Développer un chatbot Alexa
Softshake 2017 - Développer un chatbot AlexaSoftshake 2017 - Développer un chatbot Alexa
Softshake 2017 - Développer un chatbot Alexa
 
Chatbots buzzword ou nouvel eldorado
Chatbots   buzzword ou nouvel eldoradoChatbots   buzzword ou nouvel eldorado
Chatbots buzzword ou nouvel eldorado
 
Management projet vs management produit
Management projet vs management produitManagement projet vs management produit
Management projet vs management produit
 
Softshake - Offline applications
Softshake - Offline applicationsSoftshake - Offline applications
Softshake - Offline applications
 
My Android is not an iPhone like any others (Mdevcon 2014)
My Android is not an iPhone like any others (Mdevcon 2014)My Android is not an iPhone like any others (Mdevcon 2014)
My Android is not an iPhone like any others (Mdevcon 2014)
 
DroidconUK 2013 : Beef up android apps with java tools
DroidconUK 2013 : Beef up android apps with java toolsDroidconUK 2013 : Beef up android apps with java tools
DroidconUK 2013 : Beef up android apps with java tools
 
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
 
Devoxx France 2013 : Musclez vos apps android avec les outils du monde java
Devoxx France 2013 : Musclez vos apps android avec les outils du monde javaDevoxx France 2013 : Musclez vos apps android avec les outils du monde java
Devoxx France 2013 : Musclez vos apps android avec les outils du monde java
 
Jug Lausanne Android Janvier2013
Jug Lausanne Android Janvier2013Jug Lausanne Android Janvier2013
Jug Lausanne Android Janvier2013
 
Metroide
MetroideMetroide
Metroide
 

Recently uploaded

Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
flufftailshop
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
HarisZaheer8
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 

Recently uploaded (20)

Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 

DevopsDays Geneva 2020 - Compliance & Governance as Code

  • 1. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark. Compliance & Governance as code - DevopsDays Geneva 2020. Jérôme Van Der Linden, AWS Solutions Architect; Bashar Al-Fallouji, AWS Solutions Architect.
  • 2. Agenda (word cloud): Governance • Norms & Processes • Risk Management • ITSM • ITIL • Compliance • Assets • CMDB • Rules • Remediation • Regulations … as code. Filler words hidden in the cloud: Dregulation, ACRO NYME, Buzzword, ILoveChurros, IfYouCanReadThis, YouGotBetterEyesThanMe, GreatAcronym.
  • 3. If only we had more time…
  • 4. The professional adventures of Leon
  • 5.
  • 6. Every BIG story has a humble beginning…
  • 7. Every BIG story has a humble beginning… (diagram: AWS Cloud with Amazon EC2, Amazon EC2, Amazon RDS MySQL, DNS, Storage (S3))
  • 8. Initial state
  • 9. AWS Account(s) at Unicorn Rentals: Frontend (Dev, Test, Staging, Prod), Backend (Dev, Test, Staging, Prod)
  • 10. AWS Account as a Perimeter: Security/Resource Boundary, Service Limits, Billing Separation
  • 11.
  • 12. Why is one sometimes not enough? AWS Account as a Perimeter: Many Teams, Isolation, Security Controls, Business Process, Billing
  • 13. AWS Accounts at Unicorn Rentals (simplified): Frontend, Dev, Backend, Analytics, AI/ML
  • 14. Image Source: https://pixabay.com/fr/photos/bureau-personnes-accus%C3%A9-accusant-2539844/
    Product Owner + Business Analyst: “Can you open the service for yesterday?”
    “It is not yet deployed, we don’t have the permission to create an instance.”
    “We need to do pen tests before.”
    “I did not receive any ticket to do so…”
  • 15. Governance (Provision, Operate, Stability, Security & Compliance) versus Agility (Experiment, Be productive, Deliver faster)
  • 16. DevSecOps
    • Culture: Break down cultural barriers • Work as one team • Support business and IT agility • Collaborate and communicate
    • Process: Assurance artifacts • Security Automation • Test, measure, and monitor
  • 17. Enterprise Security: Shared Responsibility in the Enterprise
    • Foundation Services: Compute, Storage, Database, Networking. AWS Global Infrastructure: Regions, Availability Zones, Edge Locations.
    • Governance & Risk / Business: Culture of security and continual improvement • Ongoing audits and assurance • Protection of large-scale service endpoints
    • Security Operations / Compliance: Lead change • Audits & assurance • Protection of workloads, shared services, interconnects • MSB definition • Cloud security operations
    • Product & Platform Teams: MSB customization • Application/Platform infrastructure • Security development lifecycle
  • 18. Enable Governance at Scale: Set up a landing zone • Establish guardrails • Automate compliant account provisioning • Centralize identity and access • Manage continuously
  • 19. Enable Governance at Scale: Set up a landing zone • Establish guardrails • Automate compliant account provisioning • Centralize identity and access • Manage continuously
  • 20.
  • 21. What is a landing zone?
    • A configured, secure, scalable, multi-account AWS environment based on AWS best practices
    • A starting point for net new development and experimentation
    • A starting point for migrating applications
    • An environment that allows for iteration and extension over time
  • 22. AWS Organizations: Centrally govern and manage AWS accounts and resources. Control access and permissions • Share resources across accounts • Manage and define your organization and accounts • Audit, monitor, and secure your environment for compliance • Centrally manage costs and billing
  • 23. AWS Organizations concepts: Organization • Master account • Member account • Organizational unit (OU) • Administrative root (of an Organization) • Service control policy (SCP). Example tree: ROOT with OU (BU1), OU (BU2), OU (ADM).
  • 24. What accounts should I create?
    • Core Accounts: AWS Organizations Master Account • Security • Shared Services • Network • Log Archive
    • Team/BU/Project/… Accounts: Dev • Pre-Prod • Prod • Team Shared Services
    • Developer Accounts: Developer Sandbox. Network path to the Data Center.
    • Orgs: Account management. Log Archive: Logs centralization. Security: Security tools, AWS Config rules. Shared services: Directory, limit monitoring. Network: Direct Connect. Dev Sandbox: Experiments, Learning. Dev: Development. Pre-Prod: Staging. Prod: Production. Team SS: Team Shared Services, Data Lake.
  • 25. Baseline requirements for all accounts: InfoSec’s Cross-Account Roles • AWS Account Credential Management (“Root Account”) • Federation • Actions & Conditions • Map Enterprise Roles • AWS CloudTrail Enabled
  • 26.
  • 27. AWS Control Tower (Account Management, Guardrail Enforcement, Landing Zone), layered over AWS Landing Zone and AWS Organizations
  • 28. Enable Governance at Scale: Set up a landing zone • Centralize identity and access • Manage continuously • Automate compliant account provisioning • Establish guardrails
  • 29. AWS Service Catalog. Administrators: Standardize, Control, Govern. Users: Agility, Self-Service, Time to Market. Allows organizations to create and manage catalogs of IT services and software on AWS; users can quickly deploy approved IT services in a self-service manner.
  • 30. AWS Service Catalog standardizes best practices: ✓ Constraints ✓ Security controls ✓ Parameter validation ✓ IAM assignment ✓ Tag enforcement. Products are defined with CloudFormation or Terraform: AWS Product/Service, AWS Marketplace third-party products, Customer-Created AWS-Based Solution; managed by the AWS Service Catalog Admin.
  • 31.
  • 32. Enable Governance at Scale: Preventive Guardrails. Set up a landing zone • Automate compliant account provisioning • Centralize identity and access • Manage continuously • Establish guardrails
  • 33. Preventive Guardrails with Service Control Policies (SCPs)
    • Let you control which AWS service APIs are accessible
    • Define the list of APIs that are allowed (whitelisting)
    • Define the list of APIs that must be blocked (blacklisting)
  • 34.
  • 35. Inventory resources: the importance of Tags
    • Operational support
    • Resource management
    • Cost & Usage allocation: enable cost and usage reporting and alerting
    • Automation: trigger automation events
    • Control & compliance: attribute based access control
  • 36. Inventory resources: build a Tagging strategy. Define a tagging taxonomy • Publish a tagging dictionary • Define the “rules of the game” • Enforce rules.
    Example dictionary (Business, Technical, Security, Automation): lob=[HR|Fin|…], cost-center=[C2309|…], owner=project-lead@comp.com, application=Titan, name=Titan-Backend-Database, env=[dev|test|prod], version=2.0.1, confidentiality=[Confidential|…|Public], Opt-in/Opt-out
  • 37. Catch up untagged resources with Resource Groups Editor
  • 38.
  • 39. Automate: On-Create Tagging with CloudFormation

```yaml
VPC:
  Type: 'AWS::EC2::VPC'
  Properties:
    CidrBlock: '10.42.0.0/16'
    Tags:
      - Key: Name
        Value: '10.42.0.0/16'
      - Key: CostCenter
        Value: 'C3409'
      - Key: Environment
        Value: 'prod'
```

  • 40. Enforce Tagging with Service Control Policies

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstanceWithNoCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*"],
      "Condition": {
        "Null": {"aws:RequestTag/CostCenter": "true"}
      }
    }
  ]
}
```

  • 41. From: Hans Zummer <Hans.Zummer@unicorn-rentals.ch>
    Date: Monday, 3 February 2018 at 11:00
    To: “Leon” <leon@unicorn-rentals.ch>
    Subject: SSH Access to our servers
    I’ve been told by one of my security engineers that the VM daniela-0042 has SSH open to the world! Can you tell me what happened?
    Regards, Hans, Head of Security
  • 42. Capture and analyze activity with AWS CloudTrail
    • Capture: record activity as CloudTrail events
    • Store: retain event logs in a secure S3 bucket
    • Review: analyze recent events and logs with Amazon Athena or CloudWatch Logs Insights
    • Act: trigger actions when important events are detected
  • 43. Investigate a resource configuration change with CloudTrail
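The CloudTrail review of slides 42-43, applied to Hans's SSH incident, as an added example that is not part of the deck: the detector below scans CloudTrail records for AuthorizeSecurityGroupIngress calls that admit 22/tcp (or all traffic) from 0.0.0.0/0 or ::/0. The records are constructed in CloudTrail's JSON shape; the account id, security group ids and IP addresses are placeholders.

```python
"""Detect CloudTrail events that open SSH (22/tcp) to the world.

Added example, not the deck's code. The records below are constructed in
CloudTrail's record format (lists wrapped in 'items'); the account id,
security group ids and IP addresses are placeholders.
"""
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "open to the world" ranges
SSH_PORT = 22


def _cidrs(perm: dict) -> set:
    """All CIDRs (v4 and v6) granted by one ipPermissions entry."""
    v4 = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
    v6 = {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])}
    return {c for c in v4 | v6 if c}


def _covers_ssh(perm: dict) -> bool:
    """True if the rule admits 22/tcp: explicit port range or all traffic (-1)."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":                 # all protocols; CloudTrail omits the ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("fromPort", 0) <= SSH_PORT <= perm.get("toPort", 65535)


def find_open_ssh_ingress(records: list) -> list:
    """Return one finding per ingress rule that exposes SSH to ANYWHERE.

    Failed calls (errorCode set, e.g. an access-denied error) changed nothing
    and are skipped; they belong to a separate 'attempted' alert, not this one.
    """
    findings = []
    for rec in records:
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress" or rec.get("errorCode"):
            continue
        params = rec.get("requestParameters") or {}
        for perm in params.get("ipPermissions", {}).get("items", []):
            exposed = _cidrs(perm) & ANYWHERE
            if exposed and _covers_ssh(perm):
                findings.append({
                    "eventTime": rec.get("eventTime"),
                    "groupId": params.get("groupId"),
                    "principal": (rec.get("userIdentity") or {}).get("arn"),
                    "sourceIPAddress": rec.get("sourceIPAddress"),
                    "cidrs": sorted(exposed),
                })
    return findings


def _record(name, group, perms, error=None):
    """Build a constructed CloudTrail record (only the fields the detector reads)."""
    rec = {
        "eventVersion": "1.05", "eventTime": "2018-02-02T17:42:11Z",
        "eventSource": "ec2.amazonaws.com", "eventName": name,
        "sourceIPAddress": "203.0.113.10",                                  # documentation range
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leon"},    # placeholder account
        "requestParameters": {"groupId": group, "ipPermissions": {"items": perms}},
    }
    if error:
        rec["errorCode"] = error
    return rec


def _perm(proto, from_port=None, to_port=None, v4=(), v6=()):
    """One ipPermissions entry in CloudTrail's nested 'items' layout."""
    perm = {"ipProtocol": proto,
            "ipRanges": {"items": [{"cidrIp": c} for c in v4]},
            "ipv6Ranges": {"items": [{"cidrIpv6": c} for c in v6]}}
    if from_port is not None:
        perm["fromPort"], perm["toPort"] = from_port, to_port
    return perm


# Constructed trail file in the {"Records": [...]} envelope CloudTrail writes to S3.
SAMPLE_TRAIL = {"Records": [
    _record("AuthorizeSecurityGroupIngress", "sg-0aaa0001", [_perm("tcp", 22, 22, v4=["0.0.0.0/0"])]),
    _record("AuthorizeSecurityGroupIngress", "sg-0aaa0002", [_perm("tcp", 443, 443, v4=["0.0.0.0/0"])]),
    _record("AuthorizeSecurityGroupIngress", "sg-0aaa0003", [_perm("tcp", 22, 22, v4=["10.0.0.0/8"])]),
    _record("AuthorizeSecurityGroupIngress", "sg-0aaa0004", [_perm("-1", v6=["::/0"])]),
    _record("AuthorizeSecurityGroupIngress", "sg-0aaa0005", [_perm("tcp", 22, 22, v4=["0.0.0.0/0"])],
            error="Client.UnauthorizedOperation"),
    _record("RevokeSecurityGroupIngress", "sg-0aaa0001", [_perm("tcp", 22, 22, v4=["0.0.0.0/0"])]),
]}

if __name__ == "__main__":
    for finding in find_open_ssh_ingress(SAMPLE_TRAIL["Records"]):
        print(json.dumps(finding))
```

Only the first and fourth records are reported: HTTPS to the world, SSH from a private range, the denied call and the revoke are all ignored.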
  • 44. Re: SSH Access to our servers. “That’s nice, but how can you DETECT IT FASTER and AVOID this HAPPENING AGAIN?”
  • 45. Enable Governance at Scale: Detective Guardrails. Set up a landing zone • Automate compliant account provisioning • Centralize identity and access • Manage continuously • Establish guardrails
  • 46. Configuration management (diagram: Rule, Rule, Rule)
  • 47. Configuration management with AWS Config
    • Continuous recording and continuous assessment service
    • Tracks configuration changes to AWS resources
    • Alerts you if the configuration is non-compliant with your policies
    • Automated remediation of non-compliant resources
    • Control and manage custom resources
    Diagram: changing resources → AWS Config (normalized) → Config rules → Amazon SNS Topic, CloudWatch Events, AWS Systems Manager Automation, AWS API Endpoint
  • 48. Detect non-compliance with AWS Config Rules
    • Config Rules represent the ideal configuration settings
    • Config Rules are triggered on each resource configuration change
    • AWS provides more than 120 managed Rules
    • Ex: Approved AMIs, Enforce Tags, EBS Volumes encrypted, RDS multi-AZ, CloudTrail enabled, MFA Enabled, S3 Public Read prohibited, … and Restricted SSH
  • 49. Remediate non-conformity with AWS Systems Manager Automation
    • Automate common and repetitive IT operations and management tasks
    • 60+ predefined “Documents” (or Playbooks) describe actions to perform
    • Ex: AttachIAMToInstance, CreateSnapshot, ResizeInstance, DisableS3BucketPublicReadWrite… and DisablePublicAccessForSecurityGroup
  • 50. Enforce conformity with Config Rules and Systems Manager
  • 51. Simplify compliance check with AWS Security Hub
  • 52. Compliance - Custom Rule Example. Rule.Lambda.001: “Any environment variable defined in a Lambda function must be encrypted using a Customer Master Key”
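Rule.Lambda.001 written as a custom AWS Config rule, added here as an example (not the deck's own code; the slides that followed slide 52 are not in the transcript). The evaluation is kept separate from the PutEvaluations call so it can be checked offline against the constructed configuration item below. Assumptions: AWS Config records the function configuration for AWS::Lambda::Function with `environment.variables` and `kmsKeyArn` fields, and "encrypted using a Customer Master Key" means a customer-managed KMS key is configured (without one, Lambda still encrypts variables at rest, but with the AWS-managed default key). The function name `titan-backend-api` and the key ARN are placeholders.

```python
"""Custom AWS Config rule Rule.Lambda.001: a Lambda function that defines
environment variables must encrypt them with a customer master key (CMK).

Added example, not the deck's code. Assumes the configuration item carries
the function configuration as AWS Config records it for
AWS::Lambda::Function ('environment.variables', 'kmsKeyArn').
"""
import json

DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_compliance(item: dict) -> tuple:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::Lambda::Function":
        return "NOT_APPLICABLE", "rule only evaluates Lambda functions"
    if item.get("configurationItemStatus") in DELETED:
        return "NOT_APPLICABLE", "function deleted"
    config = item.get("configuration") or {}
    variables = (config.get("environment") or {}).get("variables") or {}
    if not variables:
        return "COMPLIANT", "no environment variables defined"
    kms_key_arn = config.get("kmsKeyArn")
    if not kms_key_arn:
        # Without a CMK, Lambda still encrypts at rest but with the AWS-managed default key.
        return ("NON_COMPLIANT",
                f"{len(variables)} environment variable(s) not encrypted with a customer master key")
    return "COMPLIANT", f"environment encrypted with {kms_key_arn}"


def build_evaluation(event: dict) -> dict:
    """Turn a Config custom-rule invocation into one PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])   # Config passes this as a JSON string
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],              # PutEvaluations caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed as the rule's Lambda function."""
    import boto3   # imported here so the evaluation logic above can be tested offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_event(kms_key_arn=None, variables=None) -> dict:
    """Constructed Config invocation for a placeholder function 'titan-backend-api'."""
    if variables is None:
        variables = {"DB_HOST": "db.internal", "DB_PASSWORD": "<placeholder>"}
    item = {
        "resourceType": "AWS::Lambda::Function",
        "resourceId": "titan-backend-api",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2020-02-21T09:15:00.000Z",
        "configuration": {
            "functionName": "titan-backend-api",
            "environment": {"variables": variables},
            "kmsKeyArn": kms_key_arn,
        },
    }
    return {"resultToken": "TESTMODE",
            "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": item})}


if __name__ == "__main__":
    print(build_evaluation(sample_event()))                                                   # NON_COMPLIANT
    print(build_evaluation(sample_event("arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER")))  # COMPLIANT
```

The handler is the only part that needs AWS credentials; the same `evaluate_compliance` runs unchanged whether the rule is triggered by a configuration change or by a periodic evaluation of recorded items.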
  • 56.
  • 57. How to get started
    • Control Tower: set up your multi-account AWS environment
    • https://aws.amazon.com/controltower/
  • 58. How to get started
    • Define your Tagging Strategy and enforce it with policies
    • https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
    • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
    • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
  • 59. How to get started
    • Enable Security Hub and CIS AWS Foundations Compliance Checks
    • https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html
  • 60. How to get started
    • Enable AWS Config and set up Config Rules with Auto-Remediations
    • https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html
    • Quick start: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
    • Build your own: https://github.com/awslabs/aws-config-rules & https://github.com/awslabs/aws-config-rdk
  • 61.
  • 62. Thank you! http://bit.ly/2utnjM2