Enabling Governance, Compliance, and Operational and Risk Auditing with AWS Management Tools - ENT323 - re:Invent 2017

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Enabling Governance, Compliance, and
Operational and Risk Auditing Using AWS
Management Tools
E N T 3 2 3
N o v e m b e r 3 0 , 2 0 1 7
S i d G u p t a , C I S S P
S r . P r o d u c t M a n a g e r , A W S C o n f i g
AWS re:Invent

What to expect from the session
• Overview of governance and compliance
• The challenge
• Introduction to AWS Management Tools
• Governance and Compliance Use Cases
• Q&A

What is governance and compliance?
Governance is the oversight role and the process by which
companies manage and mitigate business risks
Compliance ensures that an organization has the process and
internal controls to meet the requirements imposed by the
governance body

Steps to implement governance
To effectively use IT in enabling an organization to achieve its governance
and compliance goals, you need to:
• Define—what IT is supposed to do
• Discover—what IT resources exist
• Monitor—what IT is doing
• Respond—to “changes to” and “non-compliance of” IT resources

The challenge
- Define
- Discover
- Monitor
- Manage
- Report
- Respond
- Agility
- Innovation
Governance
Developmentspeed

AWS enables you to do both
- Define
- Discover
- Monitor
- Manage
- Report
- Respond
- Agility
- Innovation
Governance
Developmentspeed
With AWS you can programmatically:
• Define provisioning and configuration of
resources
• Continuously discover new resources and
changes to existing resources
• Monitor resources and operations for
compliance
• Manage, report on, and respond to
changes to your resources

Define provisioning of resources
v AWS CloudFormation
v AWS Service Catalog
Discover and gain visibility
v AWS CloudTrail
v AWS Config, Config Rules
Manage EC2 instances
v Amazon EC2 Systems Manager
Monitor, report, and respond to changes
v Amazon CloudWatch
Introducing AWS Management Tools

Governance Use Case
• How do I ensure that
my developers
provision AWS
resources in an orderly
and predictable
fashion?

AWS CloudFormation
AWS CloudFormation is a service that provides a common language for you to
describe and provision all your infrastructure resources for your cloud environment.
Template AWS CloudFormation Stack
JSON formatted file
Parameter definition
Resource creation
Configuration actions
Configured AWS services
Comprehensive service support
Service event aware
Customizable
Framework
Stack creation
Stack updates
Error detection and rollback

Additional governance during provisioning
• How do I enable self-service for my business units so that they
can quickly deploy approved IT services?
• How do I make sure that every resource that gets provisioned is
tagged with a cost-center?
• How do I control the size of the resources being provisioned by
employees in my enterprise?

AWS Service Catalog
• AWS Service Catalog allows organizations to create and manage catalogs
of IT services.
• Built on AWS CloudFormation, it enables users to quickly deploy the
approved IT services they need in a self-service manner without access to
the underlying services in AWS.
Organizations Developers
Control
Standardization
Governance
Agility
Self-service
Time to market

AWS Service Catalog demo
• WordPress site with launch constraints

v AWS CloudTrail

AWS CloudTrail
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by recording
activity that occurred
• Simplify your compliance audits by automatically recording and storing
activity logs

Examples:
• Gain visibility into root credential use
• Detect access to sensitive data from unauthorized networks or IP
addresses
• Troubleshoot misconfigured permissions for applications
AWS CloudTrail common use cases

• Continuous Recording & Continuous Assessment service
• Tracks configuration changes to AWS resources
• Alerts you if the configuration is non-compliant with your policies
AWS Config & Config Rules
Changing resources
AWS Config
Config Rules
History, Snapshot
Notifications
API Access
Normalized

Governance Use Case
• How do I identify S3 buckets that are publicly readable and
writeable?

AWS CloudTrail and AWS Config demo
• Using AWS CloudFormation StackSets, provision a Config Rule
across multiple accounts and regions
• Using the Config Rule, identify the S3 buckets that are world
writeable
• Use AWS CloudTrail to view the API events

Governance Use Case
• Does my AWS environment comply with best practices (e.g. CIS
AWS benchmark)?

v AWS CloudTrail
v EC2 Systems Manager

Governance Use Case
• How do I audit which applications are installed on my EC2
instances?
• How do I ensure that certain blacklisted applications are not
installed on my EC2 instances?

EC2 Systems Manager:
Inventory & State Manager
Inventory—Provides visibility into the software catalog and
configuration for your Amazon EC2 instances and on-premises
servers
State Manager—Define and maintain consistent configuration
of operating systems and applications running in your data
center or in AWS

Amazon EC2 Systems Manager:
State Manager and Inventory demo
• Use State Manager to schedule inventory collection every 30 minutes,
update SSM agent once a week
• Set up a Config Rule to detect FTP software installed on our instances

Governance Use Case
• How do I centrally manage secret keys, DB connection
strings?
• How do I manage my Windows AMIs centrally, and make it
easier for my developers to get the latest Windows AMI?

Parameter Store
• Critical information stored securely within your environment
• Integrates with AWS Identity and Access Management (IAM), AWS KMS,
AWS CloudTrail and AWS CloudFormation
• Re-use across your AWS configuration and automation workflows
• Reference parameters from:
• Other Amazon EC2 Systems Manager capabilities (Run Command,
Automation, State Manager, etc.)
• Other AWS services (Amazon ECS, AWS Lambda, etc.)
Centralized store to manage your configuration data, including plain-
text data or secrets, encrypted through AWS Key Management
Service (AWS KMS)

Parameter Store demo
• Let’s retrieve the latest Windows AMI from parameter store
and use it in a AWS CloudFormation template

Governance Use Case
• How do I view the security patches installed on my EC2
instances?
• How can I execute commands across all EC2 instances
without requiring my engineers to SSH into the instance?

EC2 Systems Manager: Patch Manager
Patch Manager—Automated tool that helps you simplify your
Windows and Linux operating system patching process

EC2 Systems Manager: Run Command
Remotely and securely manage servers or virtual
machines at scale running in your data center or in
AWS
• Use Document to execute a script or just run a command
• Execute commands across multiple instances simultaneously
• Support for AWS and on-premises infrastructure
• Rate Control and Error Control
• AWS native

Patch Manager and Run Command demo
• Check the patch baseline of our Linux development environment
• Use the Run command to update a Java application on all of our Linux
instances

v AWS CloudTrail
v AWS Config
v EC2 Systems Manager
v CloudWatch

Log and respond to changes with
Amazon CloudWatch
• CloudWatch Events delivers a near real-time stream of system
events
• Create rules to match events and route them to one or more target
functions or streams

Governance Use Case
• How do I ensure that services like AWS CloudTrail and AWS
Config are not accidentally disabled?

v AWS CloudTrail
v EC2 Systems Manager : Inventory, State Manager, Parameter Store, Run
Command, Patch Manager
v CloudWatch
Summary: AWS Management Tools

Customers who use AWS Management Tools

Thank you!

Enabling Governance, Compliance, and Operational and Risk Auditing with AWS Management Tools - ENT323 - re:Invent 2017

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Enabling Governance, Compliance, and Operational and Risk Auditing with AWS Management Tools - ENT323 - re:Invent 2017

Similar to Enabling Governance, Compliance, and Operational and Risk Auditing with AWS Management Tools - ENT323 - re:Invent 2017 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Enabling Governance, Compliance, and Operational and Risk Auditing with AWS Management Tools - ENT323 - re:Invent 2017