Governance at Scale

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Greg Share, Solutions Architect
April 12th, 2018
Governance @ Scale
Compliance Automation at AWS

Common governance questions
• How do I determine the current state of all cloud users and their
access rights across the enterprise?
• How do I ensure adherence to IT budgets in a pay-per-use model
• How do I ensure deployments and operations are compliant with
relevant legal, regulatory, and/or contractual policies?
• How do I ensure security posture is enforced across accounts and
workloads?
• WITHOUT REDUCING THE AGILITY OF THE CLOUD

Typical enterprise AWS adoption
• In highly federated organizations,
AWS adoption flows from the
bottom up
• In parallel, central IT often begins
mirroring the on-premises
architecture in AWS
• Governance approach should:
• Meet organizational requirements
• Scale
• Allow direct use of approved AWS
services and APIs
Top down
adoption
Bottom up
adoption

Tradeoffs in AWS adoption approaches
Minimally encumbered AWS accounts
• Complete power of the AWS platform;
every feature available immediately
• Requires the building or buying a
solution that can manage many AWS
accounts
• Account provisioning and budget
enforcement @scale can be automated
• Uniform security controls and
operations
Service catalog/cloud broker approach
• Prescribes limited access to the AWS
platform based on catalog templates
or via middleware
• Suitable for meeting common
requirements of less-technical internal
users
• Doesn’t allow developers to access
cloud APIs
• Doesn’t provide enough value or
flexibility in large enterprises

What’s your challenge as AWS adoption grows?
Amazon
S3
Project 1 AWS Account
Amazon
EC2
Amazon
S3
Amazon
EC2
Amazon
RDS
Stage 1
Specific Systems
Limited Accounts
Minimal Services
Stage 2
Numerous Systems
Multiple Accounts
Many Services
Amazon
S3
Amazon
EC2
Amazon
VPC
Amazon
S3
Amazon
EC2
Amazon
VPC
Amazon
EMR
Amazon
Kinesis
Amazon
Redshift
Amazon
S3
Project 4 AWS
Account
Amazon
EC2
Project 5 AWS
Account
Amazon API
Gateway
Amazon
SQS
Amazon
WorkSpaces
Amazon
ECS
AWS
Lambda
AWS Elastic
BeanstalkAmazon
S3
Amazon
S3
Project 6 AWS
Account
Amazon
EC2
Amazon
EMR
Amazon
Kinesis
Amazon
VPC

Governance is not a “one size fits all”
Higher-impact workloads are
more likely to be managed by
central or departmental IT
groups and will have more
security controls.
Lower-impact workloads still
have basic security controls,
but can be issued freely to
end users for test,
development, or low impact
research and production
workloads.Low High
High
Low
Availability
Confidentiality

Three principles of governance@scale
Account management
• Standardize and streamline provisioning, maintenance, and access control
policies for many AWS accounts and workloads
Cost enforcement
• Ensure AWS accounts and workloads do not exceed budget
Compliance automation
• Provide continuous monitoring, configuration management, and enforce
security controls

So…what does this look like?
Projects
Management
Upper Management
Senior Leadership
Executive CXO
VP
Director
Manager Manager
Director
Manager
VP
Director
Manager Manager
Project 1
Project 2
Project 3 Project 5 Project 6
Project 7
Project 8
$
$
$ $$
$
$
$ $ $
$
$$
$
$
$
$
$

How you get this security visibility
Projects
Data Analyst
Management
Senior Leadership
Executive CXO
VP
Director
Analyst Analyst
Director
Analyst
VP
Director
Analyst Analyst
Project 1
Project 2
Project 7
Project 8
P1:
P2:
P3:
P5:
P6:
P7:
P8:
25%:
0%:
75%:
0%:
35%:
65%:

Account management @scale
• Use a consolidated admin AWS account
• AWS Identity & Access Management (IAM) users live in this account
• IAM users assume roles to access other AWS accounts
• Enforce MFA for role assumption
• Automate AWS account provisioning
• Eliminate slow, error-prone manual provisioning
• Ensure AWS accounts are actively managed
• Incentivizes users from using other methods (personal, school, etc.) for AWS
experimentation.
• Implement “single sign-on” through federation
• Use enterprise accelerators as a starting point
• Policy assignment to IAM users/groups/roles
• Consolidated admin baseline
• Target account baseline

Consolidated Admin
AWS Account
IAM users
users stack security
baseline
stack
Automate provisioning of target accounts
Target AWS Account
admin
role
billing
role
read
only role
baseline
stack
Target AWS Account
admin
role
billing
role
read
only role
baseline
stack
Target AWS Account
admin
role
billing
role
read
only role
baseline
stack

Key configuration points to baseline accounts
AWS CloudFormation
Leverage Enterprise Accelerator Compliance “Quick Starts”
Amazon
CloudWatch
AWS Config
Config Rules
AWS CloudTrail
CloudWatch
Events
Manual configuration
Root MFA
Alternate contacts
IAM
Managed
Policies
Roles
Security questions
Amazon
VPC
VPC peering
Flow logs

Cost enforcement @scale
• Use automation to map AWS accounts to org. structure
• Aligns with current budget process and cost alignments
• Use automation for cost management/enforcement
• Actual spend vs. budget projections decision makers.
• Allow management to increase budgets
• Turn off resources to preserve budget
• Use dynamic IAM policies to throttle usage when budget thresholds
are met
• Provide near-real time budget projections so
stakeholders are aware of current AWS spend

Cost enforcement @scale
Projects
Management
Upper Management
Senior Leadership
Executive CXO
VP
Director
Manager Manager
Director
Manager
VP
Director
Manager Manager
Project 1
Project 2
Project 7
Project 8
$
$
$ $$
$
$
$$$$$
$$$$$
$ $ $$$$
$$$$$$ $$$$
$$$$$ $$$$

Cost enforcement @scale: metering
No alerts, no charge.
Smart agent won’t alert or charge when
instances are turned off to save money.
Seamlessly get logs and continue providing
protection when instances are turned back on.
OFF
ON

Compliance automation @scale
• Pre-approve standard security configurations to decrease RMF
efforts up to 50% and achieve faster ATOs (days vs. months/years)
• Automate deployment of accounts consistent with security policies
(NIST/HIPAA)
• Installing instance level account and security tools via Security Tools
• Pre-populate GRC tools with inherited and system specific controls
(ex Telos Xacta)
• Perform continuous monitoring with GRC tools and alert security
staff of configuration drift and/or vulnerabilities
• Send all AWS account log files to centralized data lake for security
analysis

Projects
Management
Upper Management
Senior Leadership
Executive CXO
VP
Director
Manager Manager
Director
Manager
VP
Director
Manager Manager
Project 1
Project 2
Project 7
Project 8
Compliance automation @scale

Security automation @ scale
Recommendation scan: Policy tailored to governance and workload
Deployed with repeatable generic code

Implement policies dynamically at runtime based on
workload tags.
Security automation @scale

Where do I go from here?
• Build or buy a governance@scale solution that can grow with you.
• Professional Services can help facilitate the design and help
you build a solution based on your requirements.
• Partner Solutions are available (CloudTamer by Stratus
Solutions )
• Incorporate and automate security and operations management
tools into infrastructure provisioning
• If you can’t automate third-party products with AWS, then they aren’t
built for AWS
• Security needs to have parity for enabling visibility for this
governance model

Thank You
Greg Share, gshare@amazon.co.uk

Governance at Scale

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Governance at Scale

Similar to Governance at Scale (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Governance at Scale