© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How Chick-fil-A Embraces DevSecOps on AWS
Andrew Baird, Solutions Architect, AWS
Robert Davis, Security Architect, Chick-fil-A
SID306
November 29, 2017
Agenda
• Introduction
• Bold Statements
• Tools to Start With
• Services to Start With
• The Chick-fil-A DevSecOps Story
Introduction to DevSecOps (in one slide)
DEV + SEC + OPS
DEV
• Develop software
• Follow same processes and standards as application development
  • Tools
  • Quality
  • Change management
SEC
• The software developed is explicitly focused on security
  • Threats
  • Policies
  • Identity and Access Control
  • And more
OPS
• The security-focused software developed runs as a part of ongoing operations for your applications/organization
  • Automated
  • Embedded in process
  • Always-on
  • An extension of your team
Bold Statements
Bold(ish) Statement
Your team must write code in order to be practicing DevSecOps
Bold(er) Statement
If your application teams are practicing DevOps or embracing
automation on AWS and you are not practicing DevSecOps, your
security policies are a bottleneck
Bold(est) Statement
If your applications run on AWS and you’re not practicing
DevSecOps, your security bar is not high enough
Where Should You Start?
Taking the First Step
Choose a higher level programming language to standardize on
Factors to consider:
• Skills already existing on your team
• Interpreted as opposed to compiled (Hint: choose an interpreted language for DevSecOps)
• Available SDKs/tools (especially the AWS SDK)
Prescription (not the only choice):
Python – https://aws.amazon.com/sdk-for-python/
Reach for Low-Hanging Fruit First
Code with: Python SDK (boto3), AWS CLI, AWS API
Build with: AWS Lambda
Focus on: Amazon CloudWatch, Amazon EC2 Systems Manager, AWS Config, AWS CloudTrail, AWS Identity and Access Management, S3 Bucket Policies, Security Groups, Amazon VPC, AWS CloudFormation
It’s Dangerous to Go Alone… Take These
• AWS CIS Foundation Benchmark:
  • https://github.com/awslabs/aws-security-benchmark
• Cloud Custodian (OSS from Capital One):
  • https://github.com/capitalone/cloud-custodian
• AWS Config Rules Repository:
  • https://github.com/awslabs/aws-config-rules
• AWS Security Blog:
  • https://aws.amazon.com/blogs/security/
Security Journey to AWS
Chick-fil-A
AWS Security Strategy
• Multi-account for workload segmentation and smaller blast radius
• Over 50 accounts and growing
• Security account with assume role rights into other accounts
• Controls should be repeatable and scriptable
• Leverage Python (e.g., boto3) and the AWS CLI everywhere possible
• Event driven security and compliance
• Serverless where possible
Multi-Account Strategy Challenges
Leveraging DevSecOps
Challenges
• Account creation
• CLI/SDK access
• Visibility
• Auditability
• Developer enablement
Tenets of DevSecOps
Automation
• No humans required to stay in compliance
Event-driven
• Actions occur and response is taken immediately
Serverless
• Allows security team to develop capabilities quickly
Enabling agility without compromising security
• Puts control in developers’ hands
Account Creation
Leveraging DevSecOps
AWS Account Creation
If we want to leverage multiple AWS accounts, we must make it easy to
create new accounts
• Started as a manual process
• Scripted using Python and Selenium
• Starting point: https://github.com/intuit/aws_account_utils
• Organizations – thank you, AWS!
• Integrate with ServiceNow to allow self-service
Create AWS Account (Before Organizations)
• 500+ lines of Python code
• Web browser version issues
• Small changes to Web forms break the entire process
• Not easy to run in a headless mode
• Credit card needed
• Human verification needed via phone call
Create AWS Account (Organizations)
import time
import boto3

email = 'test@test.com'
alias = 'testalias'
organizations = boto3.client('organizations')

# CreateAccount is asynchronous: it returns a request id that must be polled
create_id = organizations.create_account(
    Email=email,
    AccountName=alias,
    IamUserAccessToBilling='ALLOW')['CreateAccountStatus']

status = organizations.describe_create_account_status(
    CreateAccountRequestId=create_id['Id'])['CreateAccountStatus']
while status['State'] == 'IN_PROGRESS':
    time.sleep(5)
    status = organizations.describe_create_account_status(
        CreateAccountRequestId=create_id['Id'])['CreateAccountStatus']

if status['State'] == 'SUCCEEDED':
    print("Account created")
else:
    print("Account creation failed:", status.get('FailureReason'))
AWS Account Templated Security
• Looked at AWS CloudFormation first
• Python script run as part of account creation
  • Create standard VPC
    • Includes network ACLs and standard security groups
  • Create standard set of IAM federated roles
  • Create security audit role
  • Set IAM user password policies
  • Enable AWS CloudTrail
  • Set up Amazon CloudWatch event rules
  • Register account with security AWS account register
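The baseline script described on this slide, written out as an added example (not Chick-fil-A's own script; the standard VPC step is left out). The builders return the exact boto3 parameters so they can be checked offline; apply_baseline() takes a boto3 session for the new account, and the security account id, trail bucket name and event target ARN are placeholders.

```python
"""Security baseline applied to every newly created account.

Added example, not Chick-fil-A's script (the standard VPC step is left out).
Builders return the exact boto3 parameters so they can be checked offline;
apply_baseline() takes a boto3 session for the new account. The security
account id, trail bucket and event target ARN are placeholders.
"""
import json

SECURITY_ACCOUNT_ID = "222222222222"        # placeholder: central security account
TRAIL_BUCKET = "example-org-cloudtrail"      # placeholder: central CloudTrail bucket
AUDIT_ROLE = "SecurityAudit"
TRAIL_NAME = "org-trail"
RULE_NAME = "security-interesting-api-calls"
INTERESTING_CALLS = ["AuthorizeSecurityGroupIngress", "CreateUser", "CreateAccessKey",
                     "PutBucketAcl", "StopLogging", "DeleteTrail"]


def audit_role_trust_policy(security_account_id, external_id):
    """Only the security account may assume the audit role, and only with the ExternalId."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def password_policy():
    """IAM account password policy at the CIS AWS Foundations Benchmark values."""
    return dict(MinimumPasswordLength=14, RequireUppercaseCharacters=True,
                RequireLowercaseCharacters=True, RequireSymbols=True, RequireNumbers=True,
                MaxPasswordAge=90, PasswordReusePrevention=24,
                AllowUsersToChangePassword=True, HardExpiry=False)


def event_pattern(event_names):
    """CloudWatch Events pattern that forwards the listed CloudTrail API calls."""
    return {"detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventName": sorted(event_names)}}


def apply_baseline(session, external_id, event_target_arn):
    """Apply the baseline to a freshly created account, in dependency order."""
    iam = session.client("iam")
    cloudtrail = session.client("cloudtrail")
    events = session.client("events")
    # 1. Security audit role that the security account assumes into this account
    iam.create_role(RoleName=AUDIT_ROLE, AssumeRolePolicyDocument=json.dumps(
        audit_role_trust_policy(SECURITY_ACCOUNT_ID, external_id)))
    iam.attach_role_policy(RoleName=AUDIT_ROLE,
                           PolicyArn="arn:aws:iam::aws:policy/SecurityAudit")
    # 2. Password policy for any IAM users that do get created
    iam.update_account_password_policy(**password_policy())
    # 3. CloudTrail: all regions, global services, log file validation, central bucket
    cloudtrail.create_trail(Name=TRAIL_NAME, S3BucketName=TRAIL_BUCKET, IsMultiRegionTrail=True,
                            IncludeGlobalServiceEvents=True, EnableLogFileValidation=True)
    cloudtrail.start_logging(Name=TRAIL_NAME)
    # 4. Event rule sending "interesting" API calls to the security team's target
    events.put_rule(Name=RULE_NAME, State="ENABLED",
                    EventPattern=json.dumps(event_pattern(INTERESTING_CALLS)))
    events.put_targets(Rule=RULE_NAME, Targets=[{"Id": "security", "Arn": event_target_arn}])
    return {"role": AUDIT_ROLE, "trail": TRAIL_NAME, "rule": RULE_NAME}
```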
CLI/SDK Access
Leveraging DevSecOps
AWS Account CLI Access
If we want to leverage multiple AWS accounts, we must make it easy to access accounts
• Python script to generate STS creds for CLI/SDK access
• Starting point:
  • https://aws.amazon.com/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/
• MFA enabled by way of federation
• No long-lived IAM creds on developer machines
CLI Access
Visibility
Leveraging DevSecOps
Account Visibility
If we want to leverage multiple AWS accounts, we must make it easy to see into all accounts
Single page app with resources listed from all accounts
• Quickly search for IAM users across the org
• Get count of resource types across the org (EC2 instances, RDS instances, IAM users, and so on)
API Gateway to Lambda for app logic
• Assume role into every account
• Collect data on relevant resources
Accounts Overview
Single Account View
Auditability
Leveraging DevSecOps
Account Auditability
If we want to leverage multiple AWS accounts, we must make it easy to audit all accounts
Resource compliance rule engine
• Check all EC2 instances for noncompliance
  • Public IP
• Check IAM users for noncompliance
• Check all S3 buckets for global access
• Runs daily, but can be run on-demand in our compliance portal
Account Auditability
• Lambda functions run via CloudWatch Events Schedule
• Data stored in Amazon S3 as JSON object per account
• Data can be visualized in the compliance portal
• Can run on demand in portal
• Still building rule engine
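The scheduled rule engine from the two auditability slides, as an added example that is not Chick-fil-A's code: the three checks named above (EC2 public IPs, IAM users, S3 global access) run over dicts shaped like boto3 responses and produce the per-account JSON object that would be written to S3. collect_account() is where a boto3 session assumed into the target account (assumed to exist) plugs in; the sample inputs at the bottom are constructed.

```python
"""Scheduled per-account audit: EC2 public IPs, IAM users, S3 global access.

Added example, not Chick-fil-A's rule engine. The check_* functions take dicts
shaped like boto3 responses so they run offline; collect_account() is where a
boto3 session assumed into the target account (assumed to exist) plugs in.
"""
import json
from datetime import datetime, timedelta, timezone

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def check_ec2(reservations):
    """Rule: no instance may carry a public IPv4 address."""
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("PublicIpAddress"):
                findings.append({"rule": "ec2-public-ip", "resource": inst["InstanceId"],
                                 "detail": inst["PublicIpAddress"]})
    return findings

def check_iam_users(users, now):
    """Rules: console users need MFA; active access keys older than 90 days are flagged."""
    findings = []
    for user in users:
        if user.get("ConsoleAccess") and not user.get("MFADevices"):
            findings.append({"rule": "iam-user-no-mfa", "resource": user["UserName"], "detail": ""})
        for key in user.get("AccessKeys", []):
            age = (now - key["CreateDate"]).days
            if key["Status"] == "Active" and age > 90:
                findings.append({"rule": "iam-access-key-age", "resource": user["UserName"],
                                 "detail": f"{key['AccessKeyId']} is {age} days old"})
    return findings

def check_s3(buckets):
    """Rules: no ACL grant to AllUsers/AuthenticatedUsers; no public bucket policy."""
    findings = []
    for bucket in buckets:
        uris = {g["Grantee"].get("URI") for g in bucket.get("Grants", [])}
        public = sorted(uris & PUBLIC_GRANTEES)
        if public:
            findings.append({"rule": "s3-public-acl", "resource": bucket["Name"],
                             "detail": ",".join(public)})
        if bucket.get("PolicyStatus", {}).get("IsPublic"):
            findings.append({"rule": "s3-public-policy", "resource": bucket["Name"], "detail": ""})
    return findings

def audit_account(account_id, reservations, users, buckets, now=None):
    """Run every rule and build the JSON object stored per account in S3."""
    now = now or datetime.now(timezone.utc)
    findings = check_ec2(reservations) + check_iam_users(users, now) + check_s3(buckets)
    return {"account_id": account_id, "audited_at": now.isoformat(),
            "finding_count": len(findings), "findings": findings}

def collect_account(session, account_id):
    """Gather rule inputs with boto3 from a session assumed into the target account."""
    ec2, iam, s3 = session.client("ec2"), session.client("iam"), session.client("s3")
    reservations = ec2.describe_instances()["Reservations"]
    users = []
    for u in iam.list_users()["Users"]:
        name = u["UserName"]
        try:                                   # a login profile means console access
            iam.get_login_profile(UserName=name)
            console = True
        except iam.exceptions.NoSuchEntityException:
            console = False
        users.append({"UserName": name, "ConsoleAccess": console,
                      "MFADevices": iam.list_mfa_devices(UserName=name)["MFADevices"],
                      "AccessKeys": iam.list_access_keys(UserName=name)["AccessKeyMetadata"]})
    buckets = []
    for b in s3.list_buckets()["Buckets"]:
        entry = {"Name": b["Name"], "Grants": s3.get_bucket_acl(Bucket=b["Name"])["Grants"]}
        try:
            entry["PolicyStatus"] = s3.get_bucket_policy_status(Bucket=b["Name"])["PolicyStatus"]
        except s3.exceptions.ClientError:      # NoSuchBucketPolicy: nothing attached
            entry["PolicyStatus"] = {"IsPublic": False}
        buckets.append(entry)
    return audit_account(account_id, reservations, users, buckets)

# Constructed sample inputs in boto3 response shape (not real resources or keys)
NOW = datetime(2017, 11, 29, tzinfo=timezone.utc)
SAMPLE_RESERVATIONS = [{"Instances": [{"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.10"},
                                      {"InstanceId": "i-0bbb", "PrivateIpAddress": "10.0.1.5"}]}]
SAMPLE_USERS = [
    {"UserName": "alice", "ConsoleAccess": True, "MFADevices": [], "AccessKeys": [
        {"AccessKeyId": "AKIAEXAMPLE1", "Status": "Active", "CreateDate": NOW - timedelta(days=200)}]},
    {"UserName": "svc-build", "ConsoleAccess": False, "MFADevices": [], "AccessKeys": [
        {"AccessKeyId": "AKIAEXAMPLE2", "Status": "Active", "CreateDate": NOW - timedelta(days=10)}]}]
SAMPLE_BUCKETS = [
    {"Name": "public-assets", "Grants": [{"Grantee": {"Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    {"Name": "private-logs", "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc"}}]}]

if __name__ == "__main__":
    print(json.dumps(audit_account("111111111111", SAMPLE_RESERVATIONS, SAMPLE_USERS,
                                   SAMPLE_BUCKETS, NOW), indent=2))
```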
Audit Report
Enablement
Leveraging DevSecOps
Developer Enablement
If we want to leverage multiple AWS accounts, we must make it easy to enable developers to be secure by default
• Event-driven security
  • Simple CloudFormation template across accounts
  • Part of AWS account creation process
• All “interesting” AWS API calls are checked for compliance issues/concerns
• Non-remediated alerts flow into incident response tools and audit/compliance portal
• Integrates into Slack and email for communications
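The event-driven check from this slide, as an added example that is not Chick-fil-A's code: a CloudWatch Events rule of detail-type "AWS API Call via CloudTrail" invokes this Lambda handler, which inspects the API call, flags the concerns, and posts each finding to Slack through an incoming-webhook URL assumed to sit in the SLACK_WEBHOOK_URL environment variable. The event at the bottom is constructed.

```python
"""Event-driven compliance check for "interesting" CloudTrail API calls.

Added example, not Chick-fil-A's code. A CloudWatch Events rule with
detail-type "AWS API Call via CloudTrail" invokes handler(); each finding
is posted to Slack through an incoming-webhook URL that is assumed to be
in the SLACK_WEBHOOK_URL environment variable.
"""
import json
import os
import urllib.request

WORLD = {"0.0.0.0/0", "::/0"}


def open_to_world(params):
    """AuthorizeSecurityGroupIngress: report rules reachable from any address."""
    hits = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr in WORLD:
                hits.append(f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')} from {cidr}")
    if hits:
        return f"security group {params.get('groupId')} opened: " + "; ".join(hits)
    return None


# eventName -> function(requestParameters) returning a finding message or None
CHECKS = {
    "AuthorizeSecurityGroupIngress": open_to_world,
    "CreateUser": lambda p: f"IAM user {p.get('userName')} created (federation expected, not IAM users)",
    "CreateAccessKey": lambda p: f"long-lived access key created for {p.get('userName')}",
    "StopLogging": lambda p: f"CloudTrail logging stopped for {p.get('name')}",
    "DeleteTrail": lambda p: f"CloudTrail trail {p.get('name')} deleted",
}


def evaluate(event):
    """Return the list of findings for one CloudWatch Events CloudTrail event."""
    detail = event.get("detail", {})
    name = detail.get("eventName")
    identity = detail.get("userIdentity", {})
    base = {"account": event.get("account"), "region": detail.get("awsRegion"),
            "event": name, "actor": identity.get("arn") or identity.get("type"),
            "source_ip": detail.get("sourceIPAddress")}
    findings = []
    if identity.get("type") == "Root":          # root use is always worth an alert
        findings.append(dict(base, message="root credentials used"))
    check = CHECKS.get(name)
    if check and not detail.get("errorCode"):   # ignore calls that AWS rejected
        message = check(detail.get("requestParameters") or {})
        if message:
            findings.append(dict(base, message=message))
    return findings


def slack_text(finding):
    """One-line Slack message for a finding."""
    return (f":rotating_light: [{finding['account']}/{finding['region']}] {finding['event']} "
            f"by {finding['actor']} from {finding['source_ip']}: {finding['message']}")


def handler(event, context=None):
    """Lambda entry point: evaluate the event and notify Slack on findings."""
    findings = evaluate(event)
    webhook = os.environ.get("SLACK_WEBHOOK_URL")
    for finding in findings:
        if webhook:
            body = json.dumps({"text": slack_text(finding)}).encode()
            req = urllib.request.Request(webhook, data=body,
                                         headers={"Content-Type": "application/json"})
            urllib.request.urlopen(req, timeout=5).read()
    return {"findings": findings}


# Constructed sample event: a federated developer role opens port 22 to the world
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "account": "111111111111",
    "detail": {
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/Developer/alice"},
        "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}},
    },
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```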
Slack Integration
Credit
CloudCustodian
Squirrelbin
Intuit – https://github.com/intuit/aws_account_utils
AWS Security Blog - https://aws.amazon.com/blogs/security
Thank you!

 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017

  • 1. How Chick-fil-A Embraces DevSecOps on AWS
    Andrew Baird, Solutions Architect, AWS
    Robert Davis, Security Architect, Chick-fil-A
    SID306, November 29, 2017
    © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 2. Agenda
    • Introduction
    • Bold Statements
    • Tools to Start With
    • Services to Start With
    • The Chick-fil-A DevSecOps Story
  • 3. Introduction to DevSecOps (in one slide): DEV + SEC + OPS
    • DEV: Develop software; follow the same processes and standards as application development
      • Tools
      • Quality
      • Change management
    • SEC: The software developed is explicitly focused on security
      • Threats
      • Policies
      • Identity and Access Control
      • And more
    • OPS: The security-focused software developed runs as a part of ongoing operations for your applications/organization
      • Automated
      • Embedded in process
      • Always-on
      • An extension of your team
  • 4. Bold Statements
  • 5. Bold(ish) Statement: Your team must write code in order to be practicing DevSecOps
  • 6. Bold(er) Statement: If your application teams are practicing DevOps or embracing automation on AWS and you are not practicing DevSecOps, your security policies are a bottleneck
  • 7. Bold(est) Statement: If your applications run on AWS and you’re not practicing DevSecOps, your security bar is not high enough
  • 8. Where Should You Start?
  • 9. Taking the First Step: Choose a higher level programming language to standardize on
    Factors to consider:
    • Skills already existing on your team
    • Interpreted as opposed to compiled (Hint: choose an interpreted language for DevSecOps)
    • Available SDKs/tools (especially the AWS SDK)
    Prescription (not the only choice): Python – https://aws.amazon.com/sdk-for-python/
  • 10. Reach for Low-Hanging Fruit First
    Code with: Python SDK (boto3), AWS CLI, AWS API
    Build with: Amazon CloudWatch, Amazon EC2 Systems Manager, AWS Config, AWS CloudTrail, AWS Lambda, AWS CloudFormation
    Focus on: AWS Identity and Access Management, S3 Bucket Policies, Security Groups, Amazon VPC
  • 11. It’s Dangerous to Go Alone… Take These
    • AWS CIS Foundation Benchmark: https://github.com/awslabs/aws-security-benchmark
    • Cloud Custodian (OSS from Capital One): https://github.com/capitalone/cloud-custodian
    • AWS Config Rules Repository: https://github.com/awslabs/aws-config-rules
    • AWS Security Blog: https://aws.amazon.com/blogs/security/
  • 12. Security Journey to AWS (Chick-fil-A)
  • 13. AWS Security Strategy
    • Multi-account for workload segmentation and smaller blast radius
      • Over 50 accounts and growing
      • Security account with assume role rights into other accounts
    • Controls should be repeatable and scriptable
      • Leverage Python (ex: boto3) and AWS CLI everywhere possible
    • Event driven security and compliance
    • Serverless where possible
  • 14. Multi-Account Strategy Challenges (Leveraging DevSecOps)
  • 15. Challenges
    • Account creation
    • CLI/SDK access
    • Visibility
    • Auditability
    • Developer enablement
  • 16. Tenets of DevSecOps
    • Automation: No humans required to stay in compliance
    • Event-driven: Actions occur and response is taken immediately
    • Serverless: Allows security team to develop capabilities quickly
    • Enabling agility without compromising security: Puts control in developers’ hands
  • 17. Account Creation (Leveraging DevSecOps)
  • 18. AWS Account Creation: If we want to leverage multiple AWS accounts, we must make it easy to create new accounts
    • Started as a manual process
    • Scripted using Python and Selenium
      • Starting point: https://github.com/intuit/aws_account_utils
    • Organizations – thank you, AWS!
    • Integrate with ServiceNow to allow self-service
  • 19. Create AWS Account (Before Organizations)
    • 500+ lines of Python code
    • Web browser version issues
    • Small changes to Web forms break the entire process
    • Not easy to run in a headless mode
    • Credit card needed
    • Human verification needed via phone call
  • 20. Create AWS Account (Organizations)
    import boto3
    import time

    email = 'test@test.com'
    alias = 'testalias'
    organizations = boto3.client('organizations')

    # create_account is asynchronous: the request id it returns starts out
    # IN_PROGRESS, so poll describe_create_account_status until the state settles
    create_id = organizations.create_account(
        Email=email,
        AccountName=alias,
        IamUserAccessToBilling='ALLOW')['CreateAccountStatus']
    status = organizations.describe_create_account_status(
        CreateAccountRequestId=create_id['Id'])['CreateAccountStatus']
    while status['State'] == 'IN_PROGRESS':
        time.sleep(5)
        status = organizations.describe_create_account_status(
            CreateAccountRequestId=create_id['Id'])['CreateAccountStatus']

    if status['State'] == 'SUCCEEDED':
        print("Account created:", status['AccountId'])
    else:
        print("Account creation failed:", status.get('FailureReason'))
  • 21. AWS Account Templated Security
    • Looked at AWS CloudFormation first
    • Python script run as part of account creation
      • Create standard VPC
        • Includes network ACLs and standard security groups
      • Create standard set of IAM federated roles
      • Create security audit role
      • Set IAM user password policies
      • Enable AWS CloudTrail
      • Set up Amazon CloudWatch event rules
      • Register account with security AWS account register
  • 22. CLI/SDK Access (Leveraging DevSecOps)
  • 23. AWS Account CLI Access: If we want to leverage multiple AWS accounts, we must make it easy to access accounts
    • Python script to generate STS creds for CLI/SDK access
      • Starting point: https://aws.amazon.com/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/
    • MFA enabled by way of federation
    • No long-lived IAM creds on developer machines
  • 24. CLI Access
  • 25. Visibility (Leveraging DevSecOps)
  • 26. Account Visibility: If we want to leverage multiple AWS accounts, we must make it easy to see into all accounts
    • Single page app with resources listed from all accounts
      • Quickly search for IAM users across the org
      • Get count of resource types across the org (EC2 instances, RDS instances, IAM users, and so on)
    • API Gateway to Lambda for app logic
      • Assume role into every account
      • Collect data on relevant resources
  • 27.
  • 28. Accounts Overview
  • 29. Single Account View
  • 30. Auditability (Leveraging DevSecOps)
  • 31. Account Auditability: If we want to leverage multiple AWS accounts, we must make it easy to audit all accounts
    • Resource compliance rule engine
      • Check all EC2 instances for noncompliance
        • Public IP
      • Check IAM users for noncompliance
      • Check all S3 buckets for global access
    • Runs daily, but can be run on-demand in our compliance portal
  • 32. Account Auditability
    • Lambda functions run via CloudWatch Events Schedule
    • Data stored in Amazon S3 as JSON object per account
    • Data can be visualized in the compliance portal
      • Can run on demand in portal
    • Still building rule engine
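Scheduled checks of the kind the rule engine on slides 31 and 32 describes, as an added example and not Chick-fil-A's code: each rule is a pure function over the response shapes boto3 returns, so the sample responses are constructed inline and the block runs offline; in the scheduled Lambda the inputs would come from ec2.describe_instances, s3.get_bucket_acl and iam.list_access_keys after assuming the audit role in each account. The IAM rule (active long-lived access keys) and the per-account JSON layout are assumptions, since the slides name neither.

```python
from datetime import date

PUBLIC_ACL_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def check_ec2_public_ip(reservations):
    """Flag instances that carry a public IPv4 address (ec2.describe_instances 'Reservations')."""
    return [{"rule": "ec2-public-ip", "resource": i["InstanceId"], "detail": i["PublicIpAddress"]}
            for r in reservations for i in r["Instances"] if i.get("PublicIpAddress")]


def check_s3_global_access(bucket_acls):
    """Flag buckets whose ACL grants anything to the AllUsers/AuthenticatedUsers groups
    (bucket name -> s3.get_bucket_acl response)."""
    return [{"rule": "s3-global-access", "resource": name, "detail": g["Permission"]}
            for name, acl in bucket_acls.items() for g in acl["Grants"]
            if g["Grantee"].get("URI") in PUBLIC_ACL_URIS]


def check_iam_users(user_keys):
    """Assumed rule (the slide only says 'check IAM users'): flag active long-lived access
    keys (user name -> iam.list_access_keys 'AccessKeyMetadata')."""
    return [{"rule": "iam-active-access-key", "resource": user, "detail": k["AccessKeyId"]}
            for user, keys in user_keys.items() for k in keys if k["Status"] == "Active"]


def audit_account(account_id, reservations, bucket_acls, user_keys, run_date=None):
    """Run every rule and build the per-account JSON object the portal reads from S3."""
    findings = (check_ec2_public_ip(reservations) + check_s3_global_access(bucket_acls)
                + check_iam_users(user_keys))
    return {"account": account_id, "date": str(run_date or date.today()),
            "count": len(findings), "findings": findings}


# Constructed sample API responses, in the shapes boto3 returns them; key ids are placeholders.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.10", "PrivateIpAddress": "10.0.1.4"},
    {"InstanceId": "i-0bbb", "PrivateIpAddress": "10.0.1.5"}]}]
SAMPLE_BUCKET_ACLS = {
    "public-assets": {"Grants": [{"Grantee": {"Type": "Group",
                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    "private-data": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                                 "Permission": "FULL_CONTROL"}]}}
SAMPLE_USER_KEYS = {"svc-deploy": [{"AccessKeyId": "AKIA_PLACEHOLDER", "Status": "Active"}],
                    "alice": [{"AccessKeyId": "AKIA_OLD_PLACEHOLDER", "Status": "Inactive"}]}

if __name__ == "__main__":
    import json
    print(json.dumps(audit_account("111111111111", SAMPLE_RESERVATIONS,
                                   SAMPLE_BUCKET_ACLS, SAMPLE_USER_KEYS), indent=2))
```

A bucket can also be public through its bucket policy, which this ACL-only rule does not inspect; a fuller S3 check would add the IsPublic flag from s3.get_bucket_policy_status.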
  • 33. Audit Report
  • 34. Enablement (Leveraging DevSecOps)
  • 35. Developer Enablement: If we want to leverage multiple AWS accounts, we must make it easy to enable developers to be secure by default
    • Event-driven security
      • Simple CloudFormation template across accounts
      • Part of AWS account creation process
    • All “interesting” AWS API calls are checked for compliance issues/concerns
    • Non-remediated alerts flow into incident response tools and audit/compliance portal
    • Integrates into Slack and email for communications
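An event-driven check of the kind slide 35 describes, as an added example and not Chick-fil-A's code: a CloudWatch Events rule matches CloudTrail AuthorizeSecurityGroupIngress calls and the Lambda handler flags ingress rules that open a sensitive port to 0.0.0.0/0 or ::/0, returning the alert document that would be forwarded to Slack, email and the audit portal. The port list, the security group id and the sample event are constructed assumptions.

```python
# CloudWatch Events rule pattern selecting the CloudTrail API call; this is what the
# per-account CloudFormation template would declare.
EVENT_PATTERN = {"source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"],
                 "detail": {"eventName": ["AuthorizeSecurityGroupIngress"]}}
SENSITIVE_PORTS = {22, 3389, 3306, 5432}  # assumption: SSH, RDP, MySQL, PostgreSQL
WORLD = {"0.0.0.0/0", "::/0"}


def world_open_findings(detail):
    """Return (group_id, from_port, to_port, cidr) for each ipPermissions entry in the
    CloudTrail requestParameters that opens a sensitive port to every address.
    Protocol -1 entries carry no ports and are treated as the full range."""
    params = detail.get("requestParameters", {})
    group = params.get("groupId", "unknown")
    findings = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr in WORLD and any(lo <= p <= hi for p in SENSITIVE_PORTS):
                findings.append((group, lo, hi, cidr))
    return findings


def handler(event, context=None):
    """Lambda entry point: returns the alert document. In the pipeline the slide describes,
    a non-empty findings list is what gets pushed to Slack/email and the audit portal."""
    detail = event["detail"]
    findings = world_open_findings(detail)
    return {"account": event.get("account"), "event": detail.get("eventName"),
            "actor": detail.get("userIdentity", {}).get("arn"),
            "findings": findings, "alert": bool(findings)}


# Constructed sample event in the envelope CloudWatch Events uses for CloudTrail calls:
# one entry opens SSH to the world, one opens HTTPS (not a sensitive port here).
SAMPLE_EVENT = {"account": "111111111111", "detail": {
    "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/Developer/alice"},
    "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```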
  • 36.
  • 37. Slack Integration
  • 38. Credit
    • Cloud Custodian
    • Squirrelbin
    • Intuit – https://github.com/intuit/aws_account_utils
    • AWS Security Blog – https://aws.amazon.com/blogs/security
  • 39. Thank you!