Operational Excellence for Identity & Access Management (SEC334) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Operational Excellence for Identity
& Access Management
Sean MacDonald
Security Specialist TAM
AWS
S E C 3 3 4
Johnny Hanley
Enterprise Support Lead
AWS

Agenda
• Once upon a time
• The map
• Today’s chapter
• The adventure begins
• Happily ever after

Once upon a time …
Tell the story
Agility and short-term development cycles
Organizational governance ensuring proper security
Working in tandem
Lessons learned (why this is necessary)
Cloud enables the ability to iterate quickly
Cloud enables the ability to automate governance during the development cycle
Path forward (what we are proposing)
Guardrails, not gates
Developers + Security = BFFs

The map
Operational excellence
Perform operations as code
Anticipate failure
Learn from all operational failures
Security pillar best practices
Implement a strong identity foundation
Automate security best practices
Processes for event, incident, and problem management
Enable traceability
https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Requirements
1. Your own device for console access
2. An AWS account that you are able to use for testing, that is not used
for production or other purposes
3. Download the Lab Guide at https://bit.ly/2DxLXx6
https://s3.amazonaws.com/sec334labs/sec334labs/SEC334+Labs.pdf
4. Download 3 files from links in Lab Guide
5. Raise your hand if you need assistance

Today’s chapter
The main services in today’s story
AWS Organizations
AWS Config
AWS Identity and Access Management (IAM)
AWS Landing Zone (our hero)
Plot twists (decisions you need to make)
Architectural
Operational

The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup
of new AWS multi-account environments
Based on AWS best
practices and
recommendations
Initial security and
governance controls
Baseline accounts
and account
vending machine
Automated
deployment

AWS Landing Zone structure - basic
AWS Organizations
Shared Services Log Archive Security
Organizations Account
• Account Provisioning
• Account Access (SSO)
Shared Services Account
• Active Directory
• Log Analytics
Log Archive
• Security Logs
Security Account
• Audit / Break-glass
Parameter
store

Multi-account approach
AWS Organizations
No connection to DC
Service Control Policies
Consolidated billing
Minimal resources
Limited access
Data Center

Security
Core Accounts
AWS Organizations
Log Archive
Optional data center
connectivity
Security tools and audit
Cross-account read/write
Limited access
Data Center

Security
Core Accounts
AWS Organizations
Network
Log Archive
Managed by network team
Networking services
AWS Direct Connect
Limited access
Data Center

Security
Core Accounts
AWS Organizations
Shared
Services
Network
Log Archive
Connected to DC
DNS
LDAP/Active Directory
Shared Services VPC
Deployment tools
Golden AMI
Pipeline
Scanning infrastructure
Inactive instances
Improper tags
Data Center

Developer
Sandbox
Security
Core Accounts
AWS Organizations
Shared
Services
Network
Log Archive
No connection to DC
Innovation space
Fixed spending limit
Autonomous
Experimentation
Developer Accounts Data Center

Developer
Sandbox
Team/Group Accounts
Security
Core Accounts
AWS Organizations
Shared
Services
Network
Log Archive
Based on level of needed
isolation
Match your development
lifecycle

Developer
Sandbox
Dev
Team/Group Accounts
Security
Core Accounts
AWS Organizations
Shared
Services
Network
Log Archive
Develop and iterate quickly
Collaboration space
Stage of SDLC

Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
AWS Organizations
Shared
Services
Network
Log Archive
Connected to DC
Production-like
Staging
QA
Automated deployments

Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
AWS Organizations
Shared
Services
Network
Log Archive Prod
Connected to DC
Production applications
Promoted from Pre-Prod
Limited access

Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
AWS Organizations
Shared
Services
Network
Log Archive Prod
Team Shared
Services
Grows organically
Shared to the BU/team
Product-specific common
services
Data lake
Common tooling
Common services

Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
AWS Organizations
Shared
Services
Network
Log Archive Prod
Team Shared
Services
Network Path
Orgs: Account management
Log Archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: Direct Connect
Dev Sandbox: Experiments, Learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team Shared Services, Data Lake

What you get with the AWS Landing Zone
• Framework for creating and baselining a multi-account environment
• Initial multi-account structure including security, audit, & shared service requirements
• An account vending machine that enables automated deployment of additional
accounts with a set of security baselines
Account Management
• User account access managed through AWS SSO federation
• Cross-account roles enable centralized management
Identity &
Access Management
• Multiple accounts enable separation of duties
• Initial account security and AWS Config rules baseline
• Network baseline
Security & Governance

Preventive Controls
Detective Controls
Remediation
Landing Zone – Control Types (Guardrail Types)
Prohibit user from disabling or deleting the baseline controls - SCP
Monitor resources and alert on non-compliance -Config rules
Take corrective action – AWS Lambda triggered from Config rules

The adventure begins
Creating guardrails
AWS Landing Zone
AWS Organizations
AWS Config
Applied governance
AWS Organizations
AWS Config
Handling estate drift
Amazon CloudWatch
AWS Lambda

Demo - Creating guardrails
Explore a deployed Landing Zone
Check Organizations configurations settings
Check CloudTrail configurations settings
Check IAM configuration settings
Goals accomplished with this lab
Enable traceability

The map (goals accomplished in demo)
Anticipate failure
Enable traceability

Lab 1—Applied governance
Enforce compliance using AWS Organizations
Create service control policies (SCP) to enforce compliance
Apply SCP to an account
Deploy restricted-SSH Config rule from console
Checks whether security groups disallow unrestricted incoming SSH traffic
Anticipate failure

Lab 1 (reference materials)
1. Download the lab 2 guide at https://bit.ly/2DxLXx6

The map (goals accomplished in lab 1)
Anticipate failure
Enable traceability

Lab 2—Handling estate drift
Deploy
Monitor CloudTrail Logs to detects changes, and notify via SNS
Monitor IAM for users elevating permissions via inline policy
Use CloudWatch events and a Lambda function to respond to events
Anticipate failure

Lab 2 (reference materials)
1. Download the lab 3 guide at https://bit.ly/2DxLXx6

The map (goals accomplished in lab 2)
Anticipate failure
Enable traceability

Removing lab resources
1. Download the lab teardown guide at https://bit.ly/2DxLXx6

Happily ever after
What we have built
Deployed a multi-account infrastructure based on AWS Well-Architected Framework
Created guardrails to enforce compliance
Created policies to apply governance
Created automation for handling estate drift
How it meets our objectives
Enable traceability

AWS Landing Zone Track: search: awslandingzone
Architecture:
SEC303: Architecting Security & Governance across your AWS Landing Zone (Session)
ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing Zone (Session)
Implementation:
ENT350: AWS Landing Zone Deep Dive (Chalk Talk)
SEC349: Governance at Scale (Chalk Talk)
ENT318: Landing Zone Design: What to Do When Your Company Splits in Half (Session)
Workshops (First three are same content):
ENT351: Enterprise Governance: Build Your AWS Landing Zone (Workshop)
SEC315: Enterprise Governance and Security - Build Your AWS Landing Zone (Workshop)
GPSWS407A: Automated Solution for Deploying AWS Landing Zone (Workshop/Partners)
SEC334: Operational Excellence for Identity & Access Management (Workshop)
Summary/Feedback:
SEC360: AWS Landing Zone Strategies (Chalk Talk)

Thank you!
Sean MacDonald Johnny Hanley
seanmacd@amazon.com tjhanley@amazon.com

Account Vending Machine
AWS
Service Catalog
Account Vending Machine (AWS Service Catalog)
• Account creation UI
• Account baseline versioning
• Launch constraints
Creates/updates AWS account
Apply account baseline stack sets
Create network baseline
Apply account security control policy
Account Vending
Machine
AWS
Organizations
Security
AWS
Log Archive
AWS
Shared Services
AWS
AWS
New AWS

AWS Landing Zone pricing
No additional charge for the AWS Landing Zone solution.
Customers are responsible for the charges of the underlying
services (e.g., AWS Config Service, AWS CloudTrail, etc.).
Cost for the basic solution: ~$200 / month
Monthly cost for optional add-ons:
• Centralized logging solution: <$400
• Directory Connector: <$50
• AWS Managed AD plus Remote Desktop Gateway: ~$300

Learn More
Web page explains solution
benefits and structure
30-minute webcast overview
Link to form to have AWS follow
up to help you with solution
www.aws.amazon.com/answers/aws-landing-zone

Request AWS follow up
https://bit.ly/2Cv6Qsq

Operational Excellence for Identity & Access Management (SEC334) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Operational Excellence for Identity & Access Management (SEC334) - AWS re:Invent 2018

Similar to Operational Excellence for Identity & Access Management (SEC334) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Operational Excellence for Identity & Access Management (SEC334) - AWS re:Invent 2018