Automated control and transparency in the AWS cloud – autopilot for compliance of your cloud...
Post on 08-Feb-2017
AWS Enterprise Web Day
Automate control and transparency – put
compliance checks for your cloud resources on
autopilot
Philipp Behre
AWS Solutions Architect
pbehre@amazon.de
• A Culture of Innovation - Experiment Often & Fail Without Risk
• From PoC to Production – create new business opportunities
Project Teams: Agility, Self-service, Time-to-market
Agility can lead to …
A strong IT Services Team enables innovation
IT Service Team responsibilities: Compliance, Security, Access Management, Auditing, Change Management, Cloud Operations, and many more
The IT Service Team provides Control, Visibility and Compliance to the Project Teams
Empower agile teams with standardized self-service
• IT Service Team: create custom services and grant access to developers
• Project Teams: use a personalized portal to find & launch services
Standardize and automate with AWS CloudFormation
Instruction manuals and provisioning scripts raise questions:
• creation order?
• how long do I pause?
• what errors can I recover from?
• what environment config and utilities does my script depend on?
• can my script be faster?
• will this script work again?
• how do I learn all of the AWS APIs?
With CloudFormation: Templatize, Version Control, Provision, Replicate, Update
An integrated approach to gain transparency
• AWS Service Catalog: publishes templates; project teams select & provision a resource stack
• CloudFormation template: create/update, validate and provision the resource stack
• AWS Config: catalog of resources & changes; notifies on every change
• AWS CloudTrail: captures all API interaction and secures audit data in Amazon S3 (durable storage for audit logs)
• Amazon CloudWatch: monitors AWS & application, initiates alarms and notifies
Transparent changes
AWS Config: continuous change recording of continuously changing resources – delivered as History, Stream and Snapshot (ex. 2015-20-03)
Evidence for compliance
aws configservice get-resource-config-history \
--resource-type AWS::EC2::VPC \
--resource-id vpc-47fa0322 \
--earlier-time 2015-10-01
...
• Many compliance audits require access to the state of your systems at arbitrary times (e.g., PCI, HIPAA)
• A complete inventory of all resources and their configuration attributes is available for any point in time
Change management integration: Option 1
Data pipe into existing CMDB: AWS Account 1, Account 2 and Account 3 deliver AWS Config data to a common S3 bucket and a common SNS topic; an adaptor feeds the CMDB (BMC, HP, custom). The adaptor is custom software to convert JSON into the CMDB’s format.
Change management integration: Option 2
Use in federated form: each AWS account (Account 1, 2, 3) is queried through the AWS Config API by its own adaptor into the CMDB (BMC, HP). The adaptor is custom software needed to convert JSON into the CMDB’s format.
A cloud-based technology company transforming clinical research for life sciences companies and patients who depend on them.
Diagram labels: Infrastructure, Changes, Change Log, Regulatory Compliance Engine, Audits
Why should I do this
• Compliance: helps you know how things are configured…
• “We audit our logs already!” Every minute?
• “We don’t allow changes through IAM policies”: In all accounts/environments?
• “We use a CI/CD to push all changes” Awesome... I'll push the changes using someone else's user account!
Why…again
Implement “Compliance Status” for easy overview
• Use pre-defined checks
• Create extended custom checks
• Fix the issue while checking
Evaluate/remediate changes/events in your account
• Doesn’t replace log analysis (consider Machine Learning FTW)
• Protect against changes made by (un)authorized accounts
• Automatic remediation for critical events
• Do forensics on the fly
Always Log and Alert!
Config Rules
• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes
AWS Lambda ?
A compute service where you don’t have to think about:
• Servers
• Being over/under capacity
• Deployments
• Scaling and fault tolerance
• OS or language updates
• Metrics and logging
…but where you can easily
• Bring your own code… even native libraries
• Run code in parallel
• Create backends, event handlers, and data processing systems
• Never pay for idle!
Transparent changes – Am I still in compliance?
AWS Config pipeline: Changing Resources → Record → Normalize → Store (History) → Deliver (Stream, Snapshot (ex. 2014-11-05), APIs) → Rules
Rule R1: TaggedEC2
Rule R2: ProductionVolumesEncrypted
Rule R3: CloudTrail enabled
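The deck names rules R1 (TaggedEC2) and R2 (ProductionVolumesEncrypted) but shows no code. The following is an added example, not from the deck or from AWS, of a custom AWS Config rule in Lambda that evaluates both: it parses the invoking event, applies the check for the resource type, handles deleted resources, and reports the verdict. The rule parameter names (environmentTag, environmentValue, requiredTags) and the default tag values are assumptions.

```python
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

def evaluate_volume(item, params):
    """R2 (ProductionVolumesEncrypted): volumes tagged as production must be encrypted."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE
    tag = params.get("environmentTag", "Environment")      # assumed rule parameter names
    wanted = params.get("environmentValue", "Production")
    if item.get("tags", {}).get(tag) != wanted:
        return NOT_APPLICABLE                               # not a production volume
    return COMPLIANT if item.get("configuration", {}).get("encrypted") else NON_COMPLIANT

def evaluate_instance(item, params):
    """R1 (TaggedEC2): every instance must carry all required tags with a value."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return NOT_APPLICABLE
    required = [t.strip() for t in params.get("requiredTags", "Owner,CostCenter").split(",")]
    return COMPLIANT if all(item.get("tags", {}).get(t) for t in required) else NON_COMPLIANT

EVALUATORS = {"AWS::EC2::Volume": evaluate_volume, "AWS::EC2::Instance": evaluate_instance}

def build_evaluation(event):
    """Parse the Config invoking event and produce one Evaluation entry for put_evaluations."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        verdict = NOT_APPLICABLE                            # nothing left to evaluate
    else:
        evaluator = EVALUATORS.get(item["resourceType"])
        verdict = evaluator(item, params) if evaluator else NOT_APPLICABLE
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": verdict,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Lambda entry point: report the verdict back to AWS Config."""
    import boto3  # imported here so the evaluation logic above runs offline in tests
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation
```

The Lambda needs an execution role allowed to call config:PutEvaluations, and the rule must be scoped to the EC2 volume and instance resource types so Config invokes it on their changes.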
Transparent changes – act on them!
An Example …
“I need to access this system now! It can be quick … I will use this user account we use for automation to change the security group.”
The instance’s security group is changed; AWS Config tracks & monitors the change and invokes the Rule, which alerts, revises the change and follows up.
Risks
• You can now automatically mess up your approved changes
• No proper alerting and follow-up on automatic events
• Over/under complicated scripts
• No info on desired state
• Race the hacker…automation wars!
Creating a blueprint helps (simplified example)
Trigger: Continuous / Event based – Config Rules, CloudWatch Events
• Is it region specific?
• Will the action risk breaking something? Yes: call human. No: Lambda
• Will it add cost? Yes: based on possible cost limit, call human. No/Minor: set rules
• Is there a source of truth? Config Rules: check previous (caution on multiple events). CWE: check tag/DDB (have a default value)
Action: revert change based on the above
Forensic: is it human (or unknown source) or machine (CI/CD)?
• CI/CD: create ticket (Jira etc.)
• Human: should we countermeasure/prevent?
  • Are they using MFA? No: add MFA (external Lambda)
  • Have they done this before (check DDB)? Yes: disable account/keys
Alert: High: SMS/Page. Low: Email/tracking system
Logging: Is it sensitive? Yes: encrypt (KMS). No: cleartext. Always: access control
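The blueprint above is a decision tree; this added example (not from the deck) turns its Action, Forensic, Alert and Logging branches into one triage function over a CloudTrail record. The pipeline role name, the list of sensitive event names and the sample record are constructed, and the prior_offenders set stands in for the DynamoDB lookup the deck mentions.

```python
# Constructed lists; replace with your own inventory of sensitive calls and pipeline roles.
SENSITIVE_EVENTS = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
                    "StopLogging", "DeleteTrail"}
PIPELINE_ROLES = {"ci-deploy-role"}   # hypothetical IAM role assumed by the CI/CD pipeline

def classify_actor(identity):
    """Machine (CI/CD) if the call came via a known pipeline role, else human or unknown."""
    kind = identity.get("type")
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return "ci_cd" if issuer.get("userName") in PIPELINE_ROLES else "human"
    if kind in ("IAMUser", "Root"):
        return "human"
    return "unknown"

def mfa_used(identity):
    """CloudTrail records MFA as the string "true" under sessionContext.attributes;
    a plain access-key call has no session context and therefore counts as no MFA."""
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def triage(record, prior_offenders):
    """Follow-up steps for one CloudTrail record, in blueprint order: action, forensic,
    alert, logging. prior_offenders is a set of principal ARNs (stand-in for the DDB check)."""
    identity = record["userIdentity"]
    actor = classify_actor(identity)
    principal = identity.get("arn", "unknown")
    steps = ["revert_change"]                               # Action: revert based on above
    if actor == "ci_cd":
        steps.append("create_ticket")                       # Forensic: machine -> ticket
    else:
        if not mfa_used(identity):
            steps.append("enforce_mfa")                     # Human without MFA -> add MFA
        if principal in prior_offenders:
            steps.append("disable_keys")                    # Seen before -> disable keys
    severity = "high" if record["eventName"] in SENSITIVE_EVENTS else "low"
    steps.append("page_oncall" if severity == "high" else "email_tracking")   # Alert
    steps.append("log_encrypted" if severity == "high" else "log_cleartext")  # Logging
    return {"actor": actor, "principal": principal, "severity": severity, "steps": steps}

# Constructed sample record: an IAM user without MFA widening a security group, as in the deck's story.
SAMPLE_RECORD = {
    "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"type": "IAMUser", "userName": "automation-user",
                     "arn": "arn:aws:iam::123456789012:user/automation-user"},
    "sourceIPAddress": "203.0.113.10",
}
```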
Summary
• AWS services support your organization to introduce, maintain, and continuously improve governance processes for AWS resources and their usage.
• Used together they provide continuous transparency into changes, and allow auditing on changes and API interaction.
• Combined with your organization’s existing best practices, processes, and tools you can centrally control and govern your cloud environment without sacrificing the agility and flexibility of the cloud.
• Automate compliance checks to act on violating changes immediately and keep your infrastructure in a compliant state – always log, alert, and follow up with an appropriate process!!