Automated control and transparency in the AWS cloud – autopilot for the compliance of your cloud...

AWS Enterprise Web Day – Automate control and transparency: put compliance checks for your cloud resources on autopilot. Philipp Behre, AWS Solutions Architect, [email protected]

Upload: aws-germany

Post on 08-Feb-2017

TRANSCRIPT

AWS Enterprise Web Day

Automate control and transparency – put compliance checks for your cloud resources on autopilot

Philipp Behre, AWS Solutions Architect

[email protected]

The primary reason businesses are moving so quickly to AWS and the cloud

#1: Agility

• A Culture of Innovation – Experiment Often & Fail Without Risk
• From PoC to Production – create new business opportunities

Project Teams: Agility, Self-service, Time-to-market

Agility can lead to …

A strong IT Services Team enables innovation

IT Service Team: Compliance, Security, Access Management, Auditing, Change Management, Cloud Operations, and many more

Control – Visibility – Compliance, shared between the IT Service Team and the Project Teams

Empower agile teams with standardized self-service

• Create custom services and grant access to developers
• Use a personalized portal to find & launch services

Standardize and automate with AWS CloudFormation

Instruction Manual: creation order? how long do I pause? what errors can I recover from?

Provisioning Script(s): what environment config and utilities does my script depend on? can my script be faster? will this script work again? how do I learn all of the AWS APIs?

Template: Templatize, Version Control, Provision, Replicate, Update

An integrated approach to gain transparency

• Service Catalog (AWS Service Catalog): templates are published; users select & provision; template create/update is validated before the resource stack is provisioned
• Capture audit logs (AWS CloudTrail): captures all API interaction; secures audit data in durable storage (Amazon S3)
• Monitor (AWS CloudWatch): monitors AWS & application; an alarm initiates actions and notifies
• Catalog of resources & changes (AWS Config): monitors every change and notifies

…but how do I stay compliant?

“Agility in the cloud is awesome !!!”

Time-to-market – Lots of changes – Lots of versions

Staying on top can be a challenge

Lots of changes – Compliance, Security, Access Management, Auditing – OK?

Transparent changes

AWS Config: continuous change recording of continuously changing resources – History, Stream, Snapshot (ex. 2015-20-03)

Evidence for compliance

    aws configservice get-resource-config-history \
        --resource-type AWS::EC2::VPC \
        --resource-id vpc-47fa0322 \
        --earlier-time 2015-10-01
    ...

• Many compliance audits require access to the state of your systems at arbitrary times (e.g., PCI, HIPAA)
• A complete inventory of all resources and their configuration attributes is available for any point in time

Analyze your logs!

Change management integration: Option 1 – data pipe into existing CMDB

AWS Account 1, Account 2, Account 3 -> common S3 bucket and common SNS topic -> Adaptor -> CMDB (BMC, HP, custom)

Adaptor is custom software to convert JSON into the CMDB’s format

Change management integration: Option 2 – use in federated form

AWS Account 1, Account 2, Account 3 -> AWS Config API -> one adaptor per account -> CMDB (BMC, HP)

Adaptor is custom software needed to convert JSON into the CMDB’s format
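The two slides above ask for the same two pieces of custom software: something that reads the `get-resource-config-history` output to answer "how was this resource configured at time T, and what changed since?", and an adaptor that turns a configuration item into a CMDB record. The following is an added example (not code from the slides or from AWS) in Python. It assumes the response shape of the AWS CLI call shown earlier (items newest first, `configuration` delivered as a JSON string, capture times either as epoch seconds or ISO 8601 depending on CLI version); the account id, region, timestamps, attribute values and the flat CMDB field names are constructed for the example, and the VPC id is the one from the slide.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `aws configservice get-resource-config-history`
# output: items newest first, `configuration` as a JSON string, capture times as
# epoch seconds. Account id, region, timestamps and attribute values are made up.
SAMPLE_HISTORY = {
    "configurationItems": [
        {
            "version": "1.3", "accountId": "123456789012",
            "configurationItemCaptureTime": 1444262400.0,  # 2015-10-08T00:00:00Z
            "configurationItemStatus": "OK", "configurationStateId": "2",
            "resourceType": "AWS::EC2::VPC", "resourceId": "vpc-47fa0322",
            "awsRegion": "eu-central-1",
            "tags": {"Environment": "prod", "Owner": "platform"},
            "configuration": json.dumps({"cidrBlock": "10.0.0.0/16", "isDefault": False,
                                         "instanceTenancy": "dedicated"}),
        },
        {
            "version": "1.3", "accountId": "123456789012",
            "configurationItemCaptureTime": 1443657600.0,  # 2015-10-01T00:00:00Z
            "configurationItemStatus": "OK", "configurationStateId": "1",
            "resourceType": "AWS::EC2::VPC", "resourceId": "vpc-47fa0322",
            "awsRegion": "eu-central-1",
            "tags": {"Environment": "prod"},
            "configuration": json.dumps({"cidrBlock": "10.0.0.0/16", "isDefault": False,
                                         "instanceTenancy": "default"}),
        },
    ]
}


def parse_time(value):
    """Capture times come as epoch seconds (CLI v1 default) or ISO 8601 strings (CLI v2)."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def parse_items(history):
    """Decode every configuration item and order them oldest first."""
    items = []
    for raw in history.get("configurationItems", []):
        item = dict(raw)
        cfg = raw.get("configuration")
        item["configuration"] = json.loads(cfg) if isinstance(cfg, str) and cfg else (cfg or {})
        item["capturedAt"] = parse_time(raw["configurationItemCaptureTime"])
        items.append(item)
    items.sort(key=lambda i: i["capturedAt"])
    return items


def diff_dicts(old, new):
    """Keys whose value differs, as key -> (old value, new value)."""
    return {k: (old.get(k), new.get(k)) for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


def change_timeline(history):
    """One entry per recorded state with the attribute and tag changes since the previous state."""
    timeline, previous = [], None
    for item in parse_items(history):
        changes = {}
        if previous is not None:
            changes.update({"configuration." + k: v for k, v in
                            diff_dicts(previous["configuration"], item["configuration"]).items()})
            changes.update({"tags." + k: v for k, v in
                            diff_dicts(previous.get("tags", {}), item.get("tags", {})).items()})
        timeline.append({"capturedAt": item["capturedAt"].isoformat(),
                         "stateId": item["configurationStateId"],
                         "status": item["configurationItemStatus"], "changes": changes})
        previous = item
    return timeline


def state_at(history, when):
    """The audit question: which recorded state was in effect at `when`? (None if before the first record)"""
    current = None
    for item in parse_items(history):
        if item["capturedAt"] > when:
            break
        current = item
    return current


def to_cmdb_record(item):
    """Adaptor step: flatten a decoded item into a generic CMDB-style record (field names are assumed)."""
    attributes = {"tag." + k: v for k, v in item.get("tags", {}).items()}
    for key, value in item["configuration"].items():
        attributes[key] = json.dumps(value) if isinstance(value, (dict, list)) else value
    return {"ci_id": item["resourceId"],
            "ci_type": item["resourceType"].replace("AWS::", "").replace("::", "/").lower(),
            "account": item["accountId"], "region": item["awsRegion"],
            "captured_at": item["capturedAt"].isoformat(), "attributes": attributes}


if __name__ == "__main__":
    print(json.dumps(change_timeline(SAMPLE_HISTORY), indent=2))
    print(json.dumps(to_cmdb_record(parse_items(SAMPLE_HISTORY)[-1]), indent=2))
```

Feed it the real CLI output with `json.load(sys.stdin)` in place of `SAMPLE_HISTORY`; the sort step matters because the CLI returns the newest item first, and the timezone-aware parsing is what makes "state at 2015-10-05" comparable across both CLI timestamp formats.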

A cloud-based technology company transforming clinical research for life sciences companies and patients who depend on them.

Diagram: Infrastructure – Changes – Change Log – Regulatory Compliance Engine – Audits

Why not automate again?

Why should I do this

• Compliance: Helps knowing how things are configured…
• “We audit our logs already!” Every minute?
• “We don’t allow changes through IAM policies”: In all accounts/environments?
• “We use a CI/CD to push all changes” Awesome... I'll push the changes using someone else's user account!

Why…again

Implement “Compliance Status” for easy overview
• Use pre-defined checks
• Create extended custom checks
• Fix the issue while checking

Evaluate/remediate changes/events in your account
• Doesn’t replace log analysis (consider Machine Learning FTW)
• Protect against changes made by (un)authorized accounts
• Automatic remediation for critical events
• Do forensics on the fly

Always Log and Alert!

Config Rules

• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes

AWS Lambda ?

A compute service where you don’t have to think about:

• Servers

• Being over/under capacity

• Deployments

• Scaling and fault tolerance

• OS or language updates

• Metrics and logging

…but where you can easily

• Bring your own code… even native libraries

• Run code in parallel

• Create backends, event handlers, and data processing systems

• Never pay for idle!

Transparent changes – Am I still in compliance?

AWS Config: Record changing resources -> Normalize -> Store (History, Snapshot (ex. 2014-11-05)) -> Deliver (Stream) -> APIs -> Rules

Rule R1: TaggedEC2
Rule R2: ProductionVolumesEncrypted
Rule R3: CloudTrail enabled
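Rules R1 and R2 are the kind of custom check the "Author custom rules using AWS Lambda" bullet refers to. What follows is an added example in Python (not code from the slides or from AWS) of one Lambda function that implements both: AWS Config invokes it with an event whose `invokingEvent` carries the changed configuration item, the function decides COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE, and reports the result back with the event's `resultToken`. The rule parameter names (`requiredTags`, `environmentTag`, `productionValue`), the Environment=prod tagging convention, the resource ids and the recording client used in place of boto3 are assumptions made for this example; the `put_evaluations` call and the `ConfigurationItemChangeNotification` event shape are the real AWS Config interface. R3 (CloudTrail enabled) is an account-wide check that needs a scheduled invocation and an API call, so it is only noted in a comment.

```python
import json

# Constructed configuration items in the shape AWS Config passes to a custom rule
# (inside invokingEvent.configurationItem). Ids and tag values are made up.
SAMPLE_INSTANCE = {
    "resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2017-02-08T10:00:00.000Z",
    "tags": {"Name": "web-1", "Owner": "team-web"},
    "configuration": {"instanceType": "t2.micro", "state": {"name": "running"}},
}
SAMPLE_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2017-02-08T10:05:00.000Z",
    "tags": {"Environment": "prod"},
    "configuration": {"size": 100, "encrypted": False, "volumeType": "gp2"},
}


def check_tagged_ec2(item, params):
    """R1 TaggedEC2: the instance carries every tag key named in the (assumed) rule
    parameter requiredTags, a comma-separated list."""
    required = [t.strip() for t in params.get("requiredTags", "").split(",") if t.strip()]
    missing = [t for t in required if t not in item.get("tags", {})]
    if missing:
        return "NON_COMPLIANT", "missing tags: " + ", ".join(missing)
    return "COMPLIANT", "all required tags present"


def check_production_volumes_encrypted(item, params):
    """R2 ProductionVolumesEncrypted: volumes tagged as production (assumed convention
    Environment=prod, overridable via rule parameters) must be encrypted."""
    tag_key = params.get("environmentTag", "Environment")
    prod_value = params.get("productionValue", "prod")
    if item.get("tags", {}).get(tag_key) != prod_value:
        return "NOT_APPLICABLE", "not a production volume"
    if item["configuration"].get("encrypted") is True:
        return "COMPLIANT", "volume is encrypted"
    return "NON_COMPLIANT", "production volume is not encrypted"


# Rule name (as deployed) -> (resource type it applies to, check function).
# R3 "CloudTrail enabled" is account-wide: it would run on a ScheduledNotification
# and call describe_trails; it is left out here so the example stays offline.
RULES = {
    "TaggedEC2": ("AWS::EC2::Instance", check_tagged_ec2),
    "ProductionVolumesEncrypted": ("AWS::EC2::Volume", check_production_volumes_encrypted),
}
DELETED = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def evaluate(event):
    """Build the single evaluation for the configuration item of a change-triggered invocation."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    resource_type, check = RULES[event["configRuleName"]]
    if (event.get("eventLeftScope") or item["resourceType"] != resource_type
            or item.get("configurationItemStatus") in DELETED):
        compliance, note = "NOT_APPLICABLE", "resource out of scope or deleted"
    else:
        compliance, note = check(item, params)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


class RecordingConfigClient:
    """Offline stand-in for boto3's Config client: records put_evaluations calls."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def lambda_handler(event, context, config_client=None):
    """Entry point. Inside Lambda the real client is created; tests inject a recorder."""
    if config_client is None:
        import boto3  # only needed when running inside AWS
        config_client = boto3.client("config")
    evaluation = evaluate(event)
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(rule_name, item, params=None, left_scope=False):
    """Constructed custom-rule invocation event (fields not used here are omitted)."""
    return {"configRuleName": rule_name,
            "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": item}),
            "ruleParameters": json.dumps(params or {}),
            "resultToken": "constructed-result-token", "eventLeftScope": left_scope}


if __name__ == "__main__":
    client = RecordingConfigClient()
    for ev in (make_event("TaggedEC2", SAMPLE_INSTANCE, {"requiredTags": "Owner,CostCenter"}),
               make_event("ProductionVolumesEncrypted", SAMPLE_VOLUME)):
        print(json.dumps(lambda_handler(ev, None, client), indent=2))
```

Two details matter in production: an `eventLeftScope` invocation (the resource no longer matches the rule's scope) and a deleted resource must still be answered, with NOT_APPLICABLE, or the old compliance state lingers on the dashboard; and the Lambda's execution role needs `config:PutEvaluations` for the report-back call.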

Transparent changes – act on them!

An Example …

“I need to access this system now! It can be quick … I will use this user account we use for automation, to change the security group.”

Instance with security group -> security group changed -> AWS Config tracks & monitors -> Rule evaluates -> Invoke -> alert, revise change -> Follow up

Risks

• You can now automatically mess up your approved changes
• No proper alerting and follow-up on automatic events
• Over/under complicated scripts
• No info on desired state
• Race the hacker…automation wars!

Creating a blueprint helps (simplified example)

Continuous / Event based: Config Rules, CloudWatch Events

Is it region specific?

Will the action risk breaking something?
  Yes: Call human
  No: Lambda

Will enabling it add cost?
  Yes: Based on the possible cost limit, call human
  No/Minor: Set rules

Is there a source of truth?
  Config Rules: Check previous state
  • Caution on multiple events
  CWE: Check tag/DDB
  • Have a default value

Action: Revert change based on the above

Forensic: Is it human (or unknown source) or machine (CI/CD)?
  CI/CD: Create ticket (Jira etc.)
  Human: Should we countermeasure/prevent?
    Are they using MFA?
    • No: Add MFA (external Lambda)
    Have they done this before (check DDB)?
    • Yes: Disable account/keys

Alert
  High: SMS/Page
  Low: Email/tracking system

Logging: Is it sensitive?
  Yes: Encrypt (KMS)
  No: Cleartext
  Always: Access control
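The blueprint above, applied to the security-group example from the earlier slide, as an added example in Python (not code from the slides or from AWS): a CloudWatch Events record for an `AuthorizeSecurityGroupIngress` call is compared against a desired state, the source is classified as machine or human, and the blueprint's questions (source of truth present? CI/CD or human? MFA used? done before?) produce a decision record listing what to revert, which alert level to raise and which countermeasures to queue. The approved-ingress table, the CI/CD principal name and deploy network, the security group id, the source addresses and the in-memory dict standing in for the DynamoDB table are all constructed for this example; the event layout (`detail.userIdentity`, `detail.requestParameters.ipPermissions`, `sessionContext.attributes.mfaAuthenticated`) is CloudTrail's. The actual revert (a `revoke_security_group_ingress` call) and the notifications are deliberately left to the caller so the decision logic can be exercised offline.

```python
import ipaddress

# Hypothetical source of truth: approved ingress per security group as
# (protocol, from_port, to_port, cidr). In practice this is a tag or a DynamoDB item.
APPROVED_INGRESS = {
    "sg-0a1b2c3d4e5f6a7b8": {("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "10.0.0.0/8")},
}
# Hypothetical CI/CD identity and the network it deploys from; anything else is
# treated as a human or unknown source, including the CI/CD user from elsewhere.
CICD_PRINCIPALS = {"automation"}
CICD_SOURCE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed CloudWatch Events record for the slide's scenario: the shared
# automation user, from an office address and without MFA, opens SSH to the world.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2", "region": "eu-central-1",
    "detail": {
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "eu-central-1", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "userName": "automation",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f6a7b8",
            "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
}


def requested_ingress(detail):
    """Flatten the ipPermissions structure into the same tuple form as APPROVED_INGRESS."""
    rules = set()
    for perm in detail["requestParameters"]["ipPermissions"]["items"]:
        for rng in perm.get("ipRanges", {}).get("items", []):
            rules.add((perm["ipProtocol"], perm.get("fromPort"), perm.get("toPort"), rng["cidrIp"]))
    return rules


def classify_source(detail):
    """Forensic step: (principal name, 'machine' or 'human', MFA used?)."""
    ident = detail["userIdentity"]
    name = ident.get("userName") or ident.get("arn", "").rsplit("/", 1)[-1]
    try:  # sourceIPAddress can also be a service name such as "AWS Internal"
        ip = ipaddress.ip_address(detail["sourceIPAddress"])
        from_cicd_net = any(ip in net for net in CICD_SOURCE_NETS)
    except ValueError:
        from_cicd_net = False
    kind = "machine" if name in CICD_PRINCIPALS and from_cicd_net else "human"
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") == "true"
    return name, kind, mfa


def decide(event, offense_log):
    """Walk the blueprint for one event. offense_log (dict principal -> count) stands in for DynamoDB."""
    detail = event["detail"]
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return {"action": "ignore"}
    group = detail["requestParameters"]["groupId"]
    approved = APPROVED_INGRESS.get(group)
    requested = requested_ingress(detail)
    unapproved = requested - approved if approved is not None else requested
    name, kind, mfa = classify_source(detail)
    decision = {"group": group, "region": detail.get("awsRegion"), "principal": name,
                "source": kind, "revoke": sorted(unapproved, key=str), "countermeasures": []}
    if not unapproved:
        decision.update(action="none", alert="low")          # change matches the desired state
        return decision
    if approved is None:
        decision.update(action="call_human", alert="high")   # no source of truth: a revert may break something
        return decision
    offense_log[name] = offense_log.get(name, 0) + 1
    if kind == "machine":
        decision.update(action="revert", follow_up="create_ticket", alert="low")
    else:
        if not mfa:
            decision["countermeasures"].append("enforce_mfa")
        if offense_log[name] > 1:                           # "have they done this before?"
            decision["countermeasures"].append("disable_access_keys")
        decision.update(action="revert", follow_up="countermeasure", alert="high")
    # Logging step: the record names a principal, so treat it as sensitive.
    decision["log"] = {"encrypt": True, "access_controlled": True}
    return decision


if __name__ == "__main__":
    log = {}
    for _ in range(2):  # second run shows the repeat-offender branch
        print(decide(SAMPLE_EVENT, log))
```

Note how the "source of truth" question decides between reverting and calling a human: for a group with no approved set the function refuses to act automatically, which is the blueprint's answer to the "automatically mess up your approved changes" risk. Because the same CloudTrail call can arrive more than once (the "caution on multiple events" point), the offense counter should be keyed on the event id in a real deployment rather than incremented per delivery.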

Summary

• AWS services support your organization to introduce, maintain, and continuously improve governance processes for AWS resources and their usage.
• Used together they provide continuous transparency into changes, and allow auditing on changes and API interaction.
• Combined with your organization’s existing best practices, processes, and tools you can centrally control and govern your cloud environment without sacrificing the agility and flexibility of the cloud.
• Automate compliance checks to act on violating changes immediately and keep your infrastructure in a compliant state – always log, alert, and follow up with an appropriate process!

Thank you!