TRANSCRIPT
© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud security for everyone: Multi-account strategy (SEC11)
Byron Pogson, Solutions Architect, Amazon Web Services
Gavin Orlicki, CTO, tic:toc
Alan McLeod, CTO, FYI Docs
Pepper as a Service (the other PaaS)
Our architecture today
Diagram: a single AWS Cloud boundary containing Development, Test, Production, Security Logs, Security Tools and Build Tools.
Improvements
Desired outcomes
• Development: only allow T3 instances
• All accounts: prevent logging from being disabled
First steps
Diagram: a Master account running AWS Organizations and AWS Identity and Access Management, with Service Control Policies over the member accounts Legacy, Development, Test, Production, Security logs, Security tools and Build tools. Users sign in through AWS Single Sign-On.
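The two desired outcomes listed above are exactly what the Service Control Policies in the First steps diagram are for. The block below is an added example, not code from the deck or from the presenters: it writes the two SCPs as JSON documents and includes a minimal evaluator for the Deny-with-condition logic they use, so that the one real pitfall in the T3 policy (the `ec2:InstanceType` key is only present for the instance resource, and a negated operator is satisfied when the key is absent) can be seen rather than described. OU placement, the region and the account ID are assumptions.

```python
"""Service control policies (SCPs) for the two desired outcomes on the slides
(Development OU: T3 instances only; every account: logging cannot be turned
off), plus a minimal evaluator for the Deny/Condition logic these policies use.
Added example, not from the deck. OU placement, account IDs and ARNs are
assumptions."""
import copy
import fnmatch
import json

# Attach to the Development OU: deny launching anything that is not a T3 type.
# Resource is deliberately the instance ARN, not "*" (see run_instances_denied).
DEV_T3_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNonT3Instances",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotLike": {"ec2:InstanceType": "t3.*"}},
    }],
}

# The tempting but broken variant, kept only to demonstrate the pitfall.
DEV_T3_ONLY_BROKEN = copy.deepcopy(DEV_T3_ONLY)
DEV_T3_ONLY_BROKEN["Statement"][0]["Resource"] = "*"

# Attach at the organization root: member accounts cannot stop, delete or
# reconfigure trails, or disable GuardDuty. SCPs never bind the master account,
# so an organization trail owned there remains manageable.
PROTECT_LOGGING = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDisablingLogging",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "cloudtrail:UpdateTrail",
            "guardduty:DeleteDetector",
            "guardduty:UpdateDetector",
            "guardduty:DisassociateFromMasterAccount",
        ],
        "Resource": "*",
    }],
}


def _matches(pattern, value):
    # IAM wildcards are * and ?, which fnmatch handles; no character classes here.
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond, ctx):
    """Only StringLike / StringNotLike are modelled. As in IAM, a negated
    operator is satisfied when the key is absent from the request context."""
    for op, pairs in cond.items():
        for key, pat in pairs.items():
            present = key in ctx
            if op == "StringLike" and not (present and _matches(pat, ctx[key])):
                return False
            if op == "StringNotLike" and present and _matches(pat, ctx[key]):
                return False
            if op not in ("StringLike", "StringNotLike"):
                raise ValueError(f"unsupported operator {op}")
    return True


def scp_denies(policy, action, resource, ctx=None):
    """True if an explicit Deny in the SCP matches this action/resource/context.
    Allow statements are ignored: here SCPs are only used to bound permissions."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), ctx):
            return True
    return False


def run_instances_denied(policy, instance_type):
    """RunInstances is evaluated once per resource it creates, and
    ec2:InstanceType is only in the context for the instance resource."""
    acct = "arn:aws:ec2:ap-southeast-2:111122223333:"  # assumed region/account
    requests = [
        (acct + "instance/i-0abc123", {"ec2:InstanceType": instance_type}),
        (acct + "volume/vol-0abc123", {}),
        (acct + "network-interface/eni-0abc123", {}),
    ]
    return any(scp_denies(policy, "ec2:RunInstances", r, c) for r, c in requests)


if __name__ == "__main__":
    print(json.dumps(DEV_T3_ONLY, indent=2))
    print(json.dumps(PROTECT_LOGGING, indent=2))
    for pol, name in ((DEV_T3_ONLY, "scoped"), (DEV_T3_ONLY_BROKEN, "Resource *")):
        for itype in ("t3.micro", "m5.large"):
            print(f"{name}: RunInstances {itype} denied = "
                  f"{run_instances_denied(pol, itype)}")
```

With the scoped policy a t3.micro launch is allowed and an m5.large is denied; with the `Resource: "*"` variant even t3.micro is denied, because the volume and network interface have no `ec2:InstanceType` in their request context and `StringNotLike` then holds. Two caveats the slides do not spell out: SCPs do not apply to the master account, so attach `PROTECT_LOGGING` at the root and keep day-to-day users out of that account; and an SCP cannot stop someone in the Security Logs account from deleting the log bucket itself, which needs a bucket policy (or Object Lock) there.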
Desired outcomes: Security account
Diagram: a Security Logs account that centralises AWS CloudTrail, Amazon GuardDuty and AWS Security Hub, alongside the Legacy, Development, Test, Production and Build Tools accounts and the Master account (AWS Organizations, AWS Identity and Access Management, AWS Single Sign-On).
Desired outcomes: Shared accounts
Diagram: shared Build tools and Security tools accounts used by the Developer, Security and Operations roles, next to the Legacy, Development, Test and Production accounts; the Master account (AWS Organizations, AWS Identity and Access Management, AWS Single Sign-On) and the Security Logs account (AWS CloudTrail, Amazon GuardDuty, AWS Security Hub).
Desired outcomes: Workload accounts
Diagram: the Developer, Operations and Security roles accessing two sets of Development, Test and Production workload accounts, with the shared Build tools and Security tools accounts, the Master account (AWS Organizations, AWS Identity and Access Management, AWS Single Sign-On) and the Security Logs account (AWS CloudTrail, Amazon GuardDuty, AWS Security Hub).
Desired outcomes: Baselines
Diagram: a Security Baseline applied to each New account, giving it Security roles and AWS Security Hub, alongside the Master account (AWS Organizations, AWS Identity and Access Management, AWS Single Sign-On) and the Security Logs account (AWS CloudTrail, Amazon GuardDuty, AWS Security Hub).
Starting from scratch (SEC11)
Gavin Orlicki, CTO, tic:toc
A Fintech that delivers financial SaaS products to help lending organisations better service their customers with smarter and faster financial validation.
Project team consisting of 12 members across 2 squads:
• 8 developers
• 4 testers
• Enterprise architect
Existing architecture:
Application architecture: AWS Lambda, Amazon API Gateway, AWS WAF, Amazon Simple Storage Service, Amazon DynamoDB, Amazon RDS, Amazon Cognito, Amazon CloudFront.
Account structure: a Master account (AWS Organizations, AWS Identity and Access Management); Security Logs (AWS CloudTrail, Amazon GuardDuty, AWS Security Hub); Build tools; Shared services; the workload accounts XAI - Dev, XAI - UAT, XAI - Stage and XAI - Prod; Dev/Test Analytics and Prod Analytics; and a Bunker account.
Migrating from a single account (SEC11)
Alan McLeod, CTO, FYI Docs, @alanmcleod
The world's most automated document management platform
• Document Automation
• Email management
• CRM
• Document Workflow
• Search and retrieval
• Task management
• Job management
• Client collaboration
• Process automation
FYI Docs – previous architecture
Diagram: a single AWS account holding Development, Pre-Prod and Production side by side, with AWS Identity and Access Management, Security Logs (AWS CloudTrail, Amazon GuardDuty), Build tools and Amazon Simple Email Service.
FYI Docs – multi-account strategy
Diagram: a Master account (AWS Organizations, AWS Identity and Access Management); Security Logs (AWS CloudTrail, Amazon GuardDuty); Build tools; Shared services; separate Development, Pre-prod and Production accounts; the original (legacy) Development account; and Amazon Simple Email Service.
Possible future accounts
Approaches
AWS Control Tower vs build your own with AWS CloudFormation, AWS Organizations, AWS Identity and Access Management and AWS Security Hub
Thank you!
Byron Pogson – [email protected], @BrainwaveFactor
Gavin Orlicki
Alan McLeod – [email protected], @alanmcleod