DEV OPS - Squirro

Page 1
DEV OPS

Page 2
Security Automation on AWS
@MargoCronin, Senior Solutions Architect, Amazon Web Services
Page 3
DEV OPS + Sec
Page 4
AWS Pace of Innovation
(chart: launches per year; 2010: 61, 2012: 159, 2014: 516, 2017: 1430)
1,430 new features/services launched in 2017
Page 5
Deployments at amazon.com
Pages 6-7
Terminology Disclaimer
import re
re.search(r'([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged\s[Dd]ev)[Oo]ps', term)  # term: whichever of the labels is in use; all of them match
= Security automation at scale
Page 8
A fundamental principle of DevOps is automation!
People make mistakes
People bend the rules
People act with malice
Machines still don't
Page 9
4 steps to enable Security automation at scale
Page 10
Step 1 Establish your level of Trust
Page 11
Step 1 Establish your level of Trust…. Select & configure your tools based on your level of Trust
TRUST scale (0 … 100?):
- AWS KMS, AWS Managed Keys
- AWS Secrets Manager
- AWS Key Management Service, Customer Managed Keys
- AWS CloudHSM, Customer Managed Keys, Hardware Security Module
Page 12
TRUST: 0
Deploy Kubernetes Natively. You manage:
- Etcd
- Worker nodes
- Masters
Page 13
TRUST
Elastic Kubernetes Service
- Kubernetes endpoint
- Managed master nodes
- Native integration with AWS
Page 14
Photo by Jp Valery on Unsplash
Page 15
TRUST
Elastic Kubernetes Service
- API endpoint authentication
- Etcd volumes encrypted
Page 16
TRUST scale: More to Automate → More Automated
But no matter where you are on the trust scale, plan to integrate security automation
Page 17
Step 2 Security by Design
Page 18
What to Expect from the Session
Security Ownership
Page 19
Security Epics
- Identity & Access Mgt
- Config & Vulnerability Analysis
- Incident Response
- Infrastructure Security
- Logging & Monitoring
- Data Protection
- Secure CI/CD
Page 20
Privacy by Design
- Every member of your team is a security owner
- Decompose Epics to functional stories
- Create security related acceptance criteria
- Same CI/CD pipeline to roll out security features
Page 21
Step 3 What are you securing?
Pages 22-23
Step 3 What are you securing
1. Security of the CI/CD Pipeline
• Access roles
• Hardening build servers/nodes
2. Security in the CI/CD Pipeline
• Artifact validation
• Static code analysis
Page 24
CI/CD for DevOps (pipeline diagram)
Stages: Version Control → CI Server → Package Builder → Artifact Repo → Deploy Server → Test Env / Staging Env / Prod Env
- Dev commits to Git/master; the CI Server gets/pulls the code
- Distributed builds, run tests in parallel; send build report to Dev; stop everything if build failed
- Package Builder creates images and pushes them to the Artifact Repo
- Deploy Server installs config and generates deployment templates for infrastructure; Test Env holds Code, Config, Tests
Page 25
CI/CD for DevSecOps (the Page 24 pipeline with security controls added)
Stages: Version Control → CI Server → Package Builder → Promote Process → Test Env / Staging Env / Prod Env
Controls added: block creds from git; log for audit; scan hook; continuous scan; audit/validate; config checksum; send build report to Security; stop everything if audit/validation failed; deployment templates for infrastructure
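Two of the controls above, "block creds from git" and the artifact validation / config checksum gate, as an added worked example (this is not code from the deck or from AWS). It assumes a unified diff as the pre-commit or CI input, a JSON manifest carrying per-artifact SHA-256 digests plus an HMAC tag, and a signing key that the build stage receives from a secret store rather than from the repository. The sample commit uses the example credential values from AWS documentation, and the artifacts and key are constructed.

```python
"""Two pipeline gates: refuse commits that add AWS credentials, and refuse to
promote artifacts whose checksums do not match the signed build manifest.
Added example; patterns, manifest layout and sample data are assumptions."""
import hashlib
import hmac
import re

# Assumed heuristics: AWS access key IDs are 20 chars starting with AKIA or ASIA;
# a secret access key is 40 base64-like chars and is only flagged next to a key-like name.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_credentials(diff_text):
    """Return (path, new_line_no, kind) for each added line that looks like an AWS credential.
    Only '+' lines are inspected: deleting a leaked secret must stay allowed."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed lines and the '---' header do not advance new-file numbering
        line_no += 1  # context and added lines both exist in the new file
        if not raw.startswith("+"):
            continue
        body = raw[1:]
        if ACCESS_KEY_RE.search(body):
            findings.append((path, line_no, "aws_access_key_id"))
        if SECRET_KEY_RE.search(body):
            findings.append((path, line_no, "aws_secret_access_key"))
    return findings


def commit_allowed(diff_text):
    """Gate 1: the hook exits non-zero (here: returns False) on any finding."""
    return find_credentials(diff_text) == []


def _canonical(digests):
    return "\n".join(f"{n} {d}" for n, d in sorted(digests.items())).encode()


def build_manifest(artifacts, signing_key):
    """Build stage: SHA-256 per artifact plus an HMAC tag over the sorted list,
    so the promote stage can tell a tampered manifest from the genuine one."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}
    tag = hmac.new(signing_key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_artifacts(artifacts, manifest, signing_key):
    """Gate 2: (ok, reason). Fails closed on a bad tag, an added/missing file or a digest mismatch."""
    expected = hmac.new(signing_key, _canonical(manifest["digests"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest tag mismatch"
    if set(artifacts) != set(manifest["digests"]):
        return False, "artifact set differs from manifest"
    for name, data in artifacts.items():
        if hashlib.sha256(data).hexdigest() != manifest["digests"][name]:
            return False, f"checksum mismatch: {name}"
    return True, "ok"


# Constructed sample commit; the key values are the example credentials from AWS documentation.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 REGION = "eu-west-1"
-AWS_ACCESS_KEY_ID = "REPLACE_ME"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 BUCKET = "logs"
"""

# Constructed build output and a signing key that in a real pipeline comes from a secret store.
SAMPLE_ARTIFACTS = {"app.tar.gz": b"\x1f\x8b-not-really-a-tarball", "config.yaml": b"region: eu-west-1\n"}
SIGNING_KEY = b"assumed-build-signing-key"

if __name__ == "__main__":
    for path, line, kind in find_credentials(SAMPLE_DIFF):
        print(f"BLOCK {path}:{line} {kind}")
    manifest = build_manifest(SAMPLE_ARTIFACTS, SIGNING_KEY)
    print(verify_artifacts(SAMPLE_ARTIFACTS, manifest, SIGNING_KEY))
```

Both gates fail closed: a finding in any added line stops the commit, and the promote stage refuses on a bad tag before it even looks at the digests, so a manifest edited in the artifact repo is caught as well as a swapped artifact.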
Page 26
Infrastructure as Code
Write, Version, Store, Deploy your Infrastructure as Code
- AWS CloudFormation
- Terraform
Mean Time To Recover
Immutable infrastructure
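Page 20's "security related acceptance criteria" and Page 25's "audit/validate" of the deployment templates, combined into one added example (not the deck's code): a CloudFormation template in JSON is audited against three assumed criteria before the promote step (no public S3 ACL and encryption at rest configured, no ingress open to the world, no IAM policy allowing `*` on `*`). The resource names, both sample templates and the choice of rules are constructed for the example.

```python
"""Security acceptance criteria as an automated audit of a CloudFormation
template, run before the promote stage. Added example: the three rules, the
resource names and both sample templates are assumptions, not deck content."""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_s3_bucket(name, props):
    findings = []
    if props.get("AccessControl") in {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}:
        findings.append(f"{name}: public ACL {props['AccessControl']}")
    if "BucketEncryption" not in props:
        findings.append(f"{name}: no BucketEncryption configured")
    return findings


def check_security_group(name, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr in {"0.0.0.0/0", "::/0"}:
            findings.append(
                f"{name}: ingress {rule.get('IpProtocol')} "
                f"{rule.get('FromPort')}-{rule.get('ToPort')} open to {cidr}"
            )
    return findings


def check_iam_role(name, props):
    findings = []
    for policy in props.get("Policies", []):
        for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
                findings.append(f"{name}: policy {policy.get('PolicyName')} allows Action * on Resource *")
    return findings


CHECKS = {
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::IAM::Role": check_iam_role,
}


def audit_template(template):
    """One finding string per violated criterion; an empty list means the template may be promoted."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is not None:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


def template_allowed(template):
    return audit_template(template) == []


# Constructed sample: a template as a developer might first commit it.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "ssh",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {
      "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
      "Policies": [{"PolicyName": "everything", "PolicyDocument": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}
  }
}""")

# The same template after the acceptance criteria have been met.
HARDENED_TEMPLATE = json.loads("""{
  "Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "AccessControl": "Private",
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "ssh from the bastion subnet only",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.1.0/24"}]}},
    "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {
      "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
      "Policies": [{"PolicyName": "deploy", "PolicyDocument": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::deploy-artifacts/*"}]}}]}}
  }
}""")

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print("FAIL", finding)
    print("hardened template allowed:", template_allowed(HARDENED_TEMPLATE))
```

The same script runs as the "audit/validate" step against every template the pipeline is about to deploy, which is what makes the criteria acceptance tests rather than review comments: a failing finding stops the promotion the same way a failing unit test does.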
Page 27
Step 4 Automate Responses
Pages 28-31 (build): Long Love → Log Love → Event Log Love → Log Love
Page 32
What are you doing based on your logs?
Page 33
Putting it all together (architecture diagram)
Components: a user and a role calling the AWS API in the AWS cloud; AWS CloudTrail writing to a bucket; Amazon CloudWatch; AWS Lambda; Amazon Simple Notification Service; your security team; your SaaS tools
Page 34
Use logging services to prevent as well as protect (diagram, steps 1-4)
Request path: Malicious IPs, Amazon CloudFront, AWS WAF, Elastic Load Balancing, Web Servers
Detection and response: bucket, Amazon CloudWatch, AWS Lambda (stack), your security team
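The response half of the Page 34 diagram as an added example, not the deck's or AWS's code: a Lambda-shaped handler reads web access logs, finds sources that keep producing 4xx responses, and adds them to an AWS WAF IP set. Assumptions: a simplified one-line-per-request log format, a threshold of five 4xx responses inside any five-minute window, an internal allow list, and the IP-set name and id; the two boto3 `wafv2` calls it would make (`get_ip_set`, `update_ip_set`) are represented by an in-memory stand-in with the same parameters so the logic runs offline, and the base64+gzip unwrapping of a real CloudWatch Logs event is left out. The log lines are constructed.

```python
"""Automated response for Step 4: a Lambda-shaped handler that turns web access
logs into an AWS WAF IP-set update. Added example, not the deck's or AWS's code.
Log format, threshold, allow list and IP-set identifiers are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress
import re

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<status>\d{3}) "(?P<request>[^"]*)"$')
THRESHOLD = 5                    # this many 4xx responses ...
WINDOW = timedelta(minutes=5)    # ... inside any window this long
ALLOW_LIST = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal scanners and monitors


def parse(log_text):
    """(timestamp, ip, status) per well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], int(m["status"])))
    return events


def offenders(events, threshold=THRESHOLD, window=WINDOW):
    """ip -> total 4xx count for every non-allow-listed source that produced
    `threshold` or more 4xx responses inside one sliding `window`."""
    by_ip = defaultdict(list)
    for ts, ip, status in events:
        if 400 <= status < 500:
            by_ip[ip].append(ts)
    blocked = {}
    for ip, times in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ALLOW_LIST):
            continue  # never auto-block your own monitoring: that is a self-inflicted outage
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                blocked[ip] = len(times)
                break
    return blocked


def to_cidrs(ips):
    """WAF IP sets hold CIDRs, so a single host is /32 (IPv4) or /128 (IPv6)."""
    return sorted(f"{ip}/{128 if ipaddress.ip_address(ip).version == 6 else 32}" for ip in ips)


class DryRunWaf:
    """In-memory stand-in for boto3's wafv2 client, exposing the two calls the handler
    makes with the same keyword parameters (Name, Scope, Id, Addresses, LockToken)."""
    def __init__(self, addresses=()):
        self.addresses = list(addresses)

    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Addresses": list(self.addresses)}, "LockToken": "dry-run-token"}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        self.addresses = list(Addresses)
        return {"NextLockToken": "dry-run-token-2"}


def handler(log_text, waf_client, ip_set_name="auto-block", ip_set_id="assumed-ip-set-id", scope="REGIONAL"):
    """Merge new offenders into the existing IP set (never overwrite: earlier blocks must
    survive) and return a summary the caller can forward to SNS for the security team."""
    blocked = offenders(parse(log_text))
    current = waf_client.get_ip_set(Name=ip_set_name, Scope=scope, Id=ip_set_id)
    merged = sorted(set(current["IPSet"]["Addresses"]) | set(to_cidrs(blocked)))
    if merged != sorted(current["IPSet"]["Addresses"]):
        waf_client.update_ip_set(Name=ip_set_name, Scope=scope, Id=ip_set_id,
                                 Addresses=merged, LockToken=current["LockToken"])
    return {"new_blocks": to_cidrs(blocked), "counts": blocked, "ip_set_size": len(merged)}


# Constructed sample: one scanner probing for admin pages, an internal monitor hitting a
# removed endpoint (allow-listed), an ordinary visitor, and one malformed line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 404 "GET /wp-login.php HTTP/1.1"
2024-05-01T10:00:02Z 198.51.100.7 404 "GET /.env HTTP/1.1"
2024-05-01T10:00:02Z 203.0.113.5 200 "GET / HTTP/1.1"
2024-05-01T10:00:03Z 198.51.100.7 403 "GET /admin HTTP/1.1"
2024-05-01T10:00:04Z 198.51.100.7 404 "GET /phpmyadmin/ HTTP/1.1"
2024-05-01T10:00:05Z 203.0.113.5 404 "GET /favicon.ico HTTP/1.1"
2024-05-01T10:00:06Z 198.51.100.7 404 "GET /xmlrpc.php HTTP/1.1"
2024-05-01T10:00:07Z 10.0.0.12 404 "GET /healthz-old HTTP/1.1"
2024-05-01T10:00:08Z 10.0.0.12 404 "GET /healthz-old HTTP/1.1"
2024-05-01T10:00:09Z 10.0.0.12 404 "GET /healthz-old HTTP/1.1"
2024-05-01T10:00:10Z 10.0.0.12 404 "GET /healthz-old HTTP/1.1"
2024-05-01T10:00:11Z 10.0.0.12 404 "GET /healthz-old HTTP/1.1"
2024-05-01T10:09:00Z 198.51.100.7 200 "GET / HTTP/1.1"
not a log line
"""

if __name__ == "__main__":
    waf = DryRunWaf(["192.0.2.9/32"])
    print(handler(SAMPLE_LOG, waf))
    print("IP set now:", waf.addresses)
```

To wire it up for real, replace `DryRunWaf` with `boto3.client("wafv2")` and pass the IP set's actual name, id and scope; the `LockToken` round-trip is what makes the update safe when two invocations overlap, and the allow list is the caveat that keeps an automated responder from blocking its own monitoring.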
Page 35
Ubiquitous logging: Log flow
- Raw logs from Amazon EC2 instances and AWS CloudTrail: write to Amazon S3
- Parse in Amazon EMR and upload to Amazon Redshift
- Analyze with standard BI tools
- Archive to Amazon Glacier
- Permissions
Encrypted end to end!
Page 36
Ubiquitous logging: What are we looking for?
• Unused permissions
• Overuse of privileged accounts
• Usage of keys
• Anomalous logins
• Policy violations
• System abuse….
• Collect data once, many use cases
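The first four questions on this page, answered over AWS CloudTrail records in the "collect data once, many use cases" shape: one parsed record set, several detections. This is an added example rather than deck code. The field names (`eventSource`, `eventName`, `userIdentity`, `sourceIPAddress`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) follow the CloudTrail record format; the records, account id, principals and the `GRANTED` action set that stands in for the deploy role's policy are constructed.

```python
"""Four detections over CloudTrail records: unused permissions, overuse of the
root account, keys used from several addresses, console logins without MFA.
Added example, not deck code; records and the granted action set are constructed."""
from collections import defaultdict


def action_of(record):
    """CloudTrail gives eventSource 's3.amazonaws.com' + eventName 'PutObject'; IAM spells it 's3:PutObject'."""
    return f"{record['eventSource'].split('.')[0]}:{record['eventName']}"


def principal_of(record):
    """Role name for assumed-role sessions, user name for IAM users, 'root' for the root account."""
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        return "root"
    if identity.get("type") == "AssumedRole":
        return identity["arn"].split("assumed-role/")[1].split("/")[0]
    return identity.get("userName", identity.get("arn", "unknown"))


def console_logins_without_mfa(records):
    """Anomalous logins: successful console sign-ins that did not present MFA."""
    return [
        (principal_of(r), r["sourceIPAddress"])
        for r in records
        if r["eventName"] == "ConsoleLogin"
        and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
        and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"
    ]


def privileged_account_usage(records):
    """Overuse of privileged accounts: every API call made as root, by action."""
    counts = defaultdict(int)
    for r in records:
        if r.get("userIdentity", {}).get("type") == "Root":
            counts[action_of(r)] += 1
    return dict(counts)


def unused_permissions(records, granted):
    """Unused permissions: granted actions a principal never exercised in the period
    (the same idea as IAM Access Advisor, computed from the trail)."""
    used = defaultdict(set)
    for r in records:
        used[principal_of(r)].add(action_of(r))
    return {p: sorted(actions - used[p]) for p, actions in granted.items()}


def keys_used_from_multiple_ips(records):
    """Usage of keys: a key seen from more than one source address deserves a look
    (a shared key, or one that has leaked)."""
    seen = defaultdict(set)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key:
            seen[key].add(r["sourceIPAddress"])
    return {k: sorted(ips) for k, ips in seen.items() if len(ips) > 1}


def report(records, granted):
    return {
        "logins_without_mfa": console_logins_without_mfa(records),
        "root_activity": privileged_account_usage(records),
        "unused_permissions": unused_permissions(records, granted),
        "keys_from_multiple_ips": keys_used_from_multiple_ips(records),
    }


# Constructed CloudTrail records (only the fields the detections read).
ACCOUNT = "123456789012"
ROOT = {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"}
ALICE = {"type": "IAMUser", "userName": "alice", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}
BOB = {"type": "IAMUser", "userName": "bob", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob",
       "accessKeyId": "AKIAEXAMPLEBOB000001"}
DEPLOY = {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/deploy-role/ci",
          "accessKeyId": "ASIAEXAMPLECI0000001"}

SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": ALICE, "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": ROOT, "sourceIPAddress": "198.51.100.23",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": ROOT, "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": DEPLOY, "sourceIPAddress": "10.0.5.4"},
    {"eventTime": "2024-05-01T09:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": DEPLOY, "sourceIPAddress": "10.0.5.4"},
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": BOB, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T23:30:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": BOB, "sourceIPAddress": "192.0.2.77"},
]

# What the deploy role's policy grants (constructed), to compare with what the trail shows it used.
GRANTED = {"deploy-role": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "iam:PassRole"}}

if __name__ == "__main__":
    for name, result in report(SAMPLE_RECORDS, GRANTED).items():
        print(name, result)
```

On the sample trail the report shows a root console login without MFA followed by a root `iam:CreateUser`, two granted actions the deploy role never used and could be removed, and bob's long-lived key used from two different addresses. In the Page 33/34 architecture the same functions run inside the Lambda that CloudWatch triggers, with CloudTrail records as the input and SNS to the security team as the output.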
Page 37
4 Steps to enable security automation at scale
- Establish your level of Trust
- Security by Design
- Security of and in the CI/CD pipeline
- Automated Responses
Page 38
KEY TAKEAWAYS
Automation doesn’t sleep, eat, or need coffee in the morning
Security is not an “afterthought”
Automate security at cloud scale