A DoD organization had unique challenges developing and deploying applications in multiple security domains (running workloads across AWS commercial regions, the Secret Region and C2S), which is a common pattern in the DoD. Over the last year, they have reorganized their technical team comprised of military service members, government employees and contractors to adopt the DevOps approach to software development. Developers and infrastructure teams are now closely aligned using agile methods including weekly sprints and daily standup meetings. They have embraced containerization and Kubernetes, as well as AWS native automation capabilities and partner tools, which enables them to develop and deploy across AWS commercial, Secret and C2S regions. They have a unique and time-sensitive application and mission requirements that required quick, iterative code releases. These methods and tool sets are somewhat unique in the DoD and they have acted as a pathfinder for adoption by the broader community.

1. P U B L I C S E C T O R
S U M M I T
WASH INGTON DC

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
AWS Secret Region: Lessons
Learned Around DevSecOps
Tyler Haley
Cloud Service Provider Lead
USSOCOM
2 9 5 5 0 7

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Agenda
Intro and Overview
Our Journey To DevSecOps
Pipeline and Cloud Deployment
Lessons Learned
Q&A

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
“Who Dares, Wins.”
Sir David Stirling
British SAS Founder

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Team Overview
Cloud Service
Provider (CSP)
Platform CI/CD Internet Service
Provider (ISP)
Cross Domain
Solution (CDS)
Enterprise Logging
& Monitoring

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
What tools do we use?

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Our Journey to DevSecOps
Automation of Everything
Infrastructure as Code (IaC)
Infrastructure Provisioning (CloudFormation and Terraform)
Configuration Management (Ansible)
Container/Service Deployments (Helm)
AMI and Docker Image Creation
Service Reliability and Monitoring
Security from the Start
Policy As Code (HashiCorp Sentinel)
Pipeline Focused Software and Infrastructure Development

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Infrastructure as Code (IaC)
• Reusability, Reliability, and Convertibility
• How do you write code that works in IL2 and IL6?
• Single Source of Truth
• Source Control is your Development, Staging, and Production Environment
• Complimenting Tech Stack
• Selecting automation tools that enables you to leverage each other.
• Tools that are API driven

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Secret AWS Cloud

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Secret Region: The Hoops and Hurdles
• Initial Architecture Restrictions
• Region & Availability Zone Limitations
• Identity Access Management Federation & Multi-Factor Authentication
• Marketplace
• Temporary Absence of AWS Core Services like:
Amazon Route 53Amazon API GatewayAWS Lambda AWS Certificate Manager AWS OrganizationsAWS Storage Gateway

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Secret Region: The Hoops and Hurdles (Cont.)
• Unable to reuse 50% of our Deployment Code
• Cloud Native Services vs Open Source or Partner Tooling
• Quick Adoption is harder when you don’t have managed services like
• EKS
• Route 53
• ACM
• EFS
• CDN

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Lesson #1: Start Small
20/80 Rule
20% Planning – 80% Execution
Find Early Customer
Pick a Service Team and Application Team
Test Common Vendor Tools
Container Orchestration, Infrastructure Provisioners, Governance Enforcement

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Lesson #2: Initial Cloud Deployment
Identify Key Cloud Deployment Tooling Early On
Ensure your tools work
Technology on Internet (OSS or 1st Party) takes refactoring
Talk with Vendors
On-Premise Storage Provider, Networking, Cyber Security
Ensure you keep DevOps fundamentals at the core
Don’t sacrifice proper procedure in lack of tools/services

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Lesson #3: Use S3
Support Applications with S3 Backends
Applications that natively support S3 gives you
flexibility
Data Recovery and Storage Options
Design applications that leverage S3
Capabilities
Static Website Hosting
Amazon Simple
Storage Service
(S3)

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Lesson #4: Bring in Cyber
Keep Cyber Teams Involved
Help Educate
Encourage/Invite to Architecture
Meetings
Traditional Security Models vs Cloud
Models
Leverage Cloud Native Security Services
Governance at Speed
Amazon CloudWatch AWS CloudTrail AWS Config AWS WAFAWS Key
Management
Service

16. Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Tyler Haley
haleyts@jdi.socom.mil

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T