Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS Summit

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT CLOUD AUTOMATION DRIVERS Agility, DevSecOps, Multi-cloud Palo Alto Networks Automation Capabilities Cloud Security Automation Stack Applying Cloud Security Automation Composable Automation Eco-system Distributable Security Cloud Adoption and Benefits

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT NEED FOR AUTOMATION • Rapidly deploy new applications: Dev 🡪 Test 🡪 Prod • Improve security, increase agility, reduce effort to achieve business goals • Inject security into DevOps 🡪 DevSecOps App Network Security Infrastructur e as Code Securit y as Code Ansible AWS CloudFormation Templates Terraform Provider for AWS Terraform Provider for PAN-OS Infrastructure & Ongoing Configuration “as code” Key Stakeholder Involvement Accelerate Adoption Automation

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT ACCELERATE SECURE CLOUD DEPLOYMENTS Quick Reproducible Repeatable Scalable Deploy in minutes app1 app2 app3 Region1 Region2

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT CLOUD SECURITY AUTOMATION STACK Infrastructure Build-Out Terraform Cloud Templates (Infrastructure as Code) Security Layer Terraform Provider (PAN-OS) (Security as Code) Operations Terraform Integration (Automated Incident Response) Repeatable, Consistent, Agile, and Secure Other public clouds

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT INFRASTRUCTURE AS CODE: BUILD THE ENVIRONMENT Manual Process: slow, delayed and extended rollouts Infrastructure as Code: deployed in minutes, highly reproducible, agile Region 1 Region 2 Region 1 Untrust Security group VP C Untrust Security group VP C Trust Security group VP C Trust Security group VP C Untrust Security group VP C Untrust Security group VP C Trust Security group VP C Trust Security group VP C Untrust Security group VP C Untrust Security group VP C Trust Security group VP C Trust Security group VP C

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT INFRASTRUCTURE AS CODE: FIREWALL HUB WITH ALB’S • Fully automated • Blueprint developed and pushed out company wide • Huge cost savings • VM-Series natively integrated with cloud capabilities • Next: Automate build out of LOB (Line of Business) applications Application Load Balancer Application Load Balancer Ingress Ingress Ingress Ingress Ingress Application Load Balancer Application Load Balancer Ingress Ingress Ingress Ingress Ingress Application Load Balancer

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT SECURITY AS CODE: INTEGRATE LOB WITH FIREWALL HUB • Automate the creation of private link tunnels • Automate deployment of NAT and Security policies • Seamless integration: App + Security = business objectives • We can do more! • Next: Feed threat intel to VM- Series to block attacks from new sources. VPN Connection PrivateLink PrivateLink Application Load Balancer Application Load Balancer Ingress Ingress Ingress Ingress Ingress Application Load Balancer Application Load Balancer Ingress Ingress Ingress Ingress Ingress Application Load Balancer Network Load Balancer Network Load Balancer VPN GW VPN Connection PrivateLink PrivateLink Network Load Balancer Network Load Balancer VPN GW

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT OPS AS CODE: AMAZON GUARDDUTY INTEGRATION 1) Amazon GuardDuty sends security alerts to AWS CloudWatch Malicious IP address 2) Amazon CloudWatch event triggers a Lambda function Policy: Drop Session 4) DAG’s used in security policy to drop matching sessions. Dynamic Address Group 3) Register the malicious IP to a Dynamic Address Group (DAG) using the XML API. Amazon CloudWatch Lambda Function Amazon GuardDuty Untrust Security group VPC Untrust Security group VPC

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT SUMMARY & KEY TAKEAWAYS • Framework developed with real world use case and workflows • Collaboration based on inputs from customers and cloud providers • Readily available templates • Easy to adopt and use • Highly composable • Well defined integration pointsPalo Alto Networks VM-Series Infrastructure Templates Composable Cloud Security Cloud Success with Security Cloud Native Templates Cloud Native Tunnels Automation with Terraform Security Provider devsecops Extensible Foundation Pillars Beams Cupola

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT DEMO: CLOUD SECURITY AT THE SPEED OF DEVOPS Firewall admin (Sec Team) Developer (App Team) 1. Push new app 3. Commit app security policy 4. Poll and pull changes 5. Push VM-Series policy using PAN-OS Terraform provider AWS CodeDeploy Repeat / Refine / Update 2. Deploy app 0. Infrastructure as code using Terraform templates web app root volume data volume Availability zone 1 Security group Auto Scaling group Security group

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT Thank you! SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Speaker Name Contact information

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMITSUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Please complete the session survey. !

Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS Summit

Esté a ler uma amostra.

Confira estes a seguir

Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS Summit

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS Summit (20)

Mais de Amazon Web Services (20)