
Using automation to drive continuous-compliance best practices - SEC208 - New York AWS Summit



Northwestern Mutual’s technology teams maintain a complex compliance environment for a diverse set of developers working within more than 100 AWS accounts. To drive best practices and ensure continuous compliance, the teams designed an AWS-based architecture using services such as AWS Lambda, Amazon DynamoDB, Amazon Simple Queue Service (Amazon SQS), and Amazon CloudWatch to auto-remediate misconfigurations. In this session, learn how these services help Northwestern Mutual swiftly correct configurations and integrate with tools like Slack and PagerDuty to create logs, notify developers and account owners of changes, and track trends in remediation.


  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT
     Using automation to drive continuous-compliance best practices
     Derek Higgins, Lead Cloud Engineer, Northwestern Mutual
     SEC208
  2. Views, thoughts, and opinions expressed in this presentation belong solely to the author and not necessarily to the author’s employer, organization, committee, or other group or individual.
  3. Agenda
     • Use case: Why are we doing this?
     • Function overview
     • Development and deployment
     • Demo
  4. (slide contains only the footer)
  5. Use case: Why are we doing this?
     For large financial institutions, there are challenges with maintaining compliance and best practices across 100+ AWS accounts and a diverse set of development teams.
     Northwestern Mutual adheres to several regulatory bodies and laws at federal and state levels, including (but not limited to):
     • NYDFS
     • FINRA
     • HIPAA
     • NAIC
     • SEC
     • OCC
  6. Business impact
     • Financial risk
     • Brand reputation
     • Litigation risk
  7. Approach to security
     • Directive
       • Guardrails
       • CIS benchmarks
       • Tagging policy
       • Patching policy
     • Preventative
       • Static code analysis
       • AWS Organizations SCP
       • Multiple AWS accounts
       • Least privilege
     • Detective
       • Centralized logging
       • AWS Config
       • Amazon GuardDuty
       • Amazon Macie
     • Reactive
       • Serverless
       • Centralized management
       • Targeted notifications
  8. Why so many AWS accounts?
     • Logical boundary
     • Limit blast radius
     • Easily manage user access
     • Least privilege
     • Categories
       • Business unit
       • Environment
       • Application
  9. (slide contains only the footer)
  10. Reactive framework
      Centralized set of AWS Lambda functions that enforces governance and best practices
      • Modify or delete resources on creation or modification to meet compliance needs
        • Enable encryption
        • Enable logging
        • Etc.
      • Notify developers and account owners of changes
        • Notifications based on tag designations
        • Slack, PagerDuty, and email integrations
      • Provide a standard way to build reactive functions
  11. Reactive function
  12. Process
      • Amazon CloudWatch event
      • CloudWatch event forwarded to a central account
      • Trigger AWS Lambda
      • Check exceptions
      • Check if remediation needs to happen
      • Remediate
      • Notify
      • Log
  13. Anatomy of a reactive function
  14. Anatomy of a reactive function: Amazon CloudWatch events and CloudWatch event bus
      • All events within AWS Organizations are forwarded to a central account for processing
      • Triggers AWS Lambda function in the central account for a specific action
  15. Anatomy of a reactive function: Lambda function
      • Lambda layers—used to share common libraries for interfacing with exceptions and notifications
  16. Anatomy of a reactive function: AWS Systems Manager Parameter Store
      • Share function information
      • Common configuration items
  17. Anatomy of a reactive function: Amazon DynamoDB
      • Exceptions
      • Notification info
      • Transaction log
  18. Exceptions
      • Exceptions are managed in code
      • Security team can use pull requests for approval
      • YAML file is entered into Amazon DynamoDB table through pipeline

        resource_name: IAM_WILDCARD
        resource_type: IAM
        account: 111111111
        rule_name: IamPolicyWildcardActionRule
        start_time: 01/01/2019 00:00:00
        end_time: 05/29/2019 23:59:59
        team_email: example@example.com
        userid: example1234
        description: My assume role policy needs * permissions on the EC2 resource to gather all available metadata
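The process on slide 12 applied to the slide 18 exception record, as an added Python example (the deck standardizes on Python) and not Northwestern Mutual's code: the event shape, the exception item, the wildcard check for IamPolicyWildcardActionRule and the notification targets are constructed for illustration, and the remediation call itself is left as a recorded decision.

```python
import json
from datetime import datetime

# Constructed sample: a CloudTrail CreatePolicy call as delivered by a CloudWatch event,
# trimmed to the fields this check reads (not a real capture).
SAMPLE_EVENT = {"id": "evt-0001", "account": "111111111", "time": "2019-03-10T12:00:00Z",
    "detail": {"eventName": "CreatePolicy", "requestParameters": {"policyName": "IAM_WILDCARD",
        "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]})}}}
# Constructed exception item, shaped like the slide-18 YAML once the pipeline has
# loaded it into the DynamoDB exceptions table.
SAMPLE_EXCEPTIONS = [{"resource_name": "IAM_WILDCARD", "account": "111111111",
    "rule_name": "IamPolicyWildcardActionRule",
    "start_time": "01/01/2019 00:00:00", "end_time": "05/29/2019 23:59:59"}]
RULE = "IamPolicyWildcardActionRule"

def has_wildcard_action(policy_document: str) -> bool:
    """True if any Allow statement grants '*' or 'service:*' (Statement may be a dict or list)."""
    statements = json.loads(policy_document).get("Statement", [])
    for stmt in ([statements] if isinstance(statements, dict) else statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in actions):
            return True
    return False

def is_excepted(exceptions, account, rule_name, resource_name, now):
    """Match on account, rule and resource, and honour the exception's time window."""
    fmt = "%m/%d/%Y %H:%M:%S"
    return any((e["account"], e["rule_name"], e["resource_name"]) == (account, rule_name, resource_name)
               and datetime.strptime(e["start_time"], fmt) <= now <= datetime.strptime(e["end_time"], fmt)
               for e in exceptions)

def handle(event, exceptions, now_iso=None):
    """Slide-12 flow: check exceptions, decide, and return the transaction-log record."""
    now = datetime.strptime(now_iso or event["time"], "%Y-%m-%dT%H:%M:%SZ")
    params = event["detail"]["requestParameters"]
    record = {"rule_name": RULE, "triggering_event": event["id"], "time": now.isoformat(),
              "resource": params["policyName"], "notified": []}
    if not has_wildcard_action(params["policyDocument"]):
        record["action"] = "compliant"           # nothing to change, still logged
    elif is_excepted(exceptions, event["account"], RULE, params["policyName"], now):
        record["action"] = "skipped-exception"   # approved exception in force
    else:
        # The real function assumes the child-account role here and modifies or
        # deletes the policy; this example only records the decision.
        record["action"] = "remediate"
        record["notified"] = ["account-owner", "incident-response"]
    return record
```

The same event is remediated once the exception's end_time has passed, which is the behaviour the time-boxed exception record is meant to produce.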
  19. Anatomy of a reactive function: Child account IAM role
      • Least privilege
      • Each function has its own role
  20. Error reporting: CloudWatch alarm
      • Specific to each function
      • Slack integration
  21. Anatomy of a reactive function
  22. Notifications
      • Targeted notifications
        • Resource tags
        • Account metadata table
        • Incident response team
        • Cloud platform team
      • Integration with
        • Slack
        • PagerDuty
        • Email
      • Escalation on notification depending on severity
      • Use of CloudWatch event to read tags from resources
  23. Transaction log
      Records all changes that a function would have taken
      • Action taken
      • Rule name
      • Time of remediation
      • Triggering event
      • Who was notified
      Metrics
      Look for trends in remediation to see if other controls or training are needed
  24. (slide contains only the footer)
  25. (slide contains only the footer)
  26. (slide contains only the footer)
  27. Function generator
      • Yeoman template: https://yeoman.io/
      • Standard set of functions to keep code readable and consistent between rules
      • Unit test stubs
      • GitLab pipeline
      • Auto-generation of AWS Serverless Application Model (AWS SAM) templates: https://docs.aws.amazon.com/serverless-application-model/index.html
      • Standardization on Python for code
  28. AWS SAM template
      • AWS Lambda function
      • CloudWatch event trigger
      • CloudWatch alarm for error reporting
      • SSM Parameter Store for role creation
        • Required IAM actions
        • IAM role name
  29. (slide contains only the footer)
  30. Role deployment with AWS CloudFormation StackSets
      Dynamically created AWS CloudFormation StackSets
      • Is derived from values in Parameter Store
      • Deploys IAM roles that are required for functions to each account in AWS Organizations
      • Currently runs daily to pick up any new accounts that are created
  31. Role deployment with AWS CloudFormation StackSets
      • Pull all values from Parameter Store
      • Use parameter values and a Jinja2 template to generate the AWS CloudFormation template
      • Query AWS Organizations for account info
      • Deploy StackSet to central account
      • Using account info from AWS Organizations, create stack instances in every account
      • StackSet instances create all the roles needed for each function to perform actions in that account
  32. Role deployment with AWS CloudFormation StackSets (Jinja2 template for the role stack)

      Resources:
      {% for role in roles %}
      # One IAM role per reactive function; names and actions come from Parameter Store
      {{ role['ResourceName'] }}:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Trust the function's role in the central account (the slide lists this principal twice)
              - Effect: "Allow"
                Principal:
                  AWS:
                    - "arn:aws:iam::123456789102:role/{{ role['RoleName'] }}"
                    - "arn:aws:iam::123456789102:role/{{ role['RoleName'] }}"
                Action:
                  - "sts:AssumeRole"
              - Effect: Allow
                Action: sts:AssumeRole
                Principal:
                  Service: lambda.amazonaws.com
          Path: "/"
          RoleName: "{{ role['RoleName'] }}"
          Policies:
            - PolicyName: "{{ role['RoleName'] }}Policy"
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: "Allow"
                    # Only the IAM actions this function declared in its SAM template
                    Action:
                    {% for action in role['Actions'] %}
                      - {{ action }}
                    {% endfor %}
                    Resource: "*"
      {% endfor %}
  33. Role deployment with AWS CloudFormation StackSets
  34. (slide contains only the footer)
  35. Lessons learned
      • CloudWatch events might trigger the Lambda function too quickly
        • Use Amazon SQS delay queues to introduce small delays
      • Targeted notifications to development teams were necessary
        • Include instructions on how to fix the issues
      • Running rules in Notification or Alerting mode helped
        • Allow people to put in exceptions for existing resources before enforcing
  36. Why did we do this?
      • Targeting multiple notification channels
        • Most tools had a single integration
      • Exceptions processing was not centralized and was hard to manage
        • Difficult to manage and audit
      • Rules had to be deployed to every account
        • Difficult to monitor and troubleshoot
  37. What’s next?
      • Rules, rules, rules
      • Updates to our notification system—adding more context around the alerts
      • Leadership dashboards—more metrics
      • Integration with AWS Security Hub
  38. Defense in depth
      • Preventative controls
        • Code analysis in pipeline
        • AWS Organizations SCPs
      • Detective controls
        • AWS Config
        • Amazon GuardDuty
        • Amazon Macie
  39. Thank you!
