Learning Objectives:
- Reduce the complexity of governance
- Embed compliance in the development process
- Learn about AWS Management Tools
As your cloud operations evolve, the complexity of governance, compliance, and risk auditing of your AWS account increases. With AWS Config and AWS CloudTrail you can automate your controls and compliance efforts so that they scale with your cloud footprint. You can discover resources that exist in your account, capture changes in configurations, and create alerts for out-of-compliance events. In this session, we will help you use AWS Config, AWS CloudTrail, and other AWS Management Tools to automate configuration governance so that compliance is embedded in the development process.
2. What to expect from the session?
• Governance and Compliance – should I care? (yes)
• Why automate?
• Overview of CloudTrail and Config
• Use cases and examples
3. What is Governance and Compliance?
Governance is the oversight role and the process by which companies manage and mitigate business risks.
Compliance ensures that an organization has the process and internal controls to meet the requirements imposed by the governance body.
4. Do I need Cloud Governance?
• Cloud introduces a few fundamental changes to traditional IT
- Provision IT resources via self-service, APIs
- Pay-as-you-go pricing
- Dynamic scaling
- Resources may be short-lived
• Lack of policy and process consistency could negate the benefits of being in the cloud
6. Steps to ensure Governance and Compliance
• Understand your IT environment
• Document all compliance requirements
• Design and implement controls to meet the organization’s compliance requirements
• Identify and document controls owned by outside parties
• Verify that all control objectives are met
7. Why automate?
• Hard to keep track of resource inventory
• Numerous compliance requirements (CIS benchmarks, PCI, HIPAA)
• Continuous assessment
• Growth is good, but it comes with its challenges
11. What is CloudTrail?
[Figure: CloudTrail overview diagram. Labels: Management Console, CLI, SDK, AWS resources, AWS CloudTrail, S3 Bucket (archive and audit), Amazon CloudWatch (monitor, alarm and react), Troubleshoot.]
12. What is CloudTrail?
• Records API calls made on your AWS account
• Delivers logs for audits and compliance
• Provides visibility into account activity (API calls, console logins, etc.)
• Troubleshoot with lookup capability
• Alarm and take actions with Amazon CloudWatch
• New! S3 Data Events: Get object-level API activity
13. Common Use Cases
• Compliance Aid
• Security Analysis
• Data Exfiltration
• Operational Troubleshooting
18. Demo Scenario (Gain visibility into the cloud)
Use CloudTrail to look up API activity for a specific user, then view activity details and configuration changes via the AWS Config integration.
21. Demo scenario (Automating governance & compliance)
Notify the Cloud Admin if there exist any EC2 Security Groups that allow unrestricted access to port 22 (SSH).
24. Demo Scenario (Instance level software configurations)
Use EC2 Systems Manager (EC2 SM) to set up inventory collection and use Config to get a complete, trackable history of:
• OS updates/patches
• Installed applications
• Network configuration etc.
Continuously assess compliance with Config rules.
27. Demo scenario (Automating governance & compliance)
Auto-remediate the issue when an EC2 Security Group that allows unrestricted access to port 22 (SSH) is detected by revoking the ingress rule.
[Figure: auto-remediation flow. Labels: AWS Config, Lambda function, Amazon SNS, Amazon EC2 Security Group (0.0.0.0/0, port 22), users, Internet.]
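The check behind the port-22 rule from slides 21 and 27, as an added example that is not code from the session: an evaluation that flags security groups open to the world on SSH (IPv4 and IPv6) and a remediation step that revokes only the offending ranges. The security group layout follows the EC2 describe_security_groups response shape; SAMPLE_SG, the ec2 client parameter and the function names are assumptions, and the SNS notification is left out.

```python
# Added example (not from the session): the check behind the "unrestricted access to
# port 22" rule and the revoke step that remediates it. SAMPLE_SG is constructed.
SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}  # world-open IPv4 and IPv6 ranges

def _covers_port(perm, port):
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":  # "all traffic" rules include every port
        return True
    return proto in ("tcp", "6") and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def open_ssh_permissions(sg):
    """Ingress entries exposing SSH, trimmed to their world-open ranges so the result
    can go straight to revoke_security_group_ingress without touching internal rules."""
    offending = []
    for perm in sg.get("IpPermissions", []):
        if not _covers_port(perm, SSH_PORT):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in ANYWHERE]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in ANYWHERE]
        if not (v4 or v6):
            continue
        entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        offending.append(entry)
    return offending

def evaluate(sg):
    """Result in the vocabulary a Config rule reports back."""
    return "NON_COMPLIANT" if open_ssh_permissions(sg) else "COMPLIANT"

def remediate(sg, ec2):
    """Revoke only the offending ranges; `ec2` is a boto3 EC2 client supplied by the caller."""
    perms = open_ssh_permissions(sg)
    if perms:  # the Lambda role needs ec2:RevokeSecurityGroupIngress for this call
        ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=perms)
    return perms

SAMPLE_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [  # constructed sample
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
```

Revoking only the world-open ranges keeps the internal SSH rule and the HTTPS rule in place, which is what makes the remediation safe to run unattended.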
36. Summary
CloudTrail and Config provide:
• Broad and deep visibility for security and compliance
• Governance and Compliance as code
• Enable: standardization, self-service, and automation
Find out more here:
https://aws.amazon.com/cloudtrail/
https://aws.amazon.com/config/
Management tools:
https://aws.amazon.com/products/management