Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Invent 2017
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Building the Largest Repo
for Serverless Compliance-as-Code
Gilles Baillet – Standard Chartered Bank – Head, Cloud and DevOps Architecture
Jonathan Rault – AWS – Security Lead APJC, Professional Services
Prashant Prahlad – AWS – Sr. Manager Product Management
SID205
November 30, 2017
2. Agenda
• Introduction to compliance-as-code
• Voice of the customer: Standard Chartered Bank
• Personas, goals, challenges, and solutions
• Your next three months
3. Be Compliant
a.k.a. The state of meeting rules or standards
4. Customer’s Point of View
5. Customer’s Point of View
Checklist of control requirements
6. Customer’s Point of View
Checklist of control requirements
Audit process
7. Let’s Go Upstream!
Organizational perspective: four steps to compliance
8. Customer-facing
Four Steps to Compliance
• Analyze
• Define and document
• Checklist
• Audit
9. Customer’s Point of View
Checklist of control requirements
Audit process
10. Customer’s Point of View
Spreadsheet
Audit process
InfoSec
11. Customer’s Point of View
Spreadsheet
InfoSec
Auditor
Questionnaire
docs/screenshots
12. Challenges
Expertise is not given to all
Time-consuming for everyone
Get-ready-for-the-audit mindset
13. Be Compliant-as-Code
a.k.a. The state of meeting rules or standards
via a programmatic test-driven approach
14. Checklist
Audit
15. Checklist → Codified Checklist
Audit
16. Checklist → Codified Checklist
Audit → Continuous Visibility
17. Customer-facing
Four Steps to Compliance
• Analyze
• Define and document
• Checklist
• Audit
18. Five Steps to Compliance with Code
Customer-facing
• Analyze
• Define and document
• Checklist
• Codified Checklist
• Continuous Visibility
19. Benefits
Scale consistently to all customers
Focus time and resources on value
Part of day-to-day
23. “We are embarking on a journey to shape the future of banking while
creating a culture of innovation, efficiency and automation. We
are introducing global platforms, machine learning and bringing
forth intelligent technology. We want to lead this change and not
be led by it.”
Michael Gorriz
Group Chief Information Officer
30. Our Cloud Foundational Principles
Gall’s Law
“A complex system that works is invariably found to have evolved from a
simple system that worked. A complex system designed from scratch never works
and cannot be patched up to make it work. You have to start over with a working
simple system.”
- John Gall -
35. Use Case 1
Compliance-as-Code for storing customer data
§ Changes tracked via AWS CloudTrail
§ AWS Config
o Data encrypted at rest using KMS
o No public access to S3 buckets
o Principle of Least Privilege enforced
§ Extensible
36. Use Case 2
Compliance-as-Code for Internet Access
§ Changes tracked via AWS CloudTrail
§ AWS Config
o Data encrypted in transit using SSL
o Inbound access enforced via our Content Delivery Network
o Running Amazon Machine Image (AMI) is up-to-date
§ Extensible
41. Building the Largest Repo
of Compliance-as-Code
42. Five Steps to Compliance with Code
• Analyze
• Define and document
• Checklist
• Codified checklist
• Continuous visibility
43. Six Steps to Compliance with Code
• Analyze
• Define and document
• Checklist
• Codified checklist
• Continuous visibility
• Operate and integrate
44. Six Steps to Compliance with Code
• Analyze
• Define and document
• Checklist
• Codified checklist
• Continuous visibility
• Operate and integrate
Compliance-as-code
45. Input/Output of Compliance-as-Code
• Checklist
• Codified checklist
• Continuous visibility
• Operate and integrate
Compliance-as-code
46. Input/Output of Compliance-as-Code
47. Input/Output of Compliance-as-Code
• Checklist
• Codified checklist
• Continuous visibility
• Operate and integrate
Compliance-as-code
Joe Sec, Toby Dev, Greg Ops, Mike App, Tim Audit
48. Meet Joe Sec
Acronym addict (CIS, GxP, TLS, etc.)
Has many obscure security certifications
Got the super-power of “not approved by compliance”
Ultimately responsible for security!
49. Meet Joe Sec
Challenges
Needs to do the heavy lifting
Works harder, not smarter, because of inflexible tools and too many escalations
Goals
Help the app owner do the right thing
Be out of the critical path
50. Meet Joe Sec
Solutions (3)
51. Meet Joe Sec
Solutions (3)
1. Training is available to get up to speed
• AWS re:Invent and videos
• Online and on-site
• Certifications
AWS Security Fundamentals (3-hour online)
https://aws.amazon.com/training/course-descriptions/security-fundamentals/
52. Meet Joe Sec
Solutions (3)
2. AWS Config is available in all AWS regions
• Continuously monitor configurations
• Record configuration changes
AWS Config: https://aws.amazon.com/config/
53–56. AWS Config – Resource inventory
57–59. AWS Config – Resource details
60. Meet Joe Sec
Solutions (3)
3. Best practices are available
• AWS re:Invent and videos
• Two CIS Benchmarks for AWS
• AWS Whitepapers
CIS: https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/
61. From Policy to Dev-Readable Requirements
Define the use case and test cases for test-driven security
# Check that CloudTrail trails are encrypted, optionally with K key.
# Input parameter (optional): K – AWS KMS Customer Master Key ARN (overrides the default of “None”)
# Description:
# Returns COMPLIANT if CloudTrail is encrypted and K is not specified
# Returns COMPLIANT if CloudTrail is encrypted with K and K is specified
# Returns NON-COMPLIANT if CloudTrail is encrypted, CloudTrail is not encrypted with K and K is specified
# Returns NON-COMPLIANT if CloudTrail is not encrypted
62. Writing Test Case 101
1. Cover all permutations of inputs
2. Keep distinct coverage in the test cases
3. Think that a human needs to fix it (at first)
4. Reasoning approach is the future, and the future is now
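The CloudTrail-encryption requirement from slide 61 and the "cover all permutations" advice from slide 62, as an added example that is not code from the deck, the RDK or the awslabs rules repository: the rule's decision logic as a pure Python function, with trail descriptions and KMS key ARNs constructed inline (placeholders, not real resources) so every input permutation, plus the no-trail edge case the spec leaves unstated, can be exercised offline.

```python
# Added example, not from the deck or AWS: the slide-61 spec as a pure
# evaluation function. A real AWS Config custom rule would fetch the trails
# with cloudtrail.describe_trails() and report with config.put_evaluations();
# both calls are left out on purpose so this runs without AWS access.

COMPLIANT = "COMPLIANT"          # AWS Config ComplianceType values
NON_COMPLIANT = "NON_COMPLIANT"


def evaluate_trail(trail, kms_key_arn=None):
    """Evaluate one trail dict shaped like the DescribeTrails output.

    trail["KmsKeyId"] is the ARN of the key encrypting the log files and is
    absent when the trail is unencrypted; kms_key_arn is the optional rule
    parameter K (None means any key is acceptable). Returns (status,
    annotation) so the human who fixes the finding knows what is wrong.
    """
    name = trail.get("Name", "?")
    trail_key = trail.get("KmsKeyId")
    if not trail_key:
        return NON_COMPLIANT, "trail %s: log files are not KMS-encrypted" % name
    if kms_key_arn is None:
        return COMPLIANT, "trail %s: log files are KMS-encrypted" % name
    if trail_key == kms_key_arn:
        return COMPLIANT, "trail %s: encrypted with the required key K" % name
    return NON_COMPLIANT, "trail %s: encrypted, but not with key K" % name


def evaluate_rule(trails, kms_key_arn=None):
    """Account-level verdict: every trail must pass; no trail at all fails."""
    if not trails:
        return NON_COMPLIANT, "no CloudTrail trail is configured"
    findings = [msg for status, msg in (evaluate_trail(t, kms_key_arn)
                for t in trails) if status != COMPLIANT]
    if findings:
        return NON_COMPLIANT, "; ".join(findings)
    return COMPLIANT, "all %d trail(s) encrypted as required" % len(trails)


# Constructed sample input with placeholder ARNs (not real keys or accounts).
KEY_A = "arn:aws:kms:us-east-1:111111111111:key/aaaaaaaa-placeholder"
KEY_B = "arn:aws:kms:us-east-1:111111111111:key/bbbbbbbb-placeholder"
ENCRYPTED_TRAIL = {"Name": "org-trail", "KmsKeyId": KEY_A}
PLAINTEXT_TRAIL = {"Name": "legacy-trail"}

if __name__ == "__main__":
    for k in (None, KEY_A, KEY_B):
        print("K =", k, "->", evaluate_rule([ENCRYPTED_TRAIL], k))
    print("K = None ->", evaluate_rule([ENCRYPTED_TRAIL, PLAINTEXT_TRAIL]))
```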
63. Meet Toby Dev
Hoodies, Headphones, Espresso, Craft Breweries
Knows 20 programming languages with two years of experience each (according to his resume)
Known for not liking meetings
Ultimately responsible for delivering code!
64. Meet Toby Dev
Challenges
Not knowledgeable about security
Struggles often with imprecise requirements
Feels the need to reinvent the wheel too often
Lots of console and/or home-baked scripts
Goals
Freedom to be creative
Wants impact (and recognition) by doing awesome code
65. Meet Toby Dev
Solutions (2)
66. Meet Toby Dev
Solutions (2)
1. 70+ compliance-as-code rules already available
• Cover several common controls
• Include test cases
• Verified by the community and AWS
• Integrate with AWS Config
AWS Managed Config Rules
Custom rules: https://github.com/awslabs/aws-config-rules
67. Meet Toby Dev
Solutions (2)
2. NEW – Rule Development Kit
• Initiate your dev environment locally
• Initiate your dev environment in AWS
• Deploy rule and test from your IDE
Rule Development Kit: https://pypi.python.org/pypi/rdk
68. Meet Greg “Ninja” Ops
Likes Michelin-starred restaurants
Affected by the phantom vibration syndrome
Perceived like Dad: old-fashioned but the first person
you call in case of emergency
Ultimately responsible for stability!
69. Meet Greg “Ninja” Ops
Challenges
Running more servers means more workload
Not used to automation; can adapt but not build from scratch
Goals
More is less – including for being paged at 3 a.m.
70. Meet Greg “Ninja” Ops
Solutions (2)
71. Meet Greg “Ninja” Ops
Solutions (2)
1. Run on serverless with AWS Lambda
• Event-driven
• Automated administration
• Integrated security model
• Bring your own code
AWS Lambda: https://aws.amazon.com/lambda/details/
72. Meet Greg “Ninja” Ops
Solutions (2)
2. NEW – Compliance-as-code engine available
• Multi-account
• 1-step deployment
• Serverless
• Code securely located in a segregated and dedicated AWS Account
Github: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
73. Finally, Meet… Mike App and Tim Audit
Mike App
Challenges
Has to deal with checklist and meetings with Sec team
Lack of clear guidance to move forward
Goals
Wants to go to prod ASAP
Tim Audit
Challenges
Seen more as the policeman
Must ask to get the information
Goals
Be a trusted advisor on doing the right thing
74. Meet Mike App and Tim Audit
Solutions (2)
2 (continued). NEW – Compliance-as-code Engine available
• Multi-account, 1-step deployment, Serverless, securely segregated Code
• Can be integrated in his DevOps pipeline
• Dashboard with actionable insights
• Store all historical compliance status/changes
• Dashboard for Compliance-as-code Analytics
Github: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
75. Demo
Compliance-as-code Engine
1. Dashboard for Compliance-as-code Analytics
2. One-step deployment in a new Application Account
3. Dashboard for Application Owner to gain insights
76. Cloud Adoption Framework – Security
CAF Security perspective – Guidance and process for your security specific to AWS
https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
New – Compliance-as-code RuleSet from the CAF Security recommendations
Github: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
77. Workbook for PCI Compliance in AWS
PCI Qualified Security Assessor Company (QSAC) Workbook – Partner with AWS on a Workbook for PCI Compliance in the AWS Cloud
Link: https://d1.awsstatic.com/whitepapers/compliance/AWS_Anitian_Workbook_PCI_Cloud_Compliance.pdf
New – Compliance-as-code RuleSet from the workbook’s recommendations
Github: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
78. In conclusion…
79. Five Key Learnings
1. Get a dedicated Security member as part of the cloud team
2. Iterate on controls and provide solutions to your customers
3. Treat edge cases carefully
4. Devs like to have clear goals, stand up all together
5. Start with Cloud Native tools first
80. Getting Started: Next Three Months
Sprint 1 (two weeks)
• Stand-up together at least twice a week (Dev-Sec-Ops)
• Demonstrate visibility by POCing the engine with one available RuleSet
• Get buy-in from the account owners
Sprints 2–5
• Deploy the engine in all your accounts
• Select three relevant controls to be fixed, listen to feedback
• Finish Sprint 2
• Select three more controls to be fixed, listen to feedback
• Start documenting iteratively your security baseline
• Select three more controls to be fixed, listen to feedback
• Train your Devs on the RDK
Sprint 6
• Select the one control you know is hard
• Build first exec metrics. Communicate broadly the results. Empower.
• Plan your next three months
81. Thank you!
Please fill out your survey