© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Compliance automation: Set it up fast, then code it your way
GRC330-R
Raisa Hashem, DevOps Security Specialist, AWS
Jonathan Rault, Principal Security Consultant, AWS
Note: AWS account required; we will be coding in Python
Welcome and thank you!
3 goals for today
1. Use managed capabilities to get value fast and benefit from the AWS pace of innovation
2. Customize by writing an AWS Config rule, and enjoy doing it with the Rule Development Kit (RDK)
3. Know your remediation paths and leverage automation
Managed capabilities
Start with
• Compliance standards with AWS Security Hub
Augment with
• Managed rules with AWS Config rules
• Remediation actions on AWS Config rules
Compliance standards with AWS Security Hub
• Available*: CIS AWS Foundations Benchmark
• Findings are contextualized
• Best practices for remediation
• Powered (in majority) by AWS Config rules
*As of June 2019
(Screenshots: compliance standards in the Security Hub console, including the link from a finding to its AWS Config rule)
Managed rules with AWS Config rules
• Available*: 86 managed rules
• Flexible (i.e., several compliance checks in 1 managed rule, using "input parameters")
• Configure remediation actions using AWS Systems Manager automation documents
*As of June 2019
(Screenshots: managed rules in the AWS Config console)
Lab 1
Launching a Security Hub standard and a managed AWS Config rule
Instructions: https://tinyurl.com/aws-compliance-automation
Note: Use N. Virginia (us-east-1) as AWS Region
(Diagram) Compliance-as-code: rules verify Amazon EC2, AWS CloudTrail, Amazon S3 and other resources.
AWS Config
Keeps the inventory of AWS resources, including
• How they are configured
• How they are related to one another
• How the configurations and their relationships have changed over time
Main components of AWS Config
• Continuously record configurations (via the configuration recorder)
• Store snapshots and trigger Amazon SNS topics (via the delivery channel)
• Determine compliance against the configurations specified (via rules)
(Diagram) Compliance-as-code: AWS Config takes a snapshot of Amazon EC2, AWS CloudTrail, Amazon S3 and other resources.
(Diagram) Compliance-as-code: on change triggers, AWS Config sends the configuration item to the rules.
(Diagram) Compliance-as-code: each rule is attached to a resource type, e.g. Rule 1 on AWS::CloudTrail::Trail, Rule 2 on AWS::S3::Bucket, Rule 3 on AWS::EC2::InternetGateway, Rule 4 on AWS::S3::Bucket.
Rules receive what exactly?
Introduction to configuration item
JSON, absolutely!
"configurationItemVersion": "1.0",
"configurationItemCaptureTime": "2017…",
"configurationStateID": "….",
"configurationItemStatus": "OK",
"resourceId": "vol-ce676ccc",
"arn": "arn:aws:us-west-………",
"accountId": "123456789012",
"availabilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Volume",
"resourceCreationTime": "2014-02..",
"tags": {},
"relationships": [
  {
    "resourceId": "i-344c463d",
    "resourceType": "AWS::EC2::Instance",
    "name": "Attached to Instance"
  }
],
"relatedEvents": [
  "06c12a39-eb35-11de-ae07-db69edbb1e4"
],
Callouts on the slide: metadata, common attributes, relationships, related events
JSON, absolutely again!
"configuration": {
  "volumeId": "vol-ce676ccc",
  "size": 1,
  "snapshotId": "",
  "availabilityZone": "us-west-2b",
  "state": "in-use",
  "createTime": "2017-02-……",
  "attachments": [
    {
      "volumeId": "vol-ce676ccc",
      "instanceId": "i-344c463d",
      "device": "/dev/sdf",
      "state": "attached",
      "attachTime": "2014-03-",
      "deleteOnTermination": false
    }
  ],
  "tags": [
    {
      "tagName": "environment",
      "tagValue": "PROD"
    }
  ],
  "volumeType": "standard"
}
Callout on the slide: current configuration
Why are we talking about configuration item again?
Because it allows you to handle the speed of innovation
(Diagram) Compliance-as-code: the snapshot covers 26 services and 75 resource types (*); 86 managed rules are available out of the box (*).
(*) as of June 2019
What about your other requirements?
Introduction to custom rules
Example
Verify that all AWS Identity and Access Management (IAM) users are using multi-factor authentication (MFA)
(Diagram) Let's pretend that "MFA on IAM users" is not a managed rule…
(Diagram) Custom rules: let's create an "MFA on IAM users" rule with custom rules!
Custom rules
• Are another type of AWS Config rule
• Provide flexibility
• Call an AWS Lambda function
• Include the codified logic that verifies a configuration complies with the expectation
• Must report their results through the PutEvaluation API so that AWS Config rules can understand them
(Diagram) Custom rules: 1 AWS Lambda function per custom rule.
(Diagram) Custom rules: AWS Config runs the Lambda function and sends it the configuration item and the rule parameters.
(Diagram) Custom rules: the function receives the IAM user information, but nothing on MFA.
Summon the power of AWS Lambda!
(Diagram) Custom rules: the function reads additional configuration(s) via a describe() call.
(Diagram) Custom rules: the function reports the result via PutEvaluation().
Lab 2
Write a rule checking for MFA on an IAM user
Instructions: https://tinyurl.com/aws-compliance-automation
Question: What will happen to the rule evaluations if the MFA is removed?
Answer: Nothing = No update
Why?
(Diagram) Custom rules with time triggers: no configuration item is sent. Removing an MFA device does not change the IAM user's configuration item (it carries nothing on MFA), so no configuration change trigger fires; only a time trigger re-evaluates the user.
Triggers for rules
Choosing periodic and/or configuration changes
Configuration change trigger
• Configuration item is in the AWS Lambda event
• 1 AWS Lambda function is triggered per resource tracked
• 1 putEvaluation() in the rule code
Periodic trigger
• No configuration item is sent to AWS Lambda
• 1 AWS Lambda function only is triggered
• 1 putEvaluation() per resource that you evaluate in the rule code
Choosing the right trigger(s)
Use case: Recommendation
• AWS Config is tracking this resource type: Configuration change
• AWS Config is not tracking this resource: Periodic
• AWS Config is tracking this resource, and time matters (e.g. you want a daily review): Configuration change and Periodic
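One way to write the custom rule from Lab 2 so that it also works with the periodic trigger of Lab 3, as an added example rather than the deck's or the lab's code: it follows the custom-rules diagrams (configuration item and parameters in, a describe()-style call to IAM, results out via PutEvaluations, which boto3 exposes as put_evaluations) and the trigger differences in the table above. Assumptions: the boto3 calls list_mfa_devices, list_users and put_evaluations; a hypothetical ExcludedUsers rule parameter; FakeIam, FakeConfig and the two event builders are constructed sample data so the block runs offline.

```python
"""Custom AWS Config rule: every IAM user must have an MFA device enabled.
Change trigger: the configuration item (CI) of one AWS::IAM::User is in the Lambda event.
Periodic trigger: no CI is sent, so the rule lists the users itself, one evaluation each."""
import json

PUT_EVALUATIONS_BATCH = 100  # PutEvaluations accepts at most 100 evaluations per call

def user_has_mfa(iam, user_name):
    """describe() step: the CI says nothing about MFA, so ask IAM directly."""
    return len(iam.list_mfa_devices(UserName=user_name)["MFADevices"]) > 0

def list_all_users(iam):
    """Follow IAM's Marker/IsTruncated pagination so large accounts are fully covered."""
    users, kwargs = [], {}
    while True:
        page = iam.list_users(**kwargs)
        users.extend(page["Users"])
        if not page.get("IsTruncated"):
            return users
        kwargs["Marker"] = page["Marker"]

def evaluation(user_id, compliance_type, annotation, ordering_timestamp):
    # ComplianceResourceId must be the user id AWS Config tracks (the CI's resourceId), not the name
    return {"ComplianceResourceType": "AWS::IAM::User", "ComplianceResourceId": user_id,
            "ComplianceType": compliance_type, "Annotation": annotation,
            "OrderingTimestamp": ordering_timestamp}

def evaluate_user(iam, user_name, user_id, excluded, ts):
    if user_name in excluded:
        return evaluation(user_id, "NOT_APPLICABLE", "Excluded by rule parameter", ts)
    if user_has_mfa(iam, user_name):
        return evaluation(user_id, "COMPLIANT", "MFA device enabled", ts)
    return evaluation(user_id, "NON_COMPLIANT", "No MFA device enabled", ts)

def evaluate(event, iam):
    """Return the evaluations for one rule invocation (no AWS Config side effects)."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")  # the "send the parameters" step
    # Hypothetical rule parameter: comma-separated user names to skip (e.g. break-glass users)
    excluded = {u.strip() for u in params.get("ExcludedUsers", "").split(",") if u.strip()}
    msg_type = invoking["messageType"]
    if msg_type == "ConfigurationItemChangeNotification":
        ci = invoking["configurationItem"]
        if ci["resourceType"] != "AWS::IAM::User":
            return []
        ts = ci["configurationItemCaptureTime"]
        if ci["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
            return [evaluation(ci["resourceId"], "NOT_APPLICABLE", "User deleted", ts)]
        return [evaluate_user(iam, ci["resourceName"], ci["resourceId"], excluded, ts)]
    if msg_type == "ScheduledNotification":  # no CI: enumerate the resources ourselves
        ts = invoking["notificationCreationTime"]
        return [evaluate_user(iam, u["UserName"], u["UserId"], excluded, ts)
                for u in list_all_users(iam)]
    raise ValueError("unexpected messageType: " + msg_type)

def report(config, evaluations, result_token):
    """PutEvaluations step, batched; returns the number of API calls made."""
    batches = [evaluations[i:i + PUT_EVALUATIONS_BATCH]
               for i in range(0, len(evaluations), PUT_EVALUATIONS_BATCH)] or [[]]
    for batch in batches:  # an empty call still answers this invocation's result token
        config.put_evaluations(Evaluations=batch, ResultToken=result_token)
    return len(batches)

def lambda_handler(event, context, iam=None, config=None):
    """Lambda entry point: clients default to boto3; tests inject the fakes below."""
    if iam is None or config is None:
        import boto3  # imported lazily so the module also loads where boto3 is absent
        iam, config = iam or boto3.client("iam"), config or boto3.client("config")
    evaluations = evaluate(event, iam)
    report(config, evaluations, event["resultToken"])
    return evaluations

class FakeIam:  # constructed offline stand-in for boto3's IAM client (sample data, not real)
    def __init__(self, users, with_mfa):
        self._users, self._mfa = users, set(with_mfa)  # users: list of (name, user id)
    def list_users(self, **kwargs):
        return {"Users": [{"UserName": n, "UserId": i} for n, i in self._users], "IsTruncated": False}
    def list_mfa_devices(self, UserName):
        serial = "arn:aws:iam::123456789012:mfa/" + UserName
        return {"MFADevices": [{"SerialNumber": serial}] if UserName in self._mfa else []}

class FakeConfig:  # records put_evaluations calls instead of talking to AWS Config
    def __init__(self):
        self.calls = []
    def put_evaluations(self, Evaluations, ResultToken):
        self.calls.append(list(Evaluations))
        return {"FailedEvaluations": []}

def change_event(user_name, user_id, status="OK"):
    """Constructed change-triggered Lambda event (sample values, not from a real account)."""
    ci = {"resourceType": "AWS::IAM::User", "resourceId": user_id, "resourceName": user_name,
          "configurationItemStatus": status, "configurationItemCaptureTime": "2019-06-01T00:00:00Z"}
    invoking = {"messageType": "ConfigurationItemChangeNotification", "configurationItem": ci}
    return {"invokingEvent": json.dumps(invoking), "ruleParameters": "{}", "resultToken": "sample"}

def scheduled_event(excluded=""):
    """Constructed periodic Lambda event: note that it carries no configurationItem at all."""
    invoking = {"messageType": "ScheduledNotification", "notificationCreationTime": "2019-06-01T00:00:00Z"}
    return {"invokingEvent": json.dumps(invoking), "resultToken": "sample",
            "ruleParameters": json.dumps({"ExcludedUsers": excluded})}
```

Deployed as the Lambda behind a rule with both trigger types, the same handler answers a change notification with one evaluation and a scheduled notification with one evaluation per user.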
Lab 3
Convert your rule into a periodic rule
Instructions: https://tinyurl.com/aws-compliance-automation
(Diagram) Remediation path 1, getting started in a managed way (manual): when a rule flags a resource (EC2, CloudTrail, S3, others), a manual trigger runs a Systems Manager automation to correct it.
(Diagram) Remediation path 2, getting started in a managed way (auto): the rule's compliance change is sent to Amazon CloudWatch Events, which triggers the Systems Manager automation.
(Diagram) Remediation path 3, more flexibility (manual): the compliance change reaches Security Hub, which opens a ticket in Systems Manager OpsCenter; the correction is triggered manually from there.
(Diagram) Remediation path 4, more flexibility (auto): Amazon CloudWatch Events sends the compliance-change events to 1 AWS Lambda function per event, which applies the correction.
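The fourth remediation path above (one Lambda function per compliance-change event delivered by CloudWatch Events), as an added example that is not code from the deck or from Lab 4. It assumes boto3's SSM start_automation_execution call, a placeholder rule name and automation document name, an assumed ResourceId input parameter on that document, and a constructed sample event in the "Config Rules Compliance Change" shape; FakeSsm stands in for the real client.

```python
"""Remediation path 4: Amazon CloudWatch Events delivers each AWS Config compliance-change
event to one Lambda function, which starts the correction.
Only a transition *to* NON_COMPLIANT starts a remediation, so repeated evaluations of a
resource that stays non-compliant (e.g. from a periodic trigger) do not re-run the fix."""

# Hypothetical mapping from rule name to the Systems Manager automation document that
# corrects it; both names are placeholders, not identifiers from the deck.
REMEDIATION_DOCUMENTS = {
    "iam-user-mfa-enabled-custom-PLACEHOLDER": "Custom-RemediateIamUserWithoutMfa-PLACEHOLDER",
}

def parse_compliance_change(event):
    """Pull the fields a remediation needs out of a 'Config Rules Compliance Change' event."""
    if event.get("source") != "aws.config" or event.get("detail-type") != "Config Rules Compliance Change":
        return None
    detail = event["detail"]
    return {
        "rule": detail["configRuleName"],
        "resource_type": detail["resourceType"],
        "resource_id": detail["resourceId"],
        "new": detail["newEvaluationResult"]["complianceType"],
        # oldEvaluationResult is absent on a resource's very first evaluation
        "old": detail.get("oldEvaluationResult", {}).get("complianceType"),
    }

def should_remediate(change):
    """Act on a fresh NON_COMPLIANT result for a rule we know how to fix; ignore the rest."""
    if change is None or change["rule"] not in REMEDIATION_DOCUMENTS:
        return False
    return change["new"] == "NON_COMPLIANT" and change["old"] != "NON_COMPLIANT"

def lambda_handler(event, context, ssm=None):
    """One invocation per event: decide, then start the automation document."""
    change = parse_compliance_change(event)
    if not should_remediate(change):
        return {"action": "ignored", "change": change}
    if ssm is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        ssm = boto3.client("ssm")
    document = REMEDIATION_DOCUMENTS[change["rule"]]
    # ResourceId as the document's input parameter name is an assumption about the placeholder doc
    response = ssm.start_automation_execution(
        DocumentName=document, Parameters={"ResourceId": [change["resource_id"]]})
    return {"action": "remediate", "document": document,
            "execution_id": response["AutomationExecutionId"]}

class FakeSsm:  # constructed stand-in for boto3's SSM client; records what would be started
    def __init__(self):
        self.started = []
    def start_automation_execution(self, DocumentName, Parameters):
        self.started.append((DocumentName, Parameters["ResourceId"][0]))
        return {"AutomationExecutionId": "exec-%d" % len(self.started)}

def sample_event(new, old=None, rule="iam-user-mfa-enabled-custom-PLACEHOLDER"):
    """Constructed CloudWatch Events event in the 'Config Rules Compliance Change' shape."""
    detail = {"configRuleName": rule, "resourceType": "AWS::IAM::User",
              "resourceId": "AIDAEXAMPLEALICE", "awsAccountId": "123456789012",
              "newEvaluationResult": {"complianceType": new}}
    if old is not None:
        detail["oldEvaluationResult"] = {"complianceType": old}
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change", "detail": detail}
```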
Lab 4 (on your own time)
Create a remediation for your rule
Instructions: https://tinyurl.com/aws-compliance-automation
(Diagram) Lab 4 follows remediation path 4, more flexibility (auto).
Committed to open source
Get the code of additional rules (52 custom rules)
https://github.com/awslabs/aws-config-rules
Rule development kit
https://github.com/awslabs/aws-config-rdk
Multi-account/multi-region engine to manage your rules
https://github.com/awslabs/aws-config-engine-for-compliance-as-code
1. Use managed capabilities to get value fast and benefit from the AWS pace of innovation
2. Customize by writing an AWS Config rule and enjoy with the RDK
3. Know your remediation paths and leverage automation
Thank you!
asraisa@amazon.com
jrault@amazon.com

Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management ToolsAmazon Web Services
 
Introducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech TalksIntroducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech TalksAmazon Web Services
 
AWSome Day Online Conference 2019 - Module 1 AWS Cloud Concepts.pdf
AWSome Day Online Conference 2019 - Module 1 AWS Cloud Concepts.pdfAWSome Day Online Conference 2019 - Module 1 AWS Cloud Concepts.pdf
AWSome Day Online Conference 2019 - Module 1 AWS Cloud Concepts.pdfAmazon Web Services
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsAmazon Web Services
 
How Qantas is Scaling Cloud Operations with AWS Systems Manager - AWS Summit ...
How Qantas is Scaling Cloud Operations with AWS Systems Manager - AWS Summit ...How Qantas is Scaling Cloud Operations with AWS Systems Manager - AWS Summit ...
How Qantas is Scaling Cloud Operations with AWS Systems Manager - AWS Summit ...Amazon Web Services
 
AWSome Day - AWS Federal Pop-Up Loft
AWSome Day - AWS Federal Pop-Up LoftAWSome Day - AWS Federal Pop-Up Loft
AWSome Day - AWS Federal Pop-Up LoftAmazon Web Services
 
Deep dive - AWS security by design
Deep dive - AWS security by designDeep dive - AWS security by design
Deep dive - AWS security by designRichard Harvey
 
利用 Fargate - 無伺服器的容器環境建置高可用的系統
利用 Fargate - 無伺服器的容器環境建置高可用的系統利用 Fargate - 無伺服器的容器環境建置高可用的系統
利用 Fargate - 無伺服器的容器環境建置高可用的系統Amazon Web Services
 
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...Amazon Web Services
 
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...Amazon Web Services
 

Similar a Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS re:Inforce 2019 (20)

Set Up Compliance Automation Using AWS Management Tools (SEC317) - AWS re:Inv...
Set Up Compliance Automation Using AWS Management Tools (SEC317) - AWS re:Inv...Set Up Compliance Automation Using AWS Management Tools (SEC317) - AWS re:Inv...
Set Up Compliance Automation Using AWS Management Tools (SEC317) - AWS re:Inv...
 
Control your cloud environment with AWS management tools
Control your cloud environment with AWS management toolsControl your cloud environment with AWS management tools
Control your cloud environment with AWS management tools
 
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
 
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
 
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
 
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
 
AWSome Day MODULE 5 - Autoscaling and Next Steps
AWSome Day MODULE 5 - Autoscaling and Next StepsAWSome Day MODULE 5 - Autoscaling and Next Steps
AWSome Day MODULE 5 - Autoscaling and Next Steps
 
Operationalizing Microsoft Workloads (WIN320) - AWS re:Invent 2018
Operationalizing Microsoft Workloads (WIN320) - AWS re:Invent 2018Operationalizing Microsoft Workloads (WIN320) - AWS re:Invent 2018
Operationalizing Microsoft Workloads (WIN320) - AWS re:Invent 2018
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management Tools
 
Introducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech TalksIntroducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech Talks
 
AWSome Day Online Conference 2019 - Module 1 AWS Cloud Concepts.pdf
AWSome Day Online Conference 2019 - Module 1 AWS Cloud Concepts.pdfAWSome Day Online Conference 2019 - Module 1 AWS Cloud Concepts.pdf
AWSome Day Online Conference 2019 - Module 1 AWS Cloud Concepts.pdf
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
 
How Qantas is Scaling Cloud Operations with AWS Systems Manager - AWS Summit ...
How Qantas is Scaling Cloud Operations with AWS Systems Manager - AWS Summit ...How Qantas is Scaling Cloud Operations with AWS Systems Manager - AWS Summit ...
How Qantas is Scaling Cloud Operations with AWS Systems Manager - AWS Summit ...
 
AWSome Day - AWS Federal Pop-Up Loft
AWSome Day - AWS Federal Pop-Up LoftAWSome Day - AWS Federal Pop-Up Loft
AWSome Day - AWS Federal Pop-Up Loft
 
Deep dive - AWS security by design
Deep dive - AWS security by designDeep dive - AWS security by design
Deep dive - AWS security by design
 
利用 Fargate - 無伺服器的容器環境建置高可用的系統
利用 Fargate - 無伺服器的容器環境建置高可用的系統利用 Fargate - 無伺服器的容器環境建置高可用的系統
利用 Fargate - 無伺服器的容器環境建置高可用的系統
 
AWS Outposts Update
AWS Outposts UpdateAWS Outposts Update
AWS Outposts Update
 
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
 
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
 

Más de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Más de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS re:Inforce 2019

  • 12. Managed rules with AWS Config rules
    • Available*: 86 managed rules
    • Flexible (i.e., several compliance checks in 1 managed rule, using "input parameters")
    • Configure remediation actions using AWS Systems Manager automation documents
    *As of June 2019
  • 13.–16. Managed rules with AWS Config rules (slide title only; the slide body carried no text)
  • 17. Lab 1: Launching a Security Hub standard and a managed AWS Config rule
    Instructions: https://tinyurl.com/aws-compliance-automation
    Note: Use N. Virginia (us-east-1) as AWS Region
  • 18. (no text on this slide)
  • 19.–22. Managed rules with AWS Config rules (slide title only; the slide body carried no text)
  • 23.–24. Compliance-as-code (diagram labels: Rules; Verify; Amazon EC2, AWS CloudTrail, Amazon S3, … (Others))
  • 25. AWS Config
    Keep the inventory of AWS resources, including
    • How they are configured
    • How they are related to one another
    • How the configurations and their relationships have changed over time
    Main components of AWS Config
    • Record continuous configurations (via configuration recorder)
    • Store snapshots and trigger Amazon SNS topics (via delivery channel)
    • Determine compliance against the configurations specified (via rules)
  • 26. AWS Config: Compliance-as-code (diagram)
  • 27. Compliance-as-code (diagram labels: AWS Config; Snapshot of Amazon EC2, AWS CloudTrail, Amazon S3, … (Others))
  • 28. Compliance-as-code (diagram labels: Snapshot; Change triggers and send the configuration item; Rules)
  • 29. Compliance-as-code (diagram labels as on slide 28, plus: Rule 1 on AWS::CloudTrail::Trail; Rule 2 on AWS::S3::Bucket; Rule 3 on AWS::EC2::InternetGateway; Rule 4 on AWS::S3::Bucket)
  • 30. Rules receive what exactly? Introduction to configuration item
  • 31. JSON, absolutely! (the slide groups the fields into Metadata, Common attributes, Relationships and Related events; elided values are as on the slide)
      "configurationItemVersion": "1.0",
      "configurationItemCaptureTime": "2017…",
      "configurationStateId": "….",
      "configurationItemStatus": "OK",
      "resourceId": "vol-ce676ccc",
      "arn": "arn:aws:us-west-………",
      "accountId": "123456789012",
      "availabilityZone": "us-west-2b",
      "resourceType": "AWS::EC2::Volume",
      "resourceCreationTime": "2014-02..",
      "tags": {},
      "relationships": [
        {
          "resourceId": "i-344c463d",
          "resourceType": "AWS::EC2::Instance",
          "name": "Attached to Instance"
        }
      ],
      "relatedEvents": [
        "06c12a39-eb35-11de-ae07-db69edbb1e4"
      ],
  • 32. JSON, absolutely again! (Current configuration)
      "configuration": {
        "volumeId": "vol-ce676ccc",
        "size": 1,
        "snapshotId": "",
        "availabilityZone": "us-west-2b",
        "state": "in-use",
        "createTime": "2017-02-……",
        "attachments": [
          {
            "volumeId": "vol-ce676ccc",
            "instanceId": "i-344c463d",
            "device": "/dev/sdf",
            "state": "attached",
            "attachTime": "2014-03-",
            "deleteOnTermination": false
          }
        ],
        "tags": [
          { "tagName": "environment", "tagValue": "PROD" }
        ],
        "volumeType": "standard"
      }
  • 33. Why are we talking about the configuration item again? Because it allows you to handle the speed of innovation
  • 34. Compliance-as-code (diagram, same labels as slide 29)
  • 35. Compliance-as-code (diagram as slide 29, with counts: Snapshot – 26 services, 75 resource types (*); Managed rules – 86 out-of-the-box rules (*); (*) as of June 2019)
  • 36. What about your other requirements? Introduction to custom rules
  • 37. Example: Verify that all AWS Identity and Access Management (IAM) users are using multi-factor authentication (MFA)
  • 38. Compliance-as-code (diagram, same as slide 35)
  • 39. Compliance-as-code (diagram as slide 35, with the note: Let's pretend that "MFA on IAM users" is not a managed rule…)
  • 40. Compliance-as-code (diagram labels: Snapshot; Change triggers and send the configuration item; Rules; Managed rules)
  • 41. Compliance-as-code (diagram as slide 40, plus Custom rules: Let's create an "MFA on IAM users" rule with custom rules!)
  • 42. Custom rules
    • Are another type of AWS Config rule
    • Provide flexibility
    • Call an AWS Lambda function
    • Include the codified logic to verify that a configuration complies with the expectation
    • Require the PutEvaluation API so that the result is understood by AWS Config rules
  • 43.–50. Compliance-as-code (diagram built up step by step; Custom rules: 1 AWS Lambda function per custom rule)
    • AWS Config runs the function, sends the configuration item and sends the parameters
    • The function receives IAM user information, but nothing on MFA
    • Summon the power of AWS Lambda! (slide 47)
    • Read additional configuration(s) via describe() call
    • Report the result via PutEvaluation()
  • 51. (no text on this slide)
  • 52. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lab 2 Write a rule checking for MFA on an IAM user Instructions: https://tinyurl.com/aws-compliance-automation
  • 53. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Question: What will happen to the rule evaluations if the MFA is removed?
  • 54. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Answer: Nothing = No update
  • 55. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Why?
  • 56–57. [Diagram from slides 48–50 repeated, now adding time triggers: with a time trigger, no configuration item is sent to the AWS Lambda function.]
  • 58. Triggers for rules: choosing periodic and/or configuration changes
  • 59. AWS Config: configuration change trigger vs. periodic trigger
    Configuration change trigger: the configuration item is in the AWS Lambda event; 1 putEvaluation() in the rule code; 1 AWS Lambda function is triggered per resource tracked.
    Periodic trigger: no configuration item is sent to AWS Lambda; 1 putEvaluation() per resource that you evaluate in the rule code; 1 AWS Lambda function only is triggered.
  • 60–63. Choosing the right trigger(s) (table built up over four slides)
    Use case: AWS Config is tracking this resource type. Recommendation: Configuration change.
    Use case: AWS Config is not tracking this resource. Recommendation: Periodic.
    Use case: AWS Config is tracking this resource, and time matters (e.g. you want a daily review). Recommendation: Configuration change and Periodic.
  • 64. Lab 3: Convert your rule into a periodic rule. Instructions: https://tinyurl.com/aws-compliance-automation
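The rule that Labs 2 and 3 ask for, written out as an added example (this is not the lab solution and not the RDK template): a Python AWS Lambda function for an AWS Config custom rule that checks for MFA on an IAM user. It follows the flow of the diagram: the configuration item and parameters arrive in the event, the rule makes an additional describe-style call (IAM ListMFADevices, because the MFA state is not part of the AWS::IAM::User configuration item) and reports through PutEvaluations. The same handler covers the periodic trigger of Lab 3, where no configuration item is sent and the rule enumerates the users itself; that is the path that notices an MFA device being removed, since the removal does not change the configuration item and so never fires a change trigger. The IAM and Config calls are injected as functions so the logic runs offline; the sample users, MFA directory and invocation events are constructed, and `boto3` is only imported inside `lambda_handler`.

```python
import json

RESOURCE_TYPE = "AWS::IAM::User"

def evaluate_user(user_name, list_mfa_devices):
    """Return (compliance_type, annotation) for one IAM user.

    MFA devices are not part of the AWS::IAM::User configuration item, so the rule
    needs an additional describe-style call (IAM ListMFADevices). For the same reason,
    removing an MFA device leaves the configuration item unchanged and does not
    re-trigger a change-triggered rule: hence the periodic path below.
    """
    serials = list_mfa_devices(user_name)
    if serials:
        return "COMPLIANT", "MFA enabled (%d device(s))." % len(serials)
    return "NON_COMPLIANT", "No MFA device is enabled for this IAM user."

def build_evaluation(resource_id, compliance_type, annotation, ordering_timestamp):
    """One entry of the Evaluations list expected by PutEvaluations."""
    return {"ComplianceResourceType": RESOURCE_TYPE,
            "ComplianceResourceId": resource_id,
            "ComplianceType": compliance_type,
            "Annotation": annotation[:256],  # PutEvaluations caps annotations at 256 characters
            "OrderingTimestamp": ordering_timestamp}

def evaluate(event, list_users, list_mfa_devices):
    """Evaluations for one invocation, whichever trigger fired.

    list_users() -> list of (user_id, user_name), used only by the periodic path;
    list_mfa_devices(user_name) -> list of MFA serial numbers.
    """
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event.get("messageType") == "ScheduledNotification":
        # Periodic trigger: no configuration item is sent, so the rule enumerates
        # the users itself and reports one evaluation per user.
        timestamp = invoking_event["notificationCreationTime"]
        evaluations = []
        for user_id, user_name in list_users():
            compliance, annotation = evaluate_user(user_name, list_mfa_devices)
            evaluations.append(build_evaluation(user_id, compliance, annotation, timestamp))
        return evaluations
    # Configuration change trigger: exactly one configuration item, one evaluation.
    item = invoking_event["configurationItem"]
    timestamp = item["configurationItemCaptureTime"]
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return [build_evaluation(item["resourceId"], "NOT_APPLICABLE",
                                 "The IAM user no longer exists.", timestamp)]
    compliance, annotation = evaluate_user(item["configuration"]["userName"], list_mfa_devices)
    return [build_evaluation(item["resourceId"], compliance, annotation, timestamp)]

def lambda_handler(event, context):
    """AWS Lambda entry point: wires the real IAM and Config clients."""
    import boto3  # imported here so the logic above runs offline without the SDK
    iam = boto3.client("iam")
    config = boto3.client("config")

    def list_users():
        pages = iam.get_paginator("list_users").paginate()
        return [(u["UserId"], u["UserName"]) for page in pages for u in page["Users"]]

    def list_mfa_devices(user_name):
        return [d["SerialNumber"] for d in iam.list_mfa_devices(UserName=user_name)["MFADevices"]]

    evaluations = evaluate(event, list_users, list_mfa_devices)
    for start in range(0, len(evaluations), 100):  # PutEvaluations takes at most 100 per call
        config.put_evaluations(Evaluations=evaluations[start:start + 100],
                               ResultToken=event["resultToken"])
    return evaluations

# Constructed sample data so the rule can be exercised offline (not real account data).
SAMPLE_USERS = [("AIDAEXAMPLE0000000001", "alice"), ("AIDAEXAMPLE0000000002", "bob")]
SAMPLE_MFA_DIRECTORY = {"alice": ["arn:aws:iam::123456789012:mfa/alice"], "bob": []}

def sample_list_users():
    return SAMPLE_USERS

def sample_list_mfa_devices(user_name):
    return SAMPLE_MFA_DIRECTORY.get(user_name, [])

def make_change_event(resource_id, user_name, status="OK"):
    """Constructed configuration-change invocation event for one IAM user."""
    item = {"resourceType": RESOURCE_TYPE, "resourceId": resource_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2019-06-01T12:00:00.000Z",
            "configuration": {"userName": user_name}}
    invoking = {"configurationItem": item, "messageType": "ConfigurationItemChangeNotification"}
    return {"invokingEvent": json.dumps(invoking), "ruleParameters": "{}",
            "resultToken": "constructed-token"}

def make_periodic_event():
    """Constructed periodic (scheduled) invocation event: no configuration item inside."""
    invoking = {"messageType": "ScheduledNotification",
                "notificationCreationTime": "2019-06-01T12:00:00.000Z"}
    return {"invokingEvent": json.dumps(invoking), "ruleParameters": "{}",
            "resultToken": "constructed-token"}

if __name__ == "__main__":
    for ev in (make_change_event("AIDAEXAMPLE0000000002", "bob"), make_periodic_event()):
        print(json.dumps(evaluate(ev, sample_list_users, sample_list_mfa_devices), indent=2))
```

Run it as a script to see one evaluation for the change-triggered invocation and one evaluation per sampled user for the periodic one. The split between `evaluate` and `lambda_handler` is deliberate: the decision logic can be unit-tested against constructed configuration items, and only the thin handler touches the SDK.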
  • 66–70. [Diagram, built up over five slides: remediation paths from AWS Config rules to correcting the resources (EC2, CloudTrail, S3, others). Compliance changes are also surfaced through Amazon CloudWatch Events and Security Hub. 1 Getting started in a managed way (manual): a manual trigger on the rule runs a Systems Manager automation that corrects the resource. 2 Getting started in a managed way (auto): a compliance change triggers the Systems Manager automation. 3 More flexibility (manual): a compliance change opens a ticket in Systems Manager OpsCenter, from which the remediation is triggered manually. 4 More flexibility (auto): Amazon CloudWatch Events sends events to 1 AWS Lambda function per event, which corrects the resource.]
  • 71. Lab 4 (on your own time): Create a remediation for your rule. Instructions: https://tinyurl.com/aws-compliance-automation
  • 72. [Diagram from slide 70 repeated, marking path 4, More flexibility (auto), as the subject of Lab 4.]
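Remediation path 4, "More flexibility (auto)", as an added example that is not the Lab 4 solution: a Python AWS Lambda function that receives one AWS Config compliance change event from Amazon CloudWatch Events, decides whether it is a transition into NON_COMPLIANT for a rule on its allow-list, and only then starts a Systems Manager automation against the resource. The rule name `iam-user-mfa-enabled`, the automation document name and its parameters, and the sample event are constructed placeholders; the event shape is the `Config Rules Compliance Change` detail type that CloudWatch Events delivers, and `boto3` is imported only inside `lambda_handler` so the decision logic runs offline.

```python
import json

# Rules this function may remediate, mapped to the Systems Manager automation
# document that corrects the resource. Both names are placeholders, not real documents.
REMEDIATIONS = {"iam-user-mfa-enabled": "Custom-PlaceholderRemediationDocument"}

def parse_compliance_change(event):
    """Extract what a remediation needs from a 'Config Rules Compliance Change' event."""
    if event.get("source") != "aws.config" or event.get("detail-type") != "Config Rules Compliance Change":
        raise ValueError("not an AWS Config compliance change event")
    detail = event["detail"]
    new = detail["newEvaluationResult"]
    old = detail.get("oldEvaluationResult") or {}
    return {"rule": detail["configRuleName"],
            "resource_type": detail["resourceType"],
            "resource_id": detail["resourceId"],
            "new_compliance": new["complianceType"],
            "old_compliance": old.get("complianceType"),
            "annotation": new.get("annotation", ""),
            "account": detail["awsAccountId"],
            "region": detail["awsRegion"]}

def select_remediation(change, remediations=REMEDIATIONS):
    """Return the automation document to start, or None when nothing should happen.

    Only a transition into NON_COMPLIANT for a rule on the allow-list acts; a return to
    COMPLIANT, an unknown rule, or an event that already was NON_COMPLIANT is ignored,
    so a replayed or duplicated event cannot start the automation a second time.
    """
    if change["new_compliance"] != "NON_COMPLIANT" or change["old_compliance"] == "NON_COMPLIANT":
        return None
    return remediations.get(change["rule"])

def build_automation_request(change, document_name):
    """Keyword arguments for SSM StartAutomationExecution; parameter values are lists."""
    return {"DocumentName": document_name,
            "Parameters": {"ResourceId": [change["resource_id"]],
                           "ResourceType": [change["resource_type"]]}}

def lambda_handler(event, context):
    """AWS Lambda entry point: one invocation per compliance change event."""
    import boto3  # imported here so the decision logic above runs offline
    change = parse_compliance_change(event)
    document = select_remediation(change)
    if document is None:
        return {"action": "none", "change": change}
    request = build_automation_request(change, document)
    response = boto3.client("ssm").start_automation_execution(**request)
    return {"action": "remediate", "executionId": response["AutomationExecutionId"], "change": change}

# Constructed sample event in the shape Amazon CloudWatch Events delivers (not a real account).
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "account": "123456789012",
    "time": "2019-06-01T12:05:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "resourceId": "AIDAEXAMPLE0000000002",
        "awsRegion": "us-east-1",
        "awsAccountId": "123456789012",
        "configRuleName": "iam-user-mfa-enabled",
        "messageType": "ComplianceChangeNotification",
        "resourceType": "AWS::IAM::User",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT",
                                "annotation": "No MFA device is enabled for this IAM user."},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}

if __name__ == "__main__":
    change = parse_compliance_change(SAMPLE_EVENT)
    print(json.dumps({"change": change, "document": select_remediation(change)}, indent=2))
```

The allow-list is the control point: the function only ever starts documents it was configured for, and the event filter on `source` and `detail-type` stops it from acting on anything other than a compliance change, which matters because the same Lambda function could otherwise be wired to other CloudWatch Events rules by mistake.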
  • 74. Committed to open source
    Get the code of additional rules (52 custom rules): https://github.com/awslabs/aws-config-rules
    Rule development kit: https://github.com/awslabs/aws-config-rdk
    Multi-account/multi-region engine to manage your rules: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
  • 76. The 3 goals, recapped: 1 Use managed capabilities to get value fast and benefit from the AWS pace of innovation. 2 Customize by writing an AWS Config rule and enjoy with the RDK. 3 Know your remediation paths and leverage automation.
  • 77. Thank you! asraisa@amazon.com jrault@amazon.com