
Delivering infrastructure, security, and operations as code with AWS - DEM10-S - Chicago AWS Summit

1,888 views

The move to AWS enables new application and architectural patterns that are in a continual state of change. The only way that your infrastructure, security, and operations can keep pace with these changes is with automation. In this session, we discuss the various automation tools you can use to first deploy the AWS infrastructure (infrastructure as code), add the VM-Series to protect against threats (security as code), and then automatically update the policy based on Amazon GuardDuty or AWS Security Hub findings (operations as code). A brief demonstration concludes the session. This presentation is brought to you by AWS partner Palo Alto Networks.


  1. INFRASTRUCTURE, SECURITY AND OPERATIONS “AS CODE”
     Kambiz Kazemi, Consulting Engineer, Palo Alto Networks
     © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT
  2. CLOUD AUTOMATION DRIVERS
     • Agility, DevSecOps, Multi-cloud
     • Palo Alto Networks Automation Capabilities
     • Cloud Security Automation Stack
     • Applying Cloud Security Automation
     • Composable Automation Eco-system
     • Distributable Security
     • Cloud Adoption and Benefits
  3. NEED FOR AUTOMATION
     • Rapidly deploy new applications: Dev → Test → Prod
     • Improve security, increase agility, reduce effort to achieve business goals
     • Inject security into DevOps → DevSecOps
     [Diagram: App / Network / Security layers; Infrastructure as Code and Security as Code; tools shown: Ansible, AWS CloudFormation Templates, Terraform Provider for AWS, Terraform Provider for PAN-OS; “Infrastructure & Ongoing Configuration ‘as code’”; Key Stakeholder Involvement; Accelerate Adoption; Automation]
  4. ACCELERATE SECURE CLOUD DEPLOYMENTS
     • Quick, Reproducible, Repeatable, Scalable
     • Deploy in minutes
     [Diagram: app1, app2, app3 deployed across Region1 and Region2]
  5. CLOUD SECURITY AUTOMATION STACK
     • Infrastructure Build-Out: Terraform Cloud Templates (Infrastructure as Code)
     • Security Layer: Terraform Provider (PAN-OS) (Security as Code)
     • Operations: Terraform Integration (Automated Incident Response)
     • Repeatable, Consistent, Agile, and Secure
     • Other public clouds
  6. INFRASTRUCTURE AS CODE: BUILD THE ENVIRONMENT
     • Manual Process: slow, delayed and extended rollouts
     • Infrastructure as Code: deployed in minutes, highly reproducible, agile
     [Diagram: Region 1 and Region 2, each with VPCs carrying Untrust and Trust security groups]
  7. INFRASTRUCTURE AS CODE: FIREWALL HUB WITH ALBs
     • Fully automated
     • Blueprint developed and pushed out company wide
     • Huge cost savings
     • VM-Series natively integrated with cloud capabilities
     • Next: Automate build out of LOB (Line of Business) applications
     [Diagram: Application Load Balancers with Ingress paths into the firewall hub]
  8. SECURITY AS CODE: INTEGRATE LOB WITH FIREWALL HUB
     • Automate the creation of private link tunnels
     • Automate deployment of NAT and Security policies
     • Seamless integration: App + Security = business objectives
     • We can do more!
     • Next: Feed threat intel to VM-Series to block attacks from new sources.
     [Diagram: VPN Connection, VPN GW, PrivateLink, Application Load Balancers with Ingress paths, Network Load Balancers]
  9. OPS AS CODE: AMAZON GUARDDUTY INTEGRATION
     1) Amazon GuardDuty sends security alerts (e.g. a malicious IP address) to AWS CloudWatch
     2) Amazon CloudWatch event triggers a Lambda function
     3) Register the malicious IP to a Dynamic Address Group (DAG) using the XML API
     4) DAGs used in security policy to drop matching sessions (Policy: Drop Session)
     [Diagram: Amazon GuardDuty → Amazon CloudWatch → Lambda Function → Dynamic Address Group on the VM-Series in the Untrust security group of the VPC]
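The four-step GuardDuty → CloudWatch → Lambda → Dynamic Address Group flow on this slide, written out as an added Python example; it is not the presenter's or Palo Alto Networks' code. It assumes the CloudWatch Events envelope for a GuardDuty finding, the PAN-OS User-ID XML API `register` message as I understand it (check it against the PAN-OS version in use), a constructed sample finding, and a tag name `guardduty-malicious` that the DAG in the drop policy is assumed to match on; the HTTPS call to the firewall is left as a placeholder and the handler returns the prepared request body instead.

```python
import ipaddress
import urllib.parse
from xml.etree import ElementTree as ET

# Constructed sample: a GuardDuty finding as delivered through a CloudWatch Events rule.
# 198.51.100.23 is a documentation (TEST-NET-2) address standing in for the remote host.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "service": {"action": {"actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
    },
}

DAG_TAG = "guardduty-malicious"  # assumed tag that the DAG in the drop policy matches on
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def extract_remote_ips(event):
    """Collect remote IPv4 addresses from the finding; skip RFC 1918, loopback and link-local."""
    action = event.get("detail", {}).get("service", {}).get("action", {})
    found = []
    for key in ("networkConnectionAction", "awsApiCallAction"):
        found.append(action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4"))
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        found.append(probe.get("remoteIpDetails", {}).get("ipAddressV4"))
    ips = []
    for ip in filter(None, found):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in INTERNAL) and ip not in ips:
            ips.append(ip)
    return ips

def build_uid_register(ips, tag=DAG_TAG):
    """Build the User-ID 'register' message that tags each IP so the DAG picks it up (step 3)."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "2.0"
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip in ips:
        entry = ET.SubElement(register, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")

def lambda_handler(event, context=None):
    """Lambda entry point (step 2): parse the finding and prepare the XML API registration."""
    ips = extract_remote_ips(event)
    if not ips:
        return {"registered": [], "body": None}
    # Form body for POST https://<firewall>/api/ ; the API key belongs in Secrets Manager, not code.
    body = urllib.parse.urlencode({"type": "user-id", "cmd": build_uid_register(ips), "key": "<API_KEY>"})
    return {"registered": ips, "body": body}
```

Once the tagged IP is in the DAG, the existing drop rule on the VM-Series applies to new sessions from it without a policy commit, which is what makes step 4 fast enough for incident response.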
  10. SUMMARY & KEY TAKEAWAYS
     • Framework developed with real world use case and workflows
     • Collaboration based on inputs from customers and cloud providers
     • Readily available templates
     • Easy to adopt and use
     • Highly composable
     • Well defined integration points
     [Diagram: building metaphor (Foundation, Pillars, Beams, Cupola) labelled Palo Alto Networks VM-Series Infrastructure Templates, Composable Cloud Security, Cloud Success with Security, Cloud Native Templates, Cloud Native Tunnels, Automation with Terraform Security Provider, devsecops, Extensible]
  11. DEMO: CLOUD SECURITY AT THE SPEED OF DEVOPS
     Actors: Firewall admin (Sec Team), Developer (App Team)
     0. Infrastructure as code using Terraform templates
     1. Push new app
     2. Deploy app (AWS CodeDeploy)
     3. Commit app security policy
     4. Poll and pull changes
     5. Push VM-Series policy using PAN-OS Terraform provider
     Repeat / Refine / Update
     [Diagram: web app with root volume and data volume in Availability zone 1, inside an Auto Scaling group and security groups]
  12. Thank you!
