Simplify compliance & improve operational efficiency with AWS - SVC302 - Santa Clara AWS Summit.pdf


In this session, learn how AWS helps customers effectively manage and govern their infrastructure and resources, simplifying compliance and improving efficiency when completing operational tasks. Come hear Anik Mazumder, principal infrastructure architect at Intuit, speak about his company’s experience. We also share some of the latest innovation from AWS Config in this space, and we cover recent releases in AWS management and governance services.


  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Summit. Simplify compliance and improve operational efficiency with AWS (SVC302). Sid Gupta, Sr. Product Manager, AWS Config. Anik Mazumder, Principal Infrastructure Architect, Intuit.
  2. Agenda
     • Managing and governing infrastructure with AWS
     • Using resource inventory for effective governance
     • Role of AWS Config
     • Customer case study: Intuit
     • Recent launches
     • Demos
  4. Our environment is challenging to operate in today
     • Resources devoted to maintenance instead of innovation
     • Functional silos and IT procurement cycles slow down innovation
     • Best-effort security operations may not be sufficient
  5. The challenge of governance vs. agility (diagram)
     • Governance: Define, Discover, Monitor, Manage, Report, Respond
     • Agility: Produce, Adapt, Innovate
  6. Improve business agility while maintaining control (diagram)
     • Governance: Define, Discover, Monitor, Manage, Report, Respond
     • Enable, Provision, Operate
     • Agility: Produce, Adapt, Innovate
  7. AWS management and governance services: improve business agility while maintaining governance control
     • Stages: Enable, Provision, Operate
     • Services shown: AWS Trusted Advisor, AWS Budgets, AWS Cost and Usage Report, AWS Cost Explorer, AWS Service Catalog, AWS CloudFormation, AWS OpsWorks, AWS Marketplace, AWS Control Tower (Preview), AWS Landing Zone, AWS Organizations, AWS Well-Architected Tool, Amazon CloudWatch, AWS CloudTrail, AWS Systems Manager, AWS Config
  9. Inventory management
     • What resources currently exist in my account?
     • What is the latest configuration state of my resources?
     • What relationships exist between my resources?
     • What configuration changes occurred in the last week?
     • Which resources in my account have encryption disabled?
  10. Configuration compliance
     • Are my resources configured based on best practices?
     • Do my resources comply with PCI, HIPAA, or other regulatory requirements?
  11. In summary, resource inventory collection
     ✓ Supports governance initiatives
     ✓ Helps simplify compliance
  12. Which system traditionally performs these functions on-premises? A configuration management database (CMDB)
  13. A traditional CMDB doesn't work for cloud resources
     • Resources are dynamic in the cloud (automatic scaling, Spot Instances, etc.)
     • Real-time discovery of resources is necessary
     • Configuration changes need to be recorded instantly
     • Real-time evaluation of configuration compliance is necessary
     • APIs are needed to integrate with other systems
     • Real-time notifications are necessary for configuration and compliance changes
  14. You need a real-time configuration auditor in the cloud
  15. AWS Config = configuration auditor in AWS
  16. Common use cases
     • Audit & compliance: maintain a history of all configuration changes for audits; verify that configuration changes do not violate policies
     • Security intelligence: security incident/breach analysis; identifying vulnerable resources
     • Operational governance: DevOps compliance (e.g., evaluate CI/CD pipeline configuration); cost optimization (e.g., stop unused resources)
     • Integration with ITSM/CMDB: integration with asset/inventory management systems; change management, incident management
  17. Supported services: 26 AWS services and 72 resource types. Amazon API Gateway, Amazon CloudFront, Amazon CloudWatch, Amazon DynamoDB, Amazon Elastic Compute Cloud, Amazon Elastic Block Store, Amazon Redshift, Amazon Relational Database Service, Amazon S3, Amazon S3 bucket attributes, Amazon Virtual Private Cloud, AWS Auto Scaling, AWS Certificate Manager, AWS CloudFormation, AWS CloudTrail, AWS CodeBuild, AWS CodePipeline, AWS Elastic Beanstalk, AWS Identity and Access Management, AWS Lambda function, AWS Service Catalog, AWS Shield, AWS Systems Manager, AWS WAF, AWS X-Ray, Elastic Load Balancing
  18. Anik Mazumder, Principal Infrastructure Architect, Intuit
  19. Agenda
     ▪ About Intuit
     ▪ Use cases
     ▪ Change tracking
     ▪ Cloud inventory & metadata collection
     ▪ Policy management
  20. AWS footprint
     ▪ Over 1,800 AWS accounts
     ▪ Over 75 major production workloads
     ▪ Close to 40K EC2 instances
     ▪ Over 90K Lambda functions
     ▪ Over 12 PB of Amazon S3 data
     ▪ AWS Config enabled in every account as part of the account creation process
  21. Change tracking
     ▪ What changed in any resource?
     ▪ How do I know what changed for my application?
     ▪ How do I map dependencies between resources?
     ▪ Querying AWS APIs provides only point-in-time snapshots of assets
     ▪ Introduces additional load and complexities
     ▪ Current state (diagram components: Intuit Metadata Service, multiple accounts in the AWS Cloud, Amazon ES, AWS Lambda, AWS Step Functions) → collects metadata and inventory but does not track changes
  22. Simplifying change tracking with AWS Config
     ▪ No need to poll AWS APIs and periodically consolidate resource data using a complex system of Lambda functions and AWS Step Functions
     ▪ Complete resource inventory collection using AWS Config snapshots
     ▪ Quick snapshot of resources under AWS Config and change timelines using the aggregator
     ▪ Dependency mapping between resources
     ▪ Instant notification of changes to resources using CloudWatch Events integration
  23. Change tracking: build a system for consolidating the history of changes to AWS inventory based on AWS Config (diagram components: AWS Config, Amazon CloudWatch, CloudWatch Events, AWS CloudTrail, multiple accounts, central account)
  24. Use case: Cloud metadata (cont'd)
     ▪ Leverage change tracking
     ▪ Federate and cache infrastructure and business metadata
     ▪ Diagram components: AWS Config, AWS CloudTrail, Intuit Metadata Service, Amazon Elasticsearch Service, AWS Lambda, AWS Step Functions
  25. Use case: Change portal
     ▪ UI to view changes to applications / systems
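The change-tracking design in slides 21 to 25 consumes the change notifications AWS Config emits through CloudWatch Events. The following is an added example (not Intuit's or AWS's code) of turning a "Config Configuration Item Change" event into a flat change record for such a store; the sample event is constructed, and the handling of oversized notifications (where the event carries only a summary) is included because dropping those silently would leave gaps in the history.

```python
"""Turn the "Config Configuration Item Change" events that AWS Config sends
through CloudWatch Events into flat change records. Added example, not
Intuit's or AWS's code; the sample event is constructed."""
import json

CHANGE_EVENT = "Config Configuration Item Change"
OVERSIZED = "OversizedConfigurationItemChangeNotification"

def change_record(event):
    """Return a dict describing what changed, or None for non-Config events."""
    if event.get("source") != "aws.config" or event.get("detail-type") != CHANGE_EVENT:
        return None
    detail = event["detail"]
    # Oversized notifications carry only a summary; the full item is delivered to S3.
    item = detail.get("configurationItem") or detail.get("configurationItemSummary") or {}
    record = {"account": event.get("account"), "region": event.get("region"),
              "time": detail.get("notificationCreationTime"),
              "resourceType": item.get("resourceType"), "resourceId": item.get("resourceId"),
              "changeType": None, "changes": {}}
    if detail.get("messageType") == OVERSIZED:
        record["changeType"] = "OVERSIZED"  # flag for a follow-up fetch instead of dropping it
        return record
    diff = detail.get("configurationItemDiff") or {}
    record["changeType"] = diff.get("changeType")  # CREATE, UPDATE or DELETE
    for prop, change in (diff.get("changedProperties") or {}).items():
        record["changes"][prop] = (change.get("previousValue"), change.get("updatedValue"))
    return record

def lambda_handler(event, context):
    """Entry point when the function is the target of a CloudWatch Events rule."""
    record = change_record(event)
    if record is not None:
        print(json.dumps(record, default=str))  # stand-in for writing to the change store
    return record

# Constructed sample: a security group gained an ingress rule open to the world.
SAMPLE_EVENT = {
    "source": "aws.config", "detail-type": CHANGE_EVENT,
    "account": "111122223333", "region": "us-west-2",
    "detail": {
        "messageType": "ConfigurationItemChangeNotification",
        "notificationCreationTime": "2019-05-01T10:00:00.000Z",
        "configurationItemDiff": {"changeType": "UPDATE", "changedProperties": {
            "Configuration.IpPermissions.0": {"changeType": "CREATE", "previousValue": None,
                "updatedValue": {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                 "ipRanges": ["0.0.0.0/0"]}}}},
        "configurationItem": {"resourceType": "AWS::EC2::SecurityGroup",
                              "resourceId": "sg-0123456789abcdef0"},
    },
}
```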
  26. Policy management
     ▪ How do I define infrastructure policies?
     ▪ How do I enforce policies across thousands of accounts?
     ▪ How can I track changes in compliance status?
     ▪ How do I remediate violations?
  27. Policy management: Current state. Centralized policy management integrated into the existing framework (diagram components: monitoring, notification, centralized deployment, policy classification, bundling & target selection; policy Lambda, CloudTrail and CloudWatch in the target account)
  28. Policy management using AWS Config rules
     ▪ Integrated state management
     ▪ With managed rules, no need to manage Lambda functions in the target account
     ▪ Instant feedback on compliance state changes through CloudWatch Events integration
     ▪ Better control of remediation actions using Systems Manager Automation documents
     ▪ With custom rules, ability to deploy complex compliance logic
     ▪ Integrated compliance dashboard with the AWS Config rule aggregator
  29. Policy management with AWS Config rules: AWS Config-based centralized policy management integrated into the existing framework (diagram components: AWS Config rule, policy Lambda, CloudTrail, CloudWatch, Systems Manager Automation documents, remediation Lambda)
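Slide 28 notes that custom rules let you deploy your own compliance logic. As an added example (not Intuit's or AWS's code), here is a custom AWS Config rule Lambda that flags RDS DB instances with PubliclyAccessible set to true, returning NOT_APPLICABLE for deleted resources and other resource types so they do not pollute the compliance dashboard; the sample configuration item is constructed and db-EXAMPLE123 is a placeholder id.

```python
"""Custom AWS Config rule (Lambda) that flags publicly accessible RDS DB
instances, an instance of the "complex compliance logic" custom rules allow.
Added example, not Intuit's or AWS's code; the invokingEvent/resultToken
contract and PutEvaluations shape are the custom-rule interface, the sample
item is constructed, and db-EXAMPLE123 is a placeholder resource id."""
import json

NOT_APPLICABLE, COMPLIANT, NON_COMPLIANT = "NOT_APPLICABLE", "COMPLIANT", "NON_COMPLIANT"
DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded")

def evaluate(item):
    """Decide compliance for one configuration item; pure so it can be unit tested."""
    if item.get("resourceType") != "AWS::RDS::DBInstance":
        return NOT_APPLICABLE, "rule only evaluates RDS DB instances"
    if item.get("configurationItemStatus") in DELETED:
        return NOT_APPLICABLE, "resource deleted or not recorded"
    cfg = item.get("configuration") or {}
    if cfg.get("publiclyAccessible") is True:
        return NON_COMPLIANT, "PubliclyAccessible is true"
    return COMPLIANT, "PubliclyAccessible is false"

def build_evaluation(item):
    """Shape one evaluate() result the way PutEvaluations expects it."""
    compliance, annotation = evaluate(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Config invokes this with the configuration item JSON-encoded in invokingEvent."""
    import boto3  # imported here so evaluate() stays runnable without boto3 installed
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:  # periodic ScheduledNotification: nothing to evaluate in this rule
        return None
    evaluation = build_evaluation(item)
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                          ResultToken=event["resultToken"])
    return evaluation

# Constructed sample item for a DB instance reachable from the internet.
SAMPLE_ITEM = {
    "resourceType": "AWS::RDS::DBInstance", "resourceId": "db-EXAMPLE123",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2019-05-01T10:00:00.000Z",
    "configuration": {"dBInstanceIdentifier": "orders-db", "publiclyAccessible": True},
}
```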
  31. New feature: Advanced query
     • Configuration attribute-based queries against current-state metadata
     • Single endpoint to query metadata across AWS services
     • Uses a subset of structured query language (SQL) SELECT syntax
     • Sample queries available out of the box
     • Available at no additional cost for AWS Config customers
     • Available in all AWS commercial regions and the AWS GovCloud (US) regions
  32. Advanced query: Use cases
     • Inventory management: identify resources that meet specific criteria (e.g., EC2 instances of size "xlarge"; MySQL databases running an old version)
     • Cost management: identify unused resources (e.g., EBS volumes that are not in use)
     • Change management: understand the impact of a change (e.g., view resources related to a security group)
     • Security management: identify resources that may be vulnerable (e.g., view all RDS DB instances that are publicly accessible)
  33. Getting started
     01. Enable AWS Config in your account.
     02. In the AWS Config console, go to Resources > Advanced query.
     03. Run a sample query, or write your own.
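The advanced query feature above is also exposed through the SelectResourceConfig API, which returns result rows as JSON strings and pages with NextToken. The following added example (not AWS's code) writes one query for each use case on slide 32 and pages through the results with boto3; it assumes AWS Config is enabled and the caller is allowed config:SelectResourceConfig, sg-0123456789abcdef0 is a placeholder security group id, and a constructed fake client lets the paging logic run offline.

```python
"""Run AWS Config advanced queries (the SQL-subset feature above) through the
SelectResourceConfig API and page through the results. Added example, not
AWS's code; assumes AWS Config is enabled and the caller is allowed
config:SelectResourceConfig. sg-0123456789abcdef0 is a placeholder and the
fake client is constructed so the paging logic runs offline."""
import json

# One query per use case on slide 32; fields are configuration-item attributes.
QUERIES = {
    "xlarge_instances": "SELECT resourceId, configuration.instanceType "
                        "WHERE resourceType = 'AWS::EC2::Instance' "
                        "AND configuration.instanceType LIKE '%xlarge'",
    "unused_volumes": "SELECT resourceId, configuration.size "
                      "WHERE resourceType = 'AWS::EC2::Volume' "
                      "AND configuration.status = 'available'",
    "related_to_sg": "SELECT resourceId, resourceType "
                     "WHERE relationships.resourceId = 'sg-0123456789abcdef0'",
    "public_rds": "SELECT resourceId, awsRegion "
                  "WHERE resourceType = 'AWS::RDS::DBInstance' "
                  "AND configuration.publiclyAccessible = true",
}

def select_all(client, expression, page_size=100):
    """Follow NextToken until the result set is exhausted; rows arrive as JSON strings."""
    rows, kwargs = [], {"Expression": expression, "Limit": page_size}
    while True:
        page = client.select_resource_config(**kwargs)
        rows.extend(json.loads(r) for r in page.get("Results", []))
        if not page.get("NextToken"):
            return rows
        kwargs["NextToken"] = page["NextToken"]

class FakeConfigClient:
    """Constructed stand-in for boto3's Config client: two pages for any query."""
    _PAGES = [
        {"Results": ['{"resourceId": "db-AAA", "awsRegion": "us-east-1"}'], "NextToken": "page-2"},
        {"Results": ['{"resourceId": "db-BBB", "awsRegion": "us-west-2"}']},
    ]
    def __init__(self):
        self.calls = []
    def select_resource_config(self, **kwargs):
        self.calls.append(dict(kwargs))
        return self._PAGES[len(self.calls) - 1]

if __name__ == "__main__":
    import boto3  # real client only when run against an account
    cfg = boto3.client("config")
    for name, expression in QUERIES.items():
        print(name, json.dumps(select_all(cfg, expression), indent=2))
```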
  36. Customer testimonial: "The new AWS Config 'advanced query' feature enables us to build powerful tools that provide better insight into our infrastructure. With hundreds of microservices deployed in multiple regions, having in-depth visibility into the relationships between the thousands of AWS resources we use is extremely helpful for resource discovery, diagnostics, and auditing purposes. The advanced query feature provides a centralized location and an easy-to-use tool to obtain the critical details we need about our AWS infrastructure." Bradley Segobiano, Software Engineer, Genesys PureCloud
  37. Remediation with AWS Config rules
     • Managed experience to remediate noncompliant resources
     • Managed AWS Config rules come with recommended remediation actions
     • Select from a list, or create your own action using Systems Manager Automation documents
     • Invoke remediation for noncompliant resources through the console or the APIs
     • Pricing is based on usage of Systems Manager Automation documents
     • Available in all AWS commercial regions and AWS GovCloud (US-West)
  38. Getting started
     01. Select a managed AWS Config rule in your account.
     02. Add a remediation action.
     03. Invoke the action manually through the console or API.
  40. Demo video
  41. Additional resources
     • http://tinyurl.com/yyj92a7y
     • http://tinyurl.com/y5q3gxdz
     • http://tinyurl.com/yxgo6f9b
     • http://tinyurl.com/y2vu9aq5
  42. Conclusion
     • Inventory management and configuration compliance are key pillars of effective cloud governance
     • Traditional CMDBs don't do the job
     • AWS Config is your configuration auditor for the cloud
     • Use the advanced query and AWS Config rules remediation capabilities
  44. Other new releases in AWS management and governance
     • Use service control policies to set permission guardrails across accounts with AWS Organizations
     • Amazon Comprehend is now integrated with AWS CloudTrail
     • AWS OpsWorks for Chef Automate and AWS OpsWorks for Puppet Enterprise now support AWS CloudFormation
     • AWS Systems Manager now supports on-premises instance management for large hybrid environments
     • Amazon Aurora Serverless publishes logs to Amazon CloudWatch
     • AWS RoboMaker now supports new languages, tagging, and AWS CloudFormation
     • For more details: https://aws.amazon.com/new/#management-and-governance
  45. Thank you! Sid Gupta, sidgup@amazon.com. Anik Mazumder, Intuit.
