© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automated Compliance and Governance with AWS Config and AWS CloudTrail
Sid Gupta (CISSP), Sr. Product Manager, AWS Config
Chayan Biswas, Sr. Product Manager, AWS Config
June 6, 2017
What to expect from the session?
• Governance and Compliance – should I care? (yes)
• Why automate?
• Overview of CloudTrail and Config
• Use cases and examples
What is Governance and Compliance?
Governance is the oversight role and the process by which
companies manage and mitigate business risks.
Compliance ensures that an organization has the process
and internal controls to meet the requirements imposed by
the governance body.
Do I need Cloud Governance?
• Cloud introduces a few fundamental changes to traditional IT
- Provision IT resources via self-service, APIs
- Pay-as-you-go pricing
- Dynamic scaling
- Resources may be short-lived
• Lack of policy and process consistency could negate the benefits of
being in the cloud
Steps to ensure Governance and Compliance
• Understand your IT environment
• Document all compliance requirements
• Design and implement controls to meet the organization’s compliance requirements
• Identify and document controls owned by outside parties
• Verify that all control objectives are met
Why automate?
• Hard to keep track of resource inventory
• Numerous compliance requirements (CIS benchmarks*, PCI, HIPAA)
• Continuous assessment
• Growth is good, but it comes with its challenges
* CIS Benchmarks
AWS Management Tools
― AWS CloudFormation
― AWS Service Catalog
― AWS OpsWorks
― EC2 Systems Manager
― Amazon CloudWatch
― AWS CloudTrail
― AWS Config
― AWS Trusted Advisor
Range of capabilities
(Diagram spanning AWS CloudFormation, AWS Service Catalog, AWS CloudTrail, AWS Config and Amazon CloudWatch)
Provision: Speed, Infra. as code, Templatize
Agility: Self-service, Delineated access privilege
Control: Guardrails, Alarm, Auto-correct
Visibility: Audit, Troubleshoot
We’ll focus on…
― AWS CloudFormation
― AWS Service Catalog
― AWS OpsWorks
― EC2 Systems Manager
― Amazon CloudWatch
― AWS CloudTrail
― AWS Config
― AWS Trusted Advisor
What is CloudTrail?
(Diagram: Management Console, CLI and SDK calls on AWS resources → AWS CloudTrail → S3 Bucket (archive and audit) and Amazon CloudWatch (monitor, alarm and react); troubleshoot)
What is CloudTrail?
• Records API calls made on your AWS account
• Delivers logs for audits and compliance
• Provides visibility into account activity (API, console logins etc.)
• Troubleshoot with lookup capability
• Alarm and take actions with Amazon CloudWatch
• New! S3 Data Events: Get object-level API activity
Common Use Cases
• Compliance Aid
• Security Analysis
• Data Exfiltration
• Operational Troubleshooting
AWS Config
(Diagram: AWS Config records changing resources and provides Config Rules, history and snapshots, notifications, and normalized API access)
• Continuous recording of configuration
• Inventory of AWS resources, includes deleted
• View resource relationships
• New! OS level patches, installed applications, network configuration with EC2 Systems Manager
• Check compliance with desired configuration using rules
• Pre-built rules by AWS, Custom rules using AWS Lambda
• Configuration and Compliance change notifications
• Compliance dashboard
• GitHub repo: Community sourced rules
Common Use Cases
• Continuous monitoring
• Continuous assessment
• Audit and Compliance
• Change management
• Operational troubleshooting
Demo Scenario (Gain visibility into the cloud)
Use CloudTrail to look up API activity for a specific user, view activity details and configuration changes via AWS Config integration
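The lookup in this demo, as an added example (not code from the AWS deck): it filters a CloudTrail log file of the kind delivered to S3 for one IAM user and separately flags any event that stopped or reconfigured a trail, then asks the same question of the LookupEvents API that sits behind the console's event history. The log records, account id, ARNs and IP addresses are constructed sample data; the CloudTrail client is passed in so the function can be exercised without AWS credentials.

```python
"""Look up CloudTrail activity for one user and flag changes to logging itself.

Added example; the records below are constructed in the CloudTrail log-file
format (account id, ARNs, group id and IPs are placeholders).
"""
import json

SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2017-06-06T14:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2017-06-06T14:03:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2017-06-06T13:58:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": None},
]})

# Management events that stop, delete or reconfigure the audit trail itself.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(log_file_text):
    """Parse one CloudTrail log file and return its records oldest first."""
    records = json.loads(log_file_text)["Records"]
    return sorted(records, key=lambda r: r["eventTime"])  # ISO-8601 Zulu sorts lexically


def user_name(record):
    """The principal's user name; roles and root have none, so fall back to the ARN."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn", "unknown")


def events_for_user(records, name):
    """All records made by the named IAM user."""
    return [r for r in records if user_name(r) == name]


def trail_tampering(records):
    """Records that stopped, deleted or reconfigured a trail."""
    return [r for r in records
            if r["eventSource"] == "cloudtrail.amazonaws.com"
            and r["eventName"] in TRAIL_TAMPERING_EVENTS]


def summarize(record):
    """One line per event, in the order the console's event history shows them."""
    return "{eventTime} {user} {eventName} ({eventSource}) from {sourceIPAddress}".format(
        user=user_name(record), **record)


def lookup_user_events(cloudtrail, name):
    """Same question asked of the LookupEvents API (90 days of history).

    `cloudtrail` is a boto3 CloudTrail client or any object with the same
    lookup_events method; results are paginated with NextToken.
    """
    events = []
    kwargs = {"LookupAttributes": [{"AttributeKey": "Username", "AttributeValue": name}]}
    while True:
        page = cloudtrail.lookup_events(**kwargs)
        events.extend(page.get("Events", []))
        if "NextToken" not in page:
            return events
        kwargs["NextToken"] = page["NextToken"]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    for r in events_for_user(recs, "alice"):
        print(summarize(r))
    for r in trail_tampering(recs):
        print("TRAIL CHANGE:", summarize(r))
```

The log-file path is what you run over an S3 archive after the fact; `lookup_user_events` is the live path, and with a real client (`boto3.client("cloudtrail")`) it returns the same events the console lists under the user's name. A `StopLogging` record is worth surfacing on its own because everything after it is missing from the trail.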
Demo scenario (Automating governance & compliance)
Notify the Cloud Admin if there exist any EC2 Security Groups that allow unrestricted access to port 22 (SSH)
Demo Scenario (Instance level software configurations)
Use EC2 SM to set up inventory collection and use Config to get a complete trackable history of:
• OS updates/patches
• Installed applications
• Network configuration etc.
Continuously assess compliance with Config rules.
Auto-remediate the issue when an EC2 Security Group that allows unrestricted access to port 22 (SSH) is detected by revoking the ingress rule.
(Diagram: AWS Config detects an Amazon EC2 Security Group allowing 0.0.0.0/0 on port 22 from the Internet, invokes a Lambda function, and notifies users via Amazon SNS)
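The Config rule Lambda behind this scenario, as an added example (not the deck's or AWS's own code): it evaluates the security group's configuration item, revokes only the world-open CIDR on the offending entry, notifies an SNS topic, and reports the result to Config. Assumed here: the configuration item shape is the one Config delivers for `AWS::EC2::SecurityGroup`, the clients are injected so the logic can run offline, and the group id, result token and topic ARN are constructed placeholders. It goes beyond the deck's 0.0.0.0/0 case in also treating `::/0`, a port range that spans 22, and "all traffic" (protocol -1) as unrestricted SSH, and in returning NOT_APPLICABLE for a group that has already been deleted.

```python
"""Config custom rule: flag and revoke SSH open to the world on a security group.

Added example. Configuration item shape assumed to be Config's for
AWS::EC2::SecurityGroup; ids, token and topic ARN are placeholders.
"""
import json
import os

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed item: SSH from a private range and from everywhere, plus HTTPS
# from everywhere, which this rule must leave alone.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2017-06-06T14:01:30.000Z",
    "configuration": {"groupId": "sg-0123456789abcdef0", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": ["10.0.0.0/8", "0.0.0.0/0"]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
}


def build_event(item, result_token):
    """Wrap a configuration item the way Config hands it to the rule's Lambda."""
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "resultToken": result_token}


SAMPLE_EVENT = build_event(SAMPLE_ITEM, "placeholder-token")


def cidrs_of(permission):
    """Every CIDR on one ipPermissions entry: v4 in either shape Config uses, plus v6."""
    cidrs = list(permission.get("ipRanges") or [])
    cidrs += [r.get("cidrIp") for r in permission.get("ipv4Ranges") or []]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges") or []]
    return [c for c in cidrs if c]


def covers_ssh(permission):
    """True when the entry admits TCP 22: exactly, inside a range, or as all traffic."""
    proto = str(permission.get("ipProtocol"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    low, high = permission.get("fromPort"), permission.get("toPort")
    return low is not None and high is not None and low <= SSH_PORT <= high


def open_ssh_permissions(configuration):
    """(permission, world_cidr) pairs that expose SSH to everyone."""
    return [(perm, cidr)
            for perm in configuration.get("ipPermissions", []) if covers_ssh(perm)
            for cidr in cidrs_of(perm) if cidr in WORLD_CIDRS]


def revoke_permission(ec2, group_id, permission, cidr):
    """Revoke only the world CIDR on this entry; other sources on it stay."""
    spec = {"IpProtocol": permission["ipProtocol"]}
    if spec["IpProtocol"] != "-1":  # all-traffic entries carry no ports
        spec["FromPort"], spec["ToPort"] = permission["fromPort"], permission["toPort"]
    if ":" in cidr:
        spec["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        spec["IpRanges"] = [{"CidrIp": cidr}]
    ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[spec])
    return spec


def evaluate_and_remediate(event, ec2, config, sns, topic_arn):
    """Evaluate the group, revoke offenders, notify, and report back to Config."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    group_id = item["resourceId"]
    revoked = []
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceNotRecorded"):
        compliance = "NOT_APPLICABLE"  # nothing left to evaluate or fix
    else:
        offenders = open_ssh_permissions(item.get("configuration") or {})
        revoked = [revoke_permission(ec2, group_id, p, c) for p, c in offenders]
        compliance = "NON_COMPLIANT" if offenders else "COMPLIANT"
        if revoked:
            sns.publish(TopicArn=topic_arn, Subject="SSH open to the world revoked",
                        Message=json.dumps({"groupId": group_id, "revoked": revoked}))
    config.put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": group_id,
                      "ComplianceType": compliance,
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    return compliance, revoked


def lambda_handler(event, context):
    """Lambda entry point; real clients are created only here."""
    import boto3  # deferred so the evaluation logic imports without boto3 installed
    return evaluate_and_remediate(event, boto3.client("ec2"), boto3.client("config"),
                                  boto3.client("sns"), os.environ["TOPIC_ARN"])
```

The rule reports NON_COMPLIANT for the change that was caught, so the compliance timeline records the drift; the revocation itself produces a new configuration item, and that follow-up evaluation comes back COMPLIANT. The Lambda's role needs `ec2:RevokeSecurityGroupIngress`, `config:PutEvaluations` and `sns:Publish` on the topic, and nothing wider.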
Demo scenario (Automating governance & compliance)
Automatically turn on CloudTrail logging if it has been disabled
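One way to implement this scenario, as an added example that is not the deck's own code: a periodic AWS Config custom rule whose Lambda checks every trail in the region and calls StartLogging on any that has been stopped, recording the drift against the account. The choice of a periodic rule as the trigger (a CloudWatch Events rule matching the `StopLogging` API call would work as well), and the sample trail names, ARNs and account id, are assumptions; the CloudTrail and Config clients are injected so the logic runs offline.

```python
"""Turn CloudTrail logging back on when a trail has been stopped.

Added example written as the Lambda behind a periodic Config rule; trail names,
ARNs and the account id are constructed placeholders.
"""
import json

# Constructed periodic-rule invoking event in the shape Config sends.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ScheduledNotification",
                                 "awsAccountId": "111122223333",
                                 "notificationCreationTime": "2017-06-06T15:00:00.000Z"}),
    "resultToken": "placeholder-token",
}


def trails_not_logging(cloudtrail):
    """(name, arn) of each trail in this region whose status is not logging.

    includeShadowTrails=False skips replicas of multi-region trails owned by
    another region; those have to be restarted from their home region.
    """
    stopped = []
    for trail in cloudtrail.describe_trails(includeShadowTrails=False)["trailList"]:
        status = cloudtrail.get_trail_status(Name=trail["TrailARN"])
        if not status.get("IsLogging", False):
            stopped.append((trail["Name"], trail["TrailARN"]))
    return stopped


def restart_logging(cloudtrail, stopped):
    """Call StartLogging for each stopped trail; return the names restarted."""
    for _name, arn in stopped:
        cloudtrail.start_logging(Name=arn)
    return [name for name, _arn in stopped]


def evaluate(event, cloudtrail, config):
    """Periodic rule body: fix stopped trails and record the drift against the account.

    The cycle that finds a stopped trail is reported NON_COMPLIANT so the Config
    compliance timeline keeps a record of the incident; the next scheduled run,
    with every trail logging again, reports COMPLIANT.
    """
    invoking = json.loads(event["invokingEvent"])
    stopped = trails_not_logging(cloudtrail)
    restarted = restart_logging(cloudtrail, stopped)
    compliance = "NON_COMPLIANT" if stopped else "COMPLIANT"
    annotation = "All trails logging"
    if restarted:
        annotation = ("Restarted logging on: " + ", ".join(restarted))[:256]  # API limit
    config.put_evaluations(
        Evaluations=[{"ComplianceResourceType": "AWS::::Account",
                      "ComplianceResourceId": invoking["awsAccountId"],
                      "ComplianceType": compliance,
                      "Annotation": annotation,
                      "OrderingTimestamp": invoking["notificationCreationTime"]}],
        ResultToken=event["resultToken"])
    return compliance, restarted


def lambda_handler(event, context):
    """Lambda entry point; real clients are created only here."""
    import boto3  # deferred so the logic above imports without boto3 installed
    return evaluate(event, boto3.client("cloudtrail"), boto3.client("config"))
```

The Lambda's role needs `cloudtrail:DescribeTrails`, `cloudtrail:GetTrailStatus`, `cloudtrail:StartLogging` and `config:PutEvaluations`; pairing the rule with an IAM policy that denies `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail` to every principal other than an administrative break-glass role keeps the remediation from becoming a recurring event.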
Summary
CloudTrail and Config provide:
• Broad and deep visibility for security and compliance
• Governance and Compliance as code
• Enable: standardization, self-service, and automation
Find out more here:
https://aws.amazon.com/cloudtrail/
https://aws.amazon.com/config/
Management tools:
https://aws.amazon.com/products/management