automated compliance and governance with aws config and aws cloudtrail - june 2017 aws online tech...

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Automated Compliance and Governance with AWS Config and AWS CloudTrail

June 6, 2017

Sid Gupta (CISSP), Sr. Product Manager, AWS Config

Chayan Biswas, Sr. Product Manager, AWS Config



What to expect from the session?

• Governance and Compliance – should I care? (yes)

• Why automate?

• Overview of CloudTrail and Config

• Use cases and examples

What is Governance and Compliance?

Governance is the oversight role and the process by which companies manage and mitigate business risks.

Compliance ensures that an organization has the process and internal controls to meet the requirements imposed by the governance body.

Do I need Cloud Governance?

• Cloud introduces a few fundamental changes to traditional IT:

  - Provision IT resources via self-service and APIs

  - Pay-as-you-go pricing

  - Dynamic scaling

  - Resources may be short-lived

• Lack of policy and process consistency could negate the benefits of being in the cloud

AWS Shared Responsibility model

Steps to ensure Governance and Compliance

• Understand your IT environment

• Document all compliance requirements

• Design and implement controls to meet the organization’s compliance requirements

• Identify and document controls owned by outside parties

• Verify that all control objectives are met

Why automate?

• Hard to keep track of resource inventory

• Numerous compliance requirements (CIS benchmarks, PCI, HIPAA)

• Continuous assessment

• Growth is good, but it comes with its challenges

* CIS Benchmarks

AWS Management Tools

― AWS CloudFormation

― AWS Service Catalog

― AWS OpsWorks

― EC2 Systems Manager

― Amazon CloudWatch

― AWS CloudTrail

― AWS Config

― AWS Trusted Advisor

Range of capabilities (diagram)

Provision: speed, infrastructure as code, templatize

Agility: self-service, delineated access privilege

Guardrails: control, alarm, auto-correct

Visibility: audit, troubleshoot

Tools shown along this range: AWS CloudFormation, AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch

We’ll focus on…

― AWS CloudFormation

― AWS Service Catalog

― AWS OpsWorks

― EC2 Systems Manager

― Amazon CloudWatch

― AWS CloudTrail

― AWS Config

― AWS Trusted Advisor

What is CloudTrail? (diagram)

Activity from the Management Console, CLI and SDK against AWS resources is recorded by AWS CloudTrail, which delivers it to an S3 bucket (archive and audit) and to Amazon CloudWatch (monitor, alarm and react); lookup supports troubleshooting.

What is CloudTrail?

• Records API calls made on your AWS account

• Delivers logs for audits and compliance

• Provides visibility into account activity (API calls, console logins, etc.)

• Troubleshoot with the lookup capability

• Alarm and take actions with Amazon CloudWatch

• New! S3 Data Events: Get object-level API activity

Common Use Cases

• Compliance Aid

• Security Analysis

• Data Exfiltration

• Operational Troubleshooting

AWS Config (diagram)

AWS Config records changing resources in a normalized form and exposes Config Rules, history and snapshots, notifications, and API access.

• Continuous recording of configuration

• Inventory of AWS resources, includes deleted

• View resource relationships

• New! OS-level patches, installed applications and network configuration with EC2 Systems Manager

• Check compliance with desired configuration using rules

• Pre-built rules by AWS, Custom rules using AWS Lambda

• Configuration and Compliance change notifications

• Compliance dashboard

• GitHub repo: Community sourced rules

Common Use Cases

• Continuous monitoring

• Continuous assessment

• Audit and Compliance

• Change management

• Operational troubleshooting

Visibility & Audit


Demo Scenario (Gain visibility into the cloud)

Use CloudTrail to look up API activity for a specific user, then view activity details and configuration changes via the AWS Config integration.
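The per-user lookup in this demo, as an added example (not the session's own demo code): a small Python parser over CloudTrail log-file records that pulls one user's activity, counts it per service, lists the source IPs and flags calls that weaken the audit trail or the guardrails themselves, plus a `lookup_user_activity` function that feeds the same summary from the live LookupEvents API using the `Username` lookup attribute. The record fields used (`userIdentity.userName`, `eventSource`, `eventName`, `sourceIPAddress`, `eventTime`) are standard CloudTrail record fields; the sample records and the `SENSITIVE_EVENTS` list are constructed for the example.

```python
"""Summarise CloudTrail activity for one IAM user from log-file records.

Added example for this transcript, not the session's own demo. The input follows
the CloudTrail log-file layout (a top-level "Records" list); the sample records
below are constructed, not taken from a real account.
"""
import json
from collections import Counter

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-06-06T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-06-06T10:05:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2017-06-06T10:07:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2017-06-06T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# Management calls that weaken the audit trail or the guardrails themselves;
# a constructed watch-list for this example, extend it to taste.
SENSITIVE_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                    "StopConfigurationRecorder", "DeleteConfigRule",
                    "AuthorizeSecurityGroupIngress"}


def principal_name(record):
    """Username for IAM users; for roles or root fall back to the ARN or type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def events_for_user(records, username):
    """Only the records performed by the given principal."""
    return [r for r in records if principal_name(r) == username]


def summarize(records, username):
    """Per-service counts, source IPs, console logins and flagged calls for a user."""
    mine = events_for_user(records, username)
    return {
        "user": username,
        "event_count": len(mine),
        "by_service": dict(Counter(r["eventSource"] for r in mine)),
        "source_ips": sorted({r["sourceIPAddress"] for r in mine}),
        "console_logins": sum(1 for r in mine if r["eventName"] == "ConsoleLogin"),
        "sensitive": [(r["eventTime"], r["eventName"]) for r in mine
                      if r["eventName"] in SENSITIVE_EVENTS],
    }


def lookup_user_activity(username, region="us-east-1"):
    """Same summary from the live LookupEvents API (the last 90 days).

    LookupEvents returns each event's JSON as the string CloudTrailEvent, so the
    records are decoded before reusing summarize(). Not exercised offline.
    """
    import boto3  # imported here so the functions above run without AWS access
    paginator = boto3.client("cloudtrail", region_name=region).get_paginator("lookup_events")
    records = []
    for page in paginator.paginate(
            LookupAttributes=[{"AttributeKey": "Username", "AttributeValue": username}]):
        records.extend(json.loads(e["CloudTrailEvent"]) for e in page["Events"])
    return summarize(records, username)


if __name__ == "__main__":
    print(json.dumps(summarize(json.loads(SAMPLE_LOG)["Records"], "alice"), indent=2))
```

LookupEvents only covers management events from the last 90 days and is rate-limited, so for anything older or larger the S3-delivered log files (the `SAMPLE_LOG` shape) are the source to parse; the summary function is the same either way.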

Control and Alarm


Demo scenario (Automating governance & compliance)

Notify the Cloud Admin if any EC2 security groups exist that allow unrestricted access to port 22 (SSH).

Compliance change notification via SNS

Demo Scenario (Instance level software configurations)

Use EC2 Systems Manager to set up inventory collection and use Config to get a complete, trackable history of:

• OS updates/patches

• Installed applications

• Network configuration, etc.

Continuously assess compliance with Config rules.

Control and Auto-Correct


Auto-remediate the issue when an EC2 Security Group that allows unrestricted access to port 22 (SSH) is detected, by revoking the ingress rule.

(Diagram) Components shown: Internet, Amazon EC2 security group (0.0.0.0/0, port 22), AWS Config, Amazon SNS, a Lambda function, and users.

Demo scenario (Automating governance & compliance)

Code snippet: Fix an EC2 security group

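The two security-group demos above (detect and notify, then auto-remediate) share one piece of logic: deciding whether an ingress permission exposes TCP/22 to the world. The snippet shown on the slide is not reproduced in this transcript; what follows is an added example, not the session's code, that covers both demos in one Python module. `lambda_handler` is a custom Config rule that reports the group's compliance (the managed rule `restricted-ssh` does the same check without any code, and is the simplest way to drive the SNS notification), and `remediate_handler` is a Lambda subscribed to the compliance-change SNS topic that revokes only the offending CIDR rather than the whole rule, so legitimate CIDRs listed beside `0.0.0.0/0` survive. The Config configuration-item layout, the SNS message layout and the sample item are assumptions, marked as such in the comments.

```python
"""Custom AWS Config rule + SNS-triggered remediation for security groups that
allow SSH (TCP/22) from anywhere.  Added example for this transcript, not the
snippet shown in the session; assumptions are marked in comments.
  lambda_handler    - Config rule: reports COMPLIANT / NON_COMPLIANT per group
  remediate_handler - subscribed to the Config compliance-change SNS topic:
                      revokes only the offending CIDR, not the whole rule
"""
import json

SSH_PORT = 22
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # "unrestricted" = any IPv4 or any IPv6 source


def _normalize(perm):
    """One ingress permission -> (protocol, from_port, to_port, [cidrs]).

    Accepts the EC2 API shape (IpProtocol, IpRanges[{CidrIp}], Ipv6Ranges) and the
    Config configuration-item shape, assumed here to mirror it with lower-camel-case
    keys (ipProtocol, ipv4Ranges[{cidrIp}] or ipRanges[...], ipv6Ranges).
    """
    proto = perm.get("IpProtocol", perm.get("ipProtocol"))
    lo = perm.get("FromPort", perm.get("fromPort"))
    hi = perm.get("ToPort", perm.get("toPort"))
    raw = [r.get("CidrIp") or r.get("cidrIp")
           for r in perm.get("IpRanges", []) + perm.get("ipv4Ranges", [])]
    raw += [r if isinstance(r, str) else r.get("cidrIp")  # older Config shape: strings
            for r in perm.get("ipRanges", [])]
    raw += [r.get("CidrIpv6") or r.get("cidrIpv6")
            for r in perm.get("Ipv6Ranges", []) + perm.get("ipv6Ranges", [])]
    cidrs = []
    for c in raw:  # drop empties and duplicates, keep order
        if c and c not in cidrs:
            cidrs.append(c)
    return proto, lo, hi, cidrs


def open_ssh_cidrs(perm):
    """Unrestricted CIDRs in one permission, if that permission reaches TCP/22."""
    proto, lo, hi, cidrs = _normalize(perm)
    if proto != "-1":  # "-1" = all protocols (no ports); otherwise need TCP covering 22
        if proto != "tcp" or lo is None or hi is None or not lo <= SSH_PORT <= hi:
            return []
    return [c for c in cidrs if c in OPEN_CIDRS]


def evaluate_compliance(item):
    """Config rule verdict for one configuration item."""
    if (item.get("resourceType") != "AWS::EC2::SecurityGroup"
            or item.get("configurationItemStatus") == "ResourceDeleted"):
        return "NOT_APPLICABLE"
    perms = item.get("configuration", {}).get("ipPermissions", [])
    return "NON_COMPLIANT" if any(open_ssh_cidrs(p) for p in perms) else "COMPLIANT"


def revoke_requests(group_id, ip_permissions):
    """revoke_security_group_ingress kwargs that strip only the open CIDRs.

    Revoking the whole rule would also drop legitimate CIDRs listed beside
    0.0.0.0/0, so each request names exactly one offending CIDR.
    """
    reqs = []
    for perm in ip_permissions:
        proto, lo, hi, _ = _normalize(perm)
        for cidr in open_ssh_cidrs(perm):
            entry = {"IpProtocol": proto}
            if proto != "-1":
                entry["FromPort"], entry["ToPort"] = lo, hi
            key, field = ("Ipv6Ranges", "CidrIpv6") if ":" in cidr else ("IpRanges", "CidrIp")
            entry[key] = [{field: cidr}]
            reqs.append({"GroupId": group_id, "IpPermissions": [entry]})
    return reqs


def lambda_handler(event, context):
    """Config rule entry point: the item arrives JSON-encoded in invokingEvent."""
    import boto3  # imported here so the pure functions above run without AWS access
    item = json.loads(event["invokingEvent"])["configurationItem"]
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": evaluate_compliance(item),
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])


def remediate_handler(event, context):
    """SNS-subscribed Lambda: on a NON_COMPLIANT change, revoke the open SSH CIDRs.
    Assumed notification layout: messageType, resourceId, newEvaluationResult.complianceType."""
    import boto3
    ec2 = boto3.client("ec2")
    for record in event["Records"]:
        msg = json.loads(record["Sns"]["Message"])
        if (msg.get("messageType") != "ComplianceChangeNotification"
                or msg["newEvaluationResult"]["complianceType"] != "NON_COMPLIANT"):
            continue
        group = ec2.describe_security_groups(GroupIds=[msg["resourceId"]])["SecurityGroups"][0]
        for req in revoke_requests(msg["resourceId"], group["IpPermissions"]):
            ec2.revoke_security_group_ingress(**req)


# Constructed sample item (not real account data): SSH open to 10/8 and to the world
SAMPLE_ITEM = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
               "configurationItemStatus": "OK", "configuration": {"ipPermissions": [
                   {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv6Ranges": [],
                    "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": "0.0.0.0/0"}]},
                   {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv6Ranges": [],
                    "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}
```

The remediation Lambda's role needs only `ec2:DescribeSecurityGroups` and `ec2:RevokeSecurityGroupIngress`; the rule Lambda needs `config:PutEvaluations`. Because the check treats protocol `-1` (all traffic) and any TCP port range that contains 22 as exposing SSH, it also catches the `0-65535` and all-traffic variants that a rule looking only for `fromPort == 22` would miss.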

But who watches the watcher?


Automatically turn on CloudTrail logging if it has been disabled

Demo scenario (Automating governance & compliance)

Code snippet: Turn on CloudTrail
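One way to implement the "turn CloudTrail back on" guardrail, as an added example rather than the snippet from the slide: a Lambda function invoked by a CloudWatch Events rule that matches the CloudTrail `StopLogging` API call (the "AWS API Call via CloudTrail" event type), which reads the trail name from the event, checks `GetTrailStatus`, and calls `StartLogging` if the trail is not logging. A second `sweep_handler` for a scheduled rule covers trails that were stopped while the event path itself was unavailable. The sample event is constructed and the function names and wiring are assumptions; the API calls are the boto3 CloudTrail client's own.

```python
"""Turn CloudTrail logging back on when it has been stopped.

Added example for this transcript (not the snippet shown in the session).
Assumed wiring: a CloudWatch Events rule matching the CloudTrail StopLogging API
call invokes lambda_handler; a scheduled rule invokes sweep_handler as a backstop.
"""

# Constructed "AWS API Call via CloudTrail" event, trimmed to the fields used below
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {
            "name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/management-trail"},
    },
}


def stopped_trail(event):
    """Trail name or ARN from a StopLogging API-call event; None for anything else."""
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    if detail.get("eventName") != "StopLogging":
        return None
    return (detail.get("requestParameters") or {}).get("name")


def needs_restart(trail_status):
    """True when a GetTrailStatus response says the trail is not logging."""
    return not trail_status.get("IsLogging", False)


def trails_to_start(statuses):
    """Given {trail: GetTrailStatus response}, the trails that must be started."""
    return sorted(name for name, status in statuses.items() if needs_restart(status))


def lambda_handler(event, context):
    """Event-driven path: react to the StopLogging call itself."""
    import boto3  # imported here so the functions above run without AWS access
    name = stopped_trail(event)
    if name is None:
        return {"action": "ignored"}
    ct = boto3.client("cloudtrail")
    if needs_restart(ct.get_trail_status(Name=name)):
        ct.start_logging(Name=name)
        return {"action": "started", "trail": name}
    return {"action": "already-logging", "trail": name}


def sweep_handler(event, context):
    """Scheduled path: start every trail in this region that is not logging."""
    import boto3
    ct = boto3.client("cloudtrail")
    statuses = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"])
                for t in ct.describe_trails(includeShadowTrails=False)["trailList"]}
    to_start = trails_to_start(statuses)
    for arn in to_start:
        ct.start_logging(Name=arn)
    return {"action": "started", "trails": to_start}
```

The function's role needs `cloudtrail:GetTrailStatus`, `cloudtrail:DescribeTrails` and `cloudtrail:StartLogging`, and for a multi-region trail `StartLogging` must be called from the trail's home region, so deploy the function there. Treat this as a backstop: the `StopLogging` event in CloudTrail is itself the alert, and an IAM policy that denies `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail` to everyone but the security administrators keeps the trail from being switched off in the first place.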

Customers who use CloudTrail and Config

Summary

CloudTrail and Config provide:

• Broad and deep visibility for security and compliance

• Governance and Compliance as code

• Enable: standardization, self-service, and automation

Find out more here:

https://aws.amazon.com/cloudtrail/

https://aws.amazon.com/config/

Management tools:

https://aws.amazon.com/products/management