AWS Governance at Scale_AWSPSSummit_Singapore
- 1. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Ankush Chowdhary
Principal Security Advisor (APJ) – AWS Worldwide Public Sector
AWS Governance at Scale
- 2.
Is this a problem?
- 3.
Governance continues to block or slow down
Every customer
is doing his or
her own thing
Multi-account best
practices compound
customer challenges
Native tooling is
inadequate for most
large customers
Less prescriptive
guidance is available
- 4.
What does “enterprise cloud
governance” really mean?
- 5.
Typical enterprise AWS adoption
• In highly federated organizations,
AWS adoption flows from the
bottom up
• In parallel, central IT often begins
mirroring the on-prem architecture
in AWS
• Governance approach should:
• Meet organizational requirements
• Scale
• Allow direct use of approved AWS
services and APIs
(Diagram: top-down adoption vs. bottom-up adoption)
- 6.
The Journey to Cloud Adoption
• Specific Systems
• Manual Governance
Limited Accounts
• Numerous Systems
• Manual Governance
Multiple Accounts
• Numerous Systems
• Manual Governance
Single Account OR
- 7.
Tradeoffs in AWS adoption approaches
Cloud broker
• Prescribes limited access to AWS based on catalog templates or via middleware
• Suitable for meeting common requirements of less-technical internal users
• Traditionally doesn’t allow developers to access cloud APIs
• Relies too much on manual processes
Minimally encumbered AWS accounts
• Complete power of AWS; every “approved” feature available immediately
• Native access to the AWS Console, CLI, API
• Enables powerful DevOps CI/CD pipelines
• Requires a comprehensive foundation for managing access, security, collaboration
• Requires the building or buying of a solution that can manage access, budget, compliance of many AWS accounts
- 8.
What are the key areas to consider?
Entry Points
Methods of access to the cloud environment
Central Services
Common services accessible by cloud tenants
Networking
Enterprise networking strategy for intra-AWS Account communication and ingress/egress control
Connections to On-Premise Resources
Enabling access between on-premise and cloud resources
Security Services
Central log aggregation and analysis
Certification and Accreditation Strategy (SSPs)
Methodology to reach ATO fast with a repeatable process
Governance of Cloud Accounts
Tools for account management, budget enforcement, compliance automation + Access to AWS CLI, API, Console
- 9.
Common governance challenges
• How do I determine the current state of all cloud users and control their access across my enterprise?
• How do I maintain adherence to IT budgets in a pay-per-use model?
• How do I know that deployments and operations are compliant with relevant legal, regulatory, and/or contractual policies?
- 10.
Three principles of Governance@Scale
• Align AWS accounts with a common interface. Standardize and streamline provisioning, maintenance, and access control policies for many AWS accounts and workloads
• Prevent AWS accounts and workloads from exceeding budget
• Accelerate security authorizations, provide continuous monitoring and configuration management, and enforce security controls
- 11.
Design for Account Management @ Scale
(Diagram: Company X → Dept. A (Projects 1, 2, 3), Dept. B (Projects 4, 5), Dept. C (Project 6))
Account Management
• Use AWS Organizations
• Use a consolidated admin
AWS account
• Automate AWS account
provisioning
• Implement “single sign-on”
through federation
• Use Compliance Quick
Starts and Landing Zones as
a starting point
- 12.
Design for Cost Enforcement @ Scale
(Diagram: Company X → Dept. A (Projects 1, 2, 3), Dept. B (Projects 4, 5), Dept. C (Project 6))
Cost Enforcement
• Use automation to map
AWS accounts to org.
structure
• Use automation for cost
management/enforcement
• Provide near real-time
budget projections so
stakeholders are aware of
current AWS spend
- 13.
Design for Compliance Automation @ Scale
(Diagram: Company X → Dept. A (Projects 1, 2, 3), Dept. B (Projects 4, 5), Dept. C (Project 6))
Compliance Automation
• Pre-approve standard
security configurations to
decrease efforts up to 50%
• Automate deployment of
accounts consistent with
security policies
• Pre-populate GRC tools
with inherited and system
specific controls
• Perform continuous
monitoring with GRC tools
and alert security staff of
configuration drift and/or
vulnerabilities
- 14.
Example Use Case
Step 1: John designs applications in AWS and needs a development environment.
Step 2: John’s manager reviews his request and determines the boundaries the account must stay within.
(Diagram: Governance@Scale Portal; John’s manager approves the account request built from Project Template 1 (Project S3 Buckets, Project EC2 Instances): Approved AWS Account Type + Approved Monthly Budget ($5,000, $1,000) + Approved Access Boundaries (IAM Policies, IAM Roles, MFA Token, SSP))
- 15.
Example Use Case
John designs applications in AWS and needs a development environment.
Step 3: Automation creates accounts, provides security baselines, and starts monitoring spend.
(Diagram: Governance@Scale Portal; John can start developing in the Approved AWS Account: Project S3 Buckets, Project EC2 Instances, Approved Monthly Budget $1,000 + Approved Access Boundaries (IAM Policies, IAM Roles, MFA Token, SSP))
- 16.
Example Use Case
John designs applications in AWS and needs a development environment.
Step 4: System monitoring actively enforces the AWS budget and security/compliance in real time and notifies stakeholders of concerns.
(Diagram: Governance@Scale Portal; John’s AWS Account with Project S3 Buckets, Project EC2 Instances, Approved Monthly Budget $1,000, IAM Policies, IAM Roles, MFA Token, SSP; Real-Time Budget Enforcement and Continuous Control Monitoring and Enforcement alert stakeholders of overspend/security violations)
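The near real-time budget projection from the cost-enforcement design and the budget enforcement in step 4 of the use case, as an added example that is not part of the deck or of any vendor product it names. The account id and daily spend figures are constructed, and the linear run-rate projection and the 80% alert threshold are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, Tuple

@dataclass(frozen=True)
class BudgetDecision:
    account_id: str
    month_to_date: float
    projected_month_end: float
    budget: float
    action: str  # "ok", "alert" or "enforce"

def project_month_end(spend_by_day: Dict[date, float], as_of: date) -> Tuple[float, float]:
    """Return (month-to-date spend, projected month-end spend) as of `as_of`.
    Assumption: linear run-rate (average daily spend so far times days in the
    month); spend recorded outside the current month is ignored."""
    mtd = sum(cost for day, cost in spend_by_day.items()
              if (day.year, day.month) == (as_of.year, as_of.month) and day <= as_of)
    days_in_month = calendar.monthrange(as_of.year, as_of.month)[1]
    return mtd, mtd / as_of.day * days_in_month

def evaluate_budget(account_id: str, spend_by_day: Dict[date, float], budget: float,
                    as_of: date, alert_ratio: float = 0.8) -> BudgetDecision:
    """Decide the portal's action for one account against its approved budget:
    enforce = actual spend already at/over budget (block provisioning, notify);
    alert   = projected month-end at/over alert_ratio * budget (warn early;
              the 80% default is an assumption); ok = within budget and on track."""
    mtd, projected = project_month_end(spend_by_day, as_of)
    if mtd >= budget:
        action = "enforce"
    elif projected >= alert_ratio * budget:
        action = "alert"
    else:
        action = "ok"
    return BudgetDecision(account_id, round(mtd, 2), round(projected, 2), budget, action)

# Constructed sample input: daily cost for John's development account
# (hypothetical account id, not a real account).
SAMPLE_ACCOUNT = "111122223333"
AS_OF = date(2018, 6, 5)
SAMPLE_SPEND = {date(2018, 6, d): cost
                for d, cost in [(1, 30.0), (2, 35.0), (3, 40.0), (4, 45.0), (5, 50.0)]}

def demo_decision(budget: float) -> BudgetDecision:
    """Evaluate the sample account against an approved monthly budget."""
    return evaluate_budget(SAMPLE_ACCOUNT, SAMPLE_SPEND, budget, AS_OF)
```

With the $1,000 budget from the use case, $200 spent by 5 June projects to $1,200 for the month, so the decision is "alert" before any overspend has occurred.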
- 17.
What are my solution options?
- 18.
Solution Options
Option 1: Use the governance@scale pattern and develop your own solution.
• Develop a mature governance model that can be automated and tracked to enterprise security standards
• Grow advanced understanding of APIs and AWS Services
• Define and implement robust resource tagging for budget control
• Governance@scale solution can be built using AWS native APIs and open source tools
Option 2**: Sample AWS & Partner Solution
CloudTamer or Cloud Conformity
✓ Robust account governance
✓ Automated budget enforcement
✓ Compliant baselines and guardrails
Xacta from Telos Corporation
✓ Automated SSP artifact generation
✓ Preset security control justifications
AWS Professional Services
✓ Customize CloudFormation Templates
✓ Enterprise Accelerator Engagements
✓ Apply AWS Cloud Adoption Framework
- 19.
Enterprise Cloud Governance – CloudTamer
CloudTamer is comprehensive cloud
management software that allows
organizations to more easily scale their use of
cloud services and resources from providers
such as Amazon Web Services (AWS).
- 20.
Enterprise Cloud Governance – CloudTamer
CloudTamer’s features include account
governance, budget enforcement, and
compliance automation.
CloudTamer makes it easy for technical
staff to create the resources they need and
senior leadership to execute financial and
compliance oversight responsibilities as
cloud adoption grows.
- 21.
Xacta® 360 and the Cloud
Of-the-cloud, not just in the cloud
• EA4C Content (inherit common controls)
• AWS API integration to validate configuration of AWS services
• EC2 support for scalability
• Multiple cloud deployment options
• SaaS | Private SaaS | AMI
• Hybrid Support
• Manage AWS workloads from on-prem
• Manage on-prem assets from cloud
“Xacta 360 does for the cloud what Telos has done for the enterprise since 2000.”
- 22.
Xacta® in Action – On-prem, In-cloud, Hybrid
(Diagrams: Xacta managing hybrid from on-prem; Xacta managing hybrid from cloud)
- 23.
Cloud Conformity –
Multi Account Management
Consolidated view across multiple AWS accounts
415+ AWS best practice checks run in real-time
across all accounts
Real-time threat detection, user activity & event
log capturing every AWS event
Integrations into preferred ticketing +
communication channels (JIRA, Slack, etc.)
Continuous Well-Architected Framework
compliance
- 24.
Cloud Conformity - Cost Optimization
• Budget & cost fluctuation alerts
• Cost saving Recommendations with
optional auto-remediation
• 60 customizable optimization
algorithms
• Real-time forecasting
• Cost allocation reporting
• Multi-account cost insights & visibility
- 25.
Cloud Conformity – Security & Compliance
Continuous governance monitoring against Well-Architected, CIS, PCI-DSS, HIPAA, GDPR compliance standards.
Examples of the 415+ AWS best practice/governance checks (shown on the slide).
- 26.
Next Steps?
- 27.
How do I get there?
• Build or buy a Governance@Scale solution that can grow with you.
• Professional Services can help facilitate the design and help
you build a solution based on your requirements.
• Partner Solutions are available (CloudTamer, Cloud
Conformity, Xacta® 360, Dome9, Turbot)
• AWS Landing Zones can help baseline accounts
• AWS Solutions Architects can help with designing a solution
that fits your needs