© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Ankush Chowdhary
Principal Security Advisor (APJ) – AWS Worldwide Public Sector
AWS Governance at Scale
Is this a problem?
Governance continues to block or slow down
• Every customer is doing his or her own thing
• Multi-account best practices compound customer challenges
• Native tooling is inadequate for most large customers
• Less prescriptive guidance is available
What does “enterprise cloud governance” really mean?
Typical enterprise AWS adoption
• In highly federated organizations, AWS adoption flows from the bottom up
• In parallel, central IT often begins mirroring the on-prem architecture in AWS
• Governance approach should:
  • Meet organizational requirements
  • Scale
  • Allow direct use of approved AWS services and APIs
(Diagram labels: Top down adoption; Bottom up adoption)
The Journey to Cloud Adoption (diagram)
• Single Account OR Limited Accounts: Specific Systems, Manual Governance
• Multiple Accounts: Numerous Systems, Manual Governance
• Numerous Systems, Manual Governance
Tradeoffs in AWS adoption approaches
Cloud broker
• Prescribes limited access to AWS based on catalog templates or via middleware
• Suitable for meeting common requirements of less-technical internal users
• Traditionally doesn’t allow developers to access cloud APIs
• Relies too much on manual processes
Minimally encumbered AWS accounts
• Complete power of AWS; every “approved” feature available immediately
• Native access to the AWS Console, CLI, API
• Enables powerful DevOps CI/CD pipelines
• Requires a comprehensive foundation for managing access, security, collaboration
• Requires the building or buying of a solution that can manage access, budget, compliance of many AWS accounts
What are the key areas to consider?
Entry points: Methods of access to the cloud environment
Central Services: Common services accessible by cloud tenants
Networking: Enterprise networking strategy for intra-AWS Account communication and ingress/egress control
Connections to On-Premise Resources: Enabling access between on-premise and cloud resources
Security Services: Central log aggregation and analysis
Certification and Accreditation Strategy (SSPs): Methodology to reach ATO fast with a repeatable process
Governance of Cloud Accounts: Tools for account management, budget enforcement, compliance automation + Access to AWS CLI, API, Console
Common governance challenges
• How do I determine the current state of all cloud users and control their access across my enterprise?
• How do I maintain adherence to IT budgets in a pay-per-use model?
• How do I know that deployments and operations are compliant with relevant legal, regulatory, and/or contractual policies?
Three principles of Governance@Scale
• Align AWS accounts with a common interface. Standardize and streamline provisioning, maintenance, and access control policies for many AWS accounts and workloads
• Prevent AWS accounts and workloads from exceeding budget
• Accelerate security authorizations, provide continuous monitoring and configuration management, and enforce security controls
Design for Account Management @ Scale
(Diagram: Company X → Dept. A (Project 1, Project 2, Project 3); Dept. B (Project 4, Project 5); Dept. C (Project 6))
Account Management
• Use AWS Organizations
• Use a consolidated admin AWS account
• Automate AWS account provisioning
• Implement “single sign-on” through federation
• Use Compliance Quick Starts and Landing Zones as a starting point
Design for Cost Enforcement @ Scale
(Diagram: Company X → Dept. A (Project 1, Project 2, Project 3); Dept. B (Project 4, Project 5); Dept. C (Project 6))
Cost Enforcement
• Use automation to map AWS accounts to org. structure
• Use automation for cost management/enforcement
• Provide near real-time budget projections so stakeholders are aware of current AWS spend
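To make the cost-enforcement bullets concrete, here is an added example (written for this page; it is not code from the deck, from AWS or from any partner product) of the projection and alerting logic: accounts are mapped to departments and projects, spend is aggregated up to an evaluation day, a linear run-rate projection estimates month-end spend, stakeholders are warned when the projection reaches 80% of budget, and actual spend at 100% of budget triggers an enforcement action. The account ids, budgets, cost records and the 80%/100% thresholds are all constructed assumptions.

```python
"""Added example (not from the slide deck): near real-time budget projection and
enforcement for AWS accounts mapped onto an org structure (Dept -> Project).
Account ids, budgets and cost records below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed mapping of AWS account id -> (department, project), i.e. the
# "automation to map AWS accounts to org structure" step.
ACCOUNT_TO_PROJECT = {
    "111111111111": ("Dept. A", "Project 1"),
    "222222222222": ("Dept. A", "Project 2"),
    "333333333333": ("Dept. B", "Project 4"),
}

# Approved monthly budgets (USD) granted when each account was requested.
PROJECT_BUDGETS = {"Project 1": 1000.0, "Project 2": 5000.0, "Project 4": 1000.0}

# Constructed daily cost lines: (account_id, day_of_month, usd). In a real
# deployment these come from billing exports; here they are embedded inline.
COST_RECORDS = [
    ("111111111111", 1, 40.0), ("111111111111", 2, 45.0), ("111111111111", 3, 50.0),
    ("111111111111", 4, 55.0), ("111111111111", 5, 60.0), ("111111111111", 6, 70.0),
    ("222222222222", 1, 100.0), ("222222222222", 6, 120.0),
    ("333333333333", 3, 600.0), ("333333333333", 6, 450.0),
    ("333333333333", 9, 200.0),  # after the evaluation day; must be ignored
]

WARN_RATIO = 0.8     # projected month-end spend at 80% of budget -> notify stakeholders
ENFORCE_RATIO = 1.0  # actual spend at 100% of budget -> enforcement action


@dataclass(frozen=True)
class BudgetStatus:
    project: str
    dept: str
    budget: float
    spent: float
    projected: float
    action: str  # "ok", "warn" or "enforce"


def project_month_end(spent: float, days_elapsed: int, days_in_month: int) -> float:
    """Linear run-rate projection: average daily spend so far scaled to the full month."""
    if days_elapsed <= 0:
        return 0.0
    return spent * days_in_month / days_elapsed


def evaluate_budgets(records, as_of_day: int, days_in_month: int = 30) -> dict:
    """Aggregate spend per project up to as_of_day and decide the enforcement action."""
    spent_by_project = defaultdict(float)
    for account_id, day, usd in records:
        if day > as_of_day:
            continue  # not yet incurred at the evaluation point
        _, project = ACCOUNT_TO_PROJECT[account_id]
        spent_by_project[project] += usd

    dept_of = {project: dept for dept, project in ACCOUNT_TO_PROJECT.values()}
    statuses = {}
    for project, budget in PROJECT_BUDGETS.items():
        spent = spent_by_project.get(project, 0.0)
        projected = project_month_end(spent, as_of_day, days_in_month)
        if spent >= budget * ENFORCE_RATIO:
            action = "enforce"   # e.g. block further provisioning in the account
        elif projected >= budget * WARN_RATIO:
            action = "warn"      # stakeholders hear about it before the budget is hit
        else:
            action = "ok"
        statuses[project] = BudgetStatus(project, dept_of[project], budget, spent, projected, action)
    return statuses


def department_rollup(statuses: dict) -> dict:
    """Sum actual spend per department so department leads see their aggregate position."""
    totals = defaultdict(float)
    for status in statuses.values():
        totals[status.dept] += status.spent
    return dict(totals)


def stakeholder_alerts(statuses: dict) -> list:
    """Human-readable notifications for every project that is not 'ok'."""
    return [
        f"[{s.action.upper()}] {s.dept}/{s.project}: spent ${s.spent:,.0f} of ${s.budget:,.0f}, "
        f"projected ${s.projected:,.0f} at month end"
        for s in statuses.values() if s.action != "ok"
    ]


if __name__ == "__main__":
    result = evaluate_budgets(COST_RECORDS, as_of_day=6)
    for line in stakeholder_alerts(result):
        print(line)
    print(department_rollup(result))
```

Run on day 6, Project 1 has spent $320 but is projected to reach $1,600 against a $1,000 budget, so it is warned early; Project 4 has already spent $1,050 and is moved to enforcement. The run-rate projection is deliberately simple; a production portal would typically weight recent days more heavily or use the billing provider's own forecast.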
Design for Compliance Automation @ Scale
(Diagram: Company X → Dept. A (Project 1, Project 2, Project 3); Dept. B (Project 4, Project 5); Dept. C (Project 6))
Compliance Automation
• Pre-approve standard security configurations to decrease efforts up to 50%
• Automate deployment of accounts consistent with security policies
• Pre-populate GRC tools with inherited and system specific controls
• Perform continuous monitoring with GRC tools and alert security staff of configuration drift and/or vulnerabilities
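The last bullet, continuous monitoring for configuration drift, is the part most often left vague, so here is an added example of the core logic (written for this page; not code from the deck or from any GRC tool). A pre-approved baseline is expressed as a set of control checks, each snapshot of an account's configuration is evaluated against them, and two evaluations are diffed so that only newly drifted resources generate alerts. The four controls, the control ids, and both account snapshots are constructed assumptions.

```python
"""Added example (not from the slide deck): continuous control monitoring that
compares an account's configuration against a pre-approved security baseline
and reports drift between two snapshots. The four baseline controls are
illustrative, and both account snapshots below are constructed."""


def check_cloudtrail(snapshot):
    """CT-1: a multi-region trail must be logging."""
    trail = snapshot["cloudtrail"]
    return [] if trail["enabled"] and trail["multi_region"] else ["cloudtrail"]


def check_root_mfa(snapshot):
    """IAM-1: the root user must have MFA enabled."""
    return [] if snapshot["root_mfa_enabled"] else ["root"]


def check_no_public_buckets(snapshot):
    """S3-1: no bucket may allow public access."""
    return [b["name"] for b in snapshot["s3_buckets"] if b["public"]]


def check_no_open_admin_ports(snapshot):
    """EC2-1: SSH/RDP must not be reachable from 0.0.0.0/0."""
    return [
        f'{sg["id"]}:{rule["port"]}'
        for sg in snapshot["security_groups"]
        for rule in sg["ingress"]
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389)
    ]


# Control id -> (description, check). Each check returns the resources that violate it.
CONTROLS = {
    "CT-1": ("CloudTrail enabled in all regions", check_cloudtrail),
    "IAM-1": ("MFA enabled on the root user", check_root_mfa),
    "S3-1": ("No S3 buckets with public access", check_no_public_buckets),
    "EC2-1": ("No SSH/RDP ingress from 0.0.0.0/0", check_no_open_admin_ports),
}

# Constructed snapshot taken right after automated provisioning (clean baseline).
PROVISIONED_SNAPSHOT = {
    "account_id": "111111111111",
    "cloudtrail": {"enabled": True, "multi_region": True},
    "root_mfa_enabled": True,
    "s3_buckets": [{"name": "project1-data", "public": False},
                   {"name": "project1-logs", "public": False}],
    "security_groups": [{"id": "sg-0a1b2c", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}],
}

# Constructed snapshot a week later: a bucket was opened up and SSH exposed to the world.
LATER_SNAPSHOT = {
    "account_id": "111111111111",
    "cloudtrail": {"enabled": True, "multi_region": True},
    "root_mfa_enabled": True,
    "s3_buckets": [{"name": "project1-data", "public": False},
                   {"name": "project1-logs", "public": True}],
    "security_groups": [{"id": "sg-0a1b2c", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                                         {"port": 22, "cidr": "0.0.0.0/0"}]}],
}


def evaluate_controls(snapshot) -> set:
    """Run every control; return findings as (control_id, resource) pairs."""
    return {(cid, res) for cid, (_, check) in CONTROLS.items() for res in check(snapshot)}


def drift(previous: set, current: set) -> dict:
    """Classify findings relative to the last evaluation: 'new' ones are drift to alert on."""
    return {
        "new": sorted(current - previous),
        "resolved": sorted(previous - current),
        "persisting": sorted(previous & current),
    }


def drift_alerts(snapshot_before, snapshot_after) -> list:
    """Alert lines for security staff, one per newly drifted resource."""
    report = drift(evaluate_controls(snapshot_before), evaluate_controls(snapshot_after))
    account = snapshot_after["account_id"]
    return [f"{account} {cid} ({CONTROLS[cid][0]}): {res}" for cid, res in report["new"]]


if __name__ == "__main__":
    for line in drift_alerts(PROVISIONED_SNAPSHOT, LATER_SNAPSHOT):
        print(line)
```

Keeping findings as (control, resource) pairs rather than per-account pass/fail is what makes the diff useful: a persisting finding should not page the team every run, and a resolved one is evidence that remediation worked.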
Example Use Case
Step 1: John designs applications in AWS and needs a development environment.
Step 2: John’s manager reviews his request and determines the boundaries the account must stay within.
(Diagram: Governance@Scale Portal; John’s Manager; Approved Account Request; Project Template 1 (Project S3 Buckets, Project EC2 Instances); Approved AWS Account Type + Approved Monthly Budget ($5,000 / $1,000) + IAM Policies; Approved Access Boundaries: IAM Roles, MFA Token, SSP)
Example Use Case
John designs applications in AWS and needs a development environment.
Step 3: Automation creates accounts, provides security baselines, and starts monitoring spend.
(Diagram: Governance@Scale Portal; John can start developing; Project S3 Buckets, Project EC2 Instances; Approved AWS Account; Approved Monthly Budget $1,000 + IAM Policies; Approved Access Boundaries: IAM Roles, MFA Token, SSP)
Example Use Case
John designs applications in AWS and needs a development environment.
Step 4: The system monitors and actively enforces the AWS budget and security/compliance in real time, and notifies stakeholders of concerns.
(Diagram: Governance@Scale Portal; Project S3 Buckets, Project EC2 Instances; John’s AWS Account; Approved Monthly Budget $1,000; IAM Policies, IAM Roles, MFA Token, SSP; John; Real-Time Budget Enforcement; Continuous Control Monitoring and Enforcement; Alerts Stakeholders of overspend/security violations)
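The "Approved Access Boundaries" in steps 2 through 4 are where the manager's decision becomes enforceable, so here is an added example (written for this page; not code from the deck, from AWS or from any partner product) of how a request in John's account is evaluated against them. It mirrors the AWS policy evaluation order in simplified form: an explicit Deny in any layer wins, and otherwise the action must be allowed by the organization-level SCP, by the permission boundary that comes with the project template, and by the identity policy on John's role, with an MFA condition on the statements that change state. The three policy documents, the project bucket names, the control on CloudTrail and the MFA context are constructed assumptions, and conditions are limited to the Bool operator.

```python
"""Added example (not from the slide deck): evaluating a request against the
"approved access boundaries" of an account: organization SCP, the project
template's permission boundary, and the identity policy on the role. Explicit
Deny in any layer wins; otherwise all three layers must Allow. Policies, bucket
names and the MFA context are constructed; only Bool conditions are supported."""
import fnmatch

# Constructed organization-level guardrail (SCP): what any account in the OU may ever do.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "cloudwatch:*", "cloudtrail:*",
                                   "iam:Get*", "iam:List*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"},
]}

# Constructed permission boundary for "Project Template 1": project buckets and instances only.
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::project1-*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:TerminateInstances",
                                   "cloudwatch:*", "cloudtrail:*"], "Resource": "*"},
]}

# Constructed identity policy on John's role: read without MFA, change state only with MFA.
IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "iam:*", "cloudtrail:*"], "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_action(pattern: str, action: str) -> bool:
    # Action names are case-insensitive; '*' is the only wildcard modelled here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern: str, resource: str) -> bool:
    # ARNs are compared case-sensitively; '*' may match across '/' and ':'.
    return fnmatch.fnmatchcase(resource, pattern)


def _statement_applies(stmt: dict, action: str, resource: str, context: dict) -> bool:
    if not any(_match_action(p, action) for p in _as_list(stmt.get("Action", []))):
        return False
    if not any(_match_resource(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        # A missing context key (no MFA used) evaluates as "false".
        if str(context.get(key, False)).lower() != str(expected).lower():
            return False
    return True


def layer_decision(policy: dict, action: str, resource: str, context: dict) -> str:
    """'deny' on any matching explicit Deny, 'allow' if an Allow matches, else 'implicit_deny'."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def evaluate(action: str, resource: str = "*", mfa: bool = False) -> tuple:
    """Return (final decision, per-layer decisions) for a request in John's account."""
    context = {"aws:MultiFactorAuthPresent": mfa}
    layers = {
        "scp": layer_decision(SCP, action, resource, context),
        "boundary": layer_decision(BOUNDARY, action, resource, context),
        "identity": layer_decision(IDENTITY, action, resource, context),
    }
    if "deny" in layers.values():
        return "deny", layers            # explicit Deny anywhere wins
    if all(d == "allow" for d in layers.values()):
        return "allow", layers           # every layer must grant it
    return "deny", layers                # implicit deny in at least one layer


if __name__ == "__main__":
    for req in [("s3:PutObject", "arn:aws:s3:::project1-data/report.csv", True),
                ("s3:PutObject", "arn:aws:s3:::shared-bucket/report.csv", True),
                ("ec2:RunInstances", "*", False),
                ("iam:CreateUser", "*", True),
                ("cloudtrail:StopLogging", "*", True)]:
        print(req, "->", evaluate(*req))
```

The per-layer result is returned alongside the decision because that is what a portal needs to explain a denial: "the SCP never allowed this" (iam:CreateUser), "outside the project template's boundary" (a bucket that is not project1-*), "MFA required" (ec2:RunInstances without a token), or "explicitly denied by the organization" (stopping CloudTrail). The real AWS evaluation also involves resource policies, session policies and many more condition operators; this block models only the three layers the slide names.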
What are my solution options?
Solution Options
Option 1: Use the governance@scale pattern and develop your own solution.
• Develop a mature governance model that can be automated and tracked to enterprise security standards
• Grow advanced understanding of APIs and AWS Services
• Define and implement robust resource tagging for budget control
• Governance@scale solution can be built using AWS native APIs and open source tools
Option 2**: Sample AWS & Partner Solution
CloudTamer or Cloud Conformity
✓ Robust account governance
✓ Automated budget enforcement
✓ Compliant baselines and guardrails
Xacta from Telos Corporation
✓ Automated SSP artifact generation
✓ Preset security control justifications
AWS Professional Services
✓ Customize CloudFormation Templates
✓ Enterprise Accelerator Engagements
✓ Apply AWS Cloud Adoption Framework
Enterprise Cloud Governance – CloudTamer
CloudTamer is comprehensive cloud management software that allows organizations to more easily scale their use of cloud services and resources from providers such as Amazon Web Services (AWS).
Enterprise Cloud Governance – CloudTamer
CloudTamer’s features include account governance, budget enforcement, and compliance automation.
CloudTamer makes it easy for technical staff to create the resources they need and senior leadership to execute financial and compliance oversight responsibilities as cloud adoption grows.
Xacta® 360 and the Cloud
Of-the-cloud, not just in the cloud
• EA4C Content (inherit common controls)
• AWS API integration to validate configuration of AWS services
• EC2 support for scalability
• Multiple cloud deployment options
• SaaS | Private SaaS | AMI
• Hybrid Support
• Manage AWS workloads from on-prem
• Manage on-prem assets from cloud
“Xacta 360 does for the cloud what Telos has done for the enterprise since 2000.”
Xacta® in Action – On-prem, In-cloud, Hybrid
(Diagram panels: Xacta Managing Hybrid from on-prem; Xacta Managing Hybrid from Cloud)
Cloud Conformity – Multi Account Management
• Consolidated view across multiple AWS accounts
• 415+ AWS best practice checks run in real-time across all accounts
• Real-time threat detection, user activity & event log capturing every AWS event
• Integrations into preferred ticketing + communication channels (JIRA, Slack, etc.)
• Continuous Well-Architected Framework compliance
Cloud Conformity – Cost Optimization
• Budget & cost fluctuation alerts
• Cost saving recommendations with optional auto-remediation
• 60 customizable optimization algorithms
• Real-time forecasting
• Cost allocation reporting
• Multi-account cost insights & visibility
Cloud Conformity – Security & Compliance
Continuous governance monitoring against Well-Architected, CIS, PCI-DSS, HIPAA, GDPR compliance standards.
415+ AWS best practice/governance checks (examples shown on the right of the slide).
Next Steps?
How do I get there?
• Build or buy a Governance@Scale solution that can grow with you.
• Professional Services can help facilitate the design and help you build a solution based on your requirements.
• Partner Solutions are available (CloudTamer, Cloud Conformity, Xacta® 360, Dome9, Turbot)
• AWS Landing Zones can help baseline accounts
• AWS Solutions Architects can help with designing a solution that fits your needs
Thank You

Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

AWS Governance at Scale_AWSPSSummit_Singapore

  • 7. Tradeoffs in AWS adoption approaches
    Cloud broker
    • Prescribes limited access to AWS based on catalog templates or via middleware
    • Suitable for meeting common requirements of less-technical internal users
    • Traditionally doesn’t allow developers to access cloud APIs
    • Relies too much on manual processes
    Minimally encumbered AWS accounts
    • Complete power of AWS; every “approved” feature available immediately
    • Native access to the AWS Console, CLI, API
    • Enables powerful DevOps CI/CD pipelines
    • Requires a comprehensive foundation for managing access, security, collaboration
    • Requires the building or buying of a solution that can manage access, budget, compliance of many AWS accounts
  • 8. What are the key areas to consider?
    • Entry points: methods of access to the cloud environment
    • Central services: common services accessible by cloud tenants
    • Networking: enterprise networking strategy for intra-AWS-account communication and ingress/egress control
    • Connections to on-premise resources: enabling access between on-premise and cloud resources
    • Security services: central log aggregation and analysis
    • Certification and accreditation strategy (SSPs): methodology to reach ATO fast with a repeatable process
    • Governance of cloud accounts: tools for account management, budget enforcement, compliance automation, plus access to AWS CLI, API, Console
  • 9. Common governance challenges
    • How do I determine the current state of all cloud users and control their access across my enterprise?
    • How do I maintain adherence to IT budgets in a pay-per-use model?
    • How do I know that deployments and operations are compliant with relevant legal, regulatory, and/or contractual policies?
  • 10. Three principles of Governance@Scale
    • Align AWS accounts with a common interface. Standardize and streamline provisioning, maintenance, and access control policies for many AWS accounts and workloads
    • Prevent AWS accounts and workloads from exceeding budget
    • Accelerate security authorizations, provide continuous monitoring and configuration management, and enforce security controls
  • 11. Design for Account Management @ Scale
    (Org chart: Company X → Dept. A [Project 1, Project 2, Project 3], Dept. B [Project 4, Project 5], Dept. C [Project 6])
    Account Management
    • Use AWS Organizations
    • Use a consolidated admin AWS account
    • Automate AWS account provisioning
    • Implement “single sign-on” through federation
    • Use Compliance Quick Starts and Landing Zones as a starting point
  • 12. Design for Cost Enforcement @ Scale
    (Org chart: Company X → Dept. A [Project 1, Project 2, Project 3], Dept. B [Project 4, Project 5], Dept. C [Project 6])
    Cost Enforcement
    • Use automation to map AWS accounts to org. structure
    • Use automation for cost management/enforcement
    • Provide near real-time budget projections so stakeholders are aware of current AWS spend
  • 13. Design for Compliance Automation @ Scale
    (Org chart: Company X → Dept. A [Project 1, Project 2, Project 3], Dept. B [Project 4, Project 5], Dept. C [Project 6])
    Compliance Automation
    • Pre-approve standard security configurations to decrease efforts up to 50%
    • Automate deployment of accounts consistent with security policies
    • Pre-populate GRC tools with inherited and system specific controls
    • Perform continuous monitoring with GRC tools and alert security staff of configuration drift and/or vulnerabilities
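The slide above describes checking accounts against a pre-approved security configuration, distinguishing inherited (platform-provided) from system-specific controls, and alerting on drift. The following is an added example of that check; it is not code from the deck or from any GRC product. The control catalogue, the approved-region list, the severities and the two account snapshots are all constructed for illustration; a real job would build each snapshot from AWS Config or the account's APIs instead of a literal dict.

```python
"""Configuration-drift detection against a pre-approved security baseline.

Added example for this page, not code from the deck or from any GRC tool.
The control catalogue, the approved-region list and the two account
snapshots are constructed for illustration; a real check would build the
snapshot from AWS Config or the account's APIs instead of a literal dict.
"""
from dataclasses import dataclass
from typing import Any, Callable

APPROVED_REGIONS = {"ap-southeast-1", "ap-southeast-2"}  # constructed approved list


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    scope: str                    # "inherited": provided by the central platform
                                  # "system": owned by the account/project team
    severity: str                 # critical | high | medium
    check: Callable[[Any], bool]  # True when the observed value satisfies the control


# Constructed pre-approved baseline (the "standard security configuration").
BASELINE = [
    Control("LOG-1", "CloudTrail on and delivered to the central log account",
            "inherited", "high", lambda v: v is True),
    Control("NET-1", "Only approved regions enabled",
            "inherited", "medium", lambda v: set(v) <= APPROVED_REGIONS),
    Control("IAM-1", "Root user has MFA enabled",
            "system", "critical", lambda v: v is True),
    Control("IAM-2", "Password policy minimum length >= 14",
            "system", "medium", lambda v: isinstance(v, int) and v >= 14),
    Control("S3-1", "Account-level S3 Block Public Access on",
            "system", "high", lambda v: v is True),
]

# Constructed snapshots: control_id -> observed value, for two accounts.
SNAPSHOT_COMPLIANT = {
    "LOG-1": True, "NET-1": ["ap-southeast-1"], "IAM-1": True, "IAM-2": 16, "S3-1": True,
}
SNAPSHOT_DRIFTED = {
    # LOG-1 missing: no evidence collected (trail deleted or collector failed)
    "NET-1": ["ap-southeast-1", "us-east-1"],  # unapproved region enabled
    "IAM-1": False,                            # root MFA removed
    "IAM-2": 8,                                # password policy weakened
    "S3-1": True,
}


@dataclass(frozen=True)
class Finding:
    control_id: str
    severity: str
    scope: str
    detail: str


def detect_drift(baseline, snapshot):
    """Return one Finding per control that fails or has no evidence.

    Missing evidence is treated as drift: a control you cannot observe is not
    one you can claim in a system security plan."""
    findings = []
    for c in baseline:
        if c.control_id not in snapshot:
            findings.append(Finding(c.control_id, c.severity, c.scope, "no evidence collected"))
            continue
        observed = snapshot[c.control_id]
        try:
            passed = bool(c.check(observed))
        except (TypeError, ValueError):
            passed = False  # malformed evidence never counts as a pass
        if not passed:
            findings.append(Finding(c.control_id, c.severity, c.scope,
                                    f"{c.description}; observed {observed!r}"))
    return findings


def route_findings(findings):
    """Inherited controls are fixed by the central platform/security team;
    system-specific controls go back to the account owner."""
    routes = {"platform-team": [], "account-owner": []}
    for f in findings:
        routes["platform-team" if f.scope == "inherited" else "account-owner"].append(f)
    return routes


SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}


def highest_severity(findings):
    """Worst severity in a finding set, or None when the account is clean."""
    if not findings:
        return None
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


if __name__ == "__main__":
    for name, snap in (("compliant", SNAPSHOT_COMPLIANT), ("drifted", SNAPSHOT_DRIFTED)):
        fs = detect_drift(BASELINE, snap)
        print(f"{name}: {len(fs)} finding(s), worst={highest_severity(fs)}")
        for owner, items in route_findings(fs).items():
            for f in items:
                print(f"  -> {owner}: {f.control_id} [{f.severity}] {f.detail}")
```

Two design choices matter here: evidence that is absent is reported as drift rather than skipped, so a broken collector cannot make an account look clean, and each finding carries its scope so the alert reaches the team that can actually fix it.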
  • 14. Example Use Case
    Step 1: John designs applications in AWS and needs a development environment.
    Step 2: John’s manager reviews his request and determines the boundaries the account must stay within.
    (Diagram: John’s manager approves the account request in the Governance@Scale Portal, selecting Project Template 1 (project S3 buckets, project EC2 instances), an approved AWS account type, an approved monthly budget ($5,000 or $1,000) and approved access boundaries: IAM policies, IAM roles, MFA token, SSP)
  • 15. Example Use Case
    John designs applications in AWS and needs a development environment.
    Step 3: Automation creates accounts, provides security baselines, and starts monitoring spend.
    (Diagram: the Governance@Scale Portal provisions the approved AWS account with project S3 buckets, project EC2 instances, an approved monthly budget of $1,000, IAM policies, IAM roles, MFA token and SSP; John can start developing)
  • 16. Example Use Case
    John designs applications in AWS and needs a development environment.
    Step 4: The system monitors and actively enforces the AWS budget and security/compliance in real time, and notifies stakeholders of concerns.
    (Diagram: John’s AWS account with project S3 buckets, project EC2 instances, approved monthly budget $1,000, IAM policies, IAM roles, MFA token, SSP; real-time budget enforcement; continuous control monitoring and enforcement; alerts stakeholders of overspend/security violations)
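Slide 12 calls for mapping accounts to the org structure and giving stakeholders near-real-time budget projections, and steps 3 and 4 above have automation watching John’s $1,000 budget and alerting on overspend. The following is an added example of that projection and enforcement logic; it is not code from the deck or from any AWS or partner product. The account IDs, budgets and daily cost lines are constructed to mirror the Company X hierarchy on the slides; a real implementation would pull the cost lines from billing data rather than a literal list.

```python
"""Near-real-time budget projection and enforcement for AWS accounts mapped to
an org structure (Company X -> Dept -> Project -> AWS account).

Added example for this page; not code from the deck or any AWS/partner product.
Account IDs, budgets and daily cost lines are constructed to mirror the deck's
Company X hierarchy and John's $1,000 monthly dev budget.
"""
from collections import defaultdict
from dataclasses import dataclass

WARN_RATIO = 0.8  # projected month-end spend above 80% of budget -> warn stakeholders


@dataclass(frozen=True)
class Account:
    account_id: str        # 12-digit AWS account ID (constructed values below)
    project: str
    department: str
    monthly_budget: float  # approved monthly budget in USD


# Constructed account -> org-structure mapping.
ACCOUNTS = [
    Account("111111111111", "Project 1", "Dept. A", 1000.0),  # John's dev account
    Account("222222222222", "Project 2", "Dept. A", 900.0),
    Account("333333333333", "Project 4", "Dept. B", 2500.0),
]

# Constructed daily cost lines: (account_id, day_of_month, usd).
SPEND_LINES = [
    ("111111111111", 1, 40.0), ("111111111111", 5, 60.0), ("111111111111", 9, 55.0),
    ("222222222222", 2, 120.0), ("222222222222", 8, 130.0),
    ("333333333333", 3, 900.0), ("333333333333", 7, 950.0), ("333333333333", 10, 900.0),
]


def spend_to_date(lines, account_id):
    """Sum of all cost lines seen so far for one account."""
    return sum(usd for acct, _day, usd in lines if acct == account_id)


def project_month_end(spent, day_of_month, days_in_month):
    """Linear run-rate projection: spend so far, scaled to a full month.

    Simple but useful as an early warning; it over-estimates for front-loaded
    spend (one-off provisioning) and under-estimates for spend that ramps up."""
    if not 1 <= day_of_month <= days_in_month:
        raise ValueError("day_of_month must be within the month")
    return spent / day_of_month * days_in_month


def evaluate_account(account, lines, day_of_month, days_in_month):
    """Classify one account as OK, WARN (on track to exceed budget) or
    ENFORCE (budget already exhausted: stop new provisioning and alert)."""
    spent = spend_to_date(lines, account.account_id)
    projected = project_month_end(spent, day_of_month, days_in_month)
    if spent >= account.monthly_budget:
        status = "ENFORCE"
    elif projected >= WARN_RATIO * account.monthly_budget:
        status = "WARN"
    else:
        status = "OK"
    return {
        "account_id": account.account_id,
        "department": account.department,
        "project": account.project,
        "budget": account.monthly_budget,
        "spent": round(spent, 2),
        "projected": round(projected, 2),
        "status": status,
    }


def evaluate_all(accounts, lines, day_of_month, days_in_month):
    return [evaluate_account(a, lines, day_of_month, days_in_month) for a in accounts]


STATUS_RANK = {"OK": 0, "WARN": 1, "ENFORCE": 2}


def rollup_by_department(results):
    """Aggregate per-account results to the department so Dept. heads see total
    budget, spend and projection; the department's status is the worst status
    of any of its accounts."""
    depts = defaultdict(lambda: {"budget": 0.0, "spent": 0.0, "projected": 0.0, "status": "OK"})
    for r in results:
        d = depts[r["department"]]
        d["budget"] += r["budget"]
        d["spent"] += r["spent"]
        d["projected"] += r["projected"]
        if STATUS_RANK[r["status"]] > STATUS_RANK[d["status"]]:
            d["status"] = r["status"]
    return dict(depts)


def alerts(results):
    """Human-readable notifications for every account that is not OK."""
    return [
        f"[{r['status']}] {r['department']} / {r['project']} ({r['account_id']}): "
        f"spent ${r['spent']:.2f} of ${r['budget']:.2f}, projected ${r['projected']:.2f}"
        for r in results if r["status"] != "OK"
    ]


if __name__ == "__main__":
    res = evaluate_all(ACCOUNTS, SPEND_LINES, day_of_month=10, days_in_month=30)
    for line in alerts(res):
        print(line)
    for dept, agg in rollup_by_department(res).items():
        print(dept, agg)
```

With the constructed data on day 10 of a 30-day month, John’s account has spent $155 and projects to $465, so it stays OK; Project 2 projects to $750 against a $900 budget and is flagged WARN; Project 4 has already exceeded its budget and is flagged ENFORCE, which is where a real system would block further provisioning and notify the owner and department head.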
  • 17. What are my solution options?
  • 18. Solution Options
    Option 1: Use the governance@scale pattern and develop your own solution.
    • Develop a mature governance model that can be automated and tracked to enterprise security standards
    • Grow advanced understanding of APIs and AWS Services
    • Define and implement robust resource tagging for budget control
    • Governance@scale solution can be built using AWS native APIs and open source tools
    Option 2**: Sample AWS & Partner Solution
    CloudTamer or Cloud Conformity
    • Robust account governance
    • Automated budget enforcement
    • Compliant baselines and guardrails
    Xacta from Telos Corporation
    • Automated SSP artifact generation
    • Preset security control justifications
    AWS Professional Services
    • Customize CloudFormation Templates
    • Enterprise Accelerator Engagements
    • Apply AWS Cloud Adoption Framework
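Option 1 above depends on “robust resource tagging for budget control”: spend can only be charged back to a department and project if every resource carries valid tags. The following is an added example of a tag-policy check and tag-based cost allocation; it is not code from the deck or from any AWS or partner product. The tag policy, the resource ARNs (EXAMPLE identifiers under constructed account numbers) and the cost lines are constructed for illustration; a real job would read resources and costs from the tagging and billing APIs.

```python
"""Resource-tag validation and tag-based cost allocation for budget control.

Added example for this page; not code from the deck or any AWS/partner product.
The tag policy, the resource ARNs (EXAMPLE IDs under constructed account
numbers) and the cost lines are constructed for illustration.
"""
from collections import defaultdict

# Constructed tag policy: required keys and their allowed values.
TAG_POLICY = {
    "CostCenter": {"Dept-A", "Dept-B", "Dept-C"},
    "Project": {"Project-1", "Project-2", "Project-3", "Project-4", "Project-5", "Project-6"},
    "Environment": {"dev", "test", "prod"},
}

# Constructed cost lines: (resource_arn, tags, usd this month).
COST_LINES = [
    ("arn:aws:ec2:ap-southeast-1:111111111111:instance/i-EXAMPLE0001",
     {"CostCenter": "Dept-A", "Project": "Project-1", "Environment": "dev"}, 120.0),
    ("arn:aws:s3:::example-project1-logs",
     {"costcenter": "Dept-A", "Project": "Project-1"}, 30.0),  # wrong key case, no Environment
    ("arn:aws:rds:ap-southeast-1:333333333333:db:example-db",
     {"CostCenter": "Dept-Z", "Project": "Project-4", "Environment": "prod"}, 200.0),  # unknown cost center
    ("arn:aws:ec2:ap-southeast-1:333333333333:instance/i-EXAMPLE0002",
     {"CostCenter": "Dept-B", "Project": "Project-4", "Environment": "prod"}, 80.0),
]


def validate_tags(tags, policy=TAG_POLICY):
    """Return a list of issues; an empty list means the resource is chargeable.

    AWS tag keys are case-sensitive, so 'costcenter' does not satisfy
    'CostCenter'; such near-misses are reported with a hint because they are
    a common reason spend ends up unallocated."""
    issues = []
    lowered = {k.lower(): k for k in tags}
    for key, allowed in policy.items():
        if key not in tags:
            hint = lowered.get(key.lower())
            if hint and hint != key:
                issues.append(f"missing {key} (found key {hint!r}; tag keys are case-sensitive)")
            else:
                issues.append(f"missing {key}")
        elif tags[key] not in allowed:
            issues.append(f"{key}={tags[key]!r} is not an approved value")
    return issues


def allocate_costs(lines, policy=TAG_POLICY):
    """Roll spend up to (CostCenter, Project). Anything failing the tag policy
    lands in 'unallocated' so the gap is visible rather than silently absorbed
    into someone else's budget."""
    allocated = defaultdict(float)
    unallocated = 0.0
    problems = []
    for arn, tags, usd in lines:
        issues = validate_tags(tags, policy)
        if issues:
            unallocated += usd
            problems.append((arn, issues))
        else:
            allocated[(tags["CostCenter"], tags["Project"])] += usd
    return {"allocated": dict(allocated), "unallocated": unallocated, "problems": problems}


if __name__ == "__main__":
    report = allocate_costs(COST_LINES)
    for (cc, project), usd in sorted(report["allocated"].items()):
        print(f"{cc}/{project}: ${usd:.2f}")
    print(f"unallocated: ${report['unallocated']:.2f}")
    for arn, issues in report["problems"]:
        print(f"  {arn}: {'; '.join(issues)}")
```

Reporting the unallocated total separately is the point: if mis-tagged spend were dropped or folded into a default cost center, the budget projections built on these numbers would be quietly wrong.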
  • 19. Enterprise Cloud Governance – CloudTamer
    CloudTamer is comprehensive cloud management software that allows organizations to more easily scale their use of cloud services and resources from providers such as Amazon Web Services (AWS).
  • 20. Enterprise Cloud Governance – CloudTamer
    CloudTamer’s features include account governance, budget enforcement, and compliance automation. CloudTamer makes it easy for technical staff to create the resources they need and senior leadership to execute financial and compliance oversight responsibilities as cloud adoption grows.
  • 21. Xacta® 360 and the Cloud
    Of-the-cloud, not just in the cloud
    • EA4C Content (inherit common controls)
    • AWS API integration to validate configuration of AWS services
    • EC2 support for scalability
    • Multiple cloud deployment options: SaaS | Private SaaS | AMI
    • Hybrid Support
      • Manage AWS workloads from on-prem
      • Manage on-prem assets from cloud
    “Xacta 360 does for the cloud what Telos has done for the enterprise since 2000.”
  • 22. Xacta® in Action – On-prem, In-cloud, Hybrid
    (Diagrams: Xacta managing hybrid from on-prem; Xacta managing hybrid from cloud)
  • 23. Cloud Conformity – Multi Account Management
    • Consolidated view across multiple AWS accounts
    • 415+ AWS best practice checks run in real-time across all accounts
    • Real-time threat detection, user activity & event log capturing every AWS event
    • Integrations into preferred ticketing + communication channels (JIRA, Slack, etc.)
    • Continuous Well-Architected Framework compliance
  • 24. Cloud Conformity – Cost Optimization
    • Budget & cost fluctuation alerts
    • Cost saving recommendations with optional auto-remediation
    • 60 customizable optimization algorithms
    • Real-time forecasting
    • Cost allocation reporting
    • Multi-account cost insights & visibility
  • 25. Cloud Conformity – Security & Compliance
    Continuous governance monitoring against Well-Architected, CIS, PCI-DSS, HIPAA, GDPR compliance standards. 415+ AWS best practice/governance checks (examples shown on the slide).
  • 26. Next Steps?
  • 27. How do I get there?
    • Build or buy a Governance@Scale solution that can grow with you.
    • Professional Services can help facilitate the design and help you build a solution based on your requirements.
    • Partner Solutions are available (CloudTamer, Cloud Conformity, Xacta® 360, Dome9, Turbot)
    • AWS Landing Zones can help baseline accounts
    • AWS Solutions Architects can help with designing a solution that fits your needs