Delivering infrastructure, security, and operations as code with AWS - DEM10-S - Chicago AWS Summit
1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT
INFRASTRUCTURE, SECURITY AND OPERATIONS “AS CODE”
Kambiz Kazemi
Consulting Engineer
Palo Alto Networks
2. CLOUD AUTOMATION DRIVERS
• Agility, DevSecOps, Multi-cloud
• Palo Alto Networks Automation Capabilities
• Cloud Security Automation Stack
• Applying Cloud Security Automation
• Composable Automation Ecosystem
• Distributable Security
• Cloud Adoption and Benefits
3. NEED FOR AUTOMATION
• Rapidly deploy new applications: Dev → Test → Prod
• Improve security, increase agility, reduce effort to achieve business goals
• Inject security into DevOps → DevSecOps
[Diagram: App, Network and Security layers delivered as Infrastructure as Code (Ansible, AWS CloudFormation templates, Terraform provider for AWS) and Security as Code (Terraform provider for PAN-OS); infrastructure and ongoing configuration “as code”; key stakeholder involvement; automation accelerates adoption]
4. ACCELERATE SECURE CLOUD DEPLOYMENTS
Quick, reproducible, repeatable, scalable: deploy in minutes.
[Diagram: app1, app2 and app3 deployed across Region1 and Region2]
5. CLOUD SECURITY AUTOMATION STACK
• Infrastructure build-out: Terraform cloud templates (Infrastructure as Code)
• Security layer: Terraform provider for PAN-OS (Security as Code)
• Operations: Terraform integration (automated incident response)
Repeatable, consistent, agile, and secure. [Diagram also shows: other public clouds]
6. INFRASTRUCTURE AS CODE: BUILD THE ENVIRONMENT
• Manual process: slow, delayed and extended rollouts
• Infrastructure as Code: deployed in minutes, highly reproducible, agile
[Diagram: Region 1 and Region 2, each VPC carrying an Untrust security group and a Trust security group, the same layout repeated in every region]
7. INFRASTRUCTURE AS CODE: FIREWALL HUB WITH ALBs
• Fully automated
• Blueprint developed and pushed out company-wide
• Huge cost savings
• VM-Series natively integrated with cloud capabilities
• Next: automate build-out of LOB (Line of Business) applications
[Diagram: firewall hub with Application Load Balancers fronting multiple ingress points]
8. SECURITY AS CODE: INTEGRATE LOB WITH FIREWALL HUB
• Automate the creation of PrivateLink tunnels
• Automate deployment of NAT and security policies
• Seamless integration: App + Security = business objectives
• We can do more!
• Next: feed threat intel to VM-Series to block attacks from new sources
[Diagram: LOB applications connected to the firewall hub through PrivateLink and VPN connections (VPN GW), with Application Load Balancers, Network Load Balancers and ingress points]
9. OPS AS CODE: AMAZON GUARDDUTY INTEGRATION
1) Amazon GuardDuty sends security alerts (for example, a malicious IP address) to Amazon CloudWatch
2) The Amazon CloudWatch event triggers a Lambda function
3) The Lambda function registers the malicious IP to a Dynamic Address Group (DAG) using the XML API
4) The DAG is used in the security policy to drop matching sessions (Policy: Drop Session)
[Diagram: Amazon GuardDuty → Amazon CloudWatch → Lambda function → Dynamic Address Group; Untrust security groups in the VPC]
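The four-step flow above, as an added Python example that is not part of the deck or of Palo Alto Networks' code: a Lambda handler that takes a constructed GuardDuty finding in the shape CloudWatch Events delivers, gates it on severity and on the address being external to the VPC, and builds the PAN-OS User-ID XML API "register" message that tags the IP for a Dynamic Address Group. The tag name, the severity floor, the internal address ranges and the finding fields read are assumptions; the HTTPS POST of the fields to the firewall's XML API is left out.

```python
import ipaddress
from xml.etree import ElementTree as ET

DAG_TAG = "guardduty-malicious"  # assumed tag the DAG's match filter selects on
INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # never tag VPC-internal addresses
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample event, shaped like a GuardDuty finding delivered by CloudWatch Events
SAMPLE_EVENT = {"detail": {
    "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
    "service": {"action": {"networkConnectionAction": {
        "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}}}

def remote_ip_from_finding(event):
    """Return the remote IPv4 named by the finding's action block, or None."""
    action = event.get("detail", {}).get("service", {}).get("action", {})
    for key in ("networkConnectionAction", "awsApiCallAction"):
        ip = action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            return ip
    return None

def should_block(event, min_severity=4):
    """Gate on severity and on the address being external; returns the IP or None."""
    ip = remote_ip_from_finding(event)
    if ip is None or event.get("detail", {}).get("severity", 0) < min_severity:
        return None
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return None
    return str(addr)

def build_register_payload(ip, tag=DAG_TAG):
    """PAN-OS User-ID XML API 'register' message that tags the IP so the DAG picks it up."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    entry = ET.SubElement(register, "entry", ip=ip)
    ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")

def handler(event, context=None):
    """Lambda entry point: the form fields the firewall's XML API call would POST."""
    ip = should_block(event)
    if ip is None:
        return None
    return {"type": "user-id", "cmd": build_register_payload(ip)}
```

The firewall side still needs a Dynamic Address Group whose match criterion is that tag and a security rule that drops sessions matching the group, which is step 4 on the slide.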
10. SUMMARY & KEY TAKEAWAYS
• Framework developed with real-world use cases and workflows
• Collaboration based on inputs from customers and cloud providers
• Readily available templates
• Easy to adopt and use
• Highly composable
• Well-defined integration points
[Diagram: a building (Foundation, Pillars, Beams, Cupola) standing for “Cloud Success with Security”, labelled with: Palo Alto Networks VM-Series infrastructure templates, composable cloud security, cloud-native templates, cloud-native tunnels, automation with the Terraform security provider, DevSecOps, extensible]
11. DEMO: CLOUD SECURITY AT THE SPEED OF DEVOPS
Roles: Developer (App Team) and Firewall admin (Sec Team)
0. Infrastructure as code using Terraform templates
1. Push new app
2. Deploy app (AWS CodeDeploy)
3. Commit app security policy
4. Poll and pull changes
5. Push VM-Series policy using PAN-OS Terraform provider
Repeat / Refine / Update
[Diagram: web app with root volume and data volume in an Auto Scaling group, Availability Zone 1, security groups]
12. Thank you!