© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chayan Biswas, Sr. Product Manager, AWS
Eric Gifford, Security Architect, Cambia Health Solutions
Brad Davidson, Security Engineer, Cambia Health Solutions
November 30, 2016
Automating and Scaling Infrastructure
Administration with AWS Management Tools
DEV317
What to Expect from the Session
• Walk through common use cases
• Apply AWS Management Tools
• How-tos, demos and working examples
• Learn to un-bottleneck: maintain developer agility!
The protagonists
IT Admin “Adam” wants:
• Control
• Visibility
• Security
• Auditability
• Compliance
Developer “Daisy” wants:
• Agility
• Accessibility
• Innovation
• Simplicity
By the time we are done…
Portfolio of management tools
AWS CloudFormation AWS Service Catalog AWS CloudTrail
AWS Config Amazon CloudWatch
Range of capabilities
• Provision: speed, infrastructure as code, templatize
• Agility: self-service, delineated access privilege
• Control: guardrails, alarm, auto-correct
• Visibility: audit, troubleshoot
Tools: AWS CloudFormation, AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch
Daisy needs a dev stack
Daisy asks for a dev stack; Adam provisions it via the AWS Management Console, CLI or SDK
Adam needs to provision 100(0)s of stacks
Provision, provision, provision, …
AWS CloudFormation
• Infrastructure as code
• Create templates of your infrastructure
• Version control, replicate and update
• Use existing tools for development & management
• YAML (not just JSON): descriptive, human-readable
AWS CloudFormation: the same template shown side by side in JSON and in YAML
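The following is an added example, not a template from the session: a small dev-stack template built as Python data (so it can be dumped as JSON, or as YAML with PyYAML), with a parameter constraint that refuses a world-open SSH range at template level, and a reference check that catches a dangling `Ref`/`Fn::GetAtt` before you call `aws cloudformation validate-template`. The resource and parameter names and the allowed-CIDR pattern are assumptions for illustration.

```python
"""Added example (not the talk's own code): a CloudFormation template as
Python data plus two local checks. Names and the CIDR pattern are assumed."""
import json
import re


def dev_stack_template(allowed_ssh_cidr_default="10.0.0.0/8"):
    """Return a CloudFormation template for a small dev stack as a dict.

    Intrinsic functions use the JSON long form ({"Ref": ...}) so the same
    structure serializes to JSON or YAML unchanged.
    """
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Dev stack: one instance behind a locked-down security group",
        "Parameters": {
            "VpcId": {"Type": "AWS::EC2::VPC::Id"},
            "ImageId": {"Type": "AWS::EC2::Image::Id"},
            "AllowedSshCidr": {
                "Type": "String",
                "Default": allowed_ssh_cidr_default,
                # Guardrail in the template itself: only RFC 1918 ranges,
                # so 0.0.0.0/0 is rejected at stack creation, not after.
                "AllowedPattern": r"^(10|172\.(1[6-9]|2[0-9]|3[01])|192\.168)\..*",
            },
        },
        "Resources": {
            "DevSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "SSH from internal ranges only",
                    "VpcId": {"Ref": "VpcId"},
                    "SecurityGroupIngress": [{
                        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "CidrIp": {"Ref": "AllowedSshCidr"},
                    }],
                },
            },
            "DevInstance": {
                "Type": "AWS::EC2::Instance",
                "Properties": {
                    "ImageId": {"Ref": "ImageId"},
                    "InstanceType": "t2.micro",
                    "SecurityGroupIds": [{"Ref": "DevSecurityGroup"}],
                    "Tags": [{"Key": "Owner", "Value": "Daisy"}],
                },
            },
        },
        "Outputs": {
            "InstanceId": {"Value": {"Ref": "DevInstance"}},
            "PrivateIp": {"Value": {"Fn::GetAtt": ["DevInstance", "PrivateIp"]}},
        },
    }


def cidr_allowed(template, cidr):
    """Check a value against AllowedSshCidr's AllowedPattern the way
    CloudFormation does (whole-string match)."""
    pattern = template["Parameters"]["AllowedSshCidr"]["AllowedPattern"]
    return re.fullmatch(pattern, cidr) is not None


def dangling_references(template):
    """Return Ref/GetAtt targets that name neither a Parameter nor a
    Resource (pseudo parameters such as AWS::Region are ignored)."""
    declared = set(template.get("Parameters", {})) | set(template.get("Resources", {}))
    missing = set()

    def walk(node):
        if isinstance(node, dict):
            if isinstance(node.get("Ref"), str):
                if not node["Ref"].startswith("AWS::") and node["Ref"] not in declared:
                    missing.add(node["Ref"])
            if isinstance(node.get("Fn::GetAtt"), list) and node["Fn::GetAtt"][0] not in declared:
                missing.add(node["Fn::GetAtt"][0])
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(template)
    return missing


if __name__ == "__main__":
    tpl = dev_stack_template()
    print(json.dumps(tpl, indent=2))
    print("dangling references:", dangling_references(tpl) or "none")
```

Dump the dict with `json.dumps` (or `yaml.safe_dump`) and feed it to `validate-template`; the two local functions only catch what can be checked without an API call.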
Agility and self-service
• Provision: speed, infrastructure as code, templatize
• Agility: self-service, delineated access privilege
AWS Service Catalog workflow
1. Admin creates a portfolio
2. Admin authors an AWS CloudFormation template
3. Admin creates products from templates (ProductX, ProductY, ProductZ)
4. Admin adds constraints to the portfolio
5. Admin grants access to the portfolio
6. Users browse products in a personalized portal and launch them
7. AWS Service Catalog deploys the stacks
8. Events flow back to both the admin and the user
Create custom products and grant access; use a personalized portal to find and launch services
AWS Service Catalog
• Self-serve!
• Approved resources/architectures
• Separate permissions – provision vs. access
• Control usage based on projects/departments
• Tag resources at creation
Using AWS management services
• Approved IT services: browse and launch
• API calls: provision, then use and update
• Monitor, troubleshoot and audit: metrics, alarms and events; configuration and checks; API call history
Visibility & audit
• Control: guardrails, alarm, auto-correct
• Visibility: audit, troubleshoot
AWS CloudTrail
• Records API calls made against AWS resources from the Management Console, CLI and SDK
• Delivers to an S3 bucket: archive and audit
• Delivers to Amazon CloudWatch: monitor, alarm and react; troubleshoot
AWS Config
• Continuous recording
• Inventory of AWS resources
• New and deleted resources
• Configuration change and compliance notifications
• Config Rules: Visibility -> Awareness, Action
AWS Config Rules
• Check configuration changes
• Pre-built rules provided by AWS
• Custom rules using AWS Lambda
• Dashboard
• Compliance results
• Identify offending changes
• GitHub repo: Community sourced rules
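As an added example of a custom rule (not code from the session or from the community repo), the Lambda below evaluates an `AWS::EC2::SecurityGroup` configuration item and reports it NON_COMPLIANT when SSH or RDP is reachable from `0.0.0.0/0` or `::/0`. The decision logic is pure Python over the configuration item, so it can be tested offline; only the handler calls `put_evaluations`. The sample item, the group ID and the choice of ports 22 and 3389 are constructed for illustration.

```python
"""Added example (not the talk's own code): a custom AWS Config rule for
security groups. The sample configuration item below is constructed."""
import json

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # assumed policy: never expose SSH/RDP to the internet


def _port_range(perm):
    """Return (from, to) for a permission; a missing or -1 port means all."""
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or lo == -1:
        return 0, 65535
    return lo, hi if hi is not None else lo


def world_open_admin_ports(group_config):
    """Return the sorted admin ports reachable from the whole internet.

    `group_config` is the `configuration` block of an AWS Config
    configuration item (camelCase keys, as Config records them).
    """
    exposed = set()
    for perm in group_config.get("ipPermissions", []):
        ranges = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
        ranges += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if not WORLD & set(ranges):
            continue
        if perm.get("ipProtocol") not in ("tcp", "-1"):  # -1 = all protocols
            continue
        lo, hi = _port_range(perm)
        exposed |= {p for p in ADMIN_PORTS if lo <= p <= hi}
    return sorted(exposed)


def evaluate_compliance(item):
    """Map a configuration item to (ComplianceType, annotation)."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    ports = world_open_admin_ports(item["configuration"])
    if ports:
        return "NON_COMPLIANT", "open to the internet on port(s) %s" % ports
    return "COMPLIANT", "no admin port exposed to the internet"


def lambda_handler(event, context):
    """Entry point for a configuration-change triggered Config rule."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, reason = evaluate_compliance(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": reason[:256],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    import boto3  # assumed present in the Lambda runtime; not needed to evaluate
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample: SSH and HTTPS both open to the world; only 22 matters.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2016-11-30T10:00:00.000Z",
    "configuration": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        ],
    },
}

if __name__ == "__main__":
    print(evaluate_compliance(SAMPLE_ITEM))
```

Deploy it with a Config rule whose trigger is configuration changes on `AWS::EC2::SecurityGroup`; the `NOT_APPLICABLE` branch for deleted resources matters, because otherwise a deleted group lingers as a stale NON_COMPLIANT result.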
AWS Config and Config Rules
• AWS Config records changing resources: history, snapshots, notifications, API access, normalized configuration
• Config Rules evaluate those recorded changes
Control and auto-correct
• Control: guardrails, alarm, auto-correct
• Visibility: audit, troubleshoot
Fix an EC2 security group
Amazon CloudWatch
• Logs: monitor and store logs from EC2 instances
• Metrics: statistics on key resources
• Alarms: initiate actions when thresholds are crossed
• Events: react to a stream of events
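The "Fix an EC2 security group" demo above is the auto-correct pattern: a CloudWatch Events rule matches the CloudTrail API call `AuthorizeSecurityGroupIngress` and invokes a Lambda that undoes the dangerous part. The code below is an added example of that target, not the session's demo code. It parses the `requestParameters` exactly as CloudTrail nests them (`items` lists), keeps only the rules that open SSH or RDP to the world, and builds the matching `RevokeSecurityGroupIngress` call so a harmless 443 rule added in the same request survives. The event, group ID, account and user ARN are constructed.

```python
"""Added example (not the session's demo): CloudWatch Events -> Lambda
auto-correction of a world-open security group rule. Event is constructed."""
WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # assumed policy


def offending_permissions(request_parameters):
    """Return the IpPermissions (boto3 shape) that must be revoked.

    Only the world-open CIDRs on admin ports are included, so other CIDRs
    or ports granted in the same call are left in place.
    """
    revoke = []
    for perm in request_parameters.get("ipPermissions", {}).get("items", []):
        proto = perm.get("ipProtocol")
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if proto == "-1":            # all protocols/ports
            lo, hi = 0, 65535
        elif proto != "tcp" or lo is None or hi is None:
            continue
        if not any(lo <= p <= hi for p in ADMIN_PORTS):
            continue
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])
              if r.get("cidrIp") in WORLD]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])
              if r.get("cidrIpv6") in WORLD]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": proto}
        if proto != "-1":
            entry.update(FromPort=lo, ToPort=hi)
        if v4:
            entry["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        revoke.append(entry)
    return revoke


def plan_remediation(event):
    """Turn a CloudWatch Events envelope for a CloudTrail call into a
    revoke plan, or None when nothing needs fixing."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    if detail.get("errorCode"):      # the call failed; nothing was opened
        return None
    params = detail["requestParameters"]
    perms = offending_permissions(params)
    if not perms:
        return None
    return {
        "GroupId": params["groupId"],
        "IpPermissions": perms,
        "actor": detail.get("userIdentity", {}).get("arn"),
        "region": detail.get("awsRegion"),
    }


def lambda_handler(event, context):
    plan = plan_remediation(event)
    if plan is None:
        return {"action": "none"}
    import boto3  # assumed present in the Lambda runtime; not needed to plan
    ec2 = boto3.client("ec2", region_name=plan["region"])
    ec2.revoke_security_group_ingress(
        GroupId=plan["GroupId"], IpPermissions=plan["IpPermissions"])
    return {"action": "revoked", "group": plan["GroupId"], "actor": plan["actor"]}


# Constructed event: SSH and HTTPS opened to the world in one API call.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-west-2",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/daisy"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                 "ipv6Ranges": {"items": []}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                 "ipv6Ranges": {"items": []}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(plan_remediation(SAMPLE_EVENT))
```

The Lambda's execution role needs only `ec2:RevokeSecurityGroupIngress`; keep the actor ARN in the return value so the invocation log doubles as an audit trail of who opened what.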
Re-starting AWS Config
IT Admin “Adam” Developer “Daisy”
DEV317- Automating and Scaling Infrastructure
Administration with AWS Management Tools
Presenters:
Eric Gifford – Security Architect
Brad Davidson – Security Engineer
© 2014 Cambia Health Solutions, Inc.
Our story
Our cause
• Cambia - Born from an inspired idea
• Catalyst -> transform healthcare
• Person-focused and economically sustainable
• Embracing cloud innovation to provide personalized and intuitive experiences
• On AWS: Web applications, micro-services, data lake, data science capabilities
© 2016 Cambia Health Solutions, Inc.
Cloud security and automation principles
• Embrace HIPAA-compliant Cloud and DevOps
• Automation: reduce deviations and risk
• Leverage the shared responsibility model by aligning to serverless and managed services
• Build guardrails, not gates!
• Continuously monitor
Continuously monitor cloud environments
λ functions to detect non-compliance:
1) MFA disabled
2) Unauthorized region
3) CloudTrail disabled
4) VPC flow logs disabled
and more…
A good start?
Pros
• Simple
• Independent λ functions
Cons
• Customization in each λ
• Lack of context in CloudTrail events
How to address this?
Keep building!
Decouple & scale
• Move to a 3-tier Lambda
• Design for:
• Efficiency
• Context
• Flexibility
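The four detections listed under "Continuously monitor cloud environments", written in the decoupled direction this slide describes: the checks live in one signature table rather than in separate Lambdas, and a separate enrichment step adds the account and principal context that a raw CloudTrail record lacks. This is an added example, not Cambia's code; it goes one step beyond the list by also flagging a stopped Config recorder (the "Re-starting AWS Config" demo case). The allowed-region list, the account context map, the severities and the CloudTrail records are constructed.

```python
"""Added example (not Cambia's code): signature-driven detection over
CloudTrail records with a separate enrichment step. All data is constructed."""
ALLOWED_REGIONS = {"us-west-2", "us-east-1"}  # assumed policy

# Enrichment db (tier 2): what CloudTrail does not say about the account.
ACCOUNT_CONTEXT = {
    "123456789012": {"name": "dev-account", "owner": "adam@example.com", "phi": False},
}


def mfa_disabled(rec):
    """Successful console login without MFA, or an MFA device removed."""
    if rec.get("eventName") == "ConsoleLogin":
        ok = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
        return ok and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"
    return rec.get("eventName") in {"DeactivateMFADevice", "DeleteVirtualMFADevice"}


def unauthorized_region(rec):
    return rec.get("awsRegion") not in ALLOWED_REGIONS


def cloudtrail_disabled(rec):
    return (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in {"StopLogging", "DeleteTrail"})


def flow_logs_disabled(rec):
    return rec.get("eventSource") == "ec2.amazonaws.com" and rec.get("eventName") == "DeleteFlowLogs"


def config_recorder_stopped(rec):
    return (rec.get("eventSource") == "config.amazonaws.com"
            and rec.get("eventName") in {"StopConfigurationRecorder", "DeleteConfigurationRecorder"})


# Tier 1: the policy/signature table. Adding a detection means one more row.
SIGNATURES = [
    ("MFA_DISABLED", "high", mfa_disabled),
    ("UNAUTHORIZED_REGION", "medium", unauthorized_region),
    ("CLOUDTRAIL_DISABLED", "critical", cloudtrail_disabled),
    ("VPC_FLOW_LOGS_DISABLED", "high", flow_logs_disabled),
    ("CONFIG_RECORDER_STOPPED", "high", config_recorder_stopped),
]


def enrich(rec):
    """Attach account and principal context to a finding."""
    ident = rec.get("userIdentity", {})
    account = ident.get("accountId") or rec.get("recipientAccountId")
    ctx = ACCOUNT_CONTEXT.get(account, {"name": "unknown", "owner": None, "phi": None})
    return {"account": account, "account_name": ctx["name"], "owner": ctx["owner"],
            "phi": ctx["phi"], "principal": ident.get("arn") or ident.get("userName"),
            "source_ip": rec.get("sourceIPAddress"), "time": rec.get("eventTime")}


def evaluate(records):
    """Run every signature over every record; return enriched findings."""
    findings = []
    for rec in records:
        if rec.get("errorCode"):  # the API call was denied; nothing changed
            continue
        for name, severity, check in SIGNATURES:
            if check(rec):
                finding = {"signature": name, "severity": severity, "event": rec.get("eventName")}
                finding.update(enrich(rec))
                findings.append(finding)
    return findings


def _rec(**fields):
    """Build a constructed CloudTrail record with a common identity."""
    base = {"userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                             "arn": "arn:aws:iam::123456789012:user/daisy"},
            "sourceIPAddress": "203.0.113.10"}
    base.update(fields)
    return base


SAMPLE_RECORDS = [  # constructed
    _rec(eventTime="2016-11-30T08:01:00Z", eventSource="signin.amazonaws.com",
         eventName="ConsoleLogin", awsRegion="us-east-1",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec(eventTime="2016-11-30T08:05:00Z", eventSource="cloudtrail.amazonaws.com",
         eventName="StopLogging", awsRegion="us-west-2", requestParameters={"name": "org-trail"}),
    _rec(eventTime="2016-11-30T08:07:00Z", eventSource="ec2.amazonaws.com",
         eventName="RunInstances", awsRegion="eu-central-1"),
    _rec(eventTime="2016-11-30T08:09:00Z", eventSource="ec2.amazonaws.com",
         eventName="DeleteFlowLogs", awsRegion="us-west-2", errorCode="Client.UnauthorizedOperation"),
    _rec(eventTime="2016-11-30T08:10:00Z", eventSource="ec2.amazonaws.com",
         eventName="DescribeInstances", awsRegion="us-west-2"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RECORDS):
        print(f["severity"], f["signature"], f["principal"], f["account_name"])
```

Because each signature is a plain predicate, the "simulation mode" from the later slide is just running `evaluate` over an archived CloudTrail batch and reporting instead of acting, and regression testing is a fixed list of records with the findings you expect.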
Good enough?
Pros
• Enrich event data for granularity
• Centralize policy/signature database
• Optimize λ for speed
Cons
• Complex to use, support, and maintain
• Need for regression testing
How to turn over to Ops and let them operate?
Keep building!
What’s next for us?
• UI to manage policies, dashboard for reporting
• “Simulation mode” (aka dry run)
• Keep enrichment db current
• Integration with ticketing systems
• Apply secure configurations at creation
• VPC Flow Logs + Threat intel?
Demo time!
AWS management tools partners
Thank you!
@ChayanSpeaks
ChayanAtAWS
Remember to complete
your evaluations!