AWS re:Invent 2016: Automating and Scaling Infrastructure Administration with AWS Management Tools (DEV317)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Chayan Biswas, Sr. Product Manager, AWS

Eric Gifford, Security Architect, Cambia Health Solutions

Brad Davidson, Security Engineer, Cambia Health Solutions

November 30, 2016

Automating and Scaling Infrastructure

Administration with AWS Management Tools

DEV317

What to Expect from the Session

• Walkthrough common use cases

• Apply AWS Management Tools

• How-tos, demos and working examples

• Learn to un-bottleneck: maintain develop agility!

The protagonists

IT Admin “Adam” Developer “Daisy”

• Control

• Visibility

• Security

• Auditability

• Compliance

• Agility

• Accessibility

• Innovation

• Simplicity

By the time we are done…

Portfolio of management tools

AWS CloudFormation AWS Service Catalog AWS CloudTrail

AWS Config Amazon CloudWatch

Range of capabilities

Provision

Speed

Infra. as code

Templatize

Agility

Self-service

Delineated access

privilege

Guardrails

Control

AlarmAuto

Correct

Visibility

AuditTrouble-

shoot

AWS CloudFormation AWS Service Catalog AWS CloudTrailAWS ConfigAmazon CloudWatch

Daisy needs a dev stack

Asks for a dev stack Provisions

AWS Management Console

CLI

SDK

Adam needs to provision 100(0)s of stacks

Provision

Provision

Provision

….

AWS CloudFormation

• Infrastructure as code

• Create templates of your infrastructure

• Version control, replicate and update

• Use existing tools for development & management

• YAML (!JSON): Descriptive, human-readable

AWS CloudFormation

JSON YAML

Agility and self-service

Provision

Speed

Infra. as code

Templatize

Agility

Self-service

Delineated access

privilege

Creates portfolio

Adds constraints

and grant access

1

4

5

Portfolio

Browse Products

6Launch ProductsAWS CloudFormation

template

Creates

product3Authors template2 ProductX ProductY ProductZ

7Deploys

stacks

EventsEvents

8

8

AWS Service Catalog

Create custom

products

& grant access

Use a

personalized

portal to find and

launch services

AWS Service Catalog

• Self-serve!

• Approved resources/architectures

• Separate permissions – provision vs. access

• Control usage based on projects/departments

• Tag resources at creation

Using AWS management services

Monitor, troubleshoot

and audit

Approved IT Services

Browse and Launch

API Calls

Provision

Metrics, alarms

and events

Configuration

and checks

Use

and update

Visibility & audit

Guardrails

Control

AlarmAuto

Correct

Visibility

AuditTrouble-

shoot

AWS CloudTrail

AWS CloudTrail

Amazon CloudWatch

S3 Bucket

Management Console

CLI

SDK

AWS resourcesTroubleshoot

Monitor, alarm

and React

Archive and audit

AWS Config

• Continuous recording

• Inventory of AWS resources

• New and deleted resources

• Configuration change and compliance notifications

• Config Rules: Visibility -> Awareness, Action

AWS Config Rules

• Check configuration changes

• Pre-built rules provided by AWS

• Custom rules using AWS Lambda

• Dashboard

• Compliance results

• Identify offending changes

• GitHub repo: Community sourced rules

AWS Config and Config Rules

Record changing

resources

AWS Config

Config Rules

History, Snapshot

Notifications

API Access

Normalized

Control and auto-correct

Guardrails

Control

AlarmAuto

Correct

Visibility

AuditTrouble-

shoot

Control and auto-correct

Guardrails

Control

AlarmAuto

Correct

Visibility

AuditTrouble-

shoot

Fix an EC2 security group

Fix an EC2 security group

Amazon CloudWatch

• Logs

Monitor & Store logs from EC2 Instances

• Metrics

Statistics on key resources

• Alarms

Initiate actions when thresholds are crossed

• Events

React to a stream of events

Re-starting AWS Config

IT Admin “Adam” Developer “Daisy”

DEV317- Automating and Scaling Infrastructure

Administration with AWS Management Tools

Presenters:

Eric Gifford – Security Architect

Brad Davidson – Security Engineer

© 2014 Cambia Health Solutions, Inc.

Our story

3434

Our cause

• Cambia - Born from an inspired idea

• Catalyst -> transform healthcare

• Person-focused and economically sustainable

• Embracing cloud innovation to provide personalized and intuitive experiences

• On AWS: Web applications, micro-services, data lake, data science capabilities


3535

Cloud security and automation principles

• Embrace HIPAA-compliant Cloud and DevOps

• Automation: reduce deviations and risk

• Leverage the shared responsibility model by aligning to serverlessand managed services

• Build guardrails, not gates!

• Continuously monitor


3636 © 2016 Cambia Health Solutions, Inc.

3737

Continuously monitor cloud environments

λ functions to detect non-compliance:

1) MFA disabled

2) Unauthorized region

3) CloudTrail disabled

4) VPC flow logs disabled

and more…


3838

A good start?

Pros

• Simple

• Independent λ functions

Cons

• Customization in each λ

• Lack of context in CloudTrail events

How to address this?

Keep building!


3939

Decouple & scale

• Move to a 3-tier Lambda

• Design for:

• Efficiency

• Context

• Flexibility


4040 © 2016 Cambia Health Solutions, Inc.

4141

Good enough?

Pros

• Enrich event data for granularity

• Centralize policy/signature database

• Optimize λ for speed

Cons

• Complex to use, support, and maintain

• Need for regression testing

How to turn over to Ops and let them operate?

Keep building!


4242

What’s next for us?

• UI to manage policies, dashboard for reporting

• “Simulation mode” (aka dry run)

• Keep enrichment db current

• Integration with ticketing systems

• Apply secure configurations at creation

• VPC Flow Logs + Threat intel?


4343

Demo time!


AWS management tools partners

Thank you!

@ChayanSpeaks

ChayanAtAWS

Remember to complete

your evaluations!

AWS re:Invent 2016: Automating and Scaling Infrastructure Administration with AWS Management Tools (DEV317)

Technology