Page 1
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Leveraging a Cloud Policy Framework - From Zero to Well Governed
Vikram Pillai, Chief Architect, CloudHealth Technologies
ENT318
Page 2
Who is CloudHealth Technologies?
• Deep Domain Expertise
• $86 Million in Venture Capital Raised
• 600+ Direct Customers
• 1,500+ Channel Customers through
• 85+ Partners
• 200+ Employees
• Headquartered in Boston, MA
• Offices located in San Francisco, Washington DC, London, Amsterdam, Tel Aviv, Sydney & Singapore
Page 3
Global Customer Success
Page 4
What to Expect from this Session
• Problem & Organizational Impact
• Solution: Cloud Policy Framework
• How CloudHealth implements the Cloud Policy Framework
• Governance as Code
• Examples (Security, Reliability, Cost/Performance)
• Next Steps
Page 5
Benefits of AWS
• AWS Cloud has enabled business transformation
• Pace of change is accelerating
Page 6
What is the Problem?
• As you scale your AWS environment, a thoughtful governance approach becomes more and more important
• Governance: people, criteria, processes, and tools that ensure secure, effective, and efficient use of IT resources
• Solved today: brute force
Page 7
What is the Solution?
• Technology, not labor
• Continuous monitoring and action
• Capture Business rules
• Establish defined processes
• Automate business policies
• Adopt best practices
Page 8
Journey to Governance (figure): Adoption → Scaling → Management → Governance
Page 9
Driving Successful Governance
Establish Strategy
• Decentralized Management
• Central Governance
Focused team / expertise
• Cloud Steward
• Center of Excellence
Definition/Adoption
• Definition and management of policies
• Communication and buy-in
Tooling
• Capturing and managing policies
• Data integration
Runbook
• Define response
• Automation of workflow
Reporting
• Executive level health
• Enterprise level adoption
• Operational view for management
(figure axis: AGILITY → CONTROL)
Page 10
Current Solution (BYOT)
Amazon Services
• AWS Config & Config Rules
• AWS CloudTrail
• AWS CloudWatch
• AWS Lambda
• ...
Open Source Tools
• Cloud Custodian
Custom Applications
• Large investment
• Typically incomplete
• Continued commitment
Commercial Tools
• Domain Specific (Security)
• Broader Platforms
Page 11
Challenges to BYOT
• Data Integrations
• Extensibility
• Maintainability
• Capturing business priorities
• Adopting best practices
• Customizing for multiple targets
Page 12
Set Unique Policies per Environment
Production
Staging
QA
Research
Page 13
Set Unique Policies per Line of Business
(figure: three business units, BU1, BU2 and BU3, each with its own policy set and budget: $400k, $150k, $1M)
Page 14
Types of Best Practice Policies to Consider
Financial management policies
Performance Management Policies
Security and Incident Management Policies
Operational Governance Policies
Asset & Configuration Management Policies
Cost optimization Policies
Page 15
Anatomy of a Policy
• Data being operated on
• A clearly defined condition
• Evaluation: True or False
• Actions to be taken
Page 16
Policy Execution Flow (figure): Data Streams → Trigger → Rule → Evaluation → Action
Page 17
Components of Policy: Inputs / Data Sources
• Cloud Assets
• Metrics
• Logs
• Event
Page 18
Components of Policy: Triggers
• Schedules
• Event-Based
• State-Driven
Page 19
Components of Policy: Rules
• Upon the occurrence of a trigger, perform some logic against the input data
• Composite with many clauses
  • (A OR B)
  • ((A OR B) AND C)
Page 20
Components of Policy: Actions & Remediation
• Email the owner of an asset
• Terminate EC2 Instance
Page 21
Governance as Code
• Need a centralized, programmatic approach
• Capture entire policy as a self-contained, descriptive unit
  • Data, Trigger, Condition, Action, Targets
• Portable and Universal
• Serves as system of record
Page 22
Example: Security
Recommendation
1.3 Ensure credentials unused for 90 days or greater are disabled (Scored)
Page 23
Ensure Credentials Unused for 90 Days or Greater are Disabled
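As an added example (not CloudHealth's code and not from the deck), here is the CIS 1.3 recommendation above captured as one governance-as-code unit in the shape the earlier slides describe: data source, trigger, a composite condition of the ((A OR B) AND C) form, actions and targets. The credential report, the user names and the field names are constructed for illustration and do not reflect a real account.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Constructed sample shaped like an IAM credential report (fictitious users, not real data).
NOW = datetime(2017, 11, 28, tzinfo=timezone.utc)
CREDENTIALS = [
    {"user": "alice", "kind": "password",   "enabled": True,  "last_used": NOW - timedelta(days=12)},
    {"user": "bob",   "kind": "access_key", "enabled": True,  "last_used": NOW - timedelta(days=140)},
    {"user": "carol", "kind": "access_key", "enabled": True,  "last_used": None},  # never used
    {"user": "dave",  "kind": "password",   "enabled": False, "last_used": NOW - timedelta(days=400)},
]
Clause = Callable[[Dict], bool]  # one rule clause: asset -> True when the clause holds

@dataclass
class Policy:  # one self-contained governance unit: data, trigger, condition, actions, targets
    policy_id: str
    data_source: Callable[[], List[Dict]]
    trigger: str                      # e.g. "schedule:daily" or "event:iam-change"
    condition: Clause                 # True means the asset violates the policy
    actions: List[str]                # ordered remediation steps (notify first, then fix)
    targets: Dict = field(default_factory=dict)  # scoping, e.g. environment or business unit

# Composite-rule helpers for the (A OR B) and ((A OR B) AND C) forms.
def any_of(*clauses: Clause) -> Clause:
    return lambda asset: any(c(asset) for c in clauses)
def all_of(*clauses: Clause) -> Clause:
    return lambda asset: all(c(asset) for c in clauses)

def unused_for(days: int) -> Clause:  # used at least once, but not within `days` days
    return lambda a: a["last_used"] is not None and (NOW - a["last_used"]).days >= days

never_used: Clause = lambda a: a["last_used"] is None
enabled: Clause = lambda a: a["enabled"]

def evaluate(policy: Policy) -> List[Dict]:
    """Run the condition over every asset; emit one finding per violation with its actions."""
    return [{"policy": policy.policy_id, "asset": a["user"], "kind": a["kind"],
             "actions": list(policy.actions)}
            for a in policy.data_source() if policy.condition(a)]

# CIS 1.3 as code: ((never used OR unused for 90+ days) AND still enabled).
CIS_1_3 = Policy(
    policy_id="cis-1.3-unused-credentials",
    data_source=lambda: CREDENTIALS,
    trigger="schedule:daily",
    condition=all_of(any_of(never_used, unused_for(90)), enabled),
    actions=["email_owner", "disable_credential"],
    targets={"environment": "production"},
)
```

Running `evaluate(CIS_1_3)` on the sample flags bob (stale key) and carol (never-used key) and leaves dave alone because his credential is already disabled; the finding carries the snapshot a reviewer needs for the audit and remediation steps that follow.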
Page 24
Audit
Page 25
Remediation
Page 26
Example 1: CIS Unused Credentials
Page 27
Policy Identity & Source
Page 28
Policy Documentation
Page 29
Policy Data Sources
Page 30
Policy Triggers
Page 31
Policy Condition
Page 32
Policy Action
Page 33
Example 2: Well-Architected Framework
Page 34
Example 2: Well-Architected Framework
Page 35
Data Source
Page 36
Trigger
Page 37
Condition
Page 38
Actions
Page 39
Example 3: Custom Cost & Usage Policy
Page 40
Example 3: Custom Cost & Usage Policy
Page 41
Example 3: Custom Cost & Usage Policy
Page 42
Best Practices for Policy Authoring and Management
Iterate
• Start with basic elements and add/evolve
Manage like any code
• Use version control to understand history and roll back
Leverage best practices
• Implemented once and kept up-to-date
Share
• Build a community library
• Open repository (with reviews)
Page 43
Governance Reporting: Measuring Success
Operational
• Snapshot at time of violation (enough data to justify the occurrence of the event)
• Kept for historical analysis
Business Unit
• List of assets that are non-compliant with a given policy
• Grouped by owners
Executive/Health
• BU level aggregate stats (# of assets out of compliance)
Page 44
How to Get Started
• Establish strategy
• Define Governance Policies
• Adopt best practices
• Automate evaluation of policies
• Systematically become more aggressive in remediation over time
• Track and trend governance metrics
Page 45
VISIT US AT BOOTH #1125
Come play our trivia game for a chance to win $2,500
THANK YOU!