AWS re:Invent 2016: Automating and Scaling Infrastructure Administration with AWS Management Tools...
Transcript of AWS re:Invent 2016: Automating and Scaling Infrastructure Administration with AWS Management Tools...
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chayan Biswas, Sr. Product Manager, AWS
Eric Gifford, Security Architect, Cambia Health Solutions
Brad Davidson, Security Engineer, Cambia Health Solutions
November 30, 2016
Automating and Scaling Infrastructure
Administration with AWS Management Tools
DEV317
What to Expect from the Session
• Walk through common use cases
• Apply AWS Management Tools
• How-tos, demos and working examples
• Learn to un-bottleneck: maintain developer agility!
The protagonists
IT Admin “Adam”
• Control
• Visibility
• Security
• Auditability
• Compliance
Developer “Daisy”
• Agility
• Accessibility
• Innovation
• Simplicity
Portfolio of management tools
AWS CloudFormation, AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch
Range of capabilities
Provision
Speed
Infra. as code
Templatize
Agility
Self-service
Delineated access privilege
Guardrails
Control
Alarm, Auto-correct
Visibility
Audit, Troubleshoot
AWS CloudFormation, AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch
AWS CloudFormation
• Infrastructure as code
• Create templates of your infrastructure
• Version control, replicate and update
• Use existing tools for development & management
• YAML (not just JSON): descriptive, human-readable
Agility and self-service
[Diagram: AWS Service Catalog workflow. Administrator: authors an AWS CloudFormation template, creates products (ProductX, ProductY, ProductZ), creates a portfolio, adds constraints and grants access. End user: browses products in the portfolio and launches them, which deploys stacks; events are emitted along the way.]
AWS Service Catalog: create custom products & grant access; use a personalized portal to find and launch services.
AWS Service Catalog
• Self-serve!
• Approved resources/architectures
• Separate permissions – provision vs. access
• Control usage based on projects/departments
• Tag resources at creation
Using AWS management services
[Diagram: approved IT services are browsed and launched; API calls (Management Console, CLI, SDK) provision, use and update AWS resources; the management services then monitor, troubleshoot and audit.]
• AWS CloudTrail: API calls are recorded, archived to an S3 bucket and audited
• Amazon CloudWatch: metrics, alarms and events; monitor, alarm and react
• AWS Config: configuration and checks; troubleshoot
AWS Config
• Continuous recording
• Inventory of AWS resources
• New and deleted resources
• Configuration change and compliance notifications
• Config Rules: Visibility -> Awareness, Action
AWS Config Rules
• Check configuration changes
• Pre-built rules provided by AWS
• Custom rules using AWS Lambda
• Dashboard
• Compliance results
• Identify offending changes
• GitHub repo: Community sourced rules
AWS Config and Config Rules
[Diagram: AWS Config records changing resources and feeds Config Rules; outputs are history and snapshots, notifications, and normalized API access.]
Amazon CloudWatch
• Logs: monitor & store logs from EC2 instances
• Metrics: statistics on key resources
• Alarms: initiate actions when thresholds are crossed
• Events: react to a stream of events
DEV317- Automating and Scaling Infrastructure
Administration with AWS Management Tools
Presenters:
Eric Gifford – Security Architect
Brad Davidson – Security Engineer
© 2014 Cambia Health Solutions, Inc.
Our story
Our cause
• Cambia - Born from an inspired idea
• Catalyst -> transform healthcare
• Person-focused and economically sustainable
• Embracing cloud innovation to provide personalized and intuitive experiences
• On AWS: Web applications, micro-services, data lake, data science capabilities
© 2016 Cambia Health Solutions, Inc.
Cloud security and automation principles
• Embrace HIPAA-compliant Cloud and DevOps
• Automation: reduce deviations and risk
• Leverage the shared responsibility model by aligning to serverless and managed services
• Build guardrails, not gates!
• Continuously monitor
Continuously monitor cloud environments
λ functions to detect non-compliance:
1) MFA disabled
2) Unauthorized region
3) CloudTrail disabled
4) VPC flow logs disabled
and more…
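An added example (not code from the talk or from Cambia) of what such a detection λ can look like: a Lambda-style Python handler that evaluates constructed CloudTrail records against the four checks listed above. The allowed-region set, the policy names and the sample records are assumptions.

```python
"""Detect non-compliant activity in CloudTrail records (added example; sample data is constructed)."""
from typing import Dict, List

ALLOWED_REGIONS = {"us-west-2", "us-east-1"}  # assumption: the org's approved regions

# Control-plane calls that weaken logging or MFA, keyed by (eventSource, eventName).
DISABLING_CALLS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "CloudTrail disabled",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "CloudTrail disabled",
    ("ec2.amazonaws.com", "DeleteFlowLogs"): "VPC flow logs disabled",
    ("iam.amazonaws.com", "DeactivateMFADevice"): "MFA disabled",
}


def evaluate(record: Dict) -> List[str]:
    """Return the policy names one CloudTrail record violates (empty list = compliant)."""
    findings = []
    key = (record.get("eventSource"), record.get("eventName"))
    if key in DISABLING_CALLS:
        findings.append(DISABLING_CALLS[key])
    if record.get("awsRegion") not in ALLOWED_REGIONS:
        findings.append("Unauthorized region")
    # Console sign-in without MFA: CloudTrail reports this in additionalEventData.MFAUsed.
    if key == ("signin.amazonaws.com", "ConsoleLogin") and \
            record.get("additionalEventData", {}).get("MFAUsed") == "No":
        findings.append("MFA disabled")
    return findings


def handler(event: Dict, context=None) -> List[Dict]:
    """Lambda-style entry point: CloudTrail delivers a {"Records": [...]} document."""
    alerts = []
    for rec in event.get("Records", []):
        for policy in evaluate(rec):
            alerts.append({"policy": policy, "eventName": rec.get("eventName"),
                           "region": rec.get("awsRegion"),
                           "principal": rec.get("userIdentity", {}).get("arn")})
    return alerts


# Constructed sample records (account id and principals are placeholders).
SAMPLE_EVENT = {"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-west-2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "additionalEventData": {"MFAUsed": "No"}, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
]}

if __name__ == "__main__":
    for alert in handler(SAMPLE_EVENT):
        print(alert)
```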
A good start?
Pros
• Simple
• Independent λ functions
Cons
• Customization in each λ
• Lack of context in CloudTrail events
How to address this?
Keep building!
Decouple & scale
• Move to a 3-tier Lambda architecture
• Design for:
• Efficiency
• Context
• Flexibility
Good enough?
Pros
• Enrich event data for granularity
• Centralize policy/signature database
• Optimize λ for speed
Cons
• Complex to use, support, and maintain
• Need for regression testing
How to turn over to Ops and let them operate?
Keep building!
What’s next for us?
• UI to manage policies, dashboard for reporting
• “Simulation mode” (aka dry run)
• Keep enrichment db current
• Integration with ticketing systems
• Apply secure configurations at creation
• VPC Flow Logs + Threat intel?