As organizations shift from traditional on-premises or dedicated hosted solutions to public cloud providers like Amazon Web Services (AWS), many are trying to determine the best way to govern how they operate in this new model. How does the organization maintain control, or governance, over access, cost, and security while still allowing teams to be agile and deliver at velocity?
In this short series, we will look at ways to address governance at different ends of the scale. We will start by looking at small scale AWS deployments and then into larger scale deployments. In addition, we will dig deeper into a few of the available tools and services.
Many organizations, whether small or large, may initially start with a few users and a few AWS accounts. It is easy to get a handle on governance when you are working at this small scale. However, things start to get harder as you move to 10, 100, or 1000+ accounts, with just as many users and groups trying to access different accounts. This typically leaves a mesh of different access needs between the various users, groups, and accounts.
Let’s examine some different ways of managing access, monitoring costs, and adding security monitoring at different scales. There are many ways to tackle these challenges, as well as several best practices and security recommendations. One thing to keep in mind is that all these methods can be used at any scale; it just changes the complexity and level of work to get the job done. Every organization needs to determine what is best for their deployment and situation.
Governance on a Small Scale
In this first installment, we will look at small-scale deployments. This would be a few AWS accounts and a small number of users. With a few users and accounts, it is easy to keep track of what is happening with the accounts and the workload(s) running in them. It may be easy enough to manually configure and monitor everything within the account or use any of the many tools and services to automate the job.
Identity and Access Management (IAM)
On a small scale, users can be created and managed directly in each AWS account through the AWS Management Console. Multi-factor authentication, an account password policy, and standard IAM roles and policies (scoped to the least privilege each user or workload actually needs) should be used to their full potential. Best practice is also to lock down the account's root user: enable MFA on it, delete any root access keys, and use it only for the few tasks that require it or in an emergency.
From an automation standpoint, the AWS CLI or any of the SDKs can be used to script the creation, management, and auditing of IAM configurations. For auditing, the IAM credential report is the most convenient single input: one CSV per account listing every user's MFA status, password use, and access key age.
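As an added example (not code from the original post), the script below audits the IAM credential report for the checks that matter most in a small account: a root user without MFA or with active access keys, console users without MFA, and access keys that are stale or have never been used. It parses the CSV layout IAM actually emits; the embedded report, the account ID, the "as of" time, and the 90-day rotation window are constructed values assumed for this example. The boto3 fetch at the end uses the real GenerateCredentialReport and GetCredentialReport calls and is only invoked when you run it against a live account.

```python
"""Audit an IAM credential report (offline, from CSV) for small-account hygiene.

Columns are the ones IAM returns from GetCredentialReport. SAMPLE_REPORT and
SAMPLE_NOW are constructed for this example; ROTATION_DAYS is an assumed policy.
"""
import csv
import io
import time
from collections import namedtuple
from datetime import datetime, timezone

ROTATION_DAYS = 90  # assumed policy value (CIS recommends rotating keys every 90 days)

# Constructed sample in the exact CSV layout IAM produces; account 123456789012 is fictional.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2017-01-10T12:00:00+00:00,not_supported,2018-03-01T09:12:00+00:00,not_supported,not_supported,false,true,2017-01-10T12:00:00+00:00,2017-02-01T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-02-01T00:00:00+00:00,true,2018-03-02T08:00:00+00:00,2018-01-15T00:00:00+00:00,2018-04-15T00:00:00+00:00,true,true,2018-02-20T00:00:00+00:00,2018-03-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-02-01T00:00:00+00:00,true,2018-03-02T08:00:00+00:00,2017-06-01T00:00:00+00:00,2017-09-01T00:00:00+00:00,false,true,2017-06-01T00:00:00+00:00,N/A,N/A,N/A,true,2018-02-01T00:00:00+00:00,2018-03-01T00:00:00+00:00,us-west-2,lambda,false,N/A,false,N/A
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,2017-05-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2018-01-05T00:00:00+00:00,2018-03-02T00:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
SAMPLE_NOW = datetime(2018, 3, 5, tzinfo=timezone.utc)  # constructed "as of" time for the sample

Finding = namedtuple("Finding", "user check detail")


def _parse_ts(value):
    """IAM writes N/A, no_information or not_supported where there is no timestamp."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=None, rotation_days=ROTATION_DAYS):
    """Return a list of Finding tuples for every hygiene problem in the report."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"
        if user == "<root_account>":
            if not has_mfa:
                findings.append(Finding(user, "root_no_mfa", "root user has no MFA device"))
            if any(row[f"access_key_{n}_active"] == "true" for n in (1, 2)):
                findings.append(Finding(user, "root_access_key", "root user has an active access key"))
        elif console and not has_mfa:
            findings.append(Finding(user, "console_user_no_mfa", "console password enabled without MFA"))
        for n in (1, 2):  # both key slots, root included
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is not None and age > rotation_days:
                findings.append(Finding(user, "stale_access_key", f"access key {n} last rotated {age} days ago"))
            if _parse_ts(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append(Finding(user, "unused_access_key", f"access key {n} has never been used"))
    return findings


def fetch_credential_report():
    """Pull the live report with boto3 (needs iam:GenerateCredentialReport and iam:GetCredentialReport)."""
    import boto3  # imported here so the offline audit above runs without boto3 installed
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous; poll until it is ready
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT, now=SAMPLE_NOW):
        print(f"{f.user:16} {f.check:22} {f.detail}")
```

Replace `SAMPLE_REPORT` with `fetch_credential_report()` to run it against a real account. The same function scales to a handful of accounts by looping over profiles or assumed roles, which is where the larger-scale installment picks up.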
Cost Management
With a small number of accounts, it is easy to manually track and manage cost via the Billing interface in the AWS console. Enhanced billing tools such as Cost Explorer, Budgets (with alerts when a threshold is crossed), Cost and Usage Reports, and Consolidated Billing can be enabled to provide more detail on spend, but it is still a manual review process.
Trusted Advisor's Cost Optimization checks make recommendations on several cost-saving measures, such as underutilized or idle resources, that can help reduce unnecessary AWS spend.
Security Monitoring
Some level of security monitoring should be enabled on an organization's AWS account. How much is ultimately up to the organization, but several built-in tools can be employed.
- CloudTrail records management events by default, and the console's Event history keeps 90 days of them at no charge. Longer retention requires creating a trail that delivers logs to an S3 bucket; the first copy of management events is free, but S3 storage, data events, and additional copies are charged. Make the trail multi-region and turn on log file validation so that a deleted or altered log file can be detected. The console can search Event history, but anything older than 90 days has to be queried from the S3 copy.
- Config Rules can be enabled on an account. AWS provides many managed rules for security checks, and custom rules can be written as Lambda functions. Keep in mind that Config is regional: the configuration recorder and each rule must be set up in every region where they are needed, and the compliance results stay in that region. Compliance status can be viewed in the console or via the AWS CLI (aws configservice describe-compliance-by-config-rule). For automation, configuration and compliance change notifications can be sent to an SNS topic for further processing, or scripting can collect and report on Config Rule compliance status.
- Trusted Advisor's Security checks report on and make recommendations for many account-level security settings (open security groups, MFA on the root user, IAM use, and so on). Again, the console is used to view the results; note that only a subset of the security checks is available without a Business or Enterprise support plan.
- At the workload level, Amazon Inspector, AWS Systems Manager, and AWS WAF provide workload-specific security tooling: vulnerability assessment of EC2 instances, patch and configuration management, and filtering of HTTP requests, respectively.
As an easy first step, AWS recently released a compliance-related AWS Quick Start (https://aws.amazon.com/quickstart/) based on the CIS Amazon Web Services Foundations Benchmark developed by the Center for Internet Security (CIS). The CIS Benchmark Quick Start deploys several resources via CloudFormation (Config Rules, CloudWatch metric filters and alarms over CloudTrail logs, and their supporting resources) to perform checks based on CIS' recommendations. The Quick Start is region dependent and must be deployed in each applicable region. More details can be found on AWS' CIS Benchmark Quick Start page: https://aws.amazon.com/quickstart/architecture/accelerator-cis-benchmark/.
One downside of Config Rules and the CIS Quick Start is that their results are per account and per region. Consolidating them means either purchasing a tool or writing code that iterates over every region (and, later, every account) and merges the results; otherwise, compliance status has to be pulled from multiple places by hand.
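The consolidation described above, as an added example that is not part of the original post: the functions below merge per-region DescribeComplianceByConfigRule results into a single rule-by-region matrix, list the non-compliant rules, and flag regions where a rule seen elsewhere was never deployed (the coverage gap that a regional service makes easy to miss). The sample responses and region list are constructed for this example; the live collector at the end uses real boto3 calls and handles the NextToken pagination the API requires.

```python
"""Consolidate AWS Config rule compliance across regions into one view.

Works on the ComplianceByConfigRules structure that
describe_compliance_by_config_rule returns. SAMPLE_BY_REGION and
SAMPLE_REGIONS are constructed for this example.
"""
from collections import defaultdict

# Constructed sample: what each region's Config API returned, already
# flattened across NextToken pages. eu-west-1 never had a recorder enabled.
SAMPLE_BY_REGION = {
    "us-east-1": [
        {"ConfigRuleName": "root-account-mfa-enabled",
         "Compliance": {"ComplianceType": "NON_COMPLIANT",
                        "ComplianceContributorCount": {"CappedCount": 1, "CapExceeded": False}}},
        {"ConfigRuleName": "cloudtrail-enabled",
         "Compliance": {"ComplianceType": "COMPLIANT"}},
        {"ConfigRuleName": "restricted-ssh",
         "Compliance": {"ComplianceType": "NON_COMPLIANT",
                        "ComplianceContributorCount": {"CappedCount": 3, "CapExceeded": False}}},
    ],
    "us-west-2": [
        {"ConfigRuleName": "cloudtrail-enabled", "Compliance": {"ComplianceType": "COMPLIANT"}},
        {"ConfigRuleName": "restricted-ssh", "Compliance": {"ComplianceType": "COMPLIANT"}},
    ],
    "eu-west-1": [],
}
SAMPLE_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]


def consolidate(results_by_region):
    """Return {rule_name: {region: (compliance_type, noncompliant_resource_count)}}."""
    matrix = defaultdict(dict)
    for region, entries in results_by_region.items():
        for entry in entries:
            comp = entry["Compliance"]
            # ComplianceContributorCount is only present for NON_COMPLIANT rules
            count = comp.get("ComplianceContributorCount", {}).get("CappedCount", 0)
            matrix[entry["ConfigRuleName"]][region] = (comp["ComplianceType"], count)
    return dict(matrix)


def noncompliant(matrix):
    """Sorted (rule, region, resource_count) for every NON_COMPLIANT evaluation."""
    return sorted((rule, region, count)
                  for rule, by_region in matrix.items()
                  for region, (ctype, count) in by_region.items()
                  if ctype == "NON_COMPLIANT")


def coverage_gaps(matrix, regions):
    """Sorted (rule, region) where a rule deployed somewhere is absent in a region.

    Rules for global resources (IAM, CloudTrail account settings) are legitimately
    deployed in one region only; filter those out before treating a gap as a finding.
    """
    return sorted((rule, region)
                  for rule, by_region in matrix.items()
                  for region in regions
                  if region not in by_region)


def collect_all_regions():
    """Live collector: every enabled region, every page of compliance results."""
    import boto3  # imported here so the offline functions above run without boto3
    ec2 = boto3.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    results = {}
    for region in regions:
        config = boto3.client("config", region_name=region)
        entries, kwargs = [], {}
        while True:  # explicit NextToken loop; results are capped per page
            page = config.describe_compliance_by_config_rule(**kwargs)
            entries.extend(page["ComplianceByConfigRules"])
            if "NextToken" not in page:
                break
            kwargs["NextToken"] = page["NextToken"]
        results[region] = entries
    return results, regions


if __name__ == "__main__":
    matrix = consolidate(SAMPLE_BY_REGION)
    for rule, region, count in noncompliant(matrix):
        print(f"NON_COMPLIANT {rule} in {region} ({count} resources)")
    for rule, region in coverage_gaps(matrix, SAMPLE_REGIONS):
        print(f"not deployed  {rule} in {region}")
```

Swap `SAMPLE_BY_REGION, SAMPLE_REGIONS` for `collect_all_regions()` to run it live; the caller needs `config:DescribeComplianceByConfigRule` in every region and `ec2:DescribeRegions`. The coverage-gap check is the part most worth keeping: a rule that is compliant in the one region where it exists says nothing about the regions where nobody deployed it.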
Wrapping Things Up
We looked at a few ways governance can be implemented on a small scale. This does not preclude using any of the many other methods or tools out there that can be used to solve governance issues within your organization. Sometimes the choices come down to a cost versus benefit for what you are doing in the Cloud. Other times, it will be based on your organization’s processes and policies.
In the next installment, we will look at how these same techniques work or don’t work on a larger scale. Organizations will have to address how they work at scale or use different techniques that may scale better.
Bob is a member of the CTO Architect Team at Sungard Availability Services. In his over 25 years of IT experience, he has touched just about every aspect of technology from desktops to large enterprise systems and everything that connects them together. His last 10 years have been focused on Information Security, including Red Team, Blue Team, technical controls, and managing security operations. Prior to Sungard Availability Services, Bob held several positions at AT&T (formerly USi) and TASC. Bob holds a B.S. in Electrical Engineering from Virginia Tech.