Page 1: How to govern your AWS accounts successfully · PDF file · 2016-06-30

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

presented by

Robert Sternberg/Cloudreach

How to govern your AWS accounts successfully

Page 2:

What is (IT) governance?

Various definitions exist:

“A framework to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations”

● What might these obligations include?

Page 3:

What is (IT) governance?

Corporate obligations will include:

● Ensuring legal compliance
● Ensuring data protection compliance
● Ensuring regulatory compliance
● Ensuring corporate reputation is maintained
● Ensuring stakeholder value

• Budget management
• Project costing, review and approval processes
• Project management processes
• Project lifecycle management (dev, UAT, go-live, retirement)

Page 4:

What has this got to do with the cloud?

● The cloudy PAYG (pay-as-you-go), provision-on-demand model presents challenges to governance and corporate acceptance

● The key blockers for cloud adoption in large business are typically:
• Accountability (the overarching “who’s responsible for what”)
• Cost management (shareholder value)
• Security management (regulatory, legal, data compliance and reputation)

Page 5:

Cloud and the ‘grey IT’

● Cloud makes it easy for lines of businesses to develop and run their own resources

● Paid by (and often expensed to) a credit card
● Under the radar of corporate IT governance controls
● Because it cuts out that pesky ‘red tape’
● And makes governance nigh on impossible

Page 6:

Real world example

Publishing Company

● Aggregated their officially sanctioned AWS accounts and ‘grey IT’ accounts under the control of their central TechOps teams

● 7 consolidated billing masters
● > 100 linked accounts
● > 10,000 instances
● Multiple product teams per account
● > $1m per calendar month spend
● So who owns what, and how do you manage that at scale?

Page 7:

Cost Estimation & Management

Page 8:

Focus on EC2/RDS instance spend

Page 9:

Key Elements of RDS/Instance spend

● Compute resource
● Disk resource/throughput
● Network bandwidth

Product                       | Pay only for what you use        | Pay only for what you provision
Elastic Compute Cloud and RDS | Network throughput               | EC2 Instance (compute resource)
                              | Elastic Block Storage throughput | Elastic Block Storage capacity
                              | Snapshot storage capacity        | Guaranteed Elastic Block Storage IOPS

Page 10:

Estimate Spend in the Cloud

● Simple Monthly Calculator
● Build your own tools - AWS Pricing API

Page 11:

Manage running cost in the Cloud

● AWS provides detailed Billing information to all customers

● Cost Management requires:

• Enabled Cost & usage/detailed billing reports to S3

• Established Consolidated Billing Hierarchy

• Suitable meta information (Tags) on each resource for cost allocation

• A good way to analyse, present and act on all the data
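The slide lists what cost management needs but not what "a good way to analyse ... the data" looks like in practice. The Python below is an added example, not code from the deck or from Cloudreach: it aggregates a constructed, cut-down detailed billing report by the CostCenter cost-allocation tag and lists resources that lack required tags. The column naming (cost-allocation tags appear as `user:<TagName>` columns) follows the real reports; the rows, account IDs, resource IDs and amounts are invented for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape of a detailed billing report with
# resources and tags. Invented data: not taken from any real account.
SAMPLE_BILLING_CSV = """\
LinkedAccountId,ProductName,UsageType,ResourceId,Cost,user:CostCenter,user:Owner,user:Environment
111111111111,Amazon Elastic Compute Cloud,BoxUsage:m4.large,i-0aaa111,120.50,CC-4201,alice@example.com,prod
111111111111,Amazon Elastic Compute Cloud,EBS:VolumeUsage.gp2,vol-0bbb222,18.00,CC-4201,alice@example.com,prod
222222222222,Amazon RDS Service,InstanceUsage:db.r3.large,db-ccc333,310.25,CC-7730,bob@example.com,uat
222222222222,Amazon Elastic Compute Cloud,BoxUsage:c4.xlarge,i-0ddd444,95.10,,,
222222222222,Amazon Elastic Compute Cloud,BoxUsage:t2.micro,i-0eee555,4.20,CC-7730,,dev
"""

UNTAGGED = "UNTAGGED"


def parse_billing_rows(text):
    """Parse report CSV text into dicts; the Cost column becomes a float."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Cost"] = float(row["Cost"])
    return rows


def spend_by_tag(rows, tag_name):
    """Sum cost per value of a cost-allocation tag.

    Rows whose tag is missing or empty are bucketed under UNTAGGED, so the
    spend that nobody has claimed is visible instead of silently vanishing.
    """
    column = f"user:{tag_name}"
    totals = defaultdict(float)
    for row in rows:
        key = (row.get(column) or "").strip() or UNTAGGED
        totals[key] += row["Cost"]
    return {k: round(v, 2) for k, v in totals.items()}


def untagged_resources(rows, required_tags):
    """Return (ResourceId, [missing tag names]) for each row lacking a required tag."""
    findings = []
    for row in rows:
        missing = [t for t in required_tags if not (row.get(f"user:{t}") or "").strip()]
        if missing:
            findings.append((row["ResourceId"], missing))
    return findings


if __name__ == "__main__":
    rows = parse_billing_rows(SAMPLE_BILLING_CSV)
    for cost_center, total in sorted(spend_by_tag(rows, "CostCenter").items()):
        print(f"{cost_center:10s} {total:10.2f}")
    for resource_id, missing in untagged_resources(rows, ["CostCenter", "Owner", "Environment"]):
        print(f"{resource_id}: missing {', '.join(missing)}")
```

Running it over a real report is the same call with the file contents in place of the constructed string; the UNTAGGED bucket is the figure to watch, since spend that cannot be allocated is exactly the "grey IT" the earlier slides describe.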

Page 12:

AWS Resource tags

● Up to 10 user defined tags

● Strong foundation for scheduling and estate management

Page 13:

Tagging Best practices

● Resource tagging should demonstrate

• Identification: What is the resource for, what environment is this instance in, etc. ?

• Accountability: Who is responsible for the maintenance / security / costs associated with this instance?

• Cost allocation: Where do the costs associated with this resource lie?

• Automation: Scheduling, etc.

● A lack of appropriate tags can indicate unauthorised use

Page 14:

Example AWS Resource Tags

Tag Name      | Tag Value
Name          | AWS resource dependent
Owner         | <email of the technical owner or organisation name>
BusinessOwner | <email of the business owner or organisation name>
Environment   | Environment name. Possible values: [ dev, test, uat, stage, prod ]
Project       | Code of the project related to the instance
Lifetime      | Date until which this resource should exist (Format: dd/mm/yyyy)
CostCenter    | Defines the cost center for the resource
StartAt       | Time an instance needs to be started (Format: hh:mm)
StopAt        | Time an instance needs to be stopped (Format: hh:mm)
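The StartAt and StopAt tags in the table only make sense with a scheduler that reads them. The following Python is an added example (not the deck's or Cloudreach's code) of that decision logic: it turns the two hh:mm tags into a desired state for a given clock time and diffs that against the instance's actual state. The instance inventory is constructed; the only assumption beyond the table is that a window whose StopAt is earlier than its StartAt wraps past midnight, and that an instance with missing or malformed schedule tags is left alone rather than guessed at.

```python
from datetime import datetime


def parse_hhmm(value):
    """Parse an 'hh:mm' tag value; return None if it is absent or malformed."""
    if not value:
        return None
    try:
        return datetime.strptime(value.strip(), "%H:%M").time()
    except ValueError:
        return None


def desired_state(tags, now):
    """Return 'running', 'stopped' or None (don't touch) from StartAt/StopAt.

    The window includes StartAt and excludes StopAt. StopAt earlier than
    StartAt means the window wraps past midnight (e.g. 22:00 to 04:00).
    """
    start = parse_hhmm(tags.get("StartAt"))
    stop = parse_hhmm(tags.get("StopAt"))
    if start is None or stop is None or start == stop:
        return None  # unscheduled, badly tagged or zero-length window: leave it alone
    if start < stop:
        in_window = start <= now < stop
    else:
        in_window = now >= start or now < stop
    return "running" if in_window else "stopped"


def plan_actions(instances, now):
    """Compare desired and actual state; return [(instance_id, 'start'|'stop')]."""
    actions = []
    for inst in instances:
        wanted = desired_state(inst["tags"], now)
        if wanted == "running" and inst["state"] != "running":
            actions.append((inst["id"], "start"))
        elif wanted == "stopped" and inst["state"] != "stopped":
            actions.append((inst["id"], "stop"))
    return actions


# Constructed inventory, simplified from the shape of describe-instances output.
SAMPLE_INSTANCES = [
    {"id": "i-0dev001", "state": "stopped",
     "tags": {"Environment": "dev", "StartAt": "08:00", "StopAt": "19:00"}},
    {"id": "i-0batch1", "state": "running",
     "tags": {"Environment": "test", "StartAt": "22:00", "StopAt": "04:00"}},
    {"id": "i-0prod01", "state": "running",
     "tags": {"Environment": "prod"}},                       # no schedule: never touched
    {"id": "i-0bad001", "state": "running",
     "tags": {"StartAt": "8am", "StopAt": "19:00"}},         # malformed: never touched
]


def plan_for(hhmm, instances=SAMPLE_INSTANCES):
    """Convenience wrapper: plan actions for the sample inventory at clock time hhmm."""
    return plan_actions(instances, parse_hhmm(hhmm))


if __name__ == "__main__":
    for clock in ("10:00", "23:00", "03:30"):
        print(clock, plan_for(clock))
```

In a real deployment the planner would run from a scheduled job (the deck's "EC2Sched" role on slide 22 is the kind of principal it would assume) and the returned actions would be fed to the EC2 start/stop calls; keeping the decision separate from the API calls is what makes the schedule logic testable offline.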

Page 15:

Automation & Enforcement

● You can’t just have a tagging policy - it requires enforcement to be meaningful

● Can be enforced by putting in place a service line abstraction layer (enforce during provisioning)

● Need something else for ad-hoc and legacy infrastructure

● Solutions

• DIY using AWS Config & Lambda (more later on)

• 3rd Party tooling like CloudHealth

• MSP - with the right tooling, skills and expertise
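The "DIY using AWS Config & Lambda" option is a custom Config rule: Config invokes a Lambda function with the changed configuration item and the function reports COMPLIANT or NON_COMPLIANT back. The Python below is an added example of that function, not the deck's or Cloudreach's code. It enforces the tag table from slide 14 (required tags, the allowed Environment values and the dd/mm/yyyy Lifetime format, flagging resources whose Lifetime has passed). The event is constructed but follows the invokingEvent/configurationItem/resultToken layout Config uses; the `publish` and `today` parameters are hypothetical injection points added so the logic runs offline, and in Lambda `publish` would be `boto3.client("config").put_evaluations`.

```python
import json
from datetime import date, datetime

REQUIRED_TAGS = ["Name", "Owner", "Environment", "Project", "CostCenter"]
ALLOWED_ENVIRONMENTS = {"dev", "test", "uat", "stage", "prod"}


def tag_violations(tags, today):
    """Return human-readable violations of the tagging policy for one resource."""
    problems = []
    for name in REQUIRED_TAGS:
        if not (tags.get(name) or "").strip():
            problems.append(f"missing tag {name}")
    env = tags.get("Environment")
    if env and env not in ALLOWED_ENVIRONMENTS:
        problems.append(f"Environment '{env}' not in {sorted(ALLOWED_ENVIRONMENTS)}")
    lifetime = tags.get("Lifetime")
    if lifetime:
        try:
            if datetime.strptime(lifetime, "%d/%m/%Y").date() < today:
                problems.append(f"Lifetime {lifetime} has passed")
        except ValueError:
            problems.append(f"Lifetime '{lifetime}' is not dd/mm/yyyy")
    return problems


def evaluate_configuration_item(item, today):
    """Build the evaluation dict Config expects for one configuration item."""
    problems = tag_violations(item.get("tags") or {}, today)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": "NON_COMPLIANT" if problems else "COMPLIANT",
        # Config caps the annotation at 256 characters
        "Annotation": ("; ".join(problems) or "all required tags present")[:256],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, publish=None, today=None):
    """Custom Config rule entry point (publish/today are test hooks, see above)."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    evaluation = evaluate_configuration_item(item, today or date.today())
    if publish is not None:
        publish(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed event: a prod-ish instance tagged with an Environment value the
# policy does not allow and a Lifetime that has already expired.
SAMPLE_TODAY = date(2016, 6, 30)
SAMPLE_EVENT = {
    "resultToken": "constructed-result-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0constructed1",
            "configurationItemCaptureTime": "2016-06-30T10:00:00.000Z",
            "tags": {"Name": "web-1", "Owner": "alice@example.com",
                     "Environment": "production", "Project": "PRJ-17",
                     "CostCenter": "CC-4201", "Lifetime": "01/01/2016"},
        },
    }),
}


def demo(published=None):
    """Run the handler on the sample event; `published` collects put_evaluations calls."""
    sink = (lambda **kw: published.append(kw)) if published is not None else None
    return lambda_handler(SAMPLE_EVENT, None, publish=sink, today=SAMPLE_TODAY)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A rule like this only reports; the "trigger Actions" part of slide 33 is a second step (for example a notification or a scheduled job that acts on NON_COMPLIANT resources), and it is worth keeping that step separate so an over-eager rule cannot stop or delete something on a tagging mistake.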

Page 16:

Useful AWS Tools: AWS Cost Explorer

Page 17:

Useful AWS Tools: AWS Budgets

Page 18:

Access Management

Page 19:

Spot the difference

● Old-school access management

Page 20:

Spot the difference

● New-school access management

Page 21:

Cloudy access management

● Infrastructure as code
● Code is web-hosted
● Corporate governance nightmare!
● Cloud acceptance requires the capability to enforce, monitor and demonstrate control of public cloud resource access management

➔ AWS IAM to the rescue

Page 22:

How IAM Principals interact

Principal                        | Permissions
Jim                              | Readonly, Administrator
Fred                             | EC2 Admin, Administrator, ViewBills
Chris                            | Readonly, ViewBills
Chris (assuming Scheduling role) | EC2Sched
Scheduler (EC2 Instance)         | EC2Sched

Page 23:

IAM Best practices

1. Protect Account root credentials

● Root access protected by MFA
● Root access should only be used as required for root-only account admin
● Root account programmatic keys should be disabled / deleted
● IAM users / roles should be used for all other purposes

Page 24:

IAM Best practices

2. Use IAM named users & MFA

● If IAM user accounts are used, they should, wherever possible, be limited to named users

● Aids accountability and reduces probability of compromise of shared credentials

● All named user accounts should be protected by Multi-factor authentication (MFA)

Page 25:

IAM Best practices

3. Proper Credential Management

● Apply account-wide password policy

• Strong password requirement

• Password cycling requirement

• Password history exception

• Require change on first login

● Programmatic access keys should only be granted as strictly required, and rotated

Page 26:

IAM Best practices

4. Proper Privilege assignment

● Least (practical) privilege: only assign permissions required to perform a task or access resources

● Assign and organize IAM users into groups to inherit common permissions - avoid per-user permissions

● Define IAM policy conditions, e.g. MFA required, allowable IP addresses, etc.
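To make the last bullet concrete, here is an added example (not from the deck or Cloudreach) in Python: it builds an IAM policy document whose Allow statement carries both conditions the slide names, an `aws:MultiFactorAuthPresent` Bool check and an `aws:SourceIp` IpAddress check, and then evaluates constructed request contexts against it with a deliberately small model of the IAM condition logic. The condition keys and operators are real IAM ones; the CIDR, the action set and the `is_allowed` evaluator are assumptions made for the example, and the evaluator models only Allow statements with these two operators (no explicit Deny, no NotAction).

```python
import ipaddress

OFFICE_CIDRS = ["203.0.113.0/24"]   # constructed example range, not a real office


def build_policy(allowed_cidrs):
    """Read-only EC2 access, granted only with MFA and only from listed IP ranges."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Ec2ReadOnlyWithMfaFromOffice",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": allowed_cidrs},
            },
        }],
    }


def condition_holds(condition, context):
    """Evaluate the Bool and IpAddress operators against a request context.

    A key that is absent from the context makes the condition false. That is
    why this Allow never matches a request signed with long-term access keys:
    aws:MultiFactorAuthPresent is simply not present in that request context.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "IpAddress":
                cidrs = expected if isinstance(expected, list) else [expected]
                addr = ipaddress.ip_address(actual)
                if not any(addr in ipaddress.ip_network(c) for c in cidrs):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
    return True


def action_matches(pattern, action):
    """IAM-style action match with a trailing wildcard (case-insensitive)."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def is_allowed(policy, action, context):
    """True if some Allow statement matches the action and all its conditions hold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if any(action_matches(p, action) for p in stmt["Action"]) and \
                condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy(OFFICE_CIDRS)
    mfa_in_office = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.25"}
    keys_only = {"aws:SourceIp": "203.0.113.25"}            # long-term keys: no MFA key at all
    print(is_allowed(policy, "ec2:DescribeInstances", mfa_in_office))   # True
    print(is_allowed(policy, "ec2:DescribeInstances", keys_only))       # False
```

One caveat worth knowing when writing the mirror-image Deny statement: because the MFA key is absent rather than false for access-key requests, a Deny that should catch "no MFA" uses `BoolIfExists` with `"aws:MultiFactorAuthPresent": "false"`, which AWS documents for exactly this case; a plain `Bool` on `false` would not match a request where the key is missing.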

Page 27:

IAM Best practices

5. Avoid Service accounts:

● Avoid if at all possible!
● If unattended programmatic access is required, use IAM Roles for granting access from AWS resources
• Provides credential cycling and limits access to authorised resources
● If roles cannot be used (programmatic access from outside AWS):
• Interactive use: should be via MFA and STS
• Non-interactive: limited to clearly identified service accounts (i.e. grouped) with the least possible privileges
• Store keys in config or a secure repo and NEVER upload them to source management systems

Page 28:

MFA on programmatic access?

Page 29:

Finally - Federation Options

Page 30:

Compliance & Auditability

Page 31:

Demonstrating Compliance

● Access management policy in place and alerted against
● Same with perimeter security
● Is this enough to demonstrate compliance to a regulatory body or auditor, e.g. in a PCI compliance audit?
● Some regulations (e.g. SOX, 21 CFR Part 11) require the system owner to demonstrate that the system and associated controls have remained in compliance and not been tampered with

Page 32:

AWS Compliance Tools

CloudTrail
● Stores a record of almost all API calls made from the API, CLI or console (which calls the API in the background)
● Records stored as JSON objects in S3
● Every call is recorded with details of the calling principal, time of calling and result
● Can be reviewed in CloudWatch

Page 33:

AWS Compliance Tools

AWS Config & Config Rules
● Stores a record of configuration changes in major AWS services such as EC2 and IAM
● Contains a record of the change, the time of change and the principal making the change
● Can use the console to monitor either the timeline of an individual resource or the current state of play
● Can define compliance rules and trigger actions

Page 34:

Continuous Infrastructure Compliance

Page 35:

Wrap Up

Page 36:

What have we covered?

● Cost estimation & management
● Accountability
● Access management
● Compliance and auditability
● Perimeter management
● Threat management
● Data security
● ...

Page 37:

Not very ‘cloudy’?

● Governance is a fact of life in a corporate environment
● The trick is finding the balance
● By enforcing accountability and actively monitoring you are enabling rather than preventing DevOps
● Because the alternative is traditional business cases, 3 year capacity estimations, forms and approval boards for every infrastructure change

Page 38:

When should governance be introduced?

Page 39:

When should governance be introduced?

● Day 1
● Remember the publishing company example?
● 7 consolidated billing masters
● > 100 linked accounts
● > 10,000 instances
● Multiple product teams per account
● > $1m per calendar month spend
● They are now spending £1m retrospectively applying governance to their estate to allow cost management and ensure compliance

Page 40:

Questions?

Page 41:

Thank you!

www.cloudreach.com

@robmeister21