CISM AWS Overview (Sanitized)

Date post: 13-Apr-2017
Upload: david-severski
Page 1: CISM AWS Overview (Sanitized)

CISM AWS OVERVIEW

Page 2: CISM AWS Overview (Sanitized)

REALIZATION OF THE CHALLENGE

2012
• More and more services moving off premises
• Initial AWS setup January 2012

2013
• How do we manage risk in this new paradigm?

Page 3: CISM AWS Overview (Sanitized)

BUILDING A STRATEGY

2014
• Engagement with REDACTED
• AWS Big Data training
• Stand up of Hadoop to produce intelligence feeds
• Expansion to replace loss of internal services
• Stand up of VulnPryer

2015
• Cloud First strategy for non-Confidential data
• Automatic provisioning of training environments
• AWS Certified Solutions Architect – Professional

Page 4: CISM AWS Overview (Sanitized)

CURRENT DEPLOYED WORKLOADS

Workload – Application
• Hadoop ETL of log data – IP Parse
• Short term (~30 day) log search and visualization – ELK
• Vulnerability data processing – VulnPryer
• Historical (Dec 2014+) enriched log analysis – Timberslide
• Security risk management – Atlas v.NEXT
• Data analysis training – Rstudio Training
• Static web pages – Web Hosting

Page 5: CISM AWS Overview (Sanitized)

SERVICES

Networking
• VPC
• Route 53

Compute
• EC2
• Spot Instances
• ELB
• Reserved Instances
• Lambda

Storage & Content Delivery
• S3
• IA
• Glacier

Database
• RDS (Postgres)

Management Tools
• CloudWatch
• CloudFormation
• OpsWorks
• Config
• CloudTrail

Security & Identity
• KMS
• IAM
• Inspector (Preview)

Analytics
• EMR
• Data Pipeline

Application Services
• SES
• SNS

Page 6: CISM AWS Overview (Sanitized)

KEY DESIGN PRINCIPLES

• Minimize hand-configured resources
  • Automated build processes
• Open development
  • Public GitHub as much code as possible
• Continual integration
  • Linting (Done!), unit (In Progress), integration tests (Future)
• Leverage managed services
  • RDS, but not ES ($$)
• Full cost transparency
  • Application specific costing
  • Infrastructure overhead
• Ephemeral nodes (cattle, not pets)

Page 7: CISM AWS Overview (Sanitized)

NETWORK STRUCTURE

• US-West-2 exclusive
  • Low cost
  • Access to all new AWS services
• Multi-AZ design
• Three tiers of subnets
  • Internet facing services (web servers, VPN termination points, etc.)
  • Outbound reaching services (private services requesting internet data)
  • Internal access only services (databases)
• Access enforced via security groups and routing tables

Page 8: CISM AWS Overview (Sanitized)

STORAGE STRUCTURE

• Separate buckets for each app
• REDACTED
• Mandatory object encryption (SSE)
• Event logging for selected buckets
• Lifecycle rules
  • Auto-migration of data to lower cost archives
  • Auto-purge
  • REDACTED

Page 9: CISM AWS Overview (Sanitized)

COMPUTE STRUCTURE

• OS types
  • Preferred – AWS Linux (RHEL variant)
  • Alternative – Ubuntu 14.04 LTS
• Common cookbooks across all OS flavors
  • Ensures consistent build process and common utilities
  • Deploys user accounts
  • Configures CloudWatch Log collection
  • Known state of nodes at all times

Page 10: CISM AWS Overview (Sanitized)

AUTH AND IAM STRUCTURE

AUTHENTICATION
• MFA required (Google Auth)
• Heavy use of instance roles
• Cross-account access with vendors for alert drops
• Future
  • STS Role Assumption
  • Move accounts to parent account

IAM
• Groups
• Password policy
• Root account fully locked down/out
• IAM user setup for billing access
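The two guardrails that recur across the storage and IAM slides, mandatory SSE on every app bucket and MFA required for every human principal, are normally expressed as policy documents. The block below is an added example, not the deck's own code or tooling: it builds the two policies in their usual form and runs them through a deliberately simplified policy evaluator so the allow/deny outcome of an upload can be checked offline. The bucket name `app-logs-example`, the object key and the broad `ALLOW_S3` identity policy are constructed; the evaluator models only the `Null`, `Bool`/`BoolIfExists` and `String*` operators, ignores the `Principal` element, and applies the "explicit deny wins over any allow" rule.

```python
# Bucket policy that makes SSE mandatory: deny any PutObject whose request
# lacks the x-amz-server-side-encryption header. The "Null" operator is true
# when the named condition key is absent from the request context.
def deny_unencrypted_puts_policy(bucket: str) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        }],
    }

# Identity policy that denies everything unless the caller authenticated with
# MFA. BoolIfExists also denies when the key is absent from the context, e.g.
# a long-lived access key used without an MFA-backed session.
def require_mfa_policy() -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllWithoutMFA",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }

def _match(pattern: str, value: str) -> bool:
    """Glob match supporting only '*' and a trailing '*' (enough for this model)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def _condition_true(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against the request context (subset of operators)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            actual = context.get(key)
            if operator == "Null":
                # "true" matches an absent key, "false" matches a present one
                if present == (expected == "true"):
                    return False
            elif operator in ("Bool", "BoolIfExists"):
                if not present:
                    if operator == "Bool":
                        return False
                    continue  # ...IfExists: an absent key satisfies the condition
                if str(actual).lower() != expected.lower():
                    return False
            elif operator == "StringEquals":
                if not present or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if present and actual == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def evaluate(policies: list, action: str, resource: str, context: dict) -> str:
    """Combine policies: implicit deny, explicit Allow, explicit Deny always wins."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
            if not any(_match(a, action) for a in actions):
                continue
            if not any(_match(r, resource) for r in resources):
                continue
            if not _condition_true(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# Constructed stand-in for whatever the user's IAM group grants.
ALLOW_S3 = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def check_upload(sse_header, mfa_present) -> str:
    """Decision for a PutObject into the constructed app bucket under both guardrails.
    sse_header: x-amz-server-side-encryption value, or None when the header is omitted.
    mfa_present: True/False, or None when the key is absent from the context."""
    context = {}
    if sse_header is not None:
        context["s3:x-amz-server-side-encryption"] = sse_header
    if mfa_present is not None:
        context["aws:MultiFactorAuthPresent"] = mfa_present
    policies = [ALLOW_S3, deny_unencrypted_puts_policy("app-logs-example"), require_mfa_policy()]
    return evaluate(policies, "s3:PutObject", "arn:aws:s3:::app-logs-example/2016/01/log.gz", context)

if __name__ == "__main__":
    for sse, mfa in [("AES256", True), (None, True), ("AES256", False), ("AES256", None)]:
        print(f"sse={sse!r:9} mfa={mfa!r:6} -> {check_upload(sse, mfa)}")
```

The fourth case is the one worth noticing: with `BoolIfExists` a request that carries no MFA context key at all is still denied, which is what closes the gap for static access keys. The real evaluation logic also involves cross-account resource-policy semantics, permission boundaries and organization SCPs, none of which this model attempts.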

Page 11: CISM AWS Overview (Sanitized)

INFRASTRUCTURE AS CODE

• Chef
• Travis CI
• Coveralls
• GitHub
• Vagrant
• Packer
• CloudFormation
• Appveyor (Future)

Page 12: CISM AWS Overview (Sanitized)

ACCESS METHODS

API ACCESS
• AWS cli
• PowerShell
• Boto
• Console

CloudTrail enabled globally with log integrity verification

SERVICE ACCESS
• Preferred
  • REDACTED
• Alternate
  • REDACTED

Page 13: CISM AWS Overview (Sanitized)

EXTERNAL SERVICES

Slack
• ChatOps

Breeze.pm
• Kanban

iDoneThis
• Low friction team status

PagerDuty
• Alerting

Heroku
• PAAS

Page 14: CISM AWS Overview (Sanitized)

COST ACCOUNTING

• Tag all the Things!
  • Use of Project tag
• Detailed cost accounting
• Heavy use of instance storage
• Spot instances for EMR jobs
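The "Tag all the Things" rule and the earlier "application specific costing / infrastructure overhead" principle only pay off when something consumes the Project tag. The block below is an added example, not the deck's own tooling: it takes billing line items, reports resources that escaped tagging, totals direct spend per Project, and then loads shared infrastructure and untagged spend onto the real projects in proportion to their direct spend. The line items are constructed, the Project values reuse workload names from the deck, the `infrastructure` tag value for shared resources and the proportional allocation rule are assumptions.

```python
from collections import defaultdict

PROJECT_TAG = "Project"
OVERHEAD_PROJECT = "infrastructure"  # assumed tag value for shared resources (NAT, VPN, ...)
UNTAGGED = "UNTAGGED"

# Constructed sample billing line items, not real billing data.
LINE_ITEMS = [
    {"resource": "i-elk-1",      "service": "EC2", "cost": 120.0, "tags": {"Project": "elk"}},
    {"resource": "i-ts-1",       "service": "EC2", "cost":  80.0, "tags": {"Project": "timberslide"}},
    {"resource": "j-ipparse-1",  "service": "EMR", "cost":  40.0, "tags": {"Project": "ip-parse"}},
    {"resource": "nat-1",        "service": "VPC", "cost":  30.0, "tags": {"Project": "infrastructure"}},
    {"resource": "vol-orphan",   "service": "EBS", "cost":  10.0, "tags": {}},
]

def untagged_resources(items) -> list:
    """Resources with no Project tag: the ones the tagging rule missed."""
    return [i["resource"] for i in items if PROJECT_TAG not in i["tags"]]

def direct_costs(items) -> dict:
    """Spend per Project tag value; untagged spend is collected under UNTAGGED."""
    totals = defaultdict(float)
    for i in items:
        totals[i["tags"].get(PROJECT_TAG, UNTAGGED)] += i["cost"]
    return dict(totals)

def fully_loaded_costs(items) -> dict:
    """Application-specific costing: spread infrastructure overhead and untagged
    spend across the real projects in proportion to their direct spend
    (assumed allocation rule). Returns per-project totals rounded to cents."""
    direct = direct_costs(items)
    overhead = direct.pop(OVERHEAD_PROJECT, 0.0) + direct.pop(UNTAGGED, 0.0)
    base = sum(direct.values())
    if base == 0:
        return {}
    return {p: round(c + overhead * c / base, 2) for p, c in direct.items()}

if __name__ == "__main__":
    print("untagged:", untagged_resources(LINE_ITEMS))
    print("direct:  ", direct_costs(LINE_ITEMS))
    print("loaded:  ", fully_loaded_costs(LINE_ITEMS))
```

Run periodically against the detailed billing export, the untagged list is the actionable part: each entry is either a resource that should carry a Project tag or an orphan (the stray EBS volume in the sample) that should not exist at all.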

Page 15: CISM AWS Overview (Sanitized)

(SOME) FUTURE PROJECTS

• Encrypted EBS boot volumes
• More CloudFormation/Terraform
• In-depth cost optimization
• Move EMR to VPC only connectivity
• Lambda & ECS
• Refine network host segmentation
• Wider deployment of CloudWatch Logs
• AWS Inspector
• VPC Flow logs
• IdP integration

