Date posted: 13-Apr-2017
Category: Internet
Uploaded by: david-severski
CISM AWS OVERVIEW
REALIZATION OF THE CHALLENGE
2012
• More and more services moving off premises
• Initial AWS setup January 2012
2013
• How do we manage risk in this new paradigm?
BUILDING A STRATEGY
2014
• Engagement with REDACTED
• AWS Big Data training
• Stand up of Hadoop to produce intelligence feeds
• Expansion to replace loss of internal services
• Stand up of VulnPryer
2015
• Cloud First strategy for non-Confidential data
• Automatic provisioning of training environments
• AWS Certified Solutions Architect – Professional
CURRENT DEPLOYED WORKLOADS
• Hadoop ETL of log data: IP Parse
• Short term (~30 day) log search and visualization: ELK
• Vulnerability data processing: VulnPryer
• Historical (Dec 2014+) enriched log analysis: Timberslide
• Security risk management: Atlas v.NEXT
• Data analysis training: RStudio Training
• Static web pages: Web Hosting
SERVICES
Networking
• VPC
• Route 53
Compute
• EC2
• Spot Instances
• ELB
• Reserved Instances
• Lambda
Storage & Content Delivery
• S3
• S3 Infrequent Access (IA)
• Glacier
Database
• RDS (Postgres)
Management Tools
• CloudWatch
• CloudFormation
• OpsWorks
• Config
• CloudTrail
Security & Identity
• KMS
• IAM
• Inspector (Preview)
Analytics
• EMR
• Data Pipeline
Application Services
• SES
• SNS
KEY DESIGN PRINCIPLES
• Minimize hand-configured resources
  • Automated build processes
• Open development
  • Public GitHub for as much code as possible
• Continuous integration
  • Linting (done), unit tests (in progress), integration tests (future)
• Leverage managed services
  • RDS, but not ES (Elasticsearch Service, $$)
• Full cost transparency
  • Application-specific costing
  • Infrastructure overhead
• Ephemeral nodes (cattle, not pets)
NETWORK STRUCTURE
• US-West-2 exclusive
  • Low cost
  • Access to all new AWS services
• Multi-AZ design
• Three tiers of subnets
  • Internet-facing services (web servers, VPN termination points, etc.)
  • Outbound-reaching services (private services requesting internet data)
  • Internal-access-only services (databases)
• Access enforced via security groups and routing tables
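The three-tier, multi-AZ layout above, carved out of one VPC block with the routing and security-group intent each tier carries. This is an added example, not code from the deck; the VPC CIDR, AZ names, ports and the igw-/nat-/sg- identifiers are placeholders, not real resource IDs.

```python
"""Carve a VPC block into the three-tier, multi-AZ subnet layout described above
and attach the routing and security-group intent each tier needs.
Added example, not code from the deck; the CIDR, AZ names, ports and the
igw-/nat-/sg- identifiers are placeholders, not real resource IDs."""
import ipaddress

# Tiers in the order the deck lists them; each tier gets one subnet per AZ.
TIERS = ("public", "outbound", "internal")

# Default route per tier (placeholder targets):
#   public   -> internet gateway: reachable from the internet
#   outbound -> NAT gateway: can fetch from the internet, not reachable from it
#   internal -> no default route: VPC-local traffic only
DEFAULT_ROUTE = {"public": "igw-PLACEHOLDER", "outbound": "nat-PLACEHOLDER", "internal": None}

# Ingress per tier, expressed as security-group references so that a host can
# only be reached from the tier in front of it (assumed ports).
INGRESS = {
    "public":   [{"port": 443, "source": "0.0.0.0/0"}, {"port": 1194, "source": "0.0.0.0/0"}],
    "outbound": [{"port": 8080, "source": "sg-public"}],
    "internal": [{"port": 5432, "source": "sg-outbound"}],
}


def carve_subnets(vpc_cidr, azs, tiers=TIERS, prefixlen=24):
    """Return {(tier, az): IPv4Network}, allocated tier by tier across the AZs.
    Raises ValueError if the VPC cannot hold len(tiers) * len(azs) subnets."""
    blocks = iter(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefixlen))
    layout = {}
    for tier in tiers:
        for az in azs:
            try:
                layout[(tier, az)] = next(blocks)
            except StopIteration:
                raise ValueError(
                    f"{vpc_cidr} cannot hold {len(tiers) * len(azs)} /{prefixlen} subnets"
                ) from None
    return layout


def route_table(tier, vpc_cidr):
    """Routes for one tier: the VPC-local route plus the tier's default route, if any."""
    routes = [{"destination": vpc_cidr, "target": "local"}]
    if DEFAULT_ROUTE[tier] is not None:
        routes.append({"destination": "0.0.0.0/0", "target": DEFAULT_ROUTE[tier]})
    return routes


def inbound_from_internet(tier):
    """Only a tier whose default route is an internet gateway can accept inbound
    connections; the NAT tier is egress-only and the internal tier has neither."""
    target = DEFAULT_ROUTE[tier]
    return target is not None and target.startswith("igw-")


def check_layout(layout):
    """Checks worth running before emitting a template: no overlapping subnets,
    and every tier present in every AZ (a gap breaks the multi-AZ promise)."""
    nets = list(layout.values())
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets {a} and {b}")
    tiers = {t for t, _ in layout}
    azs = {az for _, az in layout}
    missing = [(t, az) for t in tiers for az in azs if (t, az) not in layout]
    if missing:
        raise ValueError(f"tier/AZ gaps: {missing}")
    return True


if __name__ == "__main__":
    vpc = "10.0.0.0/16"                                   # assumed VPC block
    azs = ("us-west-2a", "us-west-2b", "us-west-2c")      # assumed AZs in us-west-2
    layout = carve_subnets(vpc, azs)
    check_layout(layout)
    for (tier, az), net in sorted(layout.items(), key=lambda kv: kv[1]):
        print(f"{tier:9} {az}  {net}  inbound={inbound_from_internet(tier)}  "
              f"routes={route_table(tier, vpc)}  ingress={INGRESS[tier]}")
```

The point of the layout is that a host's tier is decided by its route table and its ingress source, not by which subnet CIDR it happens to sit in: the internal tier has no 0.0.0.0/0 route at all, so even a permissive security group cannot expose it.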
STORAGE STRUCTURE
• Separate buckets for each app
• REDACTED
• Mandatory object encryption (SSE)
• Event logging for selected buckets
• Lifecycle rules
  • Auto-migration of data to lower cost archives
  • Auto-purge
• REDACTED
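The two bucket-level controls above, mandatory SSE and lifecycle tiering, expressed as the policy and lifecycle documents a bucket would carry, with a local check on each. This is an added example, not the deck's own configuration; the bucket name, prefix and day counts are assumptions, and the 30-day minimum for a STANDARD_IA transition is the S3 rule the validator encodes.

```python
"""Bucket-level controls for the storage layout above: a policy that refuses
unencrypted PutObject calls, and a lifecycle configuration that tiers data down
to IA and Glacier before purging it. Added example, not the deck's own code;
bucket name, prefix and day counts are assumptions."""


def sse_enforcing_bucket_policy(bucket):
    """Deny any PutObject that lacks the SSE header or asks for something other
    than SSE-S3 (AES256). Two statements: the Null test catches a missing header
    explicitly instead of relying on how StringNotEquals treats an absent key."""
    arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {
                "Sid": "DenyWrongEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
            },
        ],
    }


def put_allowed(headers):
    """Local mirror of what the two Deny statements do to a PutObject request,
    keyed on its request headers (no AWS call). Note that SSE-KMS ('aws:kms')
    is refused too: this policy pins SSE-S3, as the deck's 'SSE' bullet says."""
    value = headers.get("x-amz-server-side-encryption")
    return value is not None and value == "AES256"


# Minimum object age S3 enforces before a lifecycle transition to the class.
MIN_TRANSITION_DAYS = {"STANDARD_IA": 30, "GLACIER": 0}


def lifecycle_configuration(prefix, ia_days=30, glacier_days=90, expire_days=365):
    """Auto-migrate objects under `prefix` to cheaper tiers, then auto-purge."""
    return {
        "Rules": [
            {
                "ID": f"tier-down-{prefix.strip('/') or 'all'}",
                "Filter": {"Prefix": prefix},
                "Status": "Enabled",
                "Transitions": [
                    {"Days": ia_days, "StorageClass": "STANDARD_IA"},
                    {"Days": glacier_days, "StorageClass": "GLACIER"},
                ],
                "Expiration": {"Days": expire_days},
            }
        ]
    }


def validate_lifecycle(config):
    """Return a list of problems: transitions out of order, an IA transition
    before day 30 (S3 rejects it), or an expiry that precedes the last
    transition (the data would be purged before it ever reached the archive)."""
    problems = []
    for rule in config["Rules"]:
        last = -1
        for t in rule.get("Transitions", []):
            if t["Days"] <= last:
                problems.append(f"{rule['ID']}: transitions not strictly increasing")
            floor = MIN_TRANSITION_DAYS.get(t["StorageClass"], 0)
            if t["Days"] < floor:
                problems.append(f"{rule['ID']}: {t['StorageClass']} before day {floor}")
            last = t["Days"]
        exp = rule.get("Expiration", {}).get("Days")
        if exp is not None and exp <= last:
            problems.append(f"{rule['ID']}: expiration at day {exp} precedes last transition")
    return problems


if __name__ == "__main__":
    import json
    print(json.dumps(sse_enforcing_bucket_policy("app-logs"), indent=2))   # assumed bucket
    cfg = lifecycle_configuration("logs/")                                 # assumed prefix
    print(json.dumps(cfg, indent=2), validate_lifecycle(cfg))
```

The validator matters because a lifecycle rule that S3 accepts can still be wrong for the purpose: an expiry earlier than the Glacier transition is syntactically valid and simply deletes the data at the cheaper price point.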
COMPUTE STRUCTURE
• OS types
  • Preferred: Amazon Linux (RHEL variant)
  • Alternative: Ubuntu 14.04 LTS
• Common cookbooks across all OS flavors
  • Ensures consistent build process and common utilities
  • Deploys user accounts
  • Configures CloudWatch Logs collection
  • Known state of nodes at all times
AUTH AND IAM STRUCTURE
AUTHENTICATION
• MFA required (Google Authenticator)
• Heavy use of instance roles
• Cross-account access with vendors for alert drops
• Future
  • STS role assumption
  • Move accounts under a parent account
IAM
• Groups
• Password policy
• Root account fully locked down/out
• IAM user set up for billing access
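What "MFA required" looks like as an IAM policy, plus a toy evaluator so the rule can be exercised offline: without an MFA claim on the session every call except MFA self-enrolment is denied. This is an added example, not the deck's policy; the evaluator covers only the operators this policy uses and ignores Resource, and the blanket Allow statement is illustrative (a real deployment would scope it).

```python
"""'MFA required' for IAM users as a policy, with a minimal IAM-style evaluator.
Added example, not the deck's own policy; the evaluator ignores Resource and
supports only the condition operators this policy needs."""
import fnmatch

# Calls a user needs in order to enrol a device; everything else waits for MFA.
MFA_SELF_SERVICE = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:GetUser",
]

MFA_REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowMfaSelfService", "Effect": "Allow",
         "Action": MFA_SELF_SERVICE, "Resource": "*"},
        {"Sid": "AllowEverythingElse", "Effect": "Allow",      # illustrative; scope in practice
         "Action": "*", "Resource": "*"},
        {"Sid": "DenyAllButSelfServiceWithoutMfa", "Effect": "Deny",
         "NotAction": MFA_SELF_SERVICE, "Resource": "*",
         # BoolIfExists: a request carrying no MFA key at all (long-term access
         # keys never carry one) is treated as unauthenticated, not as a pass.
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _actions_match(statement, action):
    """Action/NotAction with IAM-style wildcards."""
    pats = statement.get("Action", statement.get("NotAction", []))
    if isinstance(pats, str):
        pats = [pats]
    hit = any(fnmatch.fnmatchcase(action, p) for p in pats)
    return (not hit) if "NotAction" in statement else hit


def _condition_match(cond, ctx):
    """Subset of IAM condition operators sufficient for this policy."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            elif op == "BoolIfExists":
                if have is not None and str(have).lower() != str(want).lower():
                    return False
            elif op == "Null":
                if (have is None) != (str(want).lower() == "true"):
                    return False
            elif op == "StringEquals":
                if have != want:
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True


def evaluate(policy, action, ctx):
    """'Allow' or 'Deny' in IAM order: an explicit Deny always wins, otherwise
    some Allow must match, and no match at all is an implicit Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not _actions_match(st, action):
            continue
        if not _condition_match(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for action, ctx in [("s3:ListAllMyBuckets", {"aws:MultiFactorAuthPresent": "true"}),
                        ("s3:ListAllMyBuckets", {}),
                        ("iam:EnableMFADevice", {}),
                        ("iam:DeactivateMFADevice", {})]:
        print(f"{action:28} ctx={ctx}  ->  {evaluate(MFA_REQUIRED_POLICY, action, ctx)}")
```

The detail that bites in practice is the operator choice: with plain Bool the Deny would not fire when the key is absent, which is exactly the state of a session built from long-term access keys, so the policy would be enforced only for console users.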
INFRASTRUCTURE AS CODE
• Chef
• Travis CI
• Coveralls
• GitHub
• Vagrant
• Packer
• CloudFormation
• Appveyor (Future)
ACCESS METHODS
API ACCESS
• AWS CLI
• PowerShell
• Boto
• Console
CloudTrail enabled globally with log integrity verification
SERVICE ACCESS
• Preferred: REDACTED
• Alternate: REDACTED
EXTERNAL SERVICES
Slack
• ChatOps
Breeze.pm
• Kanban
iDoneThis
• Low friction team status
PagerDuty
• Alerting
Heroku
• PaaS
COST ACCOUNTING
• Tag all the things!
  • Use of Project tag
• Detailed cost accounting
• Heavy use of instance storage
• Spot instances for EMR jobs
(SOME) FUTURE PROJECTS
• Encrypted EBS boot volumes
• More CloudFormation/Terraform
• In-depth cost optimization
• Move EMR to VPC-only connectivity
• Lambda & ECS
• Refine network host segmentation
• Wider deployment of CloudWatch Logs
• AWS Inspector
• VPC Flow Logs
• IdP integration