© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
presented by
Robert Sternberg/Cloudreach
How to govern your AWS accounts successfully
What is (IT) governance?
Various definitions exist:
“A framework to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations”
● What might these obligations include?
What is (IT) governance?
Corporate obligations will include:
● Ensuring legal compliance
● Ensuring data protection compliance
● Ensuring regulatory compliance
● Ensuring corporate reputation is maintained
● Ensuring stakeholder value
• Budget management
• Project costing, review and approval processes
• Project management processes
• Project lifecycle management (dev, UAT, go-live, retirement)
What has this got to do with the cloud?
● The cloud's pay-as-you-go (PAYG), provision-on-demand model presents challenges to governance and corporate acceptance
● The key blockers for cloud adoption in large business are typically:
• Accountability (the overarching question of who is responsible for what)
• Cost Management (shareholder value)
• Security Management (regulatory, legal and data compliance, and reputation)
Cloud and the ‘grey IT’
● Cloud makes it easy for lines of business to develop and run their own resources
● Paid by (and often expensed to) a credit card
● Under the radar of corporate IT governance controls
● Because it cuts out that pesky ‘red tape’
● And makes governance nigh on impossible
Real world example
Publishing Company
● Aggregated their officially sanctioned AWS accounts and ‘grey IT’ accounts under the control of their central TechOps teams
● 7 consolidated billing masters
● > 100 linked accounts
● > 10,000 instances
● Multiple product teams per account
● > $1m per calendar month spend
● So who owns what, and how do you manage that at scale?
Cost Estimation & Management
Focus on EC2/RDS instance spend
Key Elements of RDS/Instance spend
● Compute resource
● Disk resource/throughput
● Network bandwidth

Product                        Pay only for what you use     Pay only for what you provision
Elastic Compute Cloud and RDS  Network throughput            EC2 Instance (compute resource)
Elastic Block Storage          Throughput                    Capacity
                               Snapshot storage capacity     Guaranteed Elastic Block Storage IOPS
Estimate Spend in the Cloud
● Simple Monthly Calculator
● Build your own tools - AWS Pricing API
Manage running cost in the Cloud
● AWS provides detailed Billing information to all customers
● Cost Management requires:
• Enabled Cost & usage/detailed billing reports to S3
• Established Consolidated Billing Hierarchy
• Suitable meta information (Tags) on each resource for cost allocation
• A good way to analyse, present and act on all the data.
AWS Resource tags
● Up to 10 user defined tags
● Strong foundation for scheduling and estate management
Tagging Best practices
● Resource tagging should demonstrate
• Identification: What is the resource for, what environment is this instance in, etc. ?
• Accountability: Who is responsible for the maintenance / security / costs associated with this instance?
• Cost allocation: Where do the costs associated with this resource lie?
• Automation: Scheduling, etc.
● A lack of appropriate tags can indicate unauthorised use
Example AWS Resource Tags
Tag Name       Tag Value
Name           AWS resource dependent
Owner          <email of the technical owner or organisation name>
BusinessOwner  <email of the business owner or organisation name>
Environment    Environment name; possible values: [ dev, test, uat, stage, prod ]
Project        Code of the project related to the instance
Lifetime       Date until which this resource should exist (format: dd/mm/yyyy)
CostCenter     Defines the cost center for the resource
StartAt        Time an instance needs to be started (format: hh:mm)
StopAt         Time an instance needs to be stopped (format: hh:mm)
Automation & Enforcement
● Can’t just have a tagging policy - Requires enforcement to be meaningful
● Can be enforced by putting in place a service line abstraction layer (enforce during provisioning)
● Need something else for ad-hoc and legacy infrastructure
● Solutions
• DIY using AWS Config & Lambda (more later on)
• 3rd Party tooling like CloudHealth
• MSP - with the right tooling, skills and expertise
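As an added example (not from the deck and not Cloudreach's code): a Lambda handler in the shape AWS Config invokes a custom rule with, checking a resource's tags against the example tag table above (required tags, allowed Environment values, dd/mm/yyyy Lifetime, hh:mm StartAt/StopAt) and flagging resources whose Lifetime has passed. The validation rules, the sample resource values and the omission of the final put_evaluations call are assumptions.

```python
import json
import re
from datetime import datetime, timezone
# Rules from the deck's tag table; the "allowed"/"pattern" scheme is our own (assumption).
TAG_RULES = {
    "Owner":       {"pattern": r"\S"},                        # email or organisation name
    "Environment": {"allowed": {"dev", "test", "uat", "stage", "prod"}},
    "CostCenter":  {"pattern": r"^\S+$"},
    "Lifetime":    {"pattern": r"^\d{2}/\d{2}/\d{4}$"},       # dd/mm/yyyy
}
HHMM = r"^([01]\d|2[0-3]):[0-5]\d$"                           # StartAt / StopAt format

def check_tags(tags, today=None):
    """Return (compliance_type, annotation) for one resource's tag set.
    `today` is dd/mm/yyyy and defaults to the current UTC date."""
    today = (datetime.strptime(today, "%d/%m/%Y") if today
             else datetime.now(timezone.utc)).date()
    problems = []
    for name, rule in TAG_RULES.items():
        value = tags.get(name)
        if value is None:
            problems.append(f"missing tag {name}")
        elif "allowed" in rule and value not in rule["allowed"]:
            problems.append(f"{name}={value!r} not in {sorted(rule['allowed'])}")
        elif "pattern" in rule and not re.match(rule["pattern"], value):
            problems.append(f"{name}={value!r} has wrong format")
    for name in ("StartAt", "StopAt"):                        # optional scheduling tags
        if name in tags and not re.match(HHMM, tags[name]):
            problems.append(f"{name}={tags[name]!r} is not hh:mm")
    lifetime = tags.get("Lifetime", "")
    if re.match(TAG_RULES["Lifetime"]["pattern"], lifetime):  # a past Lifetime: retire it
        try:
            if datetime.strptime(lifetime, "%d/%m/%Y").date() < today:
                problems.append(f"Lifetime {lifetime} has expired")
        except ValueError:
            problems.append(f"Lifetime {lifetime!r} is not a real date")
    if problems:                                  # Config annotations are capped at 256 chars
        return "NON_COMPLIANT", "; ".join(problems)[:256]
    return "COMPLIANT", "all governance tags present and well-formed"

def lambda_handler(event, context=None):
    """Shape of a custom Config rule handler: event['invokingEvent'] is a JSON string carrying
    the configurationItem. A deployed rule hands the result to config.put_evaluations() (omitted)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = check_tags(item.get("tags") or {})
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}
```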
Useful AWS Tools: AWS Cost Explorer
Useful AWS Tools: AWS Budgets
Access Management
Spot the difference
● Old-school access management
Spot the difference
● New-school access management
Cloudy access management
● Infrastructure as code
● Code is web-hosted
● Corporate governance nightmare!
● Cloud acceptance requires the capability to enforce, monitor and demonstrate control of public cloud resource access management
➔ AWS IAM to the rescue
How IAM Principals interact
Principal                         Permissions
Jim                               Readonly, Administrator
Fred                              EC2 Admin, Administrator, ViewBills
Chris                             Readonly, ViewBills
Chris (assuming Scheduling role)  EC2Sched
Scheduler (EC2 Instance)          EC2Sched
IAM Best practices
1. Protect Account root credentials
● Root access protected by MFA
● Root access should only be used as required for root-only account admin
● Root account programmatic keys should be disabled / deleted
● IAM users / roles should be used for all other purposes
IAM Best practices
2. Use IAM named users & MFA
● If IAM user accounts are used, they should, if at all possible, be limited to named users
● Aids accountability and reduces probability of compromise of shared credentials
● All named user accounts should be protected by Multi-factor authentication (MFA)
IAM Best practices
3. Proper Credential Management
● Apply an account-wide password policy
• Strong password requirement
• Password cycling requirement
• Password history requirement (no reuse of previous passwords)
• Require change on first login
● Programmatic access keys should only be granted as strictly required, and rotated
IAM Best practices
4. Proper Privilege assignment
● Least (practical) privilege: only assign permissions required to perform a task or access resources
● Assign and organize IAM users into groups to inherit common permissions - avoid per-user permissions
● Define IAM policy conditions, e.g. MFA required, allowable IP addresses, etc.
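An added illustration (not from the deck) of the two conditions just named: an identity policy that allows EC2 instance lifecycle actions only when MFA is present and only from given source ranges, plus a small evaluator for those two condition operators so the effect can be checked offline. The policy contents, the IP ranges and the evaluator's limited semantics are assumptions; it is not IAM's real evaluation logic.

```python
import ipaddress
import json
# Example identity policy (constructed): EC2 lifecycle actions are allowed only when the
# caller authenticated with MFA and the request comes from the listed source ranges.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "EC2LifecycleWithMFAFromOffice",
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
    "Resource": "*",
    "Condition": {
      "Bool":      {"aws:MultiFactorAuthPresent": "true"},
      "IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.10/32"]}
    }
  }]
}""")

def condition_matches(condition, context):
    """True when every condition block matches the request context. Only Bool and
    IpAddress/NotIpAddress are handled (assumption); a missing context key fails
    the block, which is also IAM's default for these operators."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted = wanted if isinstance(wanted, list) else [wanted]
            if operator == "Bool":
                if str(actual).lower() not in [w.lower() for w in wanted]:
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                inside = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w, strict=False)
                             for w in wanted)
                if inside == (operator == "NotIpAddress"):   # wrong side of the range
                    return False
            else:
                raise ValueError(f"operator {operator} is not supported by this toy evaluator")
    return True

def is_allowed(policy, action, context):
    """True if an Allow statement names the action and its conditions match.
    (No Deny handling: a toy, not IAM's full evaluation logic.)"""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and action in actions \
                and condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```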
IAM Best practices
5. Avoid Service accounts:
● Avoid if at all possible!
● If unattended programmatic access is required, use IAM Roles for granting access from AWS resources
• Credentials are cycled automatically and access is limited to authorised resources
● If roles cannot be used (programmatic access from outside AWS)
• Interactive use: should be used via MFA and STS
• Non-interactive: limited to clearly identified service accounts (i.e. grouped) with least possible privileges
• Store keys in config or a secure repository and NEVER upload them to source management systems
MFA on programmatic access?
Finally - Federation Options
Compliance & Auditability
Demonstrating Compliance
● Access management policy in place and alerted against
● Same with perimeter security
● Is this enough to demonstrate compliance to a regulatory body or auditor, e.g. in a PCI compliance audit?
● Some regulations (e.g. SOX, 21 CFR Part 11) require the system owner to demonstrate that the system and associated controls have remained in compliance and not been tampered with
AWS Compliance Tools
CloudTrail
● Stores a record of almost all API calls made from the API, CLI or console (which calls the API in the background)
● Records stored as JSON objects in S3
● Every call is recorded with details of the calling principal, time of calling and result
● Can be reviewed in CloudWatch
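An added example, not part of the deck: reviewing CloudTrail records in the JSON shape described above (the records here are constructed, not real account data) against IAM best practices 1 and 2, flagging root credential use, console logins without MFA and sensitive IAM calls from a session that was not MFA-authenticated. The record values and the list of sensitive calls are assumptions.

```python
import json

# Constructed CloudTrail-style records: field names follow the CloudTrail record
# format, every value (account id, IPs, names) is invented for this example.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2016-06-01T09:12:44Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "accountId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:root"},
  "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2016-06-01T09:30:02Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "jim", "accountId": "123456789012",
   "arn": "arn:aws:iam::123456789012:user/jim",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
  "requestParameters": {"userName": "jim"}},
 {"eventTime": "2016-06-01T10:05:19Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "StopInstances", "sourceIPAddress": "10.0.3.15",
  "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
   "arn": "arn:aws:sts::123456789012:assumed-role/EC2Sched/i-0abc1234",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}
]}""")["Records"]

# Changes that should only ever come from an MFA-authenticated session (assumption).
SENSITIVE_CALLS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                   "AttachUserPolicy", "PutUserPolicy", "DeleteTrail", "StopLogging"}

def review_record(rec):
    """Return the findings (strings) one CloudTrail record raises against the
    deck's IAM best practices 1 and 2 (root use, MFA on named users)."""
    ident = rec.get("userIdentity", {})
    who, when, what = ident.get("arn", ident.get("type")), rec["eventTime"], rec["eventName"]
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    findings = []
    if ident.get("type") == "Root":
        findings.append(f"{when} root credentials used for {what} from {rec['sourceIPAddress']}")
    if what == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        findings.append(f"{when} console login without MFA by {who}")
    if what in SENSITIVE_CALLS and ident.get("type") == "IAMUser" and mfa != "true":
        findings.append(f"{when} {what} by {who} from a session without MFA")
    return findings

def review_trail(records):
    """Flatten findings over a list of records, e.g. one CloudTrail S3 object."""
    return [f for rec in records for f in review_record(rec)]
```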
AWS Compliance Tools
AWS Config & Config Rules
● Stores a record of configuration changes in major AWS services such as EC2 and IAM
● Contains a record of the change, time of change and principal making the change
● Can use the console to monitor either the timeline of an individual resource or the current state of play
● Can define compliance rules and trigger actions
Continuous Infrastructure Compliance
Wrap Up
What have we covered?
● Cost estimation & management
● Accountability
● Access management
● Compliance and auditability
● Perimeter management
● Threat management
● Data security
● ...
Not very ‘cloudy’?
● Governance is a fact of life in a corporate environment
● The trick is finding the balance
● By enforcing accountability and actively monitoring you are enabling rather than preventing DevOps
● Because the alternative is traditional business cases, 3 year capacity estimations, forms and approval boards for every infrastructure change
When should governance be introduced?
● Day 1
● Remember the publishing company example?
● 7 consolidated billing masters
● > 100 linked accounts
● > 10,000 instances
● Multiple product teams per account
● > $1m per calendar month spend
● They are now spending £1m retrospectively applying governance to their estate to allow cost management and ensure compliance
Questions?
Thank you!
www.cloudreach.com
@robmeister21