2021 Blog, AWS Governance, Governance360, Blog, Featured

Compliance on the Cloud is an important aspect in today’s world of remote working. As enterprises accelerate the adoption of cloud to drive frictionless business, there can be surprises on security, governance and cost without a proper framework. Relevance Lab (RL) helps enterprises speed up workload migration to the cloud with the assurance of Security, Governance and Cost Management using an integrated solution built on AWS standard products and open source framework. The key building blocks of this solution are.


Why do enterprises need Compliance as a Code?
For most enterprises, the major challenge is around governance and compliance and the lack of visibility into their cloud infrastructure. They spend enormous time trying to achieve compliance in a siloed manner, and thousands of man hours on security and compliance. This can be addressed by automating compliance monitoring and increasing visibility across the cloud with the right set of tools and frameworks. Relevance Lab’s Compliance as a Code framework addresses the need of enterprises to automate these security and compliance activities. Through a combination of preventive, detective and responsive controls, we help enterprises enforce nearly continuous compliance and auto-remediation, thereby increasing overall security and reducing compliance cost.

Key tools and framework of Cloud Governance 360°
AWS Control Tower: AWS Control Tower (CT) helps organizations set up, manage, monitor, and govern a secure multi-account environment using AWS best practices. Setting up Control Tower on a new account is relatively simpler than setting it up on an existing account. Once Control Tower is set up, the landing zone should have the following.


  • 2 Organizational Units
  • 3 accounts, a master account and isolated accounts for log archive and security audit
  • 20 preventive guardrails to enforce policies
  • 2 detective guardrails to detect config violations

Apart from this, you can customize the guardrails and implement them using AWS Config rules. For more details on Control Tower implementation, refer to our earlier blog here.

Cloud Custodian: Cloud Custodian is a tool that unifies the dozens of tools and scripts most organizations use for managing their public cloud accounts into one open-source tool. It uses a stateless rules engine for policy definition and enforcement, with metrics, structured outputs and detailed reporting for Cloud Infrastructure. It integrates tightly with serverless runtimes to provide real time remediation/response with low operational overhead.

Organizations can use Custodian to manage their cloud environments by ensuring compliance with security policies and tag policies, garbage collection of unused resources, and cost management from a single tool. Custodian adheres to a Compliance as Code principle, helping you validate, dry run, and review changes to your policies. The policies are expressed in YAML and include the following.

  • The type of resource to run the policy against
  • Filters to narrow down the set of resources

Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed Cloud Infrastructure, that’s both secure and cost optimized. It consolidates many of the ad hoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.



Security Hub: AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts. It’s a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions like Cloud Custodian. You can also take action on these security findings by investigating them in Amazon Detective or by using Amazon CloudWatch Event rules to send the findings to an ITSM, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and incident management tools or to custom remediation playbooks.




Below is a snapshot of features across AWS Control Tower, Cloud Custodian and Security Hub. As the comparison shows, these solutions complement each other across common compliance needs.

1.
  • AWS Control Tower: Easy to implement or configure AWS Control Tower within a few clicks
  • Cloud Custodian: Lightweight and flexible open-source framework which helps to deploy cloud policies
  • Security Hub: Gives a comprehensive view of security alerts and security posture across AWS accounts

2.
  • AWS Control Tower: Helps to achieve “Governance at Scale” – Account Management, Security, Compliance Automation, Budget and Cost Management
  • Cloud Custodian: Helps to achieve real-time compliance and cost management
  • Security Hub: A single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services

3.
  • AWS Control Tower: Predefined guardrails based on best practices – establish / enable guardrails
  • Cloud Custodian: We define the rules and Cloud Custodian enforces them
  • Security Hub: Continuously monitors the account using automated security checks based on AWS best practices

4.
  • AWS Control Tower: Guardrails are enabled at Organization level
  • Cloud Custodian: If an account has a specific requirement to include or exclude certain policies, those exemptions can be handled
  • Security Hub: With a few clicks in the AWS Security Hub console, we can connect multiple AWS accounts and consolidate findings across those accounts

5.
  • AWS Control Tower: Automate compliant account provisioning
  • Cloud Custodian: Can be included in the account creation workflow to deploy the set of policies to every AWS account as part of the bootstrapping process
  • Security Hub: Automate continuous, account- and resource-level configuration and security checks using industry standards and best practices

6.
  • AWS Control Tower: Separate account for centralized logging of all activities across accounts
  • Cloud Custodian: Offers comprehensive logs whenever a policy is executed, which can be stored in an S3 bucket
  • Security Hub: Create and customize your own insights, tailored to your specific security and compliance needs

7.
  • AWS Control Tower: Separate account for audit, designed to provide security and compliance teams read and write access to all accounts
  • Cloud Custodian: Can be integrated with AWS Config, AWS Security Hub, AWS Systems Manager and AWS X-Ray
  • Security Hub: Supports a diverse ecosystem of partner integrations

8.
  • AWS Control Tower: Single-pane dashboard to get visibility on all OUs, accounts and guardrails
  • Cloud Custodian: Needs integration with Security Hub to view all the policies implemented across regions / accounts
  • Security Hub: Monitor your security posture and quickly identify security issues and trends across AWS accounts in Security Hub’s summary dashboard


Relevance Lab Compliance as a Code Framework
Relevance Lab’s Compliance as a Code framework is an integrated model between AWS Control Tower (CT), Cloud Custodian and AWS Security Hub. As shown below, CT gives organizations pre-defined multi-account governance based on AWS best practices, so account provisioning is standardized across the hundreds or thousands of accounts in the organization. By enabling Config rules, you can bring in additional compliance checks for security, cost and account management. To implement event- and action-based policies, Cloud Custodian is deployed as a complementary solution to CT; it monitors, notifies and takes remediation actions based on events. As these policies run in AWS Lambda, Cloud Custodian enforces Compliance as Code and auto-remediation, letting organizations accelerate towards security and compliance at the same time. Real-time visibility into who made what changes from where lets us detect human errors and non-compliance and take suitable remediation based on it. This improves operational efficiency and brings in cost optimization.

For example, Custodian can identify all untagged EC2 instances, or EBS volumes that are not attached to an EC2 instance, and notify the account admin that they will be terminated in the next 48 to 72 hours if no action is taken. A custom insight dashboard on Security Hub helps admins monitor non-compliance and integrate with an ITSM to create tickets and assign them to resolver groups. RL has implemented Compliance as a Code for its own SaaS production platform, RLCatalyst Research Gateway, a custom cloud portal for researchers.
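The YAML policy structure described above (resource type, filters, actions) and the untagged-instance / unattached-volume clean-up just mentioned, written out as Cloud Custodian policies. This is an added example, not code from the original post or from Relevance Lab: the IAM role name, SQS queue URL, e-mail address and the custodian_cleanup tag key are constructed placeholders, and the notify action assumes the c7n-mailer add-on is deployed alongside Custodian.

```yaml
policies:
  # Event-driven check: when an instance is launched without an Owner tag it is
  # marked for stop in 3 days (72 h), the admin is notified, and a finding is
  # posted to Security Hub so a custom insight dashboard can track it.
  - name: ec2-missing-owner-tag-mark
    resource: aws.ec2
    description: Mark newly launched EC2 instances that carry no Owner tag
    mode:
      type: cloudtrail
      events:
        - RunInstances
      role: arn:aws:iam::{account_id}:role/CustodianLambdaRole   # assumed role name
    filters:
      - "tag:Owner": absent
      - "tag:custodian_cleanup": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        op: stop
        days: 3
      - type: post-finding
        types:
          - "Software and Configuration Checks/AWS Security Best Practices"
        severity_normalized: 30
        title: EC2 instance without Owner tag
      - type: notify
        subject: "[custodian] untagged EC2 instances will be stopped in 72 hours"
        to:
          - cloud-admin@example.com                           # constructed address
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/custodian-mailer  # placeholder

  # Daily enforcement: stop instances whose grace period has elapsed. The Owner
  # filter is repeated so an instance tagged during the grace period is left alone.
  - name: ec2-missing-owner-tag-stop
    resource: aws.ec2
    mode:
      type: periodic
      schedule: "rate(1 day)"
      role: arn:aws:iam::{account_id}:role/CustodianLambdaRole
    filters:
      - type: marked-for-op
        tag: custodian_cleanup
        op: stop
      - "tag:Owner": absent
    actions:
      - stop

  # EBS volumes attached to no instance: mark for deletion in 2 days (48 h)
  # and notify, then delete on the next daily run once the period has elapsed.
  - name: ebs-unattached-mark
    resource: aws.ebs
    mode:
      type: periodic
      schedule: "rate(1 day)"
      role: arn:aws:iam::{account_id}:role/CustodianLambdaRole
    filters:
      - Attachments: []
      - "tag:custodian_cleanup": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup
        op: delete
        days: 2
      - type: notify
        subject: "[custodian] unattached EBS volumes will be deleted in 48 hours"
        to:
          - cloud-admin@example.com
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/custodian-mailer

  - name: ebs-unattached-delete
    resource: aws.ebs
    mode:
      type: periodic
      schedule: "rate(1 day)"
      role: arn:aws:iam::{account_id}:role/CustodianLambdaRole
    filters:
      - type: marked-for-op
        tag: custodian_cleanup
        op: delete
      - Attachments: []          # still unattached; a volume attached meanwhile is skipped
    actions:
      - delete
```

Running `custodian validate` and then `custodian run --dryrun` against this file exercises the validate / dry-run / review loop the text describes before the Lambda functions are provisioned with a plain `custodian run`. Splitting each clean-up into a mark policy and a separate enforcement policy is what gives the 48 to 72 hour notice window: nothing destructive happens on the run that discovers the resource.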



Common Use Cases


How to get started
Relevance Lab is a consulting partner of AWS and helps organizations achieve Compliance as a Code using AWS best practices. While enterprises can try to build some of these solutions themselves, it is a time-consuming and error-prone activity that needs a specialist partner. RL has helped 10+ enterprises with this need and has a reusable framework to meet security and compliance needs. To start with, customers can enroll in a 10-10 program which gives an insight into their current cloud compliance. Based on an assessment, Relevance Lab shares a gap analysis report and helps design the appropriate “to-be” model. Our cloud governance professional services group also provides implementation and support services with agility and cost effectiveness.

For more details, please feel free to reach out to marketing@relevancelab.com




2020 Blog, Governance360, Blog, Featured

Based on AWS recommended best practices, this blog articulates governance and management at scale for customers on cloud security implementation, covering the following themes:

  • Designing Governance at Scale
  • Governance Automation
  • Preventive Controls
  • Detective Controls
  • Bringing it all together

Need for a matured and effective Cloud Security Governance
To achieve agility, compliance and security, customers cannot rely on manual processes, and hence automation plays a key role. This mandates an integrated model called “Governance at Scale” which focuses on Account Management, Security, Compliance Automation, Budget and Cost Management. This model helps customers stay on the fast track while ensuring workloads meet security and compliance requirements. Governance at Scale is an orchestration framework which includes enablement, provisioning and operations.


  • Account Management: Governance at Scale processes streamline account management across multiple AWS accounts and workloads in an organization through centralization, standardization and automation of account maintenance. This can be achieved through policy automation, identity federation and account automation.

  • Security and Compliance Automation: Governance at Scale practices consist of three main goals
    • Identity and Access Automation: Customers can access their workloads based on their roles’ privileges, as defined by the organization’s policies. Access to new services can be added at an OU level and the changes will apply across all cloud accounts on that level.
    • Security Automation: To maintain a secure posture at scale, security tasks and compliance assessments also require automation. Automation reduces implementation effort, as templates ensure that services and projects are secure and compliant by default. Customers can also be more responsive when a policy violation occurs.
    • Policy Enforcement: AWS guidance for Governance at Scale helps you enforce policy on AWS Regions, AWS services and resource configurations. Policy enforcement happens at different levels: Region, service and resource configuration, and also at the organizational or the resource level. Enforcement is based on roles, responsibilities and compliance regulations (such as HIPAA, FedRAMP and PCI DSS).

  • Budget and Cost Management: This framework helps organizations proactively make decisions on budget controls and allocation across the organization, and primarily consists of budget planning and enforcement.
    • Budget Planning: This allows financial owners to allocate and subdivide the available budget from a given funding source appropriately across the company. Financial dashboards provide real-time insights to decision makers over the lifetime of the funding source.
    • Budget Enforcement: Budget enforcement can happen at each layer, department or project in an organization, as these can have different budgetary needs and limits. The governance framework lets the organization assign budgets and define thresholds while monitoring spending in real time, and can proactively notify the relevant stakeholders and trigger enforcement actions.

Some of this Intelligent Automation includes

  • Restricting the use of AWS resources to those that cost less than a specified price.
  • Throttle new resource provisioning.
  • Shut down, end or deprovision AWS resources after archiving configurations and data for future use.

Implementing Governance at Scale with Ideal Landing Zone architecture


Key Process and Services to implement Governance at Scale Framework

AWS Control Tower: This is a native service used for setting up and governing a secure, compliant, multi-account AWS environment, automated using AWS best-practice blueprints. Its multi-account structure enables aggregated, centralised logging, monitoring and operations.

  • Establish and Enable Guardrails: AWS Control Tower includes guardrails, which are high-level policies that provide constant governance. It allows you to adopt original best practices on security across the AWS environment managed by Control Tower.
  • Automate Compliant Account Provisioning: Automate account provision workflow using Account Factory.
  • Centralize Identity and Access: By using AWS SSO, the service can centralize access and identity management which follows the standard best practices.
  • Log Archive Account: The log archive centralizes logs and provides a single source of truth for all the account activities. The account works as a repository for API activity logs and resource configurations from all accounts in the landing zone. It contains the centralized logging for AWS CloudTrail and AWS Config.
  • Audit Account: The audit account is a restricted account. It is designed to provide security and compliance teams read and write access to all accounts in your landing zone. It can be a main account for security services such as Amazon GuardDuty and AWS Security Hub.

Governance Lifecycle with Services: An integrated model covering AWS Config, AWS Systems Manager, Amazon GuardDuty and AWS Security Hub.

These services work together and play a crucial role in the Governance at Scale framework. Together, they allow your customers to

  • Define security rules and compliance requirements.
  • Monitor infrastructure against the rules and requirements.
  • Detect violations.
  • Get notifications in real time.
  • Take action in an effective and rapid manner.

AWS Config: This enables customers to assess, audit and evaluate their AWS configurations in real time. It monitors and records AWS resource configurations and automates the evaluation of recorded configurations against desired configurations.

AWS Systems Manager: This gives customers visibility with a unified user interface and allows them to control their infrastructure on AWS by automating operational tasks. With AWS Systems Manager, customers can

  • Group resources by application.
  • View operational data for monitoring and troubleshooting, and take action on groups of resources.
  • Streamline resource and application management.
  • Shorten the time to detect and resolve operational issues.
  • Simplify operations and management of the infrastructure, securely at scale.

Amazon GuardDuty: It protects AWS accounts, workloads and data with intelligent threat detection, monitoring for malicious activity and unauthorized behavior. It uses machine learning, anomaly detection and integrated threat intelligence to identify and prioritize potential threats.
Customers enable GuardDuty from the AWS Management Console, where it analyzes billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC flow logs and DNS logs. By integrating with Amazon CloudWatch Events, GuardDuty alerts are actionable.

AWS Security Hub: This is the compliance and security center for AWS customers. Security Hub allows customers to centrally view and manage security alerts and automate security checks.
Security Hub automatically runs the account-level configuration and security checks based on AWS best practices and open standards. It consolidates the security findings across accounts and provider products and displays results on the Security Hub console. It also supports integration with Amazon CloudWatch Events. To automate remediation of specific findings, customers can define custom actions to take when a finding is received.
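One way to wire up the detective control that AWS Config provides and the custom-action automation Security Hub offers, as a single CloudFormation template. This is an added example, not code from the original post or from Relevance Lab. It assumes Security Hub and its Config integration are already enabled in the account; the custom action ARN, e-mail address and tag keys are constructed placeholders, and the custom action itself is created separately in the Security Hub console or CLI.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Config required-tags rule plus EventBridge rules routing Security Hub findings to SNS

Parameters:
  AlertEmail:
    Type: String
    Default: cloud-admin@example.com               # constructed placeholder
  CustomActionArn:
    Type: String
    Description: ARN of the Security Hub custom action an analyst selects (placeholder value)
    Default: arn:aws:securityhub:us-east-1:123456789012:action/custom/SendToItsm

Resources:
  # Detective guardrail: Config evaluates EC2 instances and EBS volumes against
  # the managed REQUIRED_TAGS rule; NON_COMPLIANT results surface in Security Hub
  # through its AWS Config integration.
  RequiredTagsRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: required-tags-ec2-ebs
      Description: Flags EC2 instances and EBS volumes missing Owner and CostCenter tags
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
          - AWS::EC2::Volume
      Source:
        Owner: AWS
        SourceIdentifier: REQUIRED_TAGS
      InputParameters:
        tag1Key: Owner
        tag2Key: CostCenter

  # Delivery channel towards ITSM / chat / on-call tooling (e-mail here).
  FindingsTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: security-hub-findings
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  # EventBridge must be allowed to publish to the topic.
  FindingsTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref FindingsTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref FindingsTopic

  # Human-triggered path: fires when an analyst applies the custom action to
  # one or more findings in the Security Hub console.
  CustomActionRule:
    Type: AWS::Events::Rule
    Properties:
      Name: securityhub-send-to-itsm
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Custom Action
        resources:
          - !Ref CustomActionArn
      Targets:
        - Id: findings-topic
          Arn: !Ref FindingsTopic
          InputTransformer:
            InputPathsMap:
              title: "$.detail.findings[0].Title"
              severity: "$.detail.findings[0].Severity.Label"
              account: "$.detail.findings[0].AwsAccountId"
            InputTemplate: '"<severity> finding in account <account>: <title>"'

  # Automatic path: every newly imported HIGH or CRITICAL finding that is still
  # active is forwarded without waiting for an analyst.
  HighSeverityImportedRule:
    Type: AWS::Events::Rule
    Properties:
      Name: securityhub-high-severity-imported
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Imported
        detail:
          findings:
            RecordState:
              - ACTIVE
            Severity:
              Label:
                - HIGH
                - CRITICAL
      Targets:
        - Id: findings-topic
          Arn: !Ref FindingsTopic
```

The two rules illustrate the two response modes the text distinguishes: the custom-action rule only fires on an explicit analyst decision, while the imported-findings rule acts on every matching finding as it arrives, so its pattern should stay narrow (severity and record state here) to avoid flooding the downstream queue. Swapping the SNS target for a Lambda function or a Systems Manager Automation document turns the same rule into an auto-remediation playbook.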


AWS Products Used


With AWS management and governance services, customers can improve their governance control and fast-track their business objectives. However, solving these challenges is not straightforward, as many customers rely on a traditional IT management process which is manual and not scalable. Also, with a lack of clarity on account management and without clearly defined processes, they end up provisioning multiple accounts and tracking becomes inefficient. This can also increase their security and financial risks. In some cases, due to these challenges, customers rely on third-party tools or solutions which can further complicate and increase operational challenges.

Relevance Lab can help organizations to build or migrate existing accounts to a secured, compliant, multi account AWS environment enabled with automation to increase both operational and cost efficiency. The transition to this matured Governance at Scale framework can be implemented in four weeks using our specialised competencies, RLCatalyst automation framework and the Governance at Scale handbook.

For more details, please feel free to reach out to marketing@relevancelab.com




2020 Blog, Governance360, Blog, Command blog, Featured, RLAws Blogs

For large enterprises and SMBs with multiple AWS accounts, monitoring and managing those accounts is a huge challenge, as they are managed across multiple teams and run into a few hundred accounts in some organizations.


AWS Control Tower helps organizations set up, manage, monitor, and govern a secure multi-account environment using AWS best practices.



Benefits of AWS Control Tower

  • Automate the setup of multiple AWS environments in a few clicks with AWS best practices
  • Enforce governance and compliance using guardrails
  • Centralized logging and policy management
  • Simplified workflows for standardized account provisioning
  • Perform Security Audits using Identity & Access Management
  • Ability to customize Control Tower landing zone even after initial deployment

Features of AWS Control Tower

a) AWS Control Tower automates the setup of a new landing zone which includes,


  • Creating a multi-account environment using AWS Organizations
  • Identity management using AWS Single Sign-On (SSO) default directory
  • Federated access to accounts using AWS SSO
  • Centralized logging from AWS CloudTrail, and AWS Config stored in Amazon S3
  • Enable cross-account security audits using AWS IAM and AWS SSO

b) Account Factory


  • This helps to automate the provisioning of new accounts in the organization.
  • A configurable account template that helps to standardize the provisioning of new accounts with pre-approved account configurations.

c) Guardrails


  • Pre-bundled governance rules for security, operations, and compliance which can be applied to Organization Units or a specific group of accounts.
  • Preventive Guardrails – Prevent policy violations through enforcement. Implemented using AWS CloudFormation and Service Control Policies
  • Detective Guardrails – Detect policy violations and alert in the dashboard using AWS Config rules

d) 3 types of Guidance (Applied on Guardrails)


  • Mandatory Guardrails – Always Enforced. Enabled by default on landing zone creation.
  • Strongly recommended Guardrails – Enforce best practices for well-architected, multi-account environments. Not enabled by default on landing zone creation.
  • Elective guardrails – To track actions that are restricted. Not enabled by default on landing zone creation.

e) Dashboard


  • Gives complete visibility of the AWS Environment
  • Can view the number of OUs (Organization Units) and accounts provisioned
  • Guardrails enabled
  • Check the list of non-compliant resources based on guardrails enabled.

f) Customizations for Control Tower


  • Trigger workflow during an AWS Control Tower Lifecycle event such as adding a new managed account
  • Trigger customizations to AWS Control Tower using user provided configuration changes

Steps to setup AWS CT


Setting up Control Tower on a new account is relatively simpler than setting it up on an existing account. Once Control Tower is set up, the landing zone should have the following.


  • 2 Organizational Units
  • 3 accounts, a master account and isolated accounts for log archive and security audit
  • 20 preventive guardrails to enforce policies
  • 2 detective guardrails to detect config violations

Steps to customize AWS CT
Customizations to Control Tower can be done using AWS CloudFormation templates at OU and account levels and service control policies (SCPs) at the OU level. The setup for enabling CT customizations is provided as an AWS CloudFormation template which creates an AWS CodePipeline pipeline, AWS CodeBuild projects, AWS Step Functions, AWS Lambda functions, an Amazon EventBridge event rule, an Amazon SQS queue, and an Amazon S3 or AWS CodeCommit repository to hold the custom resource package file.
Once the setup is done, customizations to AWS CT can be done as follows

  • Upload a custom package file to the Amazon S3 or AWS CodeCommit repository
  • This triggers the AWS CodePipeline workflow and the corresponding CI/CD pipeline for SCPs and CloudFormation StackSets to implement the customizations
  • Alternatively, when a new account is added, a Control Tower Lifecycle event triggers the AWS CodePipeline workflow via Amazon EventBridge, Amazon SQS and AWS Lambda


The next step is to create a new Organizational unit and then create a new account using the account factory and map it to the OU that was created. Once this is done, you can start setting up your resources and any non-compliance starts reflecting in the Noncompliant resources’ dashboard. In addition to this, any deviation to the standard AWS best practices would be reflected in the dashboard.
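The custom package that the steps above upload is driven by a manifest file. Below is an added example of such a manifest in the Customizations for AWS Control Tower (CfCT) v2 schema; it is not the original post's or Relevance Lab's file. The OU name "Workloads", the referenced policy and template file names, the parameter keys and the account id are assumptions, and the JSON SCP and the CloudFormation template it points to would ship in the same package.

```yaml
---
# CfCT manifest: one SCP (preventive guardrail) and one StackSet (detective
# guardrail), both targeted at the Workloads OU.
region: us-east-1          # home region of the landing zone (assumed)
version: 2021-03-15        # manifest schema version

resources:
  # Preventive guardrail: an SCP attached to every account in the Workloads OU.
  # The JSON policy document lives in the package; the file name is hypothetical.
  - name: deny-leave-organization
    description: Keep member accounts from detaching themselves from the organization
    resource_file: policies/deny-leave-organization.json
    deploy_method: scp
    deployment_targets:
      organizational_units:
        - Workloads

  # Detective guardrail: a CloudFormation StackSet carrying an AWS Config
  # required-tags rule, deployed to the OU plus one explicitly listed account,
  # in two regions. The template file name and parameter keys are hypothetical.
  - name: config-required-tags
    description: Required-tags Config rule in every workload account
    resource_file: templates/config-required-tags.template
    deploy_method: stack_set
    parameters:
      - parameter_key: Tag1Key
        parameter_value: Owner
      - parameter_key: Tag2Key
        parameter_value: CostCenter
    deployment_targets:
      organizational_units:
        - Workloads
      accounts:
        - 123456789012           # constructed placeholder account id
    regions:
      - us-east-1
      - eu-west-1
```

Committing the package (manifest plus the referenced files) to the CodeCommit repository, or uploading it as a zip to the S3 bucket, starts the pipeline described above; because the targets are expressed as OUs rather than account ids, an account created later through Account Factory and placed in the Workloads OU receives the same SCP and StackSet through the lifecycle-event path without any change to the manifest.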


Conclusion
With many organizations opting for and using AWS cloud services, AWS Control Tower, with its centralized management and the ability to customize the initially deployed configuration, offers the simplest way to set up and govern multiple AWS accounts securely on an ongoing basis through its features and established best practices. Provisioning new AWS accounts is as simple as clicking a few buttons while conforming to the organization’s requirements and policies. Relevance Lab can help your organization build AWS Control Tower and migrate your existing accounts to Control Tower.

For a demo of Control Tower usage in your organization click here

For more details, please feel free to reach out to marketing@relevancelab.com


