Navigating the AWS Security Control Toolbox
Introduction
- This session provides an overview of three main AWS services that can be leveraged to establish a secure and well-governed environment: AWS Config, AWS Organization Policies, and CloudFormation Guard.
- The presenter is a Principal Solutions Architect focused on governance and compliance.
Key Challenges
The main challenges customers face in establishing proper security controls are:
- Feeling overwhelmed by the various options available
- Fragmentation of controls across different domains (security, cost optimization, etc.)
- Complexity in understanding how the various services work together
- Scaling governance across a growing cloud infrastructure
Governance Services
The key services covered in this session are:
- Preventative Controls:
  - Service Control Policies (SCPs): Enforce consistent access control on principals in the organization.
  - Resource Control Policies (RCPs): Enforce consistent access control on resources in the organization.
  - Declarative Policies: Enforce baseline configurations on resources.
- Detective Controls:
  - AWS Config Rules: Continuously evaluate resource configurations and detect changes.
  - Security Hub: Aggregate findings from various security services and provide a centralized view.
- Proactive Controls:
  - CloudFormation Hooks: Run policy evaluations as part of infrastructure deployments to catch non-compliant configurations before they are created.
Demonstration
- A demonstration shows how AWS Config detects an EC2 instance whose instance metadata service (IMDS) version is non-compliant and how the finding is remediated.
- The integration between AWS Config, Systems Manager, and Security Hub is highlighted, showing how these services work together to provide a comprehensive security solution.
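The detection half of that demonstration, written out as an added example rather than the session's own code: the evaluation logic of a custom AWS Config rule that marks EC2 instances NON_COMPLIANT while IMDSv1 (session tokens optional) is still accepted. AWS already ships the managed rule ec2-imdsv2-check for this; the hand-rolled version shows what the detective control evaluates. The field names under `metadataOptions` are assumed to match the configuration item AWS Config records for `AWS::EC2::Instance`, and the sample event is constructed.

```python
import json
from typing import Any

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

def evaluate_imds(config_item: dict[str, Any]) -> tuple[str, str]:
    """Return (ComplianceType, annotation) for one AWS Config configuration item."""
    if config_item.get("resourceType") != "AWS::EC2::Instance":
        return NOT_APPLICABLE, "rule only covers EC2 instances"
    if config_item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "instance deleted; nothing left to evaluate"
    # Field names assumed to match what Config records for AWS::EC2::Instance.
    opts = (config_item.get("configuration") or {}).get("metadataOptions") or {}
    if opts.get("httpEndpoint") == "disabled":
        return COMPLIANT, "IMDS endpoint disabled"
    if opts.get("httpTokens") == "required":
        return COMPLIANT, "IMDSv2 enforced (httpTokens=required)"
    # 'optional' (or unset) means IMDSv1 requests without a session token still succeed.
    return NON_COMPLIANT, f"httpTokens={opts.get('httpTokens', 'unset')}; IMDSv1 still accepted"

def build_evaluation(event: dict[str, Any]) -> dict[str, Any]:
    """Turn a Config rule invocation event into the Evaluation entry put_evaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_imds(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event: dict[str, Any], context: Any) -> None:
    """Entry point when deployed as the rule's Lambda (needs boto3 and config:PutEvaluations)."""
    import boto3  # imported here so the evaluation logic above stays testable offline
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(event)], ResultToken=event["resultToken"])

# Constructed sample invocation: an instance whose IMDS still accepts v1 requests.
SAMPLE_EVENT = {
    "resultToken": "constructed-result-token",
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"metadataOptions": {"httpEndpoint": "enabled", "httpTokens": "optional"}},
    }}),
}
```

The remediation step from the session (Systems Manager acting on the finding) is not covered here; this block only produces the evaluation that Config and Security Hub would surface.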
Conclusion
- The session emphasizes the importance of balancing governance and control with enabling agility and innovation for customers.
- Attendees are encouraged to explore the AWS cloud operations community for further discussions on governance and compliance.