Hello, we're almost there. It's 4:31 on the third day of re:Invent. Thank you very much for joining us today. We're very excited to be here with you to talk about implementing end-to-end compliance on AWS, featuring BMW. I know everybody's here to hear about BMW, so you'll get a chance to do that. Let me introduce myself real quick. My name is Andres Silva. I lead a team of specialist solutions architects for cloud operations at AWS, and I have a couple of co-presenters here that I want you to meet. First, Matheus. Go ahead.
Hello, everyone. My name is Matheus. I work in the same team as Andres; he's actually my manager. I'm a specialist working on CloudOps, Control Tower, all these nice products, and I've been here for four years, based out of the hot city of Dallas, Texas. Jens, Munich.
All right, your mic wasn't working. Say that again. Can you hear me now? Yeah, now we can hear you. Go ahead.
Yeah, we can hear you now. Hi, my name is Jens. I'm head of architecture at the BMW Group, from the currently quite cold Munich. Yes, there you go.
Excellent. All right, let's go ahead and get started. As the title implies, we're going to talk about end-to-end compliance. In this presentation we're going to explain what we mean by that, why it is important, and then go over some strategies, tools and features that can help you achieve it. By the end of this presentation, you're going to have a better idea of how you can implement end-to-end compliance in your environment. This is the agenda we're going to follow. We're going to define what we mean by end-to-end compliance. We're going to briefly touch on some of the common challenges we hear when we have conversations with customers around compliance and how to implement it, and we're going to use a framework to guide us through that conversation, which will help us cover all the important points. We're going to have demos, a lot of demos, and it's going to be pretty cool to see them. But we're also going to get a chance to hear from Jens and the BMW Group story: how they're doing this, how they're implementing end-to-end compliance. It's a very exciting story that we're excited to share with you. And then at the end we'll review some takeaways, things you can do to continue learning and deepening your understanding of end-to-end compliance. So let's go ahead and get started.
So what do we mean by end-to-end compliance? We mean that compliance and the related concepts have to be part of every aspect of the journey of your workloads, not only when they are, let's say, in production, but early in the development of that workload. Developers should be involved in good compliance, or have that mindset, right? So when we talk about end to end, we mean from the very beginning to decommissioning, and there are some requirements around compliance that have to be met when you decommission a workload or application. That's what we mean: you need to implement it at every step of the way, and in a few minutes I'm going to show you how that translates to how you operate your workloads.
So what are some of the challenges we hear from customers? There's a nice quote there: "I know what I want to find, but how do I write it? And where do I start?" Challenges like meeting global and regional regulatory requirements; you may have some requirements in Europe that are different from the ones here in the US. There are different regulatory requirements, HIPAA, PCI, and many more. How do you meet those? What are the commonalities between them, and how do you tackle them? Establishing operational best practices: sometimes the thing is not necessarily around compliance itself but making sure that you are following best practices when you implement those things. And the last one on that slide, to the right, is a very important one, because you want to do all these things without impacting innovation. You want your teams to go fast, you want your teams to innovate, and there's this misconception that if you are compliant, if you are well governed, you cannot innovate. No, you can do both. We have tools that can help you with that, and we're going to talk about them.
Now, how do we do it? We're going to use this flywheel; you know we love flywheels at Amazon, right? So we came up with a flywheel for this, and we're going to use it to guide our conversation today on how to implement this. We're going to talk about five main key things that you need to do: determine, author, deploy, detect, remediate. Determine is determining what things you need to do. Author: you start creating those controls, crafting them. Then you have to deploy them and manage them, then you have to make sure you're detecting, and then you go to the remediate phase. We're going to touch on each one of them and dive deep into them.
Let's start with determine. The first thing you need to do is understand what frameworks you need to be compliant with and what best practices you're going to implement to govern your environments. What does that mean? I started thinking about this, and the best way I can describe it is: you've got to know the rules. Think about a sport, any sport, like football or basketball or baseball. If you want to enjoy it, if you want to play it, you have to know the rules. And the rules for compliance are important. You have to understand the regulatory landscape. How does it work on AWS? You have to know what the shared responsibility model is.
Show of hands: how many of you are familiar with the shared responsibility model? Very good. That's the reason I didn't include a slide on it, because we always do, right? But it is important, and I want to over-emphasize that we understand the shared responsibility model. There are things that we at AWS are responsible for, for compliance purposes, and there are things customers are responsible for, and you need to understand how that works. You need to know the rules. I wish I had an easier way of telling you how to do this part, but there's no other way: you need to understand how these things work.
How many of you are familiar with AWS Artifact? For those of you who don't know what it is, it's a managed platform that we provide where you can self-service the necessary compliance documents that we produce for our part of the shared responsibility model. So if you're going to be HIPAA compliant, there are some requirements for which we need to provide you documentation that where your workloads are operating, they're meeting the requirements. That doesn't mean you're compliant; it means that now you have to do your part. But we are self-servicing those documents to you. So, the rules: get to know them, that's important.
The other thing is to familiarize yourself with the different compliance frameworks, of course the ones that your organization needs to be concerned with. There are so many of them, but you need to understand them, you need to learn about them. You need to understand what controls are part of each and how to map those controls to the infrastructure that is running. That's important also.
And the other thing I want to talk about is that you need to understand where you're at and ask yourself some questions. These questions are important, and answering them is going to guide you through the rest of the journey.
How do I evaluate my organization's compliance status? What tools am I going to use? What things do I need to check?
How do I ensure my developers consistently deploy compliant resources? Do you have a CI/CD pipeline? Can you introduce steps in your CI/CD pipeline to proactively detect anything that doesn't meet regulatory requirements?
How do I track resource changes across my organization once things are deployed and they're changing? What tools do I use to track those changes and make sure they're compliant?
Who did what, and when, in my AWS environment? Do I have an effective way of tracking that? Can I quickly search who launched this EC2 instance or who created this bucket in this account? Can I do that effectively and quickly?
How do I consistently deploy compliance rules across my organization? Usually customers start with two accounts, but very quickly it grows to 100, 200, 300 accounts. How do you do all this in a multi-account environment? And then multiply that by a multi-region environment.
What is my established process for fixing non-compliant resources? Detecting is important. Preventive is super important, detective is super important, but fixing things is super important also, and you need to automate that. Long gone are the days where you would find something that was non-compliant and fix it manually, because think about the scale of an EMR cluster or an EKS cluster, where you have so many resources launching and terminating constantly. If something is non-compliant, it has to be automated: you have to be able to detect it quickly and fix it. So it is very important that you ask these questions.
Along with those questions, it is important that we understand the different types of control behaviors. There are three main types of control behavior. Detective: what does that mean? Once something has already been deployed, created or modified, being able to quickly detect that the change is non-compliant. That's a detective control. Preventive is something you do to disallow actions, usually with permissions, service control policies, where you don't allow somebody to do something that violates a control. And as you can see down there, the first one, detective, could be compliant or non-compliant. Preventive is always compliant, because you're not going to allow the individual to do that. And then we have proactive. What does that mean? It means that you scan resources before they are provisioned. We're going to see a demo of that today. You need to implement some sort of mechanism so that even before a resource is deployed, we can scan it, we can validate it and prevent its creation, its deployment. So that is another important control behavior that we need to understand.
That sets the base, the foundation of the important things we need to know before I get started. Now, how do I get started? I'm going to invite my good friend Matheus so he can talk to us about that. Thank you very much, Andres.
So this is the question, right? How do I get started with this? Our recommendation is to start with AWS Control Tower. AWS Control Tower is the easiest way to set up and govern a multi-account environment, because it comes out of the box with best practices and also blueprints on top of the multi-account environment. So you're going to have controls, managed controls deployed by Control Tower; we're going to go a little bit deeper on that today. And those controls are applied on top of organizational units, so any type of account that you have under that organizational unit is going to be subject to that particular managed control.
Moreover, you also want to make sure that when you are creating new accounts, those accounts are born with the compliance controls that you might have. Control Tower has an automated way to create these accounts so that they are born with these controls. Last but not least, Control Tower also has a dashboard for compliance status across the board. You're going to be able to see where my resources are not compliant, in which regions I have resources that are not compliant, and so on and so forth, and also get notifications and do something about it, take actions as well.
Going a little bit further with Control Tower controls, matching what Andres just said, Control Tower also has three types of controls. Today we have 450-plus. Actually, we just launched digital sovereignty controls, so we have more than 500 controls right now managed by Control Tower. These are out-of-the-box controls,
so you basically don't need to do anything. You just need to enable those controls on top of an organizational unit. I'm going to show that in a second.
So we do have preventive, detective and proactive controls. Preventive controls in Control Tower are Organizations SCPs, which are very powerful; they're going to prevent any action before it happens, actually not allowing you to do anything regarding that specific rule.
We also have Config rules and Security Hub controls. We're going to spend a little bit of time on those controls; they are detective controls.
Moreover, we have proactive controls, which are CloudFormation hooks, and I'm going to show you a demo in a second of how that works as well.
Speaking specifically about the Security Hub and detection piece: we launched this year, at re:Invent 2023, an integration with Security Hub. This is part of the 180 controls that are a chunk of the AWS Foundational Security Best Practices, and what this integration does is actually create a new standard.
So when you deploy a control in a specific account and you go into that account in the Security Hub dashboard, you're going to see that new control, that new standard called Service-Managed Standard, deployed by AWS Control Tower.
And the interesting piece of this is that there's also drift detection on top of that. Control Tower waits for a status report from Security Hub on a daily basis, so if you don't have it, or something occurs outside of Control Tower or Security Hub, Control Tower will flag drift in that particular control.
And then you're going to receive a notification afterwards, so you can do something about it. This is very important. As an IT person, you want to make sure that all your controls are compliant and established across the board.
So let's see how that works in a second. This is the control that I have at the dashboard. This control is "API Gateway REST cache data should be encrypted at rest", and I know the owner of this control is actually Security Hub, because I can see on the left side that the control owner is Security Hub.
So when I enable this control in an OU, if I don't have Security Hub in the account that is subject to that control, Control Tower will enable Security Hub for me. That is the integration working.
And then if I go into Security Hub in that particular account, I'll be able to see something like this, where it's collecting the data based on the control that I have; in a few seconds you're going to see a new standard and also the security score.
So this drift detection is very important to understand how you can be compliant across the board. And in order to avoid any type of drift, you should always enable controls using the Control Tower dashboard or the APIs that we offer. Moving over to detection.
Now it's about Config. Config is going to be our main star of this presentation, because Config is our core service for compliance. What Config essentially does for me is assess, audit and evaluate AWS resources, and also third-party resources as well.
Config allows me to automate the evaluation of recorded configurations against a desired configuration that I want, and we call that a Config rule.
So let's say I have a rule in my environment, let's say every single bucket should be private. In the exact moment that I create a bucket or modify a bucket, Config will evaluate that, and if it is non-compliant, it's going to raise a non-compliant configuration and mark that as non-compliant in the rule.
Config is so core to our compliance story that I want to go a little bit further. When you start your compliance journey, first things first, you need to make sure that you have Control Tower. But you can also understand a little bit more about Config and how Config works.
So the first concept that I want to talk about is recording. Config recording is where we track every single change in our AWS resources. Every time the recorder is tracking a resource and a change occurs, or a resource is changed, the recorder will generate a configuration item, which is called a CI.
Every time the recorder generates those CIs, the Config rules, which are part of our compliance journey, consume that CI and then evaluate it against the compliance rules that you might have, and built on top of that layer we have a bunch of AWS services.
So you see we have Security Hub, we have Control Tower for sure, and we just launched AWS Trusted Advisor doing checks with Config. What is the importance of this? You need to understand that, in order to get the benefits of the top-level layer of those services, I need to have Config enabled. We're going to talk about how you make sure to deploy Config across the board in a second as well.
Going a little bit further, let's talk about proactive controls. We talked about preventive, we talked about detective. Proactive controls on AWS Control Tower are deployed by CloudFormation hooks, and hooks essentially inspect the configuration of my AWS resources before they are actually provisioned.
So if non-compliant resources are found, CloudFormation will either return a failure or, depending on how the failure mode is configured, return a warning, but it's very important that they will not be deployed whatsoever.
OK, so let's see how that works in a second. Yeah, there we go; my laptop was sleepy, that's why. So I have my dashboard right here with my Control Tower environment, and as you can see we have a bunch of those controls out of the box. You see 521 as we speak.
If you go to control behavior, you can filter to proactive, and you can filter by service, for instance EC2, and I have all the proactive controls that I want to enable. I'm going to grab one specifically that we already have enabled in one of my accounts.
This specific control says that EBS volumes configured through an EC2 launch need to be encrypted. The interesting thing here: first of all, enabling this control is very easy. I just need to enable it; in a few seconds I choose the OU, and of course every single account that I have under the OU will be subject to this control.
But it is interesting because if I go to artifacts, I'll be able to see the logic of this control, which is a CloudFormation Guard rule. We're going to talk about how that works in a second. And I can also see samples of non-compliant and compliant CloudFormation templates for this particular control.
So if I change here in a second to the account where I have this enabled, my sandbox account, I'm going to open CloudFormation, and I already have a deployment here where I had a hook. First of all, the template itself matches the same rule that I just told you about, but you see the flag Encrypted: I have it as false, intentionally, because the rule says that it should be encrypted when I'm doing an EC2 launch.
So I'm trying to deploy a CloudFormation template; what do I get? I get this hook over there, you see. Here I'll be able to see that it was a failure, and I know why it was a failure: because of that specific rule that I have in place. I also have the fix. You see, I can just set it to true, and then the CloudFormation deployment will pass through.
So right over there is how a CloudFormation hook works, and you can proactively make sure that your developers are putting compliant code in your environment.
OK, awesome. Going a little bit further on our flywheel: we talked about determining, and you should start with Control Tower. Nice. What if your business needs go a little beyond Control Tower and the controls Control Tower has out of the box? You should think about authoring your own policies, right? You should think about doing your custom policies.
So, show of hands, who knows that Config can also do custom policies? Nice. We do have managed rules on Config, but we also have the capability to do custom rules; we can do that using Lambda and using CloudFormation Guard.
And the interesting piece on Config and Config rules is that so far I've only talked about Config being detective, right? I'm going to detect something. But guess what, we launched back at re:Invent last year that it can also be proactive.
So the idea is the same: I'm going to identify non-compliant resources prior to the creation of the specific resource. And the interesting thing here is that this fits very perfectly in the CI/CD pipeline, because I can basically start an evaluation of my resource, I can get the evaluation of my resource, and I can see if it is compliant or non-compliant, and the rule that you created can work both as detective and also as proactive.
So with that concept in mind, I want to talk about a very well-known concept in the market, which is shift left. Shift left is the process of catching non-compliant code in the early stages of your software development cycle. Focusing only on compliance, you want to make sure that you are implementing controls in the early stages to identify the status before the resources are actually provisioned.
So by following this path, your software team, your development team, will be able to see undetected security issues, which is going to raise the bar for your security compliance and your security posture.
Moreover, you're also going to be able to give your developers fast feedback on the things they did wrong, and also how to fix them, what they need to fix in order to be compliant with your own standards.
So previously, customers would test this in the pipeline and identify non-compliant resources only at the end, waiting until the end and wasting time, effort and money on something that can be put in the early stages.
So we want to start moving into the shift-left culture by implementing those proactive controls to check the compliance status of your code in the early stages.
With that in mind, how can I do this on AWS? CloudFormation Guard is an open-source tool that we have, a policy-as-code tool, where you programmatically create rules and then implement them as custom rules. And we also offer many rules.
The first QR code is the GitHub repo that we have available, and the second one is a couple of custom rules that we created; you can use those. CloudFormation Guard is a domain-specific language, a DSL, and can evaluate any type of JSON and also YAML format, which means that it is not limited to CloudFormation.
So Terraform, Terraform plans, Terraform state files and Kubernetes files can also be subject to CloudFormation Guard. And here is an example, a very simple example, but it shows how easy it is to write a CloudFormation Guard rule. In this example right there, I'm evaluating an EC2 instance type; actually, I want it to be in a specific allow list that comes from parameters.
It is a keyword that lets me pass any type of parameter that I want. So, right off the bat, I can see the benefits there. First of all, there is no Lambda there, there is no undifferentiated heavy lifting that I need to manage; Config will do it all for me, permissions and assumed roles.
So you're not going to handle any type of errors. Secondly, it's very easy to author; I'm going to show how you do it in a second, and it's also very easy to deploy the policies. It is very easy to understand: as you can see in that specific rule, it is very easy to understand how the logic works, and it is policy as code.
OK, so how does that work? Let me show you. I got it right the second time. So let me switch over. I have a template right here, and I want to validate this template against a rule that I created. This is a CloudFormation template, an example, and I have this rule, again very easy to understand:
I'm just making sure that encryption is on, that I'm reducing the limits regarding the size, and I also want to make sure that a specific availability zone is used for that particular template. So what I can do is run `cfn-guard validate`, right? I can pass my template and also the rules. Again, I'm passing only one rule right there, but I can put a lot of statements in a single rule and then evaluate a bunch of policies at once. And then I pass the template and also show the summary in this case. Let me open it a little bit bigger. It failed. Why? Because my template goes against my rules. I can see right there that there is a property that was expecting encryption to be on. In the second place, I also have availability zones; it should be in a specific availability zone, but I'm using in this case us two a. So I need to fix it.
The interesting part here is that I'm running this on my local machine, meaning that your developer team can download cfn-guard to their workstation right now, and if you have (and you should have, by the way) a repo with all these Guard rules, they can download these rules to their workstation and check on their own workstation. And then they make sure, before they actually push the code to the CI/CD pipeline, that they are compliant or not based on the rules that you, as a security or compliance person, wrote.
Moreover, this is only on my local machine, but I can automate it. How? I'm going to use Config; I can use Config as a proactive rule. I'm going to show that in a second. So I have a rule right here. This is a managed rule implemented by Guard; it is proactive, it is SNS encryption with KMS. I want to make sure that it's a KMS key. And what can I do? On the CI/CD pipeline I can put another step (Andres has already mentioned this; by the way, this fails by intent, that's the idea, compliance is failing). So I can put another step using, for instance, CodeBuild, and in that CodeBuild I can validate my rules. Let me show you how to do this.
Config has a way to create an evaluation. There is a command on Config called start-resource-evaluation, and I need to pass a JSON file, which is the resource schema of that particular YAML or JSON file that I'm trying to deploy, and this is very easy to parse, by the way. Then I need to pass the type of evaluation that I want to do, and in this case I'm passing the profile because it's going to my account specifically. When I do that, a resource evaluation will be created, and if I grab that, I run `aws configservice get-resource-evaluation-summary` (I always forget the name) with the resource-evaluation-id parameter. Sorry, a typo. I need to pass configservice. There we go. I made a typo: resource-evaluation-id. Yeah, there we go, it was a typo; I didn't find it. But as you can see, right over there I created the evaluation using the proactive rule, and then it generated a resource evaluation ID. Now I'm able to summarize what was found. In this case the evaluation succeeded, but it's actually non-compliant. So what can I do? I grab the same structure, the evaluation, and do a jq, for instance, on that compliance field over there; it says non-compliant, and then I put another step on my CI/CD pipeline in order to make sure that I deploy only a compliant template.
So right over there, I'm able to include this, right? And the thing is, we make sure that you are shifting left in your culture by adding these steps, in order to make sure that your developer is responsible for fixing the problem. Shift left is about that: I'm shifting the responsibility to whoever violates the policy to also remediate, right? They need to remediate in order to push forward. So by adding this, you will make sure that your CI/CD pipeline will be compliant, because by the end, if the code goes through the whole pipeline, you know for sure that the code is compliant. You don't necessarily care about the enumeration of the services; you care whether it is compliant or not. Doing this, you're going to make sure that all the resources you have by the end of that pipeline are compliant, because they passed through all the rules that you implemented.
OK, moving on with the flywheel. We talked about determining, we talked about authoring, but we also need to talk about deployment. So first things first: turn on Config in every single account and also in every region that you have. If you have Control Tower already, you're good to go, because Control Tower works together with Config, like we said. If you don't have Control Tower in your environment, you can use Systems Manager Quick Setup and also CloudFormation StackSets, and you can also use Terraform to enable Config out there. Every single time that you enable Config, send those logs to an S3 bucket in a centralized account, for best-practice purposes.
Config also comes with aggregators. There are two types of aggregator: by individual accounts and by whole organization. An aggregator is where you're going to be able to collect all the data in a single source, from multiple accounts and multiple regions, and there is no additional charge for an aggregator, so you should use it in order to make sure that we are deploying across the board. Last but not least, conformance packs.
Conformance packs are a single entity, actually a YAML file, that contains both remediation actions and also custom and managed rules, if you wish, and supports deployment through the whole AWS organization. You can customize those, and it's very easy to work with aggregators and conformance packs. And we do have samples out of the box that you can use: there are conformance packs for industry standards, we have those available, and also for S3 and DynamoDB best practices, for instance.
With that, we'd like to call Jens, because it's very cool that I'm saying this, but you should hear it from the source. This is a customer saying how they faced compliance needs and how they used all this, and on top of that is another thing. So Jens, thank you very much.
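The pipeline gate that Matheus walks through above (a local cfn-guard style check on the developer's workstation, then `start-resource-evaluation` / `get-resource-evaluation-summary` as a CI/CD step), as an added example written for this page in Python. It is editor-added code, not code from the session, from AWS or from BMW. The template, its logical resource names, the placeholder AMI ID and the offline Config summary are all constructed for illustration; the EBS encryption logic is a plain-Python restatement of the Control Tower proactive control from the demo rather than its Guard rule; and the boto3 calls, which mirror the two CLI commands used in the demo, only run when `live=True` is passed and are never exercised offline.

```python
"""Shift-left compliance gate for a CloudFormation template.

Editor-added example (not from the talk, AWS or BMW). It automates the two
steps from the demo: a local check a developer can run before pushing, and
the AWS Config proactive-evaluation calls used as a CI/CD gate. The
template, names and the offline Config summary are constructed; network
calls happen only with live=True (needs boto3 and credentials).
"""
import json
import time

# Constructed template: the root EBS volume is deliberately NOT encrypted
# (the "failed by intent" case from the demo). The AMI ID is a placeholder.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-00000000000000000",
                "InstanceType": "t3.micro",
                "BlockDeviceMappings": [
                    {"DeviceName": "/dev/xvda",
                     "Ebs": {"VolumeSize": 20, "Encrypted": False}},
                    {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
                ],
            },
        },
        "AlertTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {"KmsMasterKeyId": "alias/aws/sns"},
        },
    },
}


def check_ebs_encrypted(template):
    """Local proactive check: every EBS block device on an AWS::EC2::Instance
    must set Encrypted: true. Returns violation strings (empty == compliant).
    A missing Encrypted key is a violation: a template cannot assume the
    account has EBS default encryption switched on."""
    violations = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        for bdm in res.get("Properties", {}).get("BlockDeviceMappings", []):
            ebs = bdm.get("Ebs")
            if ebs is None:  # instance-store device (VirtualName): nothing to encrypt
                continue
            if ebs.get("Encrypted") is not True:
                violations.append(
                    f"{name}: {bdm.get('DeviceName', '?')} must set Ebs.Encrypted: true")
    return violations


def to_resource_details(template):
    """One ResourceDetails payload per resource, in the shape that
    `aws configservice start-resource-evaluation --resource-details` takes:
    the Properties block serialised as a JSON string, flagged as
    CloudFormation-shaped so Config's proactive rules can read it."""
    return [{
        "ResourceId": name,
        "ResourceType": res["Type"],
        "ResourceConfiguration": json.dumps(res.get("Properties", {})),
        "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
    } for name, res in template.get("Resources", {}).items()]


def is_compliant(summary):
    """Gate on a get-resource-evaluation-summary response. Only a SUCCEEDED
    evaluation reporting COMPLIANT passes; IN_PROGRESS, FAILED or a missing
    Compliance field fail closed rather than letting a deploy through."""
    status = summary.get("EvaluationStatus", {}).get("Status")
    return status == "SUCCEEDED" and summary.get("Compliance") == "COMPLIANT"


def evaluate_proactively(details, live=False, poll_seconds=2):
    """The two API calls from the demo, for one resource. With live=False a
    constructed NON_COMPLIANT summary is returned so the gate runs offline."""
    if not live:
        return {"ResourceEvaluationId": "constructed-evaluation-id",
                "EvaluationMode": "PROACTIVE",
                "EvaluationStatus": {"Status": "SUCCEEDED"},
                "Compliance": "NON_COMPLIANT",
                "ResourceDetails": details}
    import boto3  # only needed for the real call
    cfg = boto3.client("config")
    eval_id = cfg.start_resource_evaluation(
        ResourceDetails=details, EvaluationMode="PROACTIVE")["ResourceEvaluationId"]
    while True:  # poll until Config finishes, then let is_compliant() decide
        summary = cfg.get_resource_evaluation_summary(ResourceEvaluationId=eval_id)
        if summary["EvaluationStatus"]["Status"] != "IN_PROGRESS":
            return summary
        time.sleep(poll_seconds)


def gate(template, live=False):
    """CI/CD step: fail fast on the local rule, then ask Config about every
    resource. True means the template may proceed to deployment."""
    if check_ebs_encrypted(template):
        return False
    return all(is_compliant(evaluate_proactively(d, live))
               for d in to_resource_details(template))


if __name__ == "__main__":
    for v in check_ebs_encrypted(SAMPLE_TEMPLATE):
        print("LOCAL VIOLATION:", v)
    print("gate passed:", gate(SAMPLE_TEMPLATE))
```

Run as-is it reports the unencrypted root volume and the gate returns `False` without any network access, which is the developer-workstation use. In a CodeBuild step you would call `gate(template, live=True)` and exit non-zero on `False`; the fail-closed `is_compliant` check matters there, because an evaluation that never finished or errored out must not be read as a pass.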
Yeah, thank you, Matheus. First of all, who of you owns a BMW? Nice, nice. What I just want to show you in my part of the presentation is, first of all, as most of you know, at BMW we are really obsessed with delivering premium experiences for our customers. For the vehicle itself it's quite easy, "the ultimate driving machine", as our claim is, but what makes a digital service premium? For us it has several aspects. The first is that it should really make your drive more convenient. One example: if you drive in an i7 or a normal 7 Series, our flagship, there is Amazon Fire TV, and it's really amazing if you sit in the back seat of the vehicle and just enjoy watching Fire TV, all the series, movies and whatever from Prime, or in Germany you can watch the Bundesliga live stream. Another aspect is to provide our customers really intelligent, personalized services. One instance is our Intelligent Personal Assistant, which will be presented in more detail, I think tomorrow or on Wednesday, and this is where we use Alexa to give our customers the chance to steer or control the offering in the vehicle, the multimedia offering, by voice, which is a nice modality because you can focus on the street. We will bring out next quarter, as I think the first OEM, the feature in the vehicle for autonomous driving where you can really take your hands off the vehicle, sorry, off the steering wheel, and do some work or whatever. But in the meantime, Alexa is quite good to steer the vehicle. How do you get intelligent and personalized services? By using and leveraging a massive amount of data while at the same time ensuring data privacy.
And we do this with our backends hosted on AWS, for instance our automated driving platform, our Cloud Data Hub, or our connected vehicle platform, which I will describe in more detail. A good example of this is our Route Optimized for Charging service, which I really like because it offers our customer an optimized route with their electric vehicle, depending on their driving style, the traffic, available charging stations and some other data. So what a premium digital service means for us is a seamless, great interplay between the vehicle and the connected backends, and this might sound easy, but it's really a challenging task, as I will show you on the next page.
Almost 20 years ago we introduced our first connected vehicles, when we were the first automotive OEM to build a SIM card into the vehicle, so you could get data inside the vehicle. Nowadays we have 20 million vehicles fully connected in the field. Of those vehicles, 6 million are fully upgradable, that is, we can continuously update or upgrade new or existing features in the vehicle. These two numbers are a benchmark in the automotive industry, and they are growing on a daily basis. All in all, our fleet of 20 million vehicles creates 12 billion requests a day; that is 140,000 just in the second I just spoke. These 12 billion requests are processed by 1,000 microservices, and all in all we generate traffic of 110 terabytes per day. And we're quite proud that we have a reliability of 99.95%. These numbers already sound a little impressive, but in the next two or three years we expect them to triple; our new architecture, which will come out in two years, has approximately three times this volume. And the challenge and the task my team of solution architects and developers are facing, together with our 450 development teams worldwide, is: how can you ensure compliance at this scale? How can we continuously optimize our backend? How can we continuously raise the bar for the backend regarding quality, reliability and sustainability, while at the same time keeping an eye on, or even preferably cutting, costs? And I'm pretty sure you all agree that this is something you can only do with an automated workflow.
We started with using the normal Trusted Advisor and AWS Config workflow. So you use them, you measure your accounts, you hope that you learn something, that you gain some insights on what is happening with all your accounts, that you identify action items where you know, OK, this might be wrong, I can do this to optimize the accounts. I mean, this is really trivial, there is nothing special, this is what basically a lot of people are doing. But as I said, this is a manual process and that is not scalable. I mean, it does work on the level of one DevOps team, but if you really want to take all of your backend on the level of an organizational unit, this doesn't really fly. So we had to automate this workflow, and here is just an overview of some of the measures we took. I will just walk you through those measures in detail.
Let's start with the first step. I mean, if you just have a look at some of the rules Matteus showed, Andres showed, you really have to know the stuff, you really have to understand what is behind this rule. So if you have a finding, you need to know: is this really critical? Do I really need to do something there? For most of the rules, yes, but even if some of the rules are important, there are some other rules which are even more important. For instance, an EBS or an S3 which has customer data and is not encrypted is really of a higher priority than, let's say, an S3 with test data, synthetic data, which is not encrypted. So what we did is we went through all the rules, we added the documentation: what is this problem? How can you fix this? And we added a prioritization for the rules and provided this to all our development teams. And you just have to think of: the more teams you have, the less mature you are in the cloud, the more teams you have which do not really know all the rules. And additionally, the offering from AWS is so big and it is growing every day, so it's quite difficult to find a team where they have experts for things such as Kinesis, S3 and maybe some other new service coming up. So what did this help us? It provided us a database, a knowledge database, where the teams could have a look and thus saved a lot of time browsing the internet, for instance Stack Overflow, Google or whatever. So this was step one. In step two, we took again Trusted Advisor and Config, added this knowledge base with the prioritized rules and how to solve them, and made a dashboard. This is again not really that challenging, it just takes a lot of effort.
It just takes a lot of will to do this on a regular basis, to really work on continuously optimizing the documentation, because if you find out that teams don't really understand this, you have to work to add more documents. And what you can see here is a test account. I mean, we didn't provide the real findings, but it helps you already to really focus on some issues and to see what are the most prioritized issues I should tackle or what is the most occurring one.
So this saves you time because you focus on the real issues. And in step three, since we had more time, since we were continuously checking our accounts, checking our findings, we identified some rules where we thought this is not really enough, or that we could become better, because if you just remember, Trusted Advisor is a collection of best practices, and with Config, as Matteus told you, you get the chance to write your own rules, and that's what we did.
And here's one example. It's the Guard language, already mentioned, on quite a good example. SQS, as you all know, comes with built-in encryption; it's server-side encryption for us as customers. And as I said, at BMW we are really, really, really bent on ensuring the data privacy of our customers. So for us, we said we have to do more, we have to make sure that we use SQS with a customer managed key. And the nice thing is already, if you have a look at this rule, that you're capable of checking two things at the same time.
So this gives us the possibility to enforce at the level of an organizational unit that everyone uses SQS with a customer managed key. And as you can see, it's quite trivial to implement, it's quite easy to read and understand, and easy to maintain.
So if I can summarize our end-to-end workflow: as said, we started with Trusted Advisor and Config to measure, so to have data we can look at. We check those results, try to get insight, try to find out how can I become better as an organization. Then we had some measures which we could tell the DevOps teams: hey, this is something you guys should work on, this is something you might optimize. So they had the chance to optimize their accounts.
Then we wanted to get more into automation. We wanted to improve the time for one iteration of the flywheel you see here. That is why we added documentation to the rules, that's why we prioritized the rules, so the teams could focus on the real issues and not get lost in some issues which are maybe not that important.
Then we gave them the dashboard so they could, we could check, on the level of a DevOps team and on an organization level, which are really the most pressing issues. And this already helped us to see which of the teams could need more support.
Then, since we were already starting to fly, we already got automation, we said we have to continuously work to continuously extend our rule set so that we monitor more and more and more. That's why we instigated the process to identify some rules and to extend the rule set. And this is the flywheel we had and automated, which could ensure end-to-end compliance.
Now let me just summarize the benefits we have. First of all, it's a workflow for continuous optimization, because we ritualized all of these simple steps. That's why we really started to fly. We're now pushing harder and harder and it's now moving by itself almost. We can support the DevOps teams because we can ease the governance workflows they have to do, so they have more time to focus on the business logic, to focus on the products which distinguish us from other competitors. And the last thing, for me and my team, is we can ensure end-to-end governance at scale.
But before I come to the end, I want to show you something, kind of a sneak peek, which we have been working on to even make the flywheel go way faster, because we still got one or two problems. I mean, you've seen before, if an expert like Matteus knows the stuff, he can type it down, he can code the rules, he knows what he has to do, but this is not available everywhere. So we thought there must be something where we can really try to automate this, and we found something nice.
What you can see here is a sneak peek of our in-console cloud assistant. What we did is we started and we built a generative AI bot which helps the teams to get this flywheel really up to speed. And let me show you on one simple example which you all know; it's quite trivial, it's really easy: an underutilized EC2 instance. It's totally easy to explain to everyone: you waste money. But to implement this is not that easy, you have to do some stuff.
So let me just show you the bot on this example, how it does work. You see, I can ask him: what is the health of my account? And he tells me all of the different problems. And what we do is, you see, I can ask him: please help me, please explain to me why is low utilization so interesting. And then he tells me the problem, and he already writes down code in Python or in Terraform for how I could fix it.
But, and this is the big one, he not only programs this, I can also ask him: do this, please, directly. And in that case, I would tell him: please choose a smaller instance which is cheaper, saves us money. And then the bot says: hey, I did it. And then you can of course ask him: hey, great, you solved one of my problems, now how about the other problems?
And if you'd like to know more about this, on Wednesday in Francessca Vasquez's keynote, Gen AI from hype to impact, they will show something more about the bot.
Now let me come to the end of my presentation. You saw how we at BMW can scale governance for our cloud accounts. If you want to experience our products in reality, please come by the industry space, where we show the i7 with all of the features I just showed you today, so you can experience them for yourselves. That was it from my behalf. I'll hand back to Matteus. Thanks a lot.
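The SQS customer-managed-key check Jens describes above, written out as an added example for this page in Python rather than in Guard. It is not BMW's rule and not an AWS managed rule: it implements the same two conditions (a KMS key is configured at all, and that key is not the AWS managed alias/aws/sqs) the way a custom Config rule Lambda would evaluate them. The configuration item field names (configuration.KmsMasterKeyId) and the invocation event shape are assumptions taken from the Config custom rule contract, and the sample event at the bottom is constructed, not captured from a real account.

```python
"""Custom AWS Config rule logic: an SQS queue is compliant only when it uses
SSE-KMS with a customer managed key (CMK).

Added example for this page, not BMW's rule and not an AWS managed rule.
Assumed (not from the talk): the configuration item for an AWS::SQS::Queue
carries the key under configuration.KmsMasterKeyId, and the invocation event
follows the Config custom Lambda rule contract (invokingEvent JSON string,
resultToken). Validate both against a real configuration item before use.
"""
import json

# Alias of the AWS managed (not customer managed) KMS key for SQS.
AWS_MANAGED_SQS_KEY_ALIAS = "alias/aws/sqs"


def evaluate_sqs_queue(config_item: dict) -> tuple:
    """Return (ComplianceType, Annotation) for one configuration item.

    Two checks, mirroring the two conditions of the rule shown in the talk:
      1. a KMS key is configured at all (no SSE, or SQS-managed SSE, fails), and
      2. that key is not the AWS managed key alias/aws/sqs.
    """
    if config_item.get("resourceType") != "AWS::SQS::Queue":
        return "NOT_APPLICABLE", "rule only evaluates SQS queues"
    if config_item.get("configurationItemStatus", "OK").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "queue no longer exists"

    conf = config_item.get("configuration") or {}
    key_id = conf.get("KmsMasterKeyId")

    # Check 1: SQS-managed SSE (SqsManagedSseEnabled) or no SSE leaves this empty.
    if not key_id:
        return "NON_COMPLIANT", "queue is not encrypted with a KMS key"

    # Check 2: the AWS managed key is recognisable by its alias, whether given
    # bare ("alias/aws/sqs") or as an alias ARN ("arn:aws:kms:...:alias/aws/sqs").
    # A bare key ARN is accepted here; telling an AWS managed key ARN from a CMK
    # ARN would need a KMS DescribeKey lookup (KeyManager field), which this
    # offline example does not perform.
    if key_id.split(":")[-1] == AWS_MANAGED_SQS_KEY_ALIAS:
        return "NON_COMPLIANT", "queue uses the AWS managed key alias/aws/sqs"

    return "COMPLIANT", "queue encrypted with customer managed key " + key_id


def build_evaluations(event: dict) -> list:
    """Translate a Config rule invocation event into the Evaluations list the
    deployed Lambda would send via config.put_evaluations()."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_sqs_queue(item)
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def lambda_handler(event, context):
    """Entry point of the custom rule. The boto3 call is left as a comment so
    the module runs offline; the deployed version would execute it."""
    evaluations = build_evaluations(event)
    # boto3.client("config").put_evaluations(
    #     Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


# Constructed sample invocation (not captured from a real account): a queue
# encrypted with the AWS managed key, which the rule must flag.
SAMPLE_EVENT = {
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::SQS::Queue",
            "resourceId": "https://sqs.eu-central-1.amazonaws.com/111122223333/orders",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2023-11-28T10:00:00.000Z",
            "configuration": {"QueueName": "orders", "KmsMasterKeyId": "alias/aws/sqs"},
        },
    }),
}

if __name__ == "__main__":
    for ev in lambda_handler(SAMPLE_EVENT, None):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```

The two checks are kept in one function so the rule can be unit-tested with plain dictionaries before it is wired to Config; the same logic, attached to an organization-level Config rule, is what lets the requirement be enforced for every queue in an organizational unit rather than reviewed account by account.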
Thank you very much. Appreciate it. That was exciting. Yeah, it was awesome, right? OK, so let's go to the end of the presentation. So flywheel, go back to the flywheel. After determining, authoring, deploying, we need to detect. So I'm gonna show very quickly how to detect in our environment.
So I just want to cover two launches that we made yesterday regarding detection. Of course my session expired. Yep. And if I go here to Config in this environment, I can see now, on top of the aggregator, a new launch: a compliance dashboard. I have this out of the box. With the aggregator, I can see non-compliant resources. This was launched yesterday together with the inventory dashboard. I can see right now a couple of insightful pieces of information that I have. And we launched also advanced query powered by generative AI.
Now I can ask questions, this on top of also the aggregator, like: show me security groups with port 22 open. And when I hit generate, that plain English statement is converted into a SQL syntax query, that is advanced query, and then I'll be able to, you see, I'll be able to populate that and run it right over there. So personas like an auditor who doesn't have any technical background will be able to easily search and investigate any type of non-compliant resource with that feature that was launched yesterday.
And with that, I will pass back to Andres to finish with remediation. Thank you, Matteus. It's excellent, awesome. So the last point we want to cover in the flywheel is remediation. What do we mean by this? Well, once a resource has been deployed and is detected non-compliant, you just don't stand there and watch it, right? You wanna fix it, you wanna fix it as soon as possible.
Now, granted, not everything can be fixed immediately, some things could be, you have to, you know, be balanced, right? But I would say that 80% of things sometimes can be fixed automatically, and then there's a 20% where you have to use your judgment. But if you think about it on a large-scale infrastructure, if you take care of 80%, that's gonna simplify the work a lot, right? And then you can address the last 20%.
There's two ways you can do this. We're gonna go over this very quickly. One is AWS Systems Manager, specifically the Automation piece of Systems Manager, which allows you to craft an automation or sequence of events. For example, if an S3 bucket is not encrypted, go and make it encrypted. You can tie automation straight to Config rules as a remediation option. The other way...
Oh, by the way, I wanna mention that yesterday we launched something that makes creating those automations a lot easier in Systems Manager. It's called Optics for Systems Manager, and it's a visual designer for automation documents. Check it out, pretty cool.
The other way you can do it is with a Lambda function. You can use a rule; when it triggers, it is detected by EventBridge, which launches a Lambda function, and then that can do the automation itself. You can insert either Lambda, as you can see there, or Systems Manager.
So to recap, a little flywheel here. These are the five main things you need to be concerned with for end-to-end compliance: determine, author, deploy, detect and remediate.
Remember those questions that we presented at the beginning? Well, here are the key points about those questions.
How do I evaluate Control Tower detective rules?
How do I ensure developers consistently deploy proactive controls?
How do I track resource changes across my organization? Control Tower, Config and Conformance Packs. And who did what and when? We have CloudTrail, Config Resource Timeline and Advanced Query.
And last, how do I consistently deploy compliance rules across my organization? Control Tower, Config and Conformance Packs. And the last one, this is the last one: what is my established process for fixing non-compliant resources? Systems Manager Automation or remediation.
Here are the key takeaways for our presentation today.
Consider using Control Tower to get started and establish detective and proactive controls. Align control objectives to a security framework. Use policy as code and enforce peer review. Use custom Config rules where no Control Tower managed control is available. That's very important, because you're always gonna have to extend that to your specific needs.
Use Conformance Packs, use CloudFormation Guard policies for easier management, use preventive controls, use proactive controls. Those are all important.
What do we do next? Here are some QR codes you can scan, take a picture of, for things you can do to continue learning about end-to-end compliance. Please visit us at the kiosk in the AWS village. I have 10 seconds left and I want to use them to thank you all for being here today. Thanks Jens from BMW for sharing their story. We really appreciate it. Hopefully you learned something. Please complete the survey. Thank you very much.
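The remediation path Andres outlines above (Config marks a resource non-compliant, EventBridge forwards the compliance change to a Lambda function, and the Lambda fixes it through Systems Manager Automation), as an added example that is not code from the session. It also makes the 80/20 split concrete: rules with a safe runbook are remediated automatically, everything else is routed to a person. The `plan_remediation` function, the rule-to-runbook table and the IAM role ARN are the author's constructions; the EventBridge event field names for "Config Rules Compliance Change" and the parameter names of the AWS-owned runbook AWS-EnableS3BucketEncryption are assumed from the published schemas and should be checked against your account before use.

```python
"""Remediation dispatch for Config compliance-change events.

Added example for this page, not code from the session. Assumed (author's
understanding of the published schemas, not stated in the talk):
  - EventBridge event: source "aws.config", detail-type
    "Config Rules Compliance Change", with detail.configRuleName,
    detail.resourceType, detail.resourceId and
    detail.newEvaluationResult.complianceType;
  - the AWS-owned runbook AWS-EnableS3BucketEncryption takes BucketName,
    SSEAlgorithm and AutomationAssumeRole.
The role ARN below is a placeholder.
"""

AUTOMATION_ROLE_ARN = "arn:aws:iam::111122223333:role/ConfigRemediationRole"  # placeholder


def s3_encryption_request(detail: dict) -> dict:
    """Arguments for ssm.start_automation_execution() that turn on default
    encryption for the bucket named in the event."""
    return {
        "DocumentName": "AWS-EnableS3BucketEncryption",
        "Parameters": {
            "BucketName": [detail["resourceId"]],
            "SSEAlgorithm": ["AES256"],
            "AutomationAssumeRole": [AUTOMATION_ROLE_ARN],
        },
    }


# The auto-fixable share: managed rule name -> builder of the runbook request.
# Only fixes that cannot break a workload belong here.
AUTO_REMEDIATE = {
    "s3-bucket-server-side-encryption-enabled": s3_encryption_request,
}

# The share that needs judgment: rule name -> hint for the reviewer.
NEEDS_REVIEW = {
    "sqs-queue-uses-customer-managed-key": "choose the CMK together with the data owner",
    "ec2-instance-low-utilization": "confirm with the team before downsizing",
}


def plan_remediation(event: dict) -> dict:
    """Decide what to do with one EventBridge event.

    Returns a plan dictionary instead of calling AWS directly, so the decision
    logic can be unit-tested with constructed events."""
    if event.get("source") != "aws.config" or \
            event.get("detail-type") != "Config Rules Compliance Change":
        return {"action": "ignore", "reason": "not a Config compliance-change event"}
    detail = event["detail"]
    if detail["newEvaluationResult"]["complianceType"] != "NON_COMPLIANT":
        return {"action": "ignore", "reason": "resource is not NON_COMPLIANT"}
    rule = detail["configRuleName"]
    if rule in AUTO_REMEDIATE:
        return {"action": "automate", "rule": rule, "resource": detail["resourceId"],
                "request": AUTO_REMEDIATE[rule](detail)}
    return {"action": "review", "rule": rule, "resource": detail["resourceId"],
            "note": NEEDS_REVIEW.get(rule, "no runbook mapped for this rule")}


def lambda_handler(event, context):
    """Lambda entry point. The AWS calls are left as comments so this runs offline."""
    plan = plan_remediation(event)
    # if plan["action"] == "automate":
    #     boto3.client("ssm").start_automation_execution(**plan["request"])
    # elif plan["action"] == "review":
    #     hand the finding to the owning team (ticket, Security Hub custom action, ...)
    return plan


def make_event(rule: str, resource_type: str, resource_id: str, compliance: str) -> dict:
    """Build a constructed compliance-change event for local tests."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "configRuleName": rule,
            "resourceType": resource_type,
            "resourceId": resource_id,
            "awsRegion": "eu-central-1",
            "awsAccountId": "111122223333",
            "messageType": "ComplianceChangeNotification",
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


if __name__ == "__main__":
    ev = make_event("s3-bucket-server-side-encryption-enabled", "AWS::S3::Bucket",
                    "example-raw-data", "NON_COMPLIANT")
    print(lambda_handler(ev, None))
```

Keeping the decision in a pure function is what makes the 80% safe: the mapping from rule to runbook is reviewed like any other code, and the event for a compliant resource or for an unmapped rule never reaches an AWS API call.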