aws re:invent 2017 | cloudhealth tech session

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

AWS re:INVENTLev er ag in g a C lo u d P o l i cy F r amew o r k - F r o m Ze r o t o We l l G o v e r n edV i k r a m P i l l a i , C h i e f A r c h i t e c tC l o u d H e a l t h T e c h n o l o g i e s

E N T 3 1 8


Who is CloudHeal th Technologies?• Deep Domain Expertise

• $86 Million in Venture Capital Raised

• 600+ Direct Customers

• 1,500+ Channel Customers through

• 85+ Partners

• 200+ Employees

• Headquartered in Boston, MA

• Offices located in San Francisco,

Washington DC, London,

Amsterdam, Tel Aviv, Sydney & Singapore


G lobal Customer Success


What to Expect f rom Sess ion

• Problem & Organizational Impact

• Solution: Cloud Policy Framework

• How CloudHealth implements the Cloud Policy Framework

• Governance as Code

• Examples (Security, Reliability, Cost/Performance)

• Next Steps


• AWS Cloud has enabled business transformation

• Pace of change is accelerating

Benef i t s of AWS


What i s the Problem?

• As you scale your AWS environment a thoughtful governance approach becomes more and more important

• Governance : People, criteria, processes, tools to ensure secure, effective, efficient use of IT resources

• Solved today: brute force


What i s the so lu t ion?

• Technology, not labor

• Continuous monitoring and action

• Capture Business rules

• Establish defined processes

• Automate business policies

• Adopt best practices


Journey to Governance

Governance

Management

Scaling

Adoption


Establish Strategy• Decentralized Management• Central Governance

Focused team / expertise• Cloud Steward• Center of Excellence

Definition/Adoption• Definition and management of

policies • Communication and buy-in

Tooling• Capturing and Managing policies• Data integration

Runbook• Define Response • Automation of workflow

Reporting• Executive level health• Enterprise level adoption• Operational view for management

Dr iv ing Successfu l Governance

AGILITY CONTROL


Amazon Services• AWS Config & Config Rules• AWS CloudTrail• AWS CloudWatch• AWS Lambda • ...

Open Source Tools• Cloud Custodian

Custom Applications• Large investment• Typically incomplete• Continued commitment

Commercial Tools• Domain Specific (Security)• Broader Platforms

Current Solu t ion (BYOT)


Chal lenges to BYOT• Data Integrations

• Extensibility

• Maintainability

• Capturing business priorities

• Adopting best practices

• Customizing for multiple targets


Se t Unique Pol ic ies per Environment

Production

Staging

QA

Research

BU1 : BU2 :

Set Unique Policies per Line of Business

BU3 :

$400k $150k $1M


Types of Bes t Pract ice Pol ic ies to Consider

Financial management policies

Performance Management Policies

This image cannot currently be displayed.

Security and Incident Management Policies

Operational Governance Policies


Asset & Configuration Management Policies


Cost optimization Policies


Anatomy of a Pol icy• Data being operated on

• A clearly defined condition

• Evaluation : True or False

• Actions to be taken


Po l icy Execut ion Flow





Data Streams

Trigger

Evaluation Action

Rule


Components of pol icy : Inputs / Data Sources

Cloud Assets Metrics Logs Event


Components of pol icy : Tr iggers

Schedules Event-Based State-Driven


Components of Pol icy : Rules• Upon the occurrence of a trigger, perform some logic against the input data

• Composite with many clauses • (A OR B)• ((A OR B) AND C)


Components of Pol icy A c t i o n s & R e m e d i a t i o n

Email the owner of an asset Terminate EC2 Instance


Governance as Code• Need a centralized, programmatic approach

• Capture entire policy as a self-contained, descriptive unit• Data, Trigger, Condition, Action, Targets

• Portable and Universal

• Serves as system of record


Example: Secur i ty

Recommendation

1.3 Ensure credentials unused for 90 days or greater are disabled (Scored)


Ensure Credent ia ls Unused for 90 Days or Greater are Disabled


Audi t


Remedia t ion


Example 1 : CIS Unused Credent ia ls


Po l icy Ident i ty & Source


Po l icy Documenta t ion


Po l icy Data Sources


Po l icy Tr iggers


Po l icy Condi t ion


Po l icy Act ion


Example 2 : Wel l -Archi tec ted Framework


Data Source


Tr igger


Condi t ion


Act ions


Example 3 : Custom Cost & Usage Pol icy


Bes t Pract ices for Pol icy Author ing and ManagementIterate• Start with basic elements and add/evolve

Manage like any code• Use Version control to understand history and rollback

Leverage best practices• Implemented once and kept up-to-date

Share• Build a community library• Open repository (with reviews)


Governance Repor t ing: Measur ing SuccessOperational

• Snapshot at time of violation (enough data to justify the occurrence of the event)• Kept for historical analysis

Business Unit• List of assets that are non-compliant with a given policy

• Grouped by owners

Executive/Health• BU level aggregate stats (# of assets out of compliance)


How to Get S tar ted

• Establish strategy

• Define Governance Policies

• Adopt best practices

• Automate evaluation of policies

• Systematically become more aggressive in remediation over time

• Track and trend governance metrics


VISIT US AT BOOTH #1125

Come play our trivia game for a chance to win $2,500

T H A N K Y O U !