AWS Managed Services Streamline Secure Innovation

Starting with a secure foundation

With Woven Planet’s AWS accounts all centrally managed, the two teams began the project by streamlining the management account and incorporating security best practices. Specifically, the two teams tightened security around AWS roles and IAM users. Following the principle of least privilege, the teams ensured that only necessary access and permissions to the management account were granted. As a part of the process, escalated permissions were also greatly reduced.

In addition, the teams built a highly secure CI/CD structure utilizing AWS CodePipeline to follow a woven defined threat model to counter potential in-house system compromises by ensuring resources are securely delivered into the management account.

Redefining organizational units for high security

In addition to technological approaches to security, the Woven Planet security team proposed and implemented a new organizational structure to reinforce the segregation between production, development and staging. This provided additional logical divisions in how AWS accounts are dispersed in the organization.

The teams implemented AWS service control policies (SCPs)—organization policies that help manage permissions—creating boundary level security. The new organizational structure also takes advantage of AWS Organizations features within services like AWS CloudTrail, AWS Config, AWS CloudFormation StackSets and more.

These features work as a catalyst to automate and roll out centralized controls with less development overhead as they provide a simple, secure and effective framework. This, in turn, enables the team’s engineers to plug in the various automation pipelines. For example, the team can now roll out stack sets to the entire organization or a subset of the organizational unit using AWS CloudFormation’s managed deployment model service as a part of its organization feature set.

Achieving continuous compliance

With best practices established, the next phase of the project was to define and develop secure CI/CD pipelines including:

• Management account pipeline to deploy infrastructure as a code (IaC) to the AWS management account.
• SCP pipelines to deploy AWS SCPs to the management account; the team also developed an SCP pipeline to deliver and test SCPs before they are deployed using an AWS provided simulation tool called AWS IAM Policy Simulator.
• StackSets pipelines that deploy IaC as stack sets to the management account. The team delivers secure in-house solutions as stack sets using a StackSets pipeline. StackSets is an AWS CloudFormation-based service that allows stacks to be rolled out across accounts and organizational units to selected regions in tandem. For example, the team delivered a system that ensures all the Amazon Simple Storage Service (Amazon S3) buckets within the organization are protected using the Amazon S3 Public Block Access settings. This system ensures that Amazon S3 Public Block Access settings are consistent with the organization standard which reduces the probability of an Amazon S3 bucket data security breach.

With pipelines built, the teams turned their attention to maintaining continuous security compliance with SCPs and conformance packs deployed as StackSets. (A conformance pack is a collection of AWS Config rules and remediation actions, deployable as a single entity in an account or across AWS Organizations.)

With hundreds of AWS accounts, it is important to ensure the resources deployed into AWS Organizations are secure. To do so, the teams defined security standards using AWS Config which helps Woven Planet define specific rules; based on these rules, the teams can mark resources as compliant or non-compliant. Using AWS Config conformance packs, , NTT DATA helped deploy multiple configuration rules, that must be followed for compliance, to ensure that resources deployed into accounts meet Woven Planet operational and security objectives.

To make sure Woven Planet has a framework for deploying these security compliance checks, the team created a conformance pack deployment design where configuration rules are deployed as conformance packs. The packs cover compliance for various domains including networking, encryption, identity and access, and unsafe publishing.

While it’s difficult to remediate resources manually, many of the config rules deployed using conformance packs also support auto remediation. The team wrote AWS Lambda functions to achieve auto remediation and send notifications whenever a resource is identified as being non-compliant as per the deployed config rules. The remediation feature acts as a confidence booster among the engineers as many critical non-compliance behaviors are auto remediated by the system, helping monitor and control the non-compliance rate.

Monitoring and managing compliance with AWS CloudTrail

A log of all events across all accounts in the organization is enabled in the management account which rolls out the standard AWS CloudTrail settings. This way, when a new account is created, the team does not have to enable AWS CloudTrail separately. Moreover, the team utilizes the AWS Organizations feature to make sure the organization trail is auto enabled whenever a new member account is added. This helps ensure consistency to AWS CloudTrail settings across accounts. All AWS CloudTrail logs are centrally managed in an Amazon S3 bucket in a separate audit account.

To ensure Amazon S3 public access compliance, the team rolled out a strict Amazon S3 public access lock using the AWS CloudFormation StackSet delivery framework. Now, any account added to the organization has an AWS Lambda solution deployed into it which disables Amazon S3 public access settings at the account level. This serves to disallow public access to Amazon S3 buckets, proactively addressing an area of major security concern.

Last, the teams worked together to build in a budget compliance check. The solution tracks spend across organizational units and will alert when a sandbox account crosses a certain threshold, helping Woven Planet ensure continuous compliance to budget constraints. The teams also built a notification system that sends a personalized Slack alert to account owners when a budget threshold is breached. This provides a sense of awareness and discipline while making sure innovation is not interrupted.

Benefits

Woven Planet can now securely deliver to each of its AWS accounts, knowing they are well protected and consistent with Woven Planet’s operational and security objectives. In addition, continuous compliance assists Woven Planet in ensuring standardization across AWS Organizations, giving the company central control over cloud security best practices. Woven Planet can achieve all this while empowering engineer self-service that enables them to deploy accounts as needed, enabling them to innovate at market speed.