
Turbot Guardrails AWS demo

A demo of Turbot Guardrails console and AWS governance controls

Turbot Team
5 min. read - Mar 31, 2020

Disclaimer: Automated Transcript

[00:00:01] Turbot's primary focus is around cloud governance and automating compliance, security, operations and cost controls within your public cloud environment. Turbot's main value prop is providing what we call guardrails: controls that will prevent your users from taking unwarranted action. It also can detect issues and automatically repair them in real-time. And so this is helping your application teams have more self-service within Amazon, Azure, Google and third-party SaaS tools, where they have the access they need to deploy, make changes and updates while Turbot is detecting all of the configuration drift and all the changes that are occurring in the background. And as those changes are occurring, Turbot will either have prevented a misconfiguration - if a developer tried to provision an Amazon S3 bucket that was publicly exposed, Turbot can expressly prevent that from happening. Or, on provisioning a certain image or an AMI or a certain instance type size, Turbot can block something that is not approved by the organization.

[00:01:21] On the other hand, we can also detect issues and not only just alarm when they do not meet policy for the company, but also if they are not adhering to industry best practices or security benchmarks like CIS (Center for Internet Security). But the power behind Turbot is not just to detect when something is wrong and report it. It's actually to correct it in real-time. And so our corrective controls or remediation controls would automatically fix the misconfiguration. And so an example would be if an application team maybe creates that S3 bucket and it's allowed, it's in the right region, it's privately exposed only to the resources in that account, so everything is good from the onset. However, it might be misconfigured, like the wrong encryption configuration, or it doesn't have versioning on the objects, doesn't have access logging applied or encryption in transit. So there might be other configurations that do not meet company policy, and Turbot can automate the fixes. And so we can automatically apply the encryption standard, versioning, the bucket policies, et cetera. So all that's happening behind the scenes. So Turbot is not an inline product; it actually works off events. So as application team members are making changes, we're capturing the Amazon CloudWatch Events, the Azure Monitor activity log, Google Stackdriver. Those events are feeding into your Turbot master that you host and manage, and then Turbot takes programmatic action to correct anything it sees. For preventative controls, we're managing IAM roles and user policies to explicitly deny or block API registration or provider registration, depending on the cloud environment. All of this is helping you elevate as a cloud team to focus on being more supportive to the application teams, while application teams have self-service and agility to provision and make changes for their own virtual infrastructure, but they're being managed within boundary conditions or guardrails in the environment.

[00:03:33] Turbot works with large enterprises as well as across different industries, different regions, all with very similar use cases, whether it's across health care or life sciences, aerospace and defense, federal government agencies to telecom, to media, etc. All of them hit similar requirements to either accelerate their cloud strategy as they're just starting to get into the public cloud at scale. They're looking for an enterprise-wide best-in-class strategy to deploy any type of workloads in the cloud. They bring in Turbot to lay a foundation in place that's going to provide any type of controls across compliance, security, operations and costs, that's going to prevent, detect and correct. And so they can feel more confident putting any type of workload in the cloud, from dev-test to highly critical production workloads. And so that helps them move faster safely by migrating workloads. Turbot can help with the operations of those migrations. So as they land into the cloud, we can methodically isolate those workloads into safe landing zones, fit-for-use environments for each of those applications in their own cloud accounts, isolated with their own networking constructs as well as their own identity structures. And with that, we can automate best practices around Well-Architected Frameworks as an outcome of all of our remediation guardrails. We can always ensure that you're adhering to your internal controls framework or external security best practices or compliance regulatory frameworks. And as an outcome of our policy and identity management, Turbot can also assist with the aggregation of identity management across multiple directories. We can manage time-based and role-based access controls, and that allows for some interesting collaboration patterns or joint venture patterns to manage third parties in your environment with time-based access.
So what we do is we are a huge governance platform, so thousands of policies that wrap across compliance, security, operations, and cost controls, and at the core of our platform is a full-stack CMDB. It's a real-time cloud configuration management database. It has real-time resource discovery. So as you add or associate an Amazon, Azure or Google project to Turbot, we automatically discover all the resources in the region immediately. We then start layering in policies and controls to start giving you context and awareness of how things are hitting against your policies, how well it is adhering to CIS benchmarks, and that happens immediately as you associate accounts: real-time discovery of everything that's out there across your regions, across your services. But as your users make changes in real-time, Turbot detects those issues, those changes or that configuration drift and reports that back to the CMDB for real-time updates. That CMDB provides context to what those policies and controls are, what those user configurations and the audit trail are. It's fully searchable across our GraphQL back end, so that you can search any of that metadata in real-time consistently across all your clouds.

[00:06:54] Now that CMDB is the feeder of information and context for the identity and the policy engine. And so from an identity and access management standpoint, we provide centralized identity and access management and directory management so that you can manage multiple directories against Turbot.

[00:07:12] We can aggregate your users and profiles in groups, associate them to different layers of your IT stack, whether it's your operating system layer or your cloud accounts like Amazon, Azure, Google. We can be the RBAC controls as well as the time-based access controls for time-based elevation and time-based explicit grants of permissions to your users and your groups, all against the whole hierarchy, so that you can set users with permissions globally with inheritance down. You can do time-based exceptions to those permissions and those grants. We also have a whole policy engine. So there are thousands of pre-canned policies that you can select with a point and click that will give policy enforcement, whether it's a recommendation policy that will just set a default and then you can delegate authority down to your application teams to toggle those decisions. You can also set required policies in place where you can only make exceptions to the rule. So there's inheritance, there are exceptions, there's time-based policies, time-based exceptions. And all those policies and controls are reported back in Turbot for how well you're adhering to those policies against your resources, fully searchable real-time dashboards that you can slice and dice the information in, all updated in real-time with the CMDB. Now, that's the core of our CMDB, an identity and a policy engine.

[00:08:40] And we've taken those engines and then built on top of that across Amazon and Azure and Google. So pre-canned policies and controls that are set for those cloud environments as well as third-party SaaS tools that we integrate with. So we're supporting hundreds of cloud services, thousands of identity actions, all to assist with managing this at scale in a multi-account model with self-service and automated governance. And so beyond the cloud layer of managing your cloud services with prevention and correction controls, you also have all the networking automation. So all of your cloud networking components, from your virtual private clouds or virtual networks to your NACLs or security groups or network security groups, your gateway associations, your ExpressRoutes, all of your boundary conditions, configurations and routing, could be managed in the concept of guardrails. You can explicitly enforce it centrally and lock down people managing your networking.

[00:09:38] You can also delegate authority to your application teams to manage their own networking components, but under boundary conditions. So you might enforce very specific security group rules, but it may allow certain teams or certain groups of team members to manage security groups within certain boundary conditions. So maybe they're allowed to open up security groups, but only to specific ports or to sources or destinations within your network. So Turbot can manage centralized enforcement to a delegated authority with automated governance wrapped around them. And that rings true also on the operating system layer. So Turbot can programmatically harden your Windows and Linux machines based on your security policies and guardrails that you have in place.

[00:10:27] And that might be all the way from the image layer, or even on the cloud service tier, like an EC2 instance or a virtual machine in Azure, where you're allowing or denying certain types of instances for their sizing or the images that are allowed to be used for provisioning, all the way through the actual operating system layer itself. So automatically configuring environment variables, syncing in users and groups, marrying up UID and GID when it's in Linux, syncing SSH keys, managing the expiration of those keys, to automatically ensuring patching across the environment as well. And so there's a whole slew of features that we can support for Windows and Linux, and all of that's in real-time. So all the configuration drift that we explained earlier in Amazon, Azure and Google is also true on Windows and Linux. So all the changes that are happening feed back into Turbot, into the CMDB, and then you can take programmatic action through the policies that are stated in Turbot.

[00:11:28] Now, all these layers in context could be operational or cost focused. So, for example, from an operational standpoint, guardrails could be more focused around always ensuring that you have the right appropriate tags set. So the right key-value pairs across your Amazon, Azure or Google resources, or down to your containers, and making sure that they're tagged correctly. Turbot can be used then to search across all that, because all that tagging is now in the CMDB, and you can search across those tags consistently across your clouds, across your hosts. Those types of tagging scenarios and contexts can then feed into the policies to take nuanced actions, or conditional logic can then be brought in to why a policy might be set, depending on the context of the tag or the context of the resource.

[00:12:21] From a cost standpoint, you might then use Turbot to prevent costly actions or to clean up waste in your environment. So Turbot has a concept of active controls that can clean up anything that's aged, so time-lived, last modified or last used. And so there are more practical cost controls in our product to eliminate waste in your environment. From a security and compliance angle, that might be more around enforcing encryption standards on your resources, whether it's in transit or at rest, or helping more from a data protection angle, like ensuring backups, but then locking them down so no one is altering those backups, and retaining them on your retention policies. From a compliance standpoint, it might be ensuring those controls because they're in adherence to a third-party or an external best-practice standard or your internal controls framework. But Turbot can not only just be used for that prevention and correction; we also do software configuration management. So all these policies we have pre-canned in the product, but you can also use Turbot to deploy your infrastructure-as-code stacks. So you can layer in your own Terraform stacks and then Turbot can continuously enforce those stacks and manage state automatically through our CMDB. We can also be a feedback loop for your developers. So if you use infrastructure as code like Terraform or CloudFormation or ARM templates etc., you can still do that outside of Turbot. You could deploy to the cloud however you see fit, with the console, SDK, CLI or infrastructure as code; Turbot will be a feedback loop for your developers to know when they're doing something wrong, whether that's feedback for helping them improve their stack so they don't hit up against guardrails, or it could be helping them simplify their stacks because Turbot is taking care of the configuration for them. They don't need to define that separately in code. All of that is completely extendable.
So whether you're using our pre-canned policies, using our calculated policies, using Terraform within our stack conditions, or you're extending our platform and writing your own guardrails, Turbot can help you at multiple different levels for software configuration management.

[00:14:46] Now, how it works. So by default, for an enterprise deployment, you can host and manage Turbot in your own Amazon account. So we are Well-Architected Framework aligned, highly available, self-healing, auto-scaling, fully residing in this one Amazon account; there are no virtual appliances elsewhere across your clouds. So it's one central command that you can host and manage. We're often set up as an intranet application, so it's internal-facing. Us as a company, Turbot as a company, would have zero rights into your environment, so there's no punch into your environment, so it could be solely contained. Turbot can work through your intranet talking to the public cloud endpoints, all through proxies or outbound internet filtering, whatever you deem fit for any other type of internet application on your network.

[00:15:40] So Turbot can be hosted and managed by you, but we could host and manage Turbot; it's just different support levels. So if you didn't want to host or manage an Amazon account or manage our software, Turbot can host that for you. There are other different distribution models we can talk to you about, but the deployment is that it would be hosted in an Amazon account. It would then have cross-account trust to any of the Amazon, Azure or Google projects that you associate to it. So in an Amazon world, that's an IAM cross-account role; in Azure, it's an application ID; and in Google, it's a client ID. It's essentially just system accounts or a system role that's being leveraged by Turbot programmatically. So you can associate that to Turbot, and we can then programmatically manage the environment with the CMDB and the policy and identity engine as discussed earlier. All of this is helping you with one central area to manage policies and identities across your clouds, across multi-account subscriptions and projects.

[00:16:44] This is helping you minimize the blast radius so that you have a model to effectively isolate your applications into their own cloud accounts, and so that you can feel more confident and comfortable managing at scale a multi-cloud and a multi-account model. And that's because we're giving you a very consistent way to manage not only the CMDB, in discovering the drift in one consistent audit trail that's searchable across, but also a policy engine that has the same definitions across Amazon, Azure, Google, Windows, Linux, Kubernetes, and third-party SaaS tools, and a hierarchy that fits all of that into one consistent model. So this gives you the ability to set policies like Amazon S3 bucket encryption to Amazon SSE across all of your Amazon S3 buckets. So you might set that at the top layer, and then that policy inherits down the hierarchy to all of your buckets. Or you might say, well, you know, SSE is enforced everywhere except this one S3 bucket in this account.

[00:17:54] You can set time-based policies, so you could say I enforce encryption everywhere for the next hour, or for the year, or forever. You can do time-based exceptions as well. So you can say, well, I enforce encryption everywhere except in us-east-1 in account A for the next six hours. So any of that type of point and click: being able to set things to enforce, you can also set things to just check, which means it just alarms, or you can completely skip it for a certain area or scope. So you might have dev environments or sandbox environments that don't enforce anything. Maybe they just alarm, or maybe they just skip that type of policy, whereas other accounts might have very explicit enforcements that are required, and the cloud team can only make exceptions to the rule. So very flexible, with thousands of pre-canned policies, consistent definitions across your third parties or your entire stack. That's true on the identity side. So it's the same type of hierarchy that you're defining, any type of folder structure with nested folders, to then define multiple parts of your organization, whether that definition is coming from Amazon Organizations or GCP organizations or an Azure tenant and your management groups, or you're defining that individually in Turbot. You can define whatever hierarchy that you set. And from there you're setting policies and also identities across that. And so in this example, you can hook up or you can integrate one or many directories. So LDAP-based directories like OpenLDAP, Active Directory. It could be and/or any SAML type of directory, whether that's Ping Identity, Azure AD, ADFS, Google authentication, you know, any of those types of directories. We fully support them; we could do a one-way or bilateral trust. When we have that trust set up, we can do syncing of users. So we can do AD lookups. We can sync users in, we can manage their profiles and their activeness.

[00:19:59] You can manage multiple directories and we can pool those directories together. We can find profiles. You can set those directories at different layers of your hierarchy. So you might have your global Active Directory up top so that your internal teams can then be granted access to anywhere in your hierarchy. You might be trusting a third-party system implementer or managed service provider and just trust their directory to one specific account. However you want to manage your directories - and Turbot can be an aggregate - you can then also use Turbot to manage role-based access controls. So you might be able to set a policy where you have Bob from Active Directory. He's an Amazon S3 read-only, he's an Azure storage power user, he's a Linux administrator across all my accounts. Or maybe Bob's just the Linux admin on this one particular virtual machine for the next two hours.

[00:21:04] So that whole engine there, of defining very consistent RBAC controls across your clouds, can then be set across anywhere within your organization, even down to a per-resource basis, like an operating system. You can activate those, so you can approve them immediately. You can then expire them, so never, or to very specific timeframes. You can pre-approve access to be then activated at a later time, so you can do time-based pre-approval, time-based elevation of an active permission. So a number of different scenarios that should satisfy any of your identity and access management needs.

If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!