Disclaimer: Automated Transcript

00:00

Good afternoon or morning. We're kind of

00:03

in the middle right before lunch it is

00:05

awesome to be here my name is David

00:07

Boche and I am really excited about

00:10

talking to you today about governance I

00:12

was just talking to my colleague

00:14

yesterday and mentioned that it's only

00:17

two days in the conference but I'm

00:18

feeling all this energy I've been at the

00:20

booth for the last two days talking to

00:22

custom customer z' and new customers and

00:24

it's just incredibly energizing to be

00:28

around tens of thousands of people that

00:30

love this stuff that we do so normally

00:34

in your day to day life

00:35

you can't even explain what you do to

00:37

the person that you're meeting at a

00:38

dinner party and here everyone is in the

00:40

same field the majority vast majority of

00:43

us love this and we're doing it because

00:45

we have a passion for it and so it's

00:47

it's really my pleasure to speak to you

00:50

about the topic of governance today the

00:53

the main thing that I want to get across

00:57

in this talk is the power of governance

01:00

at scale for your large enterprise

01:04

before I jump into the talk

01:06

though I'll level said a little bit I

01:08

had kind of a little bit of a governance

01:10

adventure on my way here on the flight I

01:12

was boarding the plane and as I boarded

01:14

the plane the flight attendant asked me

01:16

to see my boarding pass and I said

01:18

that's okay I know where my seat is you

01:21

know you don't need to look guys he's

01:22

like no I want to make sure that you're

01:23

on the correct flight after all the TSA

01:27

checks and the gate checks and

01:28

all that stuff we had that one final

01:29

check at the entrance of the plane so

01:32

I'm gonna do a little like gate check

01:34

right now make sure all of you are on

01:36

the correct flight we're gonna be

01:38

talking for the next hour about

01:39

governance I'm gonna explain what it is

01:42

I'm going to then talk about that in

01:44

context of large-scale public cloud

01:46

adoption and what that means for that

01:49

use case and then I'll share with you

01:51

the maturity models that I see from a

01:54

day-to-day basis I have one of the

01:56

coolest jobs in the world I get not

01:58

quite as cool as Werner's but I do get

02:00

to meet on a week-to-week basis large

02:03

enterprises large government

02:05

organizations that are highly regulated

02:08

and really fundamentally want to look at

02:11

governance automation as a

02:13

to enable their cloud strategy I talked

02:16

to them I understand their problems I

02:17

identify their pain points I help them

02:19

orchestrate solutions for that and

02:21

always in the mindset of how

02:23

can we do this through automation and

02:25

not do it through manual processes I

02:28

then get to take all that information I

02:30

learn and turn around and work with by

02:33

far the best development organization

02:35

I've ever worked with and share those

02:38

requirements with them and then they

02:40

produce some amazing software for those

02:42

companies to use so it's a very cool job

02:44

I'm gonna share with you a lot of the

02:46

maturity models that I see in

02:47

large-scale public cloud adoption as it

02:49

comes to governance and kind of where

02:51

some of the pitfalls are and then a lot

02:55

of us are here because we love cloud we

02:57

love building things in the cloud and as

02:59

governance architects you probably want

03:01

to build this stuff yourself I have

03:04

built this stuff myself before are a lot

03:06

of members on our team have done that as

03:08

well we love it, it's a lot of fun so I'm

03:10

gonna walk through a solution

03:12

architecture for how you would go-ahead

03:13

and build your own automation for large

03:16

for large-scale cloud governance and

03:19

then I'll show you a demo of the way we

03:21

approach the problem looking at our

03:23

tools so if everybody's on the right

03:25

flight we'll go ahead and get started

03:27

the first thing I like to do in

03:28

describing governance and talking about

03:30

it is really frame it in the context of

03:32

something that we're all familiar with

03:34

and we're all familiar with governments

03:36

that's where the word governance came

03:37

from came from we are all citizens of

03:40

some government and those governments do

03:42

a great or not so great job of actually

03:45

providing governance for their citizens

03:47

let's talk about what we expect from our

03:50

government right first thing we expect

03:52

from our government is policy right we

03:54

want them to set rules and laws around

03:56

how the government is operated and what

03:59

the people can and can't do they also

04:01

want them to provide oversight so we

04:03

want them to police what's going on we

04:05

also want them to have judges that can

04:08

adjudicate the gray areas in that space

04:11

and then from a management standpoint

04:13

the government they want it we give them

04:16

tax dollars and then hopefully they

04:17

build infrastructure for us roads

04:19

bridges schools we need those things in

04:22

order to operate as a society and it's

04:24

it's generally better if there

04:26

some amount of government oversight into

04:29

how those services are provided we can

04:31

argue about if it's big government or

04:32

small government but there needs to be

04:33

some finally the thing that most people

04:36

think about when they think of cloud

04:38

governance is protection and that's same

04:41

thing for governments as a citizen of a

04:43

country you want to be protected from

04:45

external threats and internal threats

04:46

you want to be protected from your

04:48

neighbor doing bad things as well as

04:49

like foreign governments doing bad

04:50

things right finally we believe

04:52

fundamentally turbot fundamentally

04:54

believes and I do as well that an

04:56

element of good governance whether it's

04:58

government or IT governance is

05:00

transparency transparency of what are

05:03

the rules how are those rules being

05:04

applied or how are the people who are

05:06

adjudicating the rules approaching that

05:08

and what's the cost of them to do that

05:11

where is our tax dollars going where is

05:13

the spend going etc right so we believe

05:16

fundamentally that that transparency is

05:17

a huge part of it and all of these

05:19

things apply the next section we're

05:21

going to talk about all these things

05:22

apply to IT governance as well

05:24

especially in the cloud space we have

05:26

frameworks and policies NIT we have

05:29

auditors that come around and make sure

05:30

that people are following them we also

05:32

create infrastructure in terms of VP C's

05:35

in terms of you know networking logging

05:37

etc we also protect ourselves from

05:40

threats from people trying to steal our

05:42

data from insiders trying to do bad

05:44

things or from insiders doing stupid

05:46

things and hopefully through that

05:49

process you create transparency as well

05:51

into what you're doing how you're doing

05:53

it and who's doing what

05:55

what is that in service to I believe in

05:58

government and there's probably some

06:01

some governments that don't agree with

06:02

this but I believe the purpose of

06:04

governments and the purpose of that

06:05

government providing governance is to

06:07

provide freedom for citizens right

06:10

so if governance is working

06:12

appropriately people who are law-abiding

06:14

have freedom and can do what they need

06:16

to do without the government getting in

06:18

their way in the same way IT governance

06:21

should be designed to provide freedom

06:23

for the people that are using your

06:25

applications and building your

06:27

applications and analyzing data within

06:29

your environment so it's a data

06:30

scientist it's an end user it's an

06:32

application development team they're the

06:34

ones they're the citizens of this

06:36

environment right they're the ones that

06:37

we're covering over and

06:39

our job as governance architects is to

06:42

build things in a way that gives them

06:44

freedom how can I give them freedom and

06:46

have them do what they need to do so

06:49

that freedom is going to be best enjoyed

06:53

if it happens quickly right if in the

06:56

government scenario if you're falsely

06:57

accused of a crime and you're in jail

07:00

for seven years waiting for waiting for

07:02

your trial and then you're acquitted at

07:04

trial that probably doesn't feel like a

07:06

governance to you right you know you you

07:08

were finally acquitted everyone said

07:09

nothing you didn't do anything bad but

07:11

you were in jail for seven years waiting

07:13

awaiting adjudication speed of

07:15

governance especially an IT is

07:17

critically important and no and that is

07:19

fundamentally one of the major shifts

07:21

when we talk about cloud so let's talk

07:26

now about that same framing but what are

07:28

the unique challenges that cloud has for

07:32

governance practices right first one is

07:35

agility your business is moving to

07:38

public cloud moving to AWS moving

07:40

applications there because they want to

07:42

achieve agility maybe they want maybe

07:43

it's also there's also cost plays there

07:45

but fundamentally every single

07:47

enterprise that I've ever spoken to

07:48

their primary reason for moving the

07:50

cloud is to gain agility when I used to

07:53

work at a fortune 50 health care

07:55

services or healthcare services company

07:58

it took six to eight weeks to have a

08:03

VM delivered to an application team

08:06

right and this is not procurement time

08:08

this is there is already Hardware sittin

08:10

in the data center and someone needs to

08:12

procure a provision of VM on top of that

08:15

hardware and then give access to an

08:18

application team member six to eight

08:19

weeks

08:20

that's incredible well the reason that

08:21

is the reason that occurred is that

08:24

there were multiple manual processes

08:26

with queue times and those tickets were

08:28

went around between the various teams

08:30

that all had to interact with each other

08:31

and do that and so you have basically

08:33

this ticketing system and a flow and all

08:35

that happens now it feels it feels

08:38

actually I was just I was just at a

08:41

customer site and we were sitting there

08:42

trying to do something we're alive and

08:44

it was like six minutes and like we were

08:45

waiting for this Windows instance to

08:47

spin up and it was like this is taking

08:49

forever

08:49

right and it's like now like six to

08:51

eight minutes you have

08:53

to incense less time than that you know

08:55

like and then when you start talking

08:57

server list it's like instantaneous

08:58

right it's you're starting to measure

09:00

that in milliseconds when you do that

09:02

that agility equation do not forget that

09:04

the second one is expectations so as

09:06

governance professionals as security

09:08

professionals sitting in this

09:10

environment you have a huge amount of

09:12

expectations on you Amazon is publishing

09:14

best practices they release brand new

09:16

features this week that are brown

09:18

groundbreaking around security policy

09:22

that can be measured logically right and

09:26

and then you've got CAS publishing

09:29

standards you've got NIST you've got hip

09:31

you've got all these different

09:32

organizations that are essentially

09:33

saying here are the best practices for

09:35

doing these things and when you don't

09:36

follow them when you don't have them in

09:38

place when you do have an issue then

09:40

it's your problem it's not that

09:42

application team right it's it's gonna

09:44

come back to the governance professional

09:45

and say you could have known about this

09:47

you were at reinvent in 2019 you heard

09:49

all these things why didn't you

09:50

implement them right so the expectations

09:53

become your requirements those best

09:54

practices that are published because

09:56

they're known in the world are become

09:58

your requirements for your organization

09:59

and then the last piece is control

10:01

central IT has lost control of the

10:04

infrastructure right we no longer deploy

10:06

have those long lead times to deploy

10:08

things and it can't queue through the

10:09

environment so applications the the

10:12

application code itself can actually

10:15

spin up the infrastructure and in that

10:17

model the control is now on the

10:19

application team how they design their

10:21

application to scale within the cloud is

10:23

going to control what infrastructure is

10:25

deployed so all three of those things

10:26

are tightly coupled and and in some ways

10:30

we feel like they're kind of fighting

10:32

against each other but they're not

10:34

really and hopefully I can I can show

10:36

you that so let's talk for just a minute

10:39

and I'm gonna compare what we used to do

10:41

in IT governance to compare to what we

10:44

can do today so first thing is on the

10:46

rules right so we talked about rules we

10:48

used to have you know control frameworks

10:50

big documents of PDFs stored in a

10:53

document management system we trained

10:55

everybody we put it on there Geno's for

10:57

the year that they had to be trained

10:58

three times a year on our frameworks

10:59

they open up the document they look at

11:02

it the first page they closed it and

11:04

they check the box that they did the

11:05

training right

11:07

and then we give him some checklists

11:08

like we if you're more advanced maybe

11:09

you gave checklists and so now they have

11:11

checklist they can follow and make sure

11:12

that they're following those things

11:13

that's not possible in the cloud when

11:15

you move to public cloud in order to

11:18

automate the infrastructure of that you

11:20

need thousands of policies not just

11:22

policies like don't do bad things like

11:25

don't open up public buckets you need

11:27

policies like what's your subnet naming

11:29

scheme what is the host net name a

11:31

scheme for a new ec2 instance that spins

11:32

up what are your acceptable cider ranges

11:35

how do we prevent those cider ranges

11:36

from overlapping you need a policy

11:39

engine and you need policy code that can

11:41

look at all those things and

11:42

fundamentally make decisions about how

11:45

to automate right without and without

11:47

all those rules decided on you will

11:49

never be able to automate your

11:50

infrastructure you need to decide on

11:52

those rules upfront and you need to

11:53

capture them from an oversight

11:55

standpoint we talked about earlier if

11:57

you're in a you know normally what I've

12:00

seen in in large enterprise is that

12:01

people do an architecture review

12:03

generally a day before they have to

12:05

deploy to production and then and then

12:08

they kind of use that as a mechanism to

12:10

kind of get the security teams to give

12:11

them exceptions and then if you're lucky

12:14

if you're a high value ad application

12:16

you'll have an internal auditor come in

12:18

maybe once a year or once every other

12:19

year look at your application and see if

12:21

things are done as they were written

12:23

right that's not what you need to do in

12:26

cloud we need real-time event

12:28

correlation we need to be able to

12:31

respond to that creation of the

12:33

infrastructure that's happening in real

12:34

time that the application is controlling

12:35

and respond to that from a management

12:37

standpoint we have those Central

12:39

Services and IT operations that we could

12:41

queue through now we've got you know

12:43

automation around those platform

12:45

services in the infrastructure services

12:46

and protection is interesting as well

12:48

used to be we thought about protection

12:50

in terms of barriers right let's do the

12:52

physical security around our data center

12:54

let's do the perimeter security around

12:56

our network and we're in this like nice

12:58

bastion and and no one can no one can

13:03

get by our moat right and in the world

13:05

of cloud we're going to talk about this

13:07

a little bit more detail but you need

13:09

preventive and corrective controls that

13:10

are running in real time and looking at

13:13

your systems and deciding that you can't

13:15

protect the perimeter your perimeter is

13:16

now the entire internet what you have to

13:19

do is protect

13:20

to the individual assets that are

13:22

running within your environment and then

13:24

finally transparency my favorite a

13:26

favorite topic if you guys haven't

13:28

figured that out we used to update the

13:30

CMDB once if you're lucky when that

13:34

application deployed or was updated

13:35

right if you had a good architect he

13:38

checked to make sure that everyone

13:39

checked their information there their

13:41

architecture diagrams into service now

13:43

hopefully someone capture all the host

13:46

names of the servers that were launched

13:48

maybe someone updated the list of

13:50

software that was installed on those

13:51

servers if you were lucky right if you

13:53

were good

13:53

now you can programmatically you can

13:56

query api's and find out what's in your

13:58

environment that idea of having a static

14:01

CMDB that's updated upon change of your

14:03

application is completely out the window

14:06

you need a real-time cloud scale CMDB

14:08

you need to know every configuration

14:10

change that's happening whether it's

14:11

program happened programmatically or

14:13

happening via people that are taking

14:16

actions within your environment so I

14:21

really love this I really love this

14:23

quote but in order to one of the major

14:28

things that you're gonna have to decide

14:29

early on in your governance process this

14:31

is the major pillar that is going to

14:33

decide whether you accelerate quickly to

14:35

the cloud we took we had a speaker here

14:39

last year from a biopharma company they

14:42

went from $0 spend on AWS they wanted to

14:45

they made a decision to do a full

14:46

datacenter migration went from $0 need

14:48

to spend to $500,000 in aw I spend in

14:51

less than six months right and

14:53

fundamentally this next decision that

14:55

you make around this is going to decide

14:57

whether you are a fast adopter and and

14:59

quick adopter of the cloud or whether

15:01

you take a really long time in US and a

15:02

slow ramp-up to that everyone's gonna

15:04

get there it's just it's just how fast

15:05

you go and what I'm talking about is

15:07

multi account isolation a single most

15:10

important decision that you're gonna

15:11

make as part of your governance strategy

15:12

is do you do multi count isolation or

15:15

not and this is what I typically see

15:17

which is that early on and cloud

15:19

adoption you've got a cowboy someone on

15:22

your on your Rd team that goes and

15:24

swipes a credit card they build an

15:26

account they build an application that

15:28

gets a lot of buzz a lot of interest

15:30

from you know from the business and they

15:33

become a hero

15:34

and they've got their they've got their

15:36

AWS account out there and it's a soul

15:38

thing now they've created a lot of

15:40

interest in it

15:40

they've interested some other

15:42

application teams and doing that and

15:43

then they say hey come come work you can

15:45

you can have some space in my account

15:47

I've got I'll create you a new V PC or

15:49

you can come in my V PC right we can all

15:51

we can all share this together we'll be

15:52

happy roommates and we'll make that work

15:54

and then that starts to get old you

15:57

start to get two or three people into

15:58

that account they start to do lambdas

16:01

and they start to cross over or someone

16:03

is trying to fix their application and

16:04

they change the security group and then

16:06

they break they break someone else's

16:08

application and and what happens what

16:10

happens when they break someone else's

16:12

application if anyway I'm sure I heard a

16:15

lot of laughter in the audience as soon

16:16

as they break someone's application IT

16:19

comes in and says please stop you guys

16:21

are doing this all wrong we know exactly

16:23

how to do this we have a play book it's

16:25

called ITIL and now we're gonna roll it

16:27

out and we're gonna have services and

16:29

you guys are gonna basically say this is

16:31

what I need and you're gonna ask the

16:32

service team to deploy it and that

16:33

service team is gonna go deploy it for

16:35

you everyone's gonna be nice and neat

16:37

and clean our centralized teams are

16:39

gonna keep everybody from stepping on

16:40

each other's toes and this is as a

16:42

governance architect as a security

16:44

professional as a CTO this is the

16:47

primary point of decision-making that's

16:49

going to decide whether or not your

16:50

cloud accelerates or not because if you

16:51

do that model you will not be in a good

16:54

place you will be here in three years

16:56

only having moved a few workloads and

16:58

and not have the cloud adoption that not

17:02

have the benefit of the strategy that

17:04

you put in place we feel the right model

17:06

is to lean into multi account isolation

17:09

to gain a whole suite of benefits in

17:11

that process what multi account

17:13

isolation is is you isolate workloads

17:15

into different AWS accounts that's right

17:18

so every ADA booths account the same

17:21

account structure that separates

17:23

corporation a from corporation B now

17:25

separates application A from application

17:27

B even to the point of separating

17:29

application a test environment from

17:31

their production environment right even

17:33

to the point of separating application

17:35

a's micro-service one and microservice

17:37

two and microservice three into separate

17:39

accounts if you really want to get crazy

17:40

I think a device has some customers out

17:42

there that we've talked to that have

17:44

like 20,000 AWS accounts now

17:48

that's super scale in this model but

17:51

more accounts is better than no accounts

17:54

and the reasons of that right there's a

17:56

there's a bunch of reason so the first

17:57

one is that you can group resources

17:58

together grouping resources together

18:00

into accounts are a great way to manage

18:02

cost I can have all of my application

18:05

teams have separate accounts I can they

18:07

can have the costs of those accounts

18:09

charged back to them directly

18:10

you also limit the blast radius so if

18:13

something bad happens if you have a bad

18:15

actor come into the environment if

18:17

someone makes a change that cascades

18:19

then that blast radius is is limited how

18:23

many enemy seeds are see a show of hands

18:25

how many people today are currently

18:27

under change freeze year-end change

18:29

freeze in their on-premise environments

18:33

yeah about half for the people on the

18:37

video and and the rest of you will

18:40

probably be in your n change freeze in a

18:41

couple weeks so the reason that we have

18:44

year-end change freeze is because

18:46

businesses close their books public

18:49

companies need to provide financials to

18:51

the street at the end of the year and

18:53

they need to close their books quickly

18:54

and it's Christmas time and it's New

18:56

Year's and no one wants to be an IT and

18:59

be working and trying to get an ERP

19:01

system or another system up and running

19:03

at that time of the year right so we

19:05

implement these change freezes to

19:07

prevent cascading changes in the

19:09

environment now you have a developer

19:11

working on a new application that's

19:12

gonna drive new business basically told

19:15

that they can't deploy anything new to

19:17

their environment until January 5th or

19:19

January 15th right this is fundamentally

19:22

what we don't want to replicate in the

19:24

cloud if you put things together if

19:26

they're in the same environment you are

19:29

gonna run into that exact same change

19:30

problem and you're gonna be that you're

19:32

gonna have the same you're gonna have

19:34

the same lack of agility in the cloud

19:36

that you do on-premise and this also a

19:39

surprising thing people don't think

19:41

about this is account limits so AWS has

19:43

pretty sane account limits for new

19:45

accounts so if you're building an

19:47

application you can spin that up if

19:49

you're putting you know if you're

19:51

putting a 500 accounts there are 500

19:54

applications into a single account

19:55

you're going to hit every single AWS

19:58

account limit that exists now a lot of

20:00

those can be UPS you can call

20:02

port you can get an account limit raised

20:03

and get your API limits raised etc but

20:06

those there are some things that are

20:08

hard limits that you can't have raised

20:09

as well and then you have to work around

20:11

right so so by separating applications

20:14

into separate accounts you reduce that

20:16

noise by 95% you'll still have some big

20:20

applications that like bump into those

20:21

things and they can they can manage that

20:23

themselves but by and large all of your

20:25

dev accounts and most of your production

20:26

accounts will never need to ask for

20:28

account limits raises anymore then user

20:31

access accounts are great ways to

20:33

segregate user access in your

20:35

environment right so we had at how many

20:38

people were at reinforce last year okay

20:42

that's a pretty good number of people if

20:43

you were a reinforce we have a speaker

20:45

there one of our customers mcgraw-hill

20:47

education they have like 80

20:49

they have like 80 different to pizza

20:52

teams right they have those two pizza

20:54

dev teams they have 80 different of you

20:56

know 80 of them and they're all working

20:57

on different applications and different

20:58

stages of lifecycle development right

21:00

accounts are great ways to separate and

21:03

provide user access only to the

21:05

resources that those teams are working

21:06

on they can't see logs from other

21:08

applications they can't steal code from

21:09

our applications they can't break other

21:11

applications it's a great way to do user

21:13

access and then primarily though when

21:16

you think about this it is fundamentally

21:18

possible if you're just lifting shifting

21:20

from on-premise and bring a bunch of ec2

21:23

instances in to manage this through

21:24

tagging and other things but as soon as

21:26

your team's start to build cloud native

21:27

applications try and get four or five

21:30

development teams working on a lambda

21:32

based application all working in the

21:33

same account and then come talk to me

21:35

it's it's not it's possible but it's

21:37

it's a lot of overhead to manage it

21:39

the last point I'll do on multi account

21:42

isolation for all you regulated

21:44

companies is audibility right if you

21:46

have multiple applications running in

21:47

the same account and an auditor comes in

21:49

and they start looking at that

21:51

application and that application shares

21:53

logs or shares data or shares change

21:56

with other applications they immediately

21:58

can expand their their audit scope to

22:01

those other applications right so they

22:03

find a change that occurred within the

22:04

account and then they start tracing that

22:07

back and they find that's application B

22:09

application B now came in scope of that

22:11

audit right so you just increase your

22:13

audit risk by a factor of X depending on

22:16

how many applications you have in that

22:17

environment those are all great things I

22:21

fundamentally believe this is that

22:23

that's the that's the key to that's the

22:25

one key decision we're gonna talk about

22:27

another one here which is the maturity

22:29

model and which way we go so I see three

22:33

basic models for companies that are

22:35

adopting cloud they generally look at

22:37

control and agility as opposite ends of

22:39

the spectrum we either gonna have

22:41

control or we're going to provide

22:42

agility right a lot of companies are

22:45

stuck in this stuck in viability so you

22:47

just spend weeks or months or years

22:49

actually trying to figure out how to do

22:51

this stuff they come to reinvent they

22:53

get information they go back they put

22:55

together PowerPoint decks they share

22:56

them with each other they talk about

22:57

what they're gonna do they talk about

22:58

what they're gonna do more they talk

22:59

about what they're gonna do more they

23:00

never launch a single server they never

23:02

create a single account or maybe they

23:03

create a dev account and they play

23:04

around with it a bit but they don't

23:05

really do a lot right and then you have

23:07

other organizations that actually go yep

23:09

no we're gonna do this we're gonna roll

23:10

out ITIL and we're just going to move

23:12

all of our existing on-premise processes

23:14

out to the cloud because we know that

23:16

safe and secure and if we do that

23:18

there's not gonna be any questions we

23:19

don't have to change anything we just

23:21

roll all that out and so what you end up

23:22

with is an environment that's fairly

23:24

stagnant it's saying it's similar to

23:26

on-premise same processes etc you don't

23:29

have a lot of agility in that

23:30

environment and your business partners

23:32

start to get antsy when those business

23:34

partners start to get antsy you start to

23:35

see those rogue actors come out they

23:37

start building things swiping their

23:38

credit card doing stuff on the side

23:39

eventually one of them will do something

23:41

stupid and get in trouble and then IT

23:44

will come back in and they'll start

23:46

bringing those things in they'll they'll

23:47

they'll pull them out of there and then

23:49

they'll even go farther into the control

23:50

frame and you'll have even less agility

23:52

right the other model isn't really good

23:54

either right you have you end up having

23:55

you know IT basically just publishing

23:58

some best practices and then letting the

24:00

cloud teams go and do whatever they want

24:01

I have a large multinational company

24:03

that we work with that did this for five

24:05

years they ended up with 400 AWS

24:07

accounts all different teams no control

24:10

everybody using the same cider address

24:12

ranges using default be pcs you had some

24:15

teams that were super due diligent and

24:17

came and did all the research and did

24:18

everything right and you had other teams

24:19

that basically just started spinning

24:21

stuff up and not giving one care in the

24:23

world in terms of what they were doing

24:24

right and now they're trying to bring

24:26

all that back and as soon as you start

24:28

bringing that back

24:29

it doesn't feel good right it never

24:31

feels good there's something about the

24:33

human condition we hate having things

24:34

taken away from us and so no matter what

24:37

the benefit side of that is right you as

24:39

a governance team if you're doing this

24:40

late stage you're gonna you're gonna be

24:42

the guys that are saying no stop doing

24:44

what you're doing etc right so what's so

24:46

if those aren't the right ways what's

24:48

the right way well fundamentally

24:50

I think this is the magic trick that

24:53

nobody knows about or no one really

24:56

thinks about which is that we always

24:58

think of governance and we think of this

24:59

control and agility as being opposite

25:01

ends of the spectrum but the reality is

25:03

when done right when done through

25:05

automation the control aspects the

25:08

governance aspects are the actual thing

25:10

that sets your cloud free and

25:11

accelerates it to what it's doing right

25:13

because think about it if you do

25:15

governance right if you provide all

25:17

those five services through your

25:18

governance platform and you'll automate

25:20

it those developers can immediately

25:22

they're not worried about like the

25:23

five-minute server anymore they're

25:25

worried about the 5 minute account

25:26

everything is set up for them their VP C

25:29

is set up their logging is set up the

25:31

you know guard duty is set up cloud

25:32

trails are set up we're gonna talk about

25:33

some of the architecture of that

25:34

everything is in place and ready for

25:37

them to start building their application

25:38

you've just accelerated their project

25:40

timeline by an order of magnitude they

25:43

can they can go try something they can

25:44

fail quickly they can turn it all off if

25:46

it's done the magic trick here is that

25:48

the governance that we've been afraid to

25:51

put in place is actually the thing that

25:52

sets you free and allows you to

25:54

accelerate and execute your business

25:56

strategy so what is what it what are the

25:58

what are the capabilities of that right

25:59

so you need to have central logging

26:01

setup you need to have identity

26:03

Federation setup you need to start

26:06

writing some scripts you need to be

26:07

tagging resources you need to be you

26:09

know looking at the you know at the

26:12

environment how do I say you know how do

26:13

I set up guard duty how do I do that

26:14

consistently how do I you know how do I

26:16

make sure that cloud trails sending to a

26:18

central bucket etc etc you need to

26:21

create some boundary limits what can

26:22

people do and can't people do are they

26:24

allowed to use any region are they

26:25

allowed to use subsets of regions right

26:27

you got it you got to think about that

26:28

and then you want to start building some

26:29

checking scripts let me check what

26:31

they're doing let me see what they're

26:32

spinning up and make sure that they've

26:33

got encryption on then we make sure that

26:34

they've got data protection set and

26:36

they're backing up data also let's

26:40

record change right we talked about that

26:42

cloud scale CMDB

26:43

everything that's changing within

26:44

environment if we're checking it then we

26:46

can record that and we can see what's

26:47

happening and now we can start looking

26:50

at those events and triggering off of

26:52

them so now when someone spins up an ec2

26:53

instance we can kick off our lambda we

26:55

can see what's going on and and drive

26:57

that and then we can start notifying

26:59

people hey I saw that you created this

27:01

security group and you opened up SSH to

27:03

the default route that's not our policy

27:05

the automation put it back

27:07

hopefully that's an automated message

27:09

that they get exception management is

27:11

really interesting because an exception

27:13

management is the thing that most people

27:15

don't think about when they're doing

27:16

this I talked about having thousands of

27:19

policies for every policy that you write

27:21

you're gonna have multiple exceptions

27:23

for right so every policy will have an

27:26

exception there will be approved

27:27

exceptions in your environment

27:28

the most common overall overarching

27:31

policy for everybody in this room is

27:33

probably no public access to s3 right

27:35

but we probably all have website

27:37

accounts and they have public s3 buckets

27:40

to serve to you know to serve binary

27:42

objects it's a perfectly valid use case

27:44

that's a great use of the tool that is

27:46

an exception that needs to exist in your

27:48

environment and you will have thousands

27:49

of those exceptions and then you have to

27:51

have a way to manage them you have to

27:53

know who created the exception who

27:55

approved the exception when was it

27:56

created what are the what are the what's

28:01

the approval time frame for that right

28:03

is that exception go away after 90 days

28:05

was that a POC that we allowed somebody

28:07

to try out something and then we pull it

28:08

back those are things that you have to

28:10

manage and then finally the transparency

28:12

equation we need a dashboard we need a

28:14

way to share this information with our

28:16

stakeholders who are who are basically

28:17

funding this effort and be able to show

28:19

them what we're doing and we also need a

28:21

dashboard to our citizens right to our

28:23

application teams to our data scientists

28:25

so that they know what's going on as

28:26

well so at this point in time I think

28:32

the second major thing that you have to

28:33

think about a lot of pushback I get so I

28:35

was talked to 300 people in the last two

28:37

days at the booth and the major pushback

28:39

that I get is we don't need that because

28:41

we do everything through configuration

28:43

right so all of our architectures are

28:46

designs they're built into cloud

28:48

formation templates or terraform

28:50

templates they're checked into version

28:51

control we have architects looking at

28:52

them and building them and so we don't

28:54

really need to check all this stuff

28:55

behind the scenes because

28:56

no one can ever do anything in our

28:58

accounts right the only way to do

29:00

anything in our account is to go through

29:01

this whole process and I'm don't

29:03

dissuade anyone from that that is a

29:05

great use case it's a Nirvana of

29:06

infrastructure is code that we all

29:08

should aspire to get to however it

29:11

doesn't work for everything right so you

29:14

have the default configuration of a

29:16

brand new account right a lot of that

29:18

can be built as stacks but some of it

29:20

can't you have pre-existing accounts

29:22

right so you'll have those rogue users

29:24

that already have their AWS accounts and

29:26

then you'll also have mergers and

29:28

acquisitions when you get those mas and

29:29

then you have another entire

29:31

organization that comes into your

29:32

environment and you have a time crunch

29:34

of 90 days to get the M&A; done and you

29:36

have to bring them into your governance

29:37

platform right

29:39

you also have ad hoc configuration that

29:41

happens right

29:42

someone's trying to troubleshoot a

29:43

production issue and they jump into the

29:45

console and they change something you

29:46

have to deal with that you have

29:48

infrastructure is code right I have a

29:50

company that's doing IOT they are

29:52

providing an IOT service for other

29:53

businesses so people are logging into

29:55

their application on a minute-by-minute

29:57

basis and signing up for the service and

29:59

if they sign up for the service and they

30:00

check the box that says I want my data

30:02

isolated these guys spin up separate V

30:05

pcs separate databases separate

30:06

instances right the the application

30:08

architecture is is dynamically

30:10

responding based on the usage of the

30:13

application there's no way that you can

30:15

do that through configuration there's no

30:17

way that an architect could look at the

30:19

configuration of that application at the

30:21

beginning and say yep that looks good

30:22

right you need to be looking at it at

30:24

runtime and seeing how it's behaving

30:25

with the variables that were built into

30:27

it and then finally elevated access

30:30

right

30:31

most of our financial services customers

30:33

this is their main concern which is

30:35

regardless of how much control you have

30:37

there is somebody in your organization

30:38

that has access to your AWS

30:40

organization's account that can create

30:42

exceptions to your scps that can login

30:44

to those accounts and circumvent any

30:46

control that you have in place and do

30:47

something right and you need an

30:49

auditable mechanism to be able to tell

30:51

what they did when they did it why they

30:53

did it give them that access for a

30:55

limited amount of time tie that specific

30:57

access to a specific ticket that they

30:59

were working on and if it's not tied to

31:01

a specific ticket they're working on sit

31:02

down and have a conversation and to them

31:03

as to why they were logged in a super

31:05

user during at 2 a.m. on Thursday night

31:07

right so you

31:10

compliance is required regardless of the

31:13

maturity of your CI CD pipeline in your

31:15

in your architecture you need to have

31:17

both defense in depth so now that we've

31:21

talked about the requirements of of this

31:25

architecture of this governance platform

31:26

that we're going to build now let's walk

31:28

through the fun part let's walk through

31:29

an architecture so before we start

31:31

putting a single line of code in place

31:32

I'm gonna sit down we're gonna

31:34

whiteboard out what the actual

31:36

architecture will be to to create this

31:38

application so the first thing that

31:40

we're going to need is an AWS

31:42

organization right any best organization

31:44

is the foundation of what we're building

31:46

here we're going to create an old create

31:48

an organization or create a billing

31:49

account create a central logging account

31:52

and create a networking account central

31:55

networking account for our Direct

31:56

Connect sent our VPNs create an audit

31:58

account for the auditors to come in to

31:59

where all that data goes and if we're

32:02

doing single sign-on we'll probably have

32:04

a single sign-on account there might be

32:05

some other core service accounts that

32:06

you build into this as well just kind of

32:08

depends on the architecture that you're

32:09

doing you then have to make a lot of

32:11

decisions around I am am I going to use

32:13

programmatic users am I going to use

32:16

roles am I going to use combinations of

32:18

groups and users and roles to achieve

32:20

different control objectives right the

32:22

problem with doing one of those things

32:24

is that if you if you go into roles

32:26

you're either gonna have a lot of roles

32:28

that you manage in which people don't

32:29

like to do or you're gonna have roles

32:30

that are very broad in scope right and

32:33

then you have users that have a lot more

32:34

access than they need so you really have

32:36

to fundamentally decide between

32:37

fine-grained access for an individual

32:40

person or or fine-grained access for a

32:43

role and then have a lot of roles and we

32:46

need to make sure that we're gonna

32:47

obviously we want to track everything

32:49

that we're doing cloud trail is a

32:50

preeminent service every single API call

32:53

that you do on AWS goes through cloud

32:54

trail so we need to have that as well so

32:57

now we're developers now right we're a

33:00

governance team we used to write

33:02

documents and wiping and frameworks and

33:04

now we're gonna be writing code so we

33:05

need a code development environment

33:07

let's start looking at the Amazon SDKs

33:10

pick your favorite one I like Python our

33:12

developers like the SDK and then you

33:16

need a place to store that code so code

33:18

commit is a great repo get repo for that

33:21

that's private within your environment

33:22

and then we can

33:24

orchestrating some of this stuff

33:25

together we put our code into code

33:27

commit we then create a pipeline through

33:29

code deploy and then we get some cloud

33:30

formation templates and some lambdas and

33:32

lambdas out the other end that start

33:33

building the account structure that we

33:35

do this is the table stakes of doing

33:37

this on your own and building this this

33:40

infrastructure right so what are we

33:42

going to do

33:42

Oh first thing we'll do we'll set up a

33:44

dev app where we're going to test this

33:46

automation that we're building right so

33:47

we need a canary accounts that we can

33:49

actually build and we can test our

33:51

governance automation in that space

33:53

we're gonna connect that to AWS single

33:55

sign-on or our favorite single sign-on

33:57

of choice

33:58

we need to make sure that we're tracking

34:01

that we're using kms right and you know

34:03

Warner loves to wear the encrypt

34:04

everything t-shirt encryption is one of

34:07

the easiest lowest cost things that you

34:09

can do that adds a measure of security

34:10

so you have to decide hey I'm gonna make

34:12

people use customer manage keys and if I

34:15

do do I make sure they're rotated etc so

34:17

you have to make those decisions and

34:18

then build the automation for it

34:19

am I gonna hook all my accounts up to

34:21

guard duty and monitor all the API

34:23

activity through guard duty and then

34:25

writing the automation that invites

34:26

those new satellite accounts into your

34:28

organization and then sets up the guard

34:30

duty master slave environment we might

34:33

hook all that up into security hub so we

34:35

have visibility to it we definitely need

34:37

to turn on AWS config and configure oles

34:39

and look at some of the existing rules

34:41

and probably write a lot of our own on

34:43

top of that and then we start talking

34:46

about the you know ec2 instances if

34:48

you're a large enterprise you have a lot

34:50

of on-premise stuff you want to move

34:51

over to cloud you want to make sure that

34:52

stuff is patched SSM is a great tool for

34:55

interrogating what's on your instances

34:57

and then also patching them and then you

35:00

have all the dews default be pcs that

35:01

are sitting out there so the interesting

35:02

thing about default be pcs is that what

35:06

happens is you leave those default be

35:08

pcs in place and you want to build your

35:12

environment all in US East one you set

35:14

up all your direct connects us East one

35:15

you create all that a new user comes in

35:17

they get their new account they log into

35:19

AWS for the first time and they start

35:21

building stuff and they start putting

35:23

stuff into their V PC and two weeks

35:24

later they figure out that they just

35:26

built all that in USC stew because that

35:28

was the default setting on the browser

35:29

when they when they came in and they

35:31

didn't switch right so a really

35:32

important thing to do when you're when

35:34

you're bootstrapping an account is

35:35

deleting all the default VP sees you

35:37

need a script for

35:37

right and then you need scripts to stand

35:39

up your VP see what are your design

35:41

patterns for your VP C's what is the

35:43

t-shirt sizing for that right you

35:45

probably have a small medium large VP C

35:47

maybe you know a slash a slash 26 as a

35:51

small slash 24 is a large slash 22 or a

35:54

slash 24 is a medium and slash 22 is a

35:56

large you need to define the site or

35:58

ranges that are acceptable for that use

35:59

because you don't want these applications

36:01

teams stepping on each other site

36:02

arranges so you need to build that in

36:04

and then you need to connect that VPC to

36:07

your transit gateway right you had your

36:08

networking account that's where you ran

36:09

your direct connects to your VPN you're

36:11

now going to connect that V PC that you

36:13

did to your transit gateway so you have

36:15

your networking in place you have all

36:17

your security control plan in place

36:18

you've deleted all the default V pcs and

36:21

now you're really ready to get cooking

36:23

so I'm gonna on board an account what's

36:25

the first thing I need I need a database

36:26

of accounts right what are the accounts

36:28

that I have what are the metadata around

36:29

them what's the account tags what is the

36:32

what's the purpose of that account who

36:33

owns it etc so I need an account table

36:35

DynamoDB is a great tool you can quickly

36:38

create an account table it's no sequel

36:41

schema list so you can just kind of

36:43

continue adding data to it over time as

36:44

you find that you need new data and you

36:47

also need a place to store all of your

36:50

logs right so all of these lambda

36:51

functions that are running some of them

36:53

will work and some of them will not work

36:54

right you never know you might show up

36:56

on a Tuesday and Amazon announces a new

36:59

type of availability zone in Los Angeles

37:01

that has a different format than a

37:03

naming convention than every other

37:05

availability zone and it breaks some of

37:07

your regex in some of your lambdas and

37:08

so then you have to respond to that

37:10

right so you need a place to store your

37:12

log and configuration files so you can

37:15

see when things are working and when

37:16

things aren't working so now after all

37:19

that's ready we're ready to launch our

37:21

first production account we create that

37:22

account and we're gonna bend that to the

37:24

team as soon as I bend that to the team

37:26

they're gonna start building things

37:27

right and so I want to see what they're

37:29

building right I want to have visibility

37:31

I want to have that real-time access to

37:33

what's going on so I need to build an

37:35

event stream around that so I take that

37:37

cloud trail information so cloud trails

37:39

monitoring everything in their account

37:40

every time something changes an API

37:42

calls made I send that to cloud watch

37:44

cloud watch filters it there's I don't

37:47

care about everything I care about

37:48

certain events I filter the events in

37:50

cloud watch I send them to

37:51

and I put them on a queue right so I now

37:54

have a series of events that I've put on

37:55

a queue my lambdas picked that up and

37:57

now when someone launches an RDS

37:59

instance in a public subnet I know about

38:01

it and I can write a rule that says

38:03

that's not acceptable let's terminate

38:05

that instance and send that user a

38:07

message that they're not allowed to do

38:08

that that is the fundamental

38:10

architecture that you need you can then

38:12

start building bells and whistles on top

38:13

of it right the next set of data

38:17

elements that you're going to record are

38:18

what are the events what are the

38:19

notifications what are your policies

38:21

that you've written and then what are

38:23

the exceptions that you've written and

38:25

you probably need a relational database

38:26

for that or or is a great solution for

38:29

that as well you can also create some

38:31

visibility into your log files that

38:34

you're they're putting into s3 using

38:36

Athena

38:37

so all those log files you'll have you

38:39

literally have millions of log files

38:41

sitting there after a few months because

38:43

you're monitoring all these things in

38:44

the real-time events you'll have

38:46

millions of log files Athena is a great

38:47

way to kind of research and get

38:49

information and then you can use

38:50

something like that SES for sending

38:52

email notifications this is that

38:54

fundamental architecture that you need

38:55

to build in order to do that governance

38:58

at scale you can do this on your own it

39:01

is a lot of fun to build you'll learn a

39:03

lot along the way if you don't have time

39:06

to build that or you don't have the team

39:08

that has the expertise to build that

39:10

that can be tough because Amazon is

39:13

pushing a thousand changes a year just

39:15

this week like we went from 165 services

39:18

to like 175 services we'll probably be

39:21

in the 180s before the weeks over right

39:23

they have 16 regions and growing that is

39:26

a huge amount of change to absorb you

39:29

need a big team that's monitoring that

39:31

stuff and doing it when Amazon releases

39:33

a new service your job as a governance

39:35

architect is to evaluate it to say what

39:37

is the enterprise configuration of that

39:39

service and what are the guardrails that

39:40

I need around that service to make sure

39:42

if it's going to be used within my

39:43

environment or not so you need the team

39:46

in place in order to do that

39:47

how bot thinks about this is we think

39:51

about it in terms of creating that

39:53

freedom for the application teams making

39:56

sure that the cloud team has automated

39:59

guardrails giving the cloud team the

40:01

ability to specify their policies and

40:03

define them

40:05

the application teams that fundamentally

40:07

need to have self-service those

40:10

application teams we want them to

40:11

directly use the cloud we want them if

40:13

they like using the console let them use

40:15

the console if they want to use

40:16

terraform let them use terraform if they

40:18

want to use the CLI or the API is let

40:20

them use those things do not abstract

40:22

your users from the tools that they love

40:24

that will slow them down let them use

40:26

whatever tool but you've got to be

40:28

cognizant that you've got to run

40:30

alongside you've got to watch what

40:31

they're doing and you have to put

40:32

guardrails and boundaries in place of

40:33

what they can do to prevent them from

40:35

creating risk for the organization and

40:37

that's essentially what turbot does we

40:39

have the software that we were just

40:40

talking about a very similar

40:41

architecture to this that you can deploy

40:43

within one of your environments that

40:45

monitors all the activity across all of

40:47

your clouds are all of your all of your

40:49

clouds and all of your accounts and

40:52

kubernetes and the OS level we do that

40:55

in real time we ingest all that

40:57

information and then we do real-time

40:59

matching of your policy sets against

41:01

that data and tell you what's wrong and

41:03

give you the tools in place to

41:04

automatically remediate them so let me

41:07

just quickly drop over to a demo and

41:09

kind of show you how we do that

41:19

so this is the this is the turbot

41:22

console this is our web-based UI that we

41:26

provide to our citizens and let them see

41:29

what's going on so this is a governance

41:31

architect view but it can also be end

41:34

user and application team view a you

41:37

know a dashboard for you know your

41:39

management as well so I'm logged in here

41:43

to this reinvent demo account and I have

41:46

access to that account so that single

41:47

sign-on the federated identity that we

41:49

were talking about before I can simply

41:51

choose a role that I want to log in as

41:54

and then get an STS session out to AWS

41:57

so with that single click I was able to

42:00

authenticate to AWS with a time-limited

42:02

STS token I only have access for a

42:05

limited amount of time what's important

42:07

about that is that the users never have

42:10

access keys or credentials that they can

42:11

take with them and go home inside into

42:13

your environment in order to do in order

42:15

to log in they need to be on your

42:16

network because the software your your

42:19

cloud portal is essentially running on

42:21

your intranet so when those users go to

42:23

log in they have to be on your network

42:25

and they have to authenticate to that

42:27

environment before they can actually log

42:28

in and do anything right and that's

42:30

typically a federated identity right so

42:32

your login with sam'l you're logging in

42:34

with a DFS you're logging in with your

42:35

you know ad user credentials etc that's

42:38

how you get access to the environment

42:39

and then you can then get access I just

42:42

showed access in the console but this

42:44

works the same way the same STS sessions

42:46

work vended through the CLI as well as

42:50

through the API right so you can write

42:53

automation around this you don't have to

42:55

give out access keys and you don't have

42:58

to give out user credentials to any user

43:00

that's really important in terms of in

43:02

terms of securing your environment so

43:05

now when I'm in here as a user I can do

43:08

some things so I don't have I don't have

43:11

a bunch of scripts on so I'll just

43:13

create a few buckets here reinvents demo

43:18

0:03 if I get spell

43:28

and I will create the bucket and I'll

43:38

take a look at it

43:39

so you can see when I created that

43:41

bucket I basically created what we call

43:43

a naked bucket right so I didn't really

43:45

do any configuration to it I didn't add

43:47

any tags to it

43:48

I didn't any add any default encryption

43:50

I didn't add any versioning I was pretty

43:52

pretty bad steward of my environment on

43:56

the flip side though turbot knows about

43:58

that bucket right so

44:15

so turbot already discovered that bucket

44:17

existed why did that exist because we

44:19

use that architecture I was talking

44:20

about earlier cloud trail sent an event

44:22

through SNS back to sq sq turbot lambda

44:27

pick that up and basically said oh

44:29

there's a new bucket that was just

44:30

created right and now if I look at the

44:32

activity on that bucket I can see the

44:36

activity I can actually see all the way

44:40

down here less than a minute ago myself

44:44

as this persona Wade Watts logged in

44:47

created the bucket and then turbot

44:48

started working on it right and we have

44:50

a lot of policies that we do on bucket

44:52

first thing that we do is we ingest all

44:54

of the current configuration in the

44:55

bucket you can see that configuration

44:57

right here in this details page this is

45:00

a yam all configuration of all of the

45:02

things that exists on that bucket and

45:05

then we started to alarm why did we

45:09

alarm so let's look at let's look at

45:10

some of these alarms so first our we had

45:14

a couple alarms here first alarm is that

45:15

the tags weren't set correctly so I have

45:17

standards as an enterprise around how I

45:18

tag information and how I make that work

45:20

I also have standards around versioning

45:23

right so in this case I have versioning

45:25

set correctly are not set correctly so

45:28

versioning wasn't enabled and encryption

45:30

in transit wasn't enabled and probably

45:33

encryption and rest was enabled as well

45:34

so ya see default encryption at rest was

45:36

enabled now that triggers additional

45:39

lambdas that then go fix those things

45:41

right this is the key to to compliance

45:44

at scale if you are a governance team

45:47

and you have something that's scanning

45:49

your environment once a day and sending

45:50

you a list of a thousand things that are

45:52

wrong you are swamped right you are

45:54

never gonna be able to write that

45:55

application because you're gonna be

45:57

spending your entire time in email

45:58

basically conversing with those

46:01

application teams begging them to please

46:02

change their stuff and fix it right you

46:04

need auto Meishan that will

46:06

automatically fix it at the time that

46:07

they provision those resources so all

46:12

that happened within so if you look at

46:14

this 12:13 p.m. I created the bucket and

46:19

by 1214 p.m. we did that so if I go back

46:21

into the s3 management console and I now

46:24

refresh the bucket we can see

46:27

that I've set now turbot has set default

46:31

encryption AAS 256 it's set a bunch of

46:33

tags on the bucket oh and look it says

46:35

this is a bad tag environment can't be

46:37

blank right you need to have an

46:39

environment but turbot doesn't know what

46:40

environment this bucket is so let me

46:42

tell it that it is a prod bucket so I

46:49

just hold it it's a prod bucket oops I

46:52

click another one thing and then turbot

46:55

also enabled versioning for that bucket

46:57

now let's say for the sake of argument that

47:00

versioning is expensive it's not really

47:02

expensive but let's just say it's

47:04

expensive for my use case and I don't

47:05

want versioning on on development

47:07

environments right that's not something

47:09

that turbot has a built in guardrail for

47:11

so how do we how do we approach that

47:13

problem I'll go back to my view here I'm

47:17

gonna take a look at so this is so I'm

47:20

going to look at turbot policies now so

47:23

we're gonna go in here to policy type so

47:24

I'll go to AWS go to s3 bucket approved

47:32

oops sorry

47:33

bucket versioning and then I'll look at

47:38

the policies around bucket versioning so

47:40

I can see that I have I have one policy

47:42

here and it's what we call a calculated

47:44

policy a calculated policy is

47:47

interesting because it now gives your

47:49

governance team the ability to extend

47:51

the rules that we've already pre built

47:53

in so I can have a simple rule if I

47:55

wanted to if I wanted to create a simple

47:58

rule on this I could switch I could

48:01

switch the standard mode and I could

48:03

just say check that it's enabled or

48:05

enforce that it's enabled I could do

48:06

simple rules like that through the UI or

48:08

through terraform I can also go into

48:11

this calculator mode and this calculator

48:13

mode is really cool because what I can

48:16

do is well I don't need the I don't need

48:21

the example buggy you guys can tell I

48:22

can write a simple I can write a simple

48:25

graph QL query that looks at pulls in

48:28

the bucket tags for a bucket and then I

48:30

can look for a tag named environment and

48:32

if the environment is dev then I'll set

48:35

versioning to disabled otherwise I'll

48:36

set versioning to enabled right so

48:38

that's why versioning was initially

48:39

enabled the value of that tag

48:41

was bad tag and so that didn't match dev

48:43

so now that I know that that policy

48:45

exists and in place let's go back out

48:47

here and I'll update my tag to dev and

48:54

save it so now the tags dev and let's

48:59

see what happens on the bucket so again

49:02

that whole event stream is still taking

49:04

place when I update the tag that sends a

49:06

tagging event back through that same

49:08

tool chain and comes back you can see

49:12

that the bucket was updated oh so you

49:26

can see that the bucket was updated here

49:27

and I can actually see what was changed

49:30

so not only do I have visibility into

49:33

what's going on in my account but I have

49:35

line-item visibility into how that

49:37

configuration is changing over time so I

49:39

can literally see here more than that go

49:43

let's say bucket template change bucket

49:46

updated so I can literally see that I

49:50

changed that bucket the value of that

49:53

individual tag from dev to prod and we

49:55

have this granularity at every layer of

49:57

the infrastructure all the way down to

50:00

the OS level right and you can also see

50:03

now that because I've changed it turbo

50:05

also responded to it and set versioning

50:07

to suspend it so we'll just take a look

50:09

at that real quick so you guys can tell

50:10

that I don't have any magic up my sleeve

50:11

here so you can see versioning has been

50:13

disabled on the bucket without any

50:15

action on my own other than updating the

50:17

tag

50:17

now that's activity on a bucket it's

50:19

pretty simple to do let's look at

50:21

something that's a little bit more

50:22

advanced a little bit more a little bit

50:23

harder to actually to do and that is and

50:27

that is a ec2 instance at the host base

50:29

level so what i'm gonna do is i'm going

50:32

to go to SSM systems manager and i'm

50:39

going to use this awesome tool from AWS

50:40

called session manager and session

50:44

manager i'm going to start a session

50:45

this is going to allow me to to start a

50:49

session on one of these who've been to

50:51

instances that are running here and i'm

50:53

going to get an ssh session

50:55

what's really cool about session manager

50:56

is that it's using my federated identity

50:59

so if you remember I logged into turbot

51:01

with my enterprise federated identity

51:02

turbot then logged me in with a with a

51:04

time-limited SDS token into AWS and now

51:07

I'm authenticating at the instance level

51:09

in that same persona so I know my

51:12

federated identity from the enterprise

51:13

is logged into that server and every

51:16

action that I take in here is recorded

51:18

in cloud trail everything that I do is

51:20

recorded in cloud trail and this is

51:22

super small so hopefully there we go

51:26

all right so first thing I'm going to do

51:28

is wonder why that's not working let's

51:39

say you oh there we go all right so I'm

51:44

going to I'm typing but it's not doing

51:49

anything

51:56

rights all right I'm just gonna launch

52:00

session manager again I'll do this demo

52:03

instant so five maybe that was maybe

52:05

there was an issue there with those six

52:07

Oh actually this might be my might be my

52:10

internet connection that's waiting out

52:12

here all right so let's go to oh five

52:13

and start a session and we get a command

52:21

prompt to do all right so now hopefully

52:23

making this bigger doesn't screw it up

52:25

sudo su one two so I'm gonna switch over

52:30

to the abun two user so I log was logged

52:32

in as the SSM user I'm now on a bunch of

52:35

user I can see to eat in my home so I

52:37

can see that a little bit better so I

52:39

mean I'll do this when two instances I am

52:41

an administrator on this instance so I

52:43

have access to do things right I can sue

52:45

do so I'm going to do something bad here

52:47

I'm going to sue do two Etsy SSH SSH D

52:54

Kampf

53:08

oh there we go thank you I'll do I'll do

53:14

them make the vin people happy all right

53:16

so I'm now in sshd comp and I'm gonna

53:22

do a couple bad things I'm gonna say I

53:24

don't care let's permit empty passwords

53:26

and let's authorize let's see permit

53:33

route login so two things two things

53:37

that I want to do and I'm even gonna I

53:40

mean we're gonna gonna like go to the

53:41

extent of of just saying yeah I don't

53:45

care just permit route logging right so

53:50

I'll save that and I'll pop back out the

53:52

turbot so in the same way that we get

53:55

that event stream from cloud trail turbo

53:57

has a way to bootstrap OS query and be

54:00

able to send an event stream of all

54:01

actions that are taking place on your

54:03

host based OS s right so let's drill in

54:06

and find that if I'm in US East one

54:10

I'll go back here and we've got a couple

54:14

instances I didn't notice which instance

54:16

ID that was well we will we'll take a

54:24

look

54:32

so here's all the information that

54:36

turbot knows about that ec2 instance and

54:38

then I can actually look at the the

54:42

Ubuntu based host that's running on

54:44

there and I can see all the activity if

54:48

I want to look at something like if I

54:51

want to look at the resources and I want

54:52

to see all of the all the kernel modules

54:57

that are installed in this environment I

54:59

can do that I can also but I can also

55:05

set policies at this level right so I'm

55:07

not this host level of a filter policy

55:11

AWS I'm sorry all policy types Linux

55:21

services SSH SSH SSH config and we can

55:26

see here that I've got a bunch of things

55:28

that I can do so that permit empty

55:30

passwords it's a policy that we have

55:32

built into the system I can see what the

55:34

setting is for it for that as well if I

55:43

do a new setting here you can see that I

55:44

can enforce it into one or more

55:46

different modes or configurations within

55:48

the environment Souter BOTS had it

55:50

enough time it's discovered that we made

55:51

that change let's go back and take a

55:53

look at at the activity here

55:59

we're on 1010 51 and we're 1010 38 so

56:03

I'm just going to bounce back up here

56:27

there we go all right so I have that 10

56:30

10:31 so I can see that sshd was updated

56:32

I can see what was changed on that

56:35

environment and then I can respond to

56:37

that change and correct it in real time

56:38

so you can see here that turbot actually

56:41

corrected that back if I go back to my

56:43

Systems Manager window and I reopen you

56:47

can see that or maybe not

57:01

so you see permit empty passwords was

57:03

set back to no and if I actually scroll

57:05

to the end of this document I can go to

57:08

permits routes permits routes login

57:24

anyone know what the there we go

57:27

at the very end of the file turbot added

57:28

a permit route login no

57:30

so rather than override that setting

57:31

because I in comment we actually added

57:33

the setting at the end that overrode the

57:34

value right so within a few within a few

57:37

fifteen seconds after making the

57:39

configuration change sort about

57:40

identified the bad configuration and

57:42

then rolled it back and that's really

57:46

what I wanted to show you I'm gonna talk

57:48

a little bit I'm gonna switch back over

57:49

to the slides and just wrap up we what I

57:55

really wanted to share with you is that

57:57

we really love this stuff right we love

58:00

building it we love organizations that

58:02

are out there building it our best

58:04

customers are organizations that try to

58:05

write this stuff on them themselves we

58:08

have a platform that we feel can

58:09

accelerate your journey towards building

58:11

this type of automation within your own

58:13

environment and that platform is

58:16

deployed within your own account that

58:19

platform gives you robust capabilities

58:21

to detect change to prevent

58:23

configuration drift - correct - correct

58:26

configurations as you saw in the demo to

58:29

create transparency for your entire

58:31

environment you can search and find

58:32

resources across everything and to

58:34

really enable business agility to give

58:36

back to your team's the agility that

58:38

they saw it out for when they move to

58:40

the cloud initially so thank you so much

58:42

for your time today hopefully you've got

58:45

something out of this if you enjoy these

58:47

topics and you love talking about them

58:48

if you're building it yourself we would

58:50

love to talk shop with you and figure

58:51

out how you're tackling some of these

58:53

same challenges please drop by the booth

58:55

or I'll be available here after the

58:58

session for a few minutes to answer

58:59

questions I also have Bob Tordella and

59:01

a couple other team members that can

59:02

answer questions as well loved the

59:05

opportunity to come talk to you today

59:06

thank you all for your time and

59:08

attention

59:09

[Applause]