The challenge

A global wealth management and investment banking company has taken a very modern approach to their cloud deployments, heavily using DevOps principles and embracing infrastructure as code.

Recently, the Company planned on releasing two new web applications to improve customer experience and value. The applications were developed as "cloud-native" to use all the benefits of cloud computing including elasticity, scalability and availability. As part of the rollout, the company wanted to review their security, and they were looking for ways to incorporate new tools and improvements where possible.

Change is the one constant in the cloud, as new features and services are added at an unprecedented rate. It is best practice to continuously evaluate those changes and, where appropriate, use them to improve aspects of your architecture.

Announced at re:Invent 2018, AWS Security Hub gives customers a comprehensive view of the security state of their entire AWS footprint. Once the product became generally available, the Company wanted to incorporate it into their environment to improve their overall security posture. However, they wanted to do so programmatically, in line with their adoption of infrastructure-as-code principles and their heavy use of Terraform. At a minimum, they also wanted to apply the CIS AWS Foundations Benchmark to their environment and integrate it with AWS Security Hub.

The solution

WWT worked with the Company to design and develop a workflow that enables Security Hub and the CIS Benchmarks, and that incorporates a larger set of AWS services to enhance security, visibility, notifications and integration with existing systems across their current and expanding environment.

[Design diagram: AWS CIS Benchmark Configuration]

WWT and the Company's IT team wrote Terraform code that creates and applies every element in the diagram above, provisioning and configuring the AWS services involved. Examples of the services used and what was configured include:

AWS Organizations:

  • Used to enable organization-wide CloudTrail and AWS Config.
  • A service control policy (SCP) was defined in Terraform to limit access to unused regions.

IAM:

  • IAM password policies were configured for all accounts according to the CIS benchmark standards.

AWS Config:

  • Enabled in the required regions for all accounts in the organization.
  • The Config S3 bucket had versioning, access logging and object-level logging enabled; default encryption was AES-256; lifecycle policies transitioned objects to Intelligent-Tiering.
  • The "required tags" and "encrypted volumes" Config rules were enabled in the required regions for all accounts in the organization.

AWS GuardDuty:

  • Enabled in the required regions for all accounts in the organization.

AWS CloudTrail:

  • An organization trail covering all regions was configured in the master account.
  • Log file validation was enabled.
  • Logs were encrypted.
  • The CloudTrail S3 bucket had versioning, access logging and object-level logging enabled; encryption was configured and lifecycle policies transitioned objects to Intelligent-Tiering.
  • CloudTrail logs were delivered to a centralized CloudWatch log group.
  • CloudWatch metric alarms on the CloudTrail log group were configured per CIS sections 3.1-3.14 and sent to an SNS topic in the Tools account.

AWS Security Hub:

  • Enabled in the required regions for all accounts in the organization.
  • The CIS AWS Foundations Benchmark was configured as the compliance standard.
  • The Amazon GuardDuty integration was enabled for Security Hub.
  • A CloudWatch Events rule was configured to forward non-compliant findings from all accounts.
  • Security Hub manages the Config rules in all accounts that validate the CIS Benchmark standards.

AWS CloudWatch:

  • Additional CloudWatch event-based rules were configured to supplement the CIS metric alarms for all accounts in the organization.
  • The CloudWatch event-based rules deliver events via a Lambda function.
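As an added illustration of the Security Hub and CloudTrail/CloudWatch items above (example code written for this page, not the Company's or WWT's Terraform), the following enables Security Hub with the CIS standard and GuardDuty integration in one account and region, and implements the CIS 3.1 metric filter and alarm. The log group name "org-cloudtrail-logs" and the SNS topic name are assumed placeholders.

```hcl
# Added example, not the Company's or WWT's code. Assumed placeholder names:
# the CloudTrail log group "org-cloudtrail-logs" and the SNS topic below.
data "aws_region" "current" {}

# Enable Security Hub in this account and region.
resource "aws_securityhub_account" "this" {}

# Subscribe to the CIS AWS Foundations Benchmark as the compliance standard.
resource "aws_securityhub_standards_subscription" "cis" {
  depends_on    = [aws_securityhub_account.this]
  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}

# Pull GuardDuty findings into Security Hub.
resource "aws_securityhub_product_subscription" "guardduty" {
  depends_on  = [aws_securityhub_account.this]
  product_arn = "arn:aws:securityhub:${data.aws_region.current.name}::product/aws/guardduty"
}

# Topic that receives the CIS alarms (the page routes these to a Tools account).
resource "aws_sns_topic" "cis_alarms" {
  name = "cis-benchmark-alarms"
}

# CIS 3.1: count unauthorized API calls in the organizational CloudTrail log group.
resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
  name           = "CIS-3.1-UnauthorizedAPICalls"
  log_group_name = "org-cloudtrail-logs"
  pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
  metric_transformation {
    name      = "UnauthorizedAPICalls"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

# Alarm when at least one such event is seen within a five-minute period.
resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
  alarm_name          = "CIS-3.1-UnauthorizedAPICalls"
  namespace           = "CISBenchmark"
  metric_name         = "UnauthorizedAPICalls"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  alarm_actions       = [aws_sns_topic.cis_alarms.arn]
}
```

The remaining CIS 3.x alarms follow the same filter-plus-alarm pattern with different filter expressions, and in an organization-wide rollout the module would be applied per account and region.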

The outcome

By implementing the described design, the Company was able to launch their new applications successfully and securely. In addition, they improved the overall security posture of their entire AWS footprint. By using automation and infrastructure as code, they can now apply the same security controls to any new applications or resources provisioned in the future.

Contributions by Maksim Poletaev
