Title: AWS re:Inforce 2024 - Patterns to securely manage your AWS services with Meta (GRC321)
Insights:
- Meta's Mission and Tooling: Meta aims to connect the world and has developed tools to enable developers to deliver secure and private services globally.
- AWS Organization Setup: Meta's AWS account lifecycle begins before account creation, involving a portal to collect detailed information about account usage, data storage, and network architecture.
- Organizational Units (OUs): Meta uses OUs to logically deploy Service Control Policies (SCPs) across accounts, ensuring compliance and security at scale.
- Staging: Initial setup phase for accounts, where policies and monitoring pipelines are deployed.
- Main: Contains multiple OUs based on account use cases.
- DMZ: Special OU for root access, used only when necessary and monitored closely.
- Suspended: For abandoned or non-compliant accounts, cutting off API access to mitigate risks.
- Lockdown: For incident response, blocking all network connections and access to AWS backend APIs.
- Prod and Dev: Enforce infrastructure as code using Terraform and Cloud CLI, ensuring secure and reviewed deployments.
- Sandbox: Temporary accounts for experimentation, with limited resource deployment to control costs.
- Static and Dynamic SCPs: Meta employs both static and dynamically generated SCPs to enforce security and compliance, particularly for privacy standards across different countries.
- Incident Response: Utilizes AWS services like GuardDuty, Config, and CloudTrail for detecting and responding to malicious activities, automating the process to move compromised accounts to lockdown.
- Balancing Security and Innovation: Meta's custom tooling ensures compliance without hindering innovation, using real-time feedback to guide developers towards secure practices and cost optimization.
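The Suspended, Lockdown and dynamically generated privacy SCPs described above are all the same mechanism: a Deny policy attached to an OU that the accounts underneath cannot override. The following is an added example, not Meta's tooling or any AWS library code, that builds three such policies in the shape the talk describes and runs a minimal SCP evaluator over them (explicit Deny wins; an action is permitted only when some statement allows it). The policy contents, the `SecurityResponder` role name, the region list and the OU-to-policy mapping are assumptions for illustration; `aws:RequestedRegion` and `aws:PrincipalArn` are real IAM condition keys.

```python
"""Model of OU-level Service Control Policies (added example, not from the talk).

The evaluator implements only the subset of SCP semantics needed here:
an explicit Deny always wins, and a request is permitted only if some
statement allows it (the default FullAWSAccess policy supplies the Allow).
"""
import fnmatch
import json

FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Sid": "FullAWSAccess", "Effect": "Allow",
                                  "Action": "*", "Resource": "*"}]}


def build_suspended_scp():
    # Suspended OU: abandoned or non-compliant accounts lose all API access.
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DenyAllApiAccess", "Effect": "Deny",
                           "Action": "*", "Resource": "*"}]}


def build_lockdown_scp(responder_role_name):
    # Lockdown OU: deny everything except the (assumed) incident-response role,
    # so responders can still investigate while the account is isolated.
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DenyAllExceptResponders", "Effect": "Deny",
                           "Action": "*", "Resource": "*",
                           "Condition": {"ArnNotLike": {"aws:PrincipalArn":
                               f"arn:aws:iam::*:role/{responder_role_name}"}}}]}


def build_privacy_region_scp(allowed_regions):
    # "Dynamic" SCP generated per account from the regions privacy approved.
    # The NotAction carve-out keeps a few global services usable; the list is
    # illustrative, not exhaustive.
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
                           "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
                           "Resource": "*",
                           "Condition": {"StringNotEquals":
                               {"aws:RequestedRegion": sorted(allowed_regions)}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, request):
    """True if the statement's Action/NotAction and Condition match the request."""
    action = request["action"].lower()
    if "Action" in stmt and not any(fnmatch.fnmatchcase(action, p.lower())
                                    for p in _as_list(stmt["Action"])):
        return False
    if "NotAction" in stmt and any(fnmatch.fnmatchcase(action, p.lower())
                                   for p in _as_list(stmt["NotAction"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = request.get(key)
            values = _as_list(expected)
            # Negated operators match when the key is absent, as IAM does.
            if operator == "StringNotEquals":
                if actual in values:
                    return False
            elif operator == "ArnNotLike":
                if actual is not None and any(fnmatch.fnmatchcase(actual, v) for v in values):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def evaluate(policies, request):
    """Explicit Deny wins; otherwise permitted only if some statement allows."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, request):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Assumed OU layout: which SCPs each OU carries (FullAWSAccess plus its restriction).
OU_POLICIES = {
    "Main/Prod": [FULL_AWS_ACCESS, build_privacy_region_scp({"us-east-1", "eu-west-1"})],
    "Suspended": [FULL_AWS_ACCESS, build_suspended_scp()],
    "Lockdown": [FULL_AWS_ACCESS, build_lockdown_scp("SecurityResponder")],
}


def is_permitted(ou, action, region, principal_arn=None):
    request = {"action": action, "aws:RequestedRegion": region,
               "aws:PrincipalArn": principal_arn}
    return evaluate(OU_POLICIES[ou], request)


if __name__ == "__main__":
    print(json.dumps(build_lockdown_scp("SecurityResponder"), indent=2))
    print(is_permitted("Main/Prod", "s3:PutObject", "ap-south-1"))   # False: unapproved region
    print(is_permitted("Lockdown", "ec2:RunInstances", "us-east-1",
                       "arn:aws:iam::111122223333:role/SecurityResponder"))  # True
```

The Lockdown policy is the one worth checking carefully before attaching it: the `ArnNotLike` carve-out is the only path left into the account, so the responder role name must match exactly, and every other principal, including the account's own administrators, is denied until the account is moved back out of the OU.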
Quotes:
- "Meta is on a mission to connect the world and to help accomplish that, they've built tooling to enable their developers to deliver secure and private services globally."
- "OUs are just organization units which allow us to logically deploy SAP controls on a collection of accounts. It helps us scale our policies, helps us scale, be compliant at scale, helps us make sure our accounts are secured by default."
- "DMZ is special. DMZ is free of every policy we put in this organization. DMZ is for use cases like where you need to use root."
- "Lockdown is for incident response. If we detect something malicious going in an account, someone mining Bitcoin, a malicious actor from outside accessing an account, it goes to lockdown."
- "We force the usage of Cloud CLI in every account in the green node. It helps us make sure accounts and resources are secure by default."
- "Sandbox accounts are temporary. We allow usage for two weeks, and then they're gone. This helps us mitigate. This helps our users move faster, experiment faster, but also at the same time, we don't want to push that code in production."
- "Meta is active across the world, different standards across every country. One of the craziest standards we have to deal with. Every service which can store or process data has to go through explicit approval from privacy."
- "For incident response we have built a lot of tooling using managed AWS services like GuardDuty, Config, custom detections in CloudTrail, Health Events, third-party integrations using third-party tools."
- "Speed is very important to us, moving fast is very important to us, but we still want to comply with privacy and compliance standards, so we build our custom tooling using CloudTrail."