Governance and Security with Infrastructure as Code (DOP314)

Title

AWS re:Invent 2022 - Governance and security with infrastructure as code (DOP314)

Summary

  • Speakers: Eric Beard (AWS Solutions Architect) and David Hessler (DevSecOps Consultant, AWS ProServe).
  • Key Topics: Infrastructure as Code (IaC), AWS CloudFormation, AWS CDK (Cloud Development Kit), security, compliance, DevOps, and deployment in regulated environments.
  • Main Points:
    • AWS supports 98 security standards and compliance requirements.
    • IaC allows for consistent deployments and source code validation.
    • AWS CloudFormation is a server-side provisioning engine for infrastructure.
    • AWS CDK is an open-source framework for defining infrastructure in general-purpose programming languages, which is then synthesized into CloudFormation templates.
    • CDK philosophy focuses on reducing out-of-band changes and integrating infrastructure with application development.
    • DevOps at AWS starts with culture, breaking things down into microservices, automating everything, and owning the full lifecycle.
    • DevOps sagas are capabilities that describe AWS's experience in cloud operations.
    • Security controls are categorized into directive, preventative, detective, and responsive.
    • AWS Deployment Pipeline Reference Architecture (DPRA) helps shift security controls left and create faster feedback loops.
    • Tools like CDK NAG, CFN NAG, CloudFormation Guard, CodeWhisperer, CodeGuru, and others help developers follow best practices.
    • Post-deployment (detective) tools such as CloudFormation drift detection and IAM Access Analyzer support ongoing compliance and security checks after resources are live.
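As an added illustration of the preventative, shift-left control the talk describes (example code written for this summary, not code from the talk, cfn_nag or CloudFormation Guard), the script below runs two S3 checks over a constructed CloudFormation template and returns findings a pipeline stage could fail on; the sample template, rule names and messages are assumptions.

```python
import json

# Constructed sample template (not from the talk): one compliant bucket and
# one bucket that is missing both default encryption and a public access block.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "GoodBucket": {"Type": "AWS::S3::Bucket", "Properties": {
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
      {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "PublicAccessBlockConfiguration": {
      "BlockPublicAcls": true, "BlockPublicPolicy": true,
      "IgnorePublicAcls": true, "RestrictPublicBuckets": true}}},
  "BadBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}}}""")


def s3_bucket_encrypted(logical_id, props):
    """Preventative check: every S3 bucket must declare default encryption."""
    if "BucketEncryption" not in props:
        return f"{logical_id}: S3 bucket has no BucketEncryption"
    return None


def s3_public_access_blocked(logical_id, props):
    """Preventative check: all four public-access-block flags must be true."""
    cfg = props.get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(cfg.get(flag) is True for flag in flags):
        return f"{logical_id}: public access block is missing or incomplete"
    return None


# Rules are registered per CloudFormation resource type, so the same loop
# extends to other types (IAM policies, security groups) by adding entries.
RULES = {"AWS::S3::Bucket": [s3_bucket_encrypted, s3_public_access_blocked]}


def check_template(template):
    """Run every rule registered for each resource's type; return all findings."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        for rule in RULES.get(res.get("Type"), []):
            msg = rule(logical_id, res.get("Properties", {}))
            if msg:
                findings.append(msg)
    return findings


if __name__ == "__main__":
    # Non-empty findings would be the signal to fail the pipeline stage.
    print("\n".join(check_template(SAMPLE_TEMPLATE)) or "no findings")
```

Running the script against the sample template reports both problems on BadBucket and nothing on GoodBucket, which is the feedback a developer would get before the template ever reaches CloudFormation.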

Insights

  • Infrastructure as Code (IaC) is a critical component for achieving governance and security at scale, especially in regulated industries.
  • AWS CloudFormation and AWS CDK are central to AWS's strategy for enabling customers to define and deploy infrastructure using code.
  • CDK Philosophy: The emphasis on reducing out-of-band changes and integrating infrastructure with application development suggests a trend towards more holistic and unified DevOps practices.
  • DevOps Sagas: AWS's approach to DevOps is comprehensive, integrating security into every aspect of the development lifecycle, which is a shift from traditional development practices.
  • Security Controls: The categorization into directive, preventative, detective, and responsive controls provides a structured approach to security, ensuring that it is embedded throughout the deployment pipeline.
  • AWS Deployment Pipeline Reference Architecture (DPRA): This architecture is designed to automate governance and create fast feedback loops, which is essential for maintaining high deployment frequencies without compromising security.
  • Tooling: AWS provides a suite of tools that integrate with the development lifecycle to ensure best practices are followed and to automate security and compliance checks.
  • Post-Deployment Security: AWS emphasizes the importance of ongoing security and compliance checks even after deployment, highlighting the need for continuous monitoring and governance in cloud environments.
  • Community and Open Source: AWS CDK's success as an open-source project and its reliance on community contributions reflect AWS's commitment to community-driven development and the value of open-source collaboration in the cloud ecosystem.