Reimagining Multi-Account Deployments for Security and Speed (NFX305)

Title

AWS re:Invent 2022 - Reimagining multi-account deployments for security and speed (NFX305)

Summary

  • Netflix's cloud infrastructure security team, represented by Patrick Sanders and Joseph Kerr, shared their innovative approach to multi-account deployment in AWS.
  • Netflix runs a massive multi-tenant primary AWS account holding 7,000 microservices and 2.5 million workloads, a scale that is no longer sustainable.
  • Previous multi-account migration attempts were burdensome, slow, and expensive.
  • Netflix's new approach involves a robust account lifecycle, minimal provisioning, and a fully automated account vending process with no human in the loop.
  • The key innovation is decoupling an application's IAM role from its underlying cloud infrastructure, allowing one account per application without having to manage network and compute resources in each of those accounts.
  • Netflix uses an IMDS proxy to exchange a workload's identity for AWS credentials from a different account, so applications operate with near-admin permissions within their own dedicated accounts without code changes.
  • This approach reduces the scope of application compromise, provides flexibility for infrastructure changes, and improves developer productivity.
  • The strategy is not a silver bullet and does not address all security concerns, such as network-based lateral movement or abuse of shared resources.
  • Netflix is preparing for a large migration and acknowledges the need to update tools and communicate with teams to ensure a smooth transition.
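The credential exchange described above, as an added illustration rather than Netflix's own proxy: a workload identity (here just an application name, which the proxy is assumed to derive from the calling instance or container, never from the request itself) is mapped to the one role in that application's dedicated account, short-lived credentials for that role are minted through an injected `assume_role` callable (a placeholder standing in for STS so the sketch runs offline), and the result is returned in the JSON shape the EC2 instance metadata service uses for `/latest/meta-data/iam/security-credentials/<role>`. The mapping table, account IDs, role names and the misconfigured `legacy-tool` entry are all constructed for this example.

```python
"""Sketch of an IMDS-style credential exchange (illustrative, not Netflix's code).

A workload's identity is resolved to a role in its own dedicated account, and
short-lived credentials for that role are answered in the same JSON layout an
application would expect from the real instance metadata service, so the
application needs no code change to pick up credentials from another account."""
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Constructed registry: one account per application (assumption for this sketch).
# "legacy-tool" is deliberately misconfigured (role lives outside its account)
# to show the defensive check below rejecting it.
APP_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "recommendations": {"account_id": "111111111111",
                        "role_arn": "arn:aws:iam::111111111111:role/AppRole"},
    "billing":         {"account_id": "222222222222",
                        "role_arn": "arn:aws:iam::222222222222:role/AppRole"},
    "legacy-tool":     {"account_id": "333333333333",
                        "role_arn": "arn:aws:iam::444444444444:role/AppRole"},
}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

# Credential minting is injected so the example runs offline; a real proxy would
# call sts:AssumeRole here (hypothetical wiring, not described in the talk).
AssumeRole = Callable[..., Dict[str, str]]


def fake_assume_role(role_arn: str, session_name: str) -> Dict[str, str]:
    """Placeholder for STS: returns dummy credentials that expire in one hour."""
    expiry = datetime.now(timezone.utc) + timedelta(hours=1)
    return {
        "AccessKeyId": "ASIA" + "X" * 16,          # placeholder, not a real key
        "SecretAccessKey": "placeholder-secret",
        "Token": "placeholder-session-token",
        "Expiration": expiry.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def target_role_arn(app: str) -> Optional[str]:
    """Resolve a workload identity to the single role it may assume, or None."""
    entry = APP_ACCOUNTS.get(app)
    return None if entry is None else entry["role_arn"]


def imds_credentials(app: str, assume_role: AssumeRole = fake_assume_role) -> Dict[str, object]:
    """Answer GET /latest/meta-data/iam/security-credentials/<role> for workload `app`.

    Returns a dict with an HTTP-like "status" and the JSON "body" the caller
    would receive. Unknown workloads get 404; a role outside the workload's own
    account gets 403, so a registry mistake cannot hand out cross-account power."""
    arn = target_role_arn(app)
    if arn is None:
        return {"status": 404,
                "body": {"Code": "AssumeRoleUnauthorizedAccess",
                         "Message": f"no account registered for workload {app!r}"}}
    m = ROLE_ARN_RE.match(arn)
    if m is None or m.group(1) != APP_ACCOUNTS[app]["account_id"]:
        return {"status": 403,
                "body": {"Code": "AssumeRoleUnauthorizedAccess",
                         "Message": "role is not in the workload's own account"}}
    creds = assume_role(arn, session_name=f"{app}-imds")
    body = {
        "Code": "Success",
        "Type": "AWS-HMAC",
        "LastUpdated": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        **creds,
    }
    return {"status": 200, "body": body}


if __name__ == "__main__":
    for name in ("recommendations", "legacy-tool", "unknown-app"):
        print(name, imds_credentials(name)["status"])
```

The point of the 403 branch is that the proxy, not the application, decides which account a workload may reach: even if the registry is edited wrongly, a role in some other account is never returned, which is what keeps the blast radius of a compromised application confined to its own account.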

Insights

  • Netflix's approach to multi-account deployment emphasizes the importance of account isolation for security and operational efficiency.
  • The strategy of decoupling IAM roles from infrastructure resources is a significant departure from traditional AWS account management practices.
  • By minimizing the provisioning of resources in new accounts, Netflix can rapidly create and distribute accounts to applications, reducing the time and complexity typically associated with account setup.
  • The use of an IMDS proxy to serve credentials from a different account is an innovative solution to maintain compatibility with existing applications and avoid code changes.
  • Netflix's experience highlights the challenges of managing a large-scale AWS environment and the need for creative solutions to balance security, speed, and developer autonomy.
  • The talk underscores the importance of collaboration with AWS account teams and the value of sharing knowledge and experiences within the AWS community.