Title
AWS re:Invent 2023 - Fidelity Investments: Building a scalable security monitoring tool (FSI202)
Summary
- Fidelity Investments has been in the cloud for over five years, with 1,500+ AWS accounts and 8 million+ resources across various services.
- The security monitoring tool discussed is not just for monitoring but also for detecting, responding to, and preventing security issues.
- The tool provides a single pane of glass for security needs, allowing real-time visibility and actions on resources.
- Key AWS services used include IAM, EKS, CloudTrail, CloudWatch, SQS, S3, RDS, and KMS.
- The tool uses a repository-based role management system called GRAP for centralized permission management.
- AWS Organizations is used as the source of truth for account labeling to ensure correct handling of resources.
- The tool uses RDS and SQLAlchemy for storing and querying data, allowing for saved views and severity levels for different environments.
- Template scanning is used as a preventative measure to ensure compliance before deployment.
- Reaction triggers and automation are used for real-time response to events in the cloud.
- The tool is customizable, allowing Fidelity to handle any security scenario.
- An example event demonstrates the tool's ability to detect and automatically remediate a public EC2 instance, including sending an educational email to the responsible engineer.
- The tool has led to efficient remediation at scale, increased security awareness, and real-time developer education.
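The summary above describes two kinds of control without showing how they work: template scanning before deployment, and reaction triggers that evaluate a cloud event, pick a severity from the account's environment label, remediate, and notify the responsible engineer. The following is an added example, written for this page and not Fidelity's tool or code, that implements a minimal version of both in Python. The CloudFormation template, the CloudTrail-style RunInstances record, the account-label table (standing in for AWS Organizations), the remediation actions (returned as a plan rather than issued as AWS API calls) and the field paths used to locate the public IP in the event are all constructed assumptions for illustration; a real deployment would validate them against actual CloudTrail records.

```python
"""Added illustration of preventative template scanning and a reactive
event trigger with environment-based severity and an educational notice.
All data and field layouts below are constructed for the example."""

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed stand-in for Organizations-derived account labels and the
# per-environment severity levels the summary mentions (assumed values).
ACCOUNT_LABELS = {"111111111111": "prod", "222222222222": "dev"}
SEVERITY_BY_ENV = {"prod": "high", "dev": "low"}


def scan_template(template):
    """Preventative check: return (resource, reason) findings for anything in a
    CloudFormation template that would expose an EC2 instance to the internet."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})
        # Instance asking for a public IP on one of its network interfaces
        if rtype == "AWS::EC2::Instance":
            for nic in props.get("NetworkInterfaces", []):
                if nic.get("AssociatePublicIpAddress") is True:
                    findings.append((name, "instance requests a public IP"))
        # Ingress rules, inline on a security group or as a standalone resource
        rules = []
        if rtype == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif rtype == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        for rule in rules:
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr in PUBLIC_CIDRS:
                ports = f"{rule.get('FromPort', 'any')}-{rule.get('ToPort', 'any')}"
                findings.append((name, f"ingress from {cidr} on ports {ports}"))
    return findings


def public_instances(event):
    """Yield (instance_id, public_ip) for launched instances that got a public IP.
    The nested field path is an assumption about the RunInstances record shape."""
    items = event.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    for inst in items:
        for nic in inst.get("networkInterfaceSet", {}).get("items", []):
            ip = nic.get("association", {}).get("publicIp")
            if ip:
                yield inst["instanceId"], ip


def evaluate_event(event):
    """Reactive trigger: return None if the record needs no action, otherwise a
    plan with severity, remediation actions and an educational notice."""
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") != "RunInstances":
        return None
    exposed = list(public_instances(event))
    if not exposed:
        return None
    env = ACCOUNT_LABELS.get(event.get("recipientAccountId", ""), "unknown")
    principal = event.get("userIdentity", {}).get("arn", "unknown")
    ids = ", ".join(iid for iid, _ in exposed)
    return {
        "environment": env,
        "severity": SEVERITY_BY_ENV.get(env, "medium"),
        # Assumed remediation: quarantine the instance (e.g. stop it) pending review
        "actions": [f"quarantine {iid}" for iid, _ in exposed],
        "notify": principal,
        "notice": (f"Instance(s) {ids} were launched with a public IP in a {env} "
                   f"account. Public exposure of EC2 is not permitted here; place "
                   f"instances in private subnets behind a load balancer instead."),
    }


# Constructed sample inputs (not real resources or accounts)
SAMPLE_TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    "Web": {"Type": "AWS::EC2::Instance", "Properties": {"NetworkInterfaces": [
        {"DeviceIndex": 0, "AssociatePublicIpAddress": True}]}},
}}
SAMPLE_EVENT = {
    "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
    "recipientAccountId": "111111111111",
    "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/AppDeploy/jdoe"},
    "responseElements": {"instancesSet": {"items": [
        {"instanceId": "i-0123456789abcdef0",
         "networkInterfaceSet": {"items": [{"association": {"publicIp": "203.0.113.10"}}]}}]}},
}

if __name__ == "__main__":
    for resource, reason in scan_template(SAMPLE_TEMPLATE):
        print(f"BLOCK {resource}: {reason}")
    print(evaluate_event(SAMPLE_EVENT))
```

The two functions share one definition of "public" (a public IP on the instance or an ingress rule open to the world), which is the point of pairing prevention with reaction: whatever the template scanner would have rejected, the event trigger catches if it reaches the account by another path, and the severity lookup keyed on the account label is what lets the same rule page for production and only educate for development.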
Insights
- Fidelity Investments has achieved a high level of automation in cloud security, which is critical for managing a large number of resources and accounts.
- The use of a single pane of glass approach simplifies security management and ensures that security personnel have a comprehensive view of the security posture across all cloud resources.
- The emphasis on both preventative measures (template scanning) and reactive measures (reaction triggers and automation) indicates a mature approach to cloud security, where prevention and quick response are equally valued.
- The tool's ability to customize and create plugins for specific security scenarios shows the importance of adaptability in security tools to meet unique organizational needs.
- The educational component of the tool, which sends notifications directly to the engineers responsible for security events, demonstrates a proactive approach to security culture, aiming to reduce repeat incidents.
- The global nature of Fidelity's security team, with a follow-the-sun model, ensures continuous monitoring and response, which is essential for maintaining security in a cloud environment that operates 24/7.