Governance and Security with Infrastructure as Code (DOP209)

Title

AWS re:Invent 2023 - Governance and security with infrastructure as code (DOP209)

Summary

  • Eric Beard and Kevin DeJong from AWS, along with Damian Silbergleith from GoDaddy, discussed the importance of balancing speed and security in cloud deployments.
  • They emphasized the benefits of Infrastructure as Code (IaC) for consistent deployments and the application of developer tooling to infrastructure.
  • AWS CloudFormation and AWS Cloud Development Kit (CDK) were highlighted as key tools for automating delivery pipelines and ensuring deployment safety and security.
  • The concept of "safety at speed" was introduced, showcasing how Amazon achieves numerous deployments with high security.
  • Multi-account architectures and sandbox accounts for developers were recommended for better security and cost management.
  • The speakers discussed the importance of automation in DevOps and how IaC is crucial for automating all aspects of infrastructure management.
  • Kevin DeJong introduced tools such as cdk-nag, CloudFormation Guard, cfn-lint, and CodeWhisperer for validating and securing IaC.
  • CloudFormation hooks were presented as a way to validate resources before creation, update, or deletion.
  • Damian Silbergleith shared GoDaddy's journey in building a next-generation cloud governance system called Stack Safeguard, leveraging CloudFormation hooks and CDK.
  • GoDaddy's Stack Safeguard system was designed to increase developer productivity while maintaining cloud security and compliance.
  • The session concluded with an invitation for feedback and further discussion.

Insights

  • The adoption of IaC allows for rapid, consistent, and secure cloud infrastructure deployment, which is critical for organizations looking to innovate quickly without compromising on security.
  • AWS CloudFormation and CDK are powerful tools that enable developers to define infrastructure in code, allowing for automated and repeatable deployments.
  • The use of sandbox accounts and a multi-account architecture can improve security by isolating resources and reducing the blast radius of potential security incidents.
  • Tools such as cdk-nag, CloudFormation Guard, cfn-lint, and CodeWhisperer help developers identify and fix security and compliance issues early in the development lifecycle, embodying the "shift-left" security approach.
  • CloudFormation hooks provide a server-side mechanism to enforce compliance and security policies before infrastructure changes are applied, ensuring that only approved changes are deployed.
  • GoDaddy's implementation of Stack Safeguard demonstrates a real-world application of AWS tools to create a governance system that empowers developers while enforcing security and compliance.
  • The collaboration between AWS and its customers, such as GoDaddy, leads to the development of features and services that address specific enterprise needs, showcasing the value of customer feedback in product evolution.