In this session, learn how AWS helps customers effectively manage and govern their infrastructure and resources, simplifying compliance and improving efficiency when completing operational tasks. Come hear Anik Mazumder, principal infrastructure architect at Intuit, speak about his company’s experience. We also share some of the latest innovation from AWS Config in this space, and we cover recent releases in AWS management and governance services.

1. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Simplify compliance and improve
operational efficiency with AWS
Sid Gupta
Sr. Product Manager,
AWS Config
S V C 3 0 2
Anik Mazumder
Principal Infrastructure Architect,
Intuit

2. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Agenda
• Managing and governing infrastructure with AWS
• Using resource inventory for effective governance
• Role of AWS Config
• Customer case study: Intuit
• Recent launches
• Demos

3. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

4. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Our environment is challenging to operate in today
Resources devoted to
maintenance instead of
innovation
Functional silos and IT
procurement cycles slow
down innovation
Best effort security
operations may not be
sufficient

5. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
The challenge of governance vs. agility
• Define
• Discover
• Monitor
• Manage
• Report
• Respond
• Produce
• Adapt
• Innovate
Agility
Governance

6. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
• Define
• Discover
• Monitor
• Manage
• Report
• Respond
• Enable
• Provision
• Operate
• Produce
• Adapt
• Innovate
Agility
Governance
Improve business agility while maintaining control
• Produce
• Adapt
• Innovate
Agility

7. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
AWS management and governance services
Improve business agility while maintaining governance control
Enable Provision Operate
AWS Trusted Advisor
AWS Budgets
AWS Cost and Usage report
AWS Cost Explorer
AWS Service Catalog
AWS CloudFormation
AWS OpsWorks
AWS Marketplace
AWS ControlTower (Preview)
AWS Landing Zone
AWS Organizations
AWS Well-ArchitectedTool
Amazon CloudWatch
AWS CloudTrail
AWS Systems Manager
AWS Config

8. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

9. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Inventory management
• What resources currently exist in my account?
• What is the latest configuration state of my resources?
• What relationships exist between my resources?
• What configuration changes occurred in the last week?
• Which resources in my account have encryption disabled?

10. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Configuration compliance
• Are my resources configured based on best practices?
• Do my resources comply with PCI, HIPAA, or other regulatory requirements

11. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
In summary, resource inventory collection
✓ Supports governance initiatives
✓ Helps simplify compliance

12. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Which system traditionally performs these functions on-premises?
A configurationmanagement database (CMDB)

13. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
A traditional CMDB doesn’t work for cloud resources
• Resources are dynamic in the cloud (automatic scaling, Spot Instances, etc.)
• Real-time discovery of resources is necessary
• Configuration changes need to be recorded instantly
• Real-time evaluation of configuration compliance is necessary
• APIs are needed to integrate with other systems
• Real-time notifications are necessary for configuration and compliance changes

14. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
You need a real-time configuration auditor
in the cloud

15. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
AWS Config = Configuration auditor in AWS

16. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Audit & compliance
Maintain a history of all configuration changes for audits
Verify that configuration changes do not violate policies
Security intelligence
Security incident/breach analysis
Identifying vulnerable resources
Operational governance
DevOps compliance (e.g., evaluate CI/CD pipeline configuration)
Cost optimization (e.g., stop unused resources)
Integration with ITSM/CMDB
Integration with asset/inventory management systems
Change management, incident management
Common use cases

17. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Supported services: 26 AWSservices and 72 resource types
Amazon API Gateway
Amazon CloudFront
Amazon CloudWatch
Amazon DynamoDB
Amazon Elastic Compute Cloud
Amazon Elastic Block Store
Amazon Redshift
Amazon Relational Database Service
Amazon S3
Amazon S3 bucket attributes
Amazon Virtual Private Cloud
AWS Auto Scaling
AWS Certificate Manager
AWS CloudFormation
AWS CloudTrail
AWS CodeBuild
AWS CodePipeline
AWS Elastic Beanstalk
AWS Identity and Access Management
AWS Lambda function
AWS Service Catalog
AWS Shield
AWS Systems Manager
AWS WAF
AWS X-Ray
Elastic Load Balancing

18. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Anik Mazumder
Principal Infrastructure Architect,
Intuit

19. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Agenda
▪ About Intuit
▪ Use cases
▪ Change tracking
▪ Cloud inventory & metadatacollection
▪ Policy management

20. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
AWS footprint
▪ Over 1,800 AWS accounts
▪ Over 75 major production workloads
▪ Close to 40K EC2 instances
▪ Over 90K Lambda functions
▪ Over 12 PB of Amazon S3 data
▪ AWS Config enabled in every account as part of account creation process

21. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Change tracking
▪ What changed in any resource?
▪ How do I know what changed for my application?
▪ How do I map dependency between resources?
▪ Querying AWS APIs provides only point in time snapshots of assets
▪ Introduces additional load and complexities
AWS Cloud
IntuitMetadata Service
Multiple accounts
Amazon
ES
AWS
Lamdba
AWS
Step
Functions
Currentstate → Collects metadata and Inventorybutdoes not track changes

22. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Simplifying change tracking with AWS Config
▪ No need to poll AWS APIs and periodically consolidate resource data using a
complex system of Lambda functions and AWS Step Functions
▪ Complete resource inventory collection using AWS Config snapshots
▪ Quick snapshot of resources under AWS Config and change timelines using
Aggregator
▪ Dependency mapping between resources
▪ Instant notification of changes to resources using CloudWatch Events
integration

23. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Change tracking
Build a system for consolidating history of changes to AWS inventory based on
AWS Config
AWS
Config
AWS Cloud
Amazon
CloudWatch
Central account
CloudWatch
Events
Multiple accounts
Amazon
CloudWatch
AWS
CloudTrail
Central
account

24. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Use case: Cloud metadata (cont.’d)
AWS Config
AWS CloudTrail
IntuitMetadata Service
Amazon
Elasticsearch
Service
AWS
Lambda
AWS
Step
Functions
▪ Leverage change tracking
▪ Federate and cache infrastructure and business metadata

25. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Use case: Change portal
▪ UI to view changes to applications / systems

26. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Policy management
▪ How do I define infrastructure policies?
▪ How do I enforce policies across thousands of accounts?
▪ How can I track changes in compliance status?
▪ How do I remediate violations?

27. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Policy management: Current state
Centralized policy management integrated into existing framework
Monitoring
Notification
Centralized deployment
Policy classification
Bundling & target
selection
Policy Lambda
CloudTrailCloudWatch
Targetaccount

28. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Policy management using AWS Config rules
▪ Integrated state management
▪ With managed rules, no need to manage Lambda functions at the target
account
▪ Instant feedback of compliance state change through CloudWatch Events
integration
▪ Better control of remediation actions using Systems Manager Automation
documents.
▪ With custom rules, ability to deploy complex compliance logic
▪ Integrated compliance dashboard with AWS Config rule aggregator

29. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Policy management with AWS Config rules
AWS Config-based centralized policy management integrated into existing
framework
AWS Config rule
Policy Lambda
CloudTrailCloudWatch
Systems Manager
Automatondocs
Remediation
Lambda

30. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

31. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
New feature: Advanced query
• Configuration attribute-based queries against current state metadata
• Single endpoint to query metadata across AWS services
• Uses a subset of structured query language (SQL) SELECT syntax
• Sample queries available out-of-the-box
• Available at no additional cost for AWS Config customers
• Available in all AWS commercial regions and the AWS GovCloud (US) regions

32. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Advanced query: Use cases
• Inventory management
Identify resources that meet a specific criteria (e.g., EC2 instances of size “xlarge”; MySQL databases
running an old version)
• Cost management
Identify unused resources (e.g., EBS volumesthat are not in use)
• Change management
Understand impact of a change (e.g., view resources related to a security group)
• Security management
Identify resources that may be vulnerable (e.g., view all RDS DB instances that are publicly accessible)

33. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Getting started
Enable AWS Config in your account.01
In the AWS Config console, go to Resources > Advanced query.02
Run a sample query, or write your own.03

34. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

35. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

36. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I TS UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
“The newAWS Config ‘advanced query’ feature enables ustobuild powerfultools that
provide better insight intoour infrastructure. With hundreds of microservices deployed in
multiple regions, having in-depth visibility intothe relationships between the thousands
ofAWS resources weuse isextremely helpful for resource discovery, diagnostics, and
auditing purposes. The advanced query feature provides acentralized location andan
easy-to-use tool toobtain the critical details weneed about ourAWSinfrastructure.”
Bradley Segobiano,
Software Engineer, Genesys PureCloud
Customer testimonial

37. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Remediation with AWS Config rules
• Managed experience to remediate noncompliant resources
• Managed AWS Config rules come with recommended remediation actions
• Select from a list, or create your own action using Systems Manager Automation
documents
• Invoke remediation upon noncompliance of resources either through the console or
use the APIs
• Pricing is based on usage of Systems Manager Automation documents
• Available in all AWS commercial regions and AWS GovCloud (US-West)

38. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Getting started
Select a managed AWS Config rule in your account.01
Add a remediation action.02
Invoke the action manually through the console or API.03

39. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

40. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Demo video

41. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Additional resources
http://tinyurl.com/yyj92a7y
http://tinyurl.com/y5q3gxdz
http://tinyurl.com/yxgo6f9b
http://tinyurl.com/y2vu9aq5

42. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Conclusion
• Inventory management and configuration compliance are key pillars for effective cloud
governance
• Traditional CMDBs don’t do the job
• AWS Config is your configuration auditor for the cloud
• Use the advanced query and AWS Config rules remediation capabilities

43. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

44. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Other new releases in AWS management and governance
Use service control policies to set permission
guardrails across accounts with AWS
Organizations
Amazon Comprehend is now integrated with
AWS CloudTrail
AWS OpsWorks for Chef Automate and AWS
OpsWorks for Puppet Enterprise now
support AWS CloudFormation
AWS Systems Manager now supports on-
premises instance management for large
hybrid environments
Amazon Aurora Serverless publishes logs
to Amazon CloudWatch
AWS RoboMaker now supports new
languages, tagging, and AWS
CloudFormation
For more details: https://aws.amazon.com/new/#management-and-governance

45. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Thank you!
S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Sid Gupta
sidgup@amazon.com
Anik Mazumder
Intuit

46. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I TS UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.