SECURING THE GLOBAL ENTERPRISE: UNLEASHING THE POWER OF AWS CONFIG FOR UNMATCHED IT GOVERNANCE

Client Profile

A global technology company offers various services and products to help businesses connect, secure, analyze, and leverage their data and applications. Their solutions encompass servers, storage systems, networking tools, containerization software, and consulting and support services.

Key Requirement & Challenges

The client needed to establish a robust, automated solution to ensure the security and compliance of its AWS infrastructure across multiple regions and services. Specifically, the client needed a system that could:
  • Continuously monitor the configuration of AWS resources
  • Ensure compliance with internal security policies and industry standards
  • Automate remediation actions to address non-compliance
  • Efficiently manage exceptions and log events for auditing purposes

The client's existing processes for monitoring and enforcing compliance were manual, time-consuming, and prone to human error, which made maintaining a strong security posture in an agile cloud environment difficult.

    Solution

    Flentas implemented an automated compliance and security control solution to address these challenges, built on AWS Config, AWS Lambda, Amazon DynamoDB, AWS Systems Manager (SSM), Amazon EventBridge, and AWS Organizations. The solution was designed to:

      1. Leverage AWS Config to monitor and record the configurations of AWS resources continuously.

      2. Implement AWS Config Rules with custom Lambda functions to check compliance status against internal security standards that are not available as pre-defined AWS Config rules.

      3. Use EventBridge rules to route compliance findings to a Lambda orchestrator, which reads the affected resource's tags, in particular the auto_remediation tag, to decide whether auto-remediation should be performed.

      4. Execute Automated Remediation using AWS Lambda functions and SSM documents for resources tagged with auto_remediation = Y.

      5. Initiate Manual Remediation Actions by generating Jira tickets through a detection flow Lambda function for resources tagged with auto_remediation = N.

      6. Store logs and exceptions in Amazon DynamoDB for tracking, auditing, and troubleshooting.

      7. Create a Delegated Config Admin Account with an Organization-level Config Aggregator to centralize compliance monitoring and view all AWS account details in a single dashboard.
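As an added example (this is not Flentas's or the client's code), the following Python Lambda orchestrator shows steps 3 through 6 end to end: it consumes a Config Rules Compliance Change event as delivered by an EventBridge rule, looks up the resource's auto_remediation tag through the Config API, starts an SSM Automation document when the tag is Y, opens a Jira issue otherwise, and writes one audit record to DynamoDB. The rule-to-document mapping (REMEDIATION_DOCUMENTS), the DynamoDB key layout, the environment variable names (JIRA_URL, JIRA_USER, JIRA_TOKEN, JIRA_PROJECT, LOG_TABLE), the Fake* clients and the sample event are assumptions made for this example; the AWS API calls themselves (get_resource_config_history, start_automation_execution, put_item) are real boto3 calls.

```python
"""Lambda orchestrator for AWS Config compliance-change events (added example, not the page's
code). The rule-to-document mapping, table layout and environment variable names are assumptions."""
import base64, json, os, urllib.request
from datetime import datetime, timezone
# Assumed EventBridge rule pattern: only transitions to NON_COMPLIANT reach the orchestrator.
EVENT_PATTERN = {"source": ["aws.config"], "detail-type": ["Config Rules Compliance Change"],
                 "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}}
# Hypothetical mapping: Config rule name -> (SSM Automation document, its resource parameter).
REMEDIATION_DOCUMENTS = {
    "s3-bucket-public-read-prohibited": ("AWS-DisableS3BucketPublicReadWrite", "S3BucketName"),
    "sg-no-open-ssh-custom": ("Custom-RestrictSecurityGroup", "GroupId"),
}

def create_jira_ticket(summary, description):
    # Jira REST API create-issue call; URL, project and credentials from env vars (assumed deployment).
    auth = base64.b64encode(f"{os.environ['JIRA_USER']}:{os.environ['JIRA_TOKEN']}".encode()).decode()
    fields = {"project": {"key": os.environ["JIRA_PROJECT"]}, "summary": summary,
              "description": description, "issuetype": {"name": "Task"}}
    req = urllib.request.Request(os.environ["JIRA_URL"].rstrip("/") + "/rest/api/2/issue",
                                 data=json.dumps({"fields": fields}).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Basic " + auth})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["key"]

class Orchestrator:
    """Route a finding to SSM (auto_remediation=Y) or Jira (anything else); log every event."""
    def __init__(self, config_client, ssm_client, table, ticket_fn=create_jira_ticket):
        self.config, self.ssm, self.table, self.ticket_fn = config_client, ssm_client, table, ticket_fn

    def resource_tags(self, resource_type, resource_id):
        # The newest recorded configuration item carries the resource's current tags.
        hist = self.config.get_resource_config_history(resourceType=resource_type, resourceId=resource_id, limit=1)
        return (hist.get("configurationItems") or [{}])[0].get("tags", {})

    def handle(self, event):
        d = event["detail"]
        rule, rid, rtype, result = d["configRuleName"], d["resourceId"], d["resourceType"], d["newEvaluationResult"]
        record = {"pk": f"{d['awsAccountId']}#{rid}#{rule}",  # assumed DynamoDB key layout
                  "sk": result.get("resultRecordedTime") or datetime.now(timezone.utc).isoformat(),
                  "resourceType": rtype, "region": d["awsRegion"], "compliance": result["complianceType"],
                  "annotation": result.get("annotation", "")}
        if result["complianceType"] != "NON_COMPLIANT":
            record["action"] = "ignored"  # the event pattern should filter these; log anyway
        else:
            # A missing or malformed tag is treated as N: fail closed to human review.
            flag = self.resource_tags(rtype, rid).get("auto_remediation", "N").strip().upper()
            if flag == "Y" and rule in REMEDIATION_DOCUMENTS:
                doc, param = REMEDIATION_DOCUMENTS[rule]
                try:
                    resp = self.ssm.start_automation_execution(DocumentName=doc, Parameters={param: [rid]})
                    record.update(action="auto_remediation_started",
                                  automationExecutionId=resp["AutomationExecutionId"])
                except Exception as exc:  # remediation failed: keep the exception and escalate
                    record.update(action="ticket_created", exception=repr(exc))
            else:
                record.update(action="ticket_created",
                              reason="auto_remediation!=Y" if flag != "Y" else "no remediation document")
            if record["action"] == "ticket_created":
                record["ticket"] = self.ticket_fn(f"[{rule}] {rtype} {rid} NON_COMPLIANT",
                                                  json.dumps(record, indent=2))
        self.table.put_item(Item=record)
        return record

def lambda_handler(event, context):
    import boto3  # imported lazily so the module also loads offline, where the fakes below are used
    table = boto3.resource("dynamodb").Table(os.environ["LOG_TABLE"])
    return Orchestrator(boto3.client("config"), boto3.client("ssm"), table).handle(event)

# ---- Offline fakes and a constructed event, so the routing runs without an AWS account ----
class FakeConfig:
    def __init__(self, tags): self.tags = tags
    def get_resource_config_history(self, **kw):
        return {"configurationItems": [{"resourceId": kw["resourceId"], "tags": self.tags}]}

class FakeSSM:
    def __init__(self, fail=False): self.fail, self.calls = fail, []
    def start_automation_execution(self, **kw):
        self.calls.append(kw)
        if self.fail: raise RuntimeError("AccessDeniedException: not authorized to start automation")
        return {"AutomationExecutionId": "exec-0001"}

class FakeTable:
    def __init__(self): self.items = []
    def put_item(self, Item): self.items.append(Item)

def sample_event(rule="s3-bucket-public-read-prohibited", rtype="AWS::S3::Bucket", rid="example-bucket"):
    # Constructed 'Config Rules Compliance Change' event in the shape AWS Config emits.
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
            "detail": {"awsAccountId": "111122223333", "awsRegion": "us-east-1", "configRuleName": rule,
                       "resourceType": rtype, "resourceId": rid, "messageType": "ComplianceChangeNotification",
                       "newEvaluationResult": {"complianceType": "NON_COMPLIANT", "annotation": "public read",
                                               "resultRecordedTime": "2024-01-01T00:00:00.000Z"}}}

def run_demo(tag_value, ssm_fail=False, rule="s3-bucket-public-read-prohibited"):
    # Run one event through the orchestrator with fakes; returns (record, SSM calls, logged items).
    ssm, table = FakeSSM(fail=ssm_fail), FakeTable()
    orch = Orchestrator(FakeConfig({"auto_remediation": tag_value}), ssm, table, ticket_fn=lambda s, b: "SEC-1")
    return orch.handle(sample_event(rule=rule)), ssm.calls, table.items
```

Running run_demo("Y"), run_demo("N") and run_demo("Y", ssm_fail=True) shows the three paths: an automation execution is started, a ticket is opened, and a failed remediation is recorded with its exception and escalated to a ticket rather than silently dropped. Two points follow from this design rather than from the code: the tag value is effectively the authorization for an unattended change, so write access to the auto_remediation tag key should be restricted (for example with an aws:TagKeys condition in IAM policies or SCPs), and the orchestrator's execution role should be allowed ssm:StartAutomationExecution only on the documents in the mapping. Treating a missing, empty or mistyped tag as N means an untagged resource produces a ticket, never an automated change.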

    Components and Services

  • AWS Config: Monitors and records configurations of AWS resources and evaluates them against desired configurations.
  • AWS Lambda: Executes code in response to events; used here for the custom compliance checks, the orchestrator, remediation, and the detection workflow.
  • Amazon DynamoDB: A NoSQL database service used to store log details, exception logs, and other metadata.
  • AWS Systems Manager (SSM): Used for automation and executing SSM documents for auto-remediation actions.
  • Amazon EventBridge (formerly CloudWatch Events): Receives events from AWS services and routes them to targets such as AWS Lambda functions.
  • AWS Organizations: Helps manage and govern AWS accounts in a centrally managed manner.
  • AWS Config Aggregator: Collects configuration and compliance data from multiple AWS accounts and regions into one account.
  • Jira: A third-party ticketing system used to create tickets for manual intervention when auto-remediation is not enabled.

    Business Impact

    Enhanced Security Posture: Continuous monitoring and automated remediation significantly reduced the risk of misconfigurations and security breaches.
    Operational Efficiency: Automating compliance checks and remediation reduced the manual workload on the client's security team, allowing them to focus on strategic initiatives.
    Compliance Assurance: The solution ensured that the client's AWS environment complied with internal policies and industry standards.
    Scalability and Flexibility: The architecture is scalable and can easily be extended with new compliance rules or integrated with additional AWS services.
    Comprehensive Logging and Auditing: The centralized logging of all actions and exceptions in DynamoDB facilitated detailed auditing and compliance reporting.
