Discovery operates large-scale AWS and Azure environments with over 100 AWS accounts and Azure subscriptions. These accounts and subscriptions contain more than 1,000,000 configurable assets.
Discovery's Cloud Security team developed an in-house solution, similar to Scout2 and Cloud Custodian, to perform AWS and Azure compliance checks. Discovery's solution avoided the mistakes of many other in-house compliance solutions: it not only identified gaps in configuration and compliance but also actively routed, escalated and, most importantly, clearly communicated policy violations to the stakeholders responsible for remediation. Stakeholders received their policy violations from a bot named Carlos. At first Carlos was polite, asking users to remediate their policy violations, and he gradually became more threatening if they did not. Despite this well-executed implementation of Carlos, the Discovery team soon ran into two major issues.
- Because AWS and Azure were adding and updating services so quickly, the team had a hard time keeping up with new policies to match these new services.
- They lacked a solid, low-friction exception-handling process, which caused long email chains, aggravation and lost productivity.
Cloudaware Modules Deployed
- Cloudaware CMDB
- Cloudaware Compliance Engine
- Cloudaware Incident Management
Solution
Cloudaware is a modular, SaaS-based cloud management platform. Our CMDB uses collectors which in turn leverage AWS Config, AWS CloudTrail and service-specific API calls to build a complete inventory of all of a customer's AWS infrastructure. Discovery used automatically generated CloudFormation StackSets and AWS Organizations where possible to create a cross-account IAM role that allowed Cloudaware CMDB collectors to start harvesting information about the current state of Discovery's AWS infrastructure and populate the CMDB.
In addition to supporting AWS, Cloudaware CMDB also supports Microsoft Azure and Google Compute Cloud and provides integrations for VMware. This allowed Discovery to create a single pane of glass for all of their infrastructure regardless of where it was hosted.
Tagging
A particular area of importance for Discovery was enforcing consistent tagging standards across their infrastructure. Using our Tag Analyzer, which is part of the CMDB, Discovery was able to better understand and correct deviations in their tagging coverage.
Compliance Engine
Cloudaware Compliance Engine is a collection of over 300 cloud configuration policies and is a superset of the policies available from frameworks such as Scout2, Cloud Custodian by Capital One, CloudConformity, CloudCheckr, CloudHealth and many others.
Cloudaware Compliance Engine has several key differentiators from other similar solutions available on the market.
- Extremely rich library of policies
- Multi-cloud policies
- Ability to author new policies and clone existing ones using the Java programming language
- Ability to customize policies for specific accounts, VPCs, etc.
- Ability to create policies that evaluate non-AWS attributes available in the CMDB
- Fewer API calls made to AWS, because inventory is collected once and evaluations run against the CMDB rather than against live AWS inventory
- Integration with third-party ticketing systems such as JIRA, ServiceNow, ServiceCloud, etc.
- Automated exception-handling processes
Sample policy interface:
Exception Handling:
Incident Management
Cloudaware Incident Management allows customers to route policy violations to the appropriate teams.
This feature proved critical to Discovery because, using Cloudaware's incident management API, Discovery was able to integrate the Compliance Engine with the existing compliance bot they had been using to communicate with stakeholders.
The Incident Management module also provides sophisticated stateful integration with third-party ticketing systems such as JIRA and ServiceNow: it can not only open tickets but also update and close them as the violation moves through its lifecycle.
Discovery decided to continue using the Carlos bot to communicate with stakeholders; however, Carlos now relied on the Cloudaware Compliance Engine and exception-handling processes to source the violations and handle exceptions.
Users continued to receive familiar emails from Carlos, and he would still get angry if violations were not remediated within the required timelines, but now users could request exceptions.
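The two mechanisms described above, policy evaluation against a CMDB snapshot with an exception register (the Compliance Engine bullets) and a stateful incident record that opens, escalates and closes as a violation's lifecycle progresses (Incident Management), are illustrated by the following added example. It is not Cloudaware's code or Discovery's Carlos bot; the policy, the S3 bucket records, the account and team names, the exception entry and the 7- and 14-day escalation thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed CMDB snapshot: S3 bucket records as a collector might store them.
# Account IDs, bucket names and team names are made up for this example.
CMDB_SNAPSHOT: List[dict] = [
    {"id": "s3://media-public-assets", "account": "111111111111", "owner_team": "web", "public": True},
    {"id": "s3://finance-backups", "account": "222222222222", "owner_team": "finance", "public": True},
    {"id": "s3://app-logs", "account": "222222222222", "owner_team": "platform", "public": False},
]

# Constructed exception register: the web team's public bucket is intentional,
# so an exception was approved for it with an expiry date.
EXCEPTIONS: Dict[str, Dict[str, dict]] = {
    "s3-no-public-buckets": {
        "s3://media-public-assets": {"expires": date(2030, 1, 1), "reason": "static website"},
    },
}


def s3_no_public_buckets(asset: dict) -> bool:
    """Policy check: return True when the asset violates the policy."""
    return bool(asset.get("public"))


# Policy name -> check function; evaluated against the CMDB, never against live AWS APIs.
POLICIES: Dict[str, Callable[[dict], bool]] = {"s3-no-public-buckets": s3_no_public_buckets}


@dataclass
class Incident:
    policy: str
    asset_id: str
    owner_team: str
    first_seen: date
    status: str = "open"  # "open" or "closed"
    closed_reason: Optional[str] = None

    def escalation_level(self, today: date) -> int:
        """0 = polite reminder, 1 = firm reminder, 2 = escalate to management.
        The 7- and 14-day thresholds are assumed for this example."""
        age_days = (today - self.first_seen).days
        return 0 if age_days < 7 else (1 if age_days < 14 else 2)


class IncidentStore:
    """Stateful record of violations: opens, keeps, and closes incidents across runs."""

    def __init__(self) -> None:
        self.incidents: Dict[Tuple[str, str], Incident] = {}

    def reconcile(self, snapshot, policies, exceptions, today: date) -> List[Incident]:
        """Run every policy over the snapshot and bring incident state in line with it."""
        still_violating = set()
        for policy_name, check in policies.items():
            for asset in snapshot:
                if not check(asset):
                    continue
                key = (policy_name, asset["id"])
                exc = exceptions.get(policy_name, {}).get(asset["id"])
                if exc is not None and exc["expires"] >= today:
                    # Approved, unexpired exception: no incident (close one if it was open).
                    self._close(key, "exception approved")
                    continue
                still_violating.add(key)
                if key not in self.incidents or self.incidents[key].status == "closed":
                    self.incidents[key] = Incident(policy_name, asset["id"], asset["owner_team"], today)
        # Open incidents whose asset no longer violates were remediated: close them.
        for key, inc in self.incidents.items():
            if inc.status == "open" and key not in still_violating:
                self._close(key, "remediated")
        return self.open_incidents()

    def _close(self, key, reason: str) -> None:
        inc = self.incidents.get(key)
        if inc is not None and inc.status == "open":
            inc.status = "closed"
            inc.closed_reason = reason

    def open_incidents(self) -> List[Incident]:
        return [i for i in self.incidents.values() if i.status == "open"]


def notification(inc: Incident, today: date) -> str:
    """Message a Carlos-style bot would send; the tone depends on how long the incident has been open."""
    tone = ["Friendly reminder", "Second notice", "Escalated to management"][inc.escalation_level(today)]
    return f"[{tone}] {inc.owner_team}: {inc.asset_id} violates {inc.policy} (open since {inc.first_seen})"


def demo() -> dict:
    """Three reconciliation runs: initial scan, ten days later unremediated, then remediated."""
    store = IncidentStore()
    day0 = date(2024, 1, 1)
    first = [i.asset_id for i in store.reconcile(CMDB_SNAPSHOT, POLICIES, EXCEPTIONS, day0)]
    day10 = day0 + timedelta(days=10)
    msgs = [notification(i, day10) for i in store.reconcile(CMDB_SNAPSHOT, POLICIES, EXCEPTIONS, day10)]
    fixed = [dict(a, public=False) if a["id"] == "s3://finance-backups" else a for a in CMDB_SNAPSHOT]
    remaining = store.reconcile(fixed, POLICIES, EXCEPTIONS, day0 + timedelta(days=11))
    closed = store.incidents[("s3-no-public-buckets", "s3://finance-backups")].closed_reason
    return {"first_run": first, "day10_messages": msgs, "after_fix": len(remaining), "closed_reason": closed}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points carry over from the case study: the exception register is consulted at evaluation time, so an approved exemption (a bucket that is meant to be public) never becomes a ticket in the first place, and the incident key is (policy, asset) across runs, so a repeat scan keeps the original first-seen date and escalates instead of opening a duplicate, while a run in which the asset no longer violates closes the record with a reason.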
Results
- Increased compliance coverage from just EC2, S3 and IAM to all services used by Discovery
- Leveraged existing stakeholder notifications that had already proved effective and popular
- Reduced administrative overhead by giving users a consistent, low-friction process to request exemptions (some S3 buckets are meant to be public, after all)
- Eliminated AWS API throttling during compliance checks, because checks are run against the CMDB, which in turn leverages CloudTrail and AWS Config to minimize "Describe*" API calls
- One policy can now be applied to resources in both AWS and Azure
Find out more about Cloudaware here.