Building an AWS Onramp: Maintaining Guardrails for Self-Service AWS
OVERVIEW
More than 130 teams at Morningstar use AWS in some capacity. To encourage those teams to follow security best practices, our central cloud team had to get creative: we set firm guardrails yet offer self-service ownership. First, we will review the foundations of a strong account setup and network security, based on the AWS Shared Responsibility Model. With that foundation in place, we will review how the cloud team enables application teams to take ownership of security best practices. Empowered builders fully understand their AWS environments and share knowledge across teams. Rigid IAM policies can inhibit innovation; instead, we encourage developers to understand AWS and security best practices.
Finally, we will review how to scale the guardrails to the entire organization and nudge teams to follow security best practices.
We centrally ensure cloud security through two scanning systems: event-based scanners, which react to individual API calls, and time-based scanners, which sweep accounts on a schedule. The scanners are built from custom scripts and Lambda functions and report findings through Jira tickets and SES email. Currently we report on public S3 buckets, resources without backups, unpatched instances, and non-standard AMIs. This talk will delve into our scanner architecture as well as how we enforce cloud security across business units. This balance of a self-service approach with automated security checks enables teams to adopt AWS quickly while staying secure.
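As an added worked example (not code from the talk or from Morningstar's scanners), the following shows the kind of detection logic such a scanner runs for two of the checks named above: a public S3 bucket and an instance launched from a non-standard AMI, plus the trigger handling that separates an event-based scan (one bucket named in a CloudTrail event delivered by EventBridge) from a time-based scan (a scheduled rule with no bucket). The functions operate on the response shapes boto3 returns, which is an assumption of the example; the bucket names, instance IDs, AMI IDs, the approved-AMI list and the trigger events are all constructed so the code runs offline. Ticket creation and email are left out.

```python
"""Guardrail scanner checks: public S3 buckets and non-standard AMIs.
Pure functions over the dict shapes boto3 returns (assumption: boto3 1.x response
shapes for get_bucket_acl, get_bucket_policy, get_public_access_block and
describe_instances), so the checks run offline on the constructed samples below.
A deployed Lambda would feed them from those calls and raise a Jira ticket or an
SES mail per finding; that wiring is left out.
"""
import json

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Constructed allow-list; where a real scanner keeps it is an assumption.
APPROVED_AMIS = {"ami-0aaaaaaaaaaaaaaa1", "ami-0aaaaaaaaaaaaaaa2"}


def scan_scope(event):
    """Event-based trigger (CloudTrail API call via EventBridge) names one bucket;
    a scheduled rule names none, so the time-based scan covers everything."""
    detail = event.get("detail", {})
    if detail.get("eventSource") == "s3.amazonaws.com":
        return "event", detail["requestParameters"]["bucketName"]
    return "scheduled", None


def acl_is_public(acl):
    """True if a GetBucketAcl response grants to AllUsers or AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
               for g in acl.get("Grants", []))


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)


def policy_is_public(policy_json):
    """True if an Allow statement targets Principal '*' with no Condition.
    A Condition (e.g. aws:SourceVpce) is taken as a restriction here; a stricter
    scanner would evaluate each condition key rather than trusting any of them."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(s.get("Effect") == "Allow" and _principal_is_wildcard(s.get("Principal"))
               and not s.get("Condition") for s in statements)


def block_public_access_enabled(pab):
    """True only when all four S3 Block Public Access settings are on."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                            "BlockPublicPolicy", "RestrictPublicBuckets"))


def bucket_findings(name, acl, policy_json, pab):
    """Findings for one bucket; empty when compliant."""
    if block_public_access_enabled(pab):
        return []  # Block Public Access neutralises public ACLs and policies
    findings = []
    if acl_is_public(acl):
        findings.append(f"{name}: ACL grants access to a public group")
    if policy_is_public(policy_json):
        findings.append(f"{name}: policy allows Principal '*' without a Condition")
    return findings


def ami_findings(reservations, approved=APPROVED_AMIS):
    """Running instances whose ImageId is not on the approved list."""
    return [f"{i['InstanceId']}: non-standard AMI {i['ImageId']}"
            for r in reservations for i in r.get("Instances", [])
            if i.get("State", {}).get("Name") == "running" and i["ImageId"] not in approved]


# Constructed sample data (bucket names, IDs and AMIs are made up).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}
ACL_PUBLIC = {"Grants": [OWNER, {"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
ACL_PRIVATE = {"Grants": [OWNER]}
POLICY_PUBLIC = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/*"}]})
POLICY_VPCE = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-internal/*",
               "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})
PAB_ON = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "ImageId": "ami-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"}},
    {"InstanceId": "i-0bbb", "ImageId": "ami-0ffffffffffffffff", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc", "ImageId": "ami-0ffffffffffffffff", "State": {"Name": "stopped"}}]}]
EVENT_TRIGGER = {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
                 "detail": {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
                            "requestParameters": {"bucketName": "example-logs"}}}
SCHEDULED_TRIGGER = {"source": "aws.events", "detail-type": "Scheduled Event", "detail": {}}
```

Running bucket_findings("example-logs", ACL_PUBLIC, POLICY_PUBLIC, None) yields two findings, the same bucket with PAB_ON yields none, and ami_findings(RESERVATIONS) flags only the running instance on the unapproved AMI. Two design points carry over to a real scanner: evaluate Block Public Access before the ACL and policy so you do not page teams about exposure that is already neutralised, and treat a Condition on a wildcard-principal statement as a signal to inspect, not as proof of safety.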