Infrastructure Auto-Remediation on AWS with 6pillars and AWS Well-Architected Integration
By Lorenzo Modesto, CEO – 6pillars
By Tony Trinh, Sr. Partner Solutions Architect – AWS
The AWS Well-Architected Framework defines six pillars of cloud best-practices: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and the most recent addition, Sustainability.
Applying the Well-Architected Framework, Amazon Web Services (AWS) users can conduct several types of architectural reviews, including the AWS Foundational Technical Review (FTR) that is required for AWS Software Partner-hosted solutions.
The FTR extends three of the six Well-Architected pillars into specific controls around Operational Excellence, Security, and Reliability. This helps establish a sufficiently high bar to ensure an approved AWS Partner-hosted solution delivers a comprehensively well-architected experience for customers.
Key AWS service and infrastructure best-practices in the areas of support, identity and access management (IAM), logging, vulnerability management, application, network, protection of data at rest, protection of data in transit, and disaster recovery make up these special FTR controls.
In this post, we will explore how automation delivers efficiencies around discovery, completion, and creation of the assets required to complete an FTR, and more specifically how automating the remediation of risk (auto-remediation) can be leveraged to:
- Achieve best-practice faster.
- Allow an AWS Partner to safely benefit from a virtuous circle of ever-increasing best-practice.
- Benefit from continuous compliance with leading international standards as a differentiator.
- Deliver material operational gains.
- Fast-track an AWS Partner’s FTR journey.
6pillars.io is an AWS Select Tier Services Partner and member of the Well-Architected Partner Program. It’s also an AWS Level 1 MSSP Competency Partner that leverages a combination of AWS-native services, open-source projects, and proprietary patent-pending IP to provide customers with fully customizable, non-destructive automation to support their journey through the FTR process.
6pillars’ flagship product, AUTOMATE+, is fully integrated with the AWS Well-Architected Tool. This led to many improvements and refinements that have advanced automation for a range of AWS services.
Achieving Best Practice Faster and Safer
Cloud best practice should be the goal of every customer, but it’s not just a badge or certification—best-practice configuration of each AWS service provides a foundation that mitigates risk for all workloads.
Multiple AWS services such as AWS Security Hub and AWS Config can be used to check and report on best-practice controls. Upon check completion, risk remediation can be performed manually to minimize impact to performance, availability, or accessibility of existing workloads.
However, these checks make it possible to implement automation, and ultimately auto-remediation, which essentially fast-tracks best-practice configuration.
Furthermore, automation safeguards have improved over the last few years to ensure automation doesn’t impact existing workloads. These safeguards (as depicted in Figure 1) are still evolving but already include:
- Auto-deployment vs. alert only (deployment by human intervention).
- Choices between one-off remediation and ongoing auto-remediation.
- Enforcing approval for remediation, which can be toggled off for full auto-remediation.
- Remediation at different granularity levels (e.g., an individual bucket or security group).
- Auto-remediation toggling for each control, allowing incremental adoption, or grouping of multiple or all controls.
- Grouping of control/auto-remediation into “destructive” and “non-destructive.” The “non-destructive” safeguards ensure there is no way the automation can (accidentally) impact the current workloads or development staff.
Figure 1 – AUTOMATE+ automation safeguards and configuration.
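As an added illustration (not 6pillars' code and not how AUTOMATE+ is implemented), the following Python expresses the safeguards listed above as a per-control gating policy: alert-only versus auto-deploy, an approval step, one-off versus ongoing remediation, per-resource granularity, and a destructive/non-destructive classification that keeps destructive fixes from ever running unattended. The control ids and resources in the sample policy are constructed for the example and only follow AWS Security Hub naming.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    ALERT_ONLY = "alert_only"   # raise the finding; a human deploys the fix
    APPROVAL = "approval"       # stage the fix; run it only once approved
    AUTO = "auto"               # fully automated remediation


@dataclass
class ControlPolicy:
    control_id: str
    mode: Mode
    destructive: bool       # fix could alter behaviour of a running workload
    ongoing: bool = True    # False = one-off: fix once, alert on recurrence


@dataclass(frozen=True)
class Finding:
    control_id: str
    resource: str           # granular target, e.g. one bucket or security group


def decide(finding, policies, history):
    """Return 'remediate', 'queue_for_approval' or 'alert' for one finding.
    history: set of (control_id, resource) pairs already remediated.
    Safeguards: no policy means alert-only; destructive controls never run
    unattended even if toggled to AUTO; one-off controls fix a resource once.
    """
    policy = policies.get(finding.control_id)
    if policy is None or policy.mode is Mode.ALERT_ONLY:
        return "alert"
    key = (finding.control_id, finding.resource)
    if not policy.ongoing and key in history:
        return "alert"
    if policy.mode is Mode.APPROVAL or policy.destructive:
        return "queue_for_approval"
    history.add(key)
    return "remediate"


def run(findings, policies):
    """Process findings in order, returning (resource, action) pairs."""
    history = set()
    return [(f.resource, decide(f, policies, history)) for f in findings]


# Constructed sample policy; control ids follow AWS Security Hub naming.
POLICIES = {
    "CloudTrail.4": ControlPolicy("CloudTrail.4", Mode.AUTO, destructive=False),
    "S3.1": ControlPolicy("S3.1", Mode.AUTO, destructive=False, ongoing=False),
    "EC2.19": ControlPolicy("EC2.19", Mode.AUTO, destructive=True),
}
```

Feeding the engine a stream of findings shows the one-off control remediating a bucket once and then alerting, while the destructive control is downgraded to approval even though it is toggled to AUTO.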
Once automation is implemented, even across non-destructive controls such as those associated with logging, alarms, and log file validation, it opens the door to continuous compliance with cloud best practice and an ever-growing number of compliant standards.
The level of compliance required by multiple standards has increased over time and is set to become more stringent. International standards like SOC 2 Type 2 and the latest version of PCI DSS (4.0) now require proof of compliance over a period of time, making them the first to require continuous compliance.
There are essentially only three ways to achieve continuous compliance:
- Eliminate changes from an environment, account, or workload.
- Source a dedicated team with the appropriate tools, skills, and follow-the-sun availability.
- Leverage automation, including auto-remediation.
Of these, continuous compliance through automation is not only the most cost-effective choice; it can also be a competitive advantage for a business.
For example, compliance required as part of a procurement process can be a painful overhead and a hurdle to winning new customers. Automation (including auto-remediation) can eliminate this pain and help businesses demonstrate to prospective customers a continuous commitment to best practice.
Cybersecurity skills shortages are a global challenge that threatens to worsen as bad actors become more sophisticated and motivated by their past successes.
While higher education, reskilling, and upskilling programs support long-term cybersecurity resourcing goals, automation is required to close the gap between the skills available and the growing volume of security issues that must be mitigated.
Another key area where automation can deliver significant operational gains is in the consistency of incident response. By contrast, one engineer's manual response to an incident may vary based on their health, focus, and even mood, and this individual inconsistency is multiplied across teams that rely on a variety of individuals.
Finally, automation reduces costs by freeing up existing staff so they can perform higher-value work for the business.
Fast-Tracking the FTR Journey
It’s encouraging to note that integrations with the AWS Well-Architected Tool have grown over the years to include a number of AWS Software Partners’ solutions.
Some of these solutions offer automated discovery and even completion of the Well-Architected Review. However, they constitute only the initial steps of what's possible when automation is leveraged to the fullest.
Meanwhile, 6pillars’ AUTOMATE+ represents a giant leap with automation of every step in the FTR process, which drives efficiencies and material improvements in best-practice posture.
Figure 2 – AUTOMATE+ integrates with the AWS Well-Architected Tool.
AUTOMATE+ can now deliver auto-creation of test workloads, auto-discovery of posture and compliance, auto-filling of answers in the Well-Architected Tool (especially around FTR controls), auto-remediation of non-compliant controls, and finally auto-generation of the required reports.
Figure 3 – 6pillars’ AUTOMATE+ Well-Architected FTR tab.
Automation has matured to the point where it’s ready to support customers’ growing sophistication and appetite for efficiency.
To that end, 6pillars’ dedication to automation-first and integration with AWS-native tools enables our mutual customers to deploy automation of AWS best practices quickly, safely, and cost-effectively. This drives significant benefits to customers seeking to adhere to multiple compliance standards.
On top of that, through the integration with the AWS Well-Architected Tool, 6pillars’ AUTOMATE+ can deliver required artefacts for a Foundational Technical Review (FTR) within minutes. This greatly accelerates FTR completion time for independent software vendors (ISVs) who seek to become AWS-validated Software Partners.
6pillars – AWS Partner Spotlight
6pillars.io is an AWS Select Tier Services Partner and member of the Well-Architected Partner Program. 6pillars’ flagship product, AUTOMATE+, is fully integrated with the AWS Well-Architected Tool.