Deutsche Börse Manages Assets Across Cloud Providers and Maintains Compliance Using AWS Config

Deutsche Börse runs and operates financial trading markets in Germany and other parts of Europe, as well as in Asia and North America. The company is a market infrastructure provider, with nearly 4,000 of its more than 10,000 employees involved in information technology. Previously, it ran all its data centers on premises and monitored long-running assets, such as servers with a lifespan of several years, using an on-premises solution. However, as the company began building out its cloud infrastructure across several cloud providers, its existing asset management system could no longer support its needs for security compliance monitoring.

“We are a regulated business,” says Christian Tueffers, senior cloud architect at Deutsche Börse. “We need to know what our assets are, how they are configured, and whether they are compliant with security rules and guidelines.” As such, the company needed a solution that would pull data from its cloud environments into a consolidated asset management system that would provide a convenient view of its entire asset catalog.

In early 2021, Deutsche Börse began developing this new solution on AWS. The company chose AWS Config because the service automatically supports AWS resources while also letting Deutsche Börse register custom resource types. This feature helps the company view and track all its assets across multiple cloud providers in one place. “The underlying data model of AWS Config is solid and very powerful,” says Tueffers. “We can onboard custom resources and use the built-in timeline function to track changes.” AWS Config has become the primary tool for monitoring its virtual machines, serverless functions, managed databases, object storage, and networking components from AWS and other cloud providers.

Using AWS Config, Deutsche Börse can continuously monitor and audit the compliance of all its resources. While the service gathers data directly for the company’s AWS resources, it also stores data from other cloud providers. To gather that data, Deutsche Börse uses Amazon Simple Queue Service (Amazon SQS), a fully managed message queuing service for microservices, distributed systems, and serverless applications. Then, the company uses AWS Lambda, which lets users cost effectively run event-based code for virtually any type of application or backend service, to process the data and push it to AWS Config.

With these services, Deutsche Börse has a near-real-time view of its resources, whereas its previous system didn’t share information until the following day. “AWS Config is the beating heart of this project,” says Moritz Sundarp, cloud platform engineer at Deutsche Börse. Amazon API Gateway—a fully managed service that makes it simple for developers to create, publish, maintain, monitor, and secure APIs at any scale—and Lambda functions pull data from AWS Config to the company’s asset management user interface. “For the first time, the product teams can see all the assets across multiple cloud and on-premises environments in one view,” says Tueffers. “Before that, they had to go into different cloud service providers or even into different AWS accounts.” This consolidated view has made day-to-day operations—such as finding assets and asset owners more quickly—simpler for Deutsche Börse’s operational teams and has improved their productivity.

Using AWS Config also helps Deutsche Börse store the configuration history of its resources, which lets the company review its security compliance with ease. Additionally, the advanced query feature in AWS Config lets the company check the state of all resources on the service through a single endpoint. For example, Deutsche Börse uses AWS Config to ensure that mandatory tags are applied to cloud services. These tags are required for billing purposes but also to maintain, for regulatory purposes, clear asset ownership. The service facilitates Deutsche Börse’s continuous evaluation of the compliance of those resources. “We can also display that compliance information in the user interface so that users can see which of their resources comply with which rules,” says Sundarp.

Deutsche Börse plans to use AWS Config rules to define specific security baselines and continue fine-tuning the compliance requirements of individual assets, further simplifying its security compliance monitoring. “We have the ability to identify whether the resources are compliant with these baselines,” says Tueffers. “And that is something regulators like to see.”

Having developed a new asset management solution and improved its ability to maintain security compliance, Deutsche Börse is confident in its future on AWS. “We take pride in being a front-runner in adopting the cloud and AWS,” says Tueffers. “AWS is very stable and delivers high performance. There are always challenges out there with compliance, but on the cloud, we can overcome them.”