
2023
Improving Security and Gaining Project Visibility Using AWS Config with Meta

Learn how Meta, in the software and internet industry, created a solution on AWS to provide default security for global teams.

Improved development speed across teams using AWS

Solved for uniform threat detection

Achieved scalable, secure-by-design security and compliance

Sped up experimentation and custom workload building for developers

Overview

Global technology company Meta wanted to institute scalable, standardized security protocols to help its hundreds of development teams focus on serving billions of worldwide users. As the company migrated more workloads to the cloud, it needed to create common threat detection, team visibility, and an access model that could incorporate in-house security technologies alongside the built-in security of Amazon Web Services (AWS).

Meta set out to build a secure-by-design solution—one that includes security throughout the implementation of each activity and process—to achieve common threat detection, access management, and permission management across its teams using AWS. By building secure-by-design, Meta sped up its development of custom workloads, saved at least a million dollars a year on costs, and achieved scalable security and threat detection.

Opportunity | Using AWS Config to Create a Secure-by-Design Solution for Meta

Meta was founded as Facebook Inc. in 2004, and the company owns Facebook, WhatsApp, and Instagram, as well as other products and services, and has more than 3.6 billion active users. Meta has close to 1,000 AWS accounts and over 100 workloads ranging from artificial intelligence workloads to running websites, all done in the cloud. The company has a robust internal infrastructure to support its applications, but for some custom workloads, its developers needed the cloud.

In April 2020, Meta created its Cloud Foundation team, a centralized management team for the large variety of workloads. A major goal of Meta’s Cloud Foundation team was to provide service and product developers with the same experience, whether developing on internal infrastructure or AWS. Meta started its AWS journey while it worked to standardize purposeful security for developers regardless of their workloads.

To gain visibility into diverse developer workloads, Meta uses AWS Config, which continually assesses, audits, and evaluates the configurations and relationships of resources on AWS, on premises, and on other clouds. Using AWS Config, the company validates the configuration of its resources. Meta wanted to create a secure-by-design framework to handle threat detection, security, and compliance across these diverse teams and did so in a four-step process using AWS. “We solve a lot of security needs for all our users by default, which saves them a lot of time,” says Ekansh Grover, security engineer and tech lead for the Cloud Foundation Platform Team at Meta.


Solution | Solving Security Needs While Speeding Up Development Using AWS

The first step was to establish requirements based on compliance needs and AWS workloads. Meta used AWS Config to understand the workloads and compliance needs across teams and to determine which security controls to use, and it implemented the AWS Shared Responsibility Model. Under this model, AWS is responsible for the underlying infrastructure of the cloud, and Meta’s Cloud Foundation team provides security-by-default tooling. Meta’s cloud users are then responsible for using that tooling when creating application code. In other words, AWS is responsible for security of the cloud, and Meta is responsible for security in the cloud.

The second step was to build a secure environment. Meta is responsible for its own compliance, which varies by region, and the company goes through multiple audits each year. It is responsible for using the right AWS tools to meet compliance requirements and pass those audits. Meta also set up encryption requirements for its data.

The third step was to establish an enforcement mechanism to meet the established requirements, which involved using service control policies and standard templates. Meta also uses Amazon GuardDuty, a threat-detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. “Using Amazon GuardDuty gives us what we are looking for with threat detection,” says Grover. “We can easily switch it on to gain useful output and near-real-time threat detection. We use it for all our AWS accounts.”

The fourth step was to implement validation checks. Meta uses AWS Config rules to detect vulnerable configurations for resources in the cloud. With security baked in, the company can focus its efforts on using AWS services alongside its own infrastructure. One example is the company’s use of AWS Identity and Access Management (IAM) to securely manage identities and access to AWS services and resources. “We use AWS IAM in addition to our own single sign-on provider, which gives developers the seamless experience of accessing the cloud as they have for internal Meta infrastructure,” says Grover.

Meta saves time because developers can spin up resources without worrying about meeting security protocols. For example, with Meta’s internal project Supernova, which helps the company with content moderation worldwide, Meta cut development time in half. Meta also goes through security audits for workloads around the world. Because of the secure-by-design solution, the company can pass these audits quickly. “Running infrastructure and publishing applications on AWS makes the development faster for custom workloads,” says Grover. The Cloud Foundation team at Meta solves access management, threat detection, and bug detection for its users, saving time for developers and costs for the company. By also using Right Sizing, the process of matching instance types and sizes to workload performance and capacity requirements at the lowest possible cost, Meta saves at least a million dollars per year.

Outcome | Pairing AWS Services and Internal Tools

Meta is working to be more proactive with its security protocols, ingesting security logs from AWS into its internal systems for greater visibility. The company’s end goal is for there to be no difference for developers deploying on internal infrastructure versus deploying on AWS. The company plans to improve coverage of operating system images in the cloud for better default visibility and bug detection. Meta also wants to build more proactive security to layer on top of its current threat detection in the cloud. “When developers build on AWS, our end goal is for it to look exactly like building on internal infrastructure,” says Grover. “The North Star for my team is making it seamless so that developers don’t even realize they’re deploying in the cloud.”

About Meta

Formerly known as Facebook Inc., Meta is a multinational, California-based technology conglomerate that serves 3.6 billion users globally. The company owns social technologies such as Facebook, Instagram, and WhatsApp, among other products and services.

AWS Services Used

AWS Config

AWS Config continually assesses, audits, and evaluates the configurations and relationships of your resources on AWS, on premises, and on other clouds.

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

AWS Identity and Access Management (IAM)

With AWS Identity and Access Management (IAM), you can specify who or what can access services and resources in AWS, centrally manage fine-grained permissions, and analyze access to refine permissions across AWS.
