Improving Security and Gaining Project Visibility Using AWS Config with Meta

Meta was founded as Facebook Inc. in 2004, and the company owns Facebook, WhatsApp, and Instagram, as well as other products and services, and has more than 3.6 billion active users. Meta has close to 1,000 AWS accounts and over 100 workloads ranging from artificial intelligence workloads to running websites, all done in the cloud. The company has a robust internal infrastructure to support its applications, but for some custom workloads, its developers needed the cloud.

In April 2020, Meta created its Cloud Foundation team, a centralized management team for the large variety of workloads. A major goal of Meta’s Cloud Foundation team was to provide service and product developers with the same experience, whether developing on internal infrastructure or AWS. Meta started its AWS journey while it worked to standardize purposeful security for developers regardless of their workloads.

To gain visibility into diverse developer workloads, Meta uses AWS Config, which continually assesses, audits, and evaluates the configurations and relationships of resources on AWS, on premises, and on other clouds. Using AWS Config, the company validates the configuration of its resources. Meta wanted to create a secure-by-design framework to handle threat detection, security, and compliance across these diverse teams and did so in a four-step process using AWS. “We solve a lot of security needs for all our users by default, which saves them a lot of time,” says Ekansh Grover, security engineer and tech lead for the Cloud Foundation Platform Team at Meta.

The first step was to establish requirements based on compliance needs and AWS workloads. Meta used AWS Config to understand the workloads and compliance needs across teams and determine what security controls to use and implemented the AWS Shared Responsibility Model. Under this model, AWS is responsible for the underlying infrastructure of the cloud, and Meta’s Cloud Foundation team provides security by default tooling. Meta’s cloud users are then responsible for using that tooling when creating application code. In other words, AWS is responsible for security of the cloud, and Meta is responsible for security in the cloud.

The second step was to build a secure environment. Meta is responsible for its own compliance, which varies based on region and goes through multiple audits each year. The company is responsible for using the right AWS tools to meet compliance and pass those audits. Meta also set up encryption requirements for its data.

The third step was to establish an enforcement mechanism to meet the established requirements, which involved using service control policies and standard templates. Meta also uses Amazon GuardDuty, a threat-detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. “Using Amazon GuardDuty gives us what we are looking for with threat detection,” says Grover. “We can easily switch it on to gain useful output and near-real-time threat detection. We use it for all our AWS accounts.”

The fourth step was to implement validation checks. Meta uses AWS Config rules to detect vulnerable configurations for resources in the cloud. With security baked in, the company can focus its efforts on using AWS services alongside its own infrastructure. One example is the company’s use of AWS Identity and Access Management (IAM) to securely manage identities and access to AWS services and resources. “We use AWS IAM in addition to our own single sign-on provider, which gives developers the seamless experience of accessing the cloud as they have for internal Meta infrastructure,” says Grover.

Meta saves time because developers can spin up resources without worrying about meeting security protocols. For example, with Meta’s internal project Supernova, which helps the company with content moderation worldwide, Meta cut development time in half. Meta also goes through security audits for workloads around the world. Because of the secure-by-design solution, the company can pass these audits quickly. “Running infrastructure and publishing applications on AWS makes the development faster for custom workloads,” says Grover. The Cloud Foundation team at Meta solves access management, threat detection, and bug detection for its users, saving time for developers and costs for the company. By also using Right Sizing, the process of matching instance types and sizes to workload performance and capacity requirements at the lowest possible cost, Meta saves a least a million dollars per year.