Governance at Scale as a Small Team Using AWS Organizations with Volkswagen Financial Services

VWFS provides services such as financing, leasing, insurance, and mobility solutions to its customers in a highly regulated financial services environment. When the MPS team began using AWS in 2017, it had to oversee the technology of dozens of developers working in accounts with disparate configurations. “We identified areas where we could do the heavy lifting for customers,” says Weissfuss. “We wanted to handle centralized security and compliance so that a product team only needs to take care of the security of its application.” For example, the MPS team enforces encryption of block storage and databases and manages identity and access centrally.

The MPS team was determined to find the sweet spot between, on the one hand, standardizing security controls for 1,600 accounts and more than 350 production workloads, and on the other hand giving engineers the freedom to develop products using the advantages of the cloud. “We want to provide our teams with all the tools they need, tied together with one identity provider to log on,” says Jan Christophersen, DevOps engineer at VWFS. “They need source code storage, a ticketing system, secrets management, and somewhere to put their application on AWS. We are eight engineers, so we must be efficient and automate everything that we can.”

The MPS team splits each of its workloads into four AWS accounts that represent different stages—development, integration, preproduction, and production—with centralized accounts for compliance, monitoring, and auditing. MPS defines central configurations, security mechanisms, audit requirements, and resource sharing across all VWFS accounts. The team uses more than 40 AWS services and applies the AWS Organizations service control policies (SCPs), a type of authorization policy for managing permissions in an organization and helping make sure that accounts stay within an organization’s access control guidelines.

The MPS team created a centralized dashboard to facilitate reports for security officers, a separate team that monitors for threats and vulnerabilities. To track resource changes across all 1,600 accounts, MPS uses AWS Config, which continually assesses, audits, and evaluates the configurations of resources on AWS, on premises, and on other clouds. MPS centralizes the creation, updating, and deletion of AWS Config rules across all AWS accounts, and it uses APIs from the AWS Organizations management account to enforce governance at scale.

For vulnerability management at scale, the team uses Amazon Inspector, an automated vulnerability management service. “That was the game changer for us,” says Weissfuss. “Now, we have everything automated. We’re using AWS to do a lot of heavy lifting with continual scaling, autoactivation, automatic code scanning—all of which lead to us being even more efficient.”

Amazon Inspector works seamlessly within AWS Organizations so that the MPS team can automatically onboard new AWS accounts, scan code, and view aggregated finding data from all VWFS accounts. Previously, vulnerability scanning was complex; it took days to pour through findings from each account to report to security officers. Using Amazon Inspector, the MPS team achieved a dramatic cut in mean time to remediation. For example, in December 2021, a vulnerability in the common open-source library Apache Log4j affected online services globally. “Because we were using Amazon Inspector, we could simply identify the vulnerability in minutes and remediate it in a short time,” Weissfuss says. “Teams at other companies using other technologies took days to identify affected resources.” Plus, VWFS estimates it saves hundreds of thousands of euros in licensing fees by using the Amazon Inspector pay-as-you-go model.

The MPS team also gains operational insights and automatically deploys software patches across large groups of instances using AWS Systems Manager, a secure management solution for resources on AWS and in multicloud and hybrid environments. Using AWS Systems Manager, teams can view a dashboard of information about resources across all AWS accounts. “The resolution time is way faster now,” says Weissfuss. “As an example, a zero-day bug recently affected 80 servers and 10 different product teams on three continents, and all the machines were fixed within 24 hours.”

To centralize findings while monitoring compliance, the MPS team uses AWS Security Hub, which performs security best practice checks, aggregates alerts, and facilitates automated remediation. By connecting AWS Security Hub to AWS Organizations, the MPS team can automatically activate it across all AWS accounts. Using AWS Security Hub, the team continuously aggregates and prioritizes alerts from AWS Config, Amazon Inspector, AWS Systems Manager, and other AWS services. It has accelerated account provisioning by 15–20 minutes per batch. Moreover, MPS employs a cloud native application protection platform built on CloudGuard by Check Point Software Technologies, an AWS Partner. This enhances the provisioning of contextual insights, empowering customers to enact proactive security measures and intelligent preventative strategies throughout the application lifecycle.