United Services Automobile Association (USAA) is a San Antonio-based insurance, financial services, banking, and FinTech company supporting millions of military members and their families. USAA has partnered with Amazon Web Services (AWS) to digitally transform and build multiple USAA solutions that help keep members safe and save members' time and money.
Why build an AWS account metadata solution?
The USAA Cloud Program developed a centralized solution for collecting all AWS account metadata to support core business functions, such as financial management, remediation of vulnerable and insecure configurations, and change release processes for critical application and infrastructure changes.
Companies without a centralized metadata solution often keep account metadata in distributed documents and wikis that must be updated by hand. Manually entering and updating this information frequently leads to outdated or incorrect metadata and, in addition, forces individuals to reach out to multiple resources and teams to collect specific details.
USAA uses AWS Organizations and a series of GitLab projects to create, manage, and baseline all AWS accounts and infrastructure within the organization, including identity and access management, security, and networking components. Within these GitLab projects, each deployment carries a GitLab baseline version that records which version of the project was provisioned into the AWS account.
During the creation and onboarding of new AWS accounts, which are created for each application team and use case, specific data is captured for tracking and governance purposes and used across the enterprise. USAA's Public Cloud Security team took the opportunity of a hackathon event to develop the solution depicted in Figure 1.
- An AWS account is created following a naming convention and added to AWS Organizations. Metadata tracked per AWS account includes:
  - AWS account name
  - Points of contact
  - Line of business (LOB)
  - Cost center #
  - Application ID #
  - Cloud governance record #
  - GitLab baseline version
- An Amazon EventBridge rule invokes AWS Step Functions when a new AWS account is created.
- Step Functions invokes an AWS Lambda function that pulls the AWS account metadata and loads it into a centralized Amazon DynamoDB table, with DynamoDB Streams enabled to support automation.
- A private Amazon API Gateway, exposed only to USAA's internal network, queries the DynamoDB table and serves the AWS account metadata.
After the solution was deployed, USAA teams used the data in several ways:
- User interface: a front-end user interface that queries the API Gateway, allowing internal users on the USAA network to filter and view metadata for any AWS account within AWS Organizations.
- Event-driven automation: DynamoDB Streams capture any change to the table and invoke a Lambda function, which compares the latest version from GitLab with the GitLab baseline version recorded for the AWS account. For any outdated deployment, the Lambda function invokes the CI/CD pipeline for that AWS account to deploy a standardized set of IAM, infrastructure, and security resources and configurations.
- Incident response: the Cyber Threat Response team reduces mean time to respond by building automation that queries the API Gateway to append points of contact, environment, and AWS account name to custom detections as well as to Security Hub and Amazon GuardDuty findings.
- Financial management: internal teams have integrated workflows into their applications that query the API Gateway for cost center, LOB, and application ID to support financial reporting and tracking. This replaces manual review of AWS account metadata on an internal, manually updated wiki page.
- Compliance and vulnerability management: automated notification systems send consolidated reports to the points of contact listed for the AWS account, as returned by the API Gateway, so they can remediate non-compliant resources and configurations.
In this post, we reviewed how USAA enabled core business functions and teams to collect, store, and distribute AWS account metadata by building a secure and highly scalable serverless application natively on AWS. The solution has been used for multiple use cases, including by internal application teams in USAA's production AWS environment.
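The event-driven automation above hinges on one decision: given a DynamoDB Streams batch, which accounts have a baseline older than the latest GitLab version? The following is an added example written for this post, not USAA's code; the attribute names `AccountId` and `GitLabBaselineVersion`, the `v2.3.1`-style version format, and the sample records are assumptions, and the GitLab lookup and pipeline trigger are left as comments.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version strings such as "v2.3.1" or "2.3.1" (format is an assumption).
SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), or None if the string is not a version."""
    m = SEMVER.match(text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def deserialize(image: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Flatten a stream image ({"S": "..."}, {"N": "..."}) to plain values."""
    return {key: next(iter(typed.values())) for key, typed in image.items()}

def is_outdated(baseline: str, latest: str) -> bool:
    """True when the account's baseline is older than the latest GitLab version.
    An unparseable baseline is treated as outdated so the account is re-baselined
    rather than silently skipped."""
    latest_parsed = parse_version(latest)
    if latest_parsed is None:
        raise ValueError(f"latest version is not a version string: {latest!r}")
    parsed = parse_version(baseline)
    return parsed is None or parsed < latest_parsed

def accounts_to_redeploy(event: dict, latest_version: str) -> List[str]:
    """Return the account IDs whose CI/CD pipeline should be invoked."""
    to_run: List[str] = []
    for record in event.get("Records", []):
        # Only new or updated rows matter; REMOVE records carry no NewImage.
        if record.get("eventName") not in ("INSERT", "MODIFY"):
            continue
        item = deserialize(record.get("dynamodb", {}).get("NewImage", {}))
        account_id = item.get("AccountId")
        if account_id and is_outdated(item.get("GitLabBaselineVersion", ""), latest_version):
            to_run.append(account_id)  # assumption: trigger this account's GitLab pipeline here
    return to_run

# Constructed sample stream batch (not real USAA data).
SAMPLE_EVENT = {"Records": [
    {"eventName": "INSERT", "dynamodb": {"NewImage": {
        "AccountId": {"S": "111111111111"}, "GitLabBaselineVersion": {"S": "v2.3.1"}}}},
    {"eventName": "MODIFY", "dynamodb": {"NewImage": {
        "AccountId": {"S": "222222222222"}, "GitLabBaselineVersion": {"S": "2.4.0"}}}},
    {"eventName": "INSERT", "dynamodb": {"NewImage": {
        "AccountId": {"S": "333333333333"}, "GitLabBaselineVersion": {"S": "n/a"}}}},
    {"eventName": "REMOVE", "dynamodb": {"OldImage": {"AccountId": {"S": "444444444444"}}}},
]}

if __name__ == "__main__":
    # assumption: "2.4.0" would be fetched from the GitLab tags/releases API
    print(accounts_to_redeploy(SAMPLE_EVENT, "2.4.0"))
```

Treating an unparseable baseline as outdated is the conservative choice for a security baseline: a missing or malformed record should lead to a re-run, not to an account that never gets its standard IAM and security resources.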