Julia Jacobs

Senior Cloud Automation Engineer | Acxiom (IPG)

@jewelsjacobs | https://jjacobs2000.myportfolio.com/

Some Cloud things:

  • Rackspace
  • Heroku platform engineer at Salesforce
  • Azure BizSpark Startup program
  • AWS Associate Solutions Architect
  • AWS Community Builder

...see more at https://www.linkedin.com/in/juliajacobs/

Healthcare broker

  • Offers a choice of healthcare providers with minimal / anonymous customer-provided input.
  • Easy, friendly, non-invasive healthcare “shopping”.

MERN on Heroku

with Firebase OAuth to....

FedRAMP Compliant Infrastructure

Offer tighter data integration with healthcare.gov APIs for better user experience and broader market reach

Quick definition of FedRAMP from https://www.fedramp.gov/:

FedRAMP simplifies security for the digital age by providing a standardized approach to security for the cloud.

FedRAMP facilitates the shift from insecure, tethered, tedious IT to secure, mobile, nimble, and quick IT.

Architect consultant: Hire a DevOps person and deploy a NIST QuickStart Template

Me: Use a serverless framework, train and empower the developers to own the infrastructure with guidance from a mentor

The migration discussion....

✔︎

Talking serverless architecture to the audit consultants....

......experience based on 2012 type architecture

AWS CDK

  • Full Stack JS dev friendly: TypeScript with similar design patterns to React / Redux, CommonJS, npm, etc.
  • Looked to be modular - will allow for separation of developer responsibilities and increasing knowledge, i.e. lambda modules, data modules, network modules, etc.
  • Better AWS infrastructure coverage than serverless framework (serverless.com) and no "Infrastructure as YAML"
  • Approved by CTO despite early adoption (Are you sure it's ok? Really? Are you still ok with this? How about now?)

AWS CDK Team + Community are AWESOME

The fun stuff....

  • Created some cool looking Architecture diagrams
  • Dug into AWS CDK docs, the GitHub repo, did the tutorial
  • Created my first shiny new CDK app...

Shifting from PaaS to IaaS

  • AWS Production environment cleanup
  • Security training
  • Review security controls with team
  • Create multi-account environments in AWS Organizations including Sandbox and separate environments for contractors
  • "Everything is audited" (deployment automation or documentation)

Paradigm shift from PaaS product integration like Firebase, mLab and Heroku to the AWS Shared Responsibility model

Authentication

Data

API and Services

Static / Front End

migration plan

But what about deployment automation?

Until CDK supported the injection of AWS SDK API calls with the AwsCustomResource, I was not able to manage secrets in my CDK app.

AWS / Amazon was not GA when it came to CloudFormation support of CodePipeline, SecretsManager, Parameter Store, ECS, ECR and Cognito

With the support of the AWS CDK team and community interaction I was able to create a "multi-service",  multi-account pipeline

Custom CDK Modules

  • CodeBuild and CodePipeline status events to GitHub
  • Static site infrastructure
  • Infrastructure deletion protection

Open Enrollment

90% of revenue

Rapid call center expansion

High stress

Constant Website triage

Tight Website feature demands

The yearly period when people can enroll in a health insurance plan

November - December

Why are we doing this?

  • Focus shift to Marketing Tech / Analytics Products
  • Compliance not worth investment
  • "Cheaper to write code than work with Cloud products like GovCloud, Macie, DataMigration, etc"
  • Couldn't get out of startup firefighting mode to train
  • Not enough talent to support work involved
  • Couldn't compete with easier to use services - Sentry vs. CloudWatch, CircleCI / GitHub Actions vs. CodeBuild / CodePipeline

Where am I now?

  • Senior Cloud Automation Engineer for Public Cloud Dept in multi-billion dollar company
  • Custom security policy validation / evidence serverless application and infrastructure development in AWS
  • Enterprise LandingZone infrastructure
  • Consult on AWS products
  • AWS product teams