Cloud transformation at an international insurance group
Development of a continuous compliance solution with weekly management reporting and dashboard functionalities for daily cloud operations
About the company
The customer is an internationally active insurance group that employs nearly 30,000 salaried employees worldwide and over 10,000 full-time representatives. With insurance premiums in the double-digit billion euro range, the company is one of the major primary insurers in Germany and Europe.
Challenges, suggested solution and results
The customer has its own enterprise-scaled environment with over 130 AWS accounts and 60 productive applications that are operated by agile DevOps teams. Yet the customer still needed a way to run compliance reports on its AWS accounts against a series of self-imposed policies or guardrails. The guardrails are a combination of AWS best practices, CIS benchmark rules, and self-imposed rules from a customer-specified policy. The client wanted to maintain the agility of the operations teams, yet still ensure that everyone adhered to the appropriate guardrails. A weekly report was to be submitted to the security council to ensure that projects are meeting the documented compliance rules. For example, a strong focus was placed on explicitly using the German AWS region to store and process data. Other rules were based on encryption, least privileges, and a robust IAM solution that monitors active users and login/password rotation.
Our solution suggestion
We have developed a Lambda step function that checks all customer AWS accounts against specific compliance rules (> 30 rules). This step function scales with the number of AWS accounts because we use AWS organizations to check the list of AWS accounts currently owned by the customer. The solution completely eliminates manual worksteps. New and deactivated accounts are detected without manual intervention.
The following examples of compliance checks were implemented:
- No resources outside of a specific AWS region.
- Only encrypted data carriers are used and deployed.
- Only encrypted RDS databases are used and provided.
- No exposed RDS databases are provided.
- No security groups are set up with exposed management ports for the public Internet.
- No S3 buckets are used without forced encryption.
- No active peering or VPN connections to accounts that are not part of the company (all should be loosely coupled via public endpoints).
- No IAM users outside of the central IAM AWS account.
- No old access keys.
- No inactive users.
- No load balancer with unencrypted endpoints (e.g. HTTP).
These checks are performed hourly by the Lambda step function and streamed in encrypted form to a central S3 bucket in a separate AWS account, then forwarded to one of the customer’s on-premises warehouses. No manual steps are required in this process. In addition, all files saved in the bucket were streamed via a Lambda function to AWS ElasticSearch for analysis and use in the daily operations of the Cloud Ops team (part of the local Cloud Competence Center – CCC). The dashboard is used daily to report compliance and verify that all projects meet all customer compliance and security requirements. The dashboard contains all listed compliance results. CloudTrail log files are also streamed to the ElasticSearch cluster via a Lambda function. This helps the Cloud Operations team to inspect problems between compliance violations and the API log (CloudTrail).
AWS as part of the solution
The solution that meets all of the customer’s requirements is based entirely on AWS services and was implemented without IaaS components. The AWS Config rules that we often use were not a good fit for this customer, since they only provide a very decentralized view of a very large enterprise environment (AWS Config rules per account with no central dashboard or alerting). A custom-built solution based on multiple AWS Lambda functions and ElasticSearch provided us with the solution and the result that the customer wanted at a very low price. The solution provided maximum transparency in the massive corporate environment.
All compliance checks documented by the customer were implemented and are monitored continuously. Weekly reporting was added in the process. All checks are streamed to a central dashboard (AWS ElasticSearch) without user interaction in order to perform daily compliance checks. All parts of the solution are fully managed and fully automated by AWS (Lambda, S3, ElasticSearch). New accounts for new applications are added automatically by the compliance logic without manual interaction. Important insights into application environments managed by smaller DevOps teams are provided from the start, without creating additional overhead barriers for the project teams.
More Case Studies
KWS and Skaylink promote a digital product portfolio
Securely into the cloud
Case study “Rent an AWS Cloud Engineer”
Let’s start the future together
Are you unsure where the digital journey should take you? Our experts will be happy to answer your questions without obligation!
Just fill out the form to the right and we will be in touch with you shortly.