Welcome, CNCF community, and thank you for the opportunity to share how to verify your cloud security configuration with Paladin Cloud. My name is Steve Hall, I'm the co-founder and CTO of Paladin Cloud. You can reach me at the LinkedIn address down here in the lower left-hand corner, and you can check out our GitHub repo. We are a 100% open source solution, Paladin Cloud CE. Give us a star if you check it out and you like what you see.

So before we get into how we actually verify cloud security configuration, let's talk about what some of the driving factors are that drive cloud security challenges. I've put these things in three buckets. The first one is complexity, and it's interesting to use the word complexity, at least in my mind, because there's kind of a dichotomy here: the cloud is so easy to use.
Something we built even five to ten years ago might be one monolithic application that now is 15 services across 150 instances of those services to get something done. So each one of those things by itself becomes a security challenge, because every single one of those can be launched very quickly, very easily on all three big cloud providers, but at the same time you may want to enforce certain rules, like HTTPS over HTTP, certain things not open to the public, even though by default, in some cases, it's really easy to do it that way.

So there's this ease of doing things that creates the complexity, but it's also the distributed nature and the sheer volume of things you have to keep track of that become part of the challenge for your average DevOps team. Another thing is just visibility. I ran a rather large group at T-Mobile, and when you start having tens of thousands, hundreds of thousands, and we've even talked to people in the past six months that have well over a million assets in the cloud.

How do you keep an eye on all those when they're spread across maybe a hundred accounts, or even more, depending on the nature of the customer? So just seeing what's happening in the cloud becomes a challenge unto itself. And then there's the age-old balance of velocity: what's more important, getting the latest business value out the door or getting your security, or, let's back off from security.
Getting your NFRs correct? And this unto itself creates a problem because, as we move faster in the cloud, as the promise of automation starts delivering on the time-to-value equation, guess what: our business leaders want even more from us as technology, and when they want more, they want more, right? And so things start getting compressed, and you start getting dates that are somewhat difficult to achieve, and the first thing that goes out the door is your NFRs, and probably one of the first things in the NFRs that goes out the door is security. In a close first, or tied for first, would be your HA/DR stuff, for instance.

So there are some challenges for these developers, for sure. So how do we help the developers? And I want to emphasize who "we" is here. We as all the developers, all the people in the technology world, the technology leaders, because we do have this fundamental problem, as I talked about, of just pure velocity. We all want to build stuff faster, and it's really cool when we achieve that. But we want to do it redundantly, we want to do it securely.
We want to do it safely. Okay, so how I believe we can help: as an engineering leader, what I try and do is, number one, I set priorities and I make it very, very clear. I have the 80/20 rule, where I always start with every delivery team at 80% on business value, 20% on NFRs, and then you adjust from there as you start trying to figure out: do we have a weakness in security? Is our HA/DR strategy wrong?

Are we actually getting the right visibility purely from an operational standpoint? Even logging, depending on who you talk to, is that an NFR or not? Are we logging properly? All these things need done, so maybe it's a 70/30, maybe it's a 60/40, maybe it's a 90/10 as you mature with your development organization.

The other thing is, even though the cloud, I think the cloud is 15 or 16 years old now. AWS came out about 15 years ago, I think, and it's got fantastic value. Me personally, I started using it immediately because I saw the value of, hey, look at AWS, it has all these Lego bricks, I don't have to go build these things.

I can just start using them as quickly as possible, but there's a learning curve there, and getting massive developer communities moving toward those things, and I call them communities because even in a large enterprise you may have thousands of developers, and maybe even tens of thousands if you include developers, SREs, DevOps, the testers, and if you include the security partners you're going to have some very, very large organizations there, and they're going to be varied in skill, from the new folks who you can't expect to know everything about the cloud on day one to the people who have been building and operating the cloud for years.
The next thing is really collaboration. We all know in the last decade or so there's been this massive shift toward automation. There's been a massive shift toward agile technologies and away from waterfall technologies, and there's been a progression from, you know, here's the developers, here's the ops, let's create DevOps, let's bring them together, and that's reasonably good.

I've seen teams that literally just kind of have a shadow little dev team or ops team sitting over there, and then even when you get into SRE, they're somewhat operational, but they're way much more than that. So don't get mad at me, SRE folks out there, the value is huge there. But what hasn't happened is this dream of DevSecOps coming together, and I drew the Venn diagram on this slide the way I did because I believe we're just starting that. I don't talk to a lot of CIOs or CTOs, or even technology leaders, that truly believe security and DevOps have come together in a meaningful way, where they're solving problems together. They still exist as two different organizations, a little bit of overlap, but still a lot of silo, okay, and so there's a problem there.
So my conclusion when I look at this is, hey, we need better tools. The cloud is changing everything. In the old days you would write some software, or let's forget about writing software in the old days. When you wanted to do something in the data center, you would request a server or a rack or something, you would plan your capacity, and then you'd request it and an organization would get together and they'd either go procure all the equipment you needed or they'd go configure it for you.

Then they'd write tickets to go, maybe, to the network group that told you, you know, was it internal? Is it in this zone or that zone, and where is it out there in the world, right? And that would take sometimes weeks, sometimes months.

Today you just go on and you launch an EC2 instance, put it behind a subnet in a VPC and expose it to what you want to do with it, and you have full control of it, but it takes down some of the natural barriers that the slower process on-prem had, the safeguards that were put in place from a security standpoint, and our security tooling hasn't quite caught up with all that yet. But there are fantastic tools out there and they're evolving, I mean, almost every year.

It's just amazing to watch a lot of the new security tools that are coming out the door. The other thing we see here is broad network access. As I was mentioning, somebody set up your network in the old days. Even though I don't consider myself a really good network guy, I can go in and set up any kind of network.

It may work or may not work, but I can go configure that all myself in AWS, Azure or GCP, even though I'm not expert in it, and even though some of the stuff I'm not entirely sure what it is, to be honest with you, and that's a gap in my learning. So even leaders have gaps in what some of this stuff is. And then finally, getting back to my data center example of planning your capacity and everything: we don't do that anymore.

So what we do is we go in there and we launch a few EC2 instances, or we decide we're going to use Lambda and we have these really good short-lived functions, or we put in a K8s stack and we don't worry about compute at all. We just throw everything in containers and go. But the elasticity, the rapid elasticity of the cloud, is not something that regular tools can handle, and when I say regular tools.
So I was thinking about this, and I'm sorry I had to put the fear slide in, but I think we have a problem, and the numbers are staggering. I mean, 95% of cloud security breaches through 2022 will come from customer errors, fueled by misconfigurations, myths and misunderstandings. I mean, that's a Gartner statement. Do you look at Threat Stack?

They believe that 73 percent of companies have at least one critical misconfiguration right now, something like an SSH port open to the internet, or an RDP port open to the internet, or maybe sensitive data in an S3 bucket open to the internet, and by critical they mean something that is imminently breachable, which kind of gets to the second statement in here, which is an attacker can typically detect a cloud configuration vulnerability within 10 minutes of deployment. Think about that: 10 minutes, they can figure it out.

All they're looking for is a crack in the armor so that they can get inside and they can start moving laterally. The biggest and worst breaches, when you read about them, at least from the public information, it isn't always that you break into the server. What happens?

But the forensics of this stuff is very interesting, and even in security, I'm going to pick on the security domain here a little bit. A lot of breaches are privileged and they're quiet, and we don't talk about them, and we don't have a feedback loop to help us all learn from them, and there's a lot of reasons for that. Obviously, companies could get lawsuits, and you certainly don't want to advertise how somebody got into your servers, but the ones that are reportable.
We are in the security posture management space, and what we're really looking for is... the project that we have in open source right now is based on T-Mobile's original PacBot project. I was the executive sponsor of that at T-Mobile, and one of the major goals from the very beginning that we wanted to achieve was what we called actionable intelligence. We've all heard that developers have alert fatigue: there's too much information being thrown at them from too many different tools.

That sort of thing we didn't want to be, yet another tool that just threw stuff at them. We at least wanted to attempt to get the violations prioritized, attempt to get the users focused on exactly the most critical and then work on the highs and go down from there. So the key to me in a lot of these tools, as we move forward, is to get into what I call actionable intelligence agents.

So let's jump into our demo right here. I'm already logged in to Paladin Cloud, and I'm going to walk through just some major features here, just to give everybody a feel for what's happening here. Reach out to me on LinkedIn anytime if you have further questions. If this is an asynchronous thing, this will be broadcast, I think, in the mid-October time frame.
So you can see up here in the upper right, we have an admin role. I'm logged in as an admin right now, and we have two basic roles in the product. We have the user role and the admin role, and the admin role, I'm not going to spend too much time on this, but it does give you access to some admin functions.

Okay, that allow you to configure the software and change the policy and rules, the criticality of the policy and rules. You're also allowed to grant and revoke exceptions within this administration role. When you're in the user role, you're just a read-only consumer of all this information, and you can request your exceptions, but you cannot grant yourself an exception.

So, as you can see here, the overall UI, we've got our menu along the left. Here we have this thing up here called an asset group, and an asset group is interesting, and what we do here is we use this to slice and dice our cloud. So you can see we connect to AWS, and this is my dev environment right here. So you can see there we use it to slice and dice the cloud, and we also use this; we're doing this in the dev environment, test.

Sorry, I forgot to mention that: we're on 100% test data is what we're on. So some of these numbers will look interesting, you'll say wow, that's really high for such a small installation, but remember we're testing both the positive and negative cases of our policy 24/7. So we have a thousand assets in AWS, we're over here looking at Azure, we've got 2800 in Azure, and we have about 40 in GCP.
An asset group is also... these three come right out of the box with the product. You, as a user of this thing, can then create your own asset groups. Santos has created an "All Cloud" for us, and so basically what he's doing is saying show me everything from AWS, Azure and GCP in one view, so I don't have to click between the two to see what's going on. Now, that is like a very broad, very large asset group. You can also go the other direction.

You can do a... depending on what your mandatory tags are. We have somebody using this thing in open source where they have business units, and I think there's seven of them, and so they do an asset group where the business unit equals, you know, unit one, unit two, unit three through unit seven, so they can see everything associated with that business unit, and these things do cross, they're multi-cloud, so it does cross AWS, Azure and GCP.

So they get this one aggregate view of what's happening in that business unit, which is just a great, fantastic way of doing asset groups, but we also collect all the metadata associated with a resource, and so you can create an asset group by looking at that resource, and any of the metadata can become a filtering criterion for creating these asset groups. So I'm going to go here into All Cloud, just because it's bigger and it shows everything and I don't have to switch between accounts.

You can see up here, like I said, actionable intelligence. What we're trying to do here is: your critical violations, you should be working on these first, okay, your highs next, mediums next, lows. What's interesting about this is we almost have a hundred percent coverage of the CIS Benchmark policies, or benchmark standards, for Azure, AWS and GCP, so they're all in here, and they give guidance on what is high and critical, that's type one, and medium and low, and I think that's type two, and I might have that backwards.
If you go in here again, how do I immediately take action? I can dig into my policy violations and you can see we've got some SSH ports open to the public, and we have some RDP ports open to the public. We have some allow list problems in here.

As we go through this list, there's 134 of them. We have some ICMP open to the public here, and again the team is going through, we have a lot of ports going on here, they're going through testing right now. So some of these things... we even have rules related to encryption. You know, is your EBS volume encrypted, yes or no? That's not what this policy is. This policy is checking: do you have your customer managed key?

Are you using that or not? So one could argue whether this is critical or not, because, number one, it obviously passed the encryption test, number two, how bad is it really that AWS is managing your keys? So you may choose, and you can configure this, but you may choose that this is not critical and this is a high. So you can go configure that over here in our rules administrator, so you can see what each one of these policies is.

We give a brief description and some added metadata here, and we also fully document them on our open source wiki. You can see over here every single policy and rule that fails, we create an issue ID, and the issue ID is either open or it's closed at the end of the day. So if we go look at this issue ID, you can see that we've got an Oracle port open. You can see a description of that; if I clicked on this, this would just simply go to the view.

I just showed you, I know this is on Azure just because of the resource ID. They have very long strings that give you everything from the subscription to the endpoint that you're looking for. The issue was found on 7/20, they've had this one open a while, and then it was last detected today, and this is where I was talking between the roles. I'm an admin, I can grant an exception here. A user would have the ability to request an exception at this point.
We also use the resource IDs specifically from the cloud provider, so you can look that up at any time. Here's the resource ID up here. This also gives you a great view of: there are 12 policies that apply to this resource, and you can see that a majority of them are failing, which is clearly not good.

So let's go to a better test here, a better case, just to show you some of the other capabilities. Let's go to an EC2. EC2 itself has 20 policies. You can see that it's in a running state. You can see that four things are failing and the other 16 are passing. You can see its IP address and whether it's public or private or both, you can see its subnet, its AMI, what type of machine it is. So again, this is the metadata that I talk about.

We're collecting it for every single resource and, of course, that changes per resource. You can see a little policy violation donut graph there to see what's going on, and then, of course, you can see related assets. Here's your security group, if you care about it, here's your EBS volume, in case you care about it.

So lots of good information there to make sure you can get to the root cause of what you want to remediate right away, and we should talk a little bit about remediation. There's effectively three ways to remediate what the findings are in here. One is you look at this and, of course, you go: an SSH port is open, you immediately go find the security group and you close that security group up, get rid of that
configuration. That's one way to do it, and then, of course, if you really believe in automation and shift left, then you should do some triage investigation of how did that get open? Was it opened during run time, or was it actually configured that way when it was pushed out as part of your pipeline? So you'll want to do that investigation. So that's really just a manual effort of remediating these things.

Another way to do it is we have what we call a one-click fix, and the one-click fix basically exposes this thing to you and we give you the option to click a button and we'll go fix it for you. Now, of course, that has ramifications, and it requires elevated privileges to do that, because you're changing a configuration, and by default Paladin Cloud only has read-only access to metadata about the resources.

The third thing, and I'll cover the third one and then we'll talk about how we do it, but the third one is what we call just an auto fix, in which case you trust the software to go close that port for you, and you can put a workflow associated with it.

If you like, for instance, we typically do a 72-hour email notification in the open source world, and we say: hey, you've got this problem, you fix it. If you don't fix it, we're fixing it at 72 hours. Then we say, hey, if you don't fix it, we're fixing it at 48 hours, then 24 hours. Then we just go fix it. So let me see if we actually have any of those in our Fix Central. We do.
This is... we've got to work on this name a little bit, but this is a security group autofix, and the purpose of it is to delete unused autofixes, or, I'm sorry, unused security groups, and so the idea here is again: here's your email notification, one, two and three, and then finally we just went and fixed it, and clearly our developers are testing this.

But what that does is, there's an interesting dynamic here with autofixes and even one-click fixes, and it boils down to trust and it boils down to forcing a conversation between security and operational uptime. So for a security group, because it's not being used, the side effect of deleting it is not all that bad. You might delete a security group and that might offend a developer who is going to use that security group at some point in the near future, or something like that.

But what you're typically not going to do is cause an outage. But let's say you invoke the autofix for S3 bucket open to the public. Okay, you are most likely going to cause an outage by making that S3 bucket private, okay, and it's an organizational question on whether you want to suffer that or not, and that's how really the one-click fix came about: we did the autofix and people were getting surprised that the S3 buckets were getting closed and they didn't have notification, right?

So we created the one-click fix and, of course, the developer looks at it and says: okay, I've got eyes on glass, I know what's happening, I'm going to close that thing, or they go in there and do some tweaks and they go fix it themselves. On several of them they hit the one-click fix, and once they had confidence that it didn't create any operational issues they went into the autofix, but that's still, again, culturally, how we work and with all the automation that we have.

You still have to ask the question: why aren't we fixing that in the pipeline? Why aren't we preventing it from happening in the first place? And you have to have that triage event to find out what's happening there. So let's go back up to the dashboard. We categorize all of our policy and, if I go into high here, just for completeness, it's just going to filter this list, and we're in the violations menu.
Now it's going to filter the list on your highs, and if I go to mediums, hello, it's going to do that for each one of those severities. So as we go into category compliance, we have four categories: security, that's where we're spending most of our time on getting those security policies in place, but we also have some cost policies, and we're not even attempting to compete with the very mature cost management solutions out there. When we say cost here, we're just being opportunistic.

You also have utilization of an EC2 instance. Maybe you have an XXL out there running at eight percent and you look at that trend line over time and it never gets above 15.

You probably save quite a bit of money by dropping that down two or three steps, maybe down to a medium, maybe down to a large, who knows. So that's what we're looking for in those sorts of policies, and then the operations, we're looking for those purely operational things, like every one of our accounts at T-Mobile, we had standard regions, right, and if you deployed an asset outside of the standard region, then we had a problem, right, and so we identify.

Are you deploying... and it wasn't, it's not a huge problem, but the question is: why are you doing that? So we have policy related to your regions, and are you configuring auto scale correctly, and that sort of thing. So we have, you know, a small number of operational policies and we have a small number of cost policies too.

To be clear, tagging: we made tagging a first-class citizen, because if you get into the scale of even a medium enterprise you're going to be at a hundred thousand or more assets before you know it, and when I say assets, I mean resources, a hundred thousand resources or more very quickly. If you don't have a mature tagging model, you can't keep track of that stuff. You simply don't know
what's going on. So having a mature tagging policy and model and making sure you're at least tagging every single asset is huge, so we keep that as a first-class citizen. From purely a compliance standpoint, we show trends, and this is messy just because of our dev and test environments.

You want to finish over here approaching a hundred percent, and depending on your company policy, you may ignore lows. For instance, we have one customer, I shouldn't call them a customer, one person operating in open source that we've talked to, where they have 24 hours to get their criticals done.

The inverse is true also for your violations: no matter where you start, you want to drive those violations down to zero is what you're after. We have a view down here where for every single policy that we've implemented, we give you the overall compliance rating. Okay, so we're going to have a lot of zeros here because of the environments that we're in. But you can see we don't do that, we're not doing mandatory tagging on a lot of things.

We're not ensuring databases aren't a managed tier, we're not managing the key vault correctly, that sort of thing. So there's all these rules and then, of course, in the real world you get into something that looks more like this, or really more like this.

And then the ideal state is clearly get yourself to a hundred percent, and then, finally, on this dashboard, we go on here and we're giving you a view of all your assets and what your count is. So, you know, policy definitions in Azure, if you've ever worked in Azure, there's a lot of these things.

So that's our major thing that we're working on right now in testing, so we do have a bunch of them, but you can see, even in our small environment, and some of it's contrived, security groups at 187, you've got ENIs, DHCP options. It doesn't take long for these to start growing very, very quickly, and in our world these shift a lot depending on what we're testing and deploying for the tests.
So that's the main dashboard, and what's interesting about this dashboard, the feedback we're getting is: yeah, this is good for the developers, it's actionable. As the numbers get bigger, is there further refinement or prioritization needed in any one of these categories? That is a question we get a lot from technology leaders. They like the summaries and the trend graphs, and they also like the idea of, you know, just about every mature organization has an SLA for taking care of critical security problems and high security problems.

They can manage that SLA based on what these numbers are. In several places here you can see we have export of this stuff to XLS/Excel and that sort of thing. We also have an API available, so you can put this into your own Grafana dashboards or whatever your operational dashboards are that you're using. I'm going to jump into violations here really quick. Like I said, we really went through this, and we talked about and we clicked through every one of these columns here, so there's a variety of ways to filter it.

Nothing special there. You can export this also to get more information. Assets are worth a little bit of a deeper dive. You can go from every single asset, whether it's Azure, AWS, GCP. That's the beauty of this.

This aggregated view here, but you can see the trend view of these assets throughout time, which is definitely something valuable, and then, of course, you can start getting into the details of each one of these things and what's going on. Our policy knowledge base right now in the open source world, we have 337 policies, like I said, we're almost complete with all the CIS Benchmark policy for these three clouds, GCP, Azure and AWS.

244 of our policies are related directly to security, which I think is a good thing, and, like I said, a handful, 45 for operations, five for cost and 43 related to tagging things properly, and, of course, you can filter and search this. You know how about it.
The tagging, like I said, we made it a first-class citizen right now because it is worth looking at that, and we're in a state where we're not doing tagging very well in our dev environment. But if we go into these lists, or, I'm sorry, if we look at this, you can see 152 are not tagged, exactly what they are, and you can see the asset list has some filters, and we can clear that and do a different filter.

So I already went through the Fix Central to show an example of the autofix. We do have about two dozen autofix rules across all three clouds for various things. As I mentioned earlier, some of them cause operational issues.

Some do not, so there, to me, it's always a use with caution, and make sure you have a great conversation among the DevOps, operators and SRE of whether you're willing to take that, or do you want to go through an intermediate step like a one-click fix until you get comfortable. But I think my message with autofix is, you know, even though this is a cool feature, and we can do it, you don't want to rely on this, because remember we're verifying exactly what's happening in your resources that you're exposing, and it doesn't matter what environment it is, it doesn't matter what cloud it is, we're inspecting that configuration. So somehow that thing got into that state, and it's probably due to something in the pipeline, but it may not be. We've seen, you know, people will open up an SSH port or an RDP port.

Even though we demand that the cloud should be immutable, people still do it, and people are people, people do make mistakes, and, like I said, one of the fundamental problems is education in the cloud. So until we get years down the road from now and people are really, really comfortable with what security looks like in the cloud,
we're going to see these human errors. And just for kicks, I'm going to close with this little statistics view, just because it's an easy summary of what's happening. You can see we have 340 policies that have been enforced.

Nearly 1300 evaluations have happened in the last day. 77 autofixes were applied, we're running in nine accounts, and this is not just AWS, this is all three clouds. You can see events processed, we haven't had any today, and then close to 4,000 assets scanned, and then, of course, you can see all of your violations on there. So I'm going to end our demo here.

I really appreciate all those who stuck with us and are still listening. Thank you for paying attention and thank you for being involved in this webinar. I guess from here, if this looks interesting, go back to that original screen, we have our Git repo there, and maybe I should make this easier for you: we'll end right back on this beginning slide, but, you know, join our community, get to the repo, check it out.

I am on LinkedIn, I love being on LinkedIn, I love talking to developers and I love talking to technology leaders about the problems in the cloud and what problems actually need solved in the cloud, so by all means reach out to me. So with that, thank you, everybody, have a good day. Take care.
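The talk shows the checks and the notify-then-autofix workflow only through the product UI. The Python below is an added example written for this page, not code from Paladin Cloud or PacBot, that works through the same ideas over constructed data: security-group rules that open SSH, RDP or ICMP to the internet (including the "all traffic" rule that has no port range), an EBS volume that is encrypted but not with a customer-managed key, an admin override that demotes that CMK check from critical to high, findings ordered critical-first, and the 72/48/24-hour e-mail escalation before the fix is applied. The policy names, the `KeyManager` field (assumed to have been joined in from `kms:DescribeKey` by the collector, since `describe_volumes` only returns a key ID), the medium severity for ICMP and the sample records are all assumptions of this example.

```python
"""Toy configuration-policy evaluator, added here as an illustration of the checks
the demo walks through; it is not Paladin Cloud's or PacBot's code. Resource
records are constructed to resemble boto3 describe_* output; nothing here talks
to a real cloud account."""
from dataclasses import dataclass

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Default criticality per policy. SSH/RDP-to-internet and the CMK check ship as
# critical (the talk says the CMK one may be demoted); the ICMP level is assumed.
DEFAULT_SEVERITY = {"sg-ssh-public": "critical", "sg-rdp-public": "critical",
                    "sg-icmp-public": "medium", "ebs-unencrypted": "critical",
                    "ebs-not-cmk": "critical"}
# Inbound checks: (policy, IpProtocol, port or None for "any port").
SG_CHECKS = (("sg-ssh-public", "tcp", 22), ("sg-rdp-public", "tcp", 3389),
             ("sg-icmp-public", "icmp", None))


@dataclass(frozen=True)
class Finding:
    policy: str
    severity: str
    resource_id: str
    detail: str


def _rule_is_public(perm):
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in PUBLIC_CIDRS for c in cidrs)


def _rule_covers(perm, proto, port):
    ip_proto = perm.get("IpProtocol")
    if ip_proto == "-1":               # "all traffic": every protocol and port
        return True
    if ip_proto != proto:
        return False
    if port is None:                   # icmp: no meaningful port range
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def check_security_group(sg):
    hits = set()
    for perm in sg.get("IpPermissions", []):          # inbound rules only
        if not _rule_is_public(perm):
            continue
        for policy, proto, port in SG_CHECKS:
            if _rule_covers(perm, proto, port):
                hits.add((policy, f"{proto}/{port or 'any'} inbound from the internet"))
    return [Finding(p, DEFAULT_SEVERITY[p], sg["GroupId"], d) for p, d in sorted(hits)]


def check_volume(vol):
    vid = vol["VolumeId"]
    if not vol.get("Encrypted"):
        return [Finding("ebs-unencrypted", DEFAULT_SEVERITY["ebs-unencrypted"], vid,
                        "volume is not encrypted")]
    # KeyManager ("AWS" or "CUSTOMER") is assumed to have been joined in from
    # kms:DescribeKey by the collector; describe_volumes alone only gives KmsKeyId.
    if vol.get("KeyManager") != "CUSTOMER":
        return [Finding("ebs-not-cmk", DEFAULT_SEVERITY["ebs-not-cmk"], vid,
                        "encrypted with the AWS-managed key, not a customer-managed key")]
    return []


def evaluate(security_groups, volumes, severity_overrides=None):
    """Run every policy, apply admin overrides to a policy's criticality, and return
    findings in work-these-first order: critical, high, medium, low."""
    overrides = severity_overrides or {}
    found = [f for sg in security_groups for f in check_security_group(sg)]
    found += [f for vol in volumes for f in check_volume(vol)]
    found = [Finding(f.policy, overrides.get(f.policy, f.severity), f.resource_id, f.detail)
             for f in found]
    return sorted(found, key=lambda f: (SEVERITY_RANK[f.severity], f.resource_id, f.policy))


GRACE_HOURS = 72
NOTICE_AT_HOURS_LEFT = (72, 48, 24)


def next_action(hours_since_first_seen, notices_sent):
    """Autofix escalation as the talk describes it: e-mail the owner when 72, 48 and
    24 hours remain, then apply the fix once the grace period has run out."""
    hours_left = GRACE_HOURS - hours_since_first_seen
    if hours_left <= 0:
        return ("autofix", 0)
    due = [h for h in NOTICE_AT_HOURS_LEFT if hours_left <= h]
    if len(due) > notices_sent:
        return ("notify", due[notices_sent])
    return ("wait", hours_left)


# Constructed sample inventory in describe_security_groups / describe_volumes shape.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ffeed00", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0bad0bad", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0123", "Encrypted": True, "KeyManager": "AWS"},
    {"VolumeId": "vol-0456", "Encrypted": True, "KeyManager": "CUSTOMER"},
]
```

Two points the code makes that the UI walkthrough does not: a rule with `IpProtocol` `-1` carries no `FromPort`/`ToPort`, so a port-range comparison alone silently misses the worst case, and the escalation is stateless per evaluation, so the caller has to persist `notices_sent` per issue between scans or the same e-mail goes out every run. The example only looks at inbound CIDR-based rules; rules that reference another security group or a prefix list are not treated as public here.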