DevOps
Communications & Media

Compliance, Auto Remediation & Cost Control Solution

Trility helped this client achieve cost reporting, enforce organizational tagging requirements, and leverage a third-party security scanning tool, Prisma, to auto-remediate issues discovered in AWS accounts. Trility built a tiered solution that managed security levels to meet the client’s requirements for government contracts.

Problem Statement

Trility was hired to help this client with two problems. The client teams were deploying existing and new AWS resources that were non-compliant and lacked the required tags for cost reporting. 

The client had also implemented Prisma, a third-party security scanning tool, to auto-remediate issues discovered in AWS accounts. Due to the client’s organizational structure, two separate teams configured and maintained Prisma and the AWS environment, so the data shared, synced, and documented between the teams, Prisma, and the environments drifted out of step.

In addition, Prisma required administrative-level access to those accounts, which was not feasible for the client’s government contracts that fell under classified and national security standards.

Solution Approach

To address non-compliant resources, the team created an on-demand reporting script that scans for resources without the required tags, logs them, and removes them. Using Service Control Policies, the team prevented the creation of non-compliant EC2, RDS, and other resources. Trility also used AWS Config rules and events to remediate tagging issues on S3 resources.
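The two controls described above, as an added example that is not Trility's or the client's code: a tag-compliance report over a constructed resource inventory (standing in for what the describe-* API calls return), and an evaluator for the Service Control Policy pattern that denies ec2:RunInstances and rds:CreateDBInstance when a required tag key is absent from the request. The tag keys, the inventory, the account ID, and the policy document are all assumptions for illustration.

```python
"""Tag-compliance report plus an SCP "deny-if-untagged" evaluator (added example)."""

REQUIRED_TAGS = ("CostCenter", "Owner")  # assumed organizational tag keys

# Constructed inventory, not real account data.
INVENTORY = [
    {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa",
     "tags": {"CostCenter": "1234", "Owner": "team-a"}},
    {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbb",
     "tags": {"Owner": "team-b"}},
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:orders", "tags": {}},
    {"arn": "arn:aws:s3:::cost-reports-bucket",
     "tags": {"CostCenter": "1234", "Owner": ""}},
]


def missing_tags(tags):
    """Required keys that are absent or empty on one resource."""
    return [key for key in REQUIRED_TAGS if not tags.get(key)]


def tag_report(inventory):
    """Map ARN -> missing tag keys for every non-compliant resource;
    this is the list an on-demand script would log before acting on it."""
    report = {}
    for resource in inventory:
        missing = missing_tags(resource["tags"])
        if missing:
            report[resource["arn"]] = missing
    return report


# Assumed SCP. One Deny statement per required key: context keys inside a
# single "Null" block are ANDed, so a single statement listing both keys would
# only deny when *every* tag is missing. "Null": "true" means the key is
# not present in the request at all.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": f"DenyCreateWithout{key}",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances", "rds:CreateDBInstance"],
            "Resource": "*",
            "Condition": {"Null": {f"aws:RequestTag/{key}": "true"}},
        }
        for key in REQUIRED_TAGS
    ],
}


def scp_allows(policy, action, request_tags):
    """Evaluate the Deny/Null pattern for one API call.

    A Deny statement matches when the action is listed and every
    aws:RequestTag key it tests has the presence the Null value asks for.
    Any matching Deny wins; an action the SCP does not mention is left
    to the account's own IAM policies (returned here as allowed)."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny" or action not in statement["Action"]:
            continue
        null_cond = statement.get("Condition", {}).get("Null", {})
        matched = all(
            (cond_key.split("/", 1)[1] not in request_tags) == (wanted == "true")
            for cond_key, wanted in null_cond.items()
        )
        if matched:
            return False
    return True


if __name__ == "__main__":
    for arn, missing in tag_report(INVENTORY).items():
        print(f"{arn}: missing {', '.join(missing)}")
    print("RunInstances with both tags:",
          scp_allows(SCP, "ec2:RunInstances", {"CostCenter": "1234", "Owner": "x"}))
    print("RunInstances with Owner only:",
          scp_allows(SCP, "ec2:RunInstances", {"Owner": "x"}))
```

The Null condition checks only that the key is present in the request, not that its value is meaningful, and it says nothing about resources that already exist; that is the gap the on-demand report and the AWS Config rules cover.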

For the Prisma customization, the chosen solution was to build a Lambda function inside AWS that receives and reads the alerts and then takes corrective action inside the account. For the client’s lower-level accounts, it was decided to allow Lambda to fix issues such as user accounts and security groups – Prisma’s recommended approach. For the higher-level accounts under the government contracts, remediation was restricted to a specific set of functions.
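The tiered handler described above, as an added example that is not Trility's, the client's, or Prisma's code: a Lambda-style entry point that reads alerts, maps each alert's policy to a remediation action, and runs it only when the originating account's tier permits that action; everything else is routed to human review. The event shape, the policy identifiers, the account IDs, the tier names and the action names are assumptions for illustration, and the AWS call itself is injected as an executor so the logic runs without credentials.

```python
"""Tier-gated auto-remediation dispatcher for Prisma-style alerts (added example)."""
import logging

log = logging.getLogger("remediator")

# Assumed tiers: lower-level accounts get the recommended auto-fixes, the
# restricted (government-contract) tier gets a narrow allow-list.
TIER_ALLOWED_ACTIONS = {
    "standard": {"disable_user_access_key",
                 "revoke_open_security_group_rule",
                 "enable_bucket_encryption"},
    "restricted": {"enable_bucket_encryption"},
}
ACCOUNT_TIERS = {"111122223333": "standard", "444455556666": "restricted"}

# Assumed mapping from alert policy identifier to a remediation action name.
POLICY_TO_ACTION = {
    "POLICY-IAM-UNUSED-KEY": "disable_user_access_key",
    "POLICY-SG-OPEN-SSH": "revoke_open_security_group_rule",
    "POLICY-S3-NO-ENCRYPTION": "enable_bucket_encryption",
}


def decide(alert, tiers=ACCOUNT_TIERS, allowed=TIER_ALLOWED_ACTIONS):
    """Return ("remediate", action) or ("review", reason) for one alert.
    Unknown accounts and unmapped policies always fall to review."""
    account = alert.get("accountId")
    tier = tiers.get(account)
    if tier is None:
        return "review", f"unknown account {account}"
    action = POLICY_TO_ACTION.get(alert.get("policyId"))
    if action is None:
        return "review", f"no mapped remediation for {alert.get('policyId')}"
    if action not in allowed[tier]:
        return "review", f"{action} not permitted in {tier} tier"
    return "remediate", action


class RecordingExecutor:
    """Stand-in for the production executor, which would make the AWS API
    call for each action (e.g. via boto3). It only records what it was asked
    to do, so the dispatcher can be exercised offline."""

    def __init__(self):
        self.calls = []

    def __call__(self, action, alert):
        self.calls.append((action, alert["accountId"], alert["resourceId"]))


def handler(event, context=None, executor=None):
    """Lambda entry point. `event["alerts"]` is the assumed alert list;
    returns a summary of what was remediated and what needs a human."""
    executor = executor or RecordingExecutor()
    summary = {"remediated": [], "review": []}
    for alert in event.get("alerts", []):
        verdict, detail = decide(alert)
        if verdict == "remediate":
            executor(detail, alert)
            summary["remediated"].append((alert["accountId"], detail))
        else:
            log.warning("human review needed for %s: %s", alert.get("resourceId"), detail)
            summary["review"].append((alert["accountId"], detail))
    return summary


# Constructed sample event, not real alert data.
SAMPLE_EVENT = {"alerts": [
    {"accountId": "111122223333", "policyId": "POLICY-IAM-UNUSED-KEY", "resourceId": "example-key-id"},
    {"accountId": "444455556666", "policyId": "POLICY-IAM-UNUSED-KEY", "resourceId": "example-key-id"},
    {"accountId": "444455556666", "policyId": "POLICY-S3-NO-ENCRYPTION", "resourceId": "example-bucket"},
    {"accountId": "999999999999", "policyId": "POLICY-S3-NO-ENCRYPTION", "resourceId": "example-bucket"},
]}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    recorder = RecordingExecutor()
    print(handler(SAMPLE_EVENT, executor=recorder))
    print("calls made:", recorder.calls)
```

The allow-list in code is only half of the tier boundary: the Lambda execution role in a restricted account should carry IAM permissions for nothing beyond the actions that tier permits, so a change to the dispatch table cannot quietly widen what the function is able to do there.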

Outcomes

The client achieved verifiable compliance and cost-control reporting by enforcing AWS tagging across the organization. The solution enabled development teams to keep working by remediating the tagging issues in a timely fashion. A tiered customization of Prisma allowed the client to realize the business value and achieve a return on investment for the security scanning and auto-remediation tool.

The tiered solution allowed for:

  • Auto-remediation of as many issues as possible
  • Alerts when “human review and action” is needed
  • A targeted approach to each AWS account based on its security level

Project Attributes

  • Reduced COO
  • Reduced Risk
  • Reusable Patterns
  • Increased Capabilities
  • Increased Security
  • Verifiable Compliance
  • Documentation
  • Learning Sessions

Technologies Used

  • AWS Lambda
  • Prisma
  • AWS Config
  • AWS Service Control Policies (SCPs)
  • Docker
  • Python
  • Terraform