Beth Massey
Stax on Stax
29 Apr 2020

Boost Your AWS Compliance in One Day a Month with Stax and Gamification

AWS compliance can feel hard sometimes. Developers focus on building the right products and features for the business, and compliance is often presented as a secondary concern. Sure, the team might be aware of the guidelines and recommendations. But those can often be hard to implement and time-consuming to check, especially if they’ve just been told to “make it compliant”. Make it compliant with what?

At Stax, we believe in making the right thing easy. So, how do you give your devs the tools to get started with compliance? Make a thing that people can easily see and make it fun! This is easy with the combination of Stax's Rules feature, and the power of gamification.

The Good News

I’ve found that when people start using Stax's Rules feature, they expected their metrics to be awful. But most companies are at about 35% compliance for the CIS AWS Foundations Benchmark without even knowing! Why? Turns out that due to the shared security model, AWS bakes a lot of security in as things get set up. If you’re using Stax to create your resources, you’ll be even better off because the platform turns on all the access logging and security controls as accounts are created, but there are still a lot of quick wins out there!

Where Do You Start?

The CIS AWS Foundations Benchmark. There are four areas to choose from, and I’d always suggest you start with Identity and Access Management. There are a bunch of really easy, very quick wins to be found here. They’re things you really should be doing anyway, like having a complex password policy, using Multi-Factor Authentication, and avoiding the use of your root account. Most of this is something an admin can do in just an hour or so, unless you need to order hardware tokens which can take a bit longer due to shipping etc. Minimum effort, maximum results.

Great, Now What?

That kind of depends on your industry, how big your company is and where you’re at with your maturity within AWS. We don’t think the CIS AWS Foundations Benchmark is necessarily one-size-fits-all, so we’ve put together a group of the rules we do think everyone should follow under the Cloud Quality section of the Rules area. If you have lots of AWS resources and lots of developers, it’s worth splitting things out by team by setting up a Team View. This helps teach your devs to fish. They should start with the high-severity rules and fix things so they know how to make things better in the future.

Wait, Where Does the Fun Come In?

We’ve had one of our customers gamify compliance improvements and their devs have been really responsive! How? Using the Team View I mentioned above, in conjunction with the Dashboard page within the Stax Cost & Compliance module, you can see the Cloud Quality Compliance stats organized by team.

Set up a ‘game day’, when everyone focuses on upping their compliance. By using on-demand Rule re-evaluation, your devs will be able to make the changes they think are needed, hit the ‘re-evaluate’ button and they’ll quickly be able to see if what they did worked and the corresponding compliance improvement. Ensure you reward your teams appropriately, whether it’s finishing early, having a pizza and beer night, or just internal recognition, maybe with a trophy! One of our internal teams has a frog that the most productive team member gets to keep on their desk until the next game day!

What about Rules That Are Irrelevant or Contain Exceptions?

It’s important to remember that these are best-practice rules, but certain things will be difficult or impossible to fix depending on a multitude of factors. Examples include: requiring an open S3 bucket for your static marketing website; managing legacy software applications; or needing to build to spec to meet your backup vendor’s requirements in order to receive support.

Fair’s fair, it might make sense to disable rules that don’t make sense for your business (you’ll need to be an admin) or make exceptions for resources that are snowflakes. I’m not suggesting you turn off everything, but it’s important to be sensible. It’s also easier to deal with things as they get created or as they become non-compliant instead of beating your head against the wall for legacy resources.

Once you’re at an ‘okay’ point, you should be able to deal with any issues as they come up by using Stax’s email/Slack alerts and having a monthly ‘focus’ day. That’s what lots of our customers do. It’s also worth checking out the other Rules in the Catalog, like the tagging Rules and the Tag Policy section. By doing this, you can ensure your team alignment and the corresponding alerts are accurate, relevant and meaningful. Just like most things, once you get over the first hill, it’s a lot easier!

It's a Journey, Not a Destination

As hard as it can be to take that first step, in most cases your compliance won’t be as bad as your worst fears. The sooner you get started, the easier it’ll be to stay on track. We’re all learning to fish. Technology is always changing, so there will always be new things to check, but by giving your developers the tools they need to make compliance easy, you’re well on your way to having a thriving DevOps culture!