Executive Summary

Capital One uses AWS to create exceptional banking experiences for customers. Capital One even has its own in-house cloud and data management tools. As a result, cloud governance is a necessity to protect against cybersecurity threats. This effort is helped in part by a tool called Cloud Custodian. Cloud Custodian enables enterprises to manage cloud resources by filtering, tagging, and then applying actions to them. Some benefits of Cloud Custodian are its ability to provide real-time compliance, manage costs, and run anywhere (locally, on an instance, or serverless in AWS Lambda).

Customer challenge

There are several checks in place using Cloud Custodian. These cover a wide range of AWS services in areas such as encryption, tagging, logging, resource-specific configurations, and account-level settings. Capital One must ensure Cloud Custodian is operating effectively, and is therefore tasked with the challenge of testing each one of these Cloud Custodian controls. Not only are there a large number of policies to test, but all of the complex scenarios that may happen in a production environment must be accounted for. The testing must be scalable, reproducible, and automated.

Partner Solution (Contribution to Capital One)

The solution for this project includes writing Terraform code to automate the testing of various scenarios. When a resource is launched with Terraform, AWS EventBridge triggers an AWS Lambda function to run Cloud Custodian. Once the testing is complete, CloudTrail logs are collected with the AWS SDK for Python (Boto3). Other testing checks compliance of AWS IAM and other IT access configurations using Terraform, the AWS CLI, and other command-line tools. One final contribution is using Boto3 to write scripts that continuously monitor resources.
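As an added example (not code from this case study, from Capital One, or from the Cloud Custodian project), here is a Python/Boto3 check of the kind the log-collection step implies: it pulls the CloudTrail events for a test resource and confirms that the Cloud Custodian Lambda's execution role actually performed the expected action, treating an API call that AWS rejected as a control that did not fire. The role name, account id, instance id and sample events are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed name of the Lambda execution role Cloud Custodian runs under.
CUSTODIAN_ROLE = "custodian-lambda-role"

def actions_by_custodian(events, resource_id, role_name=CUSTODIAN_ROLE):
    """List (event_name, error_code) for API calls the Custodian role made
    against resource_id. events are CloudTrail lookup_events() records."""
    hits = []
    for ev in events:
        detail = json.loads(ev["CloudTrailEvent"])
        arn = detail.get("userIdentity", {}).get("arn", "")
        # Assumed-role ARN: arn:aws:sts::<acct>:assumed-role/<role>/<session>
        if f":assumed-role/{role_name}/" not in arn:
            continue
        touched = {r.get("ResourceName") for r in ev.get("Resources", [])}
        if resource_id in touched:
            hits.append((ev["EventName"], detail.get("errorCode")))
    return hits

def control_fired(events, resource_id, expected_action):
    """True only if Custodian performed expected_action and AWS did not reject it."""
    return any(name == expected_action and err is None
               for name, err in actions_by_custodian(events, resource_id))

def fetch_events(resource_id, minutes=15):
    """Collect real events with Boto3 (needs AWS credentials; unused offline)."""
    import boto3
    end = datetime.now(timezone.utc)
    pages = boto3.client("cloudtrail").get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "ResourceName", "AttributeValue": resource_id}],
        StartTime=end - timedelta(minutes=minutes), EndTime=end)
    return [ev for page in pages for ev in page["Events"]]

def _event(name, role, resource, error=None):
    """Constructed record in the shape lookup_events() returns."""
    detail = {"userIdentity": {"arn": f"arn:aws:sts::123456789012:assumed-role/{role}/session"}}
    if error:
        detail["errorCode"] = error
    return {"EventName": name, "CloudTrailEvent": json.dumps(detail),
            "Resources": [{"ResourceType": "AWS::EC2::Instance", "ResourceName": resource}]}

INSTANCE = "i-0123456789abcdef0"  # constructed test instance id
SAMPLE_EVENTS = [  # constructed: Terraform launch, then two Custodian actions
    _event("RunInstances", "terraform-role", INSTANCE),
    _event("CreateTags", CUSTODIAN_ROLE, INSTANCE),
    _event("StopInstances", CUSTODIAN_ROLE, INSTANCE, error="UnauthorizedOperation"),
]
```

In the sample, the tagging action succeeded but the stop action was denied, which is the kind of silent gap (a Lambda role missing a permission) the CloudTrail check is meant to surface.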

Why AWS?

AWS provides secure, reliable, scalable, and inexpensive cloud computing services. Terraform is an IaC tool that can be used for deploying infrastructure in cloud providers such as AWS. It allows one to implement services or applications without having to set up and configure each service manually, saving considerable time and avoiding the potential for mistakes and inconsistencies. Given its ease of use and wide-ranging capabilities, Terraform has helped the customer to automate the testing of Cloud Custodian controls. AWS's API also provides a seamless way to integrate the automation work being done in this space.

Why Capital One chose ITTStar?
(ITTStar Associates' Readiness to Solve Specific Problems)

ITTStar is an expert partner for data-driven innovation and has a unique approach to solving complex infrastructure and security problems using AWS. As an AWS Advanced Consulting Partner, our confidence comes from our understanding of how to integrate AWS services into our solutions, combined with our approach of breaking holistic business challenges down into solvable parts. Associates spend time gaining a deep understanding of AWS and other technologies by studying and designing solution architectures. Members of ITTStar also focus on solving real business problems with a diverse set of clients, which prepares them for successful delivery on client projects.

Impact & Results:

  • Automated testing processes for Cloud Custodian allow for improvements in the current implementation, as well as providing ad-hoc testing and readily accessible information for IT auditing.
  • Improvements in the overall automation design and strategy have led to more robust solutions for testing which improve the efficiency of developing new code and maintaining current code.

About the Customer

Capital One has a mission to "change banking for good" and has evolved technologically over time to continue to uphold its values. It was founded on the belief of financial inclusion for all and got its start by using data analytics to create personalized credit offers. Today, Capital One's ML applications, APIs and cloud products are preventing online credit fraud and empowering other business partners to innovate in the cloud.
