Woven by Toyota, Inc. (formerly Woven Planet Holdings, Inc.) is a carefully curated blend of expertise and resources dedicated to bringing to life the vision of “Mobility to Love, Safety to Live”. With three operating companies focusing on technological advancements in automated driving technologies, Woven sought to standardize its security, compliance and monitoring to ensure consistent organizational-level cloud governance.
Headquartered in Tokyo, Woven turned to NTT DATA’s AWS consulting and managed services team to implement a secure cloud foundation. With built-in security and operational rules for organization-wide standardization, the new infrastructure helps streamline innovation.
Woven by Toyota, Inc. (formerly Woven Planet Holdings, Inc.) represents a carefully curated blend of expertise and resources dedicated to bringing to life the vision of “Mobility to Love, Safety to Live.” Woven has three operating companies, Woven Core, Woven Alpha and Woven Capital, that focus on technological advancements in automated driving technologies, creating revolutionary projects like Woven City and investing in innovative growth-stage ventures. Supporting these initiatives requires a strong infrastructure that streamlines the process of innovation.
Woven relies on Amazon Web Services (AWS) for its technology foundation and NTT DATA’s experienced AWS teams to help manage and continuously improve it. With numerous AWS accounts deployed as a part of an in-house self-service solution, the entire organization can consume automated accounts, thereby innovating at speed.
As part of its ongoing effort to ensure the strongest possible security posture, Woven relies on the NTT DATA team to help strengthen its infrastructure pipelines and cloud governance and achieve continuous security compliance.
- Achieves continuous compliance organization-wide
- Standardizes security across hundreds of AWS accounts
- Sustains self-service account deployment for engineers
- Maintains engineer ability to innovate at the speed of the market
- Ensures adherence to budgetary controls to effectively manage costs
Starting with a secure foundation
With Woven’s AWS accounts all centrally managed, the two teams began the project by streamlining the management account and incorporating security best practices. Specifically, they tightened security around AWS roles and identity and access management (IAM) users. Following the principle of least privilege, the teams ensure that the system grants only the access and permissions the management account actually requires, which also narrows the opportunities for privilege escalation.
In addition, the teams built a highly secure continuous integration and continuous delivery/continuous deployment (CI/CD) structure using AWS CodePipeline. It follows a threat model that Woven identified, countering the risk of an in-house system compromise by delivering resources into the management account through a controlled, secured path.
Redefining organizational units for high security
In addition to technological approaches to security, the Woven security team proposed and implemented a new organizational structure to reinforce the segregation between production, development and staging. This provides additional logical divisions in how the organization disperses AWS accounts.
The teams implemented AWS service control policies (SCPs)—organization-wide policies that help manage permissions—to create boundary-level security. The new organizational structure also takes advantage of AWS Organizations features within services such as AWS CloudTrail, AWS Config and AWS CloudFormation StackSets.
These features act as a catalyst for automating and rolling out centralized controls with less development overhead, providing a simple, secure and effective framework into which the team’s engineers can plug their various automation pipelines. For example, the team can now roll out stack sets to the entire organization or to a subset of organizational units using the service-managed permissions model of AWS CloudFormation StackSets, which integrates with AWS Organizations.
Achieving continuous compliance
With best practices established, the next phase of the project defined and developed secure CI/CD pipelines, including:
- Management account pipeline to deploy infrastructure as code (IaC) to the AWS management account.
- SCP pipelines to deploy AWS SCPs to the management account; the team also developed an SCP pipeline that delivers and tests SCPs with the AWS IAM Policy Simulator before they are deployed.
- StackSets pipelines that deploy IaC as stack sets to the management account. The team delivers secure in-house solutions as stack sets using a StackSets pipeline. AWS CloudFormation StackSets lets a stack be rolled out across accounts and organizational units into selected regions in a single operation. For example, the team delivered a system that ensures all Amazon Simple Storage Service (Amazon S3) buckets within the organization are protected by Amazon S3 Block Public Access settings. This system keeps those settings consistent with the organization standard, which reduces the probability of an Amazon S3 bucket data breach.
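The SCP pipeline described above, as an added example rather than NTT DATA's or Woven's own code: it builds a small guardrail SCP, runs an offline pattern match as a fast pre-check, and then asks the IAM Policy Simulator API for the authoritative verdict before the policy is allowed through the pipeline. It assumes the pipeline role may call iam:SimulateCustomPolicy, that passing the SCP to simulate_custom_policy next to an allow-all identity policy approximates how an SCP deny overrides an allow, and that the action list is illustrative, not Woven's actual SCP. OfflineSimulatorStub is a stand-in for the boto3 IAM client so the example runs without AWS.

```python
"""Guardrail SCP plus a pre-deployment test gate (added example, not the
project's code). Assumptions: the pipeline role may call
iam:SimulateCustomPolicy; feeding the SCP to the simulator beside an allow-all
identity policy approximates SCP deny semantics; the actions are illustrative."""
import fnmatch
import json

# Identity policy that allows everything, so any deny the simulator reports
# can only have come from the SCP under test.
ALLOW_ALL = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def build_guardrail_scp():
    """Deny member-account principals the ability to turn off audit controls."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ProtectTrailAndConfig", "Effect": "Deny", "Resource": "*",
             "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                        "cloudtrail:UpdateTrail",
                        "config:StopConfigurationRecorder",
                        "config:DeleteConfigurationRecorder",
                        "config:DeleteConformancePack"]},
            {"Sid": "DenyLeavingOrganization", "Effect": "Deny", "Resource": "*",
             "Action": "organizations:LeaveOrganization"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def local_deny_check(scp, action):
    """Offline pre-check: does a Deny statement's Action pattern match?
    IAM matches actions case-insensitively with '*' wildcards; Condition
    blocks are not evaluated here, so this is a fast filter, not the verdict."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def simulate_scp(iam_client, scp, actions, resource_arn="*"):
    """Authoritative check through the IAM Policy Simulator API.
    Returns {action: 'allowed' | 'explicitDeny' | 'implicitDeny'}."""
    kwargs = {"PolicyInputList": [json.dumps(ALLOW_ALL), json.dumps(scp)],
              "ActionNames": list(actions), "ResourceArns": [resource_arn]}
    decisions = {}
    while True:   # the API paginates; follow Marker until IsTruncated is false
        resp = iam_client.simulate_custom_policy(**kwargs)
        for result in resp["EvaluationResults"]:
            decisions[result["EvalActionName"]] = result["EvalDecision"]
        if not resp.get("IsTruncated"):
            return decisions
        kwargs["Marker"] = resp["Marker"]


def gate_scp(iam_client, scp, must_deny, must_allow):
    """Pipeline gate: every guarded action must be explicitly denied and every
    everyday engineering action must stay allowed. Returns (ok, problems)."""
    problems = [f"{a}: no Deny statement matches" for a in must_deny
                if not local_deny_check(scp, a)]
    decisions = simulate_scp(iam_client, scp, list(must_deny) + list(must_allow))
    problems += [f"{a}: simulator returned {decisions.get(a)}" for a in must_deny
                 if decisions.get(a) != "explicitDeny"]
    problems += [f"{a}: simulator returned {decisions.get(a)}" for a in must_allow
                 if decisions.get(a) != "allowed"]
    return not problems, problems


class OfflineSimulatorStub:
    """Stand-in for a boto3 IAM client so the example runs without AWS. It only
    reproduces the response fields read above, using the local matcher."""
    def simulate_custom_policy(self, **kwargs):
        scp = json.loads(kwargs["PolicyInputList"][1])
        return {"IsTruncated": False, "EvaluationResults": [
            {"EvalActionName": a,
             "EvalDecision": "explicitDeny" if local_deny_check(scp, a) else "allowed"}
            for a in kwargs["ActionNames"]]}


if __name__ == "__main__":
    # With real credentials replace the stub with boto3.client("iam").
    ok, problems = gate_scp(
        OfflineSimulatorStub(), build_guardrail_scp(),
        must_deny=["cloudtrail:StopLogging", "organizations:LeaveOrganization"],
        must_allow=["s3:GetObject", "ec2:RunInstances"])
    print("SCP gate passed" if ok else "SCP gate failed: " + "; ".join(problems))
```

The must_allow list is the part teams most often forget: an SCP that is too broad silently breaks everyday engineering work in every account under the organizational unit, so the gate fails the pipeline in both directions.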
With pipelines built, the teams turned their attention to maintaining continuous security compliance with SCPs and conformance packs deployed as stack sets. (A conformance pack is a collection of AWS Config rules and remediation actions, deployable as a single entity in an account or across AWS Organizations.)
With hundreds of AWS accounts, it’s important to ensure that the resources deployed across the organization are secure. To do so, the teams define security standards as AWS Config rules; AWS Config evaluates each resource against those rules and marks it as compliant or non-compliant. Using AWS Config conformance packs, NTT DATA helps deploy the full set of rules that must be met for compliance, ensuring that resources deployed into accounts meet Woven’s operational and security objectives.
To make sure Woven has a framework for deploying these security compliance checks, the team designed a system in which configuration rules deploy as conformance packs. The packs cover compliance for various domains, including networking, encryption, identity and access, and unsafe publishing.
Because manual resource remediation can be difficult, many of the config rules deployed using conformance packs also support auto-remediation. The team uses AWS Lambda functions to achieve auto-remediation and send notifications whenever a resource is identified as non-compliant per the deployed config rules. The remediation feature boosts engineers’ confidence in the system because it auto-remediates many critical non-compliance behaviors, which helps monitor and control the non-compliance rate.
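The auto-remediation and notification step, as an added example that is not NTT DATA's or Woven's code: an AWS Lambda handler for the EventBridge "Config Rules Compliance Change" event that fixes a NON_COMPLIANT resource when a remediation is registered for the rule, reports rules without a registered fix for manual follow-up, and sends a notification in every case. It assumes the rule names match those given to the managed rules in the deployed conformance pack, that notifications go to an SNS topic (NOTIFY_TOPIC_ARN is a placeholder) rather than straight to Slack, and that the S3 and SNS clients are injected; RecordingClient and SAMPLE_EVENT are constructed stand-ins so it runs offline.

```python
"""Auto-remediation and notification for AWS Config compliance changes
(added example, not the project's code). Assumptions: invoked by EventBridge
for "Config Rules Compliance Change"; rule names are those used in the
conformance pack; NOTIFY_TOPIC_ARN is a placeholder."""
import json
import os

NOTIFY_TOPIC_ARN = os.environ.get(
    "NOTIFY_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:placeholder-topic")


def enable_versioning(s3, bucket):
    s3.put_bucket_versioning(Bucket=bucket,
                             VersioningConfiguration={"Status": "Enabled"})


def enable_default_encryption(s3, bucket):
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]})


# Rule name (as deployed in the conformance pack) -> remediation. Rules not
# listed here are reported for manual follow-up instead of being touched.
REMEDIATIONS = {
    "s3-bucket-versioning-enabled": enable_versioning,
    "s3-bucket-server-side-encryption-enabled": enable_default_encryption,
}


def handle_compliance_change(event, s3, sns, topic_arn=NOTIFY_TOPIC_ARN):
    """Remediate a NON_COMPLIANT finding when a fix is registered, then notify."""
    detail = event["detail"]
    outcome = {"account": detail["awsAccountId"], "region": detail["awsRegion"],
               "rule": detail["configRuleName"],
               "resourceType": detail["resourceType"],
               "resource": detail["resourceId"]}
    if detail["newEvaluationResult"]["complianceType"] != "NON_COMPLIANT":
        outcome["status"] = "ignored"   # back to compliant, or not applicable
        return outcome
    fix = REMEDIATIONS.get(outcome["rule"])
    if fix is None:
        outcome["status"] = "manual-review"
    else:
        try:
            fix(s3, outcome["resource"])
            outcome["status"] = "remediated"
        except Exception as exc:   # a failed fix must still be reported
            outcome["status"] = f"remediation-failed: {exc}"
    subject = f"[Config] {outcome['status']}: {outcome['rule']}"
    sns.publish(TopicArn=topic_arn, Subject=subject[:100],   # SNS subject limit
                Message=json.dumps(outcome, indent=2))
    return outcome


def lambda_handler(event, context):
    import boto3   # real clients only when running inside Lambda
    return handle_compliance_change(event, boto3.client("s3"), boto3.client("sns"))


class RecordingClient:
    """Offline stand-in for boto3 clients: records every call it receives."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


# Constructed sample event in the shape EventBridge delivers for AWS Config.
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change",
    "detail": {"awsAccountId": "111111111111", "awsRegion": "ap-northeast-1",
               "configRuleName": "s3-bucket-versioning-enabled",
               "resourceType": "AWS::S3::Bucket",
               "resourceId": "example-data-bucket",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}

if __name__ == "__main__":
    s3, sns = RecordingClient(), RecordingClient()
    print(handle_compliance_change(SAMPLE_EVENT, s3, sns))
    print(s3.calls, sns.calls)
```

Keeping the remediation table explicit is the design point: only rules whose fix is safe to apply unattended get an entry, and everything else still produces a notification so the non-compliance rate stays visible.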
Monitoring and managing compliance with AWS CloudTrail
Woven uses an AWS CloudTrail organization trail to log events across all accounts in the organization. Because an organization trail automatically applies to every member account that joins, the team does not have to enable AWS CloudTrail separately for each new account, and AWS CloudTrail settings stay consistent across accounts. All AWS CloudTrail logs are delivered to an Amazon S3 bucket in a separate audit account for central management.
To ensure Amazon S3 public access compliance, the team rolled out a strict Amazon S3 Block Public Access configuration using the AWS CloudFormation StackSets delivery framework. Now, any account the organization adds also receives an AWS Lambda solution that turns on the Amazon S3 Block Public Access settings at the account level. This disallows public access to Amazon S3 buckets, proactively addressing a major security concern.
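The account-level enforcement just described, as an added example and not NTT DATA's or Woven's code: a Lambda handler that reads the account's current Amazon S3 Block Public Access configuration, applies the full block when any of the four settings is missing or false, and re-reads it to confirm. It assumes the function runs inside the member account it protects (delivered there by a stack set) with s3:GetAccountPublicAccessBlock and s3:PutAccountPublicAccessBlock permission, that the account ID comes from STS, and that the s3control client is injected; S3ControlStub is a constructed in-memory stand-in so the logic runs offline.

```python
"""Account-level Amazon S3 Block Public Access enforcement (added example,
not the project's code). Assumptions: runs in the protected account with
s3:GetAccountPublicAccessBlock / s3:PutAccountPublicAccessBlock; the
s3control client is injected; the stub below is an offline stand-in."""

# All four settings must be true: ACL-based and policy-based public grants
# are both blocked, for new and existing buckets alike.
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def current_block(s3control, account_id):
    """Return the account's current configuration, or {} if none is set."""
    try:
        resp = s3control.get_public_access_block(AccountId=account_id)
        return resp["PublicAccessBlockConfiguration"]
    except Exception as exc:   # botocore ClientError exposes the code in .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return {}
        raise


def enforce_block_public_access(s3control, account_id):
    """Apply the full block if any setting is missing or false, then re-read
    to confirm. Returns a summary dict suitable for logging or notification."""
    before = current_block(s3control, account_id)
    drift = [k for k, v in FULL_BLOCK.items() if before.get(k) is not v]
    if drift:
        s3control.put_public_access_block(
            AccountId=account_id, PublicAccessBlockConfiguration=FULL_BLOCK)
    after = current_block(s3control, account_id)
    return {"account": account_id, "drifted_settings": drift,
            "changed": bool(drift), "enforced": after == FULL_BLOCK}


def lambda_handler(event, context):
    import boto3   # real clients only inside Lambda
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    return enforce_block_public_access(boto3.client("s3control"), account_id)


class _NoConfig(Exception):
    """Mimics botocore.exceptions.ClientError for the offline stub."""
    response = {"Error": {"Code": "NoSuchPublicAccessBlockConfiguration"}}


class S3ControlStub:
    """Offline stand-in holding one account's configuration in memory."""
    def __init__(self, initial=None):
        self.config = initial

    def get_public_access_block(self, AccountId):
        if self.config is None:
            raise _NoConfig()
        return {"PublicAccessBlockConfiguration": dict(self.config)}

    def put_public_access_block(self, AccountId, PublicAccessBlockConfiguration):
        self.config = dict(PublicAccessBlockConfiguration)
        return {}


if __name__ == "__main__":
    # A freshly created account has no configuration yet.
    print(enforce_block_public_access(S3ControlStub(), "111111111111"))
    # An account where someone later relaxed one setting.
    weakened = dict(FULL_BLOCK, RestrictPublicBuckets=False)
    print(enforce_block_public_access(S3ControlStub(weakened), "111111111111"))
```

Re-reading after the write matters because the account-level block can be changed by anyone with the put permission; the same function run on a schedule, or from an AWS Config rule, catches that drift as well as the new-account case.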
The teams also worked together to build in a budget compliance check. The solution tracks spending across organizational units and sends an alert when a sandbox account crosses a certain threshold. This capability helps Woven ensure continuous compliance with established budget constraints. A built-in notification system sends a personalized Slack alert to account owners when a budget threshold is breached. These notifications boost awareness and discipline without interrupting innovation.
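The budget compliance check, as an added example that is not NTT DATA's or Woven's code: month-to-date spend per account is read from Cost Explorer grouped by linked account, compared against each sandbox account's monthly budget, and a personalised message is posted to Slack for every account over its line. It assumes a SANDBOXES table of budgets and owner handles (constructed values), an incoming-webhook URL in SLACK_WEBHOOK_URL (placeholder), a warning level at 80% of budget that the page does not specify, and that the Cost Explorer client and the HTTP poster are injected; CostExplorerStub is a constructed stand-in so it runs offline.

```python
"""Sandbox budget check with Slack notification (added example, not the
project's code). Assumptions: SANDBOXES values are constructed;
SLACK_WEBHOOK_URL is a placeholder; the 80% warning level is an assumption;
ce client and poster are injected so the logic runs offline."""
import datetime as dt
import json
import os
import urllib.request

SLACK_WEBHOOK_URL = os.environ.get(
    "SLACK_WEBHOOK_URL", "https://hooks.slack.com/services/PLACEHOLDER")

# Constructed: account ID -> (monthly budget in USD, owner's Slack handle).
SANDBOXES = {
    "111111111111": (500.0, "@alice"),
    "222222222222": (300.0, "@bob"),
    "333333333333": (1000.0, "@carol"),
}


def month_to_date_spend(ce, today):
    """Return {account_id: USD spent so far this month} from Cost Explorer."""
    start = today.replace(day=1)
    end = today + dt.timedelta(days=1)   # Cost Explorer's End date is exclusive
    resp = ce.get_cost_and_usage(
        TimePeriod={"Start": start.isoformat(), "End": end.isoformat()},
        Granularity="MONTHLY", Metrics=["UnblendedCost"],
        GroupBy=[{"Type": "DIMENSION", "Key": "LINKED_ACCOUNT"}])
    spend = {}
    for period in resp["ResultsByTime"]:
        for group in period["Groups"]:
            account = group["Keys"][0]
            amount = float(group["Metrics"]["UnblendedCost"]["Amount"])
            spend[account] = spend.get(account, 0.0) + amount
    return spend


def find_breaches(spend, sandboxes, warn_at=0.8):
    """One record per account at or above its warning or budget line."""
    breaches = []
    for account, (budget, owner) in sandboxes.items():
        used = spend.get(account, 0.0)
        ratio = used / budget
        if ratio >= 1.0:
            level = "OVER BUDGET"
        elif ratio >= warn_at:
            level = "WARNING"
        else:
            continue
        breaches.append({"account": account, "owner": owner, "level": level,
                         "spent": round(used, 2), "budget": budget,
                         "percent": round(ratio * 100)})
    return breaches


def slack_payload(breach):
    """Personalised message addressed to the account owner."""
    text = (f"{breach['owner']} {breach['level']}: sandbox account "
            f"{breach['account']} has used ${breach['spent']:.2f} of its "
            f"${breach['budget']:.2f} monthly budget ({breach['percent']}%).")
    return {"text": text}


def post_to_slack(payload, url=SLACK_WEBHOOK_URL):
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def run_budget_check(ce, today, sandboxes=SANDBOXES, poster=post_to_slack):
    """Fetch spend, find breaches, notify each owner; returns the breaches."""
    breaches = find_breaches(month_to_date_spend(ce, today), sandboxes)
    for breach in breaches:
        poster(slack_payload(breach))
    return breaches


class CostExplorerStub:
    """Offline stand-in returning a constructed Cost Explorer response."""
    def __init__(self, amounts):
        self.amounts = amounts

    def get_cost_and_usage(self, **kwargs):
        return {"ResultsByTime": [{"TimePeriod": kwargs["TimePeriod"], "Groups": [
            {"Keys": [acct],
             "Metrics": {"UnblendedCost": {"Amount": str(amt), "Unit": "USD"}}}
            for acct, amt in self.amounts.items()]}]}


if __name__ == "__main__":
    # With real credentials: ce = boto3.client("ce") and poster=post_to_slack.
    ce = CostExplorerStub({"111111111111": 520.10, "222222222222": 250.00,
                           "333333333333": 120.00})
    sent = []
    for breach in run_budget_check(ce, dt.date.today(), poster=sent.append):
        print(breach)
    print(json.dumps(sent, indent=2))
```

Because the poster is a parameter, the same function can be dry-run from a scheduled pipeline job with a list collector before the webhook is wired in, and the returned breach records are what a dashboard or ticketing integration would consume.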
Woven is now confident that its AWS accounts are well protected and in line with established operational and security objectives. Such continuous compliance helps Woven ensure standardization across its AWS organization and gives the company centralized control over cloud security best practices. Woven achieves all this while empowering engineers through self-service capabilities that allow them to deploy accounts as needed so they can innovate at market speed.
About Woven by Toyota, Inc.
Woven by Toyota, Inc. (formerly Woven Planet Holdings, Inc.) is the mobility technology subsidiary of Toyota Motor Corporation. It helps Toyota develop next-generation cars and realize a mobility society in which everyone can move freely, happily and safely.