Volkswagen Group Centrally Manages Security Threats on AWS Using Amazon GuardDuty

Overseeing more than 650,000 employees, Volkswagen Group (Volkswagen) needs strong security to support its operations. The global automobile manufacturer uses on-premises and cloud-based solutions, including applications powered by Amazon Web Services (AWS). Looking to further strengthen its security posture, Volkswagen deployed Amazon GuardDuty, a threat-detection service that continuously monitors for malicious activity and unauthorized behavior to protect organizations’ AWS accounts, workloads, and data. Using AWS security services, the company gained a centralized view of its AWS accounts and can automatically respond to threats.

Founded in 1937 and headquartered in Germany, Volkswagen operates 118 production plants in 20 European countries. It creates products for 10 automobile brands, including Volkswagen Passenger Cars, Audi, SEAT, ŠKODA, Bentley, Bugatti, Lamborghini, Porsche, Ducati, and Volkswagen Commercial Vehicles. Volkswagen needed a way to scale its projects so that it could host applications across its organization. In 2016, it began using AWS to scale large projects, such as an application that consolidates controls for its electric vehicles. “After we started using AWS services to scale the modular electric vehicle matrix project, demand for application hosting increased,” says Sachin Patil, product owner for AWS Cloud foundational services at Volkswagen. “We then started working heavily on AWS to support those projects.”

Volkswagen uses over 200 AWS services, including Amazon Elastic Compute Cloud (Amazon EC2), a web service that provides secure, resizable compute capacity in the cloud. As the company continued to adopt AWS services, it wanted to strengthen security and vulnerability detection across AWS accounts. To accomplish this goal, Volkswagen developed a solution using Amazon GuardDuty alongside its on-premises security information and event management service powered by Splunk, a software solution that captures, indexes, and correlates near-real-time data in a searchable interface.

Volkswagen deployed Amazon GuardDuty using an account provisioning system that it developed internally. However, this process was time consuming, and Volkswagen realized that customizing security controls to individual AWS accounts was cumbersome for the large organization. After the company brought this realization to AWS during a quarterly business review, the AWS team added support for AWS Organizations to Amazon GuardDuty. AWS Organizations is a service that helps enterprises centrally manage and govern their AWS environments as they grow and scale. Using AWS Organizations, Volkswagen can deploy Amazon GuardDuty as soon as it creates an AWS account. “Because Amazon GuardDuty supports AWS Organizations, we don’t need to activate Amazon GuardDuty in each individual account. By default, any account we create will have it implemented,” says Sachin. “AWS is a customer-focused company, and the AWS team listens to our concerns. AWS Organizations for Amazon GuardDuty has saved us a lot of time.” Using AWS Organizations for Amazon GuardDuty, Volkswagen reduced account provisioning time by 5–7 minutes per batch.

Volkswagen also uses AWS Organizations to implement AWS Security Hub, a service that provides a comprehensive view of security alerts and security posture across AWS accounts so that account owners have centralized access to security threats and findings. Using AWS Organizations to activate AWS Security Hub and other organization-level services, Volkswagen further reduced its overall account provisioning time by an additional 15–20 minutes per batch. It can also detect threats at the time of account creation, improving security. When the system detects a threat, its findings flow into Volkswagen’s Splunk security information and event management instance, alerting Volkswagen’s security operations center (SOC) to act.

Volkswagen has also implemented automation into the threat-detection process to ease employee workloads. For example, if Amazon GuardDuty detects an Amazon EC2 instance that may be contaminated with a rootkit virus, it initiates a workflow to email the account owner. It also adds the finding to AWS Security Hub, alerting the SOC team. A team member can then verify the Amazon GuardDuty finding and perform remediation actions, such as decommissioning the Amazon EC2 instance and creating a copy in the SOC AWS account. This account contains tools used to analyze root causes and remediate issues. Once the issue is remediated and marked as resolved, Amazon GuardDuty will alert the account to view the security findings in AWS Security Hub. For particularly critical issues, the SOC team and account owners receive alerts that can automatically block the affected application or account immediately, preventing the threat from harming other parts of Volkswagen’s system.

Volkswagen also uses AWS Organizations to enforce service control policies and manage permissions across AWS accounts. For example, the SOC team manages a list of approved AWS Regions that account owners are permitted to use. When an employee begins a project, the team will approve certain AWS Regions based on the project’s needs, purpose, and applicable regulations. These policies provide the SOC team with visibility into potential security issues and prevent employees from provisioning and accessing resources outside approved AWS Regions. During the account provisioning process, Volkswagen automatically applies service control policies, preventing individual accounts from modifying Amazon GuardDuty or AWS Security Hub. By implementing centralized and preventative policies, Volkswagen can reduce potential errors and focus on innovation. “When our users think about using AWS services for security, they’re already there. They don’t have to go and build a solution from scratch,” says Sachin. “This in turn saves a lot of time because the users know that the solution is secure and meets the Volkswagen standard. They can focus on building applications and connecting to vehicles."

Using Amazon GuardDuty, AWS Security Hub, and AWS Organizations, Volkswagen can automatically identify security threats and quickly deploy solutions to protect its AWS accounts, business applications, and infrastructure. Volkswagen will continue to use AWS services to develop innovative solutions, such as Firestarter, an application served on Amazon API Gateway that is based on the open-source JavaScript library React. Volkswagen will serve Firestarter on Amazon API Gateway, a fully managed service that makes it simple to create, publish, maintain, monitor, and secure APIs at any scale. Using Firestarter, Volkswagen will streamline and expedite onboarding to its AWS environment for new customers.

Volkswagen has also benefited from the support it received from the AWS team. “The customer-centric approach at AWS is noticeable,” says Anurag Agrawal, basic platform owner at Volkswagen. “There’re a lot of things that we have learned from AWS that have become part of our organization.”