AWS Cloud Operations Blog
How BMW Group uses automation to achieve end-to-end compliance at scale on AWS
This post is co-written with Dr. Jens Kohl, Daniel Engelhardt, and Sascha Kallin from BMW Group.
The BMW Group, headquartered in Munich, Germany, is a vehicle manufacturer with 149,000 employees worldwide and over 30 production and assembly facilities across 15 countries. Today, the BMW Group (BMW) is the world’s leading manufacturer of premium automobiles and motorcycles, and a provider of premium financial and mobility services.
BMW Connected Company is a division within BMW responsible for developing and operating premium digital services for BMW’s connected fleet, which currently numbers more than 22 million vehicles in over 50 countries worldwide.
After completing a successful 3-year migration of around 1,300 microservices, the BMW ConnectedDrive platform and services are now hosted on AWS, and used to process, store, and utilize connected vehicle data to provide premium, personalized digital services to customers based on their preferences and driving style.
The BMW ConnectedDrive backend is a highly complex, high-performance mesh of services distributed across multiple Regions and hundreds of AWS accounts, processing over 12 billion requests and 145TB of data traffic per day. With over 450 DevOps teams performing daily deployments, BMW faced a major challenge in verifying that workloads adhere both to industry standards and to the internal standards BMW has defined to mitigate risks to availability and data privacy.
To address this, BMW built a fully automated solution that quickly notifies teams of potential optimizations by continuously monitoring and assessing workloads against BMW standards, regulatory requirements, and best practices, as well as the AWS Well-Architected Framework with its six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability.
In this post, we explore how BMW Connected Company leveraged AWS Config and AWS Trusted Advisor to efficiently and proactively monitor and assess compliance across hundreds of AWS accounts in a fully automated way to continuously optimize their cloud services.
Solution Architecture
Figure 1: Architecture of continuous compliance solution that utilizes AWS Trusted Advisor and AWS Config for assessment and central data collation
1. AWS Trusted Advisor: BMW integrated AWS Trusted Advisor into their compliance assessment workflow to gain insights and identify actionable items across their workloads. AWS Trusted Advisor continuously evaluates BMW’s AWS environment using best practice checks across the categories of cost optimization, performance, resilience, security, operational excellence, and service limits, and provides recommendations to optimize costs, increase performance, improve security and resilience, and operate at scale in the cloud.
BMW combined AWS Trusted Advisor with AWS Config rules to enable customized compliance automation and implement additional standards alongside the default AWS Trusted Advisor best practice checks. This approach helped BMW better optimize their workloads for security and performance based on their unique requirements and environment.
2. AWS Config: To continuously monitor the configuration of workloads against industry best practices and internal standards, BMW deployed AWS Config across its accounts using a combination of AWS Config managed rules and AWS Config custom rules.
AWS Config managed rules are pre-built rules that AWS Config uses to evaluate whether AWS resources comply with best practices and guidelines published by AWS, such as the AWS Well-Architected Framework. For example, an AWS Config managed rule aligned to the Cost Efficiency Pillar checks if Amazon EC2 instances are using the latest generation instance type, which can help reduce costs, whereas another rule aligned to the Security Pillar checks if Amazon EBS volumes are encrypted, which can help improve security.
To achieve full coverage of all use cases, BMW defined and implemented a set of AWS Config custom rules tailored to their specific requirements and guidelines. These rules are designed to identify opportunities for optimization. For example, BMW developed rules to check if AWS Lambda functions are using the latest version of the AWS Lambda runtime, or Amazon RDS instances are using the latest version of the Amazon RDS engine, which can help improve performance and reliability. In another example, BMW developed a rule to check that Amazon SQS queues are encrypted with a customer managed key in AWS Key Management Service (AWS KMS) for higher security.
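The SQS encryption rule described above is a natural fit for a Lambda-backed AWS Config custom rule. The following is an added illustration, not BMW's or AWS's own code: the handler parses the Config invocation event, classifies the queue's `KmsMasterKeyId`, and reports the result back with `PutEvaluations`. It assumes the `AWS::SQS::Queue` configuration item exposes `KmsMasterKeyId`, that the AWS managed key appears as the alias `alias/aws/sqs`, and that any other key id, ARN or alias is customer managed (a stricter variant would call `kms:DescribeKey` and inspect `KeyManager`); the account id and sample event are constructed placeholders.

```python
"""
Added example (not BMW's or AWS's own code): a Lambda-backed AWS Config custom
rule that checks whether an Amazon SQS queue is encrypted with a customer
managed AWS KMS key.  Assumptions: the AWS::SQS::Queue configuration item
carries a 'KmsMasterKeyId' field; the AWS managed key is identified by the
alias 'alias/aws/sqs'; any other key id, ARN, or alias is treated as customer
managed (a stricter check would call kms:DescribeKey and inspect KeyManager).
"""
import json

AWS_MANAGED_SQS_ALIAS = "alias/aws/sqs"


def evaluate_sqs_queue(configuration_item):
    """Return (compliance_type, annotation) for one AWS::SQS::Queue item."""
    status = configuration_item.get("configurationItemStatus")
    if status in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource has been deleted"
    if configuration_item.get("resourceType") != "AWS::SQS::Queue":
        return "NOT_APPLICABLE", "Rule only applies to AWS::SQS::Queue"
    config = configuration_item.get("configuration") or {}
    key_id = config.get("KmsMasterKeyId")
    if not key_id:
        # No KMS key: either unencrypted or SQS-managed SSE; neither uses a CMK
        return "NON_COMPLIANT", "Queue is not encrypted with an AWS KMS key"
    # Accept both 'alias/aws/sqs' and its ARN form 'arn:aws:kms:...:alias/aws/sqs'
    if key_id == AWS_MANAGED_SQS_ALIAS or key_id.endswith(":" + AWS_MANAGED_SQS_ALIAS):
        return "NON_COMPLIANT", "Queue uses the AWS managed key; a customer managed key is required"
    return "COMPLIANT", "Queue is encrypted with customer managed key " + key_id


def build_evaluation(event):
    """Parse the Config invocation event and produce one evaluation record."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_sqs_queue(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when invoked by AWS Config (boto3 is present in Lambda)."""
    import boto3  # imported here so the module can be exercised without boto3
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample invocation event (placeholder account id) for local runs
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::SQS::Queue",
            "resourceId": "https://sqs.eu-central-1.amazonaws.com/111122223333/orders",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-15T10:00:00.000Z",
            "configuration": {"KmsMasterKeyId": "alias/aws/sqs"},
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "resultToken": "placeholder-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

The evaluator is kept free of AWS calls so the classification logic can be unit-tested offline; the deleted-resource branch matters in practice, because without it a removed queue would linger as a stale NON_COMPLIANT finding until the rule is re-evaluated.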
To manage compliance across all BMW ConnectedDrive AWS accounts, AWS Config rules were deployed through AWS Config conformance packs. This allowed BMW to rapidly deploy hundreds of AWS Config rules to all accounts and AWS Regions in a consistent, automated manner. This scalable approach also enabled BMW to continuously monitor for configuration drift and helped maintain consistent governance and compliance.
3. Centralized compliance data: To centralize compliance data, BMW deployed an AWS Config aggregator in a central account to collect AWS Config data from all member accounts. Then, an Amazon EventBridge scheduled event invokes an AWS Lambda function that calls the AWS CLI and exports a snapshot of compliance data to a central Amazon S3 bucket. The data is enriched with metadata identifying the source account, owner, and compliance severity for analysis.
In addition, AWS Trusted Advisor findings were also aggregated centrally to provide a comprehensive view of potential cost optimizations, and service limits across the multi-account environment. By centralizing and unifying AWS Config and AWS Trusted Advisor data, BMW improved compliance visibility whilst enabling automated analysis and reporting workflows.
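To make the centralization step concrete, here is an added example (not BMW's or AWS's own code) of the scheduled export Lambda: it walks the aggregator for non-compliant (rule, account, Region) combinations, pulls the resource-level evaluation results, enriches each record with account owner and rule severity, and writes a date-partitioned newline-delimited JSON snapshot to S3 that a QuickSight dataset can consume. The aggregator name, bucket name, owner table and severity table are placeholders constructed for the example, and the sample records are constructed in the `AggregateEvaluationResults` shape returned by `GetAggregateComplianceDetailsByConfigRule`.

```python
"""
Added example (not BMW's or AWS's own code): scheduled export of aggregated
AWS Config compliance data, enriched with owner and severity metadata, to S3.
Aggregator name, bucket, owner table and severity table are constructed
placeholders; records follow the AggregateEvaluationResults shape.
"""
import json
from datetime import datetime, timezone

AGGREGATOR_NAME = "central-config-aggregator"  # placeholder
SNAPSHOT_BUCKET = "compliance-snapshots"        # placeholder

# Constructed metadata tables; in practice sourced from a CMDB or account tags
ACCOUNT_OWNERS = {
    "111122223333": {"owner": "team-vehicle-telemetry", "environment": "prod"},
}
RULE_SEVERITY = {"sqs-queue-cmk-encrypted": "HIGH", "lambda-runtime-current": "MEDIUM"}
DEFAULT_SEVERITY = "LOW"


def enrich_finding(result, account_owners=ACCOUNT_OWNERS, rule_severity=RULE_SEVERITY):
    """Flatten one aggregate evaluation result and attach owner/severity metadata."""
    qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
    rule_name = qualifier["ConfigRuleName"]
    meta = account_owners.get(result["AccountId"], {"owner": "unassigned", "environment": "unknown"})
    non_compliant = result["ComplianceType"] == "NON_COMPLIANT"
    return {
        "account_id": result["AccountId"],
        "region": result["AwsRegion"],
        "rule_name": rule_name,
        "resource_type": qualifier["ResourceType"],
        "resource_id": qualifier["ResourceId"],
        "compliance": result["ComplianceType"],
        "recorded_at": str(result["ResultRecordedTime"]),  # the live API returns a datetime
        "owner": meta["owner"],
        "environment": meta["environment"],
        # Severity only applies to findings; compliant resources carry None
        "severity": rule_severity.get(rule_name, DEFAULT_SEVERITY) if non_compliant else None,
    }


def build_snapshot(results):
    """Return (ndjson_text, summary) for a list of aggregate evaluation results."""
    enriched = [enrich_finding(r) for r in results]
    summary = {"total": len(enriched), "non_compliant": 0, "by_severity": {}}
    for f in enriched:
        if f["compliance"] == "NON_COMPLIANT":
            summary["non_compliant"] += 1
            summary["by_severity"][f["severity"]] = summary["by_severity"].get(f["severity"], 0) + 1
    ndjson = "\n".join(json.dumps(f, sort_keys=True) for f in enriched) + "\n"
    return ndjson, summary


def _paged(call, result_key, **kwargs):
    """Iterate over every page of a NextToken-style AWS Config API call."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(result_key, [])
        token = resp.get("NextToken")
        if not token:
            return


def lambda_handler(event, context):
    """Scheduled entry point; boto3 is imported here so the module runs offline."""
    import boto3
    config = boto3.client("config")
    results = []
    # Find (rule, account, region) triples with findings, then fetch each
    # triple's resource-level results from the aggregator
    for rc in _paged(config.describe_aggregate_compliance_by_config_rules,
                     "AggregateComplianceByConfigRules",
                     ConfigurationAggregatorName=AGGREGATOR_NAME,
                     Filters={"ComplianceType": "NON_COMPLIANT"}):
        results.extend(_paged(config.get_aggregate_compliance_details_by_config_rule,
                              "AggregateEvaluationResults",
                              ConfigurationAggregatorName=AGGREGATOR_NAME,
                              ConfigRuleName=rc["ConfigRuleName"],
                              AccountId=rc["AccountId"], AwsRegion=rc["AwsRegion"],
                              ComplianceType="NON_COMPLIANT"))
    ndjson, summary = build_snapshot(results)
    key = f"config/dt={datetime.now(timezone.utc):%Y-%m-%d}/snapshot.ndjson"  # date partition
    boto3.client("s3").put_object(Bucket=SNAPSHOT_BUCKET, Key=key, Body=ndjson.encode())
    return summary


# Constructed sample results (placeholder account ids) for offline runs
SAMPLE_RESULTS = [
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "sqs-queue-cmk-encrypted", "ResourceType": "AWS::SQS::Queue",
        "ResourceId": "https://sqs.eu-central-1.amazonaws.com/111122223333/orders"}},
     "ComplianceType": "NON_COMPLIANT", "ResultRecordedTime": "2024-01-15T10:05:00Z",
     "AccountId": "111122223333", "AwsRegion": "eu-central-1"},
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "ebs-encrypted-volumes", "ResourceType": "AWS::EC2::Volume",
        "ResourceId": "vol-0123456789abcdef0"}},
     "ComplianceType": "NON_COMPLIANT", "ResultRecordedTime": "2024-01-15T10:05:00Z",
     "AccountId": "777788889999", "AwsRegion": "eu-central-1"},
]
```

The enrichment deliberately falls back to `unassigned` rather than dropping records for accounts missing from the owner table, so an ownership gap shows up on the dashboard as a finding of its own instead of silently hiding non-compliant resources.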
4. Automation and orchestration: BMW automated compliance monitoring and assessment using a combination of periodic and scheduled checks. For example, when new Amazon EC2 instances are created, AWS Config rules evaluate the resources against compliance policies. BMW also developed AWS Config custom rules backed by AWS Lambda to trigger evaluations tailored to internal requirements and guidelines. This automation provides continuous compliance monitoring as BMW’s infrastructure changes. By streamlining assessment workflows with automation, BMW reduced the manual effort required to verify adherence to security and operational best practices across their evolving environment.
5. Visualization: BMW developed a series of dashboards in Amazon QuickSight to visualize aggregated compliance data stored centrally in Amazon S3 and provide teams an interactive, holistic view of compliance status across accounts, Regions, and services. As illustrated below, these dashboards enabled the BMW DevOps teams to quickly and easily identify compliance gaps and take action.
Figure 2: BMW compliance assessment Amazon QuickSight dashboard
How has this solution helped drive continuous improvement?
Previously, BMW needed to manually review each AWS account and workload to identify non-compliant resources and optimization opportunities. As development is continuous, reviews were performed on a regular basis throughout the development lifecycle and after each major release. This process was time-consuming and required significant resources.
With this automated end-to-end solution, BMW now proactively generates visual reports of any non-compliant findings and offers additional information, such as a description and possible remediations, to the relevant DevOps team. This significantly reduced the overhead required for compliance (e.g., searching for documentation to understand the issue and/or its remedies) and released resources previously devoted to manual reviews. Teams can now focus their efforts on innovation and developing exciting digital services.
Even for advanced DevOps teams, keeping up with the rapid pace of change and innovation can prove challenging. By providing guardrails and recommendations directly in the workflow, this solution helped bridge knowledge gaps in areas where DevOps teams do not have deep AWS expertise and build compliant and optimized workloads faster.
Taking this further, BMW integrated a generative AI chatbot, powered by Amazon Bedrock, to build on the workflow and automatically provide remediation recommendations and code snippets. This guides teams to resolve issues and remediate findings faster and in an automated way, as detailed in this re:Invent innovation talk including Jens Kohl from BMW Group: From Hype to impact: Building a generative AI architecture, and this AWS blog post: BMW Group Develops a GenAI Assistant to Accelerate Infrastructure Optimization on AWS.
As workloads scale and new insights emerge, BMW leverages AWS CloudFormation Guard, through AWS Config custom policy rules, and the AWS Config Rule Development Kit (RDK) library to continuously expand the rule set and raise standards over time. Teams develop new policies and rules to check for additional best practices based on learnings, creating a cycle of continuous improvement, increased efficiency, and spinning the automation flywheel faster.
Figure 3: BMW end-to-end compliance assessment workflow
Conclusion
This solution has not only optimized resource utilization, but also improved cost optimization. As BMW continues expanding their workloads on AWS, they plan to continue to leverage AWS Config and AWS Trusted Advisor to optimally manage workloads’ compliance whilst exploring new efficiency initiatives.
To learn more about BMW’s journey, see this re:Invent talk including Jens Kohl from BMW Group: Implementing end-to-end compliance on AWS, featuring BMW.