© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chad Woolf, AWS Director of Risk and Compliance
Tim Sandage, AWS Senior Risk and Compliance Strategist
October 2015
SEC312: Reliable Design and Deployment of Security and Compliance
What to expect from this session
• Technical session for audit/governance users
• “Security by Design” approach: consuming AWS securely
• Live demo of these concepts
• Key resources for achieving this in your own AWS account
When, not a matter of if
Regulated, audited, and sensitive data will be better fit to be stored and processed in the cloud.
The AWS cloud allows for advanced governance
Manual auditing in a simple world   | Governance in a complex world
Thick procedure manuals             | Software-enforced processes
Periodic surveys                    | Alarming/triggering
Few truly automated controls        | Ubiquitous, software-driven, predictable controls
Sample testing, hoping              | Full population monitoring, test of 1
Evolution of compliance at AWS
AWS certifications
Customer enabler docs
Customer case studies
Security by Design tech (SbD)
SbD technologies: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
Quality by Design – QbD
“Quality by Design (QbD) is a modern, scientific approach that formalizes product design, automates manual testing, and streamlines troubleshooting. It is a systematic approach to ensure quality; instead of relying on finished product testing alone, QbD provides insights upstream throughout the development process.” – DPT Labs, “What Is Quality by Design (QbD)—And Why Should You Care?”
http://www.dptlabs.com/wp-content/uploads/2013/05/What-is-Quality-by-Design-QbD-and-Why-Should-You-Care.pdf
Security by Design – SbD
Security by Design (SbD) is a modern, security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. It is a systematic approach to ensure security; instead of relying on after-the-fact auditing, SbD provides control insights throughout the IT management process.
SbD technologies: CloudTrail, CloudHSM, IAM, KMS, Config
Impact of Security by Design
SbD – Scripting your governance policy
Result: Reliable technical implementation of administrative controls
Elements of a secure architecture
1. Create a golden environment
2. Enforce AWS Service Catalog
3. Create permissions to use AWS services
What you do in any IT environment
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Gold OS images
• Encryption algorithms for data in transit and at rest
Golden code: Security translation to AWS
Diagram: the gold image, NTP, and NAT settings and the network ACLs, subnets, and firewall rules are translated into AWS JSON.
Create a golden environment
• Create a gold OS image
• Configure use of AWS services, for example:
Amazon S3:
• Force SSE
• Turn on logging
• Specify retention
• Set Amazon Glacier archiving
• Prevent external access
• Specify overriding permissions
• Set event notifications
Amazon EBS:
• Define volume type
• Volume size limits
• IOPS performance (input/output)
• Data location – regions
• Snapshot (backup) ID
• Encryption requirements
Amazon Redshift:
• Cluster type (single or multi)
• Encryption (KMS or HSM)
• VPC location
• External access (yes/no)
• Security groups applied
• Create SNS topic
• Enforce Amazon CloudWatch alarms
Demo: Configuring S3 in the GUI
Logging
{
  "LoggingEnabled": {
    "TargetPrefix": "logs/",
    "TargetBucket": "audit-aws-cloudtrail-s3"
  }
}
Lifecycle
{
  "Rules": [
    {
      "Status": "Enabled",
      "Prefix": "",
      "Transition": {
        "Days": 180,
        "StorageClass": "GLACIER"
      },
      "ID": "Rule for the Entire Bucket"
    }
  ]
}
Console/web view | Command-line view
Create a golden environment – SNS, CloudTrail, and S3 template
The template:
• Creates an S3 bucket for CloudTrail
• Creates an SNS topic
• Turns on S3 logging for CloudTrail logs
• Sets SNS notification
• Sets security for the CloudTrail S3 bucket
Create a golden environment – Help!
• Whitepapers – Security best practices
• AWS Solutions Architects, AWS Professional Services
• AWS Partners
• AWS GoldBase – Tactical enablers
Enforce AWS Service Catalog
• Allows administrators to create and manage approved catalogs of resources (products) that end users can access via a personalized portal.
• An AWS Service Catalog product is a deployable AWS CloudFormation template.
Provisioning Team creates and manages Service Catalog products built from CloudFormation templates
Demo: AWS Service Catalog
Demo will include: CloudFormation templates enforcement
• Portfolios
• Products
• Permissions (IAM)
• Create/deploy
• User launch
• Constraints
• Tags
Create permissions to use AWS services
AWS Service Catalog
• Gives workload owners permissions to deploy templates and nothing more
Diagram: a Main.json CloudFormation template plus additional CloudFormation templates; AWS Service Catalog constraints specify the IAM role used only for template deployment; the workload owner launches with limited IAM permissions.
Demo: IAM permission
AWS Service Catalog permissions – Who has access to a particular resource?
Network resource, permission matrix (Read / Write / List): Bob, Doug, Jim, Sara
Server resources, permission matrix (Read / Write / List): Bob, Larry, Sam
Demo: IAM overview
• Users, groups, and roles
• User settings
• Default IAM policies
• Custom IAM policies
• Account settings
• Roles versus users
Impact of Security by Design
SbD – Scripting your governance policy
Result: Reliable technical implementation of administrative controls
Closing the loop: AWS Config Rules
• AWS Config Rules: a sweeping check of whether your security design is deployed in existing environments
• Accurate, complete audit
AWS Config Rules
How Config Rules can be used to audit any environment
Diagram: Config Rule → Config results
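An added example, not code from the session or from AWS, that closes the loop described above: a Python evaluator in the shape of a Config Rule, checking the S3 golden-environment controls from the "Create a golden environment" slides (logging to the CloudTrail audit bucket, the 180-day Glacier lifecycle rule, forced SSE) over bucket configuration dicts that mirror what the S3 API returns for bucket logging, lifecycle, and policy. The bucket names, the SSE-enforcing bucket policy, and the drifted "scratch" bucket are all constructed for the example.

```python
# Added example, not code from the session or from AWS: a Config-Rule-style audit of
# the S3 golden controls on the slides (logging to the audit bucket, Glacier retention,
# forced SSE) over dicts shaped like the S3 API's logging, lifecycle and policy replies.
import json

AUDIT_BUCKET = "audit-aws-cloudtrail-s3"  # target bucket in the slide's logging JSON
MAX_GLACIER_DAYS = 180                    # transition age in the slide's lifecycle JSON

def logging_ok(logging_cfg):
    return logging_cfg.get("LoggingEnabled", {}).get("TargetBucket") == AUDIT_BUCKET

def lifecycle_ok(lifecycle_cfg):
    # Need one enabled, bucket-wide rule that archives to Glacier within the limit.
    return any(r.get("Status") == "Enabled" and r.get("Prefix", "") == ""
               and r.get("Transition", {}).get("StorageClass") == "GLACIER"
               and r["Transition"].get("Days", MAX_GLACIER_DAYS + 1) <= MAX_GLACIER_DAYS
               for r in lifecycle_cfg.get("Rules", []))

def sse_forced(policy_json):
    # "Force SSE": a Deny on s3:PutObject whenever no x-amz-server-side-encryption header is sent.
    for st in json.loads(policy_json or '{"Statement": []}')["Statement"]:
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        null_cond = st.get("Condition", {}).get("Null", {})
        if (st.get("Effect") == "Deny" and "s3:PutObject" in actions
                and str(null_cond.get("s3:x-amz-server-side-encryption")).lower() == "true"):
            return True
    return False

def evaluate(bucket):
    """Return (ComplianceType, annotation) as a Config Rule evaluation would."""
    failed = [name for name, ok in (("logging", logging_ok(bucket["logging"])),
                                    ("lifecycle", lifecycle_ok(bucket["lifecycle"])),
                                    ("sse", sse_forced(bucket["policy"]))) if not ok]
    return (("NON_COMPLIANT", "missing controls: " + ", ".join(failed)) if failed
            else ("COMPLIANT", "all golden S3 controls present"))

# Constructed sample data: "app-data" was built from the golden template, "scratch" drifted.
SSE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-data/*",
    "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]})
BUCKETS = {
    "app-data": {"logging": {"LoggingEnabled": {"TargetPrefix": "logs/", "TargetBucket": AUDIT_BUCKET}},
                 "lifecycle": {"Rules": [{"ID": "Rule for the Entire Bucket", "Status": "Enabled",
                               "Prefix": "", "Transition": {"Days": 180, "StorageClass": "GLACIER"}}]},
                 "policy": SSE_POLICY},
    "scratch": {"logging": {}, "policy": None, "lifecycle": {"Rules": [{"Status": "Disabled",
                "Prefix": "", "Transition": {"Days": 365, "StorageClass": "GLACIER"}}]}},
}
def audit_all(buckets=BUCKETS):
    return {name: evaluate(cfg) for name, cfg in buckets.items()}
```

In a real account the three input dicts would come from the bucket's logging, lifecycle, and policy API responses, and the returned pair is what a custom Config Rule reports back per resource.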
AWS Config Rules session
SEC314 – AWS Config: Full Visibility and Improved Governance of Your AWS Resources
Thursday, October 8, 5:30–6:30 PM – Palazzo K
AWS Inspector: Audit perspective
• Inspector: In-host assistance
• Session: SEC324 – Introducing Amazon Inspector – Security Insight into Your Application Deployments (5:30 P.M. tomorrow)
SbD: The Next Big Thing in IT GRC
AWS provides Governance, Risk, and Compliance (GRC) teams:
1. The right SbD tech – AWS
2. SbD whitepaper
3. AWS GoldBase
   1. Security controls implementation matrix
   2. Architecture diagrams
   3. CloudFormation templates – Industry compliance templates for PCI, NIST 800-53, HIPAA, FFIEC, and CJIS
   4. User guides and deployment instructions
4. AWS Config Rules – Auditing
5. AWS Inspector – Advanced in-host security and audit
6. Training
Getting started
aws.amazon.com/compliance/securitybydesign
• SbD whitepaper – To wrap your head around this topic
• AWS GoldBase whitepaper – Explore the resources and templates
• Auditing Your Architecture self-training QuickLab ($27)
• Auditing Your Architecture – 6 hrs, 3 labs, instructor led (AWS or Partner provided)
• email: [email protected]
Related sessions
• SEC302 – IAM Best Practices to Live By (1:30 P.M. today – see the replay on YouTube)
• SEC324 – Introducing Amazon Inspector – Security Insight into Your Application Deployments (5:30 P.M. tomorrow)
• SEC305 – Become an AWS IAM Policy Ninja in 60 Minutes or Less (11:00 A.M. tomorrow)
• SEC314 – AWS Config: Full Visibility and Improved Governance of Your AWS Resources (5:30 P.M. tomorrow)
Remember to complete your evaluations!
Thank you!