AWS GovCloud (US) for Highly Regulated Workloads | AWS Public Sector Summit 2016
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chris Gile, Senior Manager, AWS Security Assurance
June 20, 2016
AWS GovCloud (US) for Highly Regulated Workloads
Security assurance programs overview
AWS GovCloud (US)
FedRAMP-Mod
SRG Level 4
FIPS 140-2
US Persons
ITAR/Export Controlled
NIST 800-171
DISA SRG L2/4
CJIS
FISMA
Connectivity (API, VPN, DX)
Amazon EC2, Amazon S3, Amazon EBS, Amazon VPC, AWS Identity & Access Management (IAM), Amazon Redshift
Secure the cloud, with the cloud
AWS security protection and certification
• Advanced security protection
• Enhanced auditability
Security features in the customer environment
• Amazon Inspector
• AWS WAF
• AWS Config Rules
• Identity management
• Access control
• Usage auditing
• Key storage
• Monitoring and logs
Customer security and compliance
• FedRAMP
• FISMA
• DoD RMF
• Financial reporting
• Healthcare/life sciences
• Local requirements
Security assurance programs: FedRAMP
AWS GovCloud (US)
FedRAMP-Mod
FIPS 140-2
US Persons
EC2 | S3 | EBS | VPC | IAM | Amazon Redshift
Inherited: MAMPPA
FedRAMP continuous monitoring
3 AWS FedRAMP packages
AWS FedRAMP SSP template
Agency authorization requirements
https://aws.amazon.com/solutions/case-studies/finra/
https://aws.amazon.com/compliance/fedramp/
Security assurance programs: DoD SRG
AWS GovCloud (US)
SRG Level 4
FIPS 140-2
US Persons
FedRAMP continuous monitoring
AWS FedRAMP package
AWS FedRAMP SSP template
DFARS
Inherited: MAMPPA
EC2 | S3 | EBS | VPC | IAM
Agency authorization requirements
https://aws.amazon.com/government-education/defense/
https://aws.amazon.com/compliance/dod/
Security assurance programs: CJIS
AWS GovCloud (US)
FIPS 140-2
US Persons
CJIS Security Policy v5.5
CJIS Security Policy Workbook
FedRAMP Assessments
Inherited: MAMPPA
EC2 | S3 | EBS | VPC | IAM | Amazon Redshift
Agency authorization requirements
https://aws.amazon.com/blogs/publicsector/cjis/
https://aws.amazon.com/compliance/cjis
NIST 800-171
• Confidentiality of CUI
• 14 control families, 109 requirements
• Maps to 131 NIST 800-53r4 controls
https://blogs.aws.amazon.com/security/post/Tx115XWF9J5G4MM/Need-NIST-Compliance-in-the-AWS-Cloud-AWS-Compliance-Has-You-Covered-NIST-800-171
IRS Pub 1075
Mandatory FTI Req’t for Cloud    Responsibility
Notification of use              Customer
Data isolation                   AWS/Customer
SLA                              Customer
Encryption in transit            AWS/Customer
Encryption at rest               AWS/Customer
Data deletion                    AWS/Customer
Risk assessment                  AWS/Customer
Security controls                AWS/Customer
http://aws.amazon.com/compliance/irs-1075/
Security Assurance Links
https://aws.amazon.com/compliance
https://aws.amazon.com/security
https://aws.amazon.com/compliance/fedramp
https://aws.amazon.com/compliance/dod
https://aws.amazon.com/compliance/resources
https://aws.amazon.com/govcloud-us
https://aws.amazon.com/documentation
[email protected]
https://aws.amazon.com/professional-services/enterprise-accelerators/compliance-jumpstart/
Thank you!