Control Security by Design - CLOUDSEC

www.cloudsec.com/tw | #CLOUDSEC

Harry Lin 林書平, Solutions Architect, Amazon Web Services

30 pages. Posted 26-Aug-2020.

TRANSCRIPT

Page 1: Control Security by Design - CLOUDSEC · CloudFormation: Infrastructure as Code Describe almost any AWS resource and have it automatically provisioned as a set of resources with a

www.cloudsec.com/tw | #CLOUDSEC

Control Security by Design

Harry Lin 林書平, Solutions Architect

Amazon Web Services

Page 2

What to Expect From This Session

• Learn approaches to compliance that enable and are improved by modern cloud technology
• Embrace core security design and operational principles that address regulatory requirements as a result
• How to use AWS security services to build an automatic compliance environment

Page 3

Why is security such a hot topic?

Because it’s important, and it’s hard

Technology

Control/Compliance

Page 4

2016 for IT/Developers

https://www.flickr.com/photos/via/

Page 5

2016 for Auditors and Security Teams

https://www.flickr.com/photos/anniemole/

Page 6

Incentives and Perspectives

IT/Developers:
• Incentives
  • Speed
  • Features
• Want
  • Freedom to innovate
  • New technology

Security:
• Incentives
  • Compliance with regulatory obligations
  • Verifiable processes
• Want
  • Well-known technology
  • Predictability and stability

Page 7

Who Cares About These Answers?

• When did that configuration/code change?
• Who made the change?
• Who logged in to that host?
• What did they do?
• Who pushed that code?
• Was that build tested before deployment?
• What were the test results?
• What are the monitoring and recovery mechanisms?

Page 8

Two Approaches

https://www.flickr.com/photos/sp8254/
https://www.flickr.com/photos/29853404@N03/

Page 9

AWS Security By Design

Security Requirements: implement necessary controls from the design phase

Page 10

Security by Design – SbD

• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing
• Provides control insights throughout the IT management process

Services shown: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config

Page 11

SbD – Scripting your governance policy

• Set of CloudFormation templates that accelerate compliance with PCI, HIPAA, FFIEC, FISMA, CJIS
• Result: Reliable technical implementation of administrative controls

Page 12

AWS SbD Advantages

IT/Developers Benefits:
• Trade capital expense for variable expense
• Benefit from massive economies of scale
• Stop guessing capacity
• Increase speed and agility
• Stop spending money on data centers
• Go global in minutes

Security Benefits:
• Designed for Security & Quality
• Constantly Monitored
• Highly Automated
• Highly Available
• Highly Accredited
• Repeatable with same quality

ISO 9001:2008, ISO 27001:2013, ISO 27017:2015, ISO 27018:2014

Page 13

Three Lines of Defense - Objective

1st Line of Defense - Operations. Objective:
• Risk Management Operations
• Owns and Manages Risks

2nd Line of Defense - Supervisory. Objective:
• Control (Compliance & Risk)
• Establishes supervisory framework to monitor and validate controls

3rd Line of Defense - Evaluation. Objective:
• Evaluates Program
• Tests effectiveness of controls and monitoring programs (Auditing)

Page 14

Three Lines of Defense – AWS Services

Diagram: AWS applicable services mapped to the three lines (1st Line of Defense - Operations, 2nd Line of Defense - Supervisory, 3rd Line of Defense - Evaluation). Services shown: Amazon VPC, AWS CloudTrail, AWS IAM, AWS KMS, Amazon CloudWatch, IAM Permissions, AWS CloudFormation, AWS Config, AWS Config Rules, AWS Service Catalog, Amazon Inspector, Amazon S3, Deep Security.

Page 15

1st Line of Defense – Configuration Management

Page 16

CloudFormation: Infrastructure as Code

Describe almost any AWS resource and have it automatically provisioned as a set of resources with a single API call (API-driven security).

Template: a JSON-formatted file describing the resources to be created. Treat it as source code: put it in your repository.

AWS CloudFormation Engine: the AWS service component that processes a CloudFormation template into stacks.

Stack: a collection of resources created by AWS CloudFormation. API calls to Create, Update, and Delete.

Page 17

Configuration Management in AWS

Flow (diagram): Admin defines a CloudFormation template -> publishes it to AWS Service Catalog -> Users browse and launch -> AWS Service Catalog provisions a CloudFormation stack.

Page 18

2nd Line of Defense – Configuration Monitoring

Page 19

AWS Config

• AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.

Page 20

Config Rules

• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes

Page 21

AWS Config & Config Rules

Flow (diagram): Changing Resources -> Record -> Normalize -> Store -> Deliver (Stream; Snapshot, e.g. 2014-11-05; History) -> AWS Config APIs. Rules check the recorded configuration.

Page 22

AWS Managed Rules

• All EC2 instances must be inside a VPC.
• All attached EBS volumes must be encrypted, with KMS ID.
• CloudTrail must be enabled, optionally with S3 bucket, SNS topic and CloudWatch Logs.
• All security groups in attached state should not have unrestricted access to port 22.
• All EIPs allocated for use in the VPC are attached to instances.
• All resources being monitored must be tagged with specified tag keys:values.
• All security groups in attached state should not have unrestricted access to these specific ports.
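As an added example (not AWS's managed-rule code and not part of the slides), the Python below evaluates two of the checks listed above, unrestricted access to port 22 (or other specified ports) and EBS volumes encrypted with a given KMS key, in the shape of an AWS Config custom rule invoked per configuration item. The configuration items are constructed samples; the configuration field names (ipPermissions, ipRanges, ipv4Ranges, ipv6Ranges, encrypted, kmsKeyId) and the rule parameter names blockedPorts and kmsId are this example's assumptions about the configuration-item format.

```python
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
WORLD = {"0.0.0.0/0", "::/0"}  # "unrestricted access" means open to any IPv4 or IPv6 source

def rule_covers_port(rule, port):
    """True if an ingress rule is all-traffic (protocol -1) or its port range includes `port`."""
    if rule.get("ipProtocol") == "-1":
        return True
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi

def evaluate_security_group(configuration, restricted_ports=(22,)):
    """NON_COMPLIANT when any ingress rule exposes a restricted port to the whole internet."""
    for rule in configuration.get("ipPermissions", []):
        cidrs = set(rule.get("ipRanges", []))  # assumed: IPv4 CIDRs as plain strings here...
        cidrs |= {r.get("cidrIp") for r in rule.get("ipv4Ranges", [])}  # ...and as objects here
        cidrs |= {r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])}
        if cidrs & WORLD and any(rule_covers_port(rule, p) for p in restricted_ports):
            return NON_COMPLIANT
    return COMPLIANT

def evaluate_volume(configuration, required_kms_key_id=None):
    """NON_COMPLIANT unless the EBS volume is encrypted, with the required KMS key when one is given."""
    if not configuration.get("encrypted"):
        return NON_COMPLIANT
    if required_kms_key_id and configuration.get("kmsKeyId") != required_kms_key_id:
        return NON_COMPLIANT
    return COMPLIANT

def evaluate(item, params):
    """Dispatch on resource type; resources the rule does not cover are NOT_APPLICABLE."""
    if item["resourceType"] == "AWS::EC2::SecurityGroup":
        ports = tuple(int(p) for p in params.get("blockedPorts", "22").split(","))  # parameter name is this example's
        return evaluate_security_group(item["configuration"], ports)
    if item["resourceType"] == "AWS::EC2::Volume":
        return evaluate_volume(item["configuration"], params.get("kmsId"))
    return NOT_APPLICABLE

def lambda_handler(event, context=None):
    """Custom-rule entry point: Config passes invokingEvent/ruleParameters as JSON strings; a deployed rule hands the returned dict to config.put_evaluations with event['resultToken'] (omitted so this runs offline)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": evaluate(item, params), "OrderingTimestamp": item["configurationItemCaptureTime"]}

# Constructed sample invocation: a security group allowing SSH from anywhere, with SSH and RDP blocked by parameter.
SAMPLE_EVENT = {"ruleParameters": json.dumps({"blockedPorts": "22,3389"}), "invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example", "configurationItemCaptureTime": "2020-08-26T00:00:00.000Z",
    "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}
```

The same evaluate() function can be run against a Config snapshot offline to get the dashboard's compliance view before deploying the rule.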

Page 23

Configuration Alarm

Flow (diagram): Admin defines a CloudFormation template -> publishes it to AWS Service Catalog -> Users browse and launch -> provisions a CloudFormation stack. AWS Config tracks changes to the stack's resources, and AWS Config rules notify on changes.

Page 24

3rd Line of Defense – Configuration Testing

Page 25

AWS CloudTrail

You are making API calls... on a growing set of services around the world... AWS CloudTrail is continuously recording API calls... and delivering log files to you.

Page 26

Use Cases Enabled by CloudTrail

• Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
• Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes
• Troubleshoot Operational Issues: Identify the most recent actions made to resources in your AWS account
• Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards
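Added example (not from the slides): parsing a delivered CloudTrail log file to answer the session's earlier questions, "when did that configuration change, and who made the change?". The trail records are constructed; the record fields used (eventTime, eventName, eventSource, userIdentity, sourceIPAddress, requestParameters) are standard CloudTrail record fields, while the list of state-changing event-name prefixes is this example's own and would need extending per service.

```python
import gzip, json

# Event names that change state; reads (Describe*/List*/Get*) are skipped. This prefix list is the example's own.
CHANGE_PREFIXES = ("Create", "Delete", "Modify", "Update", "Put", "Authorize", "Revoke", "Attach", "Detach", "Run", "Terminate")

def actor_of(record):
    """Who acted: IAM users by name, assumed roles/sessions by ARN, otherwise the identity type."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")

def parse_trail_file(data):
    """CloudTrail delivers gzip-compressed JSON with a top-level 'Records' list; raw JSON bytes are accepted too."""
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        data = gzip.decompress(data)
    return json.loads(data)["Records"]

def change_events(records, event_source=None):
    """(eventTime, actor, sourceIPAddress, eventName, requestParameters) for state-changing calls,
    optionally limited to one service such as 'ec2.amazonaws.com', oldest first."""
    out = []
    for r in records:
        if event_source and r.get("eventSource") != event_source:
            continue
        if not r.get("eventName", "").startswith(CHANGE_PREFIXES):
            continue
        out.append((r["eventTime"], actor_of(r), r.get("sourceIPAddress"), r["eventName"], r.get("requestParameters", {})))
    return sorted(out, key=lambda e: e[0])

def who_changed(records, resource_id):
    """Answer 'who made the change, and when?' for a resource id named in requestParameters."""
    return [(t, who, name) for t, who, _, name, params in change_events(records) if resource_id in json.dumps(params)]

# Constructed sample trail: one read-only call, one security-group change by an IAM user, one stack creation by a role.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2020-08-26T09:15:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
    {"eventTime": "2020-08-26T09:16:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22,
                           "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2020-08-26T09:05:00Z", "eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"stackName": "web-tier"}}]}).encode()
SAMPLE_TRAIL_GZ = gzip.compress(SAMPLE_TRAIL)  # the compressed form CloudTrail actually delivers to S3
```

Feeding the output of change_events into the log management solution of your choice gives the "Track Changes to AWS Resources" view above; who_changed is the per-resource drill-down an auditor asks for.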

Page 27

Configuration Log Testing

Flow (diagram): Admin defines a CloudFormation template -> publishes it to AWS Service Catalog -> Users browse and launch -> provisions a CloudFormation stack. AWS Config captures resource changes and AWS Config rules notify on changes; AWS CloudTrail captures all API interaction and delivers log files to Amazon S3.

Page 28

Move Fast OR Control Securely

Page 29

Move Fast AND Control Securely

Page 30

Harry Lin 林書平

Amazon Web Services

[email protected]