mission (not) impossible: nist 800-53 high impact controls on aws | aws public sector summit 2016


Upload: amazon-web-services

Post on 13-Apr-2017


TRANSCRIPT

Page 1: Mission (Not) Impossible: NIST 800-53 High Impact Controls on AWS | AWS Public Sector Summit 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Bryan Webster, Principal Architect, Trend Micro Brett Miller, Professional Services Consultant, AWS

June 20, 2016

Mission (Not) Impossible: NIST 800-53 high impact controls on AWS

Page 2

Why we’re here today

• Learn how to implement NIST SP 800-53 (rev 4) High Impact security controls with AWS & partner technology
• Provide reusable building blocks and sample code
• Demonstrate automated deployment and integration of multiple technologies

Mission: Impossible → Possible

Page 3

What are the challenges of achieving NIST high impact security controls on AWS?

Page 4

AWS and you share responsibility for security

AWS takes care of the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

You get to define your controls ON the Cloud:
• Customer applications & content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption

Page 5

Enterprise Accelerator for NIST SP 800-53 (rev 4)

Works in AWS GovCloud (US) & commercial AWS regions

Page 6

Page 7

Page 8

Leveraging AWS services for NIST controls

Page 9

AWS Identity & Access Management (IAM)

What is configured? Base security, IAM and access configuration for the AWS account

Why?
• Manage user access
• Programmatically implement controls for machines, roles, groups and data access

Control Families
• Access Control
• Audit & Accountability
• Configuration Management
• Contingency Planning
• Identification & Authentication
• System & Communications Protection
• System & Information Integrity

(CloudFormation stack status: CREATE_IN_PROGRESS → CREATE_COMPLETE)

Page 10

AWS CloudTrail

What is configured? Define S3 bucket, versioning enabled, capture all events

Why?
• Automated audit of infrastructure and change management

Control Families
• Access Control
• Audit & Accountability
• Configuration Management

(CloudFormation stack status: CREATE_IN_PROGRESS → CREATE_COMPLETE)
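The CloudTrail configuration on this slide (an S3 bucket with versioning enabled and a trail that captures all events), as an added example that is not the talk's or the Quick Start's own code: a CloudFormation template expressed as a Python dict, plus a small pre-deployment check that flags the settings an auditor would look for. The logical IDs (AuditLogBucket, AuditLogBucketPolicy, AuditTrail) are assumptions; the resource types and property names are the documented CloudFormation ones.

```python
"""Added example (not from the talk or the Quick Start): a CloudTrail
baseline as a CloudFormation template (Python dict, same shape as the JSON)
and a checker for the settings the slide calls out."""
import copy
import json

# Constructed template. Logical IDs are assumptions for this example.
# With no EventSelectors set, the trail records all management events.
TRAIL_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AuditLogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"VersioningConfiguration": {"Status": "Enabled"}},
        },
        "AuditLogBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "AuditLogBucket"},
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {   # CloudTrail checks the bucket ACL before it writes.
                            "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
                            "Principal": {"Service": "cloudtrail.amazonaws.com"},
                            "Action": "s3:GetBucketAcl",
                            "Resource": {"Fn::Sub": "arn:aws:s3:::${AuditLogBucket}"},
                        },
                        {   # Log objects must be written with bucket-owner-full-control.
                            "Sid": "AWSCloudTrailWrite", "Effect": "Allow",
                            "Principal": {"Service": "cloudtrail.amazonaws.com"},
                            "Action": "s3:PutObject",
                            "Resource": {"Fn::Sub": "arn:aws:s3:::${AuditLogBucket}/AWSLogs/${AWS::AccountId}/*"},
                            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
                        },
                    ],
                },
            },
        },
        "AuditTrail": {
            "Type": "AWS::CloudTrail::Trail",
            "DependsOn": "AuditLogBucketPolicy",  # the policy must exist before CloudTrail validates the bucket
            "Properties": {
                "S3BucketName": {"Ref": "AuditLogBucket"},
                "IsLogging": True,
                "IsMultiRegionTrail": True,          # every region, not only the stack's
                "IncludeGlobalServiceEvents": True,  # IAM, STS and other global APIs
                "EnableLogFileValidation": True,     # signed digest files for log integrity
            },
        },
    },
}

REQUIRED_TRAIL_FLAGS = ("IsLogging", "IsMultiRegionTrail",
                        "IncludeGlobalServiceEvents", "EnableLogFileValidation")


def _ref(value):
    """Return the logical ID behind a {"Ref": ...}, or the plain value."""
    return value.get("Ref") if isinstance(value, dict) else value


def audit_trail_template(template):
    """Return a list of findings; an empty list means the baseline is met."""
    resources = template.get("Resources", {})
    findings = []
    trails = {lid: r for lid, r in resources.items() if r.get("Type") == "AWS::CloudTrail::Trail"}
    if not trails:
        return ["no AWS::CloudTrail::Trail resource in template"]
    # Buckets that have a bucket policy attached somewhere in the template.
    policies = {_ref(r["Properties"].get("Bucket")) for r in resources.values()
                if r.get("Type") == "AWS::S3::BucketPolicy"}
    for lid, trail in trails.items():
        props = trail.get("Properties", {})
        for flag in REQUIRED_TRAIL_FLAGS:
            if props.get(flag) is not True:
                findings.append(f"{lid}: {flag} must be true")
        bucket_id = _ref(props.get("S3BucketName"))
        bucket = resources.get(bucket_id)
        if bucket is None or bucket.get("Type") != "AWS::S3::Bucket":
            findings.append(f"{lid}: S3BucketName does not reference a bucket in this template")
            continue
        versioning = bucket.get("Properties", {}).get("VersioningConfiguration", {})
        if versioning.get("Status") != "Enabled":
            findings.append(f"{bucket_id}: versioning must be Enabled")
        if bucket_id not in policies:
            findings.append(f"{bucket_id}: no bucket policy granting cloudtrail.amazonaws.com write access")
    return findings


def weakened_copy(template):
    """Deep copy with versioning suspended and log validation dropped (exercises the checker)."""
    weak = copy.deepcopy(template)
    weak["Resources"]["AuditLogBucket"]["Properties"]["VersioningConfiguration"]["Status"] = "Suspended"
    del weak["Resources"]["AuditTrail"]["Properties"]["EnableLogFileValidation"]
    return weak


if __name__ == "__main__":
    print(json.dumps(TRAIL_TEMPLATE, indent=2))  # the JSON you would hand to CloudFormation
    print("baseline findings:", audit_trail_template(TRAIL_TEMPLATE))
    print("weakened findings:", audit_trail_template(weakened_copy(TRAIL_TEMPLATE)))
```

The check deliberately inspects the template rather than the deployed account: catching a suspended bucket or a single-region trail before `CREATE_IN_PROGRESS` is cheaper than finding it in the next audit.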

Page 11

Page 12

Amazon SNS, AWS CloudWatch

What is configured? Security alarms and notifications

Why?
• Automated exception notification and configurable alarms
• Triggering incident response

Control Families
• Access Control
• Audit & Accountability
• Configuration Management

(CloudFormation stack status: CREATE_IN_PROGRESS → CREATE_COMPLETE)
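The alarm-and-notify pattern on this slide, as an added example that is not from the talk or the Quick Start: in the deployed stack a CloudWatch Logs metric filter counts matching CloudTrail records, a CloudWatch alarm fires when the count reaches its threshold, and Amazon SNS notifies the responder. The block below reproduces that logic offline in Python over constructed CloudTrail records, so the filter conditions and thresholds can be reviewed and tested before they are written into a template. The alarm names, filter predicates, thresholds and the SNS topic ARN placeholder are all assumptions.

```python
"""Added example (not from the talk): an offline rendition of
'metric filter -> alarm -> SNS notification' over constructed CloudTrail records."""
from collections import Counter

# Constructed CloudTrail records, trimmed to the fields the filters use.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "AccessDenied"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "eventType": "AwsConsoleSignIn"},
    {"eventName": "PutUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole", "userName": "ops"}},
]

# IAM API calls that change who can do what; a change here is worth a ticket.
IAM_POLICY_EVENTS = {
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "CreatePolicy", "DeletePolicy",
    "AttachUserPolicy", "DetachUserPolicy", "AttachRolePolicy", "DetachRolePolicy",
}


def is_unauthorized_call(ev):
    """Unauthorized API call: AccessDenied or any *UnauthorizedOperation error code."""
    code = ev.get("errorCode", "")
    return code == "AccessDenied" or code.endswith("UnauthorizedOperation")


def is_root_activity(ev):
    """Direct use of the root account; service-initiated events are excluded."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def is_iam_policy_change(ev):
    """IAM policy create/attach/delete activity."""
    return ev.get("eventName") in IAM_POLICY_EVENTS


# (alarm name, predicate, threshold): the alarm fires when the number of
# matching records in one evaluation window is >= threshold. Assumed values.
ALARMS = [
    ("UnauthorizedAPICalls", is_unauthorized_call, 1),
    ("RootAccountUsage", is_root_activity, 1),
    ("IAMPolicyChanges", is_iam_policy_change, 1),
]


def evaluate_alarms(events, alarms=ALARMS):
    """Return {alarm_name: matched_count} for every alarm that breached its threshold."""
    counts = Counter()
    for ev in events:
        for name, predicate, _threshold in alarms:
            if predicate(ev):
                counts[name] += 1
    return {name: counts[name] for name, _p, threshold in alarms if counts[name] >= threshold}


def build_notifications(breached, topic_arn):
    """Messages that would be published to the SNS topic (topic ARN is a placeholder)."""
    return [f"ALARM {name}: {n} matching CloudTrail event(s) -> publish to {topic_arn}"
            for name, n in sorted(breached.items())]


if __name__ == "__main__":
    breached = evaluate_alarms(SAMPLE_EVENTS)
    for msg in build_notifications(breached, "arn:aws:sns:REGION:ACCOUNT_ID:security-alarms"):
        print(msg)
```

Keeping each filter as a named predicate with its own threshold mirrors how the CloudWatch resources end up in the template (one metric filter and one alarm per condition), and lets the conditions be unit-tested against known-bad records before they guard a production account.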

Page 13

VPC, NACL, Security Groups

What is configured? Provides networking configuration for a standard management VPC; enforces traffic with NACLs

Why?
• Programmatic delivery of network infrastructure and access controls

Control Families
• Access Control

(CloudFormation stack status: CREATE_IN_PROGRESS → CREATE_COMPLETE)

Page 14

Page 15

Infrastructure security

Cloud Infrastructure: IAM, AWS CloudTrail, Amazon SNS, Amazon VPC, NACL

Operating System, Data, Applications:
• Network Security: Intrusion prevention, Firewall
• File Security: Anti-malware and Integrity Monitoring
• Log Inspection and Application Scanning

Page 16

Trend Micro Deep Security

All in a single, host-based tool:
• Anti-malware
• Integrity Monitoring
• Intrusion Prevention
• Log Inspection
• Web Reputation
• Host Firewall

• Seamlessly integrated with EC2
• Deploy as AMI, SaaS or software

Page 17

Page 18

Leveraging Deep Security for NIST controls

Page 19

Management and Visibility

What is configured? Deploys Deep Security Manager to AWS

Why?
• Visibility of EC2 resources
• Single console with integrated threat information

Applicable Controls
• Access Control
• Audit & Accountability
• Incident Response
• Risk Assessment
• System & Communications Protection
• System & Information Integrity

(CloudFormation stack status: CREATE_IN_PROGRESS → CREATE_COMPLETE)

Page 20

File Controls

What is configured? Anti-Malware, Integrity Monitoring, Log Inspection

Why?
• Discover and block malicious code
• Monitor files for changes
• Inspect existing logs for indications of unusual activity

Applicable Controls
• Audit & Accountability
• Configuration Management
• System & Information Integrity

Applicable Controls
• Audit & Accountability
• Security Assessment & Authorization
• Configuration Management
• System & Information Integrity

(CloudFormation stack status: CREATE_IN_PROGRESS → CREATE_COMPLETE)

Page 21

Network Controls

What is configured? Intrusion detection & prevention, Firewall

Why?
• Add additional stateful controls to enhance security groups and NACLs
• Add layer 7 visibility and inspection

Applicable Controls
• Security Assessment & Authorization
• Audit & Accountability
• Configuration Management
• Contingency Planning
• Identification & Authentication
• System & Communications Protection
• System & Information Integrity

(CloudFormation stack status: CREATE_IN_PROGRESS → CREATE_COMPLETE)

Page 22

Page 23

Automating NIST controls with AWS CloudFormation

Page 24

AWS CloudFormation

Why use it?
• Infrastructure as code
• Repeatable
• Audit baseline

Page 25

Third party integration with CloudFormation

If you can’t automate 3rd party products with AWS CloudFormation, they aren’t built for AWS

Page 26

AWS + Trend Micro Enterprise Accelerator: NIST 800-53 High Impact Controls

• Adds additional coverage for High Impact controls
• Design philosophy
• NIST SP 800-53 (r4) security controls best practices
• Sample implementation for many different resource types and hundreds of controls
• Plug and play sub-templates to fit your requirements

Page 27

https://aws.amazon.com/quickstart/

• Trend Micro Deep Security
• AWS Enterprise Accelerator - Compliance: NIST High Impact controls
• AWS Enterprise Accelerator: NIST High Impact controls

Page 28

Major NIST SP 800-53 (rev4) Trend Micro + AWS coverage

Control families charted (legend: Customer, Overall, Inherited, Shared):
• Access Control
• Audit & Accountability
• Configuration Management
• Contingency Planning
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical & Environmental Protection
• Risk Assessment
• Security Assessment & Authorization
• System & Communications Protection
• System & Information Integrity
• System & Services Acquisition

Page 29

Page 30

Enterprise Accelerator: Quick Start CloudFormation Stack

2,500 lines of JSON code = 126 AWS Resources, 200+ API Actions

Deep Security Stack: Deep Security Manager, Agents, and required AWS Infrastructure
• Prevent malicious code execution
• Block remote exploits
• Shield app vulnerabilities
• Detect OS and app changes

AWS resources in the stack:
• Amazon EC2 Instances, Availability Zones, Amazon RDS databases, Auto Scaling
• ELB load balancers, Amazon S3 Bucket Policies, Security Groups, Amazon SNS, Amazon SQS, Amazon CloudWatch
• VPCs, Subnets, Gateways, Route Tables, NACLs
• Users, Groups & Roles, CloudFormation access, and Service Catalog constraints

Page 31

Page 32

Additional Resources

• Spreadsheet with High security controls mapping
• GitHub repo
• Templates
• Deployment guide: tailor and deploy template

https://docs.aws.amazon.com/quickstart/latest/accelerator-nist-high-impact/welcome.html

aws.amazon.com/quickstart/

Page 33

Question & Answer

Page 34

trendmicro.com/aws