(SEC312) Reliable Design & Deployment of Security & Compliance

TRANSCRIPT

Page 1: (SEC312) Reliable Design & Deployment of Security & Compliance

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Chad Woolf, AWS Director of Risk and Compliance

Tim Sandage, AWS Senior Risk and Compliance Strategist

October 2015

SEC312

Reliable Design and Deployment of Security and Compliance

Page 2: (SEC312) Reliable Design & Deployment of Security & Compliance

What to expect from this session

• Technical session for audit/governance users
• “Security by Design” approach: consuming AWS securely
• Live demo of these concepts
• Key resources for achieving this in your own AWS account

Page 3: (SEC312) Reliable Design & Deployment of Security & Compliance

When, not a matter of if

Regulated, audited, and sensitive data will be better fit to be stored and processed in the cloud.

Page 4: (SEC312) Reliable Design & Deployment of Security & Compliance

The AWS cloud allows for advanced governance

Manual auditing in a simple world | Governance in a complex world
Thick procedure manuals | Software-enforced processes
Periodic surveys | Alarming/triggering
Few truly automated controls | Ubiquitous, software-driven, predictable controls
Sample testing, hoping | Full population monitoring, test of 1

Page 8: (SEC312) Reliable Design & Deployment of Security & Compliance

Evolution of compliance at AWS

AWS certifications
Customer enabler docs
Customer case studies
Security by Design tech (SbD)

(Service icons: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config)

Page 9: (SEC312) Reliable Design & Deployment of Security & Compliance

Quality by Design - QbD

“Quality by Design (QbD) is a modern, scientific approach that formalizes product design, automates manual testing, and streamlines troubleshooting. It is a systematic approach to ensure quality; instead of relying on finished product testing alone, QbD provides insights upstream throughout the development process.” – DPT Labs, “What Is Quality by Design (QbD)—And Why Should You Care?”

http://www.dptlabs.com/wp-content/uploads/2013/05/What-is-Quality-by-Design-QbD-and-Why-Should-You-Care.pdf

Page 10: (SEC312) Reliable Design & Deployment of Security & Compliance

Security by Design – SbD

Security by Design (SbD) is a modern, security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. It is a systematic approach to ensure security; instead of relying on after-the-fact auditing, SbD provides control insights throughout the IT management process.

(Service icons: CloudTrail, CloudHSM, IAM, KMS, Config)

Page 11: (SEC312) Reliable Design & Deployment of Security & Compliance

Impact of Security by Design

SbD – Scripting your governance policy

Result: Reliable technical implementation of administrative controls

Page 12: (SEC312) Reliable Design & Deployment of Security & Compliance

Elements of a secure architecture

1. Create a golden environment
2. Enforce AWS Service Catalog
3. Create permissions to use AWS services

Page 13: (SEC312) Reliable Design & Deployment of Security & Compliance

What you do in any IT environment

• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Gold OS images
• Encryption algorithms for data in transit and at rest

[Diagram: Golden code – security translation to AWS. The gold image, NTP, and NAT settings, together with the network ACLs, subnets, and firewall rules, are expressed as an AWS JSON translation.]

Page 14: (SEC312) Reliable Design & Deployment of Security & Compliance

Create a golden environment

• Create a gold OS image
• Configure use of AWS services, for example:

Amazon S3
• Force SSE
• Turn on logging
• Specify retention
• Set Amazon Glacier archiving
• Prevent external access
• Specify overriding permissions
• Set event notifications

Amazon EBS
• Define volume type
• Volume size limits
• IOPS performance (input/output)
• Data location – regions
• Snapshot (backup) ID
• Encryption requirements

Amazon Redshift
• Cluster type (single or multi)
• Encryption (KMS or HSM)
• VPC location
• External access (yes/no)
• Security groups applied
• Create SNS topic
• Enforce Amazon CloudWatch alarms

Page 15: (SEC312) Reliable Design & Deployment of Security & Compliance

Demo: Configuring S3 in the GUI

The same bucket settings are shown in the console/web view and in the command-line view.

Logging:

```json
{
  "LoggingEnabled": {
    "TargetPrefix": "logs/",
    "TargetBucket": "audit-aws-cloudtrail-s3"
  }
}
```

Lifecycle:

```json
{
  "Rules": [
    {
      "Status": "Enabled",
      "Prefix": "",
      "Transition": {
        "Days": 180,
        "StorageClass": "GLACIER"
      },
      "ID": "Rule for the Entire Bucket"
    }
  ]
}
```

Page 16: (SEC312) Reliable Design & Deployment of Security & Compliance

Create a golden environment

[Diagram: SNS, CloudTrail, and S3 template.] The template:
• Creates an S3 bucket for CloudTrail
• Creates an SNS topic
• Turns on S3 logging for CloudTrail logs
• Sets SNS notification
• Sets security for the CloudTrail S3 bucket

Page 17: (SEC312) Reliable Design & Deployment of Security & Compliance

Create a golden environment – Help!

• Whitepapers – Security best practices

• AWS Solutions Architects, AWS Professional Services

• AWS Partners

• AWS GoldBase – Tactical enablers

Page 18: (SEC312) Reliable Design & Deployment of Security & Compliance

Enforce AWS Service Catalog

• Allows administrators to create and manage approved catalogs of resources (products) that end users can access via a personalized portal.
• An AWS Service Catalog product is a deployable AWS CloudFormation template.

[Diagram: the provisioning team creates and manages Service Catalog products built from CloudFormation templates.]

Page 19: (SEC312) Reliable Design & Deployment of Security & Compliance

Demo: AWS Service Catalog

Demo will include CloudFormation template enforcement:
• Portfolios
• Products
• Permissions (IAM)
• Create/deploy
• User launch
• Constraints
• Tags

Page 20: (SEC312) Reliable Design & Deployment of Security & Compliance

Create permissions to use AWS

AWS Service Catalog
• Gives workload owners permissions to deploy templates and nothing more

[Diagram: a workload owner with limited IAM permissions launches Main.json, a CloudFormation template that references additional CloudFormation templates. AWS Service Catalog constraints specify the IAM role, which is used only for template deployment.]

Page 21: (SEC312) Reliable Design & Deployment of Security & Compliance

Demo: IAM permission

[Diagram: AWS Service Catalog permissions. Two Read / Write / List matrices show which users can reach a network resource (Bob, Doug, Jim, Sara) and which can reach server resources (Bob, Larry, Sam), answering the question "Who has access to a particular resource?"]

Demo: IAM overview
• Users, groups, and roles
• User settings
• Default IAM policies
• Custom IAM policies
• Account settings
• Roles versus users

Page 22: (SEC312) Reliable Design & Deployment of Security & Compliance

Impact of Security by Design

SbD – Scripting your governance policy

Result: Reliable technical implementation of administrative controls

Page 23: (SEC312) Reliable Design & Deployment of Security & Compliance

Closing the loop: AWS Config Rules

• AWS Config Rules: a sweeping check of whether your security design is deployed in existing environments
• Accurate, complete audit
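As an added example (not code from the talk or from AWS), the following Python check applies the golden S3 settings from the "Create a golden environment" and "Configuring S3" slides (logging to the audit bucket, Glacier transition within 180 days, forced SSE, no public access) to every bucket description it is given, in the spirit of the full-population Config Rules audit described here. The input dicts are constructed, simplified versions of the S3 API responses; the function names and the "Encryption" and "PolicyStatus" keys are assumptions.

```python
from typing import Dict, List, Tuple

# Golden settings taken from the slide's S3 logging and lifecycle JSON.
GOLDEN_LOG_BUCKET = "audit-aws-cloudtrail-s3"
MAX_GLACIER_DAYS = 180
ALLOWED_SSE = {"AES256", "aws:kms"}


def evaluate_bucket(cfg: dict) -> Tuple[str, List[str]]:
    """Return ("COMPLIANT", []) or ("NON_COMPLIANT", [reasons])."""
    findings = []
    # Turn on logging: access logs must land in the audit bucket.
    log = cfg.get("Logging", {}).get("LoggingEnabled") or {}
    if log.get("TargetBucket") != GOLDEN_LOG_BUCKET:
        findings.append("access logging not sent to audit bucket")
    # Glacier archiving: an enabled whole-bucket rule (empty prefix) must
    # transition objects to GLACIER within MAX_GLACIER_DAYS.
    archived = False
    for rule in cfg.get("Lifecycle", {}).get("Rules", []):
        tr = rule.get("Transition", {})
        if (rule.get("Status") == "Enabled" and rule.get("Prefix", "") == ""
                and tr.get("StorageClass") == "GLACIER"
                and tr.get("Days", MAX_GLACIER_DAYS + 1) <= MAX_GLACIER_DAYS):
            archived = True
    if not archived:
        findings.append("no whole-bucket GLACIER transition within 180 days")
    # Force SSE: default encryption must be AES256 or aws:kms (assumed key shape).
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in cfg.get("Encryption", {}).get("Rules", [])}
    if not algos & ALLOWED_SSE:
        findings.append("default server-side encryption not enforced")
    # Prevent external access: fail closed if the policy status is unknown.
    if cfg.get("PolicyStatus", {}).get("IsPublic", True):
        findings.append("bucket policy allows public access")
    return ("COMPLIANT" if not findings else "NON_COMPLIANT", findings)


def audit(buckets: Dict[str, dict]) -> Dict[str, str]:
    """Full-population check: every bucket gets a verdict, not a sample."""
    return {name: evaluate_bucket(cfg)[0] for name, cfg in buckets.items()}


# Constructed sample inputs: one bucket built to the golden spec, one drifted.
GOLDEN = {
    "Logging": {"LoggingEnabled": {"TargetPrefix": "logs/",
                                   "TargetBucket": GOLDEN_LOG_BUCKET}},
    "Lifecycle": {"Rules": [{"ID": "Rule for the Entire Bucket", "Status": "Enabled",
                             "Prefix": "", "Transition": {"Days": 180, "StorageClass": "GLACIER"}}]},
    "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "PolicyStatus": {"IsPublic": False},
}
DRIFTED = {"Logging": {}, "Lifecycle": GOLDEN["Lifecycle"],
           "Encryption": {}, "PolicyStatus": {"IsPublic": True}}
```

Running `audit({"golden": GOLDEN, "drifted": DRIFTED})` marks the first bucket COMPLIANT and the second NON_COMPLIANT for missing logging, missing default encryption and public access.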

Page 24: (SEC312) Reliable Design & Deployment of Security & Compliance

AWS Config Rules

How Config Rules can be used to audit any environment

[Diagram: Config rule and Config results]

Page 25: (SEC312) Reliable Design & Deployment of Security & Compliance

AWS Config Rules session

SEC314 – AWS Config: Full Visibility and Improved Governance of Your AWS Resources

Thursday, October 8, 5:30–6:30 PM – Palazzo K

Page 26: (SEC312) Reliable Design & Deployment of Security & Compliance

AWS Inspector: Audit perspective

• Inspector: In-host assistance
• Session: SEC324 – Introducing Amazon Inspector – Security Insight into Your Application Deployments (5:30 P.M. tomorrow)

Page 27: (SEC312) Reliable Design & Deployment of Security & Compliance

SbD: The Next Big Thing in IT GRC

AWS provides Governance, Risk, and Compliance (GRC) teams:

1. The right SbD tech – AWS
2. SbD whitepaper
3. AWS GoldBase
   1. Security controls implementation matrix
   2. Architecture diagrams
   3. CloudFormation templates – Industry compliance templates for PCI, NIST 800-53, HIPAA, FFIEC, and CJIS
   4. User guides and deployment instructions
4. AWS Config Rules – Auditing
5. AWS Inspector – Advanced in-host security and audit
6. Training

(Service icons: CloudTrail, CloudHSM, IAM, KMS, Config)

Page 28: (SEC312) Reliable Design & Deployment of Security & Compliance

Getting started

aws.amazon.com/compliance/securitybydesign

• SbD whitepaper – To wrap your head around this topic
• AWS GoldBase whitepaper – Explore the resources and templates
• Auditing Your Architecture self-training QuickLab ($27)
• Auditing Your Architecture – 6 hrs, 3 labs, instructor led (AWS or Partner provided)
• email: [email protected]

Page 29: (SEC312) Reliable Design & Deployment of Security & Compliance

Related sessions

• SEC 302 – IAM Best Practices to Live By (1:30 P.M. today – see the replay on YouTube)
• SEC 324 – Introducing Amazon Inspector – Security Insight into Your Application Deployments (5:30 P.M. tomorrow)
• SEC305 – Become an AWS IAM Policy Ninja in 60 Minutes or Less (11:00 A.M. tomorrow)
• SEC314 – AWS Config: Full Visibility and Improved Governance of Your AWS Resources (5:30 P.M. tomorrow)

Page 30: (SEC312) Reliable Design & Deployment of Security & Compliance

Remember to complete your evaluations!

Page 31: (SEC312) Reliable Design & Deployment of Security & Compliance

Thank you!

[email protected]