© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ian Massingham, Dave Walker

17/03/16

What’s (nearly) New?Edinburgh

Cloud Security Principles Compliance

o Issued 1 Apr 2014 by the CESG

o They replace the Business Impact Levels model (BIL: IL1-IL5+)

o Distributed certification model

o Risk-based approach: suitability for purpose

o New protective marking mechanisms

o AWS Whitepaper Available

Cyber Essentials Plus Compliance in DublinCyber Essentials Plus is a UK

Government-backed, industry-

supported certification scheme

that helps organisations

demonstrate security against

common cyber attacks.

The ‘Plus’ scheme benefits from

independent testing and validation

compared to the baseline ‘Cyber

Essentials’ scheme that is self-

attested.

ISO 27018

Based on cert ificat ion examination in conformity with defined

requirements in ISO/ IEC17021:2011 and ISO/ IEC 27006:2011,

the Information Security Management System

as defined and implemented by

headquartered in Seatt le, Washington, United States of America,

cert ified under cert ificat ion number [2013-009],

is also compliant with the requirements as stated in the standard:

EY Cert ifyPoint will, according to the cert ificat ion agreement

dated October 23, 2014, perform surveillance audits and acknowledge the

cert ificate until the expirat ion date of this cert ificate or the expirat ion of the

related ISMS cert ificate with number [2013-009].

*This cert if icate is applicable for the assets, services and locations as described in the

scoping section on the back of this cert ificate, with regard to the specific requirements

for information security and protection of personally identif iable information (PII)

as stated in Statement of Applicability version 2015,01, approved on September 15, 2015.

ISO/ IEC 27018:2014

Issue date of certificate: October 1, 2015

Expiration date of certificate: November 12, 2016

Amazon Web Services, Inc.*

Cert ificate Cert ificate number: 2015-016

Cert ified by EY Cert ifyPoint since:

October 1, 2015

© Copyrights with regard to this document reside with Ernst & Young CertifyPoint B.V. headquartered at

Antonio Vivaldistraat 150, 1083 HP Amsterdam, The Netherlands. All rights reserved.

Drs. R. Toppen RA

Director EY CertifyPoint

DIGITAL COPY 1/3

o Customers control their content.

o Customers' content will not be used for any

unauthorized purposes.

o Physical media is destroyed prior to leaving

AWS data centers.

o AWS provides customers the means to

delete their content.

o AWS doesn’t disclose customers' content

ISO 27017

Based on cert ificat ion examination in conformity with defined

requirements in ISO/ IEC17021:2011 and ISO/ IEC 27006:2011,

the Information Security Management System

as defined and implemented by

headquartered in Seatt le, Washington, United States of America,

cert ified under cert ificat ion number [2013-009],

is also compliant with the requirements as stated in the standard:

EY Cert ifyPoint will, according to the cert ificat ion agreement

dated October 23, 2014, perform surveillance audits and acknowledge the

cert ificate until the expirat ion date of this cert ificate or the expirat ion of the

related ISMS cert ificate with number [2013-009].

*This cert if icate is applicable for the assets, services and locations as described in the

scoping section on the back of this cert ificate, with regard to the specific requirements

for information security and protection of personally identif iable information (PII)

as stated in Statement of Applicability version 2015,01, approved on September 15, 2015.

ISO/ IEC 27018:2014

Issue date of certificate: October 1, 2015

Expiration date of certificate: November 12, 2016

Amazon Web Services, Inc.*

Cert ificate Cert ificate number: 2015-016

Cert ified by EY Cert ifyPoint since:

October 1, 2015

© Copyrights with regard to this document reside with Ernst & Young CertifyPoint B.V. headquartered at

Antonio Vivaldistraat 150, 1083 HP Amsterdam, The Netherlands. All rights reserved.

Drs. R. Toppen RA

Director EY CertifyPoint

DIGITAL COPY 1/3

o Newest ISO code of practice

o Builds on top of ISO 27002

o Information security controls specific to

Cloud services

o Scope includes all AWS Regions and edge

locations

AWS Security Tools

AWS Trusted Advisor

AWS Config Rules

Amazon Inspector

Periodic evaluation of alignment with AWS Best

Practices. Not just Security-related.

Create rules that govern configuration of your

AWS resources. Continuous evaluation.

Security insights into your applications.

Runs on EC2 instances; on-demand scans

AWS Compliance AWS: Security of the cloud

Customer: Security in the cloud

Cloud Config Rules

AWS Config Rules features

Flexible rules evaluated continuously and retroactively

Dashboard and reports for common goals

Customizable remediation

API automation

AWS Config Rules

Broad ecosystem of solutions

AWS Config Rules benefits

Continuous monitoring for unexpected changes

Shared compliance across your organization

Simplified management of configuration changes

Security by Design - SbD

• Systematic approach to

ensure security• Formalizes AWS account design

• Automates security controls

• Streamlines auditing

• Provides control insights

throughout the IT

management process

AWS

CloudTrailAWS

CloudHSM

AWS IAMAWS KMS

AWS

Config

GoldBase - Scripting your governance policy

Set of CloudFormation Templates & Reference

Arhcitectures that accelerate compliance with PCI, EU

Personal Data Protection, HIPAA, FFIEC, FISMA, CJIS

Result: Reliable technical implementation of administrative

controls

What is Inspector?

• Application security assessment

• Selectable built-in rules

• Security findings

• Guidance and management

• Automatable via APIs

Rule packages

• CVE (common vulnerabilities and exposures)

• Network security best practices

• Authentication best practices

• Operating system security best practices

• Application security best practices

• PCI DSS 3.0 readiness

Getting started

Prioritized findings

Detailed remediation recommendations

What is AWS WAF?

Application DDoS

Good users

Bad guys

Web server Database

AWS

WAF

AWS WAF rules:

1: BLOCK requests from bad guys.

2: ALLOW requests from good guys.

Types of conditions in rules:

1: Source IP/range

2: String Match

3: SQL Injection

Why AWS WAF?

Application DDoS, Vulnerabilities, Abuse

Good users

Bad guys

Web server Database

AWS WAF Partner integrations

• Alert Logic, Trend Micro, and Imperva integrating with AWS WAF

• Offer additional detection and threat intelligence

• Dynamically modify rulesets of AWS WAF for increased protection

S2N – AWS Implementation of TLS

• Small:

• ~6,000 lines of code, all audited

• ~80% less memory consumed

• Fast:

• 12% faster

• Simple:

• Avoid rarely used options/extensions

VPC Flow Logs

Flow Log Record Structure

Event-Version

Account Number

ENI-ID

Source-IP

Destination-IP

SourcePort

Destination-Port

Protocol Number

Number of Packets

Number of Bytes

Start-Time Window

End-Time Window

Action

State

2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589

ACCEPT OK

AWS Certificate Manager (ACM) makes it easy to

provision, manage, deploy, and renew SSL/TLS certificates

on the AWS platform.

Introducing AWS Certificate Manager

AWS Certificate Manager

• Provision trusted SSL/TLS certificates from AWS for use

with AWS resources:

• Elastic Load Balancing

• Amazon CloudFront distributions

• AWS handles the “maths and maintenance”

• Key pair and CSR generation

• Managed renewal and deployment

• Domain validation (DV) through email

• Available through AWS Management console, CLI, or API

AWS Certificate Manager (ACM) Benefits

• Protect and secure websites and applications

• Provision certificates quickly and easily

• Free

• Managed certificate renewal

• Secure key management

• Centrally manage certificates on the AWS Cloud

• Integrated with other AWS Cloud Services

ACM Use Cases

• Help meet regulatory compliance requirements for

encryption of data in transit

• PCI, FedRAMP and HIPAA

• Minimize downtime and outages

• Improve search rankings by using SSL/TLS

ACM-Provided Certificates

Domain names

• Single domain name: www.example.com

• Wildcard domain names: *.example.com

• Combination of wildcard and non-wildcard names

• Multiple domain names in the same certificate (up to 10)

ACM-provided certificates are managed

• Private keys are generated, protected, and managed

• ACM-provided certificates cannot be used on EC2 instances or on-premises servers

• Can be used with AWS services, such as ELB and CloudFront

Algorithms

• RSA 2048 and SHA-256

What is available at launch?

• SSL/TLS certificates for use with AWS services (ELB and

CloudFront)

• Availability in US-East (N. Virginia)

• Domain validation via email

• Console, API, CLI

• Integration with ELB and CloudFront

• Managed renewal and deployment

What is NOT available at launch?

• Availability in additional regions

• Certificates for use on EC2

• “Take home” certificates that can be used anywhere

• Cross-region certificates

• Cross-account access to certificates

• CloudTrail logging of ACM API calls

• Tagging

• Certificates for email, code signing, or any other purpose except

SSL/TLS termination

Certification & Education

• Security Fundamentals on AWS• free, online course for security auditors and

analysts

• Security Operations on AWS• 3-day class for Security engineers, architects,

analysts, and auditors

• AWS Certification• Security is part of all AWS exams

Rich Security Capabilities in the Cloud

Prepare

Prevent

Detect

Respond

o AWS Security Solutions Architects

o AWS Professional Services

o AWS Secure by Design & GoldBase

o AWS Security Best Practices

o Partner Professional Services

o AWS Training and Certification

o Understand Compliance Requirements

Prepare

o Use IAM – consider MFA, roles, federation, SSO

o Implement Amazon WAF

o Leverage S2N for secure TLS connections

o Implement Config Rules to enforce compliance

o Implement Amazon Inspector to identify

vulnerabilities early on

Prevent

o CloudTrail enabled across all accounts and services

o Consider Config & Config Rules logs

o Inspector can be used as a detective tool

o Trusted Advisor goes beyond just security

o Use CloudWatch logs

o VPC Flow Logs give insight into intended and

unintended communication taking place into your VPC

o Look at partner log management and security

monitoring solutions

Detect

o Be Prepared:

o Develop, acquire or hire Security Incident Response

capabilities

o Test preparedness via game days

o Automated response and containment is always

better than manual response

o AWS supports forensic investigations

o Leverage AWS Support for best results

o Talk to our security partners

Respond

Be Secure & Compliant in

the Cloud!

Thank you!