Compliance is necessary and a good thing. However, many compliant companies are still getting breached. In this talk, we discuss the importance of using a risk model to figure out the biggest threat to your business and mitigation and monitoring tactics to guard against these high-risk threats. We also dive into a real-world example of achieving Payment Card Industry Data Security Standard (PCI-DSS) compliance in under a year; we share architecture and design patterns; and we discuss what worked and what didn't. Leave this session knowing what the top cloud attack vectors are and how to protect yourself by using AWS services to build a fully automated, highly flexible and secure environment. This session is part of the re:Invent Developer Community Day, six community-led sessions where AWS enthusiasts share technical insights on trending topics based on first-hand experiences and knowledge shared within local AWS communities.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Compliance and Top Security Threats
in the Cloud—Are You Protected?
T E R I R A D I C H E L | @ T E R I R A D I C H E L
B O Y A N D I M I T R O V | @ N A T H A R I E L
N o v e m b e r 2 7 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
RISK-BASED ASSESSMENT
Start by addressing
the risk that is most
likely to occur and
could cause the
most damage to
your business
Severity of consequence
Probabilityoflikelihood
High
High
Medium
Medium
Low
Low

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
LEAKY AMAZON S3 BUCKETS

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
UNPROTECTED KEYS AND CREDENTIALS

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
BROAD PERMISSION FOR ENGINEERS

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
UNPATCHED SOFTWARE

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
MALICIOUS SOFTWARE UPDATES

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OPEN NETWORK PORTS

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
FLAT NETWORK

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
BROAD PERMISSION FOR APPLICATION

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
UNAUTHORIZED RESOURCES

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DELETED ASSETS

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DATA EXFILTRATION

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
THE BLACK SWAN

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CONFIGURATION MANAGEMENT

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
WHAT IS PCI-DSS COMPLIANCE?
• Standard for cardholder data
environments composed of security
best practices and controls
• It’s all about maintaining a secure
environment
• If you are handling credit card data,
this applies to you, too

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
PEOPLE SAY “COMPLIANCE != SECURITY”
• Compliance is verified by assessment
done in point of time
• Compliance gives you awareness of
threat levels and security exploits that
one needs to mitigate, and it sets you
on a path for how to get there
• Being secure requires persistence and
continuation

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SECURITY RESPONSIBILITY IN THE CLOUD
https://aws.amazon.com/compliance/shared-responsibility-model/

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
A LOT OF BUILDING BLOCKS TO GET YOU STARTED
API GatewayRDS
CloudFront
Route 53
CloudWatch
Logs
Cognito
EMR
DynamoDBECS
EC2 Auto Scaling
ConnectEBSGlacier
Kinesis
Streams
Redshift
SQSS3
SWF
VPC
WorkDocsCloudFormation
CloudHSM
CloudTrail
DMS
Direct Connect
Directory Service
Elastic Beanstalk
KMS
ELB
Lambda
Managed
Services
OpsWorks
WAF
WorkSpaces
Config

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
A LOT OF BUILDING BLOCKS TO GET YOU STARTED
API GatewayRDS
CloudFront
Route 53
CloudWatch
Logs
Cognito
EMR
DynamoDBECS
EC2 Auto Scaling
ConnectEBSGlacier
Kinesis
Streams
Redshift
SQSS3
SWF
VPC
WorkDocsCloudFormation
CloudHSM
CloudTrail
DMS
Direct Connect
Directory Service
KMS
ELB
Lambda
Managed
Services
OpsWorks
WAF
WorkSpaces
Config
Elastic Beanstalk

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OUR STRATEGY FOR SECURITY (AND
COMPLIANCE)
 Embed security in the foundation of
our environment
 Measure and monitor everything
 Automate the whole stack

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
LEARNING FROM THE PAST
https://en.wikipedia.org/wiki/OODA_loop#/media/File:OODA.Boyd.svg
Patrick Edwin Moran

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OODA IN AN AWS SECURITY CONTEXT
Observe Orient Decide ACT
VPC flow logs
Inspector agent
CloudWatch
insights
CloudTrail Config
More
CloudWatch
Inspector
Lambda
Shield
ShieldShieldWAF
Machine
Learning
Config
policies
Config
policies
CloudWatchWAF
WAF
SNS
Lambda
Lambda
More MoreMore

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OBSERVE: COLLECT ALL TRAILS
VPC
flow logs
CloudWatch
insights
CloudTrail Config
CloudWatch
Config
policies
Protected accounts Security account
Trails
logs

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
ORIENT, DECIDE, ACT!
CloudWatch
logs/events
S3
SIEM
OPS
Config
policies
Protectedaccounts
Active
scans
Lambda
Trails
logs
SNS Security
team
Security account
Corrective
actions

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
THE CONTROLLING CORE
CloudWatch
logs/events
S3
SIEM
OPS
Config
policies
Protectedaccounts
Active
scans
Lambda
Trails
logs
SNS Security
team
Security account
Corrective
actions

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
EXAMPLE: PROTECTING AGAINST LEAKY BUCKETS
Correct_ACL_Function
Config
Policies
[s3-bucket-public-write-prohibited]
[s3-bucket-public-read-prohibited]
CloudTrail
[PutObjectAcl]
CloudWatch
Events
Scan all account
buckets
Apply corrective
actions
Collect ACL change
API calls
Apply corrective
actions

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
ORGANIZE YOUR CONTROLS
…
8.1.4 Remove or disable inactive user accounts within 90 days
8.1.6 Limit repeated access attempts by locking out the user
ID after not more than six attempts
8.1.7 Set the lockout duration to a minimum of 30 minutes or
until an administrator enables the user ID
…
 https://github.com/awslabs/aws-config-rules

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
INTRODUCING AWS SIMPLE SECURITY
AUTOMATION FRAMEWORK (SSAF)
 https://github.com/awslabs/aws-ssaf
 Extendable framework for defining security
controls and automation of their lifecycle
 Developed by the AWS Professional Services
- Security Practice
 Utilizes AWS native services only
CloudWatchLambdaConfig
CloudFormation
templates

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
T E R I R A D I C H E L | @ T E R I R A D I C H E L
B O Y A N D I M I T R O V | @ N A T H A R I E L