This session demonstrates how to architect for continuous compliance and security using CloudWatch Events and AWS Config rules. This session focuses on the actual code for the various controls, actions, and remediation features, and how to use various AWS services and features to build them. The demos in this session include CIS Amazon Web Services Foundations validation; examples of custom rules for regulatory compliance and how to automate aspects of incident response.
2. What to expect from this session
• How To Enforce Compliance
• How To Assess Compliance
• How To Remediate Compliance
• Services:
  • AWS Config Rules
  • AWS CloudFormation
  • AWS Service Catalog
3. COMPLIANCE
‘a state of being in accordance with established guidelines, industry regulations and government legislation’
6. AWS Identity & Access Management
IAM Users, IAM Groups, IAM Roles, IAM Policies
7. AWS CloudFormation – Everything as Code
[Diagram] Template → AWS CloudFormation → Stack
✓ Orchestrate changes across AWS Services
✓ Use as foundation to Service Catalog products
✓ Use with source code repositories to manage infrastructure changes
✓ JSON/YAML-based text file describing infrastructure
✓ Resources created from a template
✓ Can be updated
8. [Architecture diagram] Internet → DMZ Zone (Auto Scaling group, security group, WEB EC2 instances with root volume and data volume) → App Zone (Auto Scaling group, security group, APP EC2 instances with root volume and data volume) → DB Zone (security group, AWS CloudHSM, AWS KMS). Logs are written to an S3 bucket (encrypted AES256); Amazon EBS snapshots are encrypted at rest. The corporate data center connects over Direct Connect or VPN. HTTP / HTTPS only to the web-tier.
11. CloudFormation. An example: Firewall rule
[Diagram] A security group rule that allows Telnet (an insecure, clear-text protocol) from any IP on the Internet.
Mis-configuration detected BEFORE the environment is even built!
Fails MAS TRM 9.1.1: FIs should identify important data and adopt adequate measures to detect and prevent unauthorised access, copying or transmission of confidential information.
16. IT Security Policy & Controls
Nobody reads them
Difficult to enforce
Rarely updated
17. AWS Config Rules
• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes
18. AWS Config Rules
Internal Controls
MAS Guidelines
Industry best practice
Bake these compliance checks into your CloudFormation templates
21. MAS TRM Example: MAS TRM Guideline → AWS Config Rule
• 9.1.6 Confidential information stored on IT systems, servers and databases should be encrypted → Encryption should be used for EBS Volumes (Managed Rule)
• 9.3.2 The FI should conduct regular enforcement checks to ensure that the baseline standards are applied uniformly and non-compliances are detected and raised for investigation. → Instances must be from a specific ‘gold’ approved AMI (Managed Rule)
• 9.6.2 The FI should implement network surveillance and security monitoring procedures → VPC Flow Logs must be enabled (Custom Rule)
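An added example, not code from this session, of the Lambda-authored custom rule that slide 17 describes, implementing the ‘VPC Flow Logs must be enabled’ row above as a periodic (scheduled) AWS Config rule. The EC2 and Config clients are injected so the logic runs offline against constructed stand-ins; the VPC IDs, flow-log records and result token are placeholders, and pagination of DescribeFlowLogs is left out.

```python
import json

def flow_log_coverage(describe_flow_logs_response):
    """Set of VPC IDs that have at least one ACTIVE flow log (EC2 DescribeFlowLogs shape)."""
    return {fl["ResourceId"] for fl in describe_flow_logs_response.get("FlowLogs", [])
            if fl.get("ResourceId", "").startswith("vpc-") and fl.get("FlowLogStatus") == "ACTIVE"}

def evaluate_vpcs(vpc_ids, covered, timestamp):
    """One AWS Config Evaluation per VPC: COMPLIANT only if the VPC appears in `covered`."""
    return [{
        "ComplianceResourceType": "AWS::EC2::VPC",
        "ComplianceResourceId": vpc_id,
        "ComplianceType": "COMPLIANT" if vpc_id in covered else "NON_COMPLIANT",
        "Annotation": "ACTIVE VPC Flow Log attached" if vpc_id in covered else "No ACTIVE VPC Flow Log",
        "OrderingTimestamp": timestamp,
    } for vpc_id in vpc_ids]

def lambda_handler(event, context, ec2=None, config=None):
    """Entry point for a scheduled custom rule. Clients are injectable so the logic can
    run offline; inside Lambda they default to boto3 clients."""
    if ec2 is None or config is None:
        import boto3  # only needed inside AWS
        ec2, config = ec2 or boto3.client("ec2"), config or boto3.client("config")
    ts = json.loads(event["invokingEvent"])["notificationCreationTime"]
    vpc_ids = [v["VpcId"] for v in ec2.describe_vpcs()["Vpcs"]]
    evals = evaluate_vpcs(vpc_ids, flow_log_coverage(ec2.describe_flow_logs()), ts)
    config.put_evaluations(Evaluations=evals, ResultToken=event["resultToken"])
    return evals

# Constructed stand-ins for the EC2 and Config clients (placeholder IDs, not real resources).
class FakeEC2:
    def describe_vpcs(self):
        return {"Vpcs": [{"VpcId": "vpc-0aaa0000000000001"}, {"VpcId": "vpc-0bbb0000000000002"}]}
    def describe_flow_logs(self):
        return {"FlowLogs": [{"ResourceId": "vpc-0aaa0000000000001", "FlowLogStatus": "ACTIVE"},
                             {"ResourceId": "vpc-0bbb0000000000002", "FlowLogStatus": "INACTIVE"}]}
class FakeConfig:
    def __init__(self):
        self.reported = []  # evaluations that would have been sent to AWS Config
    def put_evaluations(self, Evaluations, ResultToken):
        self.reported.extend(Evaluations)

SAMPLE_EVENT = {  # constructed scheduled-trigger event in the shape AWS Config delivers
    "invokingEvent": json.dumps({"messageType": "ScheduledNotification",
                                 "notificationCreationTime": "2017-01-01T00:00:00.000Z"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None, FakeEC2(), FakeConfig()), indent=2))
```

Because every VPC without an ACTIVE flow log is reported as NON_COMPLIANT, the Config dashboard surfaces the gap against MAS TRM 9.6.2 on each scheduled run rather than at an annual assessment.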
29. Conclusion
Prevent users operating in a non-compliant environment.
Perform Continuous Compliance. Annual assessments do not meet the bar.
Automate remediation. Improve consistency and response time.
Automate Everything.
Prevention. Detection. Response.