When it comes to security, human error far outpaces other causes of failures. The risk of humans touching sensitive data is clear, so how do you get them away from your data while also speeding up time to detection and remediation? Stephen Schmidt, AWS CISO, will share hard-earned lessons around potential opportunities in your security program, along with practical steps to improve the agility of your organization.

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Stephen Schmidt
Humans and Data Don’t Mix
Best Practices to Secure Your Cloud
@AWSSecurityInfo
Vice President and Chief Information Security Officer
Amazon Web Services (AWS)

2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Get Humans Away from Your Data

3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Security Blind Spots
Disparate sources

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Lack of rigorDisparate sources
Security Blind Spots

5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Can’t scaleLack of rigorDisparate sources
Security Blind Spots

6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
COMMIT CHANGES BUILD ARTIFACTS DEPLOY TO TEST ENVIRONMENT
RUN INTEGRATION, SECURITY,
LOAD AND OTHER TESTS
DEPLOY TO
PRODUCTION ENVIRONMENT
MANAGE RUNTIME
SOURCE
CONTROL BUILD PRODUCTION MAINTAIN
CONTINUOUS INTEGRATION CONTINUOUS DELIVERY
Security in the CI/CD Pipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeCommit
AWS
CloudFormation
AWS
CodeBuild
AWS
Step Functions
AWS
Step Functions
AWS
CodePipeline
AWS
X-Ray
AWS
CodeDeploy
AWS
Elastic Beanstalk
AWS EC2
Systems Manager
Amazon
GuardDuty
TESTING &
STAGING

9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
COMMIT CHANGES BUILD ARTIFACTS DEPLOY TO TEST ENVIRONMENT
RUN INTEGRATION, SECURITY,
LOAD AND OTHER TESTS
DEPLOY TO
PRODUCTION ENVIRONMENT
MANAGE RUNTIME
SOURCE
CONTROL BUILD PRODUCTION MAINTAIN
CONTINUOUS INTEGRATION CONTINUOUS DELIVERY
Security in the CI/CD Pipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeCommit
AWS
CloudFormation
AWS
Step Functions
AWS
Step Functions
AWS
X-Ray
AWS
CodeDeploy
AWS
Elastic Beanstalk
AWS EC2
Systems Manager
Amazon
GuardDuty
TESTING &
STAGING
AWS
CodeBuild
AWS
CodePipeline

10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
COMMIT CHANGES BUILD ARTIFACTS DEPLOY TO TEST ENVIRONMENT
RUN INTEGRATION, SECURITY,
LOAD AND OTHER TESTS
DEPLOY TO
PRODUCTION ENVIRONMENT
MANAGE RUNTIME
SOURCE
CONTROL BUILD TESTING &
STAGING
PRODUCTION MAINTAIN
CONTINUOUS INTEGRATION CONTINUOUS DELIVERY
Security in the CI/CD Pipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeCommit
AWS
CloudFormation
AWS
Step Functions
AWS
Step Functions
AWS
X-Ray
AWS
CodeDeploy
AWS
Elastic Beanstalk
AWS EC2
Systems Manager
Amazon
GuardDuty
AWS
CodeBuild
AWS
CodePipeline

11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
COMMIT CHANGES
SOURCE
CONTROL
CONTINUOUS INTEGRATION CONTINUOUS DELIVERY
Source Control
AWS
CodeStar
AWS
CodePipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeCommit AWS
CloudFormation
AWS
CodeCommit
AWS
CloudFormation

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
VS.
SOURCE
CONTROL
Infrastructure as Code

13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Seek Vendors Who Embrace APIs
SOURCE
CONTROL

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
COMMIT CHANGES
SOURCE
CONTROL
CONTINUOUS INTEGRATION CONTINUOUS DELIVERY
Build
AWS
CodeStar
AWS
CodePipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeCommit AWS
CloudFormation
BUILD
AWS
CodeCommit
AWS
CloudFormation
AWS
Step Functions
BUILD ARTIFACTS
AWS
CodeBuild

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sns:*",
"Resource": "*”
},
{
"Effect": "Allow",
"NotAction":"sns:Delete*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sns:*",
"Resource": "*”
},
{
"Effect": ”Deny",
"Action": "sns:Delete*",
"Resource": "*"
}
]
}
Policy A Policy B
Is Policy A more permissive than Policy B?
BUILD

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
COMMIT CHANGES
SOURCE
CONTROL
CONTINUOUS INTEGRATION CONTINUOUS DELIVERY
Testing & Staging
AWS
CodeStar
AWS
CodePipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeCommit AWS
CloudFormation
BUILD
AWS
CodeCommit
AWS
CloudFormation
BUILD ARTIFACTS
TESTING &
STAGING
DEPLOY TO TEST ENVIRONMENT
RUN INTEGRATION, SECURITY,
LOAD AND OTHER TESTS
AWS
Step Functions
AWS
Step Functions
AWS
X-Ray
AWS
CodeBuild
AWS
CodePipeline

17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Finding Weaknesses & Defects
TESTING
& STAGING
Amazon
Inspector

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
COMMIT CHANGES
SOURCE
CONTROL
CONTINUOUS INTEGRATION CONTINUOUS DELIVERY
Deployment & Production
AWS
CodeStar
AWS
CodePipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeCommit AWS
CloudFormation
BUILD
AWS
CodeCommit
AWS
CloudFormation
BUILD ARTIFACTS
TESTING &
STAGING
DEPLOY TO TEST ENVIRONMENT
RUN INTEGRATION, SECURITY,
LOAD AND OTHER TESTS
AWS
Step Functions
AWS
Step Functions
AWS
X-Ray
DEPLOY TO
PRODUCTION ENVIRONMENT
PRODUCTION
AWS
CodeDeploy
AWS
Elastic Beanstalk
AWS
CodeBuild
AWS
CodePipeline

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Management,
Security, and
Monitoring
Storage
Customer Instances
Network
Hypervisor
Original Amazon EC2 Host Architecture
SERVER

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Management,
Security, and
Monitoring
Storage
Customer Instances
Network
Hypervisor
Amazon EC2 C3 Instances
SERVER
NITRO
SYSTEM

21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Management,
Security, and
Monitoring
Storage
Customer Instances
Network
Hypervisor
Amazon EC2 C4 Instances
SERVER
NITRO
SYSTEM

22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Management,
Security, and
Monitoring
Storage
Customer Instances
Network
Nitro Hypervisor
Amazon EC2 C5 Instances
SERVER
NITRO
SYSTEM

23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
No Shell Access!
23

24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
COMMIT CHANGES BUILD ARTIFACTS DEPLOY TO TEST ENVIRONMENT
RUN INTEGRATION, SECURITY,
LOAD AND OTHER TESTS
DEPLOY TO
PRODUCTION ENVIRONMENT
MANAGE RUNTIME
SOURCE
CONTROL BUILD PRODUCTION MAINTAIN
CONTINUOUS INTEGRATION CONTINUOUS DELIVERY
Maintaining Runtime Environment
AWS
CodeStar
AWS
CodePipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeCommit
AWS
CloudFormation
AWS
Step Functions
AWS
Step Functions
AWS
X-Ray
AWS
CodeDeploy
AWS
Elastic Beanstalk
AWS EC2
Systems Manager
Amazon
GuardDuty
TESTING &
STAGING
AWS
CodeBuild
AWS
CodePipeline

25. Automate Answering the Tough Questions
• What data do I have in the cloud?
• Where is it located?
• Where does my sensitive data exist?
• What’s sensitive about the data?
• What PII/PHI is possibly exposed?
• How is data being shared and stored?
• How and where is my data accessed?
• How can I classify data in near-real time?
• How do I build workflow remediation for my security and compliance
needs?

26. AWS CloudTrail
Track user
activity and API
usage
Automation: Log Data Inputs
VPC Flow Logs
IP traffic to/from
network
interfaces in your
VPC
CloudWatch Logs
Monitor apps using
log data, store &
access log files
DNS Logs
Log of DNS
queries in a VPC
when using the
VPC DNS resolver

27. Amazon
GuardDuty
Intelligent threat detection
and continuous monitoring
to protect your AWS
accounts and workloads
Automation: Machine Learning
Amazon Macie
Machine learning-powered
security service to discover,
classify, & protect sensitive
data

28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Using NLP and ML together
Understand
your data
Natural Language
Processing (NLP)
Understand data
access
Predictive User
Behavior Analytics
(UBA)

29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Content Classification with NLP
PII and personal data
Source code
SSL certificates, private keys
iOS and Android app signing keys
Database backups
OAuth and Cloud SaaS API Keys

30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Use ML and Scaled Services
• Use behavioral
analytics to
baseline normal
behavior patterns
• Contextualize by
value of data being
accessed

31. Amazon GuardDuty Threat Detection and Notification

32. Automation: Triggers
Amazon CloudWatch
Events
Delivers a near real-time stream
of system events that describe
changes in AWS resources
AWS Config Rules
Continuously tracks your
resource configuration changes
and if they violate any of the
conditions in your rules

33. Automating Remediation
AWS Systems
Manager
Automate patching and
proactively mitigate threats
at the instance level
AWS Lambda
Capture info about the IP
traffic going to and from
network interfaces in your
VPC

34. • Asynchronously
execute commands
• No need to SSH/RDP
• Commands and output
logged
Remediating Threats on Amazon EC2 Instances
Amazon EC2 Systems Manager -
Run Command
EC2 Instances
Lambda
function
AWS Systems
Manager
Amazon
EC2

35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Tools we use: COEs

36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
• In your company, deeply understand how software is created and
shipped. Sit security team members with a development team for
as many days as you can (and not just the appsec team) (1-2
months).
Call to Action – Do Try This at Home

37. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Call to Action – Do Try This at Home
• In your company, deeply understand how software is created and
shipped. Sit security team members with a development team for
as many days as you can (and not just the appsec team) (1-2
months).
• Catalog the controls and visibility into CI/CD pipelines. That’s
where change management and control happens now (1-3
months).

38. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
• In your company, deeply understand how software is created and
shipped. Sit security team members with a development team for
as many days as you can (and not just the appsec team) (1-2
months).
• Catalog the controls and visibility into CI/CD pipelines. That’s
where change management and control happens now (1-3
months).
• Begin to document every instance of human interaction with
systems that process data. Let engineering & operations teams
drive this goal. (1-6 months).
Call to Action – Do Try This at Home

39. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
• In your company, deeply understand how software is created and
shipped. Sit security team members with a development team for
as many days as you can (and not just the appsec team) (1-2
months).
• Catalog the controls and visibility into CI/CD pipelines. That’s
where change management and control happens now. Set clear
goals with owners to harden the pipeline (1-3 months).
• Begin to document every instance of human interaction with
systems that process data. Let engineering & operations teams
drive this goal. (1-6 months).
• Set and achieve a goal to reduce human access to systems that
process sensitive data by 80% (1-2 years).
Call to Action – Do Try This at Home

40. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
• In your company, deeply understand how software is created and
shipped. Sit security team members with a development team for as
many days as you can (and not just the appsec team) (1-2 months).
• Catalog the controls and visibility into CI/CD pipelines. That’s where
change management and control happens now. Set clear goals with
owners to harden the pipeline (1-3 months).
• Begin to document every instance of human interaction with systems
that process data. Let engineering & operations teams drive this goal.
(1-6 months).
• Set and achieve a goal to reduce human access to systems that
process sensitive data by 80% (1-2 years).
• Set and achieve a goal to drive workload deployment from source
code. Catalog the % of workloads that are built on automation vs.
those built with manual steps (1 year).
Call to Action – Do Try This at Home

41. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
More Information
Visit the AWS Booth: Exhibit Hall #805
AWS Security Twitter: @AWSSecurityInfo
AWS Security Blog: aws.amazon.com/blogs/security/