by Bill Reid, Sr Mgr, Solutions Architecture AWS Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Intro to AWS Cloud Adoption Framework (CAF)
Security Perspective
Will Reid, CISM, FIP
Leader, N. Amer. Solution Architects
Security and Compliance Specialists

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
My Cloud Journey
• Small Software Company – an “ASP”
• Large Software Company in Redmond
– Putting medical records in a cloud
• Smaller Software Companies in Seattle
– CISO/CPO – clean up, return to ground zero
– Move to AWS from Co-lo facility

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Your AWS Cloud Journey

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AWS Cloud Adoption Framework
The Cloud Adoption Framework (CAF) helps organizations understand how
cloud adoption transforms the way they work, by identifying the
stakeholders that are critical to cloud adoption and groups them into 6
Perspectives

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
CAF Security Perspective
Security Perspective
Directive
Preventative Detective
Responsive

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Enterprise Governance for Cloud Adoption
• Develop Cloud Governance Program

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Enterprise Governance for Cloud Adoption
• Develop Cloud Governance Program
• Review Data Classification

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Enterprise Governance for Cloud Adoption
• Develop Cloud Governance Program
• Review Data Classification
• Review Company policies

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Enterprise Governance for Cloud Adoption
• Develop Cloud Governance Program
• Review Data Classification
• Review Company policies
• Build Security Standards Control Framework

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Enterprise Governance for Cloud Adoption
• Develop Cloud Governance Program
• Review Data Classification
• Review Company policies
• Build Security Standards Control Framework
• Develop a Cloud Security Strategy
Ø Get executive buy-in
Ø Communicate and educate

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Enterprise Cloud Security Strategy
• The Cloud Security Strategy is rooted in your policies &
security requirements
• The Cloud Security Strategy must highlight enterprise
security principles for a successful cloud transformation
• Exploit the benefits of automation in the cloud to enforce
your policies and security requirements

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AWS Security Epics Program

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AWS Security Epics
We identified ten themes, that are treated as Epics in an agile methodology and contain the user stories
including both use cases & abuse cases. Frequent iteration via sprints will lead to increase maturity whilst
retaining flexibility to adapt to business pace and demand.
• 1st Sprint Example
– Define the account
structure and implement
the core set of best
practices
• 2nd Sprint Example
– Implement federation
• 3rd Sprint Example
– Expand account
management to cater for
multiple accounts

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Security Perspective
• The CORE 5
Ø IAM
Ø Detective Controls
Ø Infs. Security
Ø Data Protection
Ø Incident Response
The increase in agility and ability to perform actions faster, at a larger scale and at a lower cost, does not
invalidate well-established Information Security principles. The journey you will take to ensure your
environment maintains strong security footing includes the following steps:

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
The CORE 5:
Identity and Access Management (IAM)

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Account Governance & Ownership
AWS
Organizations
AWS
IAM
Centrally manage multiple accounts to help you scale.
• control which AWS services are available to individual accounts
• automate new account creation
• easily manage security and automation settings
Securely control access to AWS services and resources for
your users.

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AWS Identity & Access Management
IAM Users IAM Groups IAM Roles IAM Policies
v MFA
v Root
v Federation

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
The CORE 5:
Logging & Monitoring

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
VISIBILITY
AWS
CloudTrail
AWS
Config
Amazon
CloudWatch
Amazon
Inspector
Flow
logs
Web service that records
AWS API calls for your
account and delivers log
files to you.
Monitoring service for
AWS cloud resources and
the applications you run
on AWS.
- collect and track
metrics
- collect and monitor log
files
- set alarms
- automatically react to
changes in your AWS
resources
Resource inventory,
configuration history,
and configuration
change notifications to
enable security and
governance Automatically assesses
applications for
vulnerabilities or
deviations from best
practices
Capture information about the IP
traffic going to and from network
interfaces in your VPC.
Account Resources Network

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
The CORE 5:
Infrastructure Security

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Infrastructure Protection
Amazon
VPC
AWS
CloudFormation
AWS
OpsWorks
Security
Groups
AWS WAF
AWS
Shield
Virtual firewall that
controls the traffic for
one or more resources.
Easily create and
manage a collection of
related AWS resources,
provisioning and
updating them in an
orderly and predictable
fashion
Automate how servers
are configured,
deployed, and
managed.
Provision a logically isolated
section of AWS cloud where you
can launch AWS resources in a
virtual network that you define.
DDoS protection service that
safeguards web applications
running on AWS
Protect your web applications
from common web exploits that
could affect
application availability,
compromise security, or consume
excessive resources
R e s o u r c e s N e t w o r k

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
The CORE 5:
Data Protection

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Data Protection
• Deep integration
with AWS Services
• CloudTrail
• AWS SDK for
application
encryption
AWS KMSAmazon CloudHSM V2
• Fully Managed service
• Standards-compliant
• FIPS 140-2 Level 3
• AWS-Native
AWS Certificate Manager
• Provision, manage,
and deploy TLS
certificates
• Use with Amazon ELB
or Amazon CloudFront
distribution

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
The CORE 5:
Incident Response

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AUDITABILITY
AWS
Config
rule
AWS Trusted Advisor
Config Rules enables you to create rules that automatically
check the configuration of AWS resources recorded by AWS
Config.
Trusted Advisor provides real time
guidance to help you provision your
resources following AWS best
practices.
- reduce cost
- increase performance
- improve security

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AWS Security Team
Operations
Application Security
Engineering
Aligned for agility

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Security ownership as part of DNA
• Promotes culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
Distributed Embedded

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AND
Move Fast
Stay Secure

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Enterprise Stages of AWS Adoption
Project
Foundation
Migration
Reinvention
Discovery
Targeted
At Scale
ClientValue
Cloud Adoption Over Time

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AWS Stages of Cloud Adoption
CUSTOMER CLOUD CENTER OF EXCELLENCE (CCOE)
PROJECT FOUNDATION
MIGRATION
REINVENTION
INNOVATION RETIRE TECH
DEBT
Value
Time
DISCOVERY
AWS CLOUD ADOPTION FRAMEWORK

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Getting to cloud is a journey.
Your journey will be unique.

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
THANK YOU!