Customers must regularly attest to the security and compliance of AWS services in order to confidently operate within the cloud. To support customers with this task, AWS provides a number of resources to define our 13 control domains, differentiate between customer and AWS responsibilities, and demonstrate the mapping of an organization’s attestation needs to an AWS audit framework. During this session, customers familiarize themselves with our compliance reports (e.g., FedRAMP, SOC, ISO, PCI, etc.), dive deep on AWS compliance tools, and discuss mechanisms for leveraging the knowledge of AWS security subject matter experts.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Pop the hood: Using AWS resources
to attest to security of the cloud
Kate Wildman
Customer Audit Program Lead
AWS Security Assurance
G R C 3 1 0
Brian Wagner
Head of FSI Compliance, EMEA
AWS WWCS Financial Services

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What you’re in for
• Understand how to conduct due diligence of AWS as a CSP under the AWS
Shared Responsibility Model
• Gain greater confidence in how to utilize available AWS audit resources to
perform due diligence of AWS as a CSP
• Become equipped to assess risks against the AWS control environment

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
…Why cloud due diligence?
Cycle of CSP due diligence
Prepping for due diligence of AWS
Building a CSP due diligence framework
Evaluating control coverage
Case studies

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sound familiar?
“This new piece of legislation is being passed…is AWS compliant?”
“I’m not moving any workloads until I can get attestation of all the controls on our
third-party oversight framework…”
“Our business is evolving, and so is our institution’s risk appetite. Our risk
committee is breathing down our necks—how can we make sure AWS is operating
for compliance?”
“I’ve got this questionnaire…”

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Common reasons for CSP due diligence
• Evolving regulatory requirements
• Customers experiencing rapid business growth
• Expansion of workloads into new geographies, industries, or technologies
• An institution’s risk appetite

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challengesof due diligence at hyperscale

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
…About those reports

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
The AWS Shared Responsibility Model

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
The AWS Shared Responsibility Model

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cycle of CSP due diligence
Plan Your Due
Diligence
Build
Framework
Evaluate
Coverage
Write & Share
Report
Mitigate &
Monitor

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identify stakeholders
Your institution’s due diligence is comprised of many different stakeholders across
your business…so much so that you may find multiple exercises happening across
teams! To coordinate, identify:
• Cloud governors
• Scoping stakeholders
• Coverage evaluators
• Audit report consumers
• Your own auditors

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
…And identify more stakeholders!
AWS stakeholders are also
an important part of your
due diligence journey
• AWS Account Team
• AWS Security Solutions
Architects
• AWS Enterprise Support
• AWS Compliance Leads
• AWS Security

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Prepare to evaluate
The most successful due diligence exercises take a breadth of elements into
consideration before looking at a framework. Set yourself up for success by…
• Starting early!
• Identifying stakeholders across the business
• Aligning with a cloud governance function and risk appetite
• Vetting your understanding of the AWS Shared Responsibility Model
• Identifying existing third-party/vendor assessment frameworks

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start here

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
It’s ba-ack!

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Aligning to the AWS control environment

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Call in the experts!
• Feeling like you’re missing
something? Not sure where to
begin? Experts in AWS Professional
Services can help.
• Engagements can include:
• Analyzing shared responsibilities
• Building a cloud-focused framework
• Mapping to existing AWS compliance
• Designing compliant applications
• Architecting or assessing for specific
compliance (e.g., PCI, HITRUST)

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Building an assessment framework
• Identify the risk you’re looking to mitigate
• For example, an AWS employee is not suitably qualified to access the information system
• Describe your control objective
• For example, appropriate measures are in place to achieve adequate separation of duties and access
management
• Identify coverage required to meet the objective
• For example, demonstrate that employees with physical access do not overlap permissions granting
logical access
• Include additional asks
• Capacity management
• Bug bounties
• Penetration testing

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Make sure you…
✓ Collect existing frameworks
✓ Identify external industry and regulatory requirements
✓ Align to your institution’s risk appetite
✓ Consider the AWS Shared Responsibility Model
✓ Align to the AWS control environment
✓ Include both risks and controls for evaluation

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Artifact

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS service documentation

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS data center resources

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS data center resources

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS whitepapers
• More than 50 security and
compliance whitepapers, guides,
and workbooks available online,
including:
• AWS Risk & Compliance Whitepaper
• Operational Resilience Guide
• Introduction to Auditing the Use of AWS
• AWS Certifications, Programs, Reports,
and Third-Party Attestations Whitepaper
• AWS Security Checklist

30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Auditor Learning Path

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Compliance briefings
• Engage directly with AWS on matters of compliance and security by addressing
questions to AWS security and compliance specialists
• Topics could include, but aren’t limited to…
• Application of the AWS Shared Responsibility Model
• Deep dives into AWS audit reports and certifications
• Matters pertaining to the AWS control environment
• Best practices for secure architecture
• Contact your AWS account representative to schedule a briefing today!

32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Write & share your report
Documenting
• Map risks and controls to available resources
• Schedule compliance briefings to discuss gaps and request additional resources,
where available
• Document coverage and alignment to risk appetite
Externalizing
• Circulate with all identified stakeholders
• Identify mitigations for areas without coverage
• Document risk acceptance, where appropriate

34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ongoing due diligence
Plan Your Due
Diligence
Build
Framework
Evaluate
Coverage
Write & Share
Report
Mitigate &
Monitor

35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
“It’s amazing to me that security is so
ingrained in your culture. I think that’s AWS’s
main differentiator—mostof what I’ve seen
wouldn’t be possible if it weren’t truly
embedded in the essenceof your
institution.”

37. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
“The way you do security is immaculate…the
transparencyyou’ve provided us is
surprising, and we’re now very keen to
understandjust what we can do to replicate
it in our own environment.”

38. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.