
(SEC312) Reliable Design & Deployment of Security & Compliance


No matter how you use AWS resources, you can design your AWS account to deliver a reliably secure and controlled environment. This session will focus on "Secure by Design" principles and show how you can configure the AWS environment to provide the reliable operation of security controls, such as:

• Organizational governance
• Asset inventory and control
• Logical access controls
• Operating system configuration
• Database security
• Application security configurations

This session will focus on using AWS security features to architect, secure, and audit the capabilities of AWS cloud services such as AWS Identity and Access Management (IAM), Amazon Elastic Compute Cloud (EC2), Amazon Elastic Block Store (EBS), Amazon S3, Amazon Virtual Private Cloud (VPC), Amazon Machine Images (AMIs), and AWS CloudFormation templates. The session will include demonstrations with the governance perspective in mind and discuss how AWS technology can be used to create a secure and auditable environment.


  1. SEC312: Reliable Design and Deployment of Security and Compliance. Chad Woolf, AWS Director of Risk and Compliance; Tim Sandage, AWS Senior Risk and Compliance Strategist. October 2015. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. What to expect from this session
     • Technical session for audit/governance users
     • “Security by Design” approach: consuming AWS securely
     • Live demo of these concepts
     • Key resources for achieving this in your own AWS account
  3. When, not a matter of if: regulated, audited, and sensitive data will be a better fit for storage and processing in the cloud.
  4. The AWS cloud allows for advanced governance
     Manual auditing in a simple world    | Governance in a complex world
     Thick procedure manuals              | Software-enforced processes
     Periodic surveys                     | Alarming/triggering
     Few truly automated controls         | Ubiquitous, software-driven, predictable controls
     Sample testing, hoping               | Full population monitoring, test of 1
  5. Evolution of compliance at AWS: AWS certifications, customer enabler docs, customer case studies, Security by Design tech (SbD). Services pictured: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config.
  6. Quality by Design (QbD): “Quality by Design (QbD) is a modern, scientific approach that formalizes product design, automates manual testing, and streamlines troubleshooting. It is a systematic approach to ensure quality; instead of relying on finished product testing alone, QbD provides insights upstream throughout the development process.” – DPT Labs, “What Is Quality by Design (QbD)—And Why Should You Care?” http://www.dptlabs.com/wp-content/uploads/2013/05/What-is-Quality-by-Design-QbD-and-Why-Should-You-Care.pdf
  7. Security by Design (SbD): Security by Design (SbD) is a modern security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. It is a systematic approach to ensure security; instead of relying on after-the-fact auditing, SbD provides control insights throughout the IT management process. Services pictured: CloudTrail, CloudHSM, IAM, KMS, Config.
  8. Impact of Security by Design. SbD: scripting your governance policy. Result: reliable technical implementation of administrative controls.
  9. Elements of a secure architecture
     1. Create a golden environment
     2. Enforce AWS Service Catalog
     3. Create permissions to use AWS services
  10. What you do in any IT environment
      • Firewall rules
      • Network ACLs
      • Network time pointers
      • Internal and external subnets
      • NAT rules
      • Gold OS images
      • Encryption algorithms for data in transit and at rest
      Golden code, the security translation to AWS: these controls become an AWS JSON translation (gold image, NTP, and NAT; network ACLs, subnets, and firewall rules).
  11. Create a golden environment (step 1 of 3)
      • Create a gold OS image
      • Configure use of AWS services, for example:
        Amazon S3: force SSE; turn on logging; specify retention; set Amazon Glacier archiving; prevent external access; specify overriding permissions; set event notifications
        Amazon EBS: define volume type; volume size limits; IOPS performance (input/output); data location (regions); snapshot (backup) ID; encryption requirements
        Amazon Redshift: cluster type (single or multi); encryption (KMS or HSM); VPC location; external access (yes/no); security groups applied; create SNS topic; enforce Amazon CloudWatch alarms
  12. Demo: Configuring S3 in the GUI (shown in the console/web view and in the command-line view)
      Logging configuration:
        {
          "LoggingEnabled": {
            "TargetPrefix": "logs/",
            "TargetBucket": "audit-aws-cloudtrail-s3"
          }
        }
      Lifecycle configuration:
        {
          "Rules": [
            {
              "Status": "Enabled",
              "Prefix": "",
              "Transition": { "Days": 180, "StorageClass": "GLACIER" },
              "ID": "Rule for the Entire Bucket"
            }
          ]
        }
  13. Create a golden environment (step 1 of 3): CloudTrail and S3 template. The template creates an S3 bucket for CloudTrail, creates an SNS topic, turns on S3 logging for CloudTrail logs, sets the SNS notification, and sets security for the CloudTrail S3 bucket.
  14. Create a golden environment – Help!
      • Whitepapers – security best practices
      • AWS Solutions Architects, AWS Professional Services
      • AWS Partners
      • AWS GoldBase – tactical enablers
  15. Enforce AWS Service Catalog (step 2 of 3)
      • Allows administrators to create and manage approved catalogs of resources (products) that end users can access via a personalized portal.
      • An AWS Service Catalog product is a deployable AWS CloudFormation template.
      Diagram: the provisioning team creates and manages Service Catalog products built from CloudFormation templates.
  16. Demo: AWS Service Catalog. The demo will include CloudFormation template enforcement:
      • Portfolios
      • Products
      • Permissions (IAM)
      • Create/deploy
      • User launch
      • Constraints
      • Tags
  17. Create permissions to use AWS (step 3 of 3)
      • AWS Service Catalog gives workload owners permissions to deploy templates and nothing more.
      Diagram: a workload owner with limited IAM permissions launches the Main.json CloudFormation template (which references additional CloudFormation templates); AWS Service Catalog constraints specify an IAM role used only for template deployment.
  18. Demo: IAM permissions
      Diagram: Read/Write/List permission matrices for users Bob, Doug, Jim, and Sara on network resources and for Bob, Larry, and Sam on server resources (AWS Service Catalog permissions: who has access to a particular resource?).
      Demo: IAM overview
      • Users, groups, and roles
      • User settings
      • Default IAM policies
      • Custom IAM policies
      • Account settings
      • Roles versus users
  19. Impact of Security by Design. SbD: scripting your governance policy. Result: reliable technical implementation of administrative controls.
  20. Closing the loop: AWS Config Rules
      • AWS Config Rules: a sweeping check of whether your security design is deployed in existing environments
      • Accurate, complete audit
  21. AWS Config Rules: how Config Rules can be used to audit any environment. Diagram: a Config Rule evaluated against the environment produces Config results.
  22. AWS Config Rules session: SEC314 – AWS Config: Full Visibility and Improved Governance of Your AWS Resources. Thursday, October 8, 5:30–6:30 PM – Palazzo K
  23. AWS Inspector: audit perspective
      • Inspector: in-host assistance
      • Session: SEC324 – Introducing Amazon Inspector – Security Insight into Your Application Deployments (5:30 P.M. tomorrow)
  24. SbD: The Next Big Thing in IT GRC. AWS provides Governance, Risk, and Compliance (GRC) teams:
      1. The right SbD tech – AWS
      2. SbD whitepaper
      3. AWS GoldBase
         1. Security controls implementation matrix
         2. Architecture diagrams
         3. CloudFormation templates – industry compliance templates for PCI, NIST 800-53, HIPAA, FFIEC, and CJIS
         4. User guides and deployment instructions
      4. AWS Config Rules – auditing
      5. AWS Inspector – advanced in-host security and audit
      6. Training
      Services pictured: CloudTrail, CloudHSM, IAM, KMS, Config.
  25. Getting started: aws.amazon.com/compliance/securitybydesign
      • SbD whitepaper – to wrap your head around this topic
      • AWS GoldBase whitepaper – explore the resources and templates
      • Auditing Your Architecture self-training QuickLab ($27)
      • Auditing Your Architecture – 6 hrs, 3 labs, instructor led (AWS or Partner provided)
      • Email: awsaudittraining@amazon.com
  26. Related sessions
      • SEC302 – IAM Best Practices to Live By (1:30 P.M. today – see the replay on YouTube)
      • SEC324 – Introducing Amazon Inspector – Security Insight into Your Application Deployments (5:30 P.M. tomorrow)
      • SEC305 – Become an AWS IAM Policy Ninja in 60 Minutes or Less (11:00 A.M. tomorrow)
      • SEC314 – AWS Config: Full Visibility and Improved Governance of Your AWS Resources (5:30 P.M. tomorrow)
  27. Remember to complete your evaluations!
  28. Thank you! awscompliance@amazon.com
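The golden S3 items from slide 11 (force SSE, turn on logging, Glacier archiving, prevent external access) checked the way slides 20 and 21 describe, as a custom AWS Config rule evaluation. This is an added example, not code from the talk or from AWS; it assumes the supplementaryConfiguration key names of a Config S3 bucket item (BucketLoggingConfiguration, ServerSideEncryptionConfiguration, BucketLifecycleConfiguration, PublicAccessBlockConfiguration) and uses the public access block as the control behind the slide's "prevent external access" item.

```python
import json
# Added example (not the talk's code): a custom Config rule evaluation of one
# AWS::S3::Bucket item against the golden-environment S3 items from slide 11.
# Assumption: supplementaryConfiguration key names follow Config's S3 item format.
REQUIRED_PAB = ("blockPublicAcls", "blockPublicPolicy",
                "ignorePublicAcls", "restrictPublicBuckets")

def evaluate_bucket(item):
    """Return (compliance_type, annotation) for one bucket configuration item."""
    supp = item.get("supplementaryConfiguration") or {}
    failures = []
    if not (supp.get("BucketLoggingConfiguration") or {}).get("destinationBucketName"):
        failures.append("server access logging is off")          # "Turn on logging"
    sse_rules = (supp.get("ServerSideEncryptionConfiguration") or {}).get("rules", [])
    if not any(r.get("applyServerSideEncryptionByDefault") for r in sse_rules):
        failures.append("no default server-side encryption")     # "Force SSE"
    lc_rules = (supp.get("BucketLifecycleConfiguration") or {}).get("rules", [])
    if not any(r.get("status") == "Enabled" and any(
            t.get("storageClass") == "GLACIER" for t in r.get("transitions", []))
            for r in lc_rules):
        failures.append("no enabled Glacier archiving rule")     # "Glacier archiving"
    pab = supp.get("PublicAccessBlockConfiguration") or {}
    if not all(pab.get(k) is True for k in REQUIRED_PAB):
        failures.append("public access not fully blocked")       # "Prevent external access"
    if failures:
        return "NON_COMPLIANT", "; ".join(failures)
    return "COMPLIANT", "bucket matches the golden S3 configuration"

def lambda_handler(event, context=None):
    """Config rule entry point; returns the evaluation rather than calling put_evaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item.get("resourceType") != "AWS::S3::Bucket":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "not an S3 bucket"}
    ctype, note = evaluate_bucket(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": ctype, "Annotation": note}

# Constructed sample modelled on the demo's CloudTrail log bucket (not real data).
GOLDEN_ITEM = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "audit-aws-cloudtrail-s3",
    "supplementaryConfiguration": {
        "BucketLoggingConfiguration": {"destinationBucketName": "audit-aws-cloudtrail-s3", "logFilePrefix": "logs/"},
        "ServerSideEncryptionConfiguration": {"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]},
        "BucketLifecycleConfiguration": {"rules": [
            {"id": "Rule for the Entire Bucket", "status": "Enabled",
             "transitions": [{"days": 180, "storageClass": "GLACIER"}]}]},
        "PublicAccessBlockConfiguration": dict.fromkeys(REQUIRED_PAB, True)}}
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": GOLDEN_ITEM})}
```

A real rule would pass the returned evaluation to Config's put_evaluations call; keeping that out of the function is what makes the check testable offline.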
