In this session, we explain how customers can enable business agility by evolving their governance approach to run at the speed of the cloud. Learn how to think about security in the AWS Cloud and receive prescriptive guidance on implementing technology to support your business. Hear about what good looks like and learn how you can apply this approach in your organisation today. Presenter: Sara Gray, Paul Hawkins, Raisa Hasham, Solutions Architect, AWS

1. P U B L I C S E C T O R
S U M M I T
Canberra, ACT

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Security at the Speed of the Cloud: How to Do
It and How You Can Do It Now
Sara Gray
Security Solutions Architect
AWS
Raisa Hashem
DevOps Security Specialist
AWS

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Agenda
• Customer challenge
• Journey
• Guardrails in action
• Call to action

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Who are we representing in this talk?
Development lead
Building applications on AWS
Security architect
Helping enable security at scale
Raisa
Sara

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Our microservices application
AWS Lambda Amazon API
Gateway
Amazon
DynamoDB
AWS Lambda
AWS Lambda
AWS Cloud
Amazon VPC
Role

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
There had to be a better way

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Realisation
Culture TechnologyMental model
Start from the customer and
work backward

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Understanding
Service governance DetectiveProtective

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Map AWS controls
Protect Detect Respond
Automate
Investigate
RecoverIdentify

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Realisation
Culture TechnologyMental model
Reinforce with principles:
1. Enable the business to move fast and stay
secure
2. Standardise, don’t centralise
3. Keep the people away from the data

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Security controls
assessment
Service assessment
control review
Assurance controls portfolios
Baseline assurance controls
AWS service specific
controls
App
specific
controls

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Realisation
Culture TechnologyMental model
1. Preventative and baseline controls
2. Automated delivery mechanisms
3. Context specific controls and response

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Delivering
controls at
scale
Proactive
delivery
Reactive
delivery
Retroactive
delivery
Stack set
Amazon CloudWatch
event bus
Compliance
CI/CD pipeline
Amazon API
Gateway product
AWS Lambda
product
Assurance controls portfolios
Application product
Dev baseline product Test baseline product
Baseline assurance portfolio
AWS service assurance portfolio
Application
assurance portfolio
Prod baseline product
Application account

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Our microservices application
AWS Lambda Amazon API
Gateway
Amazon
DynamoDB
AWS Lambda
AWS Lambda
AWS Cloud
VPC
Role
AWS Config
AWS Organizations

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
What did we build?
Protect Detect Respond
Automate
Investigate
RecoverIdentify
AWS Identity and Access
Management (IAM)
Permissions
AWS Organizations

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Identity as a protective control
AWS Cloud
Role
Administrators
Developers
Amazon GuardDuty AWS CloudTrail AWS ConfigAWS Security Hub
AWS Identity and Access
Management (IAM)
AWS Secrets
Manager

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Identity as a protective control
AWS Cloud
Role
Administrators
Developers
Amazon GuardDuty AWS CloudTrail AWS ConfigAWS Security Hub
AWS Identity and Access
Management (IAM)
AWS Secrets
Manager
Amazon EC2
Amazon RDS
VPC
Amazon S3

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Identity as a protective control
AWS Cloud
Role
Administrators
Developers
Amazon GuardDuty AWS CloudTrail AWS ConfigAWS Security Hub
AWS Identity and Access
Management (IAM)
AWS Secrets
Manager
Amazon EC2
Amazon RDS
VPC
Amazon S3
Role

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Identity as a protective control
AWS Cloud
Role
Administrators
Developers
Amazon GuardDuty AWS CloudTrail AWS ConfigAWS Security Hub
AWS Identity and Access
Management (IAM)
AWS Secrets
Manager
Amazon EC2
Amazon RDS
VPC
Amazon S3
Role
Permissions
boundary

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Identity as a protective control
AWS Cloud
Role
Administrators
Developers
Amazon GuardDuty AWS CloudTrail AWS ConfigAWS Security Hub
AWS Identity and Access
Management (IAM)
AWS Secrets
Manager
Amazon EC2
Amazon RDS
VPC
Amazon S3
Role
Permissions
boundary
Amazon DynamoDB
AWS Lambda Amazon API Gateway
VPC

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Identity as a protective control
AWS Cloud
Role
Administrators
Developers
Amazon GuardDuty AWS CloudTrail AWS ConfigAWS Security Hub
AWS Identity and Access
Management (IAM)
AWS Secrets
Manager
Amazon EC2
Amazon RDS
VPC
Amazon S3
Role
Permissions
boundary
Amazon DynamoDB
AWS Lambda Amazon API Gateway
VPC
Permissions
boundary
Role

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Protect monitoring
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": ”ProtectMonitoring",
"Effect": "Deny",
"Action": [
"securityhub:*",
"guardduty:*",
"cloudtrail:StopLogging"
],
"Resource": [
"*"
]
}
]
}

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Deny action unless administrator
"Sid": "DenyAccessToAdminRole",
"Effect": "Deny",
"Action": [
"iam:DeleteRole",
"iam:UpdateRole" ],
"Resource": [
"arn:aws:iam::*:role/DevRole*"
],
"Condition": {
"ArnNotLike": {
"aws:PrincipalARN": "arn:aws:iam::*:role/AdminRole"
}
}

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Require permissions boundary
"Effect": "Allow",
"Action": [
"iam:CreateRole"
],
"Resource": [
"arn:aws:iam::*:role/path/"
],
"Condition": {
"StringLike": {
"iam:PermissionsBoundary":"arn:aws:iam::*:policy/permissionboundary"
}
}

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
What did we build?
Protect Detect Respond
Automate
Investigate
RecoverIdentify
AWS Config AWS Lambda
AWS Systems
Manager

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Detect: AWS Config and AWS Config rules
Continuous monitoring and detection with
AWS Config and AWS Config rules

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Detect: AWS Config rules developed with RDK
The Rules Development Kit (RDK) is the fastest way to develop
and the easiest way to test custom AWS Config rules.
It is designed to support your first AWS Config rule, enterprise-grade rule
development, and CI/CD pipelines.
Open-source software maintained by AWS; documentation and
contributions available at https://github.com/awslabs/aws-config-rdk.
$ pip install rdkEasy install via pip:

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Multi-account structure for secure deployment
Application account
Application
team
Security account
AWS Lambda
function
AWS CloudFormation
StackSet
Automatic deployment
of controls on first use
of AWS service

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Multi-account structure for secure deployment
Application account
Application
team
Security account
AWS Lambda
function
AWS CloudFormation
StackSet
Amazon API
Gateway
Creates
resource
Automatic deployment
of controls on first use
of AWS service

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Multi-account structure for secure deployment
Application account
Application
team
Security account
AWS Lambda
function
AWS CloudFormation
StackSet
Automatic deployment
of controls on first use
of AWS service
Amazon API
Gateway
Creates
resource
Amazon
CloudWatch
event
Triggers

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Multi-account structure for secure deployment
Application account
Application
team
Security account
AWS Lambda
function
AWS CloudFormation
StackSet
Automatic deployment
of controls on first use
of AWS service
Amazon API
Gateway
Creates
resource
Amazon
CloudWatch
event
Triggers
AWS Config rules
Deploys

38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Detect
Application account
API Gateway
API Gateway
AWS Config rule
Security account
Application
team
Triggers
evaluation
Application
team
API Gateway rule
AWS Lambda
function
Notification AWS
Lambda function

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Detect
Calls
Application
team
API Gateway
Application accountSecurity account
API Gateway
AWS Config rule
API Gateway rule
AWS Lambda
function
Notification AWS
Lambda function

40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Detect
Evaluates
Application
team
API Gateway
Application accountSecurity account
API Gateway
AWS Config rule
API Gateway rule
AWS Lambda
function
Notification AWS
Lambda function

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Detect
Responds
Application
team
API Gateway
Application accountSecurity account
API Gateway
AWS Config rule
API Gateway rule
AWS Lambda
function
Notification AWS
Lambda function

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Respond: Remediate
Application
team
Updates
resource
State change =
non-compliant
API Gateway
Resource
policy
Application accountSecurity account
API Gateway
AWS Config rule
API Gateway rule
AWS Lambda
function
Notification AWS
Lambda function

43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Respond: Notify
Trigger
notification
Application
team
API Gateway
Resource
policy
Application accountSecurity account
API Gateway
AWS Config rule
API Gateway rule
AWS Lambda
function
Notification AWS
Lambda function

44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Iteration
Educate MonitorEnable

45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Security likes it
Automation Visibility Codification
and developers like it

47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Governance modelProduct teams Automation
You can build this too

49. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Links
http://bit.ly/2YAs1Rohttp://bit.ly/2VS7P0E
AWS security workshops
AWS Well-Architected Tool
GitHub Continuous assurance