This document provides a summary of security best practices when using AWS. It recommends taking a prescriptive approach that involves understanding AWS's security approach, building strong compliance foundations, integrating identity and access management, enabling detective controls, establishing network security, implementing data protection, optimizing change management, and automating security functions. It describes specific AWS services that can be used for each, such as IAM, VPC, CloudTrail, CloudWatch, Config, and CloudFormation. The overall message is that security responsibilities are shared between AWS and customers, and adopting AWS security best practices allows moving fast while staying secure.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dr. Hermann Schloss, Technical Trainer, AWS
Shaikh Salman bin Mohammed Al-Khalifa, General Manager of Information Technology, IGA
25 September 2017
Security Best Practices

2. Prescriptive Approach
Understand
AWS
Security
Practice
Build Strong
Compliance
Foundations
Integrate Identity
& Access
Management
Enable
Detective
Controls
Establish
Network
Security
Implement
Data
Protection
Optimize
Change
Management
Automate
Security
Functions

3. Understand AWS Security
Practice

4. Why is enterprise security traditionally hard?
Lack of visibility Low degree of automation

5. AND
Move
Fast
Stay
Secure

6. Making life easier
Choosing security does not mean giving up
on convenience or introducing complexity

7. Security ownership
• Promotes culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
Distributed Embedded

8. Strengthen your security posture
Get native functionality and tools
Over 30 global compliance
certifications and accreditations
Leverage security enhancements gleaned
from 1M+ customer experiences
Benefit from AWS industry leading
security teams 24/7, 365 days a year
Security infrastructure built to
satisfy military, global banks, and other
high-sensitivity organizations

9. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability
Zones
Edge
Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
Security is a shared responsibility
Customers are
responsible for
their security IN
the cloud
AWS is
responsible for
the security OF
the cloud

10. Build Strong Compliance
Foundations

11. AWS Assurance Programs
AWS maintains a formal control environment
• SOC 1 Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001, 27017, 27018 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• Architect for HIPAA compliance

12. AWS Trusted Advisor
AWS Trusted
Advisor

13. Integrate AWS Identity and
Access Management (IAM)

14. AWS Identity & Access Management
IAM Users IAM Groups IAM Roles IAM Policies

15. Account Governance – New Accounts
InfoSec’s
Cross-
Account
Roles
AWS Account
Credential
Management
(“Root Account”)
Federation
Baseline Requirements
Actions &
Conditions
Map
Enterprise
Roles

16. Enable Detective Controls

17. AWS CloudTrail & Amazon CloudWatch
AWS
CloudTrail
Amazon
CloudWatch
ü Enable Globally for All AWS Regions
ü Encryption & Integrity Validation
ü Archive & Forward
ü Amazon CloudWatch Logs
ü Metrics & Filters
ü Alarms & Notifications

18. Establish Network Security

19. AWS Global Infrastructure
16 AWS Regions
• North America
• Europe
• Asia Pacific
• South America
Each Region has at least 2 Availability Zones
• 44 Availability Zones (AZs)
77 AWS Edge Locations
• North America
• Europe
• Asia Pacific
• South America
Availability
Zone A
Availability
Zone B
Availability
Zone C

20. VPC Public Subnet 10.10.1.0/24 VPC Public Subnet 10.10.2.0/24
VPC CIDR 10.10.0.0/16
VPC Private Subnet 10.10.3.0/24 VPC Private Subnet 10.10.4.0/24
VPC Private Subnet 10.10.5.0/24 VPC Private Subnet 10.10.6.0/24
AZ A AZ B
Public ELB
Internal ELB
Amazon
RDS
Master
Autoscaling
Web Tier
Autoscaling
Application Tier
Internet
Gateway
Amazon RDS
Standby
Snapshots
Multi-AZ RDS
Data Tier
Existing
Datacenter
Virtual
Private
Gateway
Customer
Gateway
VPN Connection
Direct Connect
Network
Partner
Location
Administrators &
Corporate Users
Amazon Virtual Private Cloud

21. Availability Zone A
Private subnet
Public subnet
Private subnet
Availability Zone B
Public subnet
Private subnet
ELB
Web
Back end
VPC CIDR 10.1.0.0/16
ELB
Web
Back end
VPC
sg_ELB_FrontEnd (ELB Security Group)
sg_Web_Frontend (Web Security Group)
Security Groups
sg_Backend (Backend Security Group)

22. Security Groups

23. Security Groups

24. Security Groups

25. VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to Amazon CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
AWS
account
Source IP
Destination IP
Source port
Destination port
Interface Protocol Packets
Bytes Start/end time
Accept
or reject

26. VPC Flow Logs – CloudWatch Alarms

27. Implement Data Protection

28. Cryptographic Services
Amazon
CloudHSM
ü Deep integration with AWS services
ü CloudTrail
ü AWS SDK for application encryption
ü Dedicated HSM
ü Integrate with on-premises HSMs
ü Hybrid Architectures
AWS
KMS

29. Optimize Change Management

30. AWS Config & AWS Config Rules
AWS
Config
AWS
Config
Rules
ü Record configuration changes
continuously
ü Time-series view of resource
changes
ü Archive and compare
ü Enforce best practices
ü Automatically roll-back unwanted
changes
ü Trigger additional workflow

31. AWS Config – VPC Example

32. AWS Config – VPC Example

33. AWS Config Rules – Tenancy Enforcement Example

34. AWS Config Rules – Tenancy Enforcement Example

35. AWS Config Rules – Tenancy Enforcement Example

36. AWS CloudFormation – Infrastructure as Code
Template StackAWS
CloudFormation
ü Orchestrate changes across AWS
services
ü Use as foundation to AWS Service
Catalog products
ü Use with source code repositories to
manage infrastructure changes
ü JSON-based text file describing
infrastructure
ü Resources created from
a template
ü Can be updated
ü Updates can be
restrictured

37. Change Sets – Create Change Set

38. Change Sets

39. Change Sets

40. Automate Security Functions

41. Evolving the Practice of Security Architecture
Security architecture as a separate function can no longer
exist
Static position papers,
architecture diagrams &
documents
UI-dependent consoles and
technologies
Auditing, assurance, and
compliance are decoupled,
separate processes
Current Security
Architecture
Practice

42. Evolving the Practice of Security Architecture
Security architecture can now be part of the ‘maker’ team
Architecture artifacts
(design choices, narrative,
etc.) committed to common
repositories
Complete solutions account
for automation
Solution architectures are
living audit/compliance
artifacts and evidence in a
closed loop
Evolved Security
Architecture
Practice
AWS
CodeCommit
AWS
CodePipeline Jenkins

43. Prescriptive Approach – Get Started!
Understand
AWS
Security
Approach
Build Strong
Compliance
Foundations
Integrate Identity
& Access
Management
Enable
Detective
Controls
Establish
Network
Security
Implement
Data
Protection
Optimize
Change
Management
Automate
Security
Functions

44. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!