AWS and the Cloud has ushered in a new era for Information Security & Risk Professionals. In this session, we will talk through how the world's leading corporates are reinventing their internal GRC practices to enable their business to leverage the business value of AWS while improving the security posture of their organisation. We will talk about the journey undertaken by globally regulated entities such as Capital One who now believe they can operate more securely in the public cloud than they can in their own data centres. Finally, we will provide lessons and best practices on how you can use AWS to improve the security posture of your organisation. Speaker: Rodney Haywood, Manager Solutions Architecture, Amazon Web Services Featured Customer - Xero

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Rodney Haywood – Senior Manager, Solutions Architecture A/NZ
April 2016
Security and Governance on AWS
Better, Faster and Cost Effective
Technical 201

2. "The financial services industry attracts some of the worst
cyber criminals. We work closely with AWS to develop a
security model, which we believe enables us to operate
more securely in the public cloud than we can in our own
data centers.”
Rob Alexander, CIO, Capital One

3. Better Faster
Lower
Cost

4. How Might AWS be
Better?

5. Security is Job Zero

6. A High Pace of Innovation

7. Services
2009
Amazon RDS
Amazon VPC
AWS Auto Scaling
AWS Elastic Load
Balancing
2010
Amazon SNS
AWS Identity
& Access
Management
Amazon
Route 53
2011
Amazon
ElastiCache
Amazon SES
AWS
CloudFormation
AWS Direct
Connect
AWS Elastic
Beanstalk
GovCloud
2012
Amazon SWF
Amazon
Redshift
Amazon
Glacier
Amazon
Dynamo DB
Amazon
CloudSearch
AWS Storage
Gateway
AWS Data
Pipeline
2013
Amazon
CloudTrail
Amazon
CloudHSM
Amazon
WorkSpaces
Amazon
Kinesis
Amazon Elastic
Transcoder
Amazon
AppStream
AWS OpsWorks
2014
AWS KMS
Amazon Config
Amazon Cognito
Amazon Mobile
Analytics
Amazon EC2
Container Service
Amazon RDS for
Aurora
Amazon Lambda
Amazon WorkDocs
AWS Directory
Service
AWS CodeCommit
AWS CodePipeline
2015
Amazon EFS
Amazon API Gateway
Amazon WorkMail
Amazon Machine
Learning
AWS Device Farm
AWS WAF
Amazon
Elasticsearch Service
Amazon QuickSight
AWS Import/Export
Snowball
Amazon Kinesis Firehose
Amazon RDS for MariaDB
Amazon Inspector
AWS Database Migration
Service
AWS IoT
Amazon EC2 Container
Registry
Amazon Kinesis Analytics
AWS Mobile Hub
* As of 30 Nov 15
AWS EMR
Amazon CloudWatch
Amazon FPS AWS Import/Export
Trusted Advisor AWS Service Catalog
AWS CodeDeploy
Amazon CloudWatch Logs

8. Security Services
2009
Amazon RDS
Amazon VPC
AWS Auto Scaling
AWS Elastic Load
Balancing
2010
Amazon SNS
AWS Identity
& Access
Management
Amazon
Route 53
2011
Amazon
ElastiCache
Amazon SES
AWS
CloudFormation
AWS Direct
Connect
AWS Elastic
Beanstalk
GovCloud
2012
Amazon SWF
Amazon
Redshift
Amazon
Glacier
Amazon
Dynamo DB
Amazon
CloudSearch
AWS Storage
Gateway
AWS Data
Pipeline
2013
Amazon
CloudTrail
Amazon
CloudHSM
Amazon
WorkSpaces
Amazon
Kinesis
Amazon Elastic
Transcoder
Amazon
AppStream
AWS OpsWorks
2014
AWS KMS
Amazon Config
Amazon Cognito
Amazon Mobile
Analytics
Amazon EC2
Container Service
Amazon RDS for
Aurora
Amazon Lambda
Amazon WorkDocs
AWS Directory Service
AWS CodeCommit
AWS CodePipeline
2015
Amazon EFS
Amazon API Gateway
Amazon WorkMail
Amazon Machine
Learning
AWS Device Farm
AWS WAF
Amazon
Elasticsearch Service
Amazon QuickSight
AWS Import/Export
Snowball
Amazon Kinesis Firehose
Amazon RDS for MariaDB
Amazon Inspector
AWS Database Migration
Service
AWS IoT
Amazon EC2 Container
Registry
Amazon Kinesis Analytics
AWS Mobile Hub
* As of 30 Nov 15
AWS EMR
Amazon CloudWatch
Amazon FPS AWS Import/Export
Trusted Advisor AWS Service Catalog
AWS CodeDeploy
Amazon CloudWatch Logs

9. Security Features
0%
5%
10%
15%
20%
25%
30%
35%
40%
0
100
200
300
400
500
600
700
800
2008 2009 2010 2011 2012 2013 2014 2015
Security Features All Significant Features and Services Percent

10. Unified Fine-­grained
Access Control

11. AWS Identity and Access
Management
Authenticate Authorize
Username / Password
Access Key / Secret Key
Federation
Temporary Credentials
Cross Account
Policies
• Action
• Resource
• Condition

12. {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:ap-southeast-2:ACCOUNT-ID-WITHOUT-HYPHENS:instance/*",
"Condition": {"StringEquals": {"ec2:ResourceTag/department": "dev"}}
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:ap-southeast-2:ACCOUNT-ID-WITHOUT-HYPHENS:volume/*",
"Condition": {"StringEquals": {"ec2:ResourceTag/volume_user": "${aws:username}"}}
}
]
}

13. AWS Identity and Access
Management
Authenticate Authorize Audit
Username / Password
Access Key / Secret Key
Federation
Temporary Credentials
Cross Account
Policies
• Action
• Resource
• Condition
AWS CloudTrail
Record of API calls

14. Visibility
“You can’t secure what you don’t know about.”

15. What Assets do I Have?
View Current Assets via Multiple Interfaces
• AWS Management Console
• AWS SDKs
• AWS CLI
• Windows PowerShell

16. What Instances do I Have in a Region?
AWS SDK for Ruby
#!/usr/bin/ruby
require 'rubygems’; require 'aws-sdk'
AWS.regions['ap-southeast-2'].ec2.instances.each do |instance|
puts instance.id
end
OUTPUT
i-9e47d6a1
i-93eb2cad
i-9bc1b747
i-5085ef8c
i-49739697
AWS CLI
$aws ec2 describe-instances --query "Reservations[*].Instances[*].InstanceId" --output text

17. What Access is Occurring?
AWS CloudTrail
• Records AWS API to S3 giving you a history
• Includes the identity, time and source IP address of
the API caller. Request Parameters and the Response
elements returned
• Enables security analysis, resource change tracking,
and compliance auditing
• Optionally encrypted with your AWS KMS key
• Optional Log File Integrity Validation

19. Is Access and Permission Being Used?
• IAM Password & IAM Access Key last used details
• IAM Access Advisor

22. What Activity is Occurring?
AWS CloudWatch Events
• Near real-­time stream of system events that describe
changes in AWS resources
• Supported events include console login, auto scaling,
instance state change, an API call or a schedule
• Triggers to Lambda function, SNS topic, SQS queue,
Kinesis stream or built-­in functions

23. Creating a CloudWatch Event to notify on login

24. Receiving a CloudWatch Event for an API call
{
"detail-type": "AWS API Call via CloudTrail",
"source": "aws.cloudformation",
"time": "2016-04-21T07:37:57Z",
"region": "ap-southeast-2",
"detail": {
"userIdentity": {
"type": "IAMUser",
"userName": "rodosadmin",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "true",
"creationDate": "2016-04-21T01:55:06Z"
}
},
},
"eventSource": "cloudformation.amazonaws.com",
"eventName": "CreateStack",
"awsRegion": "ap-southeast-2",
"sourceIPAddress": "144.132.157.178",
"requestParameters": {
"stackName": "CoffeeShop",
"parameters": [...],
"templateURL": "http://s3-ap-southeast-
2.amazonaws.com/my.template",
"tags": [],
"disableRollback": false,
},
"responseElements": {
"stackId": "arn:aws:cloudformation:ap-
southeast-
2:518127492581:stack/CoffeeShop/f7550530-0793-
11e6-bb66-50fae957fce6"
},
}
}

25. What Network Activity is Occurring?
• VPC Flow Logs
Capture IP traffic information to & from VPC interfaces
• AWS Web Application Firewall
Improve web traffic visibility to monitor requests that
match your security filter criteria

26. What Activity Occurred?
AWS Config
A fully managed service that provides you with an AWS
resource inventory, configuration history, and
configuration change notifications to enable security and
governance.
• Supports EC2, IAM and CloudTrail
• Interactive view in AWS Management Console
• History files stored in S3
• Send change events to an SNS topic

30. How Might AWS Be
Faster?

31. Reduced Heavy Lifting

32. Audits, Accreditations and Certifications
• Independent 3rd party assessors review and validate AWS internal controls
• Audit reports (such as SOC1 & SOC2) are available under NDA.
• You can review the control results and auditor notes.
• You can take comfort that the controls have been appropriately
implemented and are operating effectively.

33. AWS
Foundation
Services
AWS
Global
Infrastructure
Your
own
accreditation
Start with services
Your
own
certifications
Your
own
external
audits
Built on AWS
consistent baseline of
validated controls
Customer scope and
effort is reduced
Better results through
focused efforts

34. Shared Responsibility across Deployment Models
Infrastructure
Services
Container Services Abstract Services
Customer IAM
AWS IAM
Networking/Firewall
Data
Applications
Operating System
Networking/Firewall
Data
Customer IAM
AWS IAM
AWS Foundation
Services
AWS Global
Infrastructure
AWS Foundation
Services
AWS Global
Infrastructure
Applications
Operating System
AWS Foundation
Services
AWS Global
Infrastructure
Applications
Operating System
Networking/Firewall
AWS IAM
Data
Customer IAM
Customers
AWS
AWS
AWS
Customers
Amazon
EC2
Amazon
RDS
Amazon
Redshift
Elastic Load
Balancing
Amazon
DynamoDB
Amazon
S3
Amazon
Kinesis
Customers

35. Automation

36. Automation
• Completely API driven
• Execute faster, remediate faster
• Build more resilient processes
• Complete traceability
Lower automation results in longer planning
cycles and more complex manual processes,
which reduces speed and reliability.
Environment Lifecycle
Event Response
driving

37. An Ecosystem of
Innovators

38. https://github.com/awslabs/aws-­config-­rules/
A Community – Based Source of Custom Rules for AWS
Config
For example
23. Ensure that no users have password policy requirements weaker than
specified.
24. Ensure that no users have access keys that have never been used.
25. Ensure that there are no users that have never been logged in.

39. AWS Foundations Benchmark
A set of security
configuration best
practices for AWS.
Providing AWS users with
clear, step-­by-­step
implementation and
assessment procedures.

41. Cloud Custodian is a rules engine for AWS resource management. It allows users to define
policies to be enforced to enable a well managed cloud, with metrics and structured outputs.
It consolidates many of the adhoc scripts organizations have into a lightweight and flexible
tool.
Organizations can use Custodian to manage their AWS environments by ensuring
compliance to security policies, tag policies, garbage collection of unused resources, and
cost management via off-­hours resource management.
Cloud Custodian

42. How Might AWS be
Lower Cost?

43. Commodity Pricing
Amazon
CloudWatch
AWS
CloudTrail
AWS
Config
AWS WAFAWS Directory
Service
AWS KMS
VPN
Connection
AWS
CloudHSM
Amazon
VPC
AWS
CloudFormation
AWS IAM
MFA
token
EBS
Encryption
Eligible Free Tier / Trial Pay for Use
Free
Amazon
Inspector

44. Listings for “security”
products in the Sydney
region.
• 844 in total
• 102 with a 4★ rating
• 36 launch CloudFormation

45. Better Faster Lower
Cost

46. Framework for
Modernising Security
Governance.

47. 1st
Line of Defense 2nd
Line of Defense 3rd
Line of Defense
Three Lines of Defense
Operations Supervision Evaluation

48. 1st
Line of Defense 2nd
Line of Defense 3rd
Line of Defense
Management
Controls
Internal
Control
Measures
Internal Audit
Financial Control
Security
Risk Management
Quality
Inspection
Compliance
Three Lines of Defense – Responsibilities
Operations Supervision Evaluation

49. 1st
Line of Defense 2nd
Line of Defense 3rd
Line of Defense
Controls
• Transparency
• Log Processing
• Policy Review
• Separation of Duties
• Account Governance
• Event Review
Controls
• Configuration Controls
• Authorisation Controls
• Change Controls
• Logging & Integrity Controls
• Policy Controls
• Policy Violation Controls
Three Lines of Defense – Applicable Controls
Controls
• Network Controls
• Access Controls
• Traceability Controls
• Encryption Controls
• Awareness and Response
Controls
Operations Supervision Evaluation

50. 1st
Line of Defense 2nd
Line of Defense 3rd
Line of Defense
AWS Applicable ServicesAWS Applicable Services
Three Lines of Defense – AWS Services
AWS Applicable Services
Amazon
VPC
AWS IAM AWS KMS
Amazon
CloudWatch
Amazon
CloudWatch
AWS
Config
AWS
CloudTrail
AWS
CloudFormation
AWS
CloudTrail
Permissions
Amazon
SNS
Amazon
Inspector
AWS
Config
Amazon S3Marketplace
Operations Supervision Evaluation
AWS Trusted
Advisor

51. 3 Lines of Defense Example
Control : Are policies enforced?
Enforcement : Configuration Management

52. 1st Line of Defense (Operations) : Configuration Management
CloudFormation
template
Admin
Define
AWS Service Catalog
Publish
CloudFormation
stack
Users
Browse and Launch
Provisions

53. 2nd Line of Defense (Supervision) -­ Configuration Monitoring
CloudFormation
template
Admin
Define
AWS Service Catalog
Publish
CloudFormation
stack
Users
Browse and Launch
AWS Config
Provisions
AWS Config rules

54. 3rd Line of Defense (Evaluation) -­ Configuration Log Testing
CloudFormation
template
Admin
Define
AWS Service Catalog
Publish
CloudFormation
stack
Users
Browse and Launch
AWS Config
Provisions
AWS Config rules AWS CloudTrail
Amazon S3

55. 1st
Line of Defense 2nd
Line of Defense 3rd
Line of Defense
Three Lines of Defense Risk Management
INFRASTRUCTURE
AS CODE
AUTOMATE
COMPLIANCE
TOTAL
TRANSPARENCY
Operations Supervision Evaluation

56. Better Faster Lower
Cost
Modernize
Governance

57. Aaron McKeown, Lead Security Architect, Xero
Cloud Security @ Xero

58. Beautiful cloud-­based accounting software connecting people
with the right numbers anytime, anywhere, on any device

59. subscribers
600,000
474Mraised in capital
$
transactions processed
in past 12 mths
356B$
+
23Mbusinesses have interacted
on the Xero platform
+
215Minvoices in past 12 mths
+
1300staff globally
+
All figures shown are in NZD
subscription revenue
FY15
121M$
+

60. Improving data
protection
Eliminating
scheduled
downtime
Maintaining
and improving
our security
Support the next
wave of growth
Reducing our per
customer cost
Public cloud migration

61. Repeatable and Automated
build and management of
Security Systems
Accelerated pace of
security innovation
On-­Demand security
infrastructure that works at
any scale
Key Principles

62. VPN
connectivity
Host Based
Security
Web Application
Security and
Delivery
Shared Key
Management
Services
Security
Operations and
Consulting
Services
Secure
Bastion
Access
Proxy Services
Security as a Service

63. Security by Design -­
What's that?
Communication is Key -­
Who are your
spokespeople?
Measure and Test,
Monitor Everything
Welcome to the cloud -­
"Where's my span port"?
Key Learnings

64. Repeatable and Automated
build and management of
Security Systems
Accelerated pace of
security innovation
On-­Demand security
infrastructure that works
at any scale
Final Takeaways

65. Thank You!

66. Additional AWS Security and Compliance Resources
http://aws.amazon.com/security
http://aws.amazon.com/compliance
http://aws.amazon.com/compliance/#whitepapers
https://aws.amazon.com/compliance/compliance-­enablers/
http://aws.amazon.com/documentation
http://aws.amazon.com/iam
https://www.youtube.com/user/AmazonWebServices
https://aws.amazon.com/blogs/aws/new-­aws-­security-­courses/
awscompliance@amazon.com

67. AWS Training & Certification
Intro Videos & Labs
Free videos and labs to
help you learn to work
with 30+ AWS services
– in minutes!
Training Classes
In-­person and online
courses to build
technical skills –
taught by accredited
AWS instructors
Online Labs
Practice working with
AWS services in live
environment –
Learn how related
services work
together
AWS Certification
Validate technical
skills and expertise –
identify qualified IT
talent or show you
are AWS cloud ready
Learn more: aws.amazon.com/training

68. Your Training Next Steps:
ü Visit the AWS Training & Certification pod to discuss your
training plan & AWS Summit training offer
ü Register & attend AWS instructor led training
ü Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Learn more: aws.amazon.com/training

69. Thank you!