This document discusses frameworks and best practices for building a highly secure cloud environment on AWS and Azure. It covers the Cloud Adoption Framework (CAF), Well Architected Framework (WAF), game days, reference implementations, and industry organizations. It also provides details on security perspectives, pillars, principles, and recommended preventative, detective, and enforcing controls on AWS. The conclusion emphasizes iterating security controls over time, using detective controls for incident response, leveraging AWS services to supplement existing controls, and choosing from frameworks to meet an organization's specific needs.

1. Build and Manage a Highly Secure Cloud
Environment on AWS and Azure
CloudCheckr Webinar - August 1st, 2019

2. Frameworks
• Cloud Adoption Framework (CAF) – AWS
• Well Architected Framework (WAF) – AWS
• Game Days –Various
• Reference Implementations – AWS
• Industry Organizations – Government/Non-Government

3. Cloud Adoption Framework (CAF)
• Perspectives
• Business
• Value Realization
• People
• Roles & Readiness
• Governance
• Prioritization & Control
• Platform
• Applications & Infrastructure
• Security
• Risk & Compliance
• Operations
• Manage & Scale

4. Security Perspective
• Directive
• Account Ownership and contact information
• Change and asset management
• Least privilege access
• Preventive
• Identity and access
• Infrastructure protection
• Data protection
• Detective
• Logging and monitoring
• Asset inventory
• Change detection
• Responsive
• Vulnerabilities
• Privilege escalation
• DDoS attack

5. Well Architected Framework (WAF)
• Pillars
• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Cost Optimization
• Lenses
• Serverless
• High Performance Computing (HPC)
• Internet ofThings (IOT)

6. Security Pillar
• Design Principles
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Prepare for security events
• Best Practices
• Identity andAccess Management
• Detective Controls
• Infrastructure Protection
• Data Protection
• Incident Response

7. Game Days
• Define
• Workload, Personnel, Scenario, Environment, Schedule
• Execute
• Start, Middle, End
• Analyze
• Debrief, Examine, Document, Root CauseAnalysis (RCA), Correction of Error (CoE)

8. Reference Implementations
• “NIST Quickstart”
• Based on Cybersecurity Framework, SP 800-53, SP 800-37
• Corresponding Guide + Controls Matrix
• CIS and PCIVariants Available
• Good starting point

9. Industry Organizations
• National Institute of Standards andTechnology (NIST)
• Center for Internet Security (CIS)
• Cloud Security Alliance (CSA)
• International Information System Security Certification Consortium (ISC2)
• OpenWeb Application Security Project (OWASP)
• MITRE
• Payment Card Industry (PCI)
• Secure Controls Framework (SCF)
• Feisty Duck
• ThreatResponse

10. Preventative Controls - Baseline
• VPC: Security Groups (Stateful Firewall) + NACLs (Stateless Firewall)
• WAF: Layer 7WAF
• Shield + AutoScaling + ELB + Cloud Front: DoS/DDoS Protection
• VPC:VGW (Point to Point and IPSEC Connectivity) + Peering (VPC toVPC
Connectivity) + Endpoints (Private Connectivity toAWS Services)
• IAM + Directory Service + SSO: Standalone and Federated AAA
• KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS
services, provides expiration and ability to provide self-generated cryptographic
material
• Secure Credential Storage: Secrets Manager, Systems Manager

11. Preventative Controls -Workloads
• AWS Auto Scaling: EC2, Dynamo, AuroraAutoscaling
• Code Commit/ECS: Secure Application and Artifact Repository
• Code Deploy/Run Command: “Hands off”OS and configuration management +
application deployment
• EC2: Systems Manager (OS and above patching + auditing)
• AWS Backup: EC2, RDS, EFS, Dynamo Backups
• Workspaces: Secure Bastion
• OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management
• Host based security:Trend Micro Deep Security, etc.

12. Detective Controls
• Config: Point in time snapshots of configuration items, Exportable as JSON to idempotent
storage
• Tags: Built-in asset + inventory marking and tracking on configuration items
• S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention
• VPC: Flow Logs (NetFlow) + Port Mirroring (New!)
• CloudWatch Logs:OS and above log management
• CloudTrail:AuditTrail, Exportable as JSON to idempotent storage
• Cloudfront, ALB andWAF: All log (CloudFront andALB in S3,WAF in Kinesis)

13. Enforcing Controls – AWS
• ControlTower
• Security Hub
• Service Catalog
• CloudFormation
• Guard Duty
• Inspector
• Macie
• Trusted Advisor
• Config Rules

14. Enforcing Controls –Third Party
• CIS CAT
• CloudCheckr
• AlertLogic
• Tenable
• Sumologic

15. Incident Response
• Disk Snapshots
• Don’t forget to remove from retention policy
• Automated withThreatResponse
• Memory Snapshots
• Automated withThreatResponse
• Logs
• Don’t forget to remove from retention policy
• Query and Correlate with Athena
• BlockAccess
• Revert to Known Good State
• Identify/Correct Root Cause
• Rotate Credentials (people and things)
• Measure

16. Conclusion
• Iterate introduction of your security controls – some in the short term is better than none in the
long term.
• Detective Controls are just as important as Preventative Controls, they play a significant
response in incident detection and response.
• Whether your workload is onAWS or not,AWS services can be used to supplement your controls.
• There is no lack of frameworks – pick and choose from them to make a framework that works
best for your organization’s needs.