Atlanta AWS Builders -
AWS Cloud Governance & Security
through Automation
Jason Lutz - DevOps Consultant
James Strong - Cloud Native Director
8/20/2020
Agenda
01 | Introduction to Contino
02 | DevSecOps Intro
03 | Compliance & Governance at the Enterprise Level
04 | Cloud Service Provider and Account Security
05 | Network & Workload Security
A Brief History of Time
Contino is a global Digital Transformation Consultancy. We specialize in helping highly-regulated enterprises
transform faster, modernizing their product delivery with Cloud Computing, Data & FinOps.
● 360~ people
● 500+ engagements
● 250+ customers
Founded 2014; First Customers; Financial Services; Global Offices; October 2019
Key Industries
● Manufacturing
● Banking & Financial Services
● Telecommunications
● Public Sector & Healthcare
● Travel & Transport
Speakers
The DevSecOps & Cyber Security Practice
Where can Contino optimise your security posture? We treat security as a first class citizen.

1 | Security Advisory & Education
Learn new skills and prepare for constantly evolving adversaries. Setting the right path to remain secure in a rapidly evolving digital environment and establishing a baseline security posture.

2 | Security Operating Model
Establish team structures and operating procedures for a proactive posture. Right sized, structured and skilled workforces to support multi speed enterprise delivery. Move fast and remain secure.

3 | Security & Risk Management
Apply evidence based controls and governance that are supported by data and industry best practice. Regulatory aligned governance frameworks that provide rigour & control, with speed in mind.

4 | Security Engineering
Best of breed cloud native security solutions, underpinned by Red/Blue Team concepts. Proactive security solutions, integrated with detection, prevention and notification systems that have automation at their core.

5 | Security Enabled Lighthouse Projects
New working practices, tooling and team structures to reduce MTTD of security vulnerabilities and attacks. Building upon foundational security posture by introducing Security Chaos Engineering and patterns to support advanced attacker techniques across your technology estate.

Example Customer Outcomes:
● 60% effort reduction in administering security controls through automated solutions.
● 65% faster MTTD and remediation of security vulnerabilities.
● 16,000 person days saved by automating risk management controls.
● Remediation of critical vulnerabilities to offset instances of crypto-mining and ransomware.
● 100% compliance rating with CIS & NIST benchmarks.
● Industry leading security posture as validated by 3rd party auditors across FS, Healthcare and Public Sector.
Traditional Security vs DevSecOps - DevSecOps 101

Traditional security: security is a final hurdle, a set of gated checks added to the end of the process. The pipeline runs Development → Commit → Build → Test → Deploy, followed by Manual Security Tests, Manual Penetration Tests, Manual Checks, Exceptions, Manual Signoffs and Re-Work before the "Deploy?" decision (X).

DevSecOps: security is properly integrated into the software development lifecycle (SDLC). Early fast feedback is valued over retrospective corrections. The same stages carry Automated Tests, Automated Security, Early Feedback, Security Validation, Code Quality Validation, Security Policy Checks and Security Requirements Documentation, with Automated Builds and Automated Deployment; all changes are treated as code.
Benefits of DevSecOps
● Speed of Delivery
● Speed of Recovery
● Immutable Infrastructure
● Security Auditing, Monitoring, and Notification Systems
● Security is Federated
● DevSecOps Fosters a Culture of Openness and Transparency
Creating A Culture of Security - DevSecOps 101
A DevSecOps culture means:
● Communication
● Customer Focused Organization
● Agility and Security
● Ownership
“Every program and every privileged user of the system should
operate using the least amount of privilege necessary to complete
the job.” - MIT Professor Jerome Saltzer.
AWS Shared Responsibility Model
Source: https://aws.amazon.com/compliance/shared-responsibility-model/
Enterprise Security Compliance:
● Security Program
● Security Framework
Cloud Security Program:
● Cloud Security Posture Management
● Workload and Network Security
NIST CSF
➔ Framework Tiers
➔ Tier 1: Partial
➔ Tier 2: Risk Informed
➔ Tier 3: Repeatable
➔ Tier 4: Adaptive
Compliance & Governance (NIST CSF functions mapped to AWS services)
Identify: Security Hub, Organizations, Control Tower, Trusted Advisor, Service Catalog, Config, Systems Manager
Protect: VPC, IoT Device Defender, Direct Connect, Resource Access Manager, Directory Services, AWS Shield, IAM, Secrets Manager, KMS, Cognito, WAF, FW Manager, Cert. Manager, HSM, SSO
Detect: GuardDuty, Macie, Inspector, Security Hub
Respond: Automate with CloudWatch, Systems Manager, Lambda; Investigate with CloudWatch, CloudTrail, Health Dashboard, Route 53
Recover: S3, Glacier
Compliance and Governance on AWS
Services & Tools:
● AWS Artifacts (Identify)
● AWS CloudTrail (Detect)
● AWS Config (Detect & React)
● AWS Trusted Advisor (Detect)
● AWS Inspector (Detect)
● AWS SSM (Protect & Respond)
● AWS ECR (Detect, Protect)
● AWS CloudWatch (Detect & Respond)
● AWS EBS (Protect)
● AWS S3 (Protect)
● AWS KMS (Protect)
● AWS Security Hub (Identify, Detect, Protect, Respond, Recover)
Best Practices:
● AWS Security Best Practices
● AWS Well Architected Framework
● CIS AWS Benchmarks
AWS Config & Config Aggregator
Cloud Service Provider and Account Security
● Identity and Access Management (IAM) - root, credentials, password policies, MFA, etc.
● Logging - CloudTrail, CloudWatch, S3 access, VPC Flow Logs, KMS/CMKs
● Monitoring - log metrics/alarms: APIs, root, S3 changes, network changes
● Networking - check for ingress, default security group settings, VPC peering least access
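As an added example (not from the slides, and not Prowler's code), the IAM items on this slide can be scripted against the IAM credential report that the account exposes: the checker below runs over a constructed report in the report's CSV column layout (a subset of its columns) and flags root access keys, missing MFA and stale keys, using a fixed reference date so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the IAM credential report
# (a subset of the columns; boto3's iam.get_credential_report()["Content"]
# returns the same CSV with more columns, which DictReader simply ignores).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,not_supported,false,true,2019-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111111111111:user/alice,true,true,true,2020-06-01T00:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111111111111:user/deploy-bot,false,false,true,2019-03-01T00:00:00+00:00,false,N/A
"""

# Fixed "now" (the talk date) so the sample audit is reproducible.
NOW = datetime(2020, 8, 20, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A and not_supported mean absent."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(csv_text, now=NOW, max_key_age_days=90):
    """Return findings in the spirit of the CIS AWS Foundations identity
    checks: root access keys, root MFA, MFA on console users, stale keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append(f"{user}: MFA not enabled on the root account")
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append(f"{user}: root account has an active access key")
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password enabled without MFA")
        for n in ("1", "2"):  # every active key must have been rotated recently
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append(f"{user}: access key {n} older than {max_key_age_days} days")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print("FAIL", finding)
```

Wiring the same function to the live report gives the automated evidence the CIS demo with Prowler produces for the same controls.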
CIS and Account Security on AWS
CIS Benchmark Demo: Prowler
Multi Account Architecture of Security Hub
Network Security
AWS Security Hub Demo: https://www.contino.io/insights/aws-config-aggregator-compliance
Workload Security
NIST Special Publication 800-190 Application Container Security Guide
● Major Risks for Core Components of Container Technologies
● Countermeasures
● Container Threat Scenarios
● Security Considerations for Container Technology Life Cycles
NIST Special Publication 800-204 Security Strategies for Microservices-based Application Systems
CIS Benchmarks Docker & Kubernetes
CIS Hardening Guides for Operating Systems & Server Applications
Workload Security AWS - Demo: Container Security
Contino Approach To DevSecOps
As you move to an infrastructure as code approach, enterprises will also have the potential to
integrate compliance and security as code into their infrastructure development pipelines.
This enables application and infrastructure teams to deliver software innovation in a controlled,
secure, compliant and governed manner using automation rather than manual reviews and audits.
For more thought leadership on DevSecOps please visit the following URLs:
● A Quick Compliance As Code Demo: https://www.contino.io/insights/devsecops-quick-compliance-as-code
● Compliance As Code On AWS: https://www.youtube.com/watch?v=HxFCFaCweIc
● Enter The Vault: https://www.youtube.com/watch?v=e_pBreicARM&t=17s&ab_channel=Contino
● The ‘Why’ & ‘How’ Of DevSecOps: https://www.youtube.com/watch?v=uyGwFytQrNs
● Introduction To DevSecOps White Paper: https://www.contino.io/resources/devsecops-best-practice-guide
Thank You
contino.io | continohq | contino
Atlanta: atlanta@contino.io
London: london@contino.io
New York: newyork@contino.io
Melbourne: melbourne@contino.io
Sydney: sydney@contino.io
