Cloud computing on AWS provides central IT organizations with the ability to control their applications, data and security. This session will detail the processes and controls that CIO organizations can put in place to maintain control while helping their customers to realize the many benefits of cloud computing.

1. AWS Government, Education, &
Nonprofits Symposium
Canberra, Australia | May 20, 2014
Compliance and Governance on the AWS Cloud
Mark Ryland
Chief Solutions Architect
Worldwide Public Sector Team

2. 2013 AWS WWPS Summit,
Canberra – May 23
Accreditation & Compliance, Old and New
Old world
• Functionally optional (you can build
a secure system without it)
• Audits done by an in-house team
• Not so much about actual security;
rather, check the compliance boxes
• Check once a year (?)
• Workload-specific analysis
New world
• Functionally necessary (no, you
cannot visit our data centers!)
• Audits done by third party auditors
• Better security drives better
compliance and vice versa
• Continuous monitoring, updates
• Based on all workload scenarios

3. Integration of Compliance and Security
• In the cloud, scale, speed, and security disallow 1:1
customer/vendor security assessments
• But of course “trust me” is not a viable solution to the
challenge
• Solution: rigorous compliance regimes and constant
surveillance by multiple teams of expert third-party
auditors generally better than 1:1 assessments

4. Expert Audits: the Validation Scalpel
• Experts auditors give
a 360° view of cloud
• Constantly engaged;
the overall process
never stops
• “Continuous
monitoring” like
you’ve never seen
before
SME
SME
SME
SME
SME
SME=subject matter expert

5. Benefits of Scale Apply to Security and Compliance
The entire community benefits from tough
scrutiny, the world-class AWS security team,
market-leading capabilities, and constant
improvements
Everyone’s Systems and Applications
Security Infrastructure
Security Infrastructure
Requirements
Nothing better for the community than a
tough set of customers…

6. Economies of Scale: World-class Teams
• Where would some of the world’s best
security and compliance experts like to
work?
• They want to work at scale: huge
challenges with huge rewards!
• So AWS has world-class security and
compliance teams watching your back!

7. AWS
Founda+on
Services
Compute
Storage
Database
Networking
AWS
Global
Infrastructure
Regions
Availability
Zones
Edge
Loca+ons
Client-­‐side
Data
Encryp2on
Server-­‐side
Data
Encryp2on
Network
Traffic
Protec2on
Pla<orm,
Applica2ons,
Iden2ty
&
Access
Management
Opera2ng
System,
Network
&
Firewall
Configura2on
Customer
content
Customers
AWS & Customers Share Responsibility
Customers are
responsible for
their security and
compliance IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

8. Compliance: Common Foundations
AWS
Founda+on
Services
Compute
Storage
Database
Networking
AWS
Global
Infrastructure
Regions
Availability
Zones
Edge
Loca+ons

9. AWS
Founda+on
Services
Compute
Storage
Database
Networking
AWS
Global
Infrastructure
Regions
Availability
Zones
Edge
Loca+ons
Your
own
accredita2on
Meet Your Own Compliance & Security Objectives
Your
own
cer2fica2ons
Your
own
external
audits
Customer scope
and effort is
reduced
Better results
through focused
efforts
Built on AWS
consistent
baseline controls
Customers

10. AWS
Founda+on
Services
Compute
Storage
Database
Networking
AWS
Global
Infrastructure
Regions
Availability
Zones
Edge
Loca+ons
… Like Several Australian Gov’t Customers
Your iRAP
assessments
and Security
and Risk
Management
Plans
Customers

11. You can choose to keep all your content (code, data,
etc.) onshore in Australia
• AWS makes no secondary use of customer content
• Managing your privacy objectives any way that you want
• Keep data in your chosen format and move it, or delete it, at any
time you choose
• No automatic replication of data outside of your chosen AWS
Region
• Customers can encrypt their content any way they choose
Read our new whitepaper on Australian Privacy
Considerations
Customers Retain Full Ownership and Control

12. Geographic
data locality
Control over regional
replication
Policies, resource
level permissions,
temporary credentials
Fine-grained
access control In-depth
logging
AWS
CloudTrail
AWS Governance Capabilities
Fine-grained visibility and control for accounts, resources, data
Visibility into
resources and
usage
Service
Describe*
APIs and
AWS
CloudWatch
Control over
deployment
AWS
CloudFormation

13. AWS Cloud Governance Mapping
Governance Area AWS Technologies
Roles and Responsibilities • Identity and Access Management: Groups, Policies, Roles
• Tag-based IAM policies
Configuration Management • Private “hardened” AMIs; others restricted via IAM policies
• Security-reviewed CloudFormation templates
• Elastic Beanstalk or OpsWorks for application lifecycle
management
Financial Controls and Reporting • Billing reports; linked accounts/consolidated billing
• Tagging of resources
• CloudWatch Billing Alarms
• Cost Explorer
Monitoring and Reporting • CloudWatch / CW Alarms
• Simple Notification Service (SNS)
• CloudTrail API logging

14. AWS Cloud Governance Mapping (cont.)
Governance Area AWS Technologies
Information Assurance:
Processing
• Private “hardened/gold master” AMIs (OS images)
• VPC network isolation for all workloads
• Optional dedicated EC2 instances
• CloudHSM service
Information Assurance:
Storage
• S3 AES 256 bit server-side encryption, client-side encryption
• EBS volume encryption; volume wiping before termination
• RDS database encryption
• Complete destruction of all storage media on
decommissioning
Information Assurance Transmission • SSL termination for all AWS endpoints
• HW/SW VPN Connections
• DirectConnect

15. AWS Cloud Governance Mapping (cont.)
Governance Area AWS Technologies
Network Security • Private addressing (Virtual Private Cloud)
• Route tables
• Network ACLs
• Security Groups
• Virtual Private Gateways
Identification and Authentication • Intrinsic IAM identities
• Federated IAM identities (AWS as RP); support for SAML
• Multi-factor authentication
• Groups and Roles (EC2, cross-account, federation)
• Strong password policies
Authorization and Access • IAM Policies centrally enforced across all services
• Resource-based IAM policies in S3, SQS, SNS
• CloudTrail logging of allow/deny with rich metadata

16. AWS Cloud Governance Service Enablers (cont.)
Governance Area AWS Technologies
Disaster Recovery and Continuity of
Operations: Data
• EBS Snapshots
• S3 online storage
• Glacier offline storage
• Storage Gateway
• Bulk data via Import/Export Service
• Managed AWS No-SQL/SQL Database Services
• Extensive 3rd party solutions
Disaster Recovery and Continuity of
Operations: Workloads
• Elastic Load Balancers, EC2 Auto Scaling, CloudWatch
• Route 53 – 100% SLA; health checks, latency based routing
• CloudFront CDN
• Multi-AZ, Multi-Region workload deployment

17. AWS Governance Tool: Trusted Advisor
• Trusted Advisor capabilities
– Analyzes account for various kinds of
issues and possible concerns
– New checks being added regularly
– Available as an API for integration with
your tools or 3rd party solutions
• Four categories:
– Cost savings
– Security
– Fault tolerance
– Performance
1,000,000+
recommendations
$207M+
in cost reductions

18. AWS Governance Tool: Cost Explorer
New portal feature
– Configured and custom reports
– View multiple linked accounts together
– Sort/filter by service, account, tags, etc
– Custom date ranges and graph types
– Save any result by bookmarking URL
– Download CSV data from any particular
view/report

19. AWS Governance Enabler: X-Account Roles
Cross-account roles
– Target accounts define “role” (container
of access policies); give permission to
central account to assume role
– Central account can assume roles to
access multiple accounts within same
org without credential sharing
– Powerful way for IT team to provide
central auditing and management
– CloudTrail logs, S3 logs, RDS logs, etc;
future features giving more transparency
– Today: API level only, but in the future …

20. Read our AWS security, compliance and privacy
whitepapers and best practices
• http://blogs.aws.amazon.com/security
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Australian Privacy Considerations
• AWS Risk and Compliance
• Security and governance best practices
• Audit and operational checklists
Best practices and guidance on compliance

21. THANK YOU
Please give us your feedback by filling out the Feedback Forms
AWS Government, Education, &
Nonprofits Symposium
Canberra, Australia | May 20, 2014