The Australian Cyber Security Centre (ACSC) awarded PROTECTED certification to AWS for 42 cloud services in the AWS Asia-Pacific (Sydney) Region. This is the highest data security certification available in Australia for the cloud, and AWS has the most PROTECTED services of any public cloud service provider. This session will cover the services that were certified, a reference architecture that allows you to build applications which handle highly sensitive government data, and the benefits this provides to public sector and commercial organisations in Australia. Presenter: Dr. John Hildebrandt, Senior Solutions Architect, AWS

1. P U B L I C S E C T O R
S U M M I T
Ca nbe r r a

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
PROTECTED Workloads on AWS
John Hildebrandt
Solutions Architect, AWS

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
“Innovation and cloud help
form the basis on which we will
make the Australian
government more secure.
Innovation is good. The
cloud is good – because it
helps us move off from
legacy systems. Our biggest
risk is indeed legacy
systems.”
Voice of our customers

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Agenda
AWS security
PROTECTED on AWS
Shared responsibility model
Consumer guide
Reference architecture

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Why is security traditionally so hard?
Lack of
visibility
Low degree
of automation

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
ORMove fast Stay secure
Before…

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
ORANDMove fast Stay secure
Now…

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
The most sensitive workloads run on AWS
“With AWS, DNAnexus enables enterprises worldwide to perform
genomic analysis and clinical studies in a secure and compliant
environment at a scale not previously possible.”
— Richard Daly, CEO DNAnexus
“The fact that we can rely on the AWS security posture to
boost our own security is really important for our business.
AWS does a much better job at security than we could ever
do running a cage in a data center.”
— Richard Crowley, Director of Operations, Slack
“We determined that security in AWS is superior to our on-premises
data center across several dimensions, including patching,
encryption, auditing and logging, entitlements, and compliance.”
—John Brady, CISO, FINRA (Financial Industry Regulatory Authority)

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
“CIOs and CISOs need to stop obsessing over
unsubstantiated cloud security worries and instead
apply their imagination and energy to developing new
approaches to cloud control, allowing them to securely,
compliantly, and reliably leverage the benefits of this
increasingly ubiquitous computing model.”
Source: Clouds Are Secure: Are You Using Them Securely?

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Automate
with deeply
integrated
security services
Inherit
global
security and
compliance
controls
Highest
standards
for privacy
and data
security
Largest
network
of security
partners and
solutions
Scale with
superior visibility
and control
Move to AWS
Strengthen your security posture

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Inherit global security and compliance controls

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Quick acronym glossary
ACSC Australian Cyber Security Centre
https://www.acsc.gov.au/
ASD Australian Signals Directorate
https://asd.gov.au/
ISM Australian Government Information Security Manual
IRAP Information Security Registered Assessors Program

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
AWS services assessed at PROTECTED
42 services across a broad range of categories
Standard services, standard pricing
Leverage familiar and established AWS Sydney Region
Access to three Availability Zones
Consumer guide and reference architecture immediately available

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
PROTECTED classification
www.protectivesecurity.gov.au
Sensitive
information
Security classified information
UNOFFICIAL OFFICIAL OFFICIAL:
Sensitive
PROTECTED SECRET TOP SECRET
Compromise
of information
confidentiality
would be
expected to
cause →
No business
impact
1 Low business
impact
2 Low to
medium
business
impact
3 High
business
impact
4 Extreme
business
impact
5 Catastrophic
business
impact
Not applicable.
This
information
does not form
part of official
duty.
Not applicable.
This is the
majority of
routine
information
created or
processed by
the public
sector.
Limited
damage to an
individual,
organisation.
or government
generally if
compromised.
Damage to the
national
interest,
organisations
or individuals.
Serious
damage to the
national
interest,
organisations,
or individuals.
Exceptionally
grave damage
to the national
interest,
organisations,
or individuals.

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
AWS Availability Zones
AWS Region
Availability Zone
Physical Sites
Availability Zone
Physical Sites
Availability Zone
Physical Sites
ap-southeast-2a ap-southeast-2b
ap-southeast-2c
Sydney Region
ap-southeast-2

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
The process AWS took with the ACSC
Documentation
review
(phase 1)
Assess the
system
(phase 2)
ACSC
deep dive
(certification)
&
No shortcuts to PROTECTED

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
PROTECTED services in scope
Analytics
Amazon EMR
Amazon Kinesis Data
Firehose
Amazon Kinesis Data
Streams
Amazon WorkSpaces
Desktop
Amazon WorkDocs
Amazon API
Gateway
Mobile
Storage
Amazon S3
Amazon S3 Glacier
Amazon EBS
Amazon
DynamoDB
Databases
Amazon
ElastiCache
Amazon Redshift
Amazon RDS
Management
Amazon CloudWatch
AWS CloudFormation
AWS CloudTrail
AWS Config
AWS Systems
Manager
Compute
Amazon EC2
Amazon ECS
ELB
AWS Lambda
Networking & Content
Delivery
Amazon
CloudFront
Amazon VPC
AWS Direct Connect
Security
Application Integration
AWS Step Functions
Amazon SNS
Amazon SQS
Amazon SWF
Amazon Cognito
Amazon
GuardDuty
Amazon
Inspector
AWS CloudHSM
Directory Service
IAM
AWS KMS
https://aws.amazon.com/compliance/services-in-scope/

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
What’s the difference?
Is there a checkbox? How do I order PROTECTED services?
… there is no difference.

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Additional Unclassified DLM services
All Protected services can be used
at Unclassified DLM.
Unclassified DLM services can be
leveraged in Protected solutions.
Trusted advisor:
Amazon Route 53
AWS Organisations
AWS Shield

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
AWS shared responsibility model
Security in
the cloud
Managed by
customers
Security of
the cloud
Managed by
AWS

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Security in
the Cloud
Managed by
customers
Security of
the Cloud
Managed by
AWS
AWS Shared Responsibility Model

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Consumer guide
ACSC developed guidance specifies the required mitigations and additional
security controls for using AWS in PROTECTED systems.
Available now on AWS Artifact.
May need to adapt for your design and business requirements. Talk to ACSC
and AWS.
Services that are certified UNCLASSIFIED DLM are not excluded from use in
PROTECTED systems, but must not contain or process PROTECTED
information themselves.

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Consumer guide
Data in transit
Data at rest protection
Data sovereignty
Incident response
Logging, monitoring, audit
Segmentation and segregation
Service hardening
Other guidance

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Reference Architecture

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
AWS Identity and Access
Management (IAM)
- Min priv. + MFA
AWS Organizations
- SCP’s
AWS Directory Service
- Federated ID
AWS CloudTrail
- All accounts and regions
AWS Config
Amazon
CloudWatch, CloudWatch
Logs, CloudWatch Events
Amazon GuardDuty
- All account and regions
Amazon VPC flow logs
ACSC Logging solution
Amazon EC2
Systems Manager
- Patching, automation,
session, parameters
AWS Shield
AWS WAF
Amazon Inspector
Amazon VPC
AWS CloudFormation
AWS Key Management
Service (AWS KMS)
- Recommended on all
supported services
Server Side Encryption
Encryption in transit
- VPN and Application
AWS Config Rules
- e.g. KMS enforcement;
continuous compliance
AWS Lambda
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
Reference architecture – CAF alignment

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Resources
AWS and Essential 8: https://aws.amazon.com/blogs/publicsector/aws-and-
the-australian-signals-directorate-essential-eight/
AWS and ASD Cloud Security for Tenants:
https://d1.awsstatic.com/whitepapers/compliance/Understanding_the_ASDs
_Cloud_Computing_Security_for_Tenants_in_the_Context_of_AWS.pdf
Services in Scope https://aws.amazon.com/compliance/services-in-scope/
AWS Compliance IRAP page: https://aws.amazon.com/compliance/irap/
AWS Security and Compliance pages:
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Summary
ACSC awarded PROTECTED certification to AWS.
Now listed on CCSL at PROTECTED and UNCLASSIFIED DLM levels.
Broad range of 42 services now in scope at PROTECTED.
All available at standard public pricing.
Leverage established AWS Sydney Region with three Availability Zones.
Reference architecture and ACSC consumer guidance immediately available.

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Call to action
Provide feedback on services in scope.
Provide feedback on consumer guidance and reference architecture.
Go build.
Leverage other resources:
Security best practices and whitepapers
Compliance quick starts
Provide feedback on what you need