This document discusses AWS security services for financial services institutions. It covers the AWS shared security responsibility model, AWS compliance with standards like PCI and ISO, and key security services like IAM, VPC, encryption, WAF, and security monitoring tools. It also discusses the AWS security assessment methodology using the AWS Cloud Adoption Framework.

3. AWS Security for Financial Services
Jonathan Rault,
Asia Security Practice Lead, Professional Services

4. 1
2
3
AWS Shared Security Model
AWS Compliance
Key Security Services
Todays webinar will cover
4 Cloud Adoption Framework & Partner Marketplace

5.  AWS is offering building blocks
It can be as well YOUR final product 
Foreword…

6. ENTERPRISE
APPS
DEVELOPMENT & OPERATIONSMOBILE SERVICESAPP SERVICESANALYTICS
Data
Warehousing
Hadoop/
Spark
Streaming Data
Collection
Machine
Learning
Elastic
Search
Virtual
Desktops
Sharing &
Collaboration
Corporate
Email
Backup
Queuing &
Notifications
Workflow
Search
Email
Transcoding
One-click App
Deployment
Identity
Sync
Single Integrated
Console
Push
Notifications
DevOps Resource
Management
Application Lifecycle
Management
Containers
Triggers
Resource
Templates
TECHNICAL &
BUSINESS
SUPPORT
Account
Management
Support
Professional
Services
Training &
Certification
Security &
Pricing
Reports
Partner
Ecosystem
Solutions
Architects
MARKETPLACE
Business
Apps
Business
Intelligence
Databases
DevOps
Tools
NetworkingSecurity Storage
Regions
Availability
Zones
Points of
Presence
INFRASTRUCTURE
CORE SERVICES
Compute
VMs, Auto-scaling, &
Load Balancing
Storage
Object, Blocks, Archival,
Import/Export
Databases
Relational, NoSQL,
Caching, Migration
Networking
VPC, DX, DNS
CDN
Access
Control
Identity
Management
Key
Management &
Storage
Monitoring
& Logs
Assessment
and reporting
Resource &
Usage Auditing
SECURITY & COMPLIANCE
Configuration
Compliance
Web application
firewall
HYBRID
ARCHITECTURE
Data Backups
Integrated
App
Deployments
Direct
Connect
Identity
Federation
Integrated
Resource
Management
Integrated
Networking
API
Gateway
IoT
Rules
Engine
Device
Shadows
Device SDKs
Registry
Device
Gateway
Streaming Data
Analysis
Business
Intelligence
Mobile
Analytics

8. Trusted by Financial Services Institutions Worldwide

9. Trusted by Financial Services Institutions in APAC

10. Leverage security
enhancements from 1M+
customer experiences
Benefit from AWS
industry leading
security teams 24/7,
365 days a year
Security infrastructure
built to satisfy military, global
banks, and other high-
sensitivity organizations
Over 50 global
compliance
certifications and
accreditations
Security is Job Zero

11. Shared Security Responsibility Model

12. Shared Security Model

13. Compliance

14. AWS Compliance

15. AWS is Level 1 compliant under the Payment Card Industry (PCI) Data
Security Standard (DSS). Customers can run applications on our PCI-
compliant technology infrastructure for storing, processing, and transmitting
credit card information in the cloud.
AWS is ISO 27001 certified under the International Organization for
Standardization (ISO) 27001 standard. ISO 27001 is a widely-adopted global
security standard that outlines the requirements for information security
management systems.
AWS Service Organization Control (SOC) Reports are independent third-party
examination reports that demonstrate how AWS achieves key compliance controls and
objectives.
AWS Compliance

16. Key Security Services

17. Deep set of cloud security tools
Encryption
Key
Management
Service
CloudHSM Server-side
Encryption
Networking
Virtual
Private
Cloud
Web
Application
Firewall
Compliance
ConfigCloudTrailService
Catalog
Identity
IAM Active
Directory
Integration
SAML
Federation

18. Identity & Access
Management (IAM)
AWS Security

19. User Access (IAM)
• With AWS IAM you get to control who can do
what in your AWS environment and from
where
• Fine-grained control of your AWS cloud with
two-factor authentication
• Integrated with your existing corporate
directory using SAML 2.0 and single sign-on
AWS account
owner
Network
management
Security
management
Server
management
Storage
management

20. Virtual Private Cloud
(VPC)
AWS Security

21. VPC: Private, isolated network on the AWS cloud
AvailabilityZoneA
AvailabilityZoneB
AWS Virtual Private
Cloud
• Provision a logically isolated
section of the AWS cloud
• You choose a private IP range for
your VPC
• Segment this into subnets to
deploy your compute instances
AWS network security
• AWS network will prevent spoofing
and other common layer 2 attacks
• You cannot sniff anything but your
own EC2 host network interface
• Control all external routing and
connectivity

22. VPC: Control which subnets access the Internet
App
DB
Web
Web
PUBLIC
PRIVATE PRIVATE
PRIVATE

23. VPC: Firewall using Network Access Control Lists
App
DBWeb
Web
Deny all traffic
Allow

24. VPC: Security groups
App
DBWeb
Web
Port 443
Port
443

25. VPC security
controls
Route
Table
Route
Table
Internet
Gateway
Virtual
Private
Gateway
Virtual
Router
VPC 10.1.0.0/16
• Network ACL per
Subnet
• Route Table per
Subnet
• Security Groups

26. AWS WAF: Web Application Firewall

27. Encryption
AWS Security

28. First class security and compliance
starts (but doesn’t end!) with encryption
Automatic encryption with managed keys
Bring your own keys
Dedicated hardware security modules
Encryption

29. • One-click Encryption of server and database
storage
• Centralized key management
(create, delete, view, set policies)
• Import your own keys
• Enforced, automatic key rotation
• Visibility into any changes via CloudTrail
Encryption with AWS KMS
Read more on: https://aws.amazon.com/kms/details/#secured

30. AWS KMS: Key Management Service

31. • You receive dedicated access to HSM
appliances
• Managed and monitored by AWS
• HSMs located in AWS data centers
• SafeNet Luna SA HSM appliances
• Only you have access to your keys and
operations on the keys
• HSMs are inside your Amazon VPC —
isolated from the rest of the network
• HA with your on-prem HSM
CloudHSM
AWS administrator—
Manages the appliance
You—Control keys and
crypto operations
Amazon VPC
Encryption with AWS CloudHSM

32. Vulnerability Management
AWS Security

33. Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support Dev/Ops Model
• Automatable via API’s
• AWS Context Aware
• Static & Dynamic Telemetry
• Integrated with CI/CD tools
• On-Demand Pricing model
• CVE & CIS Rules Packages
• AWS AppSec Best Practices

34. Amazon Inspector

35. Trusted Advisor

36. Security Incident Event
Management (SIEM)
AWS Security

37. Who? When? What? Where to? Where from?
Bill 3:27pm Launch Instance us-west-2 72.21.198.64
Alice 8:19am Added Bob to
admin group
us-east-1 127.0.0.1
Steve 2:22pm Deleted security
group
eu-west-1 205.251.233.176
AWS CloudTrail

38. Monitor and Store Logs
Set Alarms (react to changes)
View Graphs and Statistics
Collect and Track Metrics
What does it do?
How can you use it?
React to application log events and availability
Automatically scale EC2 instance fleet
View Operational Status and Identify Issues
Monitor CPU, Memory, Disk I/O, Network, etc.
CloudWatch Logs / CloudWatch Events
CloudWatch Alarms
CloudWatch Dashboards
CloudWatch Metrics
Amazon CloudWatch

39. Logs list sample
Logs Aggregation Freq. Store Term Use cases
AWS log CloudTrail min. S3 X years • Alert for a specific operation
• Long-term storage for auditing purposes
Network log VPC Flow Log min. CloudWatch Logs X years • Visualization for security purposes
OS log Zabbix 5 min. Zabbix/S3 1 year • Keep recent days for simple troubleshooting
• Long term storage for past event investigations
Middleware log Zabbix 5 min. Zabbix/S3 1 year • Keep recent days for simple troubleshooting
• Long term storage for past event investigations
Application access log Zabbix 5 min. Zabbix/S3 X years • Fault correlation and alerts on particular requests
• Long term storage for past event investigations
Application log Zabbix 5 min. Zabbix/S3 1 year • Keep recent days for simple troubleshooting
• Long term storage for past event investigations
ELB access log ELB log min. S3 X years • Security investigations
• Long term storage for past event investigations
S3 access log S3 log min. S3 X years • Security investigations
• Long term storage for past event investigations
RDS log AWS CLI 60 min. S3 1 year • Keep recent days for simple troubleshooting
• Long term storage for past event investigations
Other AWS services log xx log

40. VPC subnet
Availability Zone
Security group
VPC subnet
Availability Zone
Security group
Virtual
Gateway
Corporate
data center
Users
Data center router
Update
Servers
Connectivity
CloudTrail
CloudWatch
SIEM
Aggregator
SIEM

41. Change Management
AWS Security

42. AWS Config

43. AWS Config Rules

44. Security as Code

45. Golden Code: Security Translation to AWS
What you do in any IT Environment
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Gold OS images
• Encryption algorithms for data in
transit and at rest
AWS JSON translation
Gold Image, NTP
and NAT
Network ACLs,
Subnets, FW rules

46. • Free, self-paced, available online
• Covers access control and management, governance,
logging, and encryption methods.
• It also covers security-related compliance protocols and risk
management strategies, as well as procedures related to
auditing your AWS security infrastructure.
https://aws.amazon.com/training/course-descriptions/security-
fundamentals/
AWS Security Fundamentals

47. Cloud Adoption Framework

48. Strategy and Value Domain
Why to invest?
Why change?
How to measure success?
Process Domain
How to structure cloud programs?
How to ensure quality of delivery?
People Domain
What skills and capabilities are
required?
How to compose migration team?
Maturity Domain
What are the priorities?
When to deliver solutions?
Platform Domain
How to design foundations?
How to migrate workloads?
Operating Domain
What are key ops capabilities?
What is the new ITSM cycle?
Security Domain
Will risk increase?
Can we run cloud secure and
compliant?
AWS Cloud Adoption Framework

49. AWS Security Perspective
Directive controls establish the
governance, risk, and
compliance models the
environment will operate within.
Preventive controls protect your
workloads and mitigate threats
and vulnerabilities.
Detective controls provide full
visibility and transparency over
the operation of your
deployments in AWS.
Responsive controls drive
remediation of potential
deviations from your security
baselines.
AWS Security Portal > Resources
https://d0.awsstatic.com/whitepapers/AWS_CAF_Se
curity_Perspective.pdf

50. Automated
Operations
Iterative
Development
Value-based Planning
Security
Health Check
10 Days
Security
Operations
Runbook
10 Days
Enterprise
Security
Strategy
10 Days
Security
Operations
Playbook
35 Days
Security
Discovery
Workshop
5 Days
Cloud
Business Case
Using
AWS?
Yes
No
Security Health Check Lite
Test & Optimize
Security
Incident
Response
15 Days
Analytics &
Continuous
Compliance
60 Days
Security Epics
Program
65 Days
Professional Services – Security Journey

51. Partner Marketplace

52. AWS Marketplace Network/Security Partner Ecosystem
Infrastructure
Security
Logging and
Monitoring
Identity and
Access Control
Configuration and
Vulnerability
Analysis
Data
Protection
SaaS
SaaS
SaaS

53. “We work closely with AWS to develop
a security model, which we believe enables us
to operate more securely in the public cloud
than we can in our own data centers.”
Rob Alexander - CIO, Capital One
More secure in the cloud