© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud control fitness (GRC202)
Brian Wagner, Head of FSI Compliance, EMEA, AWS
Kristen Haught, FSI Compliance Specialist, Americas, AWS
Security and compliance are shared responsibilities
The AWS control plane is ubiquitous
21 Regions
66 Availability zones
158 Edge locations
Compliance with global standards (🌐 = industry or global standard)
Certifications & Attestations:
• Cloud Computing Compliance Controls Catalogue (C5), DE
• Cyber Essentials Plus, GB
• DoD SRG, US
• FedRAMP, US
• FIPS, US
• IRAP, AU
• ISO 9001, 🌐
• ISO 27001, 🌐
• ISO 27017, 🌐
• ISO 27018, 🌐
• MLPS Level 3, CN
• MTCS, SG
• PCI DSS Level 1, 💳
• SEC Rule 17-a-4(f), US
• SOC 1, SOC 2, SOC 3, 🌐
Laws, Regulations, and Privacy:
• CISPE, EU
• EU Model Clauses, EU
• FERPA, US
• GLBA, US
• HIPAA, US
• HITECH, 🌐
• IRS 1075, US
• ITAR, US
• My Number Act, JP
• Data Protection Act – 1988, GB
• VPAT/Section 508, US
• Data Protection Directive, EU
• Privacy Act (Australia), AU
• Privacy Act (New Zealand), NA
• PDPA – 2010 (Malaysia), MY
• PDPA – 2012 (Singapore), SG
• PIPEDA (Canada), CA
• Agencia Española de Protección de Datos, ES
Alignments & Frameworks:
• CIS (Center for Internet Security), 🌐
• CJIS (US FBI), US
• CSA (Cloud Security Alliance), 🌐
• Esquema Nacional de Seguridad, ES
• EU–US Privacy Shield, EU
• FISC, JP
• FISMA, US
• G-Cloud, GB
• GxP (US FDA CFR 21 Part 11), US
• ICREA, 🌐
• IT-Grundschutz, DE
• MITA 3.0 (US Medicaid), US
• MPAA, US
• NIST, US
• Uptime Institute Tiers, 🌐
• Cloud Security Principles, GB
Audit and certification programs: Global
• CSA: Cloud Security Alliance controls (Annual)
• ISO 9001: Global quality standard (Annual)
• ISO 27001: Security management controls (Annual)
• ISO 27017: Cloud-specific controls (Annual)
• ISO 27018: Personal data protection (Annual)
• PCI DSS Level 1: Payment card standards (Annual)
• SOC 1: Audit controls report (Biannual)
• SOC 2: Security, availability, & confidentiality report (Biannual)
• SOC 3: General controls report (Annual)
Audit and certification programs: Europe
• C5 (Germany): Operational security attestation
• Cyber Essentials Plus (UK): Cyber threat protection
• ENS High (Spain): Spanish government standards
• G-Cloud (UK): UK government standards
• IT-Grundschutz (Germany): Baseline protection methodology
• TISAX: Automotive industry standard
Audit and certification programs: United States
• CJIS: Criminal Justice Information Services
• DoD SRG: DoD Data Processing
• FedRAMP: Government Data Standards
• FERPA: Educational Privacy Act
• FFIEC: Financial Institutions Regulation
• FIPS: Government Security Standards
• FISMA: Federal Information Security Management
• GxP: Quality Guidelines and Regulations
• HIPAA: Protected Health Information
• ITAR: International Arms Regulations
• MPAA: Protected Media Content
• NIST: National Institute of Standards and Technology
• SEC Rule 17a-4(f): Financial Data Standards
• VPAT / Section 508: Accessibility Standards
Audit and certification programs: Asia Pacific
• FISC (Japan): Financial industry information systems
• IRAP (Australia): Australian security standards
• K-ISMS (Korea): Korean information security
• MTCS Tier 3 (Singapore): Multi-tier cloud security standard
• My Number Act (Japan): Personal information protection
Compliance is a shared responsibility
Your cloud control framework (diagram: a table with columns #, Domain, Objective and Implementation and rows 1–6, mapped against the frameworks AWS already aligns with)
• ISO: clauses 11–16
• PCI: requirements table (#, Req, Summary) with rows 99.52–99.56, each ticked against the framework rows it satisfies
• SOC: controls table (Control, Criteria, Test, Result): CTRL5 → CC1, CC2; CTRL6 → CC3, CC4; CTRL7 → CC5, CC6, CC7, CC8, CC9; CTRL8 → CC6, CC7; CTRL9 → CC5, CC6, CC11
Use AWS services to create your own controls (the framework table again, with an AWS Config custom rule handler as one implementation):
import json

def lambda_handler(event, context):
    # get_client() and check_defined() are helpers defined elsewhere in the rule
    # (see the aws-config-rules repository linked later in the deck).
    global AWS_CONFIG_CLIENT
    AWS_CONFIG_CLIENT = get_client('config', event)
    check_defined(event, 'event')
    # AWS Config passes the evaluated configuration item as a JSON string
    invoking_event = json.loads(event['invokingEvent'])
    rule_parameters = {}
    if 'ruleParameters' in event:
        rule_parameters = json.loads(event['ruleParameters'])
Control-risk relationship (diagram)
• Strategic objective 1, 2, 3 … n: declarative statement of intent
• Risk 1, 2, 3 … n: explicit identification of risk
• Control objective 1, 2, 3 … n: outcome-specific
• Control 1, 2, 3, 4, 5 … n: AWS controls and customer controls
Each strategic objective gives rise to one or more risks, each risk to one or more control objectives, and each control objective to one or more controls.
What is a “good” control?
Controls should:
• Mitigate a specific risk
• Have clear acceptance criteria
Controls should not:
• Define implementation
Decision flow for each control (diagram):
• Is it testable? If not, ask whether the risk still applies: if yes, refactor the control; if no, discard it.
• If it is testable, is the result binary? If not, split it into multiple controls.
• If the result is binary, the control is done (End).
Control lineage: Example
• Strategic objective n (declarative statement of intent): New applications with PII in scope will be designed for the cloud
• Risk n (explicit identification of risk): Unauthorized access to data
• Control objective n (outcome-specific): Data at rest will be encrypted with an AES-256 key
• Control n:
  AWS control: AWS services that integrate with AWS KMS for key management use a 256-bit data key locally to protect customer content.
  Customer control: Amazon EBS volumes will use AWS KMS to encrypt with an approved CMK.
Amazon EBS volumes will use AWS KMS to encrypt with an approved CMK
Test case (excerpt; line ends are truncated on the slide):

def test_Scenario_12_volumeEncryptedNotWithProperKMSNoSubnetExceptionNoVolumeException(se
    ec2_mock.describe_instances = MagicMock(return_value={"Reservations":[{"Instances":[{"S
    rule_parameters = {
        "VolumeExceptionList": "vol-0003",
        "SubnetExceptionList": "subnet-01",
        "KmsIdList": "115ff9cc-9beb-4517-bec8-45cabmfrbee6f"
    }
    configuration = constructConfiguration(
    # Truncated. Code can be found at https://github.com/awslabs/aws-config-rules/
    resp_expected.append(build_expected_response(
        'NON_COMPLIANT',
        'vol-02',
        annotation='This EBS volume is encrypted, but not with a KMS Key listed in the param
    assert_successful_evaluation(self, response, resp_expected)

Implementation (CloudFormation resource):

EBSVolume:
  Type: AWS::EC2::Volume
  DeletionPolicy: Snapshot
  Properties:
    AutoEnableIO: true
    AvailabilityZone: eu-west-1a
    Encrypted: true
    KmsKeyId: !Ref KmsKeyId
    Size: !Ref SizeInGB
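The customer control above as an added, offline-testable evaluation (example code written for this page, not the deck's slides or the aws-config-rules implementation). It takes the same three rule parameters as the deck's test case (KmsIdList, VolumeExceptionList, SubnetExceptionList) and a constructed, simplified list of volumes; the order in which exceptions are applied, the "empty KmsIdList means any CMK" rule and the input shape are this example's assumptions.

```python
"""Added example (not the deck's or aws-config-rules' code): evaluate the
control "Amazon EBS volumes will use AWS KMS to encrypt with an approved CMK"
as a testable check with a binary result per volume. The volume records below
are a constructed simplification of EC2 API output, not a Config invokingEvent."""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def parse_list_param(value):
    """Config rule parameters arrive as strings; split a comma-separated list into a set."""
    if not value:
        return set()
    return {item.strip() for item in value.split(",") if item.strip()}


def kms_key_id(arn_or_id):
    """Normalise a KMS key reference: accept a bare key id or an ARN ending in key/<id>."""
    if not arn_or_id:
        return ""
    return arn_or_id.rsplit("/", 1)[-1]


def evaluate_volume(volume, rule_parameters):
    """Return (compliance_type, annotation) for one volume.

    volume keys (constructed for this example):
      VolumeId, Encrypted (bool), KmsKeyId (ARN/id or None),
      SubnetId (subnet of the attached instance, or None if unattached).
    Exceptions are applied before the encryption test; that ordering is an
    assumption of this example, as is treating an empty KmsIdList as "any CMK".
    """
    approved = {kms_key_id(k) for k in parse_list_param(rule_parameters.get("KmsIdList"))}
    volume_exceptions = parse_list_param(rule_parameters.get("VolumeExceptionList"))
    subnet_exceptions = parse_list_param(rule_parameters.get("SubnetExceptionList"))

    if volume["VolumeId"] in volume_exceptions:
        return COMPLIANT, "Volume is listed in VolumeExceptionList."
    if volume.get("SubnetId") in subnet_exceptions:
        return COMPLIANT, "Volume is attached in a subnet listed in SubnetExceptionList."
    if not volume.get("Encrypted"):
        return NON_COMPLIANT, "Volume is not encrypted."
    if approved and kms_key_id(volume.get("KmsKeyId")) not in approved:
        return NON_COMPLIANT, "Volume is encrypted, but not with a KMS key listed in KmsIdList."
    return COMPLIANT, "Volume is encrypted with an approved KMS key."


def evaluate_all(volumes, rule_parameters):
    """Map every volume id to its (compliance_type, annotation)."""
    return {v["VolumeId"]: evaluate_volume(v, rule_parameters) for v in volumes}


def non_compliant_ids(volumes, rule_parameters):
    """The binary outcome an auditor wants: which volumes fail the control."""
    return sorted(vid for vid, (ct, _) in evaluate_all(volumes, rule_parameters).items()
                  if ct == NON_COMPLIANT)


# Constructed sample data: account id, key ids and volume ids are placeholders.
APPROVED_KEY = "11111111-2222-3333-4444-555555555555"
OTHER_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/99999999-8888-7777-6666-555555555555"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-01", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/" + APPROVED_KEY, "SubnetId": "subnet-02"},
    {"VolumeId": "vol-02", "Encrypted": True, "KmsKeyId": OTHER_KEY_ARN, "SubnetId": "subnet-02"},
    {"VolumeId": "vol-0003", "Encrypted": False, "KmsKeyId": None, "SubnetId": "subnet-02"},
    {"VolumeId": "vol-04", "Encrypted": False, "KmsKeyId": None, "SubnetId": "subnet-01"},
    {"VolumeId": "vol-05", "Encrypted": False, "KmsKeyId": None, "SubnetId": None},
]
# Same three parameter names as the deck's test case; the key id is a placeholder.
SAMPLE_PARAMETERS = {
    "VolumeExceptionList": "vol-0003",
    "SubnetExceptionList": "subnet-01",
    "KmsIdList": APPROVED_KEY,
}

if __name__ == "__main__":
    for vid, (compliance, note) in evaluate_all(SAMPLE_VOLUMES, SAMPLE_PARAMETERS).items():
        print(f"{vid}: {compliance} - {note}")
```

On the sample data only vol-02 (wrong CMK) and vol-05 (unencrypted, no exception) fail; vol-0003 and vol-04 pass through the volume and subnet exception lists.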
Control–risk relationship: Example
Strategic Objective n (declarative statement of intent) → Risk n (explicit identification of risk) → Control Objective n (outcome specific) → Control n (AWS controls, customer controls). Three lineages from the slide, with controls grouped as they appear:
• Capital analysis stress testing using company data → Tampering of data → Detect anomalous activity → Logging enabled; Role-based policies
• Market risk analysis using public data sets → Unauthorized changes to source code → Segregation of duties → Employ least privilege; Prevent changes to IAM policies; AWSCA 2.1 – 2.4 in SOC
• Credit risk analysis using customer data → Unauthorized access to PII → Data is encrypted end to end → Data is encrypted at rest
Types of controls to create using AWS
(diagram: the ISO, PCI and SOC mapping tables from "Your cloud control framework" again, feeding a controls library built from three layers)
• Enterprise-wide controls
• Service-specific controls
• Workload-specific controls
• Controls library
Workload-specific controls
When a new strategic objective is identified, assess the risk and identify the proper controls to secure the workload.
• All production accounts: Enable Amazon GuardDuty for intelligent threat detection and continuous monitoring of your AWS accounts and resources.
• Log archive account: Enable S3 Object Lock for Write Once, Read Many (WORM) data storage.
• Public website: Exception to allow public S3 bucket.
Service-specific controls
Add a step to your service adoption framework to identify the controls needed to use the service securely.
https://docs.aws.amazon.com/AmazonS3/latest/dev/security.html
Enterprise-wide controls
Establish baseline controls that should be implemented across your organization regardless of workload and service.
• Logging activity: Enable AWS CloudTrail and send all the AWS service API calls to an Amazon S3 bucket in the log archive account.
• Logging configuration changes: Enable AWS Config and forward the configurations of AWS resources to the log archive S3 bucket.
• Detect unauthorized access attempts: Configure Amazon CloudWatch alarms and events to send a notification of API authentication failures within an account.
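The third baseline control (detect API authentication failures) as an added example of the detection logic behind such an alarm, run offline over constructed CloudTrail records; this is example code written for this page, not AWS's or the deck's. The match conditions follow the CIS AWS Foundations Benchmark metric-filter patterns for unauthorized API calls and console sign-in failures; grouping hits per principal and the threshold/window parameters are this example's own assumptions.

```python
"""Added example (not the deck's code): detection logic for the baseline control
"Detect unauthorized access attempts", run over constructed CloudTrail records.
Match conditions follow the CIS AWS Foundations Benchmark metric filters:
  unauthorized API calls : errorCode = "*UnauthorizedOperation" or "AccessDenied*"
  console sign-in failure: eventName = ConsoleLogin and errorMessage = "Failed authentication"
Grouping hits per principal inside a sliding window is this example's own addition."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def is_unauthorized_api_call(record):
    code = record.get("errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def is_console_login_failure(record):
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("errorMessage") == "Failed authentication")


def principal(record):
    """Identify who made the call; fall back to the identity type if no ARN is present."""
    identity = record.get("userIdentity") or {}
    return identity.get("arn") or identity.get("type", "unknown")


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_auth_failures(records):
    """Return (eventTime, principal, kind, eventName) for every matching record."""
    hits = []
    for r in records:
        if is_unauthorized_api_call(r):
            hits.append((r["eventTime"], principal(r), "unauthorized_api_call", r["eventName"]))
        elif is_console_login_failure(r):
            hits.append((r["eventTime"], principal(r), "console_login_failure", r["eventName"]))
    return hits


def max_hits_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def alarms(hits, threshold=1, window_seconds=300):
    """Principals whose failures reach `threshold` inside the window, with that count.
    threshold=1 mirrors the CIS alarms, which fire on any single occurrence."""
    window = timedelta(seconds=window_seconds)
    by_principal = defaultdict(list)
    for ts, who, _kind, _name in hits:
        by_principal[who].append(parse_time(ts))
    result = {}
    for who, times in by_principal.items():
        n = max_hits_in_window(times, window)
        if n >= threshold:
            result[who] = n
    return result


# Constructed sample CloudTrail records (account id, ARNs and times are placeholders).
SAMPLE_RECORDS = json.loads("""
{"Records": [
  {"eventTime": "2019-06-25T10:00:05Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
   "errorCode": "Client.UnauthorizedOperation", "errorMessage": "You are not authorized to perform this operation."},
  {"eventTime": "2019-06-25T10:00:40Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
   "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
  {"eventTime": "2019-06-25T10:02:10Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
   "errorMessage": "Failed authentication", "responseElements": {"ConsoleLogin": "Failure"}},
  {"eventTime": "2019-06-25T10:03:00Z", "eventName": "PutObject", "eventSource": "s3.amazonaws.com",
   "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
  {"eventTime": "2019-06-25T11:30:00Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/auditor"},
   "errorCode": "AccessDenied", "errorMessage": "Access Denied"}
]}
""")["Records"]

if __name__ == "__main__":
    found = find_auth_failures(SAMPLE_RECORDS)
    for who, count in alarms(found, threshold=3).items():
        print(f"ALARM: {count} authentication failures for {who} within 5 minutes")
```

The successful PutObject by the assumed role produces no hit; the analyst's three failures inside five minutes trip the higher threshold while the auditor's single AccessDenied only shows up at the CIS-style threshold of one.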
CIS benchmarks are technical industry best practices. This removes guesswork for security professionals about how to implement foundational security measures in your AWS account. The prescribed best practices make implementation of core AWS security measures straightforward for security teams and AWS account owners.
Industry best practices for securing AWS resources: https://aws.amazon.com/blogs/security/announcing-industry-best-practices-for-securing-aws-resources/
CIS foundations benchmark: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
CSA is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”
AWS CSA landing page: https://aws.amazon.com/compliance/csa/
CSA Consensus Assessments Initiative Questionnaire (CAIQ): https://cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-0-1/
The NIST 800-53 security controls are generally applicable to US Federal Information Systems. Federal Information Systems typically must go through a formal assessment and authorization process to ensure sufficient protection of confidentiality, integrity, and availability of information and information systems.
AWS NIST landing page: https://aws.amazon.com/compliance/nist/
NIST cybersecurity framework (CSF): https://d1.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf
Quick start: NIST compliance on AWS: https://docs.aws.amazon.com/quickstart/latest/compliance-nist/welcome.html
Starting from scratch (diagram showing your control environment and your workload)
Growing your control environment
• What business outcome are you trying to achieve?
• What is the nature of the data involved?
• What are the resiliency requirements?
(diagram: strategic objectives 1–3 → risks 1–3 → control objectives 1–n → controls 1–5, feeding a controls library)
Key takeaways
• Risk: Take a risk-based approach to your cloud control environment
• Scope: Focus on the controls needed to fulfill strategic objectives
• Head start: Use industry-standard frameworks that AWS already aligns with
• Share the responsibility: Use the AWS tools and services to meet your objectives
Thank you!
 
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellersCloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdf
 
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Cloud control fitness - GRC202 - AWS re:Inforce 2019

  • 1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Cloud control fitness (GRC202). Brian Wagner, Head of FSI Compliance, EMEA, AWS. Kristen Haught, FSI Compliance Specialist, Americas, AWS.
  • 2. Security and compliance are shared responsibilities.
  • 3. The AWS control plane is ubiquitous: 21 Regions, 66 Availability Zones, 158 Edge locations.
  • 4. Compliance with global standards (🌐 = industry or global standard).
    Certifications & Attestations: Cloud Computing Compliance Controls Catalogue (C5) DE; Cyber Essentials Plus GB; DoD SRG US; FedRAMP US; FIPS US; IRAP AU; ISO 9001 🌐; ISO 27001 🌐; ISO 27017 🌐; ISO 27018 🌐; MLPS Level 3 CN; MTCS SG; PCI DSS Level 1 💳; SEC Rule 17-a-4(f) US; SOC 1, SOC 2, SOC 3 🌐.
    Laws, Regulations, and Privacy: CISPE EU; EU Model Clauses EU; FERPA US; GLBA US; HIPAA US; HITECH 🌐; IRS 1075 US; ITAR US; My Number Act JP; Data Protection Act – 1988 GB; VPAT/Section 508 US; Data Protection Directive EU; Privacy Act (Australia) AU; Privacy Act (New Zealand) NA; PDPA – 2010 (Malaysia) MY; PDPA – 2012 (Singapore) SG; PIPEDA (Canada) CA; Agencia Española de Protección de Datos ES.
    Alignments & Frameworks: CIS (Center for Internet Security) 🌐; CJIS (US FBI) US; CSA (Cloud Security Alliance) 🌐; Esquema Nacional de Seguridad ES; EU–US Privacy Shield EU; FISC JP; FISMA US; G-Cloud GB; GxP (US FDA CFR 21 Part 11) US; ICREA 🌐; IT-Grundschutz DE; MITA 3.0 (US Medicaid) US; MPAA US; NIST US; Uptime Institute Tiers 🌐; Cloud Security Principles GB.
  • 5. Audit and certification programs: Global. CSA (Cloud Security Alliance controls, annual); ISO 9001 (global quality standard, annual); ISO 27001 (security management controls, annual); ISO 27017 (cloud-specific controls, annual); ISO 27018 (personal data protection, annual); PCI DSS Level 1 (payment card standards, annual); SOC 1 (audit controls report, biannual); SOC 2 (security, availability, & confidentiality report, biannual); SOC 3 (general controls report, annual).
  • 6. Audit and certification programs: Europe. C5 (Germany): operational security attestation; Cyber Essentials Plus (UK): cyber threat protection; ENS High (Spain): Spanish government standards; G-Cloud (UK): UK government standards; IT-Grundschutz (Germany): baseline protection methodology; TISAX: automotive industry standard.
  • 7. Audit and certification programs: United States. CJIS: Criminal Justice Information Services; DoD SRG: DoD data processing; FedRAMP: government data standards; FERPA: Educational Privacy Act; FFIEC: financial institutions regulation; FIPS: government security standards; FISMA: Federal Information Security Management; GxP: quality guidelines and regulations; HIPAA: protected health information; ITAR: international arms regulations; MPAA: protected media content; NIST: National Institute of Standards and Technology; SEC Rule 17a-4(f): financial data standards; VPAT / Section 508: accessibility standards.
  • 8. Audit and certification programs: Asia Pacific. FISC (Japan): financial industry information systems; IRAP (Australia): Australian security standards; K-ISMS (Korea): Korean information security; MTCS Tier 3 (Singapore): multi-tier cloud security standard; My Number Act (Japan): personal information protection.
  • 9. (no text content)
  • 10. Compliance is a shared responsibility. Your cloud control framework is a table with the columns # | Domain | Objective | Implementation (rows 1–6).
  • 11. Use AWS services to create your own controls. The cloud control framework (# | Domain | Objective | Implementation, rows 1–6) is mapped to external frameworks: ISO (clauses 11–16); PCI (# | Req | Summary; requirements 99.52–99.56, each ticked ✓ against the controls that satisfy it); SOC (Control | Criteria | Test | Result: CTRL5 → CC1; CC2. CTRL6 → CC3; CC4. CTRL7 → CC5; CC6; CC7; CC8; CC9. CTRL8 → CC6; CC7. CTRL9 → CC5; CC6; CC11). Example handler of a custom AWS Config rule:
      import json

      def lambda_handler(event, context):
          # get_client and check_defined are helpers provided by the rule template
          global AWS_CONFIG_CLIENT
          AWS_CONFIG_CLIENT = get_client('config', event)
          check_defined(event, 'event')
          # invokingEvent and ruleParameters arrive as JSON strings inside the event
          invoking_event = json.loads(event['invokingEvent'])
          rule_parameters = {}
          if 'ruleParameters' in event:
              rule_parameters = json.loads(event['ruleParameters'])
  • 12. Control-risk relationship. Strategic objective 1, 2, 3 … n (declarative statement of intent) → Risk 1, 2, 3 … n (explicit identification of risk) → Control objective 1, 2, 3 … n (outcome-specific) → Control 1, 2, 3, 4, 5 … n (AWS controls and customer controls).
  • 13. What is a “good” control? Controls should: mitigate a specific risk; have clear acceptance criteria. Controls should not: define implementation. Decision flow for each control: Is it testable? If no: does the risk still apply? If no, discard; if yes, refactor. If testable: is the result binary? If no, split into multiple controls; if yes, end.
  • 14. Control lineage: Example. Strategic objective (declarative statement of intent): New applications with PII in scope will be designed for the cloud. Risk (explicit identification of risk): Unauthorized access to data. Control objective (outcome-specific): Data at rest will be encrypted with an AES-256 key. Control, AWS side: AWS services that integrate with AWS KMS for key management use a 256-bit data key locally to protect customer content. Control, customer side: Amazon EBS volumes will use AWS KMS to encrypt with an approved CMK.
  • 15. Amazon EBS volumes will use AWS KMS to encrypt with an approved CMK. Unit test of the AWS Config rule (lines truncated on the slide):
      def test_Scenario_12_volumeEncryptedNotWithProperKMSNoSubnetExceptionNoVolumeException(se
          ec2_mock.describe_instances = MagicMock(return_value={"Reservations":[{"Instances":[{"S
          rule_parameters = {
              "VolumeExceptionList": "vol-0003",
              "SubnetExceptionList": "subnet-01",
              "KmsIdList": "115ff9cc-9beb-4517-bec8-45cabmfrbee6f"
          }
          configuration = constructConfiguration(
          # Truncated. Code can be found at https://github.com/awslabs/aws-config-rules/
          resp_expected.append(build_expected_response(
              'NON_COMPLIANT', 'vol-02',
              annotation='This EBS volume is encrypted, but not with a KMS Key listed in the param
          assert_successful_evaluation(self, response, resp_expected)
    CloudFormation resource implementing the control:
      EBSVolume:
        Type: AWS::EC2::Volume
        DeletionPolicy: Snapshot
        Properties:
          AutoEnableIO: true
          AvailabilityZone: eu-west-1a
          Encrypted: true
          KmsKeyId: !Ref KmsKeyId
          Size: !Ref SizeInGB
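    The customer control from slides 14 and 15, as an added example that is neither the deck's code nor the awslabs/aws-config-rules implementation: an offline evaluation of constructed EBS volume records against the three rule parameters the deck's test uses (VolumeExceptionList, SubnetExceptionList, KmsIdList). The volume record shape, the helper names and all ids are assumptions.

```python
import json

# Verdict strings as AWS Config reports them for a custom rule evaluation.
COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def parse_rule_parameters(rule_parameters):
    """Turn the comma-separated rule parameters into sets. KmsIdList is
    mandatory: without an approved-key list the control cannot be tested."""
    def as_set(key):
        raw = rule_parameters.get(key, "") or ""
        return {item.strip() for item in raw.split(",") if item.strip()}
    kms_ids = as_set("KmsIdList")
    if not kms_ids:
        raise ValueError("KmsIdList must list at least one approved CMK id")
    return {"volume_exceptions": as_set("VolumeExceptionList"),
            "subnet_exceptions": as_set("SubnetExceptionList"),
            "kms_ids": kms_ids}


def key_id_from_arn(kms_key_id):
    """Accept a bare key id or a full KMS key ARN and compare on the key id."""
    return kms_key_id.rsplit("/", 1)[-1] if kms_key_id else ""


def evaluate_volume(volume, params):
    """Return (compliance_type, annotation) for one volume record. The record
    shape is a hypothetical subset of ec2:DescribeVolumes output (VolumeId,
    Encrypted, KmsKeyId) plus the SubnetId of the attached instance."""
    if volume["VolumeId"] in params["volume_exceptions"]:
        return NOT_APPLICABLE, "Volume is listed in VolumeExceptionList."
    if volume.get("SubnetId") in params["subnet_exceptions"]:
        return NOT_APPLICABLE, "Attached in a subnet listed in SubnetExceptionList."
    if not volume.get("Encrypted"):
        return NON_COMPLIANT, "This EBS volume is not encrypted."
    if key_id_from_arn(volume.get("KmsKeyId")) not in params["kms_ids"]:
        return NON_COMPLIANT, ("This EBS volume is encrypted, but not with a KMS Key "
                               "listed in the parameter KmsIdList.")
    return COMPLIANT, "Encrypted with an approved CMK."


def evaluate_event(event, volumes):
    """Mirror the deck's handler: ruleParameters arrives as a JSON string."""
    rule_parameters = {}
    if "ruleParameters" in event:
        rule_parameters = json.loads(event["ruleParameters"])
    params = parse_rule_parameters(rule_parameters)
    return {v["VolumeId"]: evaluate_volume(v, params) for v in volumes}


# Constructed sample input; every id below is a placeholder, not a real resource.
APPROVED_KEY = "11111111-2222-3333-4444-555555555555"
OTHER_KEY = "99999999-8888-7777-6666-555555555555"
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-01", "Encrypted": True, "KmsKeyId": KEY_ARN + APPROVED_KEY, "SubnetId": "subnet-02"},
    {"VolumeId": "vol-02", "Encrypted": True, "KmsKeyId": KEY_ARN + OTHER_KEY, "SubnetId": "subnet-02"},
    {"VolumeId": "vol-03", "Encrypted": False, "KmsKeyId": None, "SubnetId": "subnet-01"},
    {"VolumeId": "vol-0003", "Encrypted": False, "KmsKeyId": None, "SubnetId": "subnet-02"},
    {"VolumeId": "vol-04", "Encrypted": False, "KmsKeyId": None, "SubnetId": "subnet-02"},
]
SAMPLE_EVENT = {"ruleParameters": json.dumps({
    "VolumeExceptionList": "vol-0003",
    "SubnetExceptionList": "subnet-01",
    "KmsIdList": APPROVED_KEY,
})}

if __name__ == "__main__":
    for vid, (verdict, note) in evaluate_event(SAMPLE_EVENT, SAMPLE_VOLUMES).items():
        print(f"{vid}: {verdict} - {note}")
```

    Exceptions are reported as NOT_APPLICABLE rather than COMPLIANT, so an audit of the rule's results still shows which volumes were never tested.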
  • 16. Control–risk relationship: Example. Columns: Strategic Objective n (declarative statement of intent) | Risk n (explicit identification of risk) | Control Objective n (outcome specific) | Control n (AWS controls, customer controls). Strategic objectives on the slide: Capital analysis stress testing using company data; Market risk analysis using public data sets; Credit risk analysis using customer data. Risks: Tampering of data; Unauthorized changes to source code; Unauthorized access to PII. Control objectives and controls, as laid out on the slide: Detect anomalous activity; Logging enabled; Role-based policies; Prevent changes to IAM policies; AWSCA 2.1 – 2.4 in SOC; Employ least privilege; Segregation of duties; Data is encrypted end to end; Data is encrypted at rest.
  • 17. (no text content)
  • 18. Types of controls to create using AWS: enterprise-wide controls, service-specific controls, workload-specific controls, collected in a controls library. Your cloud control framework (# | Domain | Objective | Implementation, rows 1–6) maps to ISO (clauses 11–16), PCI (# | Req | Summary; requirements 99.52–99.56 ticked ✓ against the controls that satisfy them) and SOC (Control | Criteria | Test | Result: CTRL5 → CC1; CC2. CTRL6 → CC3; CC4. CTRL7 → CC5; CC6; CC7; CC8; CC9. CTRL8 → CC6; CC7. CTRL9 → CC5; CC6; CC11).
  • 19. Workload-specific controls. When a new strategic objective is identified, assess the risk and identify the proper controls to secure the workload. All production accounts: enable Amazon GuardDuty for intelligent threat detection and continuous monitoring of your AWS accounts and resources. Log archive account: enable S3 Object Lock for Write Once, Read Many (WORM) data storage. Public website: exception to allow a public S3 bucket.
  • 20. Service-specific controls. Add a step to your service adoption framework to identify the controls needed to use the service securely. https://docs.aws.amazon.com/AmazonS3/latest/dev/security.html
  • 21. Enterprise-wide controls. Establish baseline controls that should be implemented across your organization regardless of workload and service. Logging activity: enable AWS CloudTrail and send all the AWS service API calls to an Amazon S3 bucket in the log archive account. Logging configuration changes: enable AWS Config and forward the configurations of AWS resources to the log archive S3 bucket. Detect unauthorized access attempts: configure Amazon CloudWatch alarms and events to send a notification of API authentication failures within an account.
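    The "detect unauthorized access attempts" baseline control from slide 21, as an added example that is not part of the deck: the detection logic run offline over constructed CloudTrail records. The errorCode match is the pattern the CIS AWS Foundations benchmark uses for its unauthorized-API-call metric filter; the record fields, the threshold and all account ids are assumptions.

```python
import json
from collections import Counter


def is_auth_failure(record):
    """True when a CloudTrail record is a failed authorization or sign-in.
    errorCode values ending in UnauthorizedOperation or starting with AccessDenied
    are API authorization failures; a failed console sign-in has no errorCode and
    is reported in responseElements.ConsoleLogin instead."""
    code = record.get("errorCode") or ""
    if code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied"):
        return True
    if record.get("eventName") == "ConsoleLogin":
        return (record.get("responseElements") or {}).get("ConsoleLogin") == "Failure"
    return False


def failures_per_account(records):
    """Count auth failures per recipient account id."""
    return Counter(r["recipientAccountId"] for r in records if is_auth_failure(r))


def accounts_to_notify(log_lines, threshold):
    """Parse one JSON CloudTrail record per line, skip lines that do not parse,
    and return {account_id: failure_count} for accounts at or above threshold."""
    records = []
    for line in log_lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    counts = failures_per_account(records)
    return {acct: n for acct, n in counts.items() if n >= threshold}


# Constructed sample records; account ids are placeholders, not real accounts.
SAMPLE_LOG = [
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                "errorCode": "Client.UnauthorizedOperation", "recipientAccountId": "111111111111"}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                "errorCode": "AccessDenied", "recipientAccountId": "111111111111"}),
    json.dumps({"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
                "responseElements": {"ConsoleLogin": "Failure"}, "recipientAccountId": "111111111111"}),
    json.dumps({"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
                "responseElements": {"ConsoleLogin": "Success"}, "recipientAccountId": "111111111111"}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
                "recipientAccountId": "222222222222"}),
    json.dumps({"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
                "errorCode": "AccessDeniedException", "recipientAccountId": "222222222222"}),
    "not json: a corrupted line that the parser must skip",
]

if __name__ == "__main__":
    print(accounts_to_notify(SAMPLE_LOG, threshold=2))  # {'111111111111': 3}
```

    In the account the deck describes, the same match would sit in a CloudWatch Logs metric filter on the CloudTrail log group, with the alarm threshold taking the place of the threshold argument here.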
  • 22. Starting from scratch.
    CIS: CIS benchmarks are technical industry best practices. This removes guesswork for security professionals about how to implement foundational security measures in your AWS account. The prescribed best practices make implementation of core AWS security measures straightforward for security teams and AWS account owners. Industry best practices for securing AWS resources: https://aws.amazon.com/blogs/security/announcing-industry-best-practices-for-securing-aws-resources/ CIS foundations benchmark: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
    CSA: CSA is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.” AWS CSA landing page: https://aws.amazon.com/compliance/csa/ CSA Consensus Assessments Initiative Questionnaire (CAIQ): https://cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-0-1/
    NIST: The NIST 800-53 security controls are generally applicable to US Federal Information Systems. Federal Information Systems typically must go through a formal assessment and authorization process to ensure sufficient protection of confidentiality, integrity, and availability of information and information systems. AWS NIST landing page: https://aws.amazon.com/compliance/nist/ NIST cybersecurity framework (CSF): https://d1.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf Quick start: NIST compliance on AWS: https://docs.aws.amazon.com/quickstart/latest/compliance-nist/welcome.html
  • 24. Growing your control environment. Ask: What business outcome are you trying to achieve? What is the nature of the data involved? What are the resiliency requirements? Then extend the controls library along the same lineage: Strategic objective 1, 2, 3 → Risk 1, 2, 3 → Control objective 1, 2, 3 … n → Control 1, 2, 3, 4, 5.
  • 25. Key takeaways. Risk: take a risk-based approach to your cloud control environment. Scope: focus on the controls needed to fulfill strategic objectives. Head start: use industry-standard frameworks that AWS already aligns with. Share the responsibility: use the AWS tools and services to meet your objectives.
  • 26. Thank you!