BUILDING SECURE SOLUTIONS IN AWS
Stephanie Tayengco, CIO
Logicworks | www.logicworks.com
About Logicworks
We are a global leader in cloud consulting and managed services with 20+ years of experience in enterprise IT.
- Alert Logic Premier Partner
- AWS Premier Partner, Audited Managed Service Partner
- Leader in 2017 Gartner Magic Quadrant for Public Cloud MSPs
Practice areas: Cloud Strategy | Private Cloud | Public Cloud | Cloud Security
AWS Shared Responsibility Model (Recap)

CUSTOMER: responsible for security “in” the cloud
  Customer Data
  Platform Management, Access Management, Applications
  Operating System, Network, and Firewall Configuration
  Encryption, Network Traffic Protection

AWS: responsible for security “of” the cloud
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones
AWS Security by Design Approach
PHASE 1: Identify Requirements
PHASE 2: Build a “Secure Environment”
PHASE 3: Enforce Use of Templates
PHASE 4: Perform Validation Activities
Phase 1: Identify Requirements
• Document requirements
• Map AWS’ controls and your own controls against those requirements
• Decide which security rules you want to enforce in the environment
• Get the GRC/security team involved at the beginning
• Plan how you will perform security-related operational tasks
AWS Shared Responsibility Model (Recap): the CUSTOMER’s share
  Customer Data
  Platform Management, Access Management, Applications
  Operating System, Network, and Firewall Configuration
  Encryption, Network Traffic Protection
(AWS Foundation Services: Compute, Storage, Database, Networking, and the AWS Global Infrastructure: Regions, Availability Zones, remain on the AWS side.)
Phase 2: Build a “Secure Environment”
• Reference Architectures
  o Understand patterns/anti-patterns and security templates
• Things to keep in mind:
  o Access Management
  o Network Segmentation
  o Resource Constraints & Monitoring
  o Encryption
• Enforce requirements with automation
• Take advantage of security built into AWS services
Phase 2: AWS CloudFormation Fundamentals
• Build the network foundation
• Configure gateways and access points
• Install management services, like Puppet
• Allocate Amazon S3 buckets
• Attach encrypted volumes
• Control and manage access through IAM
• Register DNS names with Amazon Route 53
• Configure log shipping and retention
Phase 2: AWS CloudFormation Fundamentals
Layered Architecture (diagram): environments QA, Stage and Production, each assembled from various substacks (Security Groups, ASGs, Instances, ELBs).
Phase 2: AWS CloudFormation Fundamentals
Service Oriented Architecture (diagram): stacks split by concern
  IAM (global resource)
  Networks (VPCs, routes, subnets, etc.)
  Security Groups
  Instances, ASGs, ELBs, etc.
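The CloudFormation slides above name the controls a template should carry (encrypted volumes, S3 buckets, IAM-managed access, security groups) and the Phase 2 goal of enforcing requirements with automation. As an added example, not code from the talk or from Logicworks, here is a small Python guardrail that checks a parsed CloudFormation template against four such rules before it is deployed or published to a catalog. The rule wording, the helper names (`validate_template`, `check_*`) and the two sample templates are this example's own construction.

```python
"""Pre-deployment guardrails for a CloudFormation template (added example, not the talk's code).

Takes a template already parsed into a dict (from JSON or YAML) and checks it against
the kind of Phase 1 rules a GRC team might write down: S3 buckets are encrypted and
block public access, EBS volumes are encrypted, security groups do not expose SSH/RDP
to 0.0.0.0/0, and IAM policies do not grant Action "*" on Resource "*".
"""
import ipaddress
from typing import Any, Callable, Dict, List

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _listify(value: Any) -> List[Any]:
    """CloudFormation accepts a single object where a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_s3_bucket(name: str, props: Dict[str, Any]) -> List[str]:
    findings = []
    if "BucketEncryption" not in props:
        findings.append(f"{name}: S3 bucket has no BucketEncryption")
    pab = props.get("PublicAccessBlockConfiguration", {})
    for key in PAB_KEYS:
        if pab.get(key) is not True:
            findings.append(f"{name}: PublicAccessBlockConfiguration.{key} is not true")
    return findings


def check_ebs_volume(name: str, props: Dict[str, Any]) -> List[str]:
    return [] if props.get("Encrypted") is True else [f"{name}: EBS volume is not encrypted"]


def check_security_group(name: str, props: Dict[str, Any]) -> List[str]:
    findings = []
    for rule in _listify(props.get("SecurityGroupIngress")):
        cidr = rule.get("CidrIp")
        if not isinstance(cidr, str):
            continue  # source is another SG, an IPv6 range, or an intrinsic function
        if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
            continue  # only the world-open 0.0.0.0/0 source is flagged here
        if str(rule.get("IpProtocol")) == "-1":
            lo, hi = 0, 65535  # "-1" means all protocols and all ports
        else:
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        for port, label in ADMIN_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"{name}: {label} (tcp/{port}) open to {cidr}")
    return findings


def check_iam_policy(name: str, props: Dict[str, Any]) -> List[str]:
    findings = []
    for stmt in _listify(props.get("PolicyDocument", {}).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _listify(stmt.get("Action")) and "*" in _listify(stmt.get("Resource")):
            findings.append(f"{name}: IAM policy allows Action '*' on Resource '*'")
    return findings


CHECKS: Dict[str, Callable[[str, Dict[str, Any]], List[str]]] = {
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::EC2::Volume": check_ebs_volume,
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::IAM::Policy": check_iam_policy,
    "AWS::IAM::ManagedPolicy": check_iam_policy,
}


def validate_template(template: Dict[str, Any]) -> List[str]:
    """Return every rule violation in the template; an empty list means it may be deployed."""
    findings: List[str] = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


# Constructed sample: what an ad hoc build tends to produce.
WEAK_TEMPLATE = {"Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "DataVolume": {"Type": "AWS::EC2::Volume",
                   "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "bastion", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "OpsPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}},
}}

# Constructed sample: the same resources written to the rules.
HARDENED_TEMPLATE = {"Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}},
    "DataVolume": {"Type": "AWS::EC2::Volume",
                   "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": True}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "bastion", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}]}},
    "OpsPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}}}},
}}
```

`validate_template(WEAK_TEMPLATE)` returns eight findings (five for the bucket, one each for the volume, the security group and the policy); on `HARDENED_TEMPLATE` it returns an empty list. Wired into a CI job or the step that publishes a template to Service Catalog, a non-empty result is what blocks the template, which is the "enforce requirements with automation" point of this phase.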
Phase 2: Configuration Management
The goal of configuration management is to create and maintain system configurations.
• A “one-two punch” to configure the environment: CloudFormation provisions the resources, and configuration management (e.g. Puppet) configures what runs on them
• Every instance gets configured in the same way
• Encourages the adoption of evolving security standards
• Ability to enforce state, so drift is corrected rather than merely detected
• New tools from AWS Systems Manager (SSM)
Phase 2: Build Process
Every instance follows the same process.
No “snowflake” systems.
Phase 3: Enforce the Use of Templates
• Enable agility while decreasing risk
• Use AWS Service Catalog
• Apply appropriate access controls so that only approved IT assets are launched
Phase 3: AWS Service Catalog
Phase 4: Perform Validation Activities
• Enable the right monitoring
  o AWS CloudTrail (API activity: who did what, and when)
  o AWS Config (resource configuration history and compliance rules)
• Analyze your security data at scale
• Automation-enabled audit evidence
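The Phase 4 slide names CloudTrail and AWS Config as the monitoring sources and asks for security data to be analyzed at scale. As an added example, not code from the talk or from Logicworks, the Python below runs a few detection rules over constructed CloudTrail records in the shape CloudTrail writes to S3 (trail or Config recorder tampering, console login without MFA or as root, a security group opened to 0.0.0.0/0), and implements the evaluation logic of an AWS Config custom rule for EBS encryption. The sample records, the alert names and the helper functions (`detect`, `scan_log_file`, `evaluate_ebs_volume`) are this example's own.

```python
"""Phase 4 validation logic over CloudTrail and AWS Config data (added example, not the talk's code).

(1) detect()/scan_log_file(): detection rules over the {"Records": [...]} document that
    CloudTrail delivers to S3.
(2) evaluate_ebs_volume(): the compliance decision an AWS Config custom rule would hand
    to put_evaluations for an AWS::EC2::Volume configuration item.
"""
import json
from typing import Any, Dict, List

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
CONFIG_TAMPERING = {"StopConfigurationRecorder", "DeleteConfigurationRecorder", "DeleteDeliveryChannel"}


def _dig(obj: Any, *keys: str, default: Any = None) -> Any:
    """Safe nested lookup; CloudTrail records omit fields that do not apply to an event."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def detect(record: Dict[str, Any]) -> List[str]:
    """Alerts raised by one CloudTrail record (empty list for benign activity)."""
    alerts: List[str] = []
    name, source = record.get("eventName"), record.get("eventSource")
    who = _dig(record, "userIdentity", "arn", default="unknown")
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        alerts.append(f"cloudtrail_tampering:{name}:{who}")
    if source == "config.amazonaws.com" and name in CONFIG_TAMPERING:
        alerts.append(f"config_tampering:{name}:{who}")
    if name == "ConsoleLogin" and _dig(record, "responseElements", "ConsoleLogin") == "Success":
        if _dig(record, "additionalEventData", "MFAUsed") != "Yes":
            alerts.append(f"console_login_without_mfa:{who}")
        if _dig(record, "userIdentity", "type") == "Root":
            alerts.append(f"root_console_login:{who}")
    if name == "AuthorizeSecurityGroupIngress":
        group = _dig(record, "requestParameters", "groupId", default="?")
        for perm in _dig(record, "requestParameters", "ipPermissions", "items", default=[]):
            for rng in _dig(perm, "ipRanges", "items", default=[]):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    alerts.append(f"sg_open_to_world:{group}:{perm.get('fromPort')}-{perm.get('toPort')}")
    return alerts


def scan_log_file(raw_json: str) -> List[str]:
    """Run detect() over one CloudTrail log file body, preserving record order."""
    alerts: List[str] = []
    for record in json.loads(raw_json).get("Records", []):
        alerts.extend(detect(record))
    return alerts


def evaluate_ebs_volume(configuration_item: Dict[str, Any]) -> str:
    """Config custom-rule logic: COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for a volume CI."""
    if configuration_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    return "COMPLIANT" if _dig(configuration_item, "configuration", "encrypted") is True else "NON_COMPLIANT"


# Constructed sample log file: three events that should alert and one that should not.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"}},
]})
```

`scan_log_file(SAMPLE_LOG)` returns four alerts (the root login raises two: no MFA and root); the DescribeInstances record raises none. In a real deployment the detection rules would be triggered from the S3 delivery event or from CloudWatch Logs, and `evaluate_ebs_volume` would run inside a Lambda-backed Config rule that passes its result to `put_evaluations`; both integrations are left out so the block runs offline, and the alert output is the kind of automation-generated evidence the slide refers to.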
3 Key Takeaways
1) Better planning: no ad hoc environments that lead to an unknown risk profile.
2) Move from heavyweight manpower and repeated manual tasks to software orchestrating security.
3) Overwhelmed? Start with configuration management.

OLD WORLD: throw people and money at security.
• More hardware
• More engineers
• More complex processes

AWS CLOUD: develop software to orchestrate security.
• Automated controls
• Repeatable templates
• Less manual work
References
• AWS Security by Design Whitepaper: https://d0.awsstatic.com/whitepapers/compliance/Intro_to_Security_by_Design.pdf
• AWS Security Whitepaper: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
• AWS Quick Start Guides: https://aws.amazon.com/quickstart/
• Continuous Compliance on AWS eBook: http://go.logicworks.net/aws-continuous-compliance
• DevOps on AWS eBook: http://go.logicworks.net/devops-on-aws-cloud-ebook
• Security on AWS Case Studies: http://www.logicworks.com/about-us/#our-customers
• Log Management Best Practices: https://www.alertlogic.com/resources/whitepapers/log-management-best-practices/
Thank you.
CSS 17: NYC - Building Secure Solutions in AWS