© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS
Jim Caggy, Sr. Manager, DoD Solutions, Amazon Web Services
194336
AWS accreditations and authorizations in DoD
• AWS has achieved FedRAMP HIGH in the AWS GovCloud (US) Region
• DoD Provisional Authorizations (PA) for IL5 under the DoD Cloud Security Requirements Guide
• Connectivity to DODIN on both the East Coast and West Coast
• NIPRNET/DREN-connected Amazon Virtual Private Clouds since 2014
• DoD PA for IL6 for the AWS Secret Region in November 2017 and SIPRNET connected
DoD Secure Cloud Computing Architecture
• DoD Secure Cloud Computing Architecture (SCCA) Functional Requirements Document (FRD)
• Released March 9, 2017
• Provides implementation flexibility
• Freedom to architect and manage as a shared services enclave
DoD SCCA component functional requirements
Virtual Data Center Security Stack (VDSS)
Provides network and application security capabilities, such as an application-aware firewall and/or intrusion prevention system.
Virtual Data Center Management Stack (VDMS)
Provides system support services for mission owner environments (AD/LDAP, DNS, Patch Repos). Potentially CSSP offerings as well.
Trusted Cloud Credential Manager (TCCM)
An individual or entity appointed by the Authorizing Official to establish policies for controlling privileged user access to connect Virtual Private Clouds to DISN and for administering cloud services.
Cloud Access Point (CAP)
Provides network access to the cloud and boundary protection of DISN from the cloud.
DoD SCCA FRD Detailed Guidance
Virtual Data Center Security Stack (VDSS)
Leveraged network and application security services:
• WAF - application-aware firewall
• Network intrusion prevention/detection system
• Network firewall w/ full packet capture
• Network flow logs
Virtual Data Center Management Stack (VDMS)
Leveraged infrastructure management support services:
• ACAS / Vulnerability scanning
• HBSS / Endpoint protection
• AD / LDAP / SSO / OCSP
• DHCP / DNS / NTP
• Patching services
• Log management
Moving 3-tier web app to AWS
[Diagram: the on-premises production data center and COOP data center (FW, LB, WEB, APP, DB) mapped onto an Amazon Virtual Private Cloud (VPC) in an AWS Region spanning Availability Zone A and Availability Zone B; each AZ has a DMZ Subnet, an App Subnet and a Database Subnet; web and app servers run in auto scaling groups behind security groups; the primary DB server in AZ A replicates synchronously to the secondary in AZ B]
Diagram legend (AWS construct: data center equivalent):
• AZ: Data Center
• Subnet: VLAN
• EC2 instance: Server/VM
• Security group: FW
• ELB: Load Balancer
Architectural features & AWS services
[Diagram: the same two-AZ VPC layout (DMZ, App and Database subnets in each AZ, auto scaling groups, security groups, synchronous DB replication)]
Amazon VPC
• Your private network within AWS
AWS security groups (SG)
• Host firewalls
• Network isolation at the host
AWS network ACLs (NACL)
AWS routing tables
• Network isolation at subnet
Multi-Availability Zones (AZs)
AWS Elastic Load Balancing (ELB)
AWS Auto Scaling Groups (ASG)
• High availability & failover
• Elasticity & scalability
• Synchronous replication capable
AWS storage & database services
[Diagram: the same two-AZ VPC layout]
Amazon Simple Storage Service (S3)
• Highly durable object store
Amazon Elastic Block Store (EBS)
• Durable high-speed storage for your servers
• 1:1 – EBS:Server/Instance
Amazon Elastic File System (EFS)
• Durable high-speed shared file system
• 1:Many – EFS:Servers/Instances
Amazon Relational Database Service (RDS)
• Fully managed database service
AWS log management & automation services
[Diagram: the same two-AZ VPC layout]
Amazon CloudWatch
• CloudWatch Logs – AWS, O/S, & app logs
• CloudWatch Alarms – monitoring & alerting
AWS CloudTrail
• Collection & logging of all AWS API calls
AWS Config
• Point-in-time snapshots of AWS configuration
AWS CloudFormation
• Define & deploy configuration as code
AWS supporting services
[Diagram: the same two-AZ VPC, now attached through a Virtual Private Gateway (VPG) and AWS Direct Connect at a co-location facility to the Cloud Access Point (CAP), DoDIN and IAP, with CND at both ends]
Log management, analysis, & alerting
• AWS CloudTrail
• Amazon CloudWatch
• Amazon VPC Flow Logs
Configuration management & visibility
• AWS Config
• AWS Management Console
Backup
• Amazon Simple Storage Service (S3)
• Amazon Glacier
Identity and access management
• AWS Identity and Access Management (IAM)
Review your existing infrastructure components
[Diagram: the production data center and the COOP data center, each behind a FW, each with WEB, APP, DB and LB tiers plus a SERVICES block containing the components listed below]
• AD or LDAP
• NTP & DNS
• Bastion Host
• HBSS (AV)
• ACAS (VS)
• LOG MGMT
• SIEM
• Backup
In addition to application & networking requirements, we need to address these services!
How do we address these infrastructure needs? → SCCA
[Diagram: the two-AZ VPC attached via VPG and Direct Connect at a co-location facility to the CAP, DoDIN and IAP, with CND at both ends]
• Web application firewall
• Network firewall – Full packet capture
• Network intrusion detection/prevention
• ACAS – Vulnerability scanning
• HBSS – Endpoint protection
• AD / SSO / LDAP / OCSP
• DNS / NTP / DHCP
• Log management / SIEM
• Patching services
SCCA approach in AWS
[Diagram: a GovCloud Region attached via Direct Connect at a co-location facility to the CAP, DoDIN and IAP, with CND at both ends. The Mission Owner Virtual Private Cloud (VPC) keeps the two-AZ application layout (DMZ, App and Database subnets, auto scaling groups, security groups, synchronous DB replication). VGW attachments serve the mission owner VPC, the VDSS and the VDMS, and an Internet connection is shown alongside the shared stacks.]
Virtual Data Center Security Stack (VDSS), spanning Availability Zone A and Availability Zone B:
• Network Firewall Services
• Network Intrusion Detection/Prevention Services
• Full Packet Capture Services
• Web Application Firewall Services
Virtual Data Center Management Stack (VDMS), spanning Availability Zone A and Availability Zone B:
• ACAS / Vulnerability Scanning Services
• HBSS / Endpoint Protection Services
• AD / DNS / SSO / OCSP / DHCP Services
• Other Shared Services
AWS Security Tools and Features
A full range of capabilities for Mission Owners
[Diagram: capability areas Infrastructure Security, Inventory & Configuration, Data Encryption, Identity & Access Control, Monitoring & Logging and AWS Partner Solutions, with the services grouped as follows]
Encryption
• Key Management Service – Manage creation and control of encryption keys
• CloudHSM – Hardware-based key storage
• Server-Side Encryption – Flexible data encryption options
Identity & Access Mgmt
• IAM – Manage user access and encryption keys
• SAML Federation – SAML 2.0 support to allow on-prem identities
• Directory Service – Host and manage Microsoft Active Directory
• Organizations – Manage settings for multiple accounts
Networking
• Virtual Private Cloud – Network-isolated cloud resources
• Web Application Firewall – Filter malicious web traffic
• AWS Shield – DDoS protection
• Certificate Manager – Provision, manage, and deploy SSL/TLS certificates
Visibility and Control
• VPC Flow Logs – Comprehensive netflow data at the click of a button
• AWS Service Catalog – Create and use standardized products
• AWS Config – Track resource inventory and changes
• CloudTrail – Track user activity and API usage
• CloudWatch – Monitor resources and applications
• GuardDuty – Intrusion detection and analysis
• Trusted Advisor – Warnings and reports on proper configuration
Amazon GuardDuty – A cloud IDS
[Diagram: example GuardDuty finding types: Unusual Ports; DNS Exfiltration; RDP Brute Force; Temp credentials used off-instance; Unusual Instance Launch; Malicious or Suspicious IP; Unusual Traffic Volume; Connect to Blacklisted Site; Recon; Anonymizing Proxy; Unusual ISP Caller; Bitcoin Activity]
Findings along the diagram's example attack sequence:
• Attempt to compromise account
• Probe API with temp creds
• RDP Brute Force
• Exfiltrate temp IAM creds over DNS
• RAT installed
Automated API Actions
API calls (CloudTrail) are logged
Prevent
• SSH only from bastion subnet
• All instances are patched
• No root access
• No public objects in Amazon S3
Detect
• Create/Change Firewalls – validate source if port == 22
• OS-Level Change and Cloud Resource Change
• CloudWatch Logs + Syslog
• Data Object level logging in CloudTrail
Respond
• Prevent external network access
• Capture Image
• Change Firewall/ACL
• Patch via AWS Systems Manager
• Isolate and investigate
• Make data objects private
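The "validate source if port == 22" detection from the slide, worked through as an added example (not code from the deck): it reads CloudTrail AuthorizeSecurityGroupIngress records and flags any new SSH source outside the bastion subnet. The bastion CIDR, the account id, the group ids and the ARNs are constructed for this example.

```python
"""Flag security-group changes that open SSH (TCP/22) from outside the bastion subnet."""
import ipaddress
import json

# Assumption for this example: the only subnet allowed to originate SSH.
BASTION_CIDR = ipaddress.ip_network("10.0.10.0/24")
SSH_PORT = 22

# Constructed CloudTrail records; only the fields the check reads are included.
# The layout follows the EC2 requestParameters shape for AuthorizeSecurityGroupIngress.
SAMPLE_EVENTS = json.dumps({"Records": [
    {   # compliant: SSH opened only to the bastion subnet
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-bastion-example",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "10.0.10.0/24"}]}},
            ]},
        },
    },
    {   # violation: SSH from anywhere (the HTTPS entry in the same call is fine)
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {
            "groupId": "sg-web-example",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
    {   # violation: "all traffic" (-1) from the whole VPC also covers port 22
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
        "requestParameters": {
            "groupId": "sg-app-example",
            "ipPermissions": {"items": [
                {"ipProtocol": "-1",
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}},
            ]},
        },
    },
    {   # unrelated event: ignored by the check
        "eventName": "RunInstances",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {},
    },
]})


def _covers_ssh(perm):
    """True if an ipPermissions entry includes TCP/22 (protocol -1 means all traffic)."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":
        return True
    if proto.lower() != "tcp":
        return False
    return perm.get("fromPort", 0) <= SSH_PORT <= perm.get("toPort", 65535)


def ssh_source_violations(cloudtrail_json, bastion_cidr=BASTION_CIDR):
    """Return (groupId, cidr, actor) for each new SSH ingress whose source is not within the bastion subnet."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = rec.get("requestParameters", {})
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        for perm in params.get("ipPermissions", {}).get("items", []):
            if not _covers_ssh(perm):
                continue
            for rng in perm.get("ipRanges", {}).get("items", []):
                src = ipaddress.ip_network(rng["cidrIp"], strict=False)
                if not src.subnet_of(bastion_cidr):
                    findings.append((params.get("groupId"), rng["cidrIp"], actor))
    return findings


if __name__ == "__main__":
    for group_id, cidr, actor in ssh_source_violations(SAMPLE_EVENTS):
        print(f"SSH opened on {group_id} from {cidr} by {actor}: revert rule and notify")
```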
AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users.
Using IAM, you can create and manage AWS users, groups, and roles.
Use permissions (policies) to allow and deny users, groups, and roles access to AWS resources.
IAM best practices
• Lock away your AWS account (root) access keys
• Create individual IAM users
• Use groups to assign permissions to IAM users
• Configure a strong password policy for your users
• Enable MFA for privileged users
• Delegate by using roles instead of by sharing credentials
• Rotate credentials regularly
• Grant least privilege with IAM policies
• Use roles for applications that run on Amazon EC2 instances
• Remove unnecessary credentials
• Use policy conditions for extra security
Auditing: Use AWS CloudTrail to track API calls
Increase your visibility of what happened in your AWS environment
• CloudTrail will record API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from what IP address
• Be notified of log file delivery using Amazon Simple Notification Service
• Support for many AWS services, including Amazon EC2, Amazon EBS, Amazon VPC, Amazon RDS, IAM, AWS STS, and Amazon Redshift
• Aggregate log information into a single S3 bucket
Out-of-the-box integration with log analysis tools from AWS partners, including Splunk, Alert Logic, and Sumo Logic
Amazon VPC
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define.
Use cases enabled by VPC
• Extending DODIN: Bring your own NIPRNET/DREN IP space into AWS
• Communicate with other Amazon VPCs: Use VPC peering to communicate across the AWS network infrastructure
• Layered security: Use subnets, route tables, and NACLs to control access to your resources
VPC defense in depth for the endpoint
[Diagram: inbound traffic within the Region passes through the VPC network ACLs, then the AWS security group, then the OS firewall before reaching the EC2 instance]
• VPC adds network access control lists (ACLs):
  − (Optional) layer of security that acts as a stateless firewall for controlling traffic in and out of a subnet
  − Port/protocol defined with Action (Allow/Deny)
• Security groups
  − Stateful virtual firewall applied to an instance (e.g., EC2, ELB)
  − Traffic must be explicitly specified by protocol, port, and security group
  − Can reference other security group(s) in Inbound Source and/or Outbound Destination
• OS Firewall (e.g., iptables) may be implemented
  − Completely user-controlled security layer
  − Granular access control of discrete hosts
  − Logging network events
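The stateless-versus-stateful distinction above, modelled in Python as an added example that is not code from the deck. The rule sets, addresses and the sg-web / sg-other group ids are constructed; the security group is deliberately given no outbound rule so that connection tracking alone explains why its reply is allowed, while the NACL needs an explicit outbound rule for the client's ephemeral port.

```python
"""Model a stateless network ACL and a stateful security group on the same flows."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out", relative to the protected instance/subnet
    proto: str        # "tcp" or "udp"
    port: int         # destination port of this packet
    peer_ip: str      # remote address (source for "in", destination for "out")
    peer_sg: str = ""  # security group of the remote instance, if any (constructed ids)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_lo: int
    port_hi: int
    peer: str          # a CIDR, or a security-group id (security-group rules only)
    action: str = "allow"
    number: int = 0    # NACL rule number; ignored for security groups


def _peer_matches(rule, pkt):
    if rule.peer.startswith("sg-"):
        return rule.peer == pkt.peer_sg   # security-group reference as source/destination
    return ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.peer)


def _rule_matches(rule, pkt):
    return (rule.direction == pkt.direction and rule.proto in (pkt.proto, "-1")
            and rule.port_lo <= pkt.port <= rule.port_hi and _peer_matches(rule, pkt))


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the ordered rules."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, pkt):
        for r in self.rules:
            if _rule_matches(r, pkt):
                return r.action == "allow"   # lowest-numbered match wins
        return False                         # implicit deny at the end of the list


class SecurityGroup:
    """Stateful: allow-only rules, and the reply to an allowed packet is allowed automatically."""

    def __init__(self, rules):
        self.rules = list(rules)
        self._tracked = set()

    def permits(self, pkt, reply_to=None):
        if reply_to is not None and reply_to in self._tracked:
            return True                      # connection tracking covers the reply
        if any(_rule_matches(r, pkt) for r in self.rules):
            self._tracked.add(pkt)
            return True
        return False


def web_https_scenario(nacl_outbound_rules):
    """Return (request_ok, reply_ok) for a client HTTPS session to a web server behind NACL + SG."""
    sg = SecurityGroup([Rule("in", "tcp", 443, 443, "0.0.0.0/0")])   # no outbound rule on purpose
    nacl = NetworkAcl([Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100)] + nacl_outbound_rules)
    request = Packet("in", "tcp", 443, "203.0.113.5")
    reply = Packet("out", "tcp", 51000, "203.0.113.5")   # back to the client's ephemeral port
    request_ok = nacl.permits(request) and sg.permits(request)
    reply_ok = nacl.permits(reply) and sg.permits(reply, reply_to=request)
    return request_ok, reply_ok


# NACL that only mirrors port 443 outbound: the reply to an ephemeral port is dropped.
NACL_OUT_MISSING_EPHEMERAL = [Rule("out", "tcp", 443, 443, "0.0.0.0/0", number=100)]
# Corrected NACL: also allow outbound replies to ephemeral ports 1024-65535.
NACL_OUT_WITH_EPHEMERAL = NACL_OUT_MISSING_EPHEMERAL + [
    Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", number=110)]


def app_tier_scenario():
    """App-tier SG that only admits port 8080 from members of the web-tier SG (constructed id sg-web)."""
    app_sg = SecurityGroup([Rule("in", "tcp", 8080, 8080, "sg-web")])
    from_web = Packet("in", "tcp", 8080, "10.0.1.10", peer_sg="sg-web")
    from_stray = Packet("in", "tcp", 8080, "10.0.1.99", peer_sg="sg-other")
    return app_sg.permits(from_web), app_sg.permits(from_stray)


if __name__ == "__main__":
    print("NACL without ephemeral rule:", web_https_scenario(NACL_OUT_MISSING_EPHEMERAL))
    print("NACL with ephemeral rule:   ", web_https_scenario(NACL_OUT_WITH_EPHEMERAL))
    print("App tier SG reference:      ", app_tier_scenario())
```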
VPC Flow Logs (Netflow)
• See all of the traffic at your instances
• Visibility into effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
• At VPC, subnet, and ENI level
SSH traffic allowed
Sample CloudWatch Logs query:
[version, acct, eni, srcaddr, destaddr, srcport, destport=22, prot, packets, bytes, start, end, action=REJECT, status]
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
VPC Flow Logs
• Amazon Elasticsearch Service
• Amazon CloudWatch Logs subscriptions
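The sample query above, applied offline as an added example (not code from the deck): a small interpreter for the bracketed space-delimited filter pattern, run over constructed flow-log lines of which the first is the record shown on the slide. Note that the slide's pattern selects action=REJECT (SSH attempts the security layers blocked), whereas the sample record is an ACCEPT; the block runs both variants so the difference is visible. Only the pattern features the slide uses (field names and name=value equality) are implemented.

```python
"""Apply a CloudWatch Logs-style space-delimited filter pattern to VPC Flow Log records."""

SLIDE_PATTERN = ("[version, acct, eni, srcaddr, destaddr, srcport, destport=22, "
                 "prot, packets, bytes, start, end, action=REJECT, status]")

# Constructed flow-log records; the first line is the one shown on the slide.
SAMPLE_FLOW_LOGS = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 198.51.100.7 172.168.1.11 40022 22 6 3 180 1438530010 1438530070 REJECT OK
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20642 443 6 30 9000 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 198.51.100.9 172.168.1.11 40050 22 6 1 60 1438530010 1438530070 REJECT OK
"""


def parse_filter_pattern(pattern):
    """Turn "[a, b=1, c]" into (["a", "b", "c"], {"b": "1"})."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a bracketed space-delimited pattern")
    names, constraints = [], {}
    for term in body[1:-1].split(","):
        term = term.strip()
        if "=" in term:
            name, value = (p.strip() for p in term.split("=", 1))
            constraints[name] = value.strip('"')
        else:
            name = term
        names.append(name)
    return names, constraints


def parse_flow_log_line(line, names):
    """Map one whitespace-separated record onto the pattern's field names.

    As in CloudWatch, a record only matches when its field count equals the
    pattern's; a truncated or malformed line is skipped rather than mis-assigned.
    """
    fields = line.split()
    if len(fields) != len(names):
        return None
    return dict(zip(names, fields))


def filter_flow_logs(text, pattern):
    """Return the records (as dicts) that satisfy every name=value constraint in the pattern."""
    names, constraints = parse_filter_pattern(pattern)
    matches = []
    for line in text.splitlines():
        rec = parse_flow_log_line(line, names)
        if rec and all(rec[k] == v for k, v in constraints.items()):
            matches.append(rec)
    return matches


def rejected_ssh_by_source(text):
    """Count rejected SSH flows per source address using the slide's pattern."""
    counts = {}
    for rec in filter_flow_logs(text, SLIDE_PATTERN):
        counts[rec["srcaddr"]] = counts.get(rec["srcaddr"], 0) + 1
    return counts


if __name__ == "__main__":
    print("rejected SSH by source:", rejected_ssh_by_source(SAMPLE_FLOW_LOGS))
    accepted = filter_flow_logs(SAMPLE_FLOW_LOGS, SLIDE_PATTERN.replace("REJECT", "ACCEPT"))
    print("accepted SSH records:", [(r["srcaddr"], r["srcport"]) for r in accepted])
```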
DoD IL4/5 Web Application Reference Architecture
[Diagram: DODIN/NIPRNET reaches the AWS Region through a co-location facility hosting the CAP/BCD and Direct Connect, terminating on a Virtual Private Gateway; admin access and user access arrive over this path, and the IAP and CAP/CSSP form the Internet-facing boundary. Inside the Region: a VDMS/CSSP enclave with CSSP-managed HBSS and ACAS servers; the VDSS; MISSION VLAN(S) hosting the DoD Mission Owner web applications in public (Pub) and private (Priv) subnets with internal routing; and private S3 access for static web content, logs, and snapshots. Labels mark the AWS / DoD Mission Owner split and the BCD-managed components.]
Security through automation
Programmable infrastructure means that infrastructure can for the first time be scripted, code-reviewed, and checked into a source control system.
– “Infrastructure as code” taken seriously can massively improve security posture
– SDL (secure development lifecycle) now applies to infrastructure
AWS CloudFormation
AWS CloudFormation gives developers and systems administrators a way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.
Use cases enabled by AWS CloudFormation
• Security templates: Start with a known good security configuration
• Infrastructure management: Manage collections of resources as stacks
• Audit: Compare what you do have to what you should have
Compliance through automation
• How can you get your System ATO faster?
• Answer: Develop automation around your system build, artifact generation, and documentation.
• Are there any reference architectures available to automate the build of the DoD SCCA and the documentation process?
• Answer: Yes!
How does AWS simplify this?
The Enterprise Accelerator Compliance Quick Start
https://aws.amazon.com/quickstart
AWS Enterprise Accelerator Quick Start website
Enterprise Accelerator Quick Start Packages: What’s in the box?
• Architecture diagram
• Security Controls Matrix (SCM)
• AWS CloudFormation templates
• Deployment guide
Security Controls Matrix
AWS Quick Start CloudFormation templates
Templates
• AWS CloudFormation templates
  − Customize and deploy through automation
• Templates deliver infrastructure as code
  − Each template deploys a resource stack
  − Templates can be managed and version controlled using source code repositories (e.g., GitHub)
Deployment options
• AWS Management Console
• CLI deployment
  − Deployment scripts included with package
• AWS Service Catalog (where available)
  − As a Service Catalog “Product”
Thank You!
Email: jcaggy@amazon.com

More Related Content

What's hot

Disaster Recovery with the AWS Cloud
Disaster Recovery with the AWS CloudDisaster Recovery with the AWS Cloud
Disaster Recovery with the AWS Cloud
Amazon Web Services
 

What's hot (20)

AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics Webinar
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc Version
 
Your Virtual Data Center: VPC Fundamentals and Connectivity Options (NET201) ...
Your Virtual Data Center: VPC Fundamentals and Connectivity Options (NET201) ...Your Virtual Data Center: VPC Fundamentals and Connectivity Options (NET201) ...
Your Virtual Data Center: VPC Fundamentals and Connectivity Options (NET201) ...
 
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
AWS Account Best Practices
AWS Account Best PracticesAWS Account Best Practices
AWS Account Best Practices
 
AWS Technical Essentials Day
AWS Technical Essentials DayAWS Technical Essentials Day
AWS Technical Essentials Day
 
Aws 101 A walk-through the aws cloud (2013)
Aws 101  A walk-through the aws cloud (2013)Aws 101  A walk-through the aws cloud (2013)
Aws 101 A walk-through the aws cloud (2013)
 
Disaster Recovery with the AWS Cloud
Disaster Recovery with the AWS CloudDisaster Recovery with the AWS Cloud
Disaster Recovery with the AWS Cloud
 
Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: Security
 
AWS Cloud Security Fundamentals
AWS Cloud Security FundamentalsAWS Cloud Security Fundamentals
AWS Cloud Security Fundamentals
 
SEC306 Using Microsoft Active Directory Across On-Premises and AWS Cloud Wind...
SEC306 Using Microsoft Active Directory Across On-Premises and AWS Cloud Wind...SEC306 Using Microsoft Active Directory Across On-Premises and AWS Cloud Wind...
SEC306 Using Microsoft Active Directory Across On-Premises and AWS Cloud Wind...
 
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019 Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control Tower
 
Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...
 
Disaster Recovery Options with AWS
Disaster Recovery Options with AWSDisaster Recovery Options with AWS
Disaster Recovery Options with AWS
 
AWS Core Services Overview, Immersion Day Huntsville 2019
AWS Core Services Overview, Immersion Day Huntsville 2019AWS Core Services Overview, Immersion Day Huntsville 2019
AWS Core Services Overview, Immersion Day Huntsville 2019
 

Similar to Deploy a DoD Secure Cloud Computing Architecture Environment in AWS

Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance Seminar
Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance SeminarHybrid cloud for financial sector :: Felix Candelario :: AWS Finance Seminar
Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance Seminar
Amazon Web Services Korea
 
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...
Amazon Web Services Korea
 

Similar to Deploy a DoD Secure Cloud Computing Architecture Environment in AWS (20)

Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
 
AWS re:Invent 2016: Simplifying Microsoft Architectures with AWS services (WI...
AWS re:Invent 2016: Simplifying Microsoft Architectures with AWS services (WI...AWS re:Invent 2016: Simplifying Microsoft Architectures with AWS services (WI...
AWS re:Invent 2016: Simplifying Microsoft Architectures with AWS services (WI...
 
Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance Seminar
Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance SeminarHybrid cloud for financial sector :: Felix Candelario :: AWS Finance Seminar
Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance Seminar
 
AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial Services
 
Staying Secure in the Cloud
Staying Secure in the CloudStaying Secure in the Cloud
Staying Secure in the Cloud
 
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...
 
Running your Windows Enterprise Workloads on AWS - Technical 201
Running your Windows Enterprise Workloads on AWS - Technical 201Running your Windows Enterprise Workloads on AWS - Technical 201
Running your Windows Enterprise Workloads on AWS - Technical 201
 
AWS Summit Auckland - Running your Enterprise Windows Workload on AWS
AWS Summit Auckland  - Running your Enterprise Windows Workload on AWSAWS Summit Auckland  - Running your Enterprise Windows Workload on AWS
AWS Summit Auckland - Running your Enterprise Windows Workload on AWS
 
WIN204-Simplifying Microsoft Architectures with AWS Services
WIN204-Simplifying Microsoft Architectures with AWS ServicesWIN204-Simplifying Microsoft Architectures with AWS Services
WIN204-Simplifying Microsoft Architectures with AWS Services
 
Toward Full Stack Security
Toward Full Stack SecurityToward Full Stack Security
Toward Full Stack Security
 
Getting Started with Windows Workloads on Amazon EC2
Getting Started with Windows Workloads on Amazon EC2Getting Started with Windows Workloads on Amazon EC2
Getting Started with Windows Workloads on Amazon EC2
 
Forge - DevCon 2016: Developing & Deploying Secure, Scalable Applications on ...
Forge - DevCon 2016: Developing & Deploying Secure, Scalable Applications on ...Forge - DevCon 2016: Developing & Deploying Secure, Scalable Applications on ...
Forge - DevCon 2016: Developing & Deploying Secure, Scalable Applications on ...
 
Simplifying Microsoft Architectures with AWS - CMP214 - re:Invent 2017
Simplifying Microsoft Architectures with AWS - CMP214 - re:Invent 2017Simplifying Microsoft Architectures with AWS - CMP214 - re:Invent 2017
Simplifying Microsoft Architectures with AWS - CMP214 - re:Invent 2017
 
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
 
Datensicherheit mit AWS - AWS Security Web Day
Datensicherheit mit AWS - AWS Security Web DayDatensicherheit mit AWS - AWS Security Web Day
Datensicherheit mit AWS - AWS Security Web Day
 
Deep Dive: Amazon RDS
Deep Dive: Amazon RDSDeep Dive: Amazon RDS
Deep Dive: Amazon RDS
 
Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"
 
Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"
 
Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWS
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 

More from Amazon Web Services

Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Deploy a DoD Secure Cloud Computing Architecture Environment in AWS

  • 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Jim Caggy, Sr. Manager, DoD Solutions, Amazon Web Services. 194336: Deploy a DoD Secure Cloud Computing Architecture Environment in AWS
  • 2. AWS accreditations and authorizations in DoD
    • AWS has achieved FedRAMP HIGH in the AWS GovCloud (US) Region
    • DoD Provisional Authorizations (PA) for IL5 under the DoD Cloud Security Requirements Guide
    • Connectivity to DODIN on both the East Coast and West Coast
    • NIPRNET/DREN-connected Amazon Virtual Private Clouds since 2014
    • DoD PA for IL6 for the AWS Secret Region in November 2017, and SIPRNET connected
  • 3. DoD Secure Cloud Computing Architecture
    • DoD Secure Cloud Computing Architecture (SCCA) Functional Requirements Document (FRD)
    • Released March 9, 2017
    • Provides implementation flexibility
    • Freedom to architect and manage as a shared services enclave
  • 4. DoD SCCA component functional requirements
    • Virtual Data Center Security Stack (VDSS): provides network and application security capabilities, such as an application-aware firewall and/or intrusion prevention system.
    • Virtual Data Center Management Stack (VDMS): provides system support services for mission owner environments (AD/LDAP, DNS, patch repos). Potentially CSSP offerings as well.
    • Trusted Cloud Credential Manager (TCCM): an individual or entity appointed by the Authorizing Official to establish policies for controlling privileged user access to connect Virtual Private Clouds to DISN and for administering cloud services.
    • Cloud Access Point (CAP): provides network access to the cloud and boundary protection of DISN from the cloud.
  • 5. DoD SCCA FRD Detailed Guidance
    • Virtual Data Center Security Stack (VDSS), leveraged network and application security services: WAF (application-aware firewall); network intrusion prevention/detection system; network firewall with full packet capture; network flow logs
    • Virtual Data Center Management Stack (VDMS), leveraged infrastructure management support services: ACAS / vulnerability scanning; HBSS / endpoint protection; AD / LDAP / SSO / OCSP; DHCP / DNS / NTP; patching services; log management
  • 6. Moving 3-tier web app to AWS
    [Diagram: production and COOP data centers (FW, LB, WEB, APP, DB) mapped onto an Amazon Virtual Private Cloud (VPC) in an AWS Region with DMZ, App, and Database subnets in Availability Zones A and B; web and app servers in auto scaling groups behind security groups; DB server primary and secondary with synchronous replication. Legend: AZ = data center; subnet = VLAN; EC2 instance = server/VM; security group = FW; ELB = load balancer]
  • 7. Architectural features & AWS services
    [Diagram: three-tier VPC layout as in slide 6]
    • Amazon VPC: your private network within AWS
    • AWS security groups (SG): host firewalls; network isolation at the host
    • AWS network ACLs (NACL) and AWS routing tables: network isolation at the subnet
    • Multi-Availability Zones (AZs), AWS Elastic Load Balancing (ELB), AWS Auto Scaling Groups (ASG): high availability & failover; elasticity & scalability; synchronous replication capable
  • 8. AWS storage & database services
    [Diagram: three-tier VPC layout as in slide 6]
    • Amazon Simple Storage Service (S3): highly durable object store
    • Amazon Elastic Block Store (EBS): durable high-speed storage for your servers; 1:1 EBS:server/instance
    • Amazon Elastic File System (EFS): durable high-speed shared file system; 1:many EFS:servers/instances
    • Amazon Relational Database Service (RDS): fully managed database service
  • 9. AWS log management & automation services
    [Diagram: three-tier VPC layout as in slide 6]
    • Amazon CloudWatch: CloudWatch Logs (AWS, O/S, & app logs); CloudWatch Alarms (monitoring & alerting)
    • AWS CloudTrail: collection & logging of all AWS API calls
    • AWS Config: point-in-time snapshots of AWS configuration
    • AWS CloudFormation: define & deploy configuration as code
  • 10. AWS supporting services
    [Diagram: three-tier VPC layout as in slide 6, attached through a VPG and Direct Connect to a co-location CAP (with CND) and on to the DoDIN and IAP]
    • Log management, analysis, & alerting: AWS CloudTrail; Amazon CloudWatch; Amazon VPC Flow Logs
    • Configuration management & visibility: AWS Config; AWS Management Console
    • Backup: Amazon Simple Storage Service (S3); Amazon Glacier
    • Identity and access management: AWS Identity and Access Management (IAM)
  • 11. Review your existing infrastructure components
    [Diagram: production and COOP data centers, each with FW, LB, WEB, APP, DB and a SERVICES tier: AD or LDAP; NTP & DNS; bastion host; HBSS (AV); ACAS (VS); log mgmt; SIEM; backup]
    In addition to application & networking requirements, we need to address these services!
  • 12. How do we address these infrastructure needs? → SCCA
    [Diagram: VPC and CAP layout as in slide 10]
    • Web application firewall
    • Network firewall – full packet capture
    • Network intrusion detection/prevention
    • ACAS – vulnerability scanning
    • HBSS – endpoint protection
    • AD / SSO / LDAP / OCSP
    • DNS / NTP / DHCP
    • Log management / SIEM
    • Patching services
  • 13. SCCA approach in AWS GovCloud Region
    [Diagram: Mission Owner Virtual Private Cloud (VPC) with the three-tier layout of slide 6, attached via VGW; Virtual Data Center Security Stack (VDSS) spanning Availability Zones A and B with network firewall services, network intrusion detection/prevention services, full packet capture services, and web application firewall services; Virtual Data Center Management Stack (VDMS) spanning both AZs with ACAS / vulnerability scanning services, HBSS / endpoint protection services, AD / DNS / SSO / OCSP / DHCP services, and other shared services; Direct Connect through a co-location CAP (with CND) to the DoDIN and IAP; Internet]
  • 14. AWS Security Tools and Features: Infrastructure Security; Inventory & Configuration; Data Encryption; Identity & Access Control; Monitoring & Logging; AWS Partner Solutions
  • 15. A full range of capabilities for Mission Owners
    • Encryption: Key Management Service (manage creation and control of encryption keys); CloudHSM (hardware-based key storage); Server-Side Encryption (flexible data encryption options)
    • Identity & Access Mgmt: IAM (manage user access and encryption keys); SAML Federation (SAML 2.0 support to allow on-prem identities); Directory Service (host and manage Microsoft Active Directory); Organizations (manage settings for multiple accounts)
    • Networking: Virtual Private Cloud (network-isolated cloud resources); Web Application Firewall (filter malicious web traffic); AWS Shield (DDoS protection); Certificate Manager (provision, manage, and deploy SSL/TLS certificates)
    • Visibility and Control: VPC Flow Logs (comprehensive netflow data with the click of a button); AWS Service Catalog (create and use standardized products); AWS Config (track resource inventory and changes); CloudTrail (track user activity and API usage); CloudWatch (monitor resources and applications); GuardDuty (intrusion detection and analysis); Trusted Advisor (warnings and reports on proper configuration)
  • 16. Amazon GuardDuty – A cloud IDS
    • Finding types shown: unusual ports; DNS exfiltration; RDP brute force; temp credentials used off-instance; unusual instance launch; malicious or suspicious IP; unusual traffic volume; connect to blacklisted site; recon; anonymizing proxy; unusual ISP caller; Bitcoin activity
    • Scenario shown: attempt to compromise account → probe API with temp creds → RDP brute force → exfiltrate temp IAM creds over DNS → RAT installed
  • 17. Automated API Actions (API calls are logged in CloudTrail)
    • Prevent: SSH only from bastion subnet; all instances are patched; no root access; no public objects in Amazon S3; prevent external network access
    • Detect: on create/change of firewalls, validate the source if port == 22; OS-level change and cloud resource change; CloudWatch Logs + syslog; data object level logging in CloudTrail
    • Respond: capture image; change firewall/ACL; patch via AWS Systems Manager; isolate and investigate; make data objects private
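The "validate source if port == 22" detection from the slide, as an added example that is not from the deck: it inspects an AuthorizeSecurityGroupIngress record from CloudTrail and reports any rule that opens TCP/22 to a source other than the bastion subnet or bastion security group. The bastion CIDR, the bastion security-group id and the sample event are assumed/constructed values.

```python
# Added example (not from the deck): flag AuthorizeSecurityGroupIngress
# CloudTrail events that open TCP/22 to anything other than the bastion subnet
# or bastion security group. BASTION_SUBNET, BASTION_SG_IDS and SAMPLE_EVENT
# are assumed/constructed values.
import ipaddress

BASTION_SUBNET = ipaddress.ip_network("10.0.100.0/24")  # assumed bastion subnet
BASTION_SG_IDS = {"sg-0bastion00000000a"}               # assumed bastion SG id


def _items(node):  # CloudTrail wraps request lists as {"items": [...]}
    return (node or {}).get("items", [])


def find_ssh_violations(event):
    """Return (groupId, source) pairs for ingress rules covering TCP/22 whose
    source is not the bastion subnet or a bastion security group."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = event.get("requestParameters", {})
    group_id = params.get("groupId", "unknown")
    violations = []
    for perm in _items(params.get("ipPermissions")):
        proto = str(perm.get("ipProtocol", ""))
        if proto not in ("tcp", "-1"):          # "-1" means all protocols
            continue
        # ports are absent for "-1", so treat it as the full range
        lo, hi = (0, 65535) if proto == "-1" else (perm.get("fromPort", 0), perm.get("toPort", 65535))
        if not lo <= 22 <= hi:
            continue
        for rng in _items(perm.get("ipRanges")):
            cidr = ipaddress.ip_network(rng["cidrIp"], strict=False)
            if not cidr.subnet_of(BASTION_SUBNET):
                violations.append((group_id, rng["cidrIp"]))
        for grp in _items(perm.get("groups")):
            if grp.get("groupId") not in BASTION_SG_IDS:
                violations.append((group_id, grp.get("groupId")))
    return violations


SAMPLE_EVENT = {  # constructed CloudTrail record, not real data
    "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "10.0.100.0/24"},
                                    {"cidrIp": "0.0.0.0/0"}]}},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
        ]},
    },
}
```

Running `find_ssh_violations(SAMPLE_EVENT)` returns only the 0.0.0.0/0 entry: the bastion CIDR and the port 443 rule pass, and the "Respond" step (change firewall/ACL) can be driven from that list.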
  • 18. AWS Identity and Access Management (IAM)
    • AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users
    • Using IAM, you can create and manage AWS users, groups, and roles
    • Use permissions (policies) to allow and deny users, groups, and roles access to AWS resources
  • 19. IAM best practices
    • Lock away your AWS account (root) access keys
    • Create individual IAM users
    • Use groups to assign permissions to IAM users
    • Configure a strong password policy for your users
    • Enable MFA for privileged users
    • Delegate by using roles instead of by sharing credentials
    • Rotate credentials regularly
  • 20. IAM best practices
    • Grant least privilege with IAM policies
    • Use roles for applications that run on Amazon EC2 instances
    • Remove unnecessary credentials
    • Use policy conditions for extra security
  • 21. Auditing: Use AWS CloudTrail to track API calls. Increase your visibility of what happened in your AWS environment
    • CloudTrail will record API calls and save logs in your S3 buckets, no matter how those API calls were made
    • Who did what, when, and from what IP address
    • Be notified of log file delivery using Amazon Simple Notification Service
    • Support for many AWS services, including Amazon EC2, Amazon EBS, Amazon VPC, Amazon RDS, IAM, AWS STS, and Amazon Redshift
    • Aggregate log information into a single S3 bucket
    • Out-of-the-box integration with log analysis tools from AWS partners, including Splunk, Alert Logic, and Sumo Logic
  • 22. Amazon VPC: Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define.
  • 23. Use cases enabled by VPC
    • Extending DODIN: bring your own NIPRNET/DREN IP space into AWS
    • Communicate with other Amazon VPCs: use VPC peering to communicate across the AWS network infrastructure
    • Layered security: use subnets, route tables, and NACLs to control access to your resources
  • 24. VPC defense in depth for the endpoint
    [Diagram: inbound traffic within a Region passes the VPC network ACLs, then the AWS security group, then the OS firewall on the EC2 instance]
    • VPC adds network access control lists (ACLs): an (optional) layer of security that acts as a stateless firewall for controlling traffic in and out of a subnet; port/protocol defined with an Action (Allow/Deny)
    • Security groups: a stateful virtual firewall applied to an instance (e.g., EC2, ELB); traffic must be explicitly specified by protocol, port, and security group; can reference other security group(s) in the inbound source and/or outbound destination
    • OS firewall (e.g., iptables) may be implemented: a completely user-controlled security layer; granular access control of discrete hosts; logging of network events
  • 25. VPC Flow Logs
    • See all of the traffic at your instances
    • Visibility into the effects of security group rules
    • Troubleshooting network connectivity
    • Ability to analyze traffic
    • At the VPC, subnet, and ENI level
  • 26. VPC Flow Logs (Netflow): SSH traffic allowed
    Sample CloudWatch Logs query:
    [version, acct, eni, srcaddr, destaddr, srcport, destport=22, prot, packets, bytes, start, end, action=REJECT, status]
    Sample flow log record:
    2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
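The same filter applied outside CloudWatch, as an added example that is not from the deck: a small parser for version 2 flow log records that drops NODATA/SKIPDATA lines and selects TCP flows to destination port 22 with a chosen action. The first sample line is the slide's own record; the other lines are constructed.

```python
# Added example (not from the deck): parse version 2 VPC flow log records
# and apply the slide's filter (destport=22 plus an action) in Python.
# The first sample line is copied from the slide; the others are constructed.
from collections import namedtuple

FIELDS = ("version", "acct", "eni", "srcaddr", "destaddr", "srcport",
          "destport", "prot", "packets", "bytes", "start", "end",
          "action", "status")
FlowRecord = namedtuple("FlowRecord", FIELDS)
INT_FIELDS = ("srcport", "destport", "prot", "packets", "bytes", "start", "end")


def parse_record(line):
    """Return a FlowRecord for an OK record, or None for NODATA/SKIPDATA
    records (which carry '-' in the address and counter fields) or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = FlowRecord(*parts)
    if rec.status != "OK":
        return None
    return rec._replace(**{f: int(getattr(rec, f)) for f in INT_FIELDS})


def ssh_flows(lines, action="REJECT"):
    """Records with TCP (protocol 6) destination port 22 and the given action:
    REJECT lists SSH blocked by a security group or NACL, ACCEPT lists SSH that got through."""
    matches = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec.prot == 6 and rec.destport == 22 and rec.action == action:
            matches.append(rec)
    return matches


SAMPLE_LINES = [
    # copied from the slide
    "2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK",
    # constructed: SSH attempt rejected from an outside address
    "2 123456789010 eni-abc123de 198.51.100.7 172.168.1.11 51234 22 6 3 180 1438530010 1438530070 REJECT OK",
    # constructed: HTTPS flow, must not match
    "2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 44321 443 6 10 2400 1438530010 1438530070 ACCEPT OK",
    # constructed: NODATA record, skipped by parse_record
    "2 123456789010 eni-abc123de - - - - - - - 1438530010 1438530070 - NODATA",
]
```

Note that the slide's own record has action ACCEPT, so it is returned by `ssh_flows(SAMPLE_LINES, "ACCEPT")` and not by the default REJECT filter shown in the query.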
  • 27. VPC Flow Logs destinations
    • Amazon Elasticsearch Service
    • Amazon CloudWatch Logs subscriptions
  • 28. DoD IL4/5 Web Application Reference Architecture
    [Diagram: DODIN/NIPRNET connects through the IAP and a co-location CAP/BCD (CAP/CSSP internal routing, BCD managed) over Direct Connect to a Virtual Private Gateway in the AWS Region. Admin access goes to the VDMS/CSSP enclave (CSSP-managed HBSS server and ACAS server); user access goes through the VDSS to the mission VLAN(s) and the DoD Mission Owner application, with private S3 access for static web content, logs, and snapshots. Each web application occupies public and private subnets; an Internet path is also shown. Boundary between AWS and DoD Mission Owner responsibility marked.]
  • 29. Security through automation
    • Programmable infrastructure means that infrastructure can, for the first time, be scripted, code-reviewed, and checked into a source control system
    • "Infrastructure as code" taken seriously can massively improve security posture
    • SDL (secure development lifecycle) now applies to infrastructure
  • 30. AWS CloudFormation: AWS CloudFormation gives developers and systems administrators a way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.
  • 31. Use cases enabled by AWS CloudFormation
    • Security templates: start with a known good security configuration
    • Infrastructure management: manage collections of resources as stacks
    • Audit: compare what you do have to what you should have
  • 32. Compliance through automation
    • How can you get your System ATO faster? Answer: develop automation around your system build, artifact generation, and documentation.
    • Are there any reference architectures available to automate the build of the DOD SCCA and the documentation process? Answer: Yes!
  • 33. How does AWS simplify this? The Enterprise Accelerator Compliance Quick Start: https://aws.amazon.com/quickstart
  • 34. AWS Enterprise Accelerator Quick Start website
  • 35. Enterprise Accelerator Quick Start packages: what's in the box? Architecture diagram; Security Controls Matrix (SCM); AWS CloudFormation templates; deployment guide
  • 37. AWS Quick Start CloudFormation templates (© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.)
    • AWS CloudFormation templates: customize and deploy through automation
    • Templates deliver infrastructure as code: each template deploys a resource stack; templates can be managed and version controlled using source code repositories (e.g., GitHub)
  • 38. Deployment options
    • AWS Management Console
    • CLI deployment: deployment scripts included with the package
    • AWS Service Catalog (where available): as a Service Catalog "Product"
  • 39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank You! Email: jcaggy@amazon.com