1) Getting Started with AWS Security provides an overview of AWS security best practices including understanding AWS shared responsibility model, building strong compliance foundations, integrating identity and access management, enabling detective controls, establishing network security, implementing data protection, optimizing change management, and automating security functions. 2) Statoil migrated applications and infrastructure to AWS to achieve a cloud-first strategy. They established security automation, self-service provisioning, and continuous monitoring using native AWS services to securely manage their AWS environment. 3) Evolving security architecture practices involves treating security as part of the development process through automation, embedding architecture into code repositories, and ensuring solutions provide continuous audit and compliance.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Antonio Duma, Solutions Architect, AWS
Jon Ole Nome, Leading Advisor IT Network - Statoil
May 3, 2017
Getting Started with AWS Security

2. Prescriptive Approach
Understand
AWS
Security
Practice
Build Strong
Compliance
Foundations
Integrate Identity
& Access
Management
Enable
Detective
Controls
Establish
Network
Security
Implement
Data
Protection
Optimize
Change
Management
Automate
Security
Functions

3. Understand AWS Security
Practice

4. Why is Enterprise Security Traditionally Hard?
Lack of visibility Low degree of automation

5. AND
Move
Fast
Stay
Secure

6. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability
Zones
Edge
Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
Security is a shared responsibility
Customers are
responsible for
their security IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

7. Build Strong Compliance
Foundations

8. AWS Assurance Programs
AWS maintains a formal control environment
• SOC 1 Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001, 27017, 27018 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• Architect for HIPAA compliance

9. Integrate Identity & Access
Management

10. AWS Identity & Access Management
IAM Users IAM Groups IAM Roles IAM Policies

11. Enable Detective Controls

12. AWS CloudTrail & CloudWatch
AWS
CloudTrail
Amazon
CloudWatch
 Enable globally for all AWS Regions
 Encryption & Integrity Validation
 Archive & Forward
 Amazon CloudWatch Logs
 Metrics & Filters
 Alarms & Notifications

13. Establish Network Security

14. AWS Global Infrastructure
16 AWS Regions
• North America (6)
• Europe (3)
• Asia Pacific (6)
• South America (1)
73 AWS Edge Locations
Each Region has at least 2 Availability Zones
• 42 Availability Zones (AZs)
Availability
Zone A
Availability
Zone B
Availability
Zone C

15. VPC Public Subnet 10.10.1.0/24
VPC Public Subnet
10.10.2.0/24
VPC CIDR 10.10.0.0/16
VPC Private Subnet 10.10.3.0/24 VPC Private Subnet 10.10.4.0/24
VPC Private Subnet 10.10.5.0/24 VPC Private Subnet 10.10.6.0/24
AZ A AZ B
Public ELB
Internal ELB
RDS
Master
Autoscaling
Web Tier
Autoscaling
Application Tier
Internet
Gateway
RDS
Standby
Snapshots
Multi-AZ RDS
Data Tier
Existing
Datacenter
Virtual
Private
Gateway
Customer
Gateway
VPN Connection
Direct Connect
Network
Partner
Location
Administrators &
Corporate Users
Amazon Virtual Private Cloud

16. Availability Zone A
Private subnet
Public subnet
Private subnet
Availability Zone B
Public subnet
Private subnet
ELB
Web
Back end
VPC CIDR 10.1.0.0/16
ELB
Web
Back end
VPC
sg_ELB_FrontEnd (ELB Security Group)
sg_Web_Frontend (Web Security Group)
Security Groups
sg_Backend (Backend Security Group)

17. Security Groups

18. Security Groups

19. Security Groups

20. VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
AWS
account
Source IP
Destination IP
Source port
Destination port
Interface Protocol Packets
Bytes Start/end time
Accept
or reject

21. VPC Flow Logs
• Amazon
Elasticsearch
Service
• Amazon
CloudWatch
Logs
subscriptions

22. VPC Flow Logs – CloudWatch Alarms

23. Implement Data Protection

24. Cryptographic Services
Amazon
CloudHSM
 Deep integration with AWS Services
 CloudTrail auditing
 AWS SDK for application encryption
 Dedicated HSM
 Integrate with on-premises HSMs
 Hybrid Architectures
AWS
KMS

25. Optimize Change Management

26. AWS Config & Config Rules
AWS
Config
AWS
Config Rules
 Record configuration changes
continuously
 Time-series view of resource
changes
 Archive & Compare
 Enforce best practices
 Automatically roll-back unwanted
changes
 Trigger additional workflow

27. AWS Config Partners

28. AWS CloudFormation – Infrastructure as Code
AWS
CloudFormation
 Orchestrate changes across AWS
Services
 Use as foundation to Service Catalog
products
 Use with source code repositories to
manage infrastructure changes
 JSON or YAML-based text file
describing infrastructure
 Resources created from
a template
 Can be updated
 Updates can be
restricted
Template Stack

29. Statoil Cloud Journey

30. Statoil at a glance
We are a Norwegian-based
energy company with
operations in more than 30
countries.
Data centers in Norway, USA,
Canada and Brazil
… and in the cloud

31. Statoil cloud first strategy
Activities in many areas of IT
IT Infrastructure Cloud Team
established and work on AWS
started August 2016.
Clear goals and principles
Learn, automate, self-service

32. Goals and principles for the cloud team
Main Goals
• Move 10 applications
• Core infra established and
automated
• Self-service provisioning
• Customer in control of
maintenance
• Build using AWS core
components
Principles
• Automate everything
• Monitor everything
• Tag everything
• Security at every layer
• Architect for resilience

33. Self service and automation
DRM, an in-house tool used as
platform for self-service
Bots handle automation tasks
Self-service options: build
server, add disk, resize
instance, power operations,
firewall rules

34. Current status
161 standard servers built using self-service
Ready in 20 minutes - faster delivery than a pizza!
In addition 62 HPC clusters with a total of 1004 compute
nodes also built using self-service
45 applications with a total of 93 servers running in our
VPCs in Ireland, Virginia and Sao Paulo

35. Security design for the cloud
Network segmentation -> Zero Trust
Standard Procedures -> Automation
Requests -> Self-service

36. Security automation
Our standard VPC build
includes Cloud Trail, Config,
Cloud Watch and flow logs.
Provides great insight and
enables automation.
Automated security that runs
every day is better than audits!

37. Lessons learned
Beware of VPC limits,
eg. max 5 security groups per interface
Use AWS tools and services as much as possible
OR ELSE – you will not be able to automate!
Take training seriously, cloud is way more complicated than
onprem

38. Automate Security Functions

39. Evolving the Practice of Security Architecture
Security architecture as a separate function can no longer
exist
Static position papers,
architecture diagrams &
documents
UI-dependent consoles and
technologies
Auditing, assurance, and
compliance are decoupled,
separate processes
Current Security
Architecture
Practice

40. Evolving the Practice of Security Architecture
Security architecture can now be part of the ‘maker’ team
Architecture artifacts
(design choices, narrative,
etc.) committed to common
repositories
Complete solutions account
for automation
Solution architectures are
living audit/compliance
artifacts and evidence in a
closed loop
Evolved Security
Architecture
Practice
AWS
CodeCommit
AWS
CodePipeline

41. AWS Marketplace Security Partners
Infrastructure
Security
Logging &
Monitoring
Identity &
Access Control
Configuration &
Vulnerability
Analysis
Data
Protection

42. Thank you!