© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The Automation of Supervision:
Governance in the Cloud
Brian Wagner, Compliance Specialist
AWS Financial Services
Common Pattern
Framework Policies Business Outcomes Manage Risks
Security governance is meant to support business objectives by defining
policies & controls to manage risk
Traditional governance flow
Project Team Governance Check
Policy Archive
Policy Audit
Release!
Strategy Governance
AUTOMATING SUPERVISION
Compliance Data
Automated Checks
Release!
Ops
Audit
Project Team
Strategy Governance
Policy
AWS CodeBuild AWS Lambda
AWS CloudFormation AWS Config
AWS CodePipeline
Normalize
Record
Changing Resources
AWS Config
Deliver
Stream
Snapshot (ex. 2014-11-05)
AWS Config APIs
Store
History
Normalize
Record
Changing Resources
AWS Config & Config Rules
Deliver
Stream
Snapshot (ex. 2014-11-05)
AWS Config APIs
Store
History
Rules
Awareness at Scale
Multi-Account structure
Dev Pre-Prod
BU/Product/Resource Accounts
Developer Accounts
Security
Core Accounts
AWS Organizations Account
Billing
Tooling
Shared Services
Sandbox
Networking
Internal
Audit
Logging
Prod
Shared Services
Developer
Sandbox
Data Center
Orgs: Account management
Logging: Centralized logs
Security: AWS Config Rules, security tools
Shared services: Directory, DNS, limit monitoring
Billing Tooling: Cost monitoring
Sandbox: Experiments
Dev: Development
Pre-Prod: Staging
Prod: Production
Leveraging the AWS Account Boundary
Organizations account:
Account Provisioning
Account Access (SSO)
Shared Services account:
Active Directory
Log Analytics
Logging account:
CloudTrail/Config logs
Security account:
Audit/Break-glass
AWS Organizations
AWS SSM
AWS Service Catalog
Core OU
Shared Services account | Logging account | Security account
AWS Organizations account
Network Baseline
Account Baseline | Account Baseline | Account Baseline
Security Cross-Account Roles
AWS Microsoft AD
Aggregate CloudTrail and Config Logs
Log Reporting
Amazon S3 bucket (manifest file)
AWS CodePipeline
Stacksets
AWS SSO
AWS Service Catalog
Account Vending Machine
New AWS Account
Network Baseline
Account Baseline
AWS Organizations
Core OU
Security Account
Security Roles
Logging Account
Audit Bucket
Shared Services Account
Shared Network
Account Vending Machine
• Account Vending Machine (AWS Service Catalog)
• Account creation UI
• Account Baseline Versioning
• Launch Constraints
• Creates/Updates AWS Account
• Apply Account Baseline stack sets
• Create Network Baseline
• Apply account Security Control Policy
Deployment and configuration update pipeline
Benefits of the AWS Automated Landing Zone
Automated Scalable Self-Service
Guardrails
NOT Blockers
Auditable Flexible
ENTER THE LAYER CAKE
The governance model is key
Governance At The Speed Of Cloud
Governance layer cake
Layer Cake
AWS Shared Responsibility model & compliance documents
Shared Responsibility Model
Layer Cake
AWS Shared Responsibility model & compliance documents
Service assessment and foundational security controls
Service Governance - compliance
ISO 27001
SOC Reports
• Especially SOC2
Understand how the service is run
White papers & public documents
Your friendly AWS contact
AWS Artifact
Assessment Criteria
Quickly get to controls for the service
Identity
• IAM Policies for API access
• Service Role Definition
• User Identity Management
Detective control
• API Calls
• Application Logging
• Default Config Rules
• VPC Flow Logs
• Guard Duty
Infrastructure security
• VPC Endpoints
• Private Link
• Security Groups
• Edge Services
Data protection
• KMS Integration
• Client Side Requirements
• Tokenisation
Incident response
• AWS Config Rules
• Automated Remediation
• SIEM
• SecOps
IAM
AWS CloudTrail
AWS Config
Amazon VPC
AWS KMS
AWS Lambda
Security people have to become BUILDERS
What’s in a platform?
Direct Connect
Dev Pre-Prod
BU/Product/Resource Accounts
Security
Enterprise Accounts
AWS Organizations Master
Billing
Identity
PoC
Evil Account
Data Center
Logging
Prod
Shared Services
Orgs: Account management
Logging: Centralized logs
Security: AWS Config Rules, security tools
Shared services: Directory, DNS, AMI Factory
PoC: Experiments
Dev: Development
Pre-Prod: Staging
Prod: Production
Evil: Security Testing
Platform – foundational controls
• Federate all the users
• Leverage native encryption services
• Ubiquitous logging
• Trusted AMI builds
• Default networking – application patterns
• Standardised Edge Services
• When a service is enabled so are the config rules
Foundational security controls
Layer Cake – the tasty topping
AWS Shared Responsibility model & compliance documents
Service assessment and foundational security controls
Workload specific security governance and controls
Workload specifics
Testing in the pipeline
Project Team
Automated Checks
Communicate the requirements
Policy
On Nutrition
• Atomic assessment of AWS services defines the controls
• Bake as many into the platform as possible
• Automation helps scale
• Don’t let the governance process become a blocking one
• Communication is critical
Governance layer cake
Three things YOU NEED TO GET RIGHT
Foundations in the platform
Identity
Federation is the basis for the identity controls
Removing long lived API keys/IAM users raises the bar
Role broker & self-service for ephemeral resources
Identity lifecycle
Roles for coarse grained access can also map to
Splunk/Jira/GitHub
Foundations in the platform
Visibility
Monitor all the things
As you add services, add the config rules
Analytics for feedback
Someone’s fulltime job needs to be SecOps
Private link helps with plumbing
Foundations in the platform
Encryption
KMS is awesome – volumes & credentials
SEC405: Ubiquitous Encryption (Wednesday)
Keep the humans away from the data
Identity for KMS functions
Account boundary for data leakage
Pay attention to data replication & backup
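The deck pairs "as you add services, add the config rules" with "KMS is awesome – volumes". As an added example (not code from the deck), this is the shape of a custom AWS Config rule Lambda that does both: it evaluates AWS::EC2::Volume configuration items and reports NON_COMPLIANT unless the volume is encrypted with one of an allow-listed set of KMS keys. The rule parameter name `AllowedKmsKeyArns`, the key ARNs and the sample configuration items are constructed for this illustration; the event shape is the one AWS Config passes to custom-rule Lambdas (`invokingEvent` and `ruleParameters` arrive as JSON strings).

```python
"""Custom AWS Config rule: EBS volumes must be encrypted with an approved KMS key.

Added example, not code from the deck. The AllowedKmsKeyArns parameter name and
the sample events at the bottom are constructed for a local run.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_volume(config_item, allowed_key_arns):
    """Return (compliance_type, annotation) for one configuration item.

    Deleted resources are reported NOT_APPLICABLE so stale evaluations are
    cleared instead of lingering as false positives; other resource types are
    skipped the same way.
    """
    status = config_item.get("configurationItemStatus")
    if status in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "Resource deleted"
    if config_item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "Rule only evaluates AWS::EC2::Volume"

    cfg = config_item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return NON_COMPLIANT, "Volume is not encrypted"

    # EC2 reports the volume's key as a full KMS key ARN (assumed here).
    key_arn = cfg.get("kmsKeyId")
    if allowed_key_arns and key_arn not in allowed_key_arns:
        return NON_COMPLIANT, f"Volume encrypted with non-approved key {key_arn}"
    return COMPLIANT, "Volume encrypted with an approved KMS key"


def parse_allowed_keys(rule_parameters):
    """ruleParameters is a JSON string; AllowedKmsKeyArns is comma-separated."""
    params = json.loads(rule_parameters or "{}")
    raw = params.get("AllowedKmsKeyArns", "")
    return {arn.strip() for arn in raw.split(",") if arn.strip()}


def build_evaluation(event):
    """Turn a Config custom-rule event into one PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    allowed = parse_allowed_keys(event.get("ruleParameters"))
    compliance, annotation = evaluate_volume(item, allowed)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed; reports the verdict back to AWS Config."""
    import boto3  # imported here so the evaluation logic runs offline

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample events for a local run; ARNs, ids and token are placeholders.
APPROVED_KEY = "arn:aws:kms:eu-west-1:111111111111:key/00000000-0000-0000-0000-000000000001"


def _event(volume_id, encrypted, key_arn, status="OK"):
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": volume_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2018-11-27T10:00:00.000Z",
        "configuration": {"volumeId": volume_id, "encrypted": encrypted, "kmsKeyId": key_arn},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps({"AllowedKmsKeyArns": APPROVED_KEY}),
        "resultToken": "constructed-token",
    }


SAMPLE_EVENTS = {
    "approved": _event("vol-0a1", True, APPROVED_KEY),
    "plaintext": _event("vol-0b2", False, None),
    "wrong_key": _event("vol-0c3", True, APPROVED_KEY.replace("0001", "0002")),
    "deleted": _event("vol-0d4", False, None, status="ResourceDeleted"),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(name, build_evaluation(ev)["ComplianceType"])
```

Deployed as a change-triggered rule scoped to AWS::EC2::Volume, the same evaluation runs on every new or modified volume, which is what makes the control "on by default" rather than a periodic audit.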
MECHANISMS
Continuous Compliance
Get started with CIS Benchmarks accelerator
Automate compliance using AWS native services
Let the data drive your policy decisions
Security governance is meant to support business objectives by defining
policies & controls to manage risk
Conclusion
Foundational security controls
Continuous compliance
Governance layer cake
Thank you
Brian Wagner, Compliance Specialist
AWS Financial Services

More Related Content

What's hot

Build HIPAA Eligible Solutions with AWS and APN Partners PPT
 Build HIPAA Eligible Solutions with AWS and APN Partners PPT Build HIPAA Eligible Solutions with AWS and APN Partners PPT
Build HIPAA Eligible Solutions with AWS and APN Partners PPTAmazon Web Services
 
HIPAA Compliance in the AWS Cloud
HIPAA Compliance in the AWS CloudHIPAA Compliance in the AWS Cloud
HIPAA Compliance in the AWS CloudNoah Jaehnert
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”Amazon Web Services
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWSAmazon Web Services
 
Automated Compliance and Governance with AWS Config and AWS CloudTrail
Automated Compliance and Governance with AWS Config and AWS CloudTrailAutomated Compliance and Governance with AWS Config and AWS CloudTrail
Automated Compliance and Governance with AWS Config and AWS CloudTrailAmazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityLalitMohanSharma8
 
Securing enterprise big data workloads on AWS
Securing enterprise big data workloads on AWSSecuring enterprise big data workloads on AWS
Securing enterprise big data workloads on AWSAmazon Web Services
 
Check Point Software Technologies: Secure Your AWS Workloads
 Check Point Software Technologies: Secure Your AWS Workloads Check Point Software Technologies: Secure Your AWS Workloads
Check Point Software Technologies: Secure Your AWS WorkloadsAmazon Web Services
 
Using Security to Build with Confidence in AWS
Using Security to Build with Confidence in AWSUsing Security to Build with Confidence in AWS
Using Security to Build with Confidence in AWSAmazon Web Services
 
Unlock Highly Regulated Enterprise Workloads with SaaS on AWS GovCloud (US) (...
Unlock Highly Regulated Enterprise Workloads with SaaS on AWS GovCloud (US) (...Unlock Highly Regulated Enterprise Workloads with SaaS on AWS GovCloud (US) (...
Unlock Highly Regulated Enterprise Workloads with SaaS on AWS GovCloud (US) (...Amazon Web Services
 
Best of reI:nvent Tel Aviv 2015 - Keynote
Best of reI:nvent Tel Aviv 2015 - KeynoteBest of reI:nvent Tel Aviv 2015 - Keynote
Best of reI:nvent Tel Aviv 2015 - KeynoteAmazon Web Services
 

What's hot (20)

Build HIPAA Eligible Solutions with AWS and APN Partners PPT
 Build HIPAA Eligible Solutions with AWS and APN Partners PPT Build HIPAA Eligible Solutions with AWS and APN Partners PPT
Build HIPAA Eligible Solutions with AWS and APN Partners PPT
 
HIPAA Compliance in the AWS Cloud
HIPAA Compliance in the AWS CloudHIPAA Compliance in the AWS Cloud
HIPAA Compliance in the AWS Cloud
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWS
 
Automated Compliance and Governance with AWS Config and AWS CloudTrail
Automated Compliance and Governance with AWS Config and AWS CloudTrailAutomated Compliance and Governance with AWS Config and AWS CloudTrail
Automated Compliance and Governance with AWS Config and AWS CloudTrail
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Compliance with AWS
Compliance with AWSCompliance with AWS
Compliance with AWS
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
AWS Governance Overview - Beach
AWS Governance Overview - BeachAWS Governance Overview - Beach
AWS Governance Overview - Beach
 
GDPR and Automation Overview
GDPR and Automation OverviewGDPR and Automation Overview
GDPR and Automation Overview
 
Securing enterprise big data workloads on AWS
Securing enterprise big data workloads on AWSSecuring enterprise big data workloads on AWS
Securing enterprise big data workloads on AWS
 
Understanding AWS security
Understanding AWS securityUnderstanding AWS security
Understanding AWS security
 
Check Point Software Technologies: Secure Your AWS Workloads
 Check Point Software Technologies: Secure Your AWS Workloads Check Point Software Technologies: Secure Your AWS Workloads
Check Point Software Technologies: Secure Your AWS Workloads
 
Using Security to Build with Confidence in AWS
Using Security to Build with Confidence in AWSUsing Security to Build with Confidence in AWS
Using Security to Build with Confidence in AWS
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: Security
 
Security & Compliance in AWS
Security & Compliance in AWSSecurity & Compliance in AWS
Security & Compliance in AWS
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
Unlock Highly Regulated Enterprise Workloads with SaaS on AWS GovCloud (US) (...
Unlock Highly Regulated Enterprise Workloads with SaaS on AWS GovCloud (US) (...Unlock Highly Regulated Enterprise Workloads with SaaS on AWS GovCloud (US) (...
Unlock Highly Regulated Enterprise Workloads with SaaS on AWS GovCloud (US) (...
 
Best of reI:nvent Tel Aviv 2015 - Keynote
Best of reI:nvent Tel Aviv 2015 - KeynoteBest of reI:nvent Tel Aviv 2015 - Keynote
Best of reI:nvent Tel Aviv 2015 - Keynote
 

Similar to The Automation of Supervision Governance in the Cloud

Landing Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsLanding Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsAmazon Web Services
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Amazon Web Services
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management ToolsAmazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
Cloud Governance and Provisioning Management using AWS Management Tools and S...
Cloud Governance and Provisioning Management using AWS Management Tools and S...Cloud Governance and Provisioning Management using AWS Management Tools and S...
Cloud Governance and Provisioning Management using AWS Management Tools and S...Amazon Web Services
 
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Amazon Web Services
 
Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...
Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...
Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...Amazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech TalksLaunch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech TalksAmazon Web Services
 
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Amazon Web Services
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSAmazon Web Services
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsAmazon Web Services
 
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxTrack 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxAmazon Web Services
 
AWS Governance at Scale_AWSPSSummit_Singapore
AWS Governance at Scale_AWSPSSummit_SingaporeAWS Governance at Scale_AWSPSSummit_Singapore
AWS Governance at Scale_AWSPSSummit_SingaporeAmazon Web Services
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneAmazon Web Services
 
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Amazon Web Services
 
How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfAmazon Web Services
 

Similar to The Automation of Supervision Governance in the Cloud (20)

Landing Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsLanding Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS Migrations
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
 
Enterprise Security
Enterprise SecurityEnterprise Security
Enterprise Security
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management Tools
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
Cloud Governance and Provisioning Management using AWS Management Tools and S...
Cloud Governance and Provisioning Management using AWS Management Tools and S...Cloud Governance and Provisioning Management using AWS Management Tools and S...
Cloud Governance and Provisioning Management using AWS Management Tools and S...
 
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
 
Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...
Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...
Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech TalksLaunch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
 
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWS
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
 
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxTrack 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
 
AWS Governance at Scale_AWSPSSummit_Singapore
AWS Governance at Scale_AWSPSSummit_SingaporeAWS Governance at Scale_AWSPSSummit_Singapore
AWS Governance at Scale_AWSPSSummit_Singapore
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
 
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
 
How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdf
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
The Automation of Supervision Governance in the Cloud

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Automation of Supervision: Governance in the Cloud. Brian Wagner, Compliance Specialist, AWS Financial Services
  • 2. Common Pattern Framework Policies Business Outcomes Manage Risks
  • 3. Security governance is meant to support business objectives by defining policies & controls to manage risk
  • 4. Traditional governance flow Project Team Governance Check Policy Archive Policy Audit Release! Strategy Governance
  • 6. Compliance Data Automated Checks Release! Ops Audit Project Team Strategy Governance Policy
  • 7. Compliance Data Automated Checks Release! Ops Audit Project Team Strategy Governance Policy
  • 9. AWS CodeBuild, AWS Lambda, AWS CloudFormation, AWS Config, AWS CodePipeline
  • 10. AWS Config: Changing Resources → Record → Normalize → Store → Deliver (Stream, Snapshot (ex. 2014-11-05), History, AWS Config APIs)
  • 11. AWS Config & Config Rules: Changing Resources → Record → Normalize → Store → Deliver (Stream, Snapshot (ex. 2014-11-05), History, AWS Config APIs, Rules)
  • 12. Awareness at Scale
  • 13. Multi-Account structure (diagram labels: AWS Organizations Account, Core Accounts, BU/Product/Resource Accounts, Developer Accounts, Security, Billing Tooling, Shared Services, Sandbox, Networking, Internal Audit, Logging, Dev, Pre-Prod, Prod, Developer Sandbox, Data Center). Legend: Orgs: Account management; Logging: Centralized logs; Security: AWS Config Rules, security tools; Shared services: Directory, DNS, limit monitoring; Billing Tooling: Cost monitoring; Sandbox: Experiments; Dev: Development; Pre-Prod: Staging; Prod: Production
  • 14. Leveraging the AWS Account Boundary. Organizations account: Account Provisioning, Account Access (SSO). Shared Services account: Active Directory, Log Analytics. Logging account: CloudTrail/Config logs. Security account: Audit/Break-glass. (Diagram labels: AWS Organizations, AWS SSM, AWS Service Catalog, Core OU, Shared Services account, Logging account, Security account, AWS Organizations account, Network Baseline, Account Baseline, Security Cross-Account Roles, AWS Microsoft AD, Aggregate CloudTrail and Config Logs, Log Reporting, Amazon S3 bucket (manifest file), AWS CodePipeline, StackSets, AWS SSO)
  • 15. AWS Service Catalog Account Vending Machine (diagram labels: New AWS Account, Network Baseline, Account Baseline, AWS Organizations OU, Core, Security Account, Security Roles, Logging Account, Audit Bucket, Shared Services Account, Shared Network, Account Vending Machine). Account Vending Machine (AWS Service Catalog): Account creation UI; Account Baseline Versioning; Launch Constraints; Creates/Updates AWS Account; Apply Account Baseline stack sets; Create Network Baseline; Apply account Security Control Policy
  • 16. Deployment and configuration update pipeline
  • 18. Benefits of the AWS Automated Landing Zone: Automated; Scalable; Self-Service; Guardrails NOT Blockers; Auditable; Flexible
  • 19. ENTER THE LAYER CAKE The governance model is key
  • 20. Governance At The Speed Of Cloud Governance layer cake
  • 21. Layer Cake AWS Shared Responsibility model & compliance documents
  • 22. Shared Responsibility Model
  • 23. Layer Cake AWS Shared Responsibility model & compliance documents Service assessment and foundational security controls
  • 24. Service Governance – compliance: ISO 27001; SOC Reports (especially SOC2); Understand how the service is run; White papers & public documents; Your friendly AWS contact; AWS Artifact
  • 25. Assessment Criteria. Identity: IAM Policies for API access; Service Role Definition; User Identity Management. Detective control: API Calls; Application Logging; Default Config Rules; VPC Flow Logs; Guard Duty. Infrastructure security: VPC Endpoints; Private Link; Security Groups; Edge Services. Data protection: KMS Integration; Client Side Requirements; Tokenisation. Incident response: AWS Config Rules; Automated Remediation; SIEM; SecOps
  • 26. Quickly get to controls for the service: IAM, AWS CloudTrail, AWS Config, Amazon VPC, AWS KMS, AWS Lambda
  • 28. What’s in a platform? (diagram labels: Direct Connect, Dev, Pre-Prod, BU/Product/Resource Accounts, Security, Enterprise Accounts, AWS Organizations Master, Billing, Identity, PoC, Evil Account, Data Center, Logging, Prod, Shared Services). Legend: Orgs: Account management; Logging: Centralized logs; Security: AWS Config Rules, security tools; Shared services: Directory, DNS, AMI Factory; PoC: Experiments; Dev: Development; Pre-Prod: Staging; Prod: Production; Evil: Security Testing
  • 29. Platform – foundational controls (foundational security controls): Federate all the users; Leverage native encryption services; Ubiquitous logging; Trusted AMI builds; Default networking – application patterns; Standardised Edge Services; When a service is enabled so are the config rules
  • 30. Layer Cake – the tasty topping AWS Shared Responsibility model & compliance documents Service assessment and foundational security controls Workload specific security governance and controls
  • 31. Workload specifics Testing in the pipeline Project Team Automated Checks Communicate the requirements Policy
  • 32. On Nutrition (governance layer cake): Atomic assessment of AWS services defines the controls; Bake as many into the platform as possible; Automation helps scale; Don’t let the governance process become a blocking one; Communication is critical
  • 33. Three things YOU NEED TO GET RIGHT
  • 34. Foundations in the platform – Identity: Federation is the basis for the identity controls; Removing long lived API keys/IAM users raises the bar; Role broker & self-service for ephemeral resources; Identity lifecycle; Roles for coarse grained access can also map to Splunk/Jira/GitHub
  • 35. Foundations in the platform – Visibility: Monitor all the things; As you add services, add the config rules; Analytics for feedback; Someone’s fulltime job needs to be SecOps; Private link helps with plumbing
  • 36. Foundations in the platform – Encryption: KMS is awesome – volumes & credentials; SEC405: Ubiquitous Encryption (Wednesday); Keep the humans away from the data; Identity for KMS functions; Account boundary for data leakage; Pay attention to data replication & backup
  • 38. Continuous Compliance: Get started with CIS Benchmarks accelerator; Automate compliance using AWS native services; Let the data drive your policy decisions
  • 39. Security governance is meant to support business objectives by defining policies & controls to manage risk
  • 41. Thank you. Brian Wagner, Compliance Specialist, AWS Financial Services
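As an added example (not from the deck or from AWS), the custom AWS Config rule pattern behind slides 10, 11, 29 and 35 (Config records a changed resource and a rule evaluates it) applied to the encryption control from slide 36: a Lambda handler that receives a recorded EBS volume configuration item, decides COMPLIANT/NON_COMPLIANT, and returns the evaluation in the shape Config expects. The sample event, the volume id and capture time are constructed, and the `requiredKmsKeyId` rule parameter is a hypothetical name.

```python
import json

# Constructed sample event in the shape AWS Config hands to a custom rule's Lambda
# function: the configuration item arrives JSON-encoded inside "invokingEvent".
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",  # constructed id, not a real volume
            "configurationItemCaptureTime": "2018-11-05T12:00:00.000Z",
            "configurationItemStatus": "OK",
            "configuration": {"encrypted": False, "kmsKeyId": None},
        },
    }),
    "ruleParameters": json.dumps({}),
    "resultToken": "TESTMODE",
}

def evaluate_volume(config_item, rule_params):
    """Unencrypted volumes are NON_COMPLIANT; if the hypothetical rule parameter
    requiredKmsKeyId is set, the volume must also be encrypted with that key."""
    if config_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    if config_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"  # deleted resources get no compliance verdict
    cfg = config_item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return "NON_COMPLIANT"
    required_key = rule_params.get("requiredKmsKeyId")
    if required_key and cfg.get("kmsKeyId") != required_key:
        return "NON_COMPLIANT"
    return "COMPLIANT"

def lambda_handler(event, context):
    """Custom Config rule entry point; returns the evaluations it would report."""
    invoking = json.loads(event["invokingEvent"])
    rule_params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking.get("configurationItem")
    if item is None:  # oversized-item notifications are not handled in this example
        return []
    evaluations = [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_volume(item, rule_params),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]
    # A deployed rule reports these via boto3 config.put_evaluations(Evaluations=...,
    # ResultToken=event["resultToken"]); the call is omitted so this runs offline.
    return evaluations
```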