The document discusses automating security governance in the cloud. It recommends establishing foundational security controls by leveraging native AWS services for identity, visibility, and encryption. It also advocates implementing continuous compliance by automating assessments using AWS Config and other services. The "governance layer cake" model involves assessing AWS services, implementing baseline controls, and adding workload-specific controls to provide automated yet flexible governance that scales with the cloud.
30. Layer Cake – the tasty topping
AWS Shared Responsibility model & compliance documents
Service assessment and foundational security controls
Workload specific security governance and controls
34. Foundations in the platform
Identity
Federation is the basis for the identity controls
Removing long lived API keys/IAM users raises the bar
Role broker & self-service for ephemeral resources
Identity lifecycle
Roles for coarse grained access can also map to Splunk/Jira/GitHub
35. Foundations in the platform
Visibility
Monitor all the things
As you add services, add the config rules
Analytics for feedback
Someone’s full-time job needs to be SecOps
PrivateLink helps with plumbing
36. Foundations in the platform
Encryption
KMS is awesome – volumes & credentials
SEC405: Ubiquitous Encryption (Wednesday)
Keep the humans away from the data
Identity for KMS functions
Account boundary for data leakage
Pay attention to data replication & backup
38. Continuous Compliance
Get started with CIS Benchmarks accelerator
Automate compliance using AWS native services
Let the data drive your policy decisions
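As an added example (not from the talk), here is a baseline identity check of the kind the identity and continuous-compliance slides describe, run over a constructed excerpt of an IAM credential report. The column names follow the real report; the account id, users and dates are invented, and the threshold of 90 days is an assumption. It uses only the standard library so it runs offline; in AWS the same function would take the report fetched via the IAM API and run as a scheduled Lambda or Config rule.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the real IAM credential report columns,
# with a made-up account id, users and timestamps.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T08:00:00+00:00,not_supported,false,true,2019-01-10T08:00:00+00:00,2024-05-01T10:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T09:00:00+00:00,true,true,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2020-06-15T12:00:00+00:00,false,false,true,2020-06-15T12:00:00+00:00,2024-05-20T07:30:00+00:00
ci-runner,arn:aws:iam::111122223333:user/ci-runner,2024-04-01T12:00:00+00:00,false,false,true,2024-04-01T12:00:00+00:00,2024-05-20T07:30:00+00:00
"""

SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the sample
MAX_KEY_AGE = timedelta(days=90)                        # assumed rotation policy


def _parse_ts(value):
    """The report uses N/A / no_information / not_supported for missing timestamps."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def evaluate_credential_report(report_csv, now):
    """Return (user, finding) tuples for the baseline identity controls checked here."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = row["access_key_1_active"] == "true"
        if user == "<root_account>":
            if key_active:
                findings.append((user, "root account has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if key_active:
            rotated = _parse_ts(row["access_key_1_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key older than {MAX_KEY_AGE.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in evaluate_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"NON_COMPLIANT {user}: {finding}")
```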