-Learn how to use AWS services to protect highly classified information -Learn about compliance and governance with AWS -Learn how to use AWS CloudTrail to gain visibility into your AWS account activity

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Sid Gupta, Sr. Product Manager, AWS Management Tools
September 12, 2017
Using AWS CloudTrail to
Enhance Governance and
Compliance of Amazon S3

2. What to expect from the session?
• Overview of:
• Governance and compliance
• AWS Config and Config rules
• AWS CloudTrail
• AWS CloudTrail S3 Data Events
• Use cases and examples
• S3 Data Events demo
• Amazon Macie

3. What is Governance and Compliance?
Governance is the oversight role and the process by which
companies manage and mitigate business risks.
Compliance ensures that an organization has the process
and internal controls to meet the requirements imposed by
the governance body.

4. So what does this mean?
To effectively use IT in enabling an organization to achieve its governance and
compliance goals, you need to:
• Define and control what IT is supposed to do
• Monitor what IT is doing
• Respond to changes, report and remediate as appropriate

5. AWS shared responsibility model

6. Customer Data in Amazon S3
What do you have in your S3 buckets?
• Static website content
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• Logs
• Sensitive data
• Password files

7. Amazon S3 features to help you with governance and
compliance
• S3 bucket policies
• MFA delete
• Versioning and lifecycle policies
• Object tags
• S3 access logs
• Encryption options

8. AWS services that can further enhance your efforts
AWS Config AWS CloudTrail Amazon Macie

9. Gain visibility with AWS Config
• Get inventory of all your AWS resources
• Discover resources that exist in your account and capture configurations
• Provide rules to ensure resource configurations conform to your internal
best practices and guidelines

10. AWS Config key benefits
• Enables you to assess, audit, and evaluate the configurations of your AWS resources
• Continuously monitors and records your AWS resource configurations
• Allows you to automate the evaluation of recorded configurations against desired
configurations with Config rules
Continuous Monitoring
Change Management
Continuous Assessment
Operational Troubleshooting

11. AWS Config rules
Configurable and customizable rules:
• Check whether logging is enabled for your S3 buckets.
• Check whether S3 buckets have policies that require requests to
use Secure Socket Layer (SSL).
• Check whether versioning is enabled for your S3 buckets.
Optionally, you can check if MFA delete is enabled for your S3
buckets.

12. New AWS Config rules
• AWS Config now supports two new managed rules to detect overly
permissive Amazon S3 bucket policies

13. Track account activity with AWS CloudTrail
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by capturing a
comprehensive history of changes that occurred in your AWS account
• Simplify your compliance audits by automatically recording and storing
activity logs for your AWS account

14. AWS CloudTrail key benefits
• Allows you to log, continuously monitor, and retain events related to API calls across your
AWS infrastructure
• Provides a history of AWS API calls for your account, including API calls made through the
AWS Management Console, AWS SDKs, command line tools, and other AWS services
Simplified Compliance
Security Analysis and
Troubleshooting
Visibility Into User and
Resource Activity
Security Automation

15. AWS CloudTrail features
• Management Event and S3 Data Event logging
• Multi region and multi trail enabled
• S3 log delivery
• Log file encryption
• Integrity validation
• SNS notification
• Cross-account S3 delivery
• CloudWatch Logs integration
• CloudWatch Events integration
• Personal Health Dashboard integration
• Support for multi-region configurations
• Event filters for read/write event actions

16. AWS CloudTrail S3 Data Events
S3 Data events are object-level API operations that access S3
objects, such as GetObject, DeleteObject, and PutObject. By
default, trails don't log data events, but you can configure trails to
log data events for S3 buckets and objects that you specify.
• S3 bucket-level operations are still captured by default as part
of CloudTrail Management Events.
How it works:
• Enable at the bucket or bucket/prefix level
• Captures S3 object-level API activities
• Event logs delivered to your S3 bucket designated in your trail
• $0.10 per 100,000 data events

17. AWS CloudTrail S3 Data Events
S3 Data events differ from S3 access logs in the following
ways:
• Delivered to CloudWatch Events within seconds of the
activity occurring and to S3 log storage and CloudWatch
Logs within minutes
• Include additional information such as additional user
identity details, error messages, request parameters, and
regional information
• JSON format, consistent with all other CloudTrail event logs
• Inherit all the CloudTrail features including log file integrity
validation

18. Use case:
• Detect data exfiltration
• You can detect data exfiltration by collecting activity data on S3
objects through object-level API events recorded in CloudTrail.
After the activity data is collected, you can use other AWS
services, such as Macie, CloudWatch Events, and Lambda, to
trigger response procedures.
Example: Detect access to sensitive data from unauthorized networks or
IP addresses.
AWS CloudTrail S3 Data Events

19. Use case:
• Perform security analysis
• You can quickly detect misconfiguration and perform security
analysis by ingesting AWS CloudTrail S3 Data Events into your
log management and analytics solutions such as Macie,
CloudWatch Logs, CloudWatch Events, Athena, ElasticSearch
Service, or 3rd party solution
Example: Identify who changed the permissions on a confidential financial
file to public.
AWS CloudTrail S3 Data Events

20. Detect if an S3 object becomes public, auto-remediate the issue by removing
the public read/write permissions, and notify the Security team with full details
of the event.
Demo scenario (S3 Data Event – ACL Change)

21. Step 1. Setup CloudTrail S3 Data Events
Demo scenario (S3 Data Event – ACL Change)

23. Step 2. Create your Lambda function
Demo scenario (S3 Data Event – ACL Change)

25. Step 3. Create a CloudWatch Event rule
Demo scenario (S3 Data Event – ACL Change)

27. Step 4. Change the file ‘Jan2017-profit-loss.xlsx” from private to publically
accessible.
This change will trigger the Lambda function ‘CheckandCorrectObjectACL’
which will log activity to CloudWatch Logs, revert the file ACL back to private,
and fire off an SNS notification to generate an email containing the details.
Demo scenario (S3 Data Event – ACL Change)

30. • Currently available in all commercial regions
• Easily enabled via the CloudTrail console or AWS CLI
• Ability to log read, write, or all S3 object-level events
AWS CloudTrail S3 Data Events

31. What is it?
• Amazon Macie is a security service that uses
machine learning to automatically discover, classify,
and protect sensitive data in AWS.
• What data do I have in the cloud?
• Where is it located?
• How is data being shared and stored?
• How can I classify data in near-real time?
• What PII/PHI is possibly exposed?
• How do I build workflow remediation for my
security and compliance needs?
Macie helps answer questions such as:
Amazon Macie

32. Summary
Config, CloudTrail, and Macie provide:
• Broad and deep visibility for S3 compliance and governance
• Governance and Compliance as code
• Enable: standardization, self-service, and automation
Find out more here:
https://aws.amazon.com/config/
https://aws.amazon.com/cloudtrail/
https://aws.amazon.com/macie/

33. Thank you!
bobodell@amazon.com