
Architecting Security and Governance Across Multi Accounts

Whether it is per business unit or per application, many AWS customers use multiple accounts to meet their infrastructure isolation and billing requirements. In this session, we discuss considerations, limitations, and security patterns when building out a multi-account strategy. We explore topics such as identity federation, cross-account roles, consolidated logging, and account governance.

At the end of the session, we present an enterprise-ready, multi-account architecture that you can start leveraging today.



  1. Architecting Security and Governance Across a Multi-Account Strategy
     Dave Walker, Specialist Solutions Architect, Security and Compliance
  2. What to expect from the session
     • "Everything Starts with a Threat Model"
     • Control Mapping
     • Existing Multi-Account Strategies, and Multi-Account Planning
     • Organizations
     • Baselining Individual Accounts
     • Putting it Together
  3. “Start Here”
  4. “Everything starts with a threat model”
     • STRIDE, DREAD, others
     • Identify:
       • Actors
       • Vectors
       • “Bad stuff that could happen when bad people get creative”
       • Probabilities and consequences of bad stuff happening
     • Apply technical and procedural mitigations
       • All the way up the OSI stack, from network to application
     • Dan Ionita's "Gazetteer of threat / risk modelling frameworks": http://eprints.eemcs.utwente.nl/23767/
  5. “Everything starts with a threat model”
     • Constrain scope of potential threats to individual accounts
     • Plan for incident response and forensics
     • Protect your log records from tampering and unauthorised reads
  6. What AWS Means by "Governance"
     [Diagram: Security, Risk, Compliance, Governance]
  7. Attack vectors
     • Application-level and API-level attacks
     • “If it takes input, it likely has an in-band attack vector”
     • “If it has a control point, it likely has an out-of-band attack vector”
     • “Even if it doesn’t itself have a useful compromise, it might be a useful propagation vector”
     • A successful attack = disruption or corruption of service output, or reduction in responsiveness to future service calls, or being a conduit of “bad content” to vulnerable consumers of the service
     • Consider the OWASP Top 10 and other application-level attacks
  8. Control Mapping
  9. Why a Mapping of Security Controls?
     • PCI-DSS: standards for merchants which process credit card payments and have strict security requirements to protect cardholder data. A point-in-time certification.
     • SOC 1-3: designed by the “big 4” auditors as an evolution of SSAE16, SAS70 etc, and to address perceived shortcomings in ISO27001. A continuous-assessment certification, covering process and implementation.
     • ISO 27001: outlines the requirements for Information Security Management Systems. A point-in-time certification, but one which requires mature processes.
  10. General Headings:
     • Infrastructure meta-security
     • Host security
     • Network security
     • Logging and Auditing
     • Resilience
     • User Access Control and Management
     • Cryptography and Key Management
     • Incident Response and Forensics
     • “Anti-Malware”
     • Separation of Duty
     • Data Lifecycle Management
     • Geolocation
     • Anti-DDoS
  11. “Can our current Security Functions be mapped onto AWS?” (Environment Management)
     • Logging and Auditing → AWS CloudTrail
     • Asset Management → AWS Config, API
     • Management Access Control → AWS IAM, Organizations
     • Configuration Management → Web Console, AWS CloudFormation, AWS OpsWorks, CLI, API, SDKs
     • Configuration Monitoring → Amazon CloudWatch
  12. “Can our current Security Functions be mapped onto AWS?” (Network)
     • AWS to Customer Networks → Internet and/or Direct Connect
     • Layer 2 Network Segregation → Amazon VPC
     • Stateless Traffic Management → Network Access Control Lists
     • IPsec VPN → VPC VGW, Marketplace
     • Firewall / Layer 3 Packet Filter → Security Groups
     • IDS/IPS → AWS CloudTrail, CloudWatch Logs, SNS, VPC Flow Logging
     • Managed DDoS Prevention → Included in Amazon CloudFront
  13. “Can our current Security Functions be mapped onto AWS?” (Encryption, Key Management)
     • Data-In-Flight → IPsec or TLS or your own
     • Volume Encryption → Amazon EBS Encryption
     • Object Encryption → Amazon S3 Encryption (Server and Client Side)
     • Key Management → AWS Key Management Service
     • Dedicated HSMs → AWS CloudHSM
     • Database Encryption → TDE (RDS / Oracle EE), Encrypted Amazon EBS (with KMS), Encrypted Amazon Redshift
  14. “Can our Current Security Functions be mapped onto AWS?” (Data Management)
     • Hierarchical Storage → Amazon S3 Lifecycle
     • Deletion Protection → Amazon S3 MFA Delete
     • Versioning → Amazon S3 Versioning
     • Archiving → Amazon Glacier (optionally, with Vault Lock)
  15. “Can our Current Security Functions be mapped onto AWS?” (Host / Instance Security)
     • Traditional Controls → Traditional Controls (mostly)
     • Instance Management → Delete-and-promote
     • Incident Management → More alternatives!
     • Asset Management → “What the API returns, is true”
     • Instance Separation → PCI Level 1 Hypervisor, Dedicated Instances
  16. “Can our Current Security Functions be mapped onto AWS?” (Logging, Analysis, Alerting)
     • Traditional OS Sources → CloudWatch Logs, EC2 Systems Manager Inventory
     • Database Logs → RDS / Redshift Logs
  17. Logs→metrics→alerts→actions
     Sources: AWS Config, AWS CloudTrail, Amazon EC2 OS logs, Amazon VPC Flow Logs, API calls from most services, monitoring data from AWS services, custom metrics
       → CloudWatch / CloudWatch Logs
       → CloudWatch alarms
       → Amazon SNS
       → email notification, HTTP/S notification, SMS notifications, mobile push notifications
  18. Existing Multi-Account Strategies, and Multi-Account Planning
  19. The Story So Far
     • MASCOT
       • fully role- and identity-managed implementation from ProServe
       • Presented at re:Invent 2016: SAC319 (https://www.youtube.com/watch?v=pqq39mZKQXU), SAC320 (https://www.youtube.com/watch?v=xjtSWd8z_bE)
     • Bertram Dorn's work from 2014
       • similar structure, but a number of differences
       • https://youtu.be/CNSaJs7pWjA
     • Neither covers Organizations (quite yet)
     • MASCOT has coverage for KMS
  20. What Needs Segregating from What?
     • Obvious cases first:
       • Read access to Billing and Log records from everyone, except Auditors and Security
         • ...and even then, access should be limited to appropriate cases
         • consider evidential weight
       • Prod from Dev, Test and Staging
         • remember Knight Capital?
         • also "bug ringfencing"
       • Compliance in-scope from out-of-scope
         • auditors need to see a hard scope boundary
         • you will want to keep in-scope environments as small as possible
         • use both AWS Accounts and VPCs for this
  21. What Needs Segregating from What?
     • Less obvious cases:
       • Look at your own org chart and body of policies
       • Consider how Separation of Duty and Need to Know operate
         • both within and between departments
     • Within org charts, policy, compliance scoping, and the need to ringfence dev accounts where bugs could impact API access, lie the answers to "how many:
       • AWS Organizations
       • KMS CMKs
       • AWS accounts
       ...do I need?"
  22. Organizations
  23. In the beginning…
     [Diagram: You → Your AWS Account]
  24. Today
     [Diagram: You → Your Cloud Team → Jump Account, with Cross Account Trusts and Cross Account Resource Access into the Dev Account, Prod Account, Data Science Account and Audit Account]
  25. What do customers want to do?
     • Use AWS account boundaries for isolation.
     • Centrally manage policies across many accounts.
     • Delegate permissions, but maintain guardrails.
     • See combined view of all charges.
  26. Introducing AWS Organizations
     Policy-based management for multiple AWS accounts.
     • Control AWS service use across accounts
     • Consolidate billing
     • Automate AWS account creation
  27. Typical Use Cases
     • Control the use of AWS services to help comply with corporate security and compliance policies.
       • Service Control Policies (SCPs) help you centrally control AWS service use across multiple AWS accounts.
       • Ensure that entities in your accounts can use only the services that meet your corporate security and compliance policy requirements.
  28. Typical Use Cases
     • Automate the creation of AWS accounts for different resources.
       • API driven AWS account creation.
       • Use APIs to add the new account to a group and attach service control policies.
       • Use API response to trigger additional automation (eg deploy CloudFormation template)
  29. Typical Use Cases
     • Create different groups of accounts for development and production resources.
       • Organise groups into a hierarchy.
       • Apply different policies to each group.
     • Alternatively, group according to lines-of-business or other desired dimensions.
  30. Key Features
     • Policy framework for multiple AWS accounts.
     • Group-based account management.
     • Account creation and management APIs.
     • Consolidated billing for all AWS accounts in your organization.
     • Enable Consolidated Billing Only or All Features.
  31. How is Organizations different from IAM?
     • Create groups of AWS accounts with AWS Organizations.
     • Use Organizations to attach SCPs to those groups to centrally control AWS service use.
     • Entities in the AWS accounts can only use the AWS services allowed by both the SCP and the AWS IAM policy for the account.
  32. How to get started?
     • Revisit or create your account segmentation strategy.
     • Decide which type of organization is right for you.
     • Organize your AWS accounts according to it.
     • Test & begin to apply SCPs slowly.
     • Iterate on SCPs to achieve your desired state.
  33. Pricing & Availability
     • Available at no additional charge.
     • Global service.
     • Accessed through endpoint in N. Virginia region.
  34. Service Control Policies (SCPs)
     • Enables you to control which AWS service APIs are accessible
       - Define the list of APIs that are allowed – whitelisting
       - Define the list of APIs that must be blocked – blacklisting
     • Cannot be overridden by local administrator
     • Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions
     • Necessary but not sufficient
     • IAM policy simulator is SCP aware
  35. SCP examples
     Blacklisting example:
     {
       "Version": "2012-10-17",
       "Statement": [
         { "Effect": "Allow", "Action": "*", "Resource": "*" },
         { "Effect": "Deny", "Action": "redshift:*", "Resource": "*" }
       ]
     }
     Whitelisting example:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "ec2:RunInstances",
             "ec2:DescribeInstances",
             "ec2:DescribeImages",
             "ec2:DescribeKeyPairs",
             "ec2:DescribeVpcs",
             "ec2:DescribeSubnets",
             "ec2:DescribeSecurityGroups"
           ],
           "Resource": "*"
         }
       ]
     }
  36. Best practices – AWS Organizations
     1. Monitor activity in the master account using CloudTrail
     2. Do not manage resources in the master account
     3. Manage your organization using the principle of “Least privilege”
     4. Use OUs to assign controls
     5. Test controls on single AWS account first
     6. Only assign controls to root of organization if necessary
     7. Avoid mixing “whitelisting” and “blacklisting” SCPs in organization
     8. Create new AWS accounts for the right reasons
  37. More on SCPs
     • Service Control Policies
       • ...which look like IAM policies
       • (but without support for Conditions, in v1.0)
     • Imposed by Master account on child accounts
       • essentially concatenate with per-child-account IAM policies
     • Allows / Denies access to specific per-service API calls, or whole services
       • as with IAM policies, a single explicit Deny overrides any number of explicit Allows
     • But: they are also applied to the root user in the child account
       • Here's where we get into Mandatory Access Control!
  38. More on SCPs
     • Also:
       • you don't have to apply an SCP before you populate your account with assets...
       • this lends the idea of "immutable infrastructure" to other services, from the point of view of the child accounts
         • (including Serverless)
       • eg:
         • S3 websites which can't have their contents changed
         • Lambda functions which are invoke-only "black boxes"
         • ACM cert / key pairs which can't be deleted
         • Prevent CloudTrail, Config ever being turned off
         • ...
  39. More on SCPs
     • In Practice:
       • the imposer of the SCP in the Master account gets no privilege in the child account's service, as a function of this capability
       • this makes SCPs a neat 2-person rule mechanism, too
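The evaluation rules on slides 34 and 37 (result = intersection of SCP and IAM permissions, a single explicit Deny wins, and the SCP binds the child account's root user as well) can be modelled offline. The following is an added example written for this transcript, not code from the deck or from AWS: it reuses the two SCPs from slide 35 and a constructed IAM policy for a role in a member account, and it models action matching only (no Resource or Condition evaluation, which SCP v1.0 did not support anyway). It is a teaching model, not the AWS policy engine; use the SCP-aware IAM policy simulator the slide mentions for real decisions.

```python
"""Offline model of how a Service Control Policy combines with an identity's
IAM policy: the effective permission is the intersection of the two, any
explicit Deny wins, and the SCP also applies to the member account's root
user (who is otherwise not subject to IAM identity policies).
Added teaching example; no Resource/Condition evaluation."""
import fnmatch
from typing import Any, Dict, List, Optional, Tuple

# The two SCPs from slide 35.
BLACKLIST_SCP: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"},
    ],
}
WHITELIST_SCP: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances", "ec2:DescribeInstances", "ec2:DescribeImages",
                "ec2:DescribeKeyPairs", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed IAM policy attached to a role in a member account (not from the slides).
MEMBER_ROLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "redshift:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy: Dict[str, Any], action: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "Deny"          # one explicit Deny overrides every Allow
            decision = "Allow"
    return decision


def effective_decision(scp: Dict[str, Any], iam_policy: Optional[Dict[str, Any]],
                       action: str, is_root: bool = False) -> Tuple[str, str, str]:
    """Combine the SCP with the identity's IAM policy.

    Returns (final, scp_result, iam_result). For the root user pass
    is_root=True: IAM identity policies do not constrain root, but the SCP
    still does, which is the slide-37 point about Mandatory Access Control."""
    scp_result = evaluate_policy(scp, action)
    iam_result = "Allow" if is_root else evaluate_policy(iam_policy or {}, action)
    if "Deny" in (scp_result, iam_result):
        final = "Deny"                  # explicit Deny on either side wins
    elif scp_result == "Allow" and iam_result == "Allow":
        final = "Allow"                 # allowed by both: the intersection
    else:
        final = "Deny"                  # implicit deny on either side
    return final, scp_result, iam_result


if __name__ == "__main__":
    cases = [
        (WHITELIST_SCP, MEMBER_ROLE_POLICY, "ec2:DescribeInstances", False),
        (WHITELIST_SCP, MEMBER_ROLE_POLICY, "redshift:CreateCluster", False),
        (BLACKLIST_SCP, MEMBER_ROLE_POLICY, "redshift:CreateCluster", False),
        (BLACKLIST_SCP, MEMBER_ROLE_POLICY, "ec2:TerminateInstances", False),
        (BLACKLIST_SCP, None, "redshift:CreateCluster", True),
    ]
    for scp, iam, action, root in cases:
        who = "root" if root else "role"
        print(f"{who:4} {action:26} -> {effective_decision(scp, iam, action, root)}")
```

The last case in the demo is the one worth internalising: the member account's root user is allowed everything by IAM, yet still cannot call Redshift under the blacklisting SCP, so an SCP is the one control a local administrator cannot undo from inside the account.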
  40. Baselining Individual Accounts
  41. Industry Best Practices for Securing AWS Resources
     CIS Amazon Web Services Foundations
     • Architecture agnostic set of security configuration best practices
     • provides step-by-step implementation and assessment procedures
  42. CIS AWS Foundation Automation is mostly there...
  43. Now Add an Incident Response Baseline:
     • Have a small NACLed subnet per AZ, per VPC for isolation of misbehaving instances
       • flip their ENIs to it, as needed
     • Have a Forensics role like the Audit role, per-account
       • read-only access to (essentially) everything
     • Have a runbook so a Forensic Investigator can work with the network admin team to:
       • provision a forensic workstation AMI onto the isolation subnet
       • open a hole in the NACL to the workstation from an appropriate bastion (or use Run Command to remotely operate forensic CLI tools)
  44. Potential Further Extensions
     • EC2 Systems Manager
       • Inventory: like OSQuery
       • State Manager: like OpenSCAP
     • DMZs
     • Bastions
     • Management networks
  45. AWS Enterprise Accelerator: Compliance Architectures
     • Sample Architecture
     • Security Controls Matrix
     • CloudFormation Templates (5 x templates)
     • User Guide: http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html
  46. Putting it Together
  47. Billing Records Handled by Organizations Master
     | ItemDescription | UsageStartDate | UsageEndDate | UsageQuantity | CurrencyCode | CostBeforeTax | Credits | TaxAmount | TaxType | TotalCost |
     | $0.000 per GB - regional data transfer under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.00000675 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
     | $0.05 per GB-month of provisioned storage - US West (Oregon) | 01.04.14 00:00 | 30.04.14 23:59 | 1.126.666.554 | USD | 0.56 | 0.0 | 0.000000 | None | 0.560000 |
     | First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 10.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
     | First 1,000,000 Amazon SQS Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 4153.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
     | $0.00 per GB - EU (Ireland) data transfer from US West (Northern California) | 01.04.14 00:00 | 30.04.14 23:59 | 0.00003292 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
     | $0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.02311019 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
     | First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 88.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
     | $0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 3.3E-7 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
  48. AWS CloudTrail logs can be delivered cross-account
     • CloudTrail can help achieve many tasks
     • Accounts can send their trails to a central account
     • Central account can then do analytics
     • Central account can:
       ‣ Redistribute the trails
       ‣ Grant access to the trails
       ‣ Filter and reformat Trails (to meet privacy requirements)
  49. S3 Subtleties
     • S3 write-only cross-account sharing
       • Share write-only (no reading or listing of contents) from owner account via bucket policy
       • Writer accounts have IAM permissions to write
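Slide 49's write-only sharing pattern is easy to get wrong in a bucket policy: a grant of s3:* or s3:Get* to a writer account lets that account read every other account's trails, and a PutObject grant without an ownership condition leaves the written objects owned by the writer, so the central account may not even be able to read its own logs. The following is an added example, not code from the deck or from AWS; the account IDs, bucket name and both policies are constructed. It audits a bucket policy for exactly those two mistakes. The bucket-owner-full-control check reflects the classic ACL-based object-ownership behaviour; buckets that enforce owner ownership at the bucket level make that finding moot.

```python
"""Audit an S3 bucket policy for the write-only cross-account sharing
pattern: other accounts may put objects into the consolidated log bucket
but must not be able to read or list what is there.  Added example; all
account IDs and bucket names are constructed."""
import fnmatch
import re
from typing import Any, Dict, List, Set

OWNER_ACCOUNT = "999999999999"      # constructed: the log-aggregation account
WRITER_ACCOUNT = "111111111111"     # constructed: a member account delivering logs
BUCKET_ARN = "arn:aws:s3:::example-consolidated-logs"   # constructed

# Concrete actions that would let a writer see other accounts' data.
READ_OR_LIST_ACTIONS = (
    "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
    "s3:ListBucketVersions", "s3:GetBucketPolicy", "s3:GetBucketAcl",
)

# Correct: PutObject only, scoped to the writer's own prefix, owner gets full control.
GOOD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WriterPutOnly",
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{WRITER_ACCOUNT}:root"]},
        "Action": "s3:PutObject",
        "Resource": f"{BUCKET_ARN}/AWSLogs/{WRITER_ACCOUNT}/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }],
}

# Over-shared: s3:* includes Get and List, and there is no ACL condition.
BAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WriterFullAccess",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{WRITER_ACCOUNT}:root"},
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
    }],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal: Any) -> Set[str]:
    """Extract 12-digit account IDs (or '*') from a Principal element."""
    if principal == "*":
        return {"*"}
    found: Set[str] = set()
    if isinstance(principal, dict):
        for entry in _as_list(principal.get("AWS", [])):
            if entry == "*":
                found.add("*")
            else:
                match = re.search(r"\b(\d{12})\b", str(entry))
                if match:
                    found.add(match.group(1))
    return found


def _grants(patterns: List[str], concrete_action: str) -> bool:
    # Policy actions are the wildcard patterns; IAM matching is case-insensitive.
    return any(fnmatch.fnmatchcase(concrete_action.lower(), p.lower()) for p in patterns)


def audit_write_only_policy(policy: Dict[str, Any], owner_account: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy is write-only."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        external = _principal_accounts(stmt.get("Principal", {})) - {owner_account}
        if not external:
            continue  # grants to the owner account itself are not in scope here
        actions = [str(a) for a in _as_list(stmt.get("Action", []))]
        if "*" in external:
            findings.append(f"{sid}: Principal is a wildcard, so anyone can use this grant")
        leaked = [a for a in READ_OR_LIST_ACTIONS if _grants(actions, a)]
        if leaked:
            findings.append(f"{sid}: external account(s) {sorted(external)} can {', '.join(leaked)}")
        if _grants(actions, "s3:PutObject"):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject granted without the bucket-owner-full-control "
                                "ACL condition; written objects stay owned by the writer")
    return findings


if __name__ == "__main__":
    for name, policy in (("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name, audit_write_only_policy(policy, OWNER_ACCOUNT) or ["no findings"])
```

Run it against the policy returned by get-bucket-policy for the consolidated logs bucket (parsed with json.loads) as part of the account baseline; the writer side of the pattern, the IAM permission in each member account, is not covered by this check.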
  50. Multi-Account Aggregation of Delivered Data
     [Diagram: Region 1, Region 2, Region 3 → Common S3 bucket (Amazon S3 policies should permit accounts to write Config data); SNS Topic: Region 1, SNS Topic: Region 2, SNS Topic: Region 3 → Common SQS queue (Amazon SQS/Amazon SNS publish/subscribe permissions should be set)]
  51. Staging and Masking Logs
     • We can mask PII in CloudTrail logs
       • Bertram Dorn has a Lambda function for it
       • Originally intended as a proposal to address considerations in upcoming German privacy law
       • Can be generalised to other consistent AWS log formats
  52. Staging and Masking Logs
     • Extend it to mask relevant fields in:
       • CloudWatch logs
       • ELB, CloudFront, Amazon VPC flow log, etc. records
       • ...all of which use CloudWatch Logs
     • If we use CloudWatch Events, we can use a Lambda function to land our logs in a local S3 bucket, then use a cross-account Lambda function to mask-and-forward
     • Config records can be forwarded as-is
  53. Staging and Masking Logs
     [Diagram: Flow Logs etc in CW Logs → Local masking Lambda → Local S3 bucket → Cross-acct Lambda → Consolidated logs bucket]
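The masking step in the slide-53 pipeline is the part that turns a "forward everything" log flow into one that satisfies the privacy requirement on slide 48 without destroying its detection value. The following is an added example written for this transcript; it is not Bertram Dorn's function and not AWS code, and its field choices and sample records are constructed. It pseudonymises identity fields with a keyed hash (HMAC-SHA256 under a per-deployment secret) rather than blanking them, so the same principal maps to the same token in every record and in every account's trail, which keeps cross-account correlation in the consolidated bucket possible while the raw user names, ARNs, access key IDs and source IPs never leave the source account. Event name, source, time, region and account ID are deliberately left in clear.

```python
"""Pseudonymise identity fields in a CloudTrail delivery file before it is
forwarded cross-account. Added example with constructed records; not the
function referenced on slide 51."""
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Keys inside userIdentity, at any depth (e.g. sessionContext.sessionIssuer), to mask.
IDENTITY_PII_KEYS = {"userName", "arn", "principalId", "accessKeyId"}
# Top-level record fields to mask. eventName, eventSource, eventTime, awsRegion,
# errorCode and userIdentity.accountId stay in clear so detections still work.
RECORD_PII_KEYS = {"sourceIPAddress"}


def pseudonymise(value: str, key: bytes, label: str) -> str:
    """Deterministic, keyed token: same input and key -> same token."""
    token = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return f"{label}:{token}"


def _mask_tree(node: Any, key: bytes) -> Any:
    if isinstance(node, dict):
        return {
            k: pseudonymise(v, key, k) if k in IDENTITY_PII_KEYS and isinstance(v, str)
            else _mask_tree(v, key)
            for k, v in node.items()
        }
    if isinstance(node, list):
        return [_mask_tree(item, key) for item in node]
    return node


def mask_record(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    out = copy.deepcopy(record)
    if isinstance(out.get("userIdentity"), dict):
        out["userIdentity"] = _mask_tree(out["userIdentity"], key)
    for field in RECORD_PII_KEYS:
        if isinstance(out.get(field), str):
            out[field] = pseudonymise(out[field], key, field)
    return out


def mask_cloudtrail_records(raw: bytes, key: bytes) -> List[Dict[str, Any]]:
    """Parse one CloudTrail delivery file (JSON with a Records array) and mask it."""
    doc = json.loads(raw)
    return [mask_record(r, key) for r in doc.get("Records", [])]


def mask_cloudtrail_file(raw: bytes, key: bytes) -> bytes:
    """Same, but returns the re-serialised file ready to be written to the forwarding bucket."""
    return json.dumps({"Records": mask_cloudtrail_records(raw, key)},
                      separators=(",", ":")).encode("utf-8")


# Constructed sample: two events by the same IAM user; not a real trail.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2017-05-01T10:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEPRINCIPAL",
                      "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"}},
    {"eventVersion": "1.05", "eventTime": "2017-05-01T10:05:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEPRINCIPAL",
                      "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]}).encode("utf-8")

SAMPLE_KEY = b"constructed-per-deployment-secret"  # in production: fetched from a secret store, never in code

if __name__ == "__main__":
    print(json.dumps(mask_cloudtrail_records(SAMPLE_TRAIL, SAMPLE_KEY), indent=2))
```

In the slide-53 layout this function body is what the cross-account Lambda runs between reading the local S3 object and writing it to the consolidated logs bucket; the key must stay in the source account, since whoever holds it can test candidate names against the tokens.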
  54. Log Analytics
     • Splunk, SumoLogic, other AWS Marketplace products
     • ElasticSearch and Kibana
       • https://aws.amazon.com/blogs/security/how-to-optimize-and-visualize-your-security-groups/
     • Athena
       • "Run SQL against S3"
     • QuickSight
       • Intended for Business Intelligence, but bendable to purpose... ?
  55. [Architecture diagram, built up over slides 55 to 69. Legend: read-only, read-all flow; API and IAM call flow; logging traffic flow; billing traffic flow. Starting elements: On-premise (bucket, IdP server), AWS Account: Bill Aggregation, Organization member account, Organization non-member account, API Endpoints]
  56. [Diagram: adds AWS Organizations]
  57. [Diagram: Bill Aggregation account becomes AWS Account: Bill Aggregation and Anonymisation (AWS Lambda, role, bucket); adds AWS Account: Anonymised Bills]
  58. [Diagram: adds AWS Account: Log aggregation]
  59. [Diagram: Log aggregation account becomes AWS Account: Log aggregation and anonymisation (AWS Lambda, role, bucket); adds AWS Account: Anonymised Logs (bucket)]
  60. [Diagram: adds AWS Account: IAM Federation (AWS IAM, role)]
  61. [Diagram: adds AWS Account: Security Team (AWS IAM, Scanning tools, Forensics tools)]
  62. [Diagram: adds AWS Account: Resources (AWS IAM, AWS KMS)]
  63. [Diagram: adds a second AWS Account: Resources (AWS IAM, AWS KMS)]
  64. [Diagram: adds AWS Account: Shared Svcs (LDAP, AWS CloudHSM, Internal DNS, Scanning tools)]
  65. [Diagram: adds AWS Account: Audit (Internal) and Amazon QuickSight]
  66. [Diagram: adds AWS Account: Audit (External) and Amazon Athena]
  67. [Diagram: adds AWS Account: Regulator and Amazon Redshift*]
  68. [Diagram: adds AWS Account: Incident Response]
  69. [Diagram: adds AWS Account: Forensic Repo (bucket) and AWS Account: Forensic Working Repo (bucket)]
  70. Helpful Resources
     • Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
     • Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
     • Compliance Centre Website: https://aws.amazon.com/compliance
     • Security Centre: https://aws.amazon.com/security
     • Security Blog: https://blogs.aws.amazon.com/security/
     • Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/
     • AWS Audit Training: awsaudittraining@amazon.com
  71. Helpful Videos
     • The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M
     • IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
     • Encryption on AWS: https://youtu.be/DXqDStJ4epE
     • Securing Serverless Architectures: https://www.youtube.com/watch?v=8mpTpOXmws8
  72. Thank you!
