The Australian Cyber Security Centre (ACSC) awarded PROTECTED certification to AWS for 42 cloud services in the AWS Asia-Pacific (Sydney) Region. This is the highest data security certification available in Australia for cloud, and AWS has the most PROTECTED services of any public cloud service provider. This session will cover the services that were certified, a reference architecture that allows you to build applications which handle highly sensitive government data, and the benefits this provides to public sector and commercial organisations in Australia.

1. S U M M I T
SYDNEY

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS PROTECTED: Why this
matters for Australia
Herman Coomans
Senior Manager, Solutions Architecture,
Amazon Web Services

3. Source: Wikimedia commons
Parliament House, Canberra

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
“Innovation and cloud help form
the basis on which we will
make the Australian
government more secure.
Innovation is good. Cloud is
good – because it helps us
move off from legacy
systems. Our biggest risk is
indeed legacy systems.”
Voice of our customers

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Quick acronym glossary
ACSC Australian Cyber Security Centre
https://www.acsc.gov.au/
ASD Australian Signals Directorate
https://asd.gov.au/
ISM Australian Government Information Security Manual
IRAP Information Security Registered Assessors Program

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS services assessed at PROTECTED
42 services across a broad range of categories
Standard services, standard pricing
Leverage familiar and established AWS Sydney region
Access to 3 availability zones
Consumer guide and reference architecture immediately available

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Why is it important?
• to government
• to private enterprise
• to developers and partners
• to citizens

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Voice of our customers

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Let us do the heavy lifting
acsc.gov.au/infosec/ism

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Database subnetPrivate subnet
Lambda subnet
App subnet
Reference Architecture
VPC
Sydney Region
Auto Scaling
Users
Office
Amazon CloudWatch
AWS Direct Connect Amazon RDS
AWS WAF
AWS Lambda
(NLB ALB Sync)
Security group
AWS Lambda
(WAF updates)
Security group
Application Load
Balancer
Agent
MFA token
Network Load
Balancer
Amazon VPC
PrivateLink for
cross-VPC or
cross-agency
access
VPN Gateway
Security group
Role
Instances

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
What about DR?
AWS Region
Availability Zone
Physical Sites
Availability Zone
Physical Sites
Availability Zone
Physical Sites
ap-southeast-2a ap-southeast-2b
ap-southeast-2c
Sydney Region
ap-southeast-2

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
PROTECTED
Why is it all uppercase?

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Classification
www.protectivesecurity.gov.au
Sensitive
information
Security classified information
UNOFFICIAL OFFICIAL
OFFICIAL:
Sensitive
PROTECTED SECRET TOP SECRET
Compromise
of information
confidentiality
would be
expected to
cause →
No business
impact
1 Low business
impact
2 Low to
medium
business
impact
3 High
business
impact
4 Extreme
business
impact
5 Catastrophic
business
impact
Not applicable.
This
information
does not form
part of official
duty.
Not applicable.
This is the
majority of
routine
information
created or
processed by
the public
sector.
Limited
damage to an
individual,
organisation or
government
generally if
compromised.
Damage to the
national
interest,
organisations
or individuals.
Serious
damage to the
national
interest,
organisations
or individuals.
Exceptionally
grave damage
to the national
interest,
organisations
or individuals.

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Markings
Sensitive
information
Security classified information
OFFICIAL
OFFICIAL:
Sensitive
PROTECTED SECRET TOP SECRET
1 Low business
impact
2 Low to medium
business impact
3 High business
impact
4 Extreme business
impact
5 Catastrophic
business impact
Identify information with
text-based markings used
unless impractical for
operational reasons
Marking not
required.
Text marking
required:
OFFICIAL:
Sensitive
Text marking
required:
PROTECTED
Text marking
required:
SECRET
Text marking
required:
TOP SECRET
If text-based markings
cannot be used, use
colour-based markings
Marking not
required.
Marking not
required.
Blue colour marking
required (if text
marking cannot be
used).
Salmon (pink) colour
marking required (if
text marking cannot
be used).
Red colour marking
required (if text
marking cannot be
used).
If text or colour based
markings cannot be used,
document the entity
Marking not
required.
Marking not
required.
Marking required. Marking required. Marking required.
www.protectivesecurity.gov.au

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
What’s the difference?
Is there a checkbox? How do I order PROTECTED services?
… there is no difference!

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
PROTECTED Scope
Analytics
Amazon Elastic MapReduce (Amazon EMR)
Amazon Kinesis Data Streams
Amazon Kinesis Data Firehose
Desktop
Amazon WorkSpaces
Amazon WorkDocs
Storage
Amazon S3
Amazon S3 Transfer Acceleration
Amazon EBS
Amazon Glacier
Database
Amazon DynamoDB
Amazon Redshift
Amazon RDS
• MySQL
• PostgreSQL
• SQL Server
• Oracle
• MariaDB
• Aurora
Amazon ElastiCache
Management
Amazon CloudWatch
Amazon CloudWatch Logs
AWS CloudFormation
AWS CloudTrail
AWS Config
AWS Systems Manager
Mobile
Amazon API Gateway
Compute
Amazon EC2
Amazon Elastic Container Service
(Amazon ECS)
Amazon EC2 Auto Scaling
Amazon ELB
AWS Lambda
AWS Lambda@Edge
Networking & Content Delivery
Amazon Virtual Private Cloud (Amazon VPC)
AWS Direct Connect
Amazon CloudFront
Security, Identity and Compliance
Amazon Identity and Access Management (IAM)
AWS Directory Services
Amazon Cognito
Amazon Inspector
AWS Key Management Service
AWS CloudHSM
AWS WAF
Amazon GuardDuty
Application Integration
Amazon Simple Workflow Service
AWS Step Functions
Amazon Simple Notification Service
Amazon Simple Queue Service

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
PROTECTED Scope
Analytics
Amazon Elastic MapReduce (Amazon EMR)
Amazon Kinesis Data Streams
Amazon Kinesis Data Firehose
Desktop
Amazon WorkSpaces
Amazon WorkDocs
Storage
Amazon S3
Amazon S3 Transfer Acceleration
Amazon EBS
Amazon Glacier
Database
Amazon DynamoDB
Amazon Redshift
Amazon RDS
• MySQL
• PostgreSQL
• SQL Server
• Oracle
• MariaDB
• Aurora
Amazon ElastiCache
Management
Amazon CloudWatch
Amazon CloudWatch Logs
AWS CloudFormation
AWS CloudTrail
AWS Config
AWS Systems Manager
Mobile
Amazon API Gateway
Compute
Amazon EC2
Amazon Elastic Container Service
(Amazon ECS)
Amazon EC2 Auto Scaling
Amazon ELB
AWS Lambda
AWS Lambda@Edge
Networking & Content Delivery
Amazon Virtual Private Cloud (Amazon VPC)
AWS Direct Connect
Amazon CloudFront
Security, Identity and Compliance
Amazon Identity and Access Management (IAM)
AWS Directory Services
Amazon Cognito
Amazon Inspector
AWS Key Management Service
AWS CloudHSM
AWS WAF
Amazon GuardDuty
Application Integration
Amazon Simple Workflow Service
AWS Step Functions
Amazon Simple Notification Service
Amazon Simple Queue Service
Security, Identity and Compliance
Amazon Identity and Access
Management (IAM)
AWS Directory Services
Amazon Cognito
Amazon Inspector
AWS Key Management Service
AWS CloudHSM
AWS WAF
Amazon GuardDuty

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
PROTECTED Scope
Analytics
Amazon Elastic MapReduce (Amazon EMR)
Amazon Kinesis Data Streams
Amazon Kinesis Data Firehose
Desktop
Amazon WorkSpaces
Amazon WorkDocs
Storage
Amazon S3
Amazon S3 Transfer Acceleration
Amazon EBS
Amazon Glacier
Database
Amazon DynamoDB
Amazon Redshift
Amazon RDS
• MySQL
• PostgreSQL
• SQL Server
• Oracle
• MariaDB
• Aurora
Amazon ElastiCache
Management
Amazon CloudWatch
Amazon CloudWatch Logs
AWS CloudFormation
AWS CloudTrail
AWS Config
AWS Systems Manager
Mobile
Amazon API Gateway
Compute
Amazon EC2
Amazon Elastic Container Service
(Amazon ECS)
Amazon EC2 Auto Scaling
Amazon ELB
AWS Lambda
AWS Lambda@Edge
Networking & Content Delivery
Amazon Virtual Private Cloud (Amazon VPC)
AWS Direct Connect
Amazon CloudFront
Security, Identity and Compliance
Amazon Identity and Access Management (IAM)
AWS Directory Services
Amazon Cognito
Amazon Inspector
AWS Key Management Service
AWS CloudHSM
AWS WAF
Amazon GuardDuty
Application Integration
Amazon Simple Workflow Service
AWS Step Functions
Amazon Simple Notification Service
Amazon Simple Queue Service
Storage
Amazon S3
Amazon S3 Transfer Acceleration
Amazon EBS
Amazon Glacier

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
PROTECTED Scope
Analytics
Amazon Elastic MapReduce (Amazon EMR)
Amazon Kinesis Data Streams
Amazon Kinesis Data Firehose
Desktop
Amazon WorkSpaces
Amazon WorkDocs
Storage
Amazon S3
Amazon S3 Transfer Acceleration
Amazon EBS
Amazon Glacier
Database
Amazon DynamoDB
Amazon Redshift
Amazon RDS
• MySQL
• PostgreSQL
• SQL Server
• Oracle
• MariaDB
• Aurora
Amazon ElastiCache
Management
Amazon CloudWatch
Amazon CloudWatch Logs
AWS CloudFormation
AWS CloudTrail
AWS Config
AWS Systems Manager
Mobile
Amazon API Gateway
Compute
Amazon EC2
Amazon Elastic Container Service
(Amazon ECS)
Amazon EC2 Auto Scaling
Amazon ELB
AWS Lambda
AWS Lambda@Edge
Networking & Content Delivery
Amazon Virtual Private Cloud (Amazon VPC)
AWS Direct Connect
Amazon CloudFront
Security, Identity and Compliance
Amazon Identity and Access Management (IAM)
AWS Directory Services
Amazon Cognito
Amazon Inspector
AWS Key Management Service
AWS CloudHSM
AWS WAF
Amazon GuardDuty
Application Integration
Amazon Simple Workflow Service
AWS Step Functions
Amazon Simple Notification Service
Amazon Simple Queue Service
Database
Amazon DynamoDB
Amazon Redshift
Amazon RDS
• MySQL
• PostgreSQL
• SQL Server
• Oracle
• MariaDB
• Aurora
Amazon ElastiCache

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
PROTECTED Scope
Analytics
Amazon Elastic MapReduce (Amazon EMR)
Amazon Kinesis Data Streams
Amazon Kinesis Data Firehose
Desktop
Amazon WorkSpaces
Amazon WorkDocs
Storage
Amazon S3
Amazon S3 Transfer Acceleration
Amazon EBS
Amazon Glacier
Database
Amazon DynamoDB
Amazon Redshift
Amazon RDS
• MySQL
• PostgreSQL
• SQL Server
• Oracle
• MariaDB
• Aurora
Amazon ElastiCache
Management
Amazon CloudWatch
Amazon CloudWatch Logs
AWS CloudFormation
AWS CloudTrail
AWS Config
AWS Systems Manager
Mobile
Amazon API Gateway
Compute
Amazon EC2
Amazon Elastic Container Service
(Amazon ECS)
Amazon EC2 Auto Scaling
Amazon ELB
AWS Lambda
AWS Lambda@Edge
Networking & Content Delivery
Amazon Virtual Private Cloud (Amazon VPC)
AWS Direct Connect
Amazon CloudFront
Security, Identity and Compliance
Amazon Identity and Access Management (IAM)
AWS Directory Services
Amazon Cognito
Amazon Inspector
AWS Key Management Service
AWS CloudHSM
AWS WAF
Amazon GuardDuty
Application Integration
Amazon Simple Workflow Service
AWS Step Functions
Amazon Simple Notification Service
Amazon Simple Queue Service
Compute
Amazon EC2
Amazon Elastic Container Service
Amazon EC2 Auto Scaling
Amazon ELB
AWS Lambda
AWS Lambda@Edge

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
PROTECTED Scope
Analytics
Amazon Elastic MapReduce (Amazon EMR)
Amazon Kinesis Data Streams
Amazon Kinesis Data Firehose
Desktop
Amazon WorkSpaces
Amazon WorkDocs
Storage
Amazon S3
Amazon S3 Transfer Acceleration
Amazon EBS
Amazon Glacier
Database
Amazon DynamoDB
Amazon Redshift
Amazon RDS
• MySQL
• PostgreSQL
• SQL Server
• Oracle
• MariaDB
• Aurora
Amazon ElastiCache
Management
Amazon CloudWatch
Amazon CloudWatch Logs
AWS CloudFormation
AWS CloudTrail
AWS Config
AWS Systems Manager
Mobile
Amazon API Gateway
Compute
Amazon EC2
Amazon Elastic Container Service
(Amazon ECS)
Amazon EC2 Auto Scaling
Amazon ELB
AWS Lambda
AWS Lambda@Edge
Networking & Content Delivery
Amazon Virtual Private Cloud (Amazon VPC)
AWS Direct Connect
Amazon CloudFront
Security, Identity and Compliance
Amazon Identity and Access Management (IAM)
AWS Directory Services
Amazon Cognito
Amazon Inspector
AWS Key Management Service
AWS CloudHSM
AWS WAF
Amazon GuardDuty
Application Integration
Amazon Simple Workflow Service
AWS Step Functions
Amazon Simple Notification Service
Amazon Simple Queue Service
Networking & Content Delivery
Amazon Virtual Private Cloud (VPC)
AWS Direct Connect
Amazon CloudFront

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
PROTECTED Scope
Analytics
Amazon Elastic MapReduce (Amazon EMR)
Amazon Kinesis Data Streams
Amazon Kinesis Data Firehose
Desktop
Amazon WorkSpaces
Amazon WorkDocs
Storage
Amazon S3
Amazon S3 Transfer Acceleration
Amazon EBS
Amazon Glacier
Database
Amazon DynamoDB
Amazon Redshift
Amazon RDS
• MySQL
• PostgreSQL
• SQL Server
• Oracle
• MariaDB
• Aurora
Amazon ElastiCache
Management
Amazon CloudWatch
Amazon CloudWatch Logs
AWS CloudFormation
AWS CloudTrail
AWS Config
AWS Systems Manager
Mobile
Amazon API Gateway
Compute
Amazon EC2
Amazon Elastic Container Service
(Amazon ECS)
Amazon EC2 Auto Scaling
Amazon ELB
AWS Lambda
AWS Lambda@Edge
Networking & Content Delivery
Amazon Virtual Private Cloud (Amazon VPC)
AWS Direct Connect
Amazon CloudFront
Security, Identity and Compliance
Amazon Identity and Access Management (IAM)
AWS Directory Services
Amazon Cognito
Amazon Inspector
AWS Key Management Service
AWS CloudHSM
AWS WAF
Amazon GuardDuty
Application Integration
Amazon Simple Workflow Service
AWS Step Functions
Amazon Simple Notification Service
Amazon Simple Queue Service
Desktop
Amazon WorkSpaces
Amazon WorkDocs

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
PROTECTED Scope
Analytics
Amazon Elastic MapReduce (Amazon EMR)
Amazon Kinesis Data Streams
Amazon Kinesis Data Firehose
Desktop
Amazon WorkSpaces
Amazon WorkDocs
Storage
Amazon S3
Amazon S3 Transfer Acceleration
Amazon EBS
Amazon Glacier
Database
Amazon DynamoDB
Amazon Redshift
Amazon RDS
• MySQL
• PostgreSQL
• SQL Server
• Oracle
• MariaDB
• Aurora
Amazon ElastiCache
Management
Amazon CloudWatch
Amazon CloudWatch Logs
AWS CloudFormation
AWS CloudTrail
AWS Config
AWS Systems Manager
Mobile
Amazon API Gateway
Compute
Amazon EC2
Amazon Elastic Container Service
(Amazon ECS)
Amazon EC2 Auto Scaling
Amazon ELB
AWS Lambda
AWS Lambda@Edge
Networking & Content Delivery
Amazon Virtual Private Cloud (Amazon VPC)
AWS Direct Connect
Amazon CloudFront
Security, Identity and Compliance
Amazon Identity and Access Management (IAM)
AWS Directory Services
Amazon Cognito
Amazon Inspector
AWS Key Management Service
AWS CloudHSM
AWS WAF
Amazon GuardDuty
Application Integration
Amazon Simple Workflow Service
AWS Step Functions
Amazon Simple Notification Service
Amazon Simple Queue Service
Management
Amazon CloudWatch
Amazon CloudWatch Logs
AWS CloudFormation
AWS CloudTrail
AWS Config
AWS Systems Manager

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS shared responsibility model
Security IN
the Cloud
Managed by
customers
Security OF
the Cloud
Managed by
AWS

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
ISM and IRAP
Extensive and highly detailed standard for Information Security
Rigorous audit standard is part and parcel of ISM
For more info see
https://acsc.gov.au/infosec/ism

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Additional services in reference architecture
Trusted
Advisor
AWS
Organisations
AWS
Shield

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
March 2019 ISM
Welcome re-name of Unclassified DLM (Dissemination Limiting Marker)
acsc.gov.au/infosec/ism

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Additional certification guidance
All PROTECTED certified services can be used at UNCLASSIFIED DLM
UNCLASSIFIED DLM certified services can be leveraged in
PROTECTED solutions
Specific global UNCLASSIFIED DLM certified services can leverage
AWS Regions outside of Australia, subject to ACSC Guidance.
(Please refer to the ACSC Certification Report and Consumer Guide
for more details.)

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Accessing AWS compliance reports
https://aws.amazon.com/compliance/ https://aws.amazon.com/artifact/

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Further reading…
Take a picture of this slide, and visit the URLs…
https://aws.amazon.com/compliance/
https://aws.amazon.com/security/
https://aws.amazon.com/guardduty/
https://aws.amazon.com/artifact/

31. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Herman Coomans