Up-front design of your AWS account can be done in a way that creates a reliably secure and controlled environment no matter how the AWS resources are used. This session will focus on "Secure by Design" principles and show how an AWS environment can be configured to provide a reliable operational security control capability to meet the compliance needs across multiple industry verticals (e.g. HIPAA, FISMA, PCI, etc.). This will include operational reporting through the use of AWS services (e.g. Config/Config Rules, CloudTrail, Inspector, etc.) as well as partner integration capabilities with partner solutions such as Splunk and Allgress for real-time governance, risk, and compliance reporting. Key takeaways from this session include: learning AWS Security best practices and automation capabilities for securing your environment, Automation accelerators for configuration, compliance, and audit reporting using CloudFormation, Config/Config Rules, CloudTrail, Inspector, etc., and ISV integration for real-time notification and reporting for security, compliance, and auditing in the cloud.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tim Sandage, Senior Security Partner Strategist
Hemanth Jayaraman, Director of DevOps, Rent-A-Center
April 19, 2016
Compliance in the Cloud Using
Security by Design

2. Problem statement
Increasing complexity (mobility, system connectivity)
causes increasing difficulty in managing risk and security
and demonstrating compliance.

3. Current state—technology governance
Policies
Procedures and
guidelines
Standards

4. Issues—technology governance
The majority of technology governance processes relies
predominantly on administrative and operational security
controls with limited technology enforcement.
Assets
ThreatVulnerability
Risk
AWS has an opportunity to innovate and
advance technology governance services.

5. Flexibility and complexity
What is the regulatory
requirement?
What's in scope or out
of scope?
How to verify the
standards are met?

6. Security by Design
Security by Design (SbD) is a security
assurance approach that formalizes AWS
account design, automates security controls,
and streamlines auditing.
Instead of relying on auditing security
retroactively, SbD provides security control
built in throughout the AWS IT management
process.
AWS Identity & Access
Management (IAM)
AWS CloudTrail
Amazon
CloudWatch
AWS Config
Rules
AWS Trusted
Advisor
AWS
CloudHSM
AWS Key
Management Service
(AWS KMS)
AWS Directory
Service

7. SbD—design principles
• Build security in every layer
• Design for failures
• Implement auto-healing
• Think parallel
• Plan for breach
• Don't fear constraints
• Leverage different storage options
• Design for cost
• Treat infrastructure as code
• Modular
• Versioned
• Constrained
Security by Design involves developing new risk mitigation capabilities, which go beyond
global security frameworks by treating risks, eliminating manual processes, and optimizing
evidence and audit ratifications processes through rigid automation.

8. SbD—ecosystem
Security by Design (SbD)
AWS CloudFormation
AWS Config Rules
Amazon Inspector

9. SbD—modernizing tech governance (MTG)
Why?
Complexity is growing, making the old way to
govern technology obsolete.
You need automation that AWS offers to manage
security.

10. Goal—modernizing tech governance
Adopt “prevent” controls; make
“detect” controls more powerful and
comprehensive.

11. SbD—modernizing tech governance
1.2 Identify your workloads moving to AWS
2.1 Rationalize
security requirements
2.2 Define data
protections and controls
2.3 Document
security architecture
3.1 Build/deploy
security architecture
1. Decide what
to do (strategy)
2. Analyze and
document
(outside of AWS)
1.1 Identify stakeholders
3. Automate,
deploy, and
monitor 3.2 Automate
security operations
4. Certify
3.3 Continuously
monitor
4.1 Audit and certify
3.4 Test and
have game days

12. SbD—rationalize security requirements
AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security
configuration guides that will align to multiple security frameworks globally.
https://www.cisecurity.org/
The benchmarks are:
• Recommended technical control rules
and values for hardening operating
systems, middleware and software
applications, and network devices.
• Distributed free of charge by CIS in
.PDF format.
• Used by thousands of enterprises as
the basis for security configuration
policies and the de facto standard for
IT configuration best practices.

13. SbD—AWS CIS benchmark scope
Foundational benchmark
CloudTrail
AWS Config &
Config Rules
AWS KMS
IAM CloudWatch
Amazon S3
Amazon SNS
Three-tier web architecture
Amazon EC2 Elastic Load
Balancing
Amazon VPC
AWS Direct
Connect
Amazon Elastic
Block Store
CloudHSM Amazon Glacier Amazon
Route 53
VPN
Gateway
Amazon
CloudFront

14. SbD—define data protections and controls

15. https://aws-poc.allgress.com/allgress/awsgc
SbD—document security architecture

16. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hemanth Jayaraman, Director of DevOps, Rent-A-Center
April 19, 2016
Security by Design
Evolution of Cloud Security @ RAC

17. Business case: Rent-A-Center
• Secure business-to-business (B2B) portal for our
Acceptance Now business unit, which enables our
partners to help grow their business by increasing sales
and expanding their customer base.
• Personally identifiable information (PII) and
payment card industry (PCI) compliance requirements.

18. Prod
Security
Apac
he
Apac
he
Web
Amazon RDS
CloudFormationS3
Jump
Log
Manager
Jenkins
Threat
Manager
HQ
Note: All tiers are designed for
automated Multi-AZ failover.
Apac
he
Apac
he
App
Shared SVC
Apac
he
Apac
he
AWS
WAF

19. Prod
Security
Apac
he
Apac
he
Web
Amazon RDS
CloudFormationS3
Jump
Log
Manager
Jenkins
Threat
Manager
HQ
Note: All tiers are designed for
automated Multi-AZ failover.
Apac
he
Apac
he
App
Shared SVC
Apac
he
Apac
he
AWS
WAF
Security:
1. Amazon RDS patching
2. Centralized logging
3. Threat management

20. Prod
Security
Apac
he
Apac
he
Web
Amazon RDS
CloudFormationS3
Jump
Log
Manager
Jenkins
Threat
Manager
HQ
Note: All tiers are designed for
automated multi-AZ failover.
Apac
he
Apac
he
App
Shared SVC
Apac
he
Apac
he
AWS
WAF
Availability:
1. No single point of failure
2. Minimal human intervention
3. Designed to auto-scale

21. Prod
Security
Apac
he
Apac
he
Web
Amazon RDS
CloudFormationS3
Jump
Log
Manager
Jenkins
Threat
Manager
HQ
Note: All tiers are designed for
automated Multi-AZ failover.
Apac
he
Apac
he
App
Shared SVC
Apac
he
Apac
he
AWS
WAF
Innovation:
1. Templated environments
2. Scripted configurations
3. Automated deployments

22. Benefits
• Security is not production mindset: no last-minute
surprises before go live.
• Least privilege access.
• Centralized logging.
• Encryption at rest and in motion.
• Infrastructure as code.
• Ansible playbooks as build docs.

23. Next steps
• Continue Security by Design approach—use AWS
CloudTrail and AWS WAF
• CIS-benchmarked Amazon Machine Image (AMI)
• Amazon EC2 Container Service for Docker
• Amazon Aurora with AWS Key Management Service for
encryption
• Content delivery network (CDN) for distributed denial-of-
service (DDoS)

24. SbD—automate security operations
Automate deployments, provisioning, and configurations of
the AWS customer environments.
CloudFormation AWS Service CatalogStack
Template
Instances AppsResources Stack
Stack
Design Package
Products Portfolios
DeployConstrain
IAM
Set Permissions

25. AWS CloudTrail
Amazon
EMR
Amazon
Kinesis
Amazon
VPC
Elastic Load
Balancing
Amazon
S3
AWS
Lambda
AWS ConfigAWS CloudWatch
AWS IoT
Other
Services
Add-on for AWS
Splunk app for AWS
Explore Analyze Dashboard Alert
Use cases for AWS:
Security intelligence (CloudTrail, CloudWatch, VPC)
Operational intelligence (CloudWatch, ELB, etc.)
DevOps intelligence (CloudWatch, Lambda)
Big data insights (Amazon Kinesis, EMR, IoT, S3)
SbD—continuously monitor—Splunk

26. AWS CloudTrail
resource activity
Splunk app for AWS—visualize and monitor
AWS CloudTrail
user activity

27. SbD—modernizing technology governance (MTG)
Automate
governance
Automate
deployments
Automate security
operations
Continuous
compliance

28. Closing the loop
SbD—modernizing technology governance
Result: Reliable technical implementation and enforcement
of operational and administrative controls

29. AWS resources
Amazon Web Services Cloud Compliance
• https://aws.amazon.com/compliance/
SbD website and whitepaper—to wrap your head around this
• https://aws.amazon.com/compliance/security-by-design/

30. Allgress—getting started
1. Engage with Allgress in the field: Contact sales
2. Get started with the Allgress GetCompliant Portal to easily
pull compliance configurations from AWS customer accounts
3. Download the Allgress Module Breakdown

31. Splunk—Getting started
1. Engage with Splunk in the field: aws-splunk-team@amazon.com can
point you in the right direction, and you can request the Splunk
Playbook.
2. Download Splunk>Enterprise.
3. Download and set up the Splunk App for AWS (and supporting TA) to
easily configure Splunk for Config, CloudTrail, CloudWatch metrics,
VPC flog logging, S3, and Billing.
4. Take the self-paced Using Splunk tutorial and look at Splunk>Docs and
Splunk>Apps for more.
5. You can get started quickly with the Splunk search commands, and
then use supporting documentation to advance your skill. Our Quick
Reference Guide becomes an essential tool and cheat sheet. Other
search reference documentation is posted also.