"Cloud first" and "cloud native" are the new mindsets for many IT & business teams operating on AWS. In this new world, security functions need to scale for rapidly growing AWS accounts and VPCs in the organization. In this session, we show you how to build a world-class security operations organization with the same "cloud native" mindset using AWS tools. By the end of this session, you will understand how to run a lean and clean SecOps center for a fast-paced organization. The key objective of this session is to transform the security team from "no” to everything, to "know” everything. By knowing everything, you will sleep better.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lean and clean SecOps using AWS
native services cloud
Ramesh Adabala
Solutions Architect
Amazon Web Services
S D D 3 0 1

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Security reference architecture
Security baseline using AWS landing zone
Additional security baseline items
Application security

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Layered security on AWS
AWS Compliance
Program
Third-Party
Attestations
Compliance
VPC Configuration
Security Groups
Network
Network & Web App
Firewalls
Encryption
In-Transit
Hardened AMIs
OS and App
Patch Mgmt.
AWS Identity and
Access Management
(IAM) Roles for Amazon
EC2
Bastion Hosts
HostSecurity
Data Classification
Key Management
Encryption
At-Rest
DataSecurity
Identity & Access
Management Security Operations & Audit
Third-Party
Attestations
1
2
3
4
5 6

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Layered security – AWS Services
1
2
3
4
5
6

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is the NIST Cybersecurity Framework?
7
Executive Order
Presidential
Executive Order
13636, “Improving
Critical Infrastructure
Cybersecurity,”
charges NIST in Feb.
2013
Legislation
Cybersecurity
Enhancement Act of
2014 reinforced the
legitimacy and
authority of the CSF
by codifying it and its
voluntary adoption
into law
In February 2014, the National
Institute of Standards and Technology
(NIST) published the “Framework for
Improving Critical Infrastructure
Cybersecurity” (or CSF), a voluntary
framework to help organizations of
any size and sector improve the
cybersecurity, risk management, and
resilience of their systems.
Originally intended for critical
infrastructure, but broader
applicability across all organization
types.
Executive Order
Presidential EO 13800,
“Strengthening the
Cybersecurity of
Federal Networks and
Critical Infrastructure”
mandates the use of
CSF for all federal IT

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Aligning to AWS services
Identify
Protect
DetectRespond
Recover
What processes and
assets need protection?
What safeguards
are available?
What techniques can
identify incidents?
What techniques can
contain impacts of
incidents?
What techniques can
restore capabilities?

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
NIST CSF–based security reference architecture
Protect Detect Respond
Automate
Investigate
RecoverIdentify
ArchiveSnapshot

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security baseline reference architecture - checklist
Centralized logging
Centralized VPC management Centralized IAM role management
Centralized Config Rules
Centralized GuardDuty
Centralized WAF
Centralized AMI build
Centralized Macie
Centralized monitoring
Centralized SecurityHub
Network security
Infrastructure security
Centralized Inspector
Centralized patching
Data protection
Identity
Security operations
Compliance
Centralized Access federation
Centralized Config

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS landing zone structure — basic
Amazon S3 Bucket
(manifest file)
AWS CodePipeline
AWS
Service Catalog
Account
Baseline
Core OU
AWS SSOOrganizations
Organizations account
shared services account log archive account
Account
Baseline
security account
Network
Baseline
Account
Baseline
Aggregate
CloudTrail and
AWS Config
Logs
Account
Baseline
Security Cross-
Account Roles
Security
Notifications
Organizations account
• Account provisioning
• Account access (AWS SSO)
Shared services account
• Active directory
• Log analytics
Log archive
• Security logs
Security account
• Audit/Break-glassGuardDuty Master
Parameter
Store

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Account vending machine
AWS
Service Catalog
Account vending machine (AWS Service Catalog)
• Account creation factory
• User interface to create new accounts
• Account baseline versioning
• Launch constraints
Creates/updates AWS account
Apply account baseline stack sets
Create network baseline
Apply account security control policy
Account vending
machine
Organizations
Security
AWS
Log Archive
AWS
Shared Services
AWS
AWS
New AWS

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-account approach
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
Organizations
Shared
Services
Network
Log Archive Prod
Team Shared
Services
Optional Network Path
Network Path Log Flow
Data CenterDeveloper Accounts
Orgs: Account management
Log Archive: Security logs
Shared Services: Directory, limit monitoring
Network: AWS Direct Connect
Dev Sandbox: Experiments, learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team shared services, data lake
Security: Security Tooling: GuardDuty, AWS
Firewall Manager, Amazon Inspector, Security
Hub, ELK dashboard

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security baseline reference architecture - checklist
Centralized logging
Centralized VPC management Centralized IAM role management
Centralized Config Rules
Centralized GuardDuty
Centralized WAF
Centralized AMI build
Centralized Macie
Centralized monitoring
Centralized SecurityHub
Network Security
Infrastructure security
Centralized Inspector
Centralized patching
Data protection
Identity
Security Operations
Compliance
Centralized Access federation
Centralized Config

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Centralized AMI management – GoldenAMIPipeline
https://d1.awsstatic.com/whitepapers/aws-building-ami-factory-process-using-ec2-ssm-marketplace-and-service-catalog.pdf

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Vulnerability assessment and patch management

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Centralized patch management using SSM
https://aws.amazon.com/blogs/mt/tcs-hybrid-cloud-patch-management-at-scale-using-aws-systems-manager/

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Centralized Macie

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Centralized WAF
Users
Dynamic web
application
Amazon S3 Bucket
for staticcontent
Amazon
CloudFront
Amazon
Route 53
Amazon VPC
Amazon
CloudFront
Amazon
Route 53
AWS
WAF
AWS Firewall Manager
AWS
WAF
AWS Shield
AWS Shield
Dynamic web
application
Amazon S3 Bucket
for staticcontent
Amazon VPC

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security baseline reference architecture - checklist
Centralized logging
Centralized VPC management Centralized IAM role management
Centralized Config Rules
Centralized GuardDuty
Centralized WAF
Centralized AMI build
Centralized Macie
Centralized monitoring
Centralized SecurityHub
Network Security
Infrastructure security
Centralized Inspector
Centralized patching
Data protection
Identity
Security Operations
Compliance
Centralized Access federation
Centralized Config

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Monitoring
Amazon
Inspector
Macie
GuardDuty
Security Hub
AWS
Shield
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
AWS
WAF
AWS
Firewall
Manager
Perimeter Protection External Security Services

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security baseline reference architecture - checklist
Centralized logging
Centralized VPC management Centralized IAM role management
Centralized Config Rules
Centralized GuardDuty
Centralized WAF
Centralized AMI build
Centralized Macie
Centralized monitoring
Centralized SecurityHub
Network Security
Infrastructure security
Centralized Inspector
Centralized patching
Data protection
Identity
Security Operations
Compliance
Centralized Access federation
Centralized Config

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Foundational VPC
Public Web Subnet
Availability Zone 1 Availability Zone 2
Public Web Subnet
Private Database Subnet
Private Application SubnetPrivate Application Subnet
Private Database Subnet

30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Compute services for your workloads
• VMs
• Machine as the unit of scale
• Abstracts the hardware
• Containers
• Application as the unit of scale
• Abstracts the OS
• Serverless
• Functions as the unit of scale
• Abstracts the language runtime
Amazon ECS/EKS
Amazon EC2
AWS Lambda

32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample infrastructure/ application deployed VPC
Public web subnet
Availability zone 1 Availability zone 2
Public web subnet
Private database subnet
Private application subnetPrivate application subnet
Private database subnet
Amazon
Route 53User
Amazon
CloudFront
AWS WAF

33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Typical application/API layers
Mobile apps
Websites
Services

34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Typical application/API Security requirements
Mobile apps
Websites
Services
(CloudFront,
ALB/ELB/API
Gateway)
(RDS/Aurora/Dyna
moDB/S3)
(EC2/Containers/La
mbda)

35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Typical application/API Security – AWS Services
Mobile apps
Websites
Services
(CloudFront,
ALB/ELB/API
Gateway)
(RDS/Aurora/Dyna
moDB/S3)
(EC2/Containers/La
mbda)

36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Continuousdeliverypipeline
Application
Infrastructure
Code
Production
QA
Development
Version
Control
Testing
Tools & processes
Security
ArtifactsBuild Deployment
- Blue / Green (app)
- Automation (infra)
Pipeline

37. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Source Build Deploy Test/Monitor
Release Steps
CodeCommit
CodeBuild CodeDeploy
AWS CodePipeline
Application
Infrastructure
Systems manager
Automation
CloudFormation Inspector Lambda
DevSecOps CI/CD pipeline

38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Implementation references
Acceptance
(Engineering)
Commit
(Github)
Capacity
(Test)
Production
Static code analysis:
• Stelligent: CFN-NAG
• AWS re:Invent 2016: 5 Security
Automation Improvements
Dynamic analysis:
CIS controls:
https://d0.awsstatic.com/whitepapers/co
mpliance/AWS_CIS_Foundations_Bench
mark.pdf
IAM policy validations:
• Critical resources
• Powerful Actions
Unit tests and Integration tests:
• Sample tests blog
Network testing:
• SSH testing
• Pen testing
• OS validations
Ongoing monitoring:
CIS controls:
https://d0.awsstatic.com/whitepapers/c
ompliance/AWS_CIS_Foundations_Benc
hmark.pdf
IAM policy validations:
• Critical resources
• Powerful Actions
• https://d0.awsstatic.com/whitepap
ers/compliance/AWS_Auditing_Sec
urity_Checklist.pdf
• Security self-healing:
http://docs.aws.amazon.com/AWSE
C2/latest/WindowsGuide/systems-
manager-state.html

39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample infrastructure/ application deployed VPC
Public web subnet
Availability zone 1 Availability zone 2
Public web subnet
Private database subnet
Private application subnetPrivate application subnet
Private database subnet
Amazon
Route 53User
Amazon
CloudFront
AWS WAF

40. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.