Because the entire AWS cloud platform is programmable, it turns out that you can program security and compliance in advance of actually instantiating any actual workloads. In this session, we show how you can design a secure and compliant workload and even have it audited by a third-party auditor before creating it for the first time! Once it's created, other facilities provide mechanisms for detecting and alerting a drift from your baseline, and even automatically remediating the drift. Learn how the comprehensive automation available in AWS provides security and compliance professionals an entire new, more efficient, and more effective way to work.
Speaker: John Hildebrand, Solutions Architect, Amazon Web Services
2. The AWS cloud allows for advanced governance
Manual auditing in a simple world versus governance in a complex world:
• Thick procedure manuals → Software-enforced processes
• Periodic surveys → Alarming/triggering
• Few truly automated controls → Ubiquitous, software-driven, predictable controls
• Sample testing, hoping → Full population monitoring, test of 1
3. Evolution of compliance at AWS
Diagram: progression from AWS certifications, to customer enabler docs, to customer case studies, to security and compliance via automation, built on AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS and AWS Config.
4. Shared Responsibility Model
Customers are responsible for how they use AWS components in AWS.
Customer: responsible for security in the Cloud
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)
AWS: responsible for security of the Cloud
• Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
5. Compliance & Accreditation – Common Challenges
How do I architect for compliance in AWS?
• Meet my compliance requirements (IRAP, NIST, PCI, HIPAA, CJIS, etc.)
• Make critical decisions to ensure a secure application when using the AWS Shared Responsibility Model.
• Take advantage of new services and features when designing for Cloud
• Mapping security controls to numerous AWS services
How can I make architecting for compliance repeatable?
How can I validate that my architecture is compliant before deployment?
How can I ensure continuous compliance in production?
How can I simplify my accreditation process and get to ATO?
6. Shared Responsibility Model
Compliance in the Cloud: Examples
Framework | Control | Description | Implementation in AWS Architecture (Example)
NIST 800-53 | AU-9 | The information system protects audit information and audit tools from unauthorized access, modification, and deletion | AWS CloudTrail and/or log files in S3 buckets which have S3 bucket policies to prevent modification or deletion (write once read many)
PCI DSS | Requirement 4 | Encrypt transmission of cardholder data | Elastic load balancers must enforce HTTPS encryption using strong security policies enforcing TLS
HIPAA | - | Tenancy requirement | Requirement to use “dedicated” tenancy for EC2 instances storing or processing PHI data
CJIS | Policy Area 7 | Configuration management | Enforce use of hardened EC2 instance operating systems and/or pre-approved Amazon Machine Images (AMIs)
DoD CSM | Levels 4-5 | No direct access from VPC to the Internet | Amazon VPCs for Impact Levels 4-5 data require VPN connection, no Internet gateway (IGW)
7. Simplifying Compliance: Key Concepts
Know your compliance framework(s)
• Translate compliance controls to technical implementation
• Create and manage a pre-approved common security controls mapping to use when architecting for security and compliance
Take advantage of capabilities the Cloud provides
• Infrastructure as Code
• AWS services (CloudTrail, AWS Config, Amazon Inspector, etc.)
• Partner solutions
Automate standard implementations
9. Automating Compliance in AWS
Infrastructure As Code
• Managed and controlled like software
• Validate pre-deployment
• Test-driven development (TDD) for security and compliance
Standardization
• Predefined guidelines, mapped to security controls
• Consistent, reusable architecture and configuration
Compliance at scale
• Enforce policies across accounts, workloads, systems
• Shared services for security, logging, monitoring, access control
Transparency
• Everything is an API call!
• Auditability, logging
• Continuous monitoring (CM) for both applications and infrastructure
14. Accelerating the Journey to ATO
Lifecycle diagram, phase by phase, with the activities and supporting services shown for each:
• Pre-Development: Architect for Compliance; Provide Baselines (Enterprise Accelerator for Compliance, AWS Service Catalog); compliance control mapped to implementation method
• Development: Develop Applications (Enterprise Accelerator for Compliance, AWS OpsWorks, AWS Elastic Beanstalk); developing with a predefined baseline implementing control; Submit SSP
• Testing: Validate Architecture for Compliance; Integration Testing for Compliance (AWS Config, AWS CodePipeline); validation and testing for requirement; IATT; Submit for ATO
• Production: ATO; Continuous Monitoring; Manage Security-Relevant Changes; Vulnerability Scanning (Amazon Inspector, AWS Config); continuous monitoring for control implementation
15. Pre-Development
Understand your compliance requirements
• Compliance type(s): IRAP, NIST 800-53, ICD 503, DoD CSM, PCI, HIPAA, etc.
Architect for compliance
• Map security controls to technical implementation
Predefine baselines
• Examples: VPC configuration, connectivity, AWS Identity and Access Management (IAM) configuration, logging/monitoring
• Baselines align with governance model
Diagram (Pre-Development phase): Architect for Compliance; Provide Baselines (Enterprise Accelerator for Compliance, AWS Service Catalog); compliance control mapped to implementation method.
16. Enforced Deployment with AWS Service Catalog
§ Standardize deployment
§ Allow push-button build of common architectures based on compliance and use case
§ Provide a self-service model for workload owners
17. Development
Deploy predefined baseline environment
• Service Catalog, CloudFormation
Manage all AWS components as code
• E.g. Version Control (AWS CodeCommit, Git, SVN)
Take advantage of AWS services
• AWS CodeDeploy/AWS CodePipeline
• Elastic Beanstalk
• CloudFormation, OpsWorks
Diagram (Development phase): Architect for Compliance; Develop Applications (Enterprise Accelerator for Compliance, AWS OpsWorks, AWS Elastic Beanstalk); developing with a predefined baseline implementing control; Submit SSP.
18. AWS CloudFormation
§ Basic standard in AWS for automating deployment of resources
§ CloudFormation Template
− JSON-formatted document which describes a configuration to be deployed in an AWS account
− When deployed, refers to a “stack” of resources
19. Example: Multi-tier Security Groups
Diagram: three EC2 tiers plus EBS, with HTTP, SSH and DB-sync flows between them, annotated as follows:
• Ports 80 and 433 only open to the internet
• Engineering staff have SSH access to the App Tier, which acts as Bastion
• Authorized 3rd parties can be granted SSH access, such as the Database Tier
• All other internet ports blocked by default
ISM controls addressed:
• Control 0520 (Revision 5; Updated Apr-15; should; Authority AA): Network access controls should be implemented on networks.
• Control 1182 (Revision 2; Updated Apr-15; should; Authority AA): Network access controls should be implemented to limit traffic within and between network segments to only those that are required for business operations.
20. Testing
Unit testing
• Validate before deployment
• Check AWS CloudFormation templates for non-compliant configurations
Integration testing
• Deploy infrastructure code into AWS account
• Run tests for validation (Config, Inspector, HBSS, partner products, etc.)
Prepare for ATO
• Submit predefined security controls mapping for simplified approval
Diagram (Testing phase): Validate Architecture for Compliance; Integration Testing for Compliance; validation and testing for requirement; Submit for ATO.
21. Testing Infrastructure Code
Identify resource configurations in code that violate compliance
• Example tools: https://github.com/stelligent/cfn_nag
Common points of compliance validation
• Security group rules
• Network Access Control List (network ACL) rules
• IAM policies
• S3 bucket policies
• Elastic Load Balancing security policies
"sg": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "example group with unrestricted SSH",
    "SecurityGroupIngress": [
      {
        "CidrIp": "0.0.0.0/0",
        "FromPort": 22,
        "ToPort": 22,
        "IpProtocol": "tcp"
      }
    ],
    "VpcId": "vpc-12345678"
  }
}
Example: AWS CloudFormation template resource containing a security group that allows unrestricted access to SSH (tcp/22 from 0.0.0.0/0). This is the non-compliant case a pre-deployment check should flag; the fragment above is valid template syntax (SecurityGroupIngress is a list, GroupDescription is required) so that it can be fed to such a check.
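One way to implement the pre-deployment check this slide describes, added here as an example in the spirit of cfn_nag but not cfn_nag's own code: it walks a CloudFormation template, finds AWS::EC2::SecurityGroup resources, and reports ingress rules that expose an administrative port to the whole internet or allow all traffic (IpProtocol -1, the "ALL TRAFFIC" case that slide 24 forbids). The template below is constructed for the example; the admin port list is an assumption.

```python
"""Unit-test style check of a CloudFormation template for non-compliant
security group ingress rules (constructed example, not cfn_nag's code)."""
import ipaddress
import json

# Constructed sample template: one compliant group and one non-compliant one.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "VpcId": "vpc-12345678",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "BadSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "unrestricted ssh plus all traffic",
                "VpcId": "vpc-12345678",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "-1", "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
    }
})


def _is_world_open(cidr):
    """True for a /0 network of either family (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:          # missing or malformed CIDR: not world-open
        return False


def _covers_port(rule, port):
    """True when the rule's FromPort..ToPort range includes the given port."""
    lo = int(rule.get("FromPort", 0))
    hi = int(rule.get("ToPort", 65535))
    return lo <= port <= hi


def find_violations(template_text, admin_ports=(22, 3389)):
    """Return (logical_id, rule_index, reason) for every offending rule.
    admin_ports is an assumed list of ports that must never be world-open."""
    template = json.loads(template_text)
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        ingress = res.get("Properties", {}).get("SecurityGroupIngress", [])
        if isinstance(ingress, dict):      # tolerate a single rule object
            ingress = [ingress]
        for i, rule in enumerate(ingress):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6") or ""
            if str(rule.get("IpProtocol", "")) == "-1":
                findings.append((logical_id, i, "ALL TRAFFIC rule not permitted"))
            elif _is_world_open(cidr):
                for port in admin_ports:
                    if _covers_port(rule, port):
                        findings.append((logical_id, i, "port %d open to %s" % (port, cidr)))
    return findings


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_TEMPLATE):
        print("FAIL", *finding)
```

Run against the real template files in a pipeline stage, and fail the build when the returned list is non-empty.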
22. Production
Authority to Operate (ATO)
• …but compliance doesn’t end with ATO
Continuous monitoring
• Security-relevant changes to configuration
Non-compliance
• Continuously monitor for changes that violate compliance
• Immediate notifications
• Event-driven, automated remediation
Diagram (Production phase): Continuous Monitoring; Manage Security-Relevant Changes; Vulnerability Scanning (Amazon Inspector, AWS Config); continuous monitoring for control implementation.
23. Validation – Closing the loop
AWS Config Rules
• AWS Config Rules: check whether your security design is deployed in existing environments
• Accurate, complete audit
• Continuous assessment, history
• Cloud Governance Dashboard
AWS Inspector
• Identify Security Issues in Your Applications
• Enforce your Organization’s Security Standards
24. Lifecycle of a Compliance Control: Example
Control SC-7(5), Boundary Protection - DENY BY DEFAULT/ALLOW BY EXCEPTION: The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (that is, deny all, permit by exception).
Requirement: Rules with “ALL TRAFFIC” not permitted in security groups.
Pre-Development: Enterprise Accelerator defines the required NIST 800-53 compliance control and maps it to a predefined implementation in a CloudFormation template. Base templates by default deny all ports except those required to be open.
Development: Enterprise Accelerator as starting point for CloudFormation template development. Starting point in development with templates which
Testing: Automated unit testing with cfn-nag tool validates that the control is not being violated in a template; testing for security groups where all ports are open. Integration testing with Config verifies
Production: Config rule continuously monitors for violations of this control and takes corrective action if a violation is detected. If a security group changes, the Config rule immediately evaluates and determines if the rule changes violate the control.
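The Production stage above has a Config rule evaluate every security group change against the "ALL TRAFFIC" requirement. The following is an added example of such a custom rule's evaluation logic, not code from the Enterprise Accelerator; it assumes the configuration item layout AWS Config records for AWS::EC2::SecurityGroup (configuration.ipPermissions, with ipProtocol "-1" meaning all traffic), and leaves the corrective-action step out.

```python
"""Custom AWS Config rule: flag security groups with an ALL TRAFFIC ingress
rule (constructed example; configuration item layout is an assumption)."""
import json


def all_traffic_rules(configuration):
    """Indexes of ingress permissions that allow every protocol and port.
    Config records such a permission with ipProtocol "-1" (assumed)."""
    bad = []
    for i, perm in enumerate(configuration.get("ipPermissions", [])):
        if str(perm.get("ipProtocol", "")) == "-1":
            bad.append(i)
    return bad


def evaluate(configuration_item):
    """Map one configuration item to (ComplianceType, annotation)."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    bad = all_traffic_rules(configuration_item.get("configuration") or {})
    if bad:
        return "NON_COMPLIANT", "ALL TRAFFIC ingress rule(s) at index %s" % bad
    return "COMPLIANT", "no ALL TRAFFIC ingress rules"


def lambda_handler(event, context):
    """Entry point invoked by the Config rule on each configuration change.
    boto3 is imported here so the module stays importable for offline tests."""
    import boto3
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed configuration item in the shape Config delivers for a group
# whose second ingress permission allows all traffic from a VPC range.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2016-07-01T00:00:00.000Z",
    "configuration": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": ["0.0.0.0/0"]},
            {"ipProtocol": "-1", "ipRanges": ["10.0.0.0/16"]},
        ],
    },
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_ITEM))
```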
25. Continuous Integration/Delivery + Compliance Automation
Pipeline diagram (Dev and IT Ops swimlanes, promoted through Dev → Test → Prod), with Version Control and an Artifact Repository feeding both streams:
• Application stream: Write App Code → Build/Compile Code → Unit Test App Code → Package Application → Deploy App
• Infrastructure stream: Write Infra Code → Validate Infra Code → Build AMIs → Automate Deployment → Deploy Infra
Annotations:
• Start with predefined baselines built for compliance: Service Catalog portfolio of predefined architecture patterns
• Maintain a library of pre-validated base architectures for dev users to modify and deploy
• Validate infrastructure code using automated testing tools
26. Automating Compliance: Tools & Services
§ AWS Compliance Enterprise Accelerator
§ CloudFormation based customisable quickstart
§ Address security/compliance requirements and AWS best practices
§ Knowledge transfer on AWS security model
§ Standardized for specific use cases
§ Ready to be pre-approved by customer assessment organizations
§ Ready to deploy “out of the box”
§ CloudTrail, Config/Config rules, Inspector
§ AWS Trusted Advisor
§ Partner Solutions
27. AWS Enterprise Accelerator for Compliance
Currently Available Quick Starts
§ NIST High baseline (featuring Trend Micro Deep Security)
§ NIST SP 800-53 (version 2.0)
§ DoD SRG (GovCloud)
§ Trusted Internet Connection
§ 800-171
§ PCI DSS
§ Secure Commercial Cloud Architecture (SCCA) (late July preview)
http://aws.amazon.com/quickstart
29. Healthdirect Australia
Healthdirect Australia designs and delivers innovative services
for governments to provide every Australian with 24/7 access to
the trusted information and advice they need to manage
their own health and health-related issues.
About us
30. Healthdirect Australia
Sharing trusted knowledge
No matter where people live, or what time of the day or night it is, they can talk to a professional, find trusted advice online about how to manage their issue, and locate the closest appropriate and open service that meets their needs.
Services: mindhealthconnect, My Aged Care, healthdirect, Pregnancy, Birth and Baby, Carer Gateway, after hours GP helpline, Quitline, Get Healthy, National Health Services Directory
31. Current State
• Platform accredited to ISM Unclassified DLM
• Currently hold data up to Sensitive:Personal
• 99.95% availability per month, missed once in 4 years in AWS
• Host 8 major service lines and corporate IT in AWS
• 1.6 million visits to websites and 30 million transactions against
the National Health Services Directory per month
• Direct integrations to 160+ content partners and 100+ directory
partners
• All services certified or in IRAP assessment to Unclassified DLM
Healthdirect Platform and Services
34. Healthdirect Patterns for Security
1. Standard build and configuration
2. Configuration change management
3. Privileged access management
4. Vulnerability management
Where automation in AWS helps address key ISM controls
35. Standard Build and Configuration
Sample ISM Controls
Section/Topic | Ctrl. | Rev. | Updated | Applicability | Req. | Auth. | Control Statement
Developing SOEs | 1406 | 0 | Apr-15 | UD, P, C, S, TS | must | AA | When developing a new SOE, agencies must use the Common Operating Environment Policy produced by the Department of Finance.
Developing SOEs | 1407 | 1 | May-16 | UD, P, C, S, TS | should | AA | Agencies should use the latest release of the operating system.
Hardening SOE configurations | 0383 | 4 | Apr-15 | UD, P, C, S, TS | must | AA | Agencies must ensure that default operating system accounts are disabled, renamed or have their passphrase changed.
Hardening SOE configurations | 0380 | 5 | Apr-15 | UD, P, C, S, TS | must | AA | Agencies should remove or disable unneeded operating system accounts, software, components, services and functionality.
Hardening SOE configurations | 1410 | 0 | Apr-15 | UD, P, C, S, TS | must | AA | Local administrator accounts must be disabled.
Hardening SOE configurations | 0382 | 4 | Apr-15 | UD, P, C, S, TS | must not | AA | Users must not have the ability to install, uninstall or disable software.
Hardening application configurations | 1411 | 0 | Apr-15 | UD, P, C, S, TS | should | AA | Agencies should enable and configure any in-built security functionality in applications, and disable any unrequired functionality.
Application whitelisting | 0843 | 5 | Apr-15 | UD, P, C, S, TS | must | AA | Agencies must use an application whitelisting solution within SOEs to restrict the execution of programs and DLLs to an approved set.
Application whitelisting | 0845 | 5 | Apr-15 | UD, P, C, S, TS | should | AA | Agencies should restrict users and system administrators to a subset of approved programs, DLLs, scripts and installers based on their specific duties.
Software-based application firewalls | 1416 | 0 | Apr-15 | UD, P, C, S, TS | must | AA | Agencies must use software-based application firewalls within SOEs to limit both inbound and outbound network connections.
Antivirus and internet security software | 1417 | 0 | Apr-15 | UD, P, C, S, TS | must | AA | Agencies must use antivirus or internet security software within SOEs.
36. Standard Operating Environment
A sample of Healthdirect’s stack for SOE
CIS Base AMI
Host Intrusion Prevention/Detection/Antivirus/Antimalware
Configuration Management Agent
Monitoring Agent
Logging Agent
Privileged Access Management Agent
Encryption Agent
Hardening configuration
37. Standard Build and Configuration
Continuous delivery of infrastructure as code
Pipeline diagram: an Orchestration Manager drives a Provisioning Server (fed by a Provisioning Repository holding the stack template) and a Configuration Manager (fed by a Configuration Repository holding the CIS hardening config, Tomcat config, Nginx config and database config). The flow is Provision → Configure → Test, exercised against a Test Server before reaching the existing environment VPC.
38. Change Management
ISM Control
Section/Topic | Cntrl. | Revision | Updated | Applicability | Req. | Auth. | Control Statement
Change management process | 1211 | 0 | Sep-12 | UD, P, C, S, TS | must | AA | Agencies must have a formal change management process in place.
Change management process | 0912 | 4 | Sep-12 | UD, P, C, S, TS | should | AA | Agencies should ensure their change management process includes:
• a policy which identifies which changes need to go through the formal change management process
• documenting the changes to be implemented
• formal approval of the change request
• maintaining and auditing logs of all changes
• conducting vulnerability management activities when significant changes have been made to the system
• testing and implementing the approved changes
• updating the relevant information security documentation including the SRMP, SSP and SOPs
• notifying and educating users of the changes that have been implemented as close as possible to the time the change is applied
• continually educating users in regard to changes.
Change management process | 0115 | 2 | Nov-10 | UD, P, C, S, TS | must | AA | Agencies must ensure that for routine and urgent changes:
• the change management process, as defined in the relevant information security documentation, is followed
• the proposed change is approved by the relevant authority
• any proposed change that could impact the security of a system is submitted to the accreditation authority for approval
• all associated information security documentation is updated to reflect the change.
Change management process | 0117 | 2 | Nov-10 | UD, P, C, S, TS | must | AA | The change management process must define appropriate actions to be followed before and after urgent changes are implemented.
40. Privileged Access Management
Sample ISM Controls
Section/Topic | Cntrl. | Revision | Updated | Applicability | Req. | Auth. | Control Statement
Use of privileged accounts | 1175 | 2 | May-16 | UD, P, C, S, TS | must | AA | Agencies must prevent users from using privileged accounts to read emails, open attachments, browse the Web or obtain files via internet services such as instant messaging or social media.
Use of privileged accounts | 0445 | 5 | Apr-15 | UD, P, C, S, TS | must | AA | Agencies must restrict the use of privileged accounts by ensuring that:
• the use of privileged accounts are controlled and auditable
• system administrators are assigned a dedicated account to be used solely for the performance of their administration tasks
• privileged accounts are kept to a minimum
• privileged accounts are used for administrative work only
• passphrases for privileged accounts are regularly audited to check they meet passphrase selection requirements
• passphrases for privileged accounts are regularly audited to check the same passphrase is not being reused over time or for multiple accounts (particularly between privileged and unprivileged accounts)
• privileges allocated to privileged accounts are regularly reviewed.
Restriction of management traffic flows | 1386 | 1 | Apr-15 | UD, P, C, S, TS | should | AA | Agencies should only allow management traffic to originate from network zones that are used to administer systems and applications.
Hardening SOE configurations | 1345 | 1 | Apr-15 | UD, P, C, S, TS | must | AA | Agencies must disable devices from simultaneously connecting to two different networks.
41. Privileged Access Management
Centralised Control and Audit of Privileged Users
Diagram: a Privileged Access Manager distributes policies (Policy A, Policy B) to a User Policy Agent and collects records from a User Audit Agent on each host. Capabilities shown:
• Strong authentication, including MFA
• Credential management
• Policy based, least privilege access control
• Session recording, auditing, attribution
• Command filtering
• Application password management
42. Vulnerability Management
Sample ISM Controls
Section/Topic | Ctrl. | Rev. | Updated | Applicability | Req. | Auth. | Control Statement
Vulnerability management strategy | 1163 | 1 | Sep-12 | UD, P, C, S, TS | should | AA | Agencies should implement a vulnerability management strategy by:
• conducting vulnerability assessments on systems throughout their life cycle to identify vulnerabilities
• analysing identified vulnerabilities to determine their potential impact and appropriate mitigations or treatments based on effectiveness, cost and existing security controls
• using a risk-based approach to prioritise the implementation of identified mitigations or treatments
Patching vulnerabilities | 1143 | 4 | Apr-15 | UD, P, C, S, TS | must | AA | Agencies must develop and implement a patch management strategy covering the patching of vulnerabilities in operating systems, applications, drivers and hardware devices.
Patching vulnerabilities | 0297 | 3 | Apr-15 | UD, P, C, S, TS | should | AA | Agencies should monitor relevant sources for information about new vulnerabilities and associated patches for operating systems, applications, drivers and hardware devices.
When to patch vulnerabilities | 1144 | 7 | May-16 | UD, P, C, S, TS | must | AA | Security vulnerabilities in operating systems, applications, drivers and hardware devices assessed as extreme risk must be patched or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent 3rd parties, owners or users.
When to patch vulnerabilities | 0940 | 6 | Apr-15 | UD, P, C, S, TS | must | AA | Vulnerabilities in operating systems, applications, drivers and hardware devices assessed as below extreme risk must be patched or mitigated as soon as possible.
How to patch vulnerabilities | 0298 | 5 | Apr-15 | UD, P, C, S, TS | should | AA | Where possible, a centralised and managed approach should be used to patch operating systems, applications, drivers and hardware devices.
How to patch vulnerabilities | 0303 | 4 | Apr-15 | UD, P, C, S, TS | must | AA | Agencies must use an approach for patching operating systems, applications, drivers and hardware devices that ensures the integrity and authenticity of patches as well as the processes used to apply them.
43. Vulnerability Management
Automated Linux Patching Pattern
Diagram: upstream RPM repos are synced to a local RPM repo. A Patch Manager, working with the Configuration Manager, Orchestration Manager and Provisioning Manager, runs the cycle across ap-southeast-1 and ap-southeast-2: remove AZ1 nodes from the ELB → patch nodes (update against the local RPM repo) → provision new ELBs and routes → run the automated test suite against a Test Server → restore the original configuration.
45. What does this mean?
• Smarter continuous compliance through automation
• Staff time spent on review and exception management NOT
maintenance
• More consistent application of controls
• Detailed documentation through codification
• Faster deployments – from weeks to minutes
• Fewer mistakes, misconfiguration and mismatches between
environments
• Security designed and built into each iteration of a solution
• Read-only access to Production for humans
Benefits for Healthdirect in AWS
46. Where to next?
• Containerised micro-services
• Easier patch management
• Improved security testing
• Holistic change management
• Better use of resources
• Logging and monitoring for behavioural visibility
• Metacontainer environments
In progress at Healthdirect Australia
47. Summary
• Choose products that have open APIs
• Use AWS and Marketplace options
• Design for human touchpoints in the process
• Look to standardise and reuse
• Start simple and iterate - evolve the code through Development,
Test and Production
• Look for the high-value low-effort fit
• Manage everything in a repository – configuration = documentation
• Build testing into the process
Think like a coder!
50. AWS Training & Certification
Intro Videos & Labs: free videos and labs to help you learn to work with 30+ AWS services, in minutes!
Training Classes: in-person and online courses to build technical skills, taught by accredited AWS instructors
Online Labs: practice working with AWS services in a live environment; learn how related services work together
AWS Certification: validate technical skills and expertise; identify qualified IT talent or show you are AWS cloud ready
Learn more: aws.amazon.com/training