As with everything in life there is an easy way and a hard way when it comes to adopting security framework recommendations. Featuring the AWS Well-Architected and Cloud Adoption Frameworks, we will walk you through a complete security journey. We'll start with identification of requirements, then move through a series of how-tos from classifying your data, automating controls, to running fun incident response game days. There will be code giveaways and more!

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Framework Shakedown
Chart Your Journey with AWS Best Practices
Ben Potter | Security Lead, AWS Well-Architected
Ivan Sekulic | IT Security Architect, National Australia Bank
Steven Laino | CISSP/ISSAP, CISM, CCSP Global Security Architect
S E C 2 0 1

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Objectives
• Define a security strategy, deliver a security program and develop
robust security operations on AWS
• Implement Explain AWS security best practices
• AWS security services at an accelerated pace
• Get some code!

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• NAB Cloud security journey
• Cloud adoption framework security perspective
• AWS well-architected framework security pillar

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
National Australia
Bank
Our vision: To be Australia's
leading bank, trusted by
customers for exceptional
service
• One of Australia’s four major
banks and largest business bank
• More than 30,000 employees
and 9 million customers across
900 locations

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Our cloud security strategy
Objectives
• Extend our existing Security
Services to the Cloud
• Integrated and Secure by Default
• Continuous Security Governance

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Our cloud security strategy
Objectives
• Extend our existing Security
Services to the Cloud
• Integrated and Secure by Default
• Continuous Security Governance
Insights
• We had to change our approach
• Scale with automation and
decentralization
• Security compliments agile

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Foundations of continuous compliance
Baseline Compliance Portfolio
AWS Service Compliance Portfolio
Application Compliance Portfolio
Service A Service B
API Gateway Amazon RDS Amazon EBS
Prod Account Non-Prod
Account
Application
Security
Assessment
AWS
Service
Control
Review
Security Posture

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS cloud adoption framework

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CAF security perspective
Security Perspective
Directive
Preventative Detective
Responsive

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Core five epics

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS shared responsibility model

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Define a strategy
Identify your workloads moving to AWSIdentify stakeholders

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deliver a security program
Rationalize security
requirements
Define data protections
and controls
Document security
architecture

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security cartography

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CAF best practices
Inventory current security requirements
Adopt a security framework
Identify workload security controls
Map current security controls cloud controls
Create a security RACI
Create a risk register

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Robust security operations
Deploy architecture Automation Continuous
monitoring
Testing and
Gamedays

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity & Access Mgmt
Detective Control
Infrastructure Security
Data Protection
Incident Response
Week 1 Week 2 Week 5Week 3 Week 4
Sample security Epics journey

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is the AWS Well-Architected Framework?
Pillars Design Principles Questions

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Pillars of AWS Well-Architected
Security Reliability
Performance
Efficiency
Cost
Optimization
Operational
Excellence

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
A mechanism for your cloud journey
Learn Measure Improve

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security design principles
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Top best practices: Strong identity foundation
Root account should never be used
Consider AWS Organizations
Set account security questions & contacts
Centralize identities
Audit periodically

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Top best practices: Strong identity foundation
Never store credentials or secrets in code
Enforce MFA on everything
Use IAM roles for users and services
Establish least privileged policies
Use temporary credentials

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: Enforce MFA
User can only assume a role with MFA
MFA token
Permissions RoleUser AWS CloudPermissions
http://bit.ly/AWSWALabs

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Top best practices: Enable traceability
Consider Amazon GuardDuty
Configure application & infrastructure logging
Centralize using a SIEM
Proactively monitor
Regular reviews of news & best practices

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: Enable traceability
Use AWS CloudFormation!
http://bit.ly/D3T3cT

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Top best practices: Network protection
Amazon CloudFront + AWS WAF
Amazon VPC and security groups
Private connectivity - VPC peering, VPN, AWS Direct Connect
Service endpoints
Enforce service level permission

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: Network protection
Bucket
Instances
Region
VPC
Users
https://amzn.to/2PbHOpz
WAF Automation
www.example.com

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Top best practices: Apply security at all layers
Harden operating systems & defaults
Use anti-malware + intrusion detection
Scan infrastructure
Scan code
Patch vulnerabilities

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: compute protection

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: Scan vulnerabilities
Scan instances with Amazon Inspector
https://amzn.to/2DT9jyg
Scan code in the pipeline
Dependency Check: http://bit.ly/2SPzUAp
Testing
OWASP Zap: http://bit.ly/2yWwzqN

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: Serverless
• Authorization and authentication - API
• Enforce boundaries - AWS services & network
• Input validation
• Protect sensitive data

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Top best practices: Automate security best practices
Template infra: AWS CloudFormation / AWS SAM
Automate build and test
AWS Config rules for verification
Automate response to non-compliance
Automate response to events

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: Automate management
Automation
Patch
manager
State
manager
https://amzn.to/2AaOwSg
https://amzn.to/2DSTLdK
https://amzn.to/2Qihzxm

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: Automate checks
Config Rules

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Top best practices: Protect data
Encryption mechanisms are enforced
Verify accessibility of data, e.g. Amazon S3 & EBS
Consider AWS Certificate Manager
Consider tokenization to substitute sensitive data
Data segmentation and isolation

42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: Classify your data
• Start classifying data based on sensitivity
• Use resource tags to help define the policy
Amazon Macie discover, classify, and protect sensitive data in AWS
IAM control: http://bit.ly/IAMctrlTAG

43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: Keep people away from data
Dashboards for users
Tools for administrators

44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Top best practices: Incident response
Prepare for different scenarios
Pre-deploy tools using automation
Pre-provision access for response teams
Practice responding through game days
Continuously improve your processes

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: Run incident response game day
1. Schedule a four to eight hour block
2. Find a prize (bribery)
3. Supply junk food & beverages
4. Pick relevant scenarios from:
https://amzn.to/2PetNro
5. Create a runbook
6. Practice
7. Have fun!

46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to: Simple run book
Event description
[Attack Type]
[Attack Description]
Data to gather for troubleshooting
[Evaluation of current data]
Steps to troubleshoot and fix
[Contain / impact / recovery / forensics]
Urgency category
[Critical, Important, moderate, informational]
Communications & escalation

47. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

48. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Take action!
CAF: aws.amazon.com/professional-services/CAF/
W-A: aws.amazon.com/well-architected
W-A Labs: http://bit.ly/AWSWALabs
AWS sec twitter: @AWSSecurityInfo
AWS sec blog: https://aws.amazon.com/blogs/security/

49. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

50. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.