3. exactly
GxP, ISO 13485, AS9100, ISO/TS 16949
Diagram: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). AWS is responsible for the security OF the Cloud.
4. Diagram (shared responsibility model):
AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
Customers have their choice of security configurations IN the Cloud: Customer applications & content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection.
5. Diagram (Availability Zone A / Availability Zone B):
Customer side: Resilient applications architecture; Customer content backups, archives and continuity solutions; Customer content, transactions and data-stores; Customer resilience and recovery processes. Customers control how they manage continuity and recovery.
AWS side: Resilient infrastructure configurations; AWS business resiliency processes. AWS builds resilient services and features to help customers.
6. Diagram (layers of control):
AWS managed and audited controls: NIST 800-53, PCI-DSS, SOC 1, SOC 2, ISO 27001
AWS provided, customer configured and managed controls: Logging, Key management, Virtual Private Cloud, other AWS service features
Customer provided and managed controls: IDaM, Encryption, Classification, Monitoring, ITSM, Governance, Security policy, Operations, Malware, Risk management
Customer risk appetite and desired control environment: Technology risks, Sourcing risks, Business risks, Security risks, Compliance
Customers control: customers decide on the appropriate controls and manage and monitor the effectiveness of those controls. Customers take reliance on AWS control reports.
11. You are making API calls... on a growing set of services around the world... AWS CloudTrail is continuously recording API calls... and delivering log files to you.
Diagram: AWS CloudTrail recording calls from services such as Redshift, AWS CloudFormation and AWS Elastic Beanstalk.
15. Customers retain full ownership and control of their content: control of privacy; encryption any way that you choose; access; lifecycle and disposal; (fragment: "you choose to do so").
16. Regions (map): US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), AWS GovCloud (US), SOUTH AMERICA (Sao Paulo), EU-WEST (Ireland), EU-CENTRAL (Frankfurt), ASIA PAC (Tokyo), ASIA PAC (Seoul), ASIA PAC (Singapore), ASIA PAC (Sydney), CHINA (Beijing). (Fragment: "you put it".)
18. segregate duties
With AWS IAM you get to control who can do what in your AWS environment and from where
Fine-grained control of your AWS cloud with two-factor authentication
Integrated with your existing corporate directory using SAML 2.0 and single sign-on
Diagram: AWS account owner delegating to Network management, Security management, Server management and Storage management.
20. AWS Virtual Private Cloud (diagram: Availability Zone A / Availability Zone B)
• Provision a logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances
AWS network security
• The AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity
23. Diagram: EC2 AMI catalogue → Launch instance → Running instance → Configure instance → Your instance (Operating system; Hardening and configuration; Audit and logging; Vulnerability management; Malware and IPS; Whitelisting and integrity; User administration)
Configure your environment as you like
You get to apply your existing security policy
Create or import your own ‘gold’ images
• Import existing VMs to AWS or save your own custom images
Choose how to build your standard host security environment
Apply your existing host controls and configurations
24. First class security and compliance starts (but doesn’t end!) with encryption
Automatic encryption with managed keys
Bring your own keys
Dedicated hardware security modules
26. AWS CloudHSM (diagram: EC2 Instance connected to AWS CloudHSM)
You can also store your encryption keys in AWS CloudHSM: you fully control the keys; single tenant for you; increase performance; comply with stringent regulatory (requirements).
28. CloudWatch Logs: log everything and monitor events in those logs
• Storage is cheap - collect and keep your logs
• Store logs durably in write-only storage
• Integration with CloudWatch Metrics and Alarms means you can continually scan for events you know might be suspicious
IF (detect web attack > 10 in a 1 minute period)
ALARM - INCIDENT IN PROGRESS
NOTIFY CERT
33. Diagram (OPS / SEC / DEV overlap): AppSec • Security as Code • Self-Service Testing • Red Team/Blue Team • Inline Enforcement • Analytics & Insights • Detect & Contain • Incident Response • Investigations • Forensics
35. • Fun: Scan the API + ingest Config/CloudTrail, trigger firewall audits and revert unapproved changes
• Fun: Track known-good CloudFormation stacks & AMIs, alert on or neutralize non-compliant/non-approved deploys.
36. • Fun: Enforce encryption of all assets with HIPAA or data classification tags. Continuous enforcement! (KMS!)
• Fun: CloudTrail/Config user attribution of use/abuse.
• More Fun: Maps to PCI DSS 7.1.3, COBIT DS5.4, ISO 17799, and more!
AWS allows you to see your ENTIRE infrastructure at the click of a mouse
Can you map your current network?
Also, you can do that automatically via the API, as many times as you need.
Exciting new service – OK, exciting if you’re a security professional like me, perhaps not exciting as my kids view the world. CloudTrail is your eyes behind the scenes at AWS. It gives you insight into all of the API calls made which are associated with your account(s). It lets you understand who did what, from where, and when.
AWS KMS provides a single place to manage your organization’s encryption keys. KMS presents a single view for all of the key usage, and allows you to easily implement key creation, rotation, usage policies, and auditing to help keep all of your encryption key management in check.
The AWS Key Management Service provides audit trail information directly to AWS CloudTrail. These audit trails help you meet compliance and regulatory requirements by providing logs of who used which key to access which data and when that access occurred.
Enterprises segregate important duties to reduce the risk of accidental or malicious changes
AWS allows fine-grained segregation across virtually all aspects of the service
For example, you can segregate
Who can change network configuration
Who can change firewalls
Who can change how the VPC connects to the Internet or back to your corporate premises
Who can start and stop servers
Who can snapshot and restore storage volumes
AWS IAM offers a programmatic level of control and granularity that would not be possible to implement in traditional on-premises environments
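To make the segregation concrete, here is an added example (not code from the presentation) that evaluates IAM-style policies the way IAM decides: implicit deny by default, any matching Allow grants, and any matching explicit Deny wins regardless of order. It also carries the two guardrails these notes come back to later, denying the calls that switch off CloudTrail and requiring an MFA-authenticated session for destructive actions, and shows why that MFA condition must use BoolIfExists rather than Bool. The role policies, action lists and the `guardrails` helper are constructed for the example; Resource ARNs, NotAction and the other condition operators are left out.

```python
"""Segregation of duties with IAM-style policies, as a toy evaluator.

Added example, not code from the presentation. It reproduces the core of
IAM's decision logic (default deny; an explicit Deny beats any Allow; '*'
wildcards in Action; case-insensitive action names) and one condition key,
aws:MultiFactorAuthPresent. Resource ARNs, NotAction and the remaining
condition operators are left out. The role policies are constructed.
"""
import fnmatch

ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*"}]}

NETWORK_MANAGEMENT = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*Vpc*", "ec2:*Subnet*", "ec2:*RouteTable*",
                                   "ec2:*SecurityGroup*", "ec2:*InternetGateway*",
                                   "ec2:Describe*"]},
]}

SERVER_MANAGEMENT = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:StartInstances",
                                   "ec2:StopInstances", "ec2:TerminateInstances",
                                   "ec2:Describe*"]},
    # Server admins may launch hosts but never change firewalls.
    {"Effect": "Deny", "Action": "ec2:*SecurityGroup*"},
]}


def guardrails(mfa_operator="BoolIfExists"):
    """Policy attached to every group: nobody may switch off the audit trail,
    and destructive actions require an MFA-authenticated session.

    aws:MultiFactorAuthPresent is absent entirely for long-term access keys.
    With "Bool" a missing key makes the condition false, so the Deny never
    fires for access-key callers; "BoolIfExists" treats a missing key as a
    match, which is what a guardrail needs."""
    return {"Statement": [
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                                      "iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"]},
        {"Effect": "Deny", "Action": ["ec2:TerminateInstances", "ec2:DeleteVpc"],
         "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]}


def _matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError("unsupported condition operator: " + operator)
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue          # missing key counts as satisfied
                return False          # missing key: condition cannot be true
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policies, action, context=None):
    """IAM decision: explicit Deny wins, then any Allow, else implicit deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    for role, pol in (("network", NETWORK_MANAGEMENT), ("server", SERVER_MANAGEMENT)):
        for action in ("ec2:AuthorizeSecurityGroupIngress", "ec2:StartInstances",
                       "cloudtrail:StopLogging"):
            print(role, action, is_allowed([pol, guardrails()], action))
```

The `context` dict stands in for the request context IAM builds from the caller's credentials; a session obtained with MFA carries `aws:MultiFactorAuthPresent` as `"true"`, a console session without MFA carries `"false"`, and a plain access key carries nothing, which is the case the `guardrails("Bool")` variant silently lets through.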
You can use storage services, such as S3 and EBS, which allow you to encrypt data automatically, where we manage the keys on your behalf, so you don’t have to worry about them. You can also bring your own keys to use with S3 or EBS encryption, or you can use CloudHSM services, where you can store your keys in a physical piece of hardware which is specifically designed to be tamper-proof - if someone tries to break in, it shuts down and self-destructs.
A lot of customers are happy to let us manage the keys for them; however, other customers want more control over how keys are managed, and how they are put to use in their applications, across their data and within the organization.
These are services that can be directly used during an audit
AWS Config
This new service will really help you understand what is your current state of systems and relationships, and how they change over time.
KMS
Customer-managed key service
CloudTrail
API activity logs
Trusted Advisor
Automated security checks
IAM console: at-a-glance view of Last AWS Sign-in
A quick at-a-glance view from the IAM console showing who has logged into AWS and how they did it.
IAM Credential Reports
This is in case you want evidence that your users are following security best practices, such as requiring MFA for administrative-level users.
I’m going to spend a little time talking about some of these innovations for auditors.
Monitors information system accounts for and reports atypical usage of information system accounts.
Beetle: And if you click “Continue”, then when you look at a CloudTrail configuration screen, you can see that Logging is “OFF”.
Speaking from the perspective of a security geek, it is probably a good idea to know if and when CloudTrail is turned off. But I would like to not have to visit each CloudTrail account configuration to figure that out.
Josh, there has to be a better way for knowing if and when CloudTrail is turned off.
Josh: There is. With CloudTrail turned on, you have a record of the API request that turned CloudTrail OFF.
Here is what that API request would look like. You will notice that the “StopLogging” API request was made to the CloudTrail service in the us-west-2 region.
Josh:
So if we looked in that CloudFormation template, you would see something like this. This is an AWS CloudWatch Metric Filter that is defined within a CloudFormation template in JSON format.
The important thing to notice is what is highlighted in white there – I’m filtering CloudTrail event records for the “EventName” of StopLogging.
I can then use this metric in combination with an alarm to send me a notification when it is detected.
Josh:
Here is a CloudWatch Alarm for the previous metric filter
Josh
Now let’s investigate. As CloudTrail will log the event “StopLogging”, we can see who made the request to do this. So if we pull up the CloudTrail event, we can see the IAM user named ‘reinvent-sc308’ was the user who made this request and the request originated from 55.55.55.55 .
Josh: So now that we know what happened, how could we prevent this from happening in the future? Well, we could simply add an IAM policy to our IAM Groups or Roles in order to deny permissions we don’t want our users to have.
Beetle: When you look in your CloudTrail logs, this is a snippet of what the MFA Deactivate request would look like. Notice the EventName is “DeactivateMFADevice”.
Josh:
But how can we force individuals to use their MFA devices? Well, we have a blog post that talks about that specifically. I’d recommend you check it out:
http://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users
[Josh]
So some customers would prefer to know when unapproved AMIs are launched. So how can we detect this?
Well, we’d want to compare each launched instance’s AMI against a whitelist of approved AMI IDs.
What is the best way? A whitelist could be rather long…
[Josh]
So let’s look at a flow diagram of how this works. We configure AWS CloudTrail to send logs to our Amazon S3 bucket. We then want Amazon S3 to send event notifications to Amazon SNS whenever a new log is deposited in the bucket. The SNS topic can have multiple Lambda subscribers, which can then each check and react to different things.
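The pipeline described above, written out as an added example (not the presenters' code): a Lambda handler that unwraps the SNS-delivered S3 notification, fetches the gzipped CloudTrail file, and runs three checks over its records: StopLogging and other trail tampering, MFA device deactivation, and RunInstances with an AMI outside the approved set. The CloudTrail record fields it reads (`eventName`, `userIdentity`, `sourceIPAddress`, `requestParameters.instancesSet`, `errorCode`, `sessionContext.attributes.mfaAuthenticated`) are CloudTrail's documented format; the sample records, account ID, AMI IDs, bucket name and the `APPROVED_AMIS` set are constructed. `boto3` is imported only inside the handler so the analysis code runs offline.

```python
"""Detect suspicious CloudTrail events from a delivered log file.

Added example, not the presenters' code. Flow: CloudTrail -> S3 ->
S3 event notification -> SNS -> this Lambda. The record shapes are
CloudTrail's documented format; the sample records, account ID, AMI IDs
and bucket name are constructed for the example.
"""
import json
from urllib.parse import unquote_plus

# Constructed whitelist. In production load it from S3, SSM or DynamoDB at
# cold start; a set keeps membership O(1) however long the list gets.
APPROVED_AMIS = {"ami-0a1b2c3d", "ami-0ffe1234"}

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
MFA_WEAKENING = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}


def _actor(record):
    ident = record.get("userIdentity", {})
    # IAM users carry userName; assumed roles and root only carry an ARN.
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _mfa_state(record):
    ctx = record.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("attributes", {}).get("mfaAuthenticated", "unknown")


def _launched_amis(record):
    # responseElements holds what was launched; requestParameters what was asked for.
    for section in ("responseElements", "requestParameters"):
        items = ((record.get(section) or {}).get("instancesSet") or {}).get("items", [])
        ids = {i.get("imageId") for i in items if i.get("imageId")}
        if ids:
            return ids
    return set()


def analyze_trail(log_file, approved_amis):
    """Return one finding per suspicious record, in record order."""
    findings = []
    for rec in log_file.get("Records", []):
        name = rec.get("eventName", "")
        base = {"eventName": name, "user": _actor(rec), "sourceIP": rec.get("sourceIPAddress"),
                "region": rec.get("awsRegion"), "eventTime": rec.get("eventTime"),
                "mfa": _mfa_state(rec)}
        if name in TRAIL_TAMPERING:
            findings.append({**base, "rule": "audit-trail-tampering",
                             "detail": rec.get("requestParameters", {}).get("name")})
        elif name in MFA_WEAKENING:
            findings.append({**base, "rule": "mfa-weakened",
                             "detail": rec.get("requestParameters", {}).get("userName")})
        elif name == "RunInstances" and "errorCode" not in rec:
            # A failed RunInstances (errorCode set) launched nothing; ignore it.
            bad = _launched_amis(rec) - approved_amis
            if bad:
                findings.append({**base, "rule": "unapproved-ami", "detail": sorted(bad)})
    return findings


def parse_s3_locations(sns_event):
    """(bucket, key) pairs from the SNS-wrapped S3 notification Lambda receives."""
    locations = []
    for rec in sns_event.get("Records", []):
        message = json.loads(rec["Sns"]["Message"])
        for s3rec in message.get("Records", []):
            # Object keys in S3 notifications are URL-encoded.
            locations.append((s3rec["s3"]["bucket"]["name"],
                              unquote_plus(s3rec["s3"]["object"]["key"])))
    return locations


def lambda_handler(event, context):
    import gzip, boto3  # imported here so the rest of the module runs without the SDK
    s3 = boto3.client("s3")
    findings = []
    for bucket, key in parse_s3_locations(event):
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        findings.extend(analyze_trail(json.loads(gzip.decompress(body)), APPROVED_AMIS))
    for f in findings:
        print(json.dumps(f))  # lands in CloudWatch Logs; alarm on it or publish to SNS
    return findings


# Constructed sample log file: three bad records, one benign launch, one failed launch.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2015-10-06T18:53:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-west-2", "sourceIPAddress": "55.55.55.55",
     "userIdentity": {"type": "IAMUser", "userName": "reinvent-sc308"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-west-2:123456789012:trail/Default"}},
    {"eventTime": "2015-10-06T18:54:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "55.55.55.55",
     "userIdentity": {"type": "IAMUser", "userName": "reinvent-sc308"},
     "requestParameters": {"userName": "alice", "serialNumber": "arn:aws:iam::123456789012:mfa/alice"}},
    {"eventTime": "2015-10-06T18:55:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2", "sourceIPAddress": "55.55.55.55",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-deadbeef"}]}},
     "responseElements": {"instancesSet": {"items": [{"imageId": "ami-deadbeef", "instanceId": "i-0abc"}]}}},
    {"eventTime": "2015-10-06T18:56:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0a1b2c3d"}]}}},
    {"eventTime": "2015-10-06T18:57:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2", "sourceIPAddress": "10.0.0.5",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-deadbeef"}]}}},
]}
```

Each finding carries who, from where, when and whether the session was MFA-authenticated, which is the attribution the investigation step above pulls out of the StopLogging event by hand. Printing findings as JSON lines to CloudWatch Logs means the same metric-filter-and-alarm pattern used for StopLogging can page on them, and the handler's return value lets a second SNS subscriber act on them (for example, terminating the instance from the unapproved AMI).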