Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).

1. Implementing FISMA Moderate
Applications
Nathan Beach
Principle Solution Architect
AWS Worldwide Public Sector

2. Session Topics
Resources Available Online
Hi! We’re Here to Help You
Things to Consider
FISMA Primer
Where to Begin
We’re In This Together
Putting the Solution Together
Public Sector Security Ecosystem

3. Resources Available Online
GSA: FedRAMP Home Page
 http://www.gsa.gov/portal/category/102371
NIST: Computer Security Division – Resource Center
 http://csrc.nist.gov/publications/PubsSPs.html
AWS Security and Compliance Center
 http://aws.amazon.com/security/
 New AWS: Risk Compliance Whitepaper, July 2012
AWS Architecture Center
 http://aws.amazon.com/architecture/
AWS U.S. Federal Government
 http://aws.amazon.com/federal/
Find AWS Partner Solution Providers
 https://aws.amazon.com/solution-providers

4. Hi! We’re Here to Help You
Getting Started
 Account Representatives
 Partner Representatives
 Solution Architects
 Security and Compliance Team
Up and Running
 Technical Account Managers
 Premium Support Services
But most of all….

5. Our Public Sector Security Ecosystem
https://aws.amazon.com/solution-providers/

6. Things to Consider
You Understand Applicable Federal Regulations and
Data Protection Policies
 FISMA, FERPA, HIPAA, CUI, PCI,...
Your Solution Is Suitable for Accreditation
Your Government Sponsor is a Full-Partner in the
Process
 Business Owner
 Information Assurance Team

7. Applicable CUI Information Domains
CUI Category CUI Category CUI Category
Agriculture Copyright Critical Infrastructure
Export Control (ITAR) Financial Immigration
Intelligence Law Enforcement Legal
Nuclear Patent Privacy
Proprietary (IP) Statistical Tax
Transportation

8. Solution Suitability for Accreditation
Designed and Implemented with FISMA Accreditation
as a primary goal.
Ability to configure or customize relevant control
areas:
 Access Controls
 Identification and Authorization
 Audit Points and Audit Integrity
 System and System Communication Protection
 Etc…

9. FISMA Primer – 18 Controls
AC – Access Control PE - Physical and
AT – Awareness and Training Environmental Protection
AU – Audit and Accountability PL – Planning
CA – Security Assessment and PS – Personnel Security
Authorization RA – Risk Assessment
CM – Configuration SA – System and Services
Management Acquisition
CP – Contingency Planning SC – System and
IA – Identification and Communications Protection
Authentication SI – System and Information
IR – Incident Response Integrity
MA – Maintenance PM – Program Management
MP – Media Protection

10. FISMA Primer (cont.)
Customer Configured
 Definition: The workload operator seeking accreditation
is required to proactively use and configure capabilities
implemented and maintained by AWS to be in
compliance with the control.
Customer Provided
 Definition: The workload operator seeking accreditation
is required to implement, maintain, proactively use and
configure capabilities independently of AWS to be in
compliance with the control.

11. FISMA Primer (cont.)
Hybrid Controls
 Definition: Shared implementation responsibility
between AWS and the workload operator seeking
accreditation.

12. We’re In This Together: Shared
Software
Responsibility
Firewalls/IDS/AV
Application
Customer Control &
Customer Responsibility
Data
Guest Operating System
Hypervisor
AWS Control &
Hardware
AWS Responsibility
Physical Infrastructure

13. Examples of “Customer Responsibilities”
Apply Your Information Management Program - that
integrates Information Assurance
Standardize Machine Images – create gold copy images
for production deployment/to launch new instances
Build and test in a sandbox environment – work out
the bugs, figure out how to break it, architect to be resilient
Do the same stuff you do in-house – quarterly patch
management, IDS/IPS, logging, tripwire, etc.
Conduct a Risk Assessment - to determine level of
security controls you require
Role Based Access Controls – restrict access to system
components based upon need to know

14. Examples of “Customer Responsibilities” (cont.)
Use Encryption – for data in transit, for data at rest,
file system
Key Management – rotate keys used to access your
resources (AWS does not hold these…you do)
Setup Monitoring/Alerting – collect metrics and
enable alerting for when events occur
Vulnerability Scans – allowed via a permission
process (else we’ll kill/block the source of scans)
Prepare for Failure – create backups, store data
in more than one location, test backups, have a
contingency system ready

15. Together
Putting the Solution
Physical Security HW, SW, Network Certifications
Datacenters in Systematic change SOC 1 Type 2
nondescript facilities management (formerly SAS-70)
Physical access Phased updates ISO 27001
strictly controlled deployment
PCI DSS for
Must pass two-factor Safe storage EC2, S3, EBS, VPC,
authentication at decommission RDS, ELB, IAM
least twice for floor
Automated FISMA Moderate
access
monitoring and self- Compliant Controls
Physical access audit
HIPAA & ITAR
logged and audited
Advanced network Compliant
protection Architecture
Amazon Physical Infrastructure (GSS)
(Datacenters, Network Devices, Servers, Dark Fiber, Raw Storage Devices, Security Systems, Fire
Suppression, UPS/Backup Power Systems, Environmental Control Systems, Reserved Commercial
Fiber/Network Capacity, Infrastructure Control Systems and Services)
1. In-Scope Service Feature operated under common service control process.
2. Amazon GSA IaaS BPA Partner Apptis provides FIPS 140-2 validated encryption when accessing from agency
machines configured in agreement with United States Government Configuration Baseline (USGCB) baselines.

16. Together
Putting the Solution
Amazon VPC Architecture
with DirectConnect
Infrastructure
Compute Services Network Services Building Blocks
Amazon EC2 Amazon VPC Storage Services
HPC Clusters1 Elastic Load Balancers1 Amazon S3
Auto Scaling1 Amazon Route 531 Amazon EBS
VM Import1 Direct Connect1
Amazon Physical Infrastructure (GSS)
(Datacenters, Network Devices, Servers, Dark Fiber, Raw Storage Devices, Security Systems, Fire
Suppression, UPS/Backup Power Systems, Environmental Control Systems, Reserved Commercial
Fiber/Network Capacity, Infrastructure Control Systems and Services)
1. In-Scope Service Feature operated under common service control process.
2. Amazon GSA IaaS BPA Partner Apptis provides FIPS 140-2 validated encryption when accessing from agency
machines configured in agreement with United States Government Configuration Baseline (USGCB) baselines.

17. Users and Groups within Accounts
Together
Putting the Solution
Unique security credentials
 Access keys
 Login/Password
 MFA device
Policies control access to AWS APIs
Deep integration into S3
 policies on objects and buckets
AWS Management Console now supports User log on
Not for Operating Systems or Applications
 use LDAP, Active Directory, ADFS, etc...
Identity and Access Management1 Cross Service
(IAM w/ Multi-Factor Authentication) Features
Infrastructure
Compute Services Network Services Building Blocks
Amazon EC2 Amazon VPC Storage Services
HPC Clusters1 Elastic Load Balancers1 Amazon S3
Auto Scaling1 Amazon Route 531 Amazon EBS
VM Import1 Direct Connect1
Amazon Physical Infrastructure (GSS)
(Datacenters, Network Devices, Servers, Dark Fiber, Raw Storage Devices, Security Systems, Fire
Suppression, UPS/Backup Power Systems, Environmental Control Systems, Reserved Commercial
Fiber/Network Capacity, Infrastructure Control Systems and Services)
1. In-Scope Service Feature operated under common service control process.
2. Amazon GSA IaaS BPA Partner Apptis provides FIPS 140-2 validated encryption when accessing from agency
machines configured in agreement with United States Government Configuration Baseline (USGCB) baselines.

18. AWS Multi-Factor Authentication
• Helps prevent anyone with unauthorized knowledge of your
credentials from impersonating you
• Additional protection for account information and critical APIs
• Physical and virtual MFA devices supported via RFC 6238
• Works with
 Account (root) identity
 IAM Users
• Integrated into
 AWS Management Console
 Key pages on the AWS Portal
 MFA-protected API access (new feature)
 S3 secure delete
A recommended opt-in security feature!

19. Customer Workload Business/
AWS Network Layer – Configuration Touch Points Mission
Together
Putting the Solution
Services
Libraries and SDKs1 Web Interface2 Command Line Tools to Access
Java, .Net, Ruby, PHP Management Console Interface1 AWS Services
Identity and Access Management1 Cross Service
(IAM w/ Multi-Factor Authentication) Features
Infrastructure
Compute Services Network Services Building Blocks
Amazon EC2 Amazon VPC Storage Services
HPC Clusters1 Elastic Load Balancers1 Amazon S3
Auto Scaling1 Amazon Route 531 Amazon EBS
VM Import1 Direct Connect1
Amazon Physical Infrastructure (GSS)
(Datacenters, Network Devices, Servers, Dark Fiber, Raw Storage Devices, Security Systems, Fire
Suppression, UPS/Backup Power Systems, Environmental Control Systems, Reserved Commercial
Fiber/Network Capacity, Infrastructure Control Systems and Services)
1. In-Scope Service Feature operated under common service control process.
2. Amazon GSA IaaS BPA Partner Apptis provides FIPS 140-2 validated encryption when accessing from agency
machines configured in agreement with United States Government Configuration Baseline (USGCB) baselines.

20. Amazon VPC Architecture
NAT Private Customer’s isolated
AWS resources
Public Private Subnets
Internet Router
VPN
Gateway
Amazon
Web Services
Cloud
Secure VPN
Connection over
AWS DirectConnect
Customer’s
Network

21. Business/
Together
Putting the Solution
Customer Workload
AWS Network Layer – Configuration Touch Points Mission
Services
Customer Operating Systems
AWS Virtualization Layer – Configuration Touch Points
Customer Storage
AWS Storage Layer – Configuration Touch Points
Libraries and SDKs1 Web Interface2 Command Line Tools to Access
Java, .Net, Ruby, PHP Management Console Interface1 AWS Services
Identity and Access Management1 Cross Service
(IAM w/ Multi-Factor Authentication) Features
Infrastructure
Compute Services Network Services Building Blocks
Amazon EC2 Amazon VPC Storage Services
HPC Clusters1 Elastic Load Balancers1 Amazon S3
Auto Scaling1 Amazon Route 531 Amazon EBS
VM Import1 Direct Connect1
Amazon Physical Infrastructure (GSS)
(Datacenters, Network Devices, Servers, Dark Fiber, Raw Storage Devices, Security Systems, Fire
Suppression, UPS/Backup Power Systems, Environmental Control Systems, Reserved Commercial
Fiber/Network Capacity, Infrastructure Control Systems and Services)
1. In-Scope Service Feature operated under common service control process.
2. Amazon GSA IaaS BPA Partner Apptis provides FIPS 140-2 validated encryption when accessing from agency
machines configured in agreement with United States Government Configuration Baseline (USGCB) baselines.

24. Business/
Together
Putting the Solution
Customer Workload
AWS Network Layer – Configuration Touch Points Mission
Services
Customer Application
Customer Operating Systems
AWS Virtualization Layer – Configuration Touch Points
Customer Storage
AWS Storage Layer – Configuration Touch Points
Libraries and SDKs1 Web Interface2 Command Line Tools to Access
Java, .Net, Ruby, PHP Management Console Interface1 AWS Services
Identity and Access Management1 Cross Service
(IAM w/ Multi-Factor Authentication) Features
Infrastructure
Compute Services Network Services Building Blocks
Amazon EC2 Amazon VPC Storage Services
HPC Clusters1 Elastic Load Balancers1 Amazon S3
Auto Scaling1 Amazon Route 531 Amazon EBS
VM Import1 Direct Connect1
Amazon Physical Infrastructure (GSS)
(Datacenters, Network Devices, Servers, Dark Fiber, Raw Storage Devices, Security Systems, Fire
Suppression, UPS/Backup Power Systems, Environmental Control Systems, Reserved Commercial
Fiber/Network Capacity, Infrastructure Control Systems and Services)
1. In-Scope Service Feature operated under common service control process.
2. Amazon GSA IaaS BPA Partner Apptis provides FIPS 140-2 validated encryption when accessing from agency
machines configured in agreement with United States Government Configuration Baseline (USGCB) baselines.

25. Virtual Firewall & IDS
Appliance
AWS VPC Gateway Company
Over DirectConnect Network
Company VPN Gateway
Security Group A
HTTP/HTTPS DMZ - 10.254.1.0/24 , 10.254.2.0/24
Policy B
53
”
DNS
ud
lo
SC
Company.com AWS Management MFA
”
W
PC
Console
“A
“V
Elastic Load Balancer
Logs IAM Add-on
Security Group B Security Group B
WEB
10.30.1.X Policy C IAM
Security Policy
Auto Scaling Group A
Security Group
Security Group C Security Group C S3 Bucket
Business
10.20.1.X Policy D
Auto Scaling Group B
LDAP DC
S3 Bucket
Security Group D Security Group D Backups IAM Add-on
Data Svc
10.10.1.X
Backups
YourDBSvr YourDBSvr
Availability Zone #1 Availability Zone #2
AWS Virtual Private Cloud

26. AWS Public Sector Security Ecosystem