The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help security professionals thwart cyber security incidents. Within this list of strategies, eight have been identified as essential for government agencies to implement as a security baseline starting point. This session offers customers practical guidance for meeting the ASD Essential Eight using AWS services to help them achieve compliance goals faster and more cost effectively.
4. Strategies to Mitigate Cyber Security Incidents
• The Australian Signals Directorate (ASD) developed a prioritised list of mitigation strategies.
• No single strategy is guaranteed to prevent incidents.
• Eight of the strategies carry an 'essential' effectiveness rating; ASD considers them the cyber security baseline for all organisations.
https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm
5. The Essential Eight
To prevent malware running:
• Patch Applications (Top 4)
• Application Whitelisting (Top 4)
• Disable untrusted Microsoft Office macros
• User application hardening
To limit the extent of incidents and recover data:
• Patch operating systems (Top 4)
• Restrict administrative privileges (Top 4)
• Multi-factor authentication
• Daily backup of important data
https://www.asd.gov.au/publications/protect/essential-eight-explained.htm
7. Security is Job Zero
• Network Security
• Physical Security
• Platform Security
• People & Procedures
8. AWS Security & Compliance – Every Customer Benefits
AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
https://www.asd.gov.au/infosec/irap/certified_clouds.htm
10. AWS Foundation Services (shared responsibility model)
AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
Customers decide how to implement their own security policies.
11. Sources of Best Practices
AWS Cloud Adoption Framework (CAF): how to move to the cloud securely, including the "Core Five Epics":
• Identity and Access Management
• Detective Control
• Infrastructure Security
• Data Protection
• Incident Response
AWS Security Best Practices: whitepaper with 44 best practices, including:
• Identity and Access Management (10 best practices)
• Logging and Monitoring (4)
• Infrastructure Security (15)
• Data Protection (15)
Center for Internet Security (CIS) Benchmarks: 148 detailed recommendations for configuration and auditing, covering:
• "AWS Foundations" with 52 checks aligned to AWS best practices
• "AWS Three-Tier Web Architecture" with 96 checks for web applications
13. Patching
Security in the cloud:
Existing tools
• Existing Linux and Windows tooling.
Leverage AWS services
• Amazon EC2 Systems Manager (SSM) Patch Manager
• AWS Elastic Beanstalk (managed platform updates)
• Amazon RDS and Amazon Redshift (AWS applies engine and OS patches during the configured maintenance window; you still own the window and the upgrade schedule)
Cloud native approaches
• Immutable infrastructure, "image baking", AWS CloudFormation
• Serverless: AWS Lambda
14. Introducing Amazon EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all of your Windows and Linux workloads, running in Amazon EC2 or on-premises.
15. Systems Manager capabilities
• Run Command
• State Manager
• Automation
• Inventory
• Patch Manager
• Maintenance Window
• Parameter Store
The deck groups these under three headings: "Deploy, Configure, and Administer", "Track and Update", and "Shared Capabilities".
16. Patch Manager
• Express custom patch policies as patch baselines, e.g., approve critical patches on day 1 but wait 7 days for non-critical patches
• Perform patching during scheduled maintenance windows
• Built-in patch compliance reporting
• Removes manual steps and reduces time-to-deploy for critical updates and fixes for zero-day vulnerabilities
Roll out patches using custom-defined rules and pre-scheduled maintenance windows.
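The approval rules described above, worked through as an added example (this is not code from the deck or from AWS). The baseline dictionary uses the field names and values that the SSM CreatePatchBaseline API accepts; the evaluation of those rules against a constructed patch feed is a local model of what Patch Manager does, written here so the day-0/day-7 behaviour and the compliance view can be checked offline. The baseline name, package identifiers and release dates are assumptions.

```python
from datetime import date, timedelta

# Approval rules in the shape of the CreatePatchBaseline 'ApprovalRules'
# parameter (filter keys and compliance levels are the real API values).
PATCH_BASELINE = {
    "Name": "essential-eight-amzn-linux",   # assumed baseline name
    "OperatingSystem": "AMAZON_LINUX",
    "ApprovalRules": {
        "PatchRules": [
            {   # critical fixes: approved on release day
                "PatchFilterGroup": {"PatchFilters": [
                    {"Key": "SEVERITY", "Values": ["Critical"]}]},
                "ApproveAfterDays": 0,
                "ComplianceLevel": "CRITICAL",
            },
            {   # everything else: 7-day soak before approval
                "PatchFilterGroup": {"PatchFilters": [
                    {"Key": "SEVERITY", "Values": ["Important", "Medium", "Low"]}]},
                "ApproveAfterDays": 7,
                "ComplianceLevel": "HIGH",
            },
        ]
    },
    # Explicitly excluded packages (constructed: a build pinned to this openssl)
    "RejectedPatches": ["openssl-1.0.1k-15.99.amzn1"],
}

# Constructed update-feed entries; attribute keys match the patch filter keys.
PATCHES = [
    {"Id": "kernel-4.9.20-11.31.amzn1",  "SEVERITY": "Critical",  "CLASSIFICATION": "Security", "ReleaseDate": "2017-04-10"},
    {"Id": "bash-4.2.46-28.38.amzn1",    "SEVERITY": "Important", "CLASSIFICATION": "Security", "ReleaseDate": "2017-04-08"},
    {"Id": "curl-7.51.0-6.83.amzn1",     "SEVERITY": "Important", "CLASSIFICATION": "Security", "ReleaseDate": "2017-04-01"},
    {"Id": "openssl-1.0.1k-15.99.amzn1", "SEVERITY": "Critical",  "CLASSIFICATION": "Security", "ReleaseDate": "2017-04-09"},
    {"Id": "vim-8.0.0503-1.45.amzn1",    "SEVERITY": "Low",       "CLASSIFICATION": "Bugfix",   "ReleaseDate": "2017-03-20"},
]


def _matches(patch, filter_group):
    """A patch matches a filter group when every filter's value list contains
    the patch's attribute (or the filter is the '*' wildcard)."""
    for f in filter_group["PatchFilters"]:
        if f["Values"] != ["*"] and patch.get(f["Key"]) not in f["Values"]:
            return False
    return True


def approved_patches(baseline, patches, today):
    """Return {patch_id: compliance_level} for patches approved as of 'today'
    (a date or ISO string). Rejected patches never appear; the first matching
    rule decides whether a patch is approved yet."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    approved = {}
    for patch in patches:
        if patch["Id"] in baseline.get("RejectedPatches", []):
            continue
        released = date.fromisoformat(patch["ReleaseDate"])
        for rule in baseline["ApprovalRules"]["PatchRules"]:
            if not _matches(patch, rule["PatchFilterGroup"]):
                continue
            if released + timedelta(days=rule["ApproveAfterDays"]) <= today:
                approved[patch["Id"]] = rule["ComplianceLevel"]
            break   # first matching rule wins, approved or still soaking
    return approved


def instance_compliance(installed_ids, approved):
    """Compliance view for one instance: status plus the approved patches it
    is missing, each tagged with the baseline's compliance level."""
    missing = {pid: lvl for pid, lvl in approved.items() if pid not in installed_ids}
    return ("COMPLIANT" if not missing else "NON_COMPLIANT"), missing


if __name__ == "__main__":
    approved = approved_patches(PATCH_BASELINE, PATCHES, "2017-04-10")
    print("approved on 2017-04-10:", approved)
    # Constructed: a web server that only took last week's updates
    print(instance_compliance({"curl-7.51.0-6.83.amzn1", "vim-8.0.0503-1.45.amzn1"}, approved))
```

Two things the model makes visible: a rejected patch stays out even when its severity rule would approve it, and an "Important" patch released two days ago is not yet approved, so an instance missing it is still reported compliant. If that soak period is too long for an actively exploited bug, the fix is to change the baseline rule or add the patch to the approved list, not to patch by hand outside the maintenance window.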
18. Immutable Infrastructure - AMI Build Pipeline
The diagram shows the components of the pipeline:
• Developer → Code Repository → CI/CD Pipeline
• Configuration Service
• AMI Builder instances, which bake the image in layers: Base AMI → Foundational AMI → Full-Stack AMI
• AMI Registry, where the resulting images are registered
19. AWS Lambda: Serverless computing
Run code without servers. Pay only for the compute time you consume.
Triggered by events or called from APIs:
• PUT to an Amazon S3 bucket
• Updates to Amazon DynamoDB table
• Call to an Amazon API Gateway endpoint
• Mobile app back-end call
• And many more…
Makes it easy to:
• Perform real-time data processing
• Build scalable back-end services
• Glue and choreograph systems
20. Application Whitelisting
Security in the cloud:
Existing tools
• Existing Linux and Windows tooling.
• GPO
• Windows AppLocker
• PowerShell DSC
Leverage AWS services to augment
• AWS Directory Service, SSM Run Command and Automation
• Amazon EC2 SSM Inventory, SSM State Manager
• AWS Config Rules
• Security Groups
Cloud native approaches
• Immutable infrastructure, "image baking", AWS CloudFormation
• Serverless: AWS Lambda
• Amazon AppStream 2.0
21. SSM - State Manager
• Example: configuring the firewall and updating anti-malware definitions
• Define new policies using simple JSON-based Documents
• Control how and when a configuration is applied and maintained
• Helps enforce enterprise-wide compliance of configuration policies
Define and maintain a consistent configuration of OS and applications.
22. SSM - Inventory
• Instance and OS details, network configuration, list of files, installed software and patches
• Collect data from predefined inventory types or write a custom one using a JSON Document
• AWS Config integration enables tracking the history of changes
• Use AWS Config Rules to monitor changes and notify
• Simplifies management scenarios, such as licensing usage tracking and identifying which instances carry software affected by a newly disclosed vulnerability
Scalable way of collecting, querying, and auditing detailed software inventory information.
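How the Inventory data feeds an application-whitelisting check (slides 20 and 22), as an added example rather than code from the deck or from AWS: the installed-software records use the field names of the AWS:Application inventory type, and the output is shaped like the evaluations a custom AWS Config rule hands to PutEvaluations. The allow-list, instance IDs and package entries are constructed; the check itself runs offline on those embedded records.

```python
# Allow-list keyed by package name; None means any version is acceptable.
ALLOWED_SOFTWARE = {
    "httpd": {"2.4.25"},
    "openssl": {"1.0.2k"},
    "amazon-ssm-agent": None,
}

# Constructed AWS:Application inventory entries per instance (field names as
# SSM Inventory reports them); instance IDs and versions are made up.
INVENTORY = {
    "i-0a1b2c3d4e5f67890": [
        {"Name": "httpd", "Version": "2.4.25", "Publisher": "Amazon Linux", "ApplicationType": "System Environment/Daemons"},
        {"Name": "openssl", "Version": "1.0.2k", "Publisher": "Amazon Linux", "ApplicationType": "System Environment/Libraries"},
        {"Name": "amazon-ssm-agent", "Version": "2.0.790.0", "Publisher": "Amazon.com", "ApplicationType": "System Environment/Daemons"},
        {"Name": "nmap-ncat", "Version": "6.40", "Publisher": "Amazon Linux", "ApplicationType": "Applications/Internet"},
    ],
    "i-0fedcba9876543210": [
        {"Name": "httpd", "Version": "2.4.23", "Publisher": "Amazon Linux", "ApplicationType": "System Environment/Daemons"},
        {"Name": "amazon-ssm-agent", "Version": "2.0.790.0", "Publisher": "Amazon.com", "ApplicationType": "System Environment/Daemons"},
    ],
    "i-0bbbbbbbbbbbbbbbb": [
        {"Name": "httpd", "Version": "2.4.25", "Publisher": "Amazon Linux", "ApplicationType": "System Environment/Daemons"},
        {"Name": "amazon-ssm-agent", "Version": "2.0.790.0", "Publisher": "Amazon.com", "ApplicationType": "System Environment/Daemons"},
    ],
    "i-0123456789abcdef0": [],   # agent present but no inventory collected yet
}

_NOT_LISTED = object()


def software_violations(applications, allowed):
    """Return one message per installed package that is either absent from the
    allow-list or present at a version the allow-list does not approve."""
    violations = []
    for app in applications:
        versions = allowed.get(app["Name"], _NOT_LISTED)
        if versions is _NOT_LISTED:
            violations.append(f'{app["Name"]} {app["Version"]}: not on allow-list')
        elif versions is not None and app["Version"] not in versions:
            violations.append(f'{app["Name"]} {app["Version"]}: version not approved')
    return violations


def config_evaluations(inventory, allowed):
    """One evaluation per instance in the shape AWS Config PutEvaluations
    expects. An instance with no inventory is INSUFFICIENT_DATA, not
    COMPLIANT: silence from the agent is not evidence of a clean host."""
    evaluations = []
    for instance_id, apps in inventory.items():
        if not apps:
            ctype, note = "INSUFFICIENT_DATA", "no AWS:Application inventory reported"
        else:
            violations = software_violations(apps, allowed)
            ctype = "NON_COMPLIANT" if violations else "COMPLIANT"
            note = "; ".join(violations) or "all installed software on allow-list"
        evaluations.append({
            "ComplianceResourceType": "AWS::EC2::Instance",
            "ComplianceResourceId": instance_id,
            "ComplianceType": ctype,
            "Annotation": note[:256],   # Config caps annotations at 256 characters
        })
    return evaluations


if __name__ == "__main__":
    for ev in config_evaluations(INVENTORY, ALLOWED_SOFTWARE):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```

Inventory is a detective control: it tells you a non-approved binary is installed, not that it was blocked. Pair this rule with the preventive tooling on slide 20 (AppLocker, DSC, baked images) and use the NON_COMPLIANT evaluations as the trigger for Run Command or Automation to remediate.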
23. Inventory – System Diagram
• An SSM Agent runs on each managed instance: Amazon EC2 Windows instances, Amazon EC2 Linux instances and on-premises instances.
• The AWS SSM service uses State Manager to run the Amazon EC2 Inventory SSM document on each instance; the collected data lands in the Inventory Store.
• Inventory data is queried through the Amazon EC2 console and the SSM CLI/APIs.
• AWS Config receives the inventory data, so change history is available through the AWS Config console and CLI/APIs.
26. Restrict Administrative Privileges and Multi-Factor Authentication
Security in the cloud:
Existing tools
• Existing Linux and Windows tooling.
• AD and MFA
• OS controls and best practices at the Amazon EC2 OS level.
Leverage AWS services
• AWS API layer: AWS IAM, AWS Organizations, MFA for the AWS Console, CLI and API; follow best practices.
• Federation: Amazon WorkSpaces, AWS Directory Service
• Automate validation: Amazon Inspector, AWS Config Rules, AWS IAM, AWS CloudTrail
Cloud native approaches
• Immutable infrastructure, "image baking", AWS CloudFormation
• Run Command
• Serverless approaches
• AWS Service Catalog
• Restrict based on usage
https://aws.amazon.com/iam/details/mfa/
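The "AWS API layer" bullet and the "automate validation" bullet above, made concrete in one added example (not code from the deck or from AWS): an IAM policy that grants administrators full access but denies every call unless the session is MFA-authenticated, a small evaluator for that policy so the BoolIfExists behaviour can be checked offline, and a CloudTrail audit that flags root usage, console logins without MFA and API calls from sessions that were not MFA-authenticated. The group name, account ID, user names and the CloudTrail records are constructed; the record fields (`additionalEventData.MFAUsed`, `sessionContext.attributes.mfaAuthenticated`) are the ones CloudTrail actually emits.

```python
import fnmatch

# Policy for the 'Administrators' group (assumed name): full access, but an
# explicit Deny on every call unless the session was MFA-authenticated.
# BoolIfExists makes the Deny also hit requests where the key is absent,
# which is what a plain long-term access key looks like.
ADMIN_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _condition_holds(condition, context):
    """Evaluate an IAM Condition block against a request context.
    Only Bool and BoolIfExists are modelled; that is all this policy needs."""
    for operator, clauses in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in clauses.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue            # missing key satisfies the clause
                return False            # plain Bool: missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, context):
    """Simplified IAM logic: an explicit Deny wins, then Allow, else implicit deny."""
    decision = "DENY"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"
        decision = "ALLOW"
    return decision


# Constructed CloudTrail records, trimmed to the fields the audit reads;
# the account ID, names and access key ID are made up.
EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "AttachUserPolicy",          # long-term access key: no session context at all
     "userIdentity": {"type": "IAMUser", "userName": "carol", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventName": "StopInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Ops/dave",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]


def mfa_findings(events):
    """Return (eventName, principal, reason) for every record that violates the
    'no admin activity without MFA, no root usage' rule."""
    findings = []
    for ev in events:
        ident = ev["userIdentity"]
        who = ident.get("userName") or ident.get("arn") or ident["type"]
        if ident["type"] == "Root":
            findings.append((ev["eventName"], who, "root credentials used"))
        elif ev["eventName"] == "ConsoleLogin":
            if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append((ev["eventName"], who, "console login without MFA"))
        else:
            attrs = ident.get("sessionContext", {}).get("attributes", {})
            if attrs.get("mfaAuthenticated") != "true":
                findings.append((ev["eventName"], who, "API call from a session that was not MFA-authenticated"))
    return findings


if __name__ == "__main__":
    for ctx in ({"aws:MultiFactorAuthPresent": "true"}, {"aws:MultiFactorAuthPresent": "false"}, {}):
        print("iam:CreateUser with", ctx, "->", evaluate(ADMIN_MFA_POLICY, "iam:CreateUser", ctx))
    for finding in mfa_findings(EVENTS):
        print(*finding)
```

The empty context case is the one that matters: a request signed with a long-term access key carries no `aws:MultiFactorAuthPresent` key, so a policy written with plain `Bool` would not deny it. BoolIfExists closes that gap, and the CloudTrail check catches the same class of activity after the fact, which is why the deck lists IAM and CloudTrail together under "automate validation".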
28. Amazon Inspector
Detect and remediate security issues early and often:
• Built-in content library: check against common security standards and known vulnerabilities
• Detailed reports: prioritise potential issues and get remediation recommendations
29. Daily Backup of Important Data
Security in the cloud:
Existing tools
• Existing Linux and Windows tooling.
• Amazon EC2, Amazon EBS: existing backup tools, with Amazon S3 and Amazon Glacier supported as targets
Leverage AWS services
• Amazon RDS: automated backups and database snapshots (DB Snapshots). Automated backups are kept only for the configured backup retention period and are removed with the instance, so set the retention period explicitly and take a manual snapshot before deleting an instance.
• Amazon Redshift: data continuously backed up to Amazon S3; stores automated snapshots; you can take your own snapshots at any time.
Cloud native approaches
• Immutable infrastructure, "image baking", AWS CloudFormation
• Reduce server backup sizes
• Amazon S3 versioning, MFA Delete.
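A check for the two controls on this slide that are easiest to assume and hardest to notice missing, as an added example (not code from the deck or from AWS): whether every protected EBS volume actually has a completed snapshot for each of the last N days, and whether a backup bucket has both versioning and MFA Delete switched on. The snapshot records follow the DescribeSnapshots field names and the bucket configuration follows the GetBucketVersioning shape; the volume IDs, snapshot IDs, timestamps and bucket name are constructed so the check runs offline.

```python
from datetime import date, datetime, timedelta

# Constructed DescribeSnapshots-style records; IDs and times are made up.
SNAPSHOTS = [
    {"SnapshotId": "snap-0a11", "VolumeId": "vol-0aaa", "StartTime": "2017-04-08T01:05:00Z", "State": "completed"},
    {"SnapshotId": "snap-0a12", "VolumeId": "vol-0aaa", "StartTime": "2017-04-09T01:04:00Z", "State": "completed"},
    {"SnapshotId": "snap-0a13", "VolumeId": "vol-0aaa", "StartTime": "2017-04-10T01:06:00Z", "State": "completed"},
    {"SnapshotId": "snap-0b11", "VolumeId": "vol-0bbb", "StartTime": "2017-04-08T01:05:00Z", "State": "completed"},
    {"SnapshotId": "snap-0b12", "VolumeId": "vol-0bbb", "StartTime": "2017-04-10T01:05:00Z", "State": "error"},
]

# Volumes that hold "important data" (constructed; in practice derive this from a tag)
PROTECTED_VOLUMES = ["vol-0aaa", "vol-0bbb", "vol-0ccc"]


def backup_gaps(snapshots, volumes, today, days=7):
    """Return {volume_id: [ISO dates with no completed snapshot]} over the last
    'days' days ending on 'today' (a date or ISO string). Pending or failed
    snapshots do not count as a backup; a volume with no snapshots at all
    shows every day as missing rather than silently disappearing."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    wanted = [today - timedelta(days=i) for i in range(days)]
    covered = {}
    for snap in snapshots:
        if snap["State"] != "completed":
            continue
        taken = datetime.strptime(snap["StartTime"], "%Y-%m-%dT%H:%M:%SZ").date()
        covered.setdefault(snap["VolumeId"], set()).add(taken)
    return {vol: sorted(d.isoformat() for d in wanted if d not in covered.get(vol, set()))
            for vol in volumes}


def s3_protection_findings(bucket, versioning):
    """versioning: dict in the shape returned by GetBucketVersioning. A bucket
    that was never configured returns neither key, which is treated as 'off'."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append(f"{bucket}: versioning not enabled; overwrites and deletes are unrecoverable")
    if versioning.get("MFADelete") != "Enabled":
        findings.append(f"{bucket}: MFA Delete not enabled; a stolen key can purge every version")
    return findings


if __name__ == "__main__":
    for vol, missing in backup_gaps(SNAPSHOTS, PROTECTED_VOLUMES, "2017-04-10", days=3).items():
        print(vol, "missing:" if missing else "ok", *missing)
    # Constructed: bucket versioning was enabled once, then suspended
    for line in s3_protection_findings("backups-example", {"Status": "Suspended"}):
        print(line)
```

Two caveats the check encodes: a snapshot in the `error` state is not a backup, so vol-0bbb is reported as missing the day it failed, and MFA Delete can only be enabled with the account's root credentials and root MFA device through the API or CLI, so expect it to be absent on buckets that were set up from the console.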
30. User Application Hardening / Disable Untrusted Microsoft Office Macros
Security in the cloud:
Existing tools
• Amazon EC2, Amazon WorkSpaces
• Customers control their own guest operating systems, software and applications.
• Leverage existing tools and processes.
Leverage AWS services
• Leverage SSM
• CIS images
• VPC controls: NACLs, security groups
Cloud native approaches
• Isolate applications and deliver securely.
• A separate Amazon WorkSpace
• Known set of ports to the desktop (or web access)
• Amazon AppStream 2.0: secure application streaming to an HTML5 browser.
31. Summary
• The ASD Essential Eight provides practical actions for organisations to secure IT environments.
• Develop an understanding of the Shared Responsibility Model when leveraging AWS.
• Meet the Essential Eight in AWS via:
  • Existing tools and knowledge
  • AWS features and services
  • Leveraging cloud native concepts
https://d0.awsstatic.com/whitepapers/compliance/Understanding_the_ASDs_Cloud_Computing_Security_for_Tenants_in_the_Context_of_AWS.pdf