AWS PROTECTED Certification - Lunch & Learn
1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
John Hildebrandt, Solutions Architect
PROTECTED on AWS
May 2019
2. Amazon Web Services now PROTECTED certified
Australian Government agencies can use Amazon Web Services' PROTECTED services to innovate faster while they manage risk and compliance in a more efficient and cost-effective way.
3. Voice of our customers
“Innovation and cloud help form the basis on which we will make the Australian government more secure. Innovation is good. Cloud is good – because it helps us move off from legacy systems. Our biggest risk is indeed legacy systems.”
4. Benefits of PROTECTED on AWS
Guidance available
3 Availability Zones
Standard public pricing
5. AWS Global Infrastructure
https://aws.amazon.com/about-aws/global-infrastructure/
21 Regions – 64 Availability Zones – 180 Network PoPs
6. AWS Availability Zones
Sydney Region (ap-southeast-2) with three Availability Zones: ap-southeast-2a, ap-southeast-2b and ap-southeast-2c, each made up of its own physical sites.
7. Quick acronym glossary
ACSC: Australian Cyber Security Centre (https://www.acsc.gov.au/)
ASD: Australian Signals Directorate (https://asd.gov.au/)
ISM: Australian Government Information Security Manual
IRAP: Information Security Registered Assessors Program
8. The process AWS took with the ACSC
Phase 1: Documentation review
Phase 2: Assess the system
Certification: ACSC deep dive
No shortcuts to PROTECTED.
9. PROTECTED services in scope
Analytics: Amazon EMR, Amazon Kinesis Data Firehose, Amazon Kinesis Data Streams
Application Integration: AWS Step Functions, Amazon Simple Notification Service, Amazon Simple Queue Service, Amazon Simple Workflow Service
Compute: Amazon EC2, Amazon ECS, ELB, AWS Lambda
Databases: Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift, Amazon RDS
Desktop: Amazon WorkSpaces, Amazon WorkDocs
Management: Amazon CloudWatch, AWS CloudFormation, AWS CloudTrail, AWS Config, AWS Systems Manager
Mobile: Amazon API Gateway
Networking & Content Delivery: Amazon CloudFront, Amazon VPC, AWS Direct Connect
Security: Amazon Cognito, Amazon GuardDuty, Amazon Inspector, AWS CloudHSM, AWS Directory Service, IAM, AWS KMS
Storage: S3, Amazon S3 Glacier, Amazon EBS
https://aws.amazon.com/compliance/services-in-scope/
10. What's the difference?
Is there a checkbox? How do I order PROTECTED services?
… there is no difference!
11. Additional Unclassified DLM services
All PROTECTED services can be used at Unclassified DLM.
Unclassified DLM services can be leveraged in PROTECTED solutions.
Trusted Advisor, Amazon Route 53, AWS Organizations, AWS Shield
12. AWS Shared Responsibility Model
Customers control their own security policies.
Security OF the Cloud: managed by AWS.
Security IN the Cloud: managed by customers.
15. Consumer Guide
ACSC-developed guidance specifies the required mitigations and additional security controls for using AWS in PROTECTED systems.
Available now on AWS Artifact.
You may need to adapt it for your design and business requirements. Talk to ACSC and AWS.
Services that are certified UNCLASSIFIED DLM are not excluded from use in PROTECTED systems, but must not contain or process PROTECTED information themselves.
16. Consumer Guidance (cont)
Data-in-transit protection: Direct Connect + link encryption + application encryption.
Data-at-rest protection: enable where possible; preference for KMS.
Data Sovereignty: Commonwealth entities must deploy their PROTECTED workloads within the Asia Pacific (Sydney) region, unless the specific service is not available in this region.
17. Consumer Guidance (cont)
Incident response
Enable Amazon GuardDuty in all regions and all accounts.
Watch the AWS security bulletin page. Leverage AWS Support.
Commonwealth entities need to be aware that they must also provide monitoring and incident response services for their PROTECTED and UDLM systems within their area of responsibility.
Logging, Monitoring, Audit
Implement the ACSC government logging solution. Contact ACSC*.
This is in addition to your own logging, monitoring and audit.
Enable CloudTrail in Sydney (SYD) with global service events enabled.
* email: asd.assist@defence.gov.au
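A worked check for the incident-response and logging guidance above, as an added example that is not code from the deck, AWS or the ACSC: it evaluates CloudTrail and GuardDuty configuration against the points on this slide (a logging, multi-region trail homed in ap-southeast-2 with global service events captured, and a GuardDuty detector enabled in every region) and reports each deviation. The `SAMPLE_*` API responses are constructed inline so the script runs offline; `collect_live()` shows the boto3 calls you would use against a real account. The finding wording, sample account and key identifiers, and the list of regions are assumptions of this example.

```python
"""Check CloudTrail and GuardDuty settings against the PROTECTED consumer guidance.

Added example, not code from the deck. The SAMPLE_* data below is constructed to
look like boto3 responses; swap in collect_live() output to assess a real account.
"""
from __future__ import annotations

from typing import Iterable

SYDNEY = "ap-southeast-2"

# --- constructed sample data (shapes follow boto3's cloudtrail/guardduty responses) ---
SAMPLE_TRAILS = [  # shaped like cloudtrail.describe_trails()["trailList"]
    {
        "Name": "org-audit",
        "TrailARN": "arn:aws:cloudtrail:ap-southeast-2:111122223333:trail/org-audit",
        "HomeRegion": SYDNEY,
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,   # the slide's "global events"
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:ap-southeast-2:111122223333:key/EXAMPLE-KEY-ID",
        "S3BucketName": "org-audit-logs",
    },
    {
        "Name": "legacy",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy",
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": False,
        "LogFileValidationEnabled": False,
        "S3BucketName": "legacy-logs",
    },
]
# shaped like {TrailARN: cloudtrail.get_trail_status(Name=arn)["IsLogging"]}
SAMPLE_LOGGING = {
    SAMPLE_TRAILS[0]["TrailARN"]: True,
    SAMPLE_TRAILS[1]["TrailARN"]: False,
}
# shaped like {region: [guardduty.get_detector(DetectorId=i) for i in list_detectors()["DetectorIds"]]}
SAMPLE_DETECTORS = {
    SYDNEY: [{"DetectorId": "12abc34de56f", "Status": "ENABLED"}],
    "ap-southeast-1": [{"DetectorId": "78ghi90jk12l", "Status": "DISABLED"}],
    "us-east-1": [],
}
SAMPLE_REGIONS = [SYDNEY, "ap-southeast-1", "us-east-1"]


def check_trails(trails: Iterable[dict], logging_status: dict[str, bool]) -> list[str]:
    """Return findings (empty list = compliant) for a set of CloudTrail trails."""
    trails = list(trails)
    findings: list[str] = []
    # The guidance wants CloudTrail anchored in Sydney with global service events
    # (IAM, STS, CloudFront, ...) captured; a multi-region trail also records
    # activity in every other region, so nothing outside Sydney goes unlogged.
    anchor = [
        t for t in trails
        if t.get("HomeRegion") == SYDNEY
        and t.get("IsMultiRegionTrail")
        and t.get("IncludeGlobalServiceEvents")
        and logging_status.get(t.get("TrailARN", ""), False)
    ]
    if not anchor:
        findings.append("no logging multi-region trail homed in ap-southeast-2 with global service events")
    for t in trails:
        name = t.get("Name", "<unnamed>")
        if not logging_status.get(t.get("TrailARN", ""), False):
            findings.append(f"{name}: trail exists but is not logging")
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"{name}: log file validation is off, so tampering with delivered logs is undetectable")
        if not t.get("KmsKeyId"):
            findings.append(f"{name}: log files are not encrypted with a KMS key")
    return findings


def check_guardduty(detectors_by_region: dict[str, list[dict]], regions: Iterable[str]) -> list[str]:
    """Return one finding per region that has no ENABLED GuardDuty detector."""
    findings: list[str] = []
    for region in regions:
        detectors = detectors_by_region.get(region, [])
        if not any(d.get("Status") == "ENABLED" for d in detectors):
            findings.append(f"{region}: GuardDuty is not enabled")
    return findings


def evaluate(trails, logging_status, detectors_by_region, regions) -> dict:
    """Combine both checks into one report."""
    report = {
        "cloudtrail": check_trails(trails, logging_status),
        "guardduty": check_guardduty(detectors_by_region, regions),
    }
    report["compliant"] = not (report["cloudtrail"] or report["guardduty"])
    return report


def collect_live() -> dict:
    """Fetch the same inputs from a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline sample run has no dependency

    session = boto3.session.Session()
    regions = session.get_available_regions("guardduty")
    ct = session.client("cloudtrail", region_name=SYDNEY)
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    # shadow copies of a multi-region trail share one ARN, so the dict de-duplicates them
    logging_status = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"])["IsLogging"] for t in trails}
    detectors_by_region = {}
    for region in regions:
        gd = session.client("guardduty", region_name=region)
        ids = gd.list_detectors()["DetectorIds"]
        detectors_by_region[region] = [gd.get_detector(DetectorId=i) for i in ids]
    return {"trails": trails, "logging_status": logging_status,
            "detectors_by_region": detectors_by_region, "regions": regions}


if __name__ == "__main__":
    report = evaluate(SAMPLE_TRAILS, SAMPLE_LOGGING, SAMPLE_DETECTORS, SAMPLE_REGIONS)
    for area, items in report.items():
        print(area, items)
```

Run it as-is to see the sample report, or replace the `SAMPLE_*` arguments with `**collect_live()` to assess a real account from a role that has read-only CloudTrail and GuardDuty permissions. Log file validation and KMS encryption are not named on the slide but are the two settings that make the trail usable as evidence, so the check treats their absence as a finding.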
18. Consumer Guidance (cont)
Segmentation and Segregation
Amazon Virtual Private Cloud Security Groups and Network ACLs provide layer 3 firewall capabilities which have been IRAP assessed and certified by ASD at PROTECTED.
Leverage AWS Organizations Service Control Policies (SCPs).
DNS configuration
19. Consumer Guidance (cont)
Service Hardening
Use the latest EC2 instance generations (Nitro).
Lock down the root account and enable MFA.
Lock down IAM accounts, including MFA and source IP controls.
Other documentation
ACSC Essential Eight Maturity Model
ACSC Cloud Security for Tenants
AWS Security and Compliance guidance
20. Additional certification guidance
All PROTECTED certified services can be used at UNCLASSIFIED DLM.
UNCLASSIFIED DLM certified services can be leveraged in PROTECTED solutions.
Specific global UNCLASSIFIED DLM certified services can leverage AWS Regions outside of Australia, subject to ACSC guidance.
(Please refer to the ACSC Certification Report and Consumer Guide for more details.)
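The data-sovereignty rule (slide 16), the SCP recommendation (slide 18), the MFA and source IP controls on IAM accounts (slide 19) and the allowance for global services outside Australia (slide 20) all reduce to Deny statements with conditions. As an added example that is not from the deck, AWS or the ACSC, the block below writes the two policies and a small evaluator for exactly the subset of IAM policy semantics they use (Action/NotAction, StringNotEquals, Bool/BoolIfExists, NotIpAddress, including how each operator treats a missing context key), so you can see which requests each policy blocks before attaching it. The list of exempted global services, the corporate range 203.0.113.0/24 and the Sid names are assumptions of this example, not values from the guidance.

```python
"""Region-restriction SCP and MFA/source-IP identity policy, with a minimal evaluator.

Added example, not code from the deck or from AWS. The evaluator covers only the
policy features used here; it is a learning aid, not a replacement for the IAM
policy simulator.
"""
from __future__ import annotations

import fnmatch
import ipaddress
import json

# SCP for the Organization (attach to every OU holding PROTECTED workloads). It denies any
# API call whose aws:RequestedRegion is not Sydney, except for global services that are
# served from other regions. The exemption list is an assumption of this example; keep it
# to services that are on the UNCLASSIFIED DLM list and needed for the account to operate.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideSydney",
            "Effect": "Deny",
            "NotAction": [
                "iam:*", "sts:*", "organizations:*", "support:*", "trustedadvisor:*",
                "route53:*", "cloudfront:*", "shield:*",
            ],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-southeast-2"]}},
        }
    ],
}

# Identity policy for human IAM users: no MFA, no access; and only from the corporate egress
# range (203.0.113.0/24 is a documentation prefix standing in for your real range).
MFA_SOURCE_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWithoutMFA",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            # BoolIfExists also denies when the key is absent, i.e. plain long-term access keys
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
        {
            "Sid": "DenyFromOutsideCorpRange",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt: dict, action: str) -> bool:
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate a Condition block against request-context keys (every operator must hold)."""
    for operator, pairs in condition.items():
        negated = operator.startswith(("StringNot", "NotIp"))
        if_exists = operator.endswith("IfExists")
        base = operator.replace("IfExists", "")
        for key, expected in pairs.items():
            expected = [str(v).lower() for v in _as_list(expected)]
            actual = ctx.get(key)
            if actual is None:
                # Missing key: ...IfExists and negated operators evaluate to true, others to false
                if if_exists or negated:
                    continue
                return False
            if base in ("StringEquals", "StringNotEquals", "Bool"):
                matched = str(actual).lower() in expected
            elif base in ("IpAddress", "NotIpAddress"):
                matched = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c, strict=False)
                              for c in expected)
            else:
                raise ValueError(f"operator {operator} is outside this example's scope")
            if matched == negated:   # positive operators need a match, negated ones need none
                return False
    return True


def explicit_deny(policy: dict, action: str, ctx: dict) -> str | None:
    """Return the Sid of the first Deny statement that matches the request, else None."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or not _statement_covers(stmt, action):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt.get("Sid", "<unnamed>")
    return None


def policy_json(policy: dict) -> str:
    """Serialise for `aws organizations create-policy` or `aws iam put-user-policy`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(explicit_deny(REGION_SCP, "ec2:RunInstances", {"aws:RequestedRegion": "us-east-1"}))
    print(explicit_deny(REGION_SCP, "iam:CreateUser", {"aws:RequestedRegion": "us-east-1"}))
    print(explicit_deny(MFA_SOURCE_IP_POLICY, "s3:GetObject", {"aws:SourceIp": "203.0.113.9"}))
```

Two caveats the evaluator makes visible: an SCP never applies to the management account, so PROTECTED workloads should never live there; and the source IP deny also hits calls that AWS services make on the user's behalf from AWS address space, so test the policy in the IAM policy simulator against your deployment tooling before rolling it out.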
21. Reference Architecture
Developed by AWS Solutions Architects in conjunction with, and reviewed by, ACSC technical staff.
Now available on AWS Artifact.
An example application (an intranet web application) to help get customers started.
Leverages concepts from the AWS Shared Responsibility Model, the AWS Cloud Adoption Framework and the AWS Well-Architected Framework.
You can leverage and adapt it as a starting point for your workloads.
Please provide feedback to guide future development.
22. Reference Architecture
24. Reference Architecture – CAF alignment
Identity: AWS Identity & Access Management (IAM) - min priv. + MFA; AWS Organizations - SCPs; AWS Directory Service - federated ID
Detective control: AWS CloudTrail - all accounts and regions; AWS Config; Amazon CloudWatch, CloudWatch Logs, CloudWatch Events; Amazon GuardDuty - all accounts and regions; VPC Flow Logs; ACSC Logging solution
Infrastructure security: Amazon EC2; Systems Manager - patching, automation, session, parameters; AWS Shield; AWS Web Application Firewall (WAF); Amazon Inspector; Amazon Virtual Private Cloud (VPC); AWS CloudFormation
Data protection: AWS Key Management Service (KMS) - recommended on all supported services; server side encryption; encryption in transit - VPN and application
Incident response: AWS Config Rules - e.g. KMS enforcement, continuous compliance; AWS Lambda
25. Reference Architecture
Amazon S3 buckets for log receipt in separate logging and security accounts.
AWS Lambda functions for security event processing and automation, for example to respond to selected Amazon CloudWatch Events.
Business-level or greater support enabled on all accounts to access AWS Trusted Advisor security reports.
Logs from this solution will be sent to the Department's central logging solution. Departments should have a centralised logging solution in place.
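An added example of the Lambda-driven event processing this slide describes (not the reference architecture's own code, which is on AWS Artifact): a handler for a CloudWatch Events rule matching `GuardDuty Finding` events that triages the finding by severity, emits one structured JSON line for the central logging solution, and for high-severity findings against an EC2 instance moves the instance into a quarantine security group. The event is constructed in the shape CloudWatch Events uses for GuardDuty findings; the quarantine group id, the `DRY_RUN` environment variable and the severity thresholds (GuardDuty's documented Low/Medium/High buckets) are assumptions of this example.

```python
"""Triage GuardDuty findings delivered via CloudWatch Events and quarantine EC2 instances.

Added example, not code from the reference architecture. Wire it to a CloudWatch Events
rule with pattern {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]};
the function role needs ec2:ModifyInstanceAttribute on the target instances.
"""
from __future__ import annotations

import json
import os

# Assumed configuration: a security group with no inbound or outbound rules, created in advance.
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-0123456789abcdef0")
DRY_RUN = os.environ.get("DRY_RUN", "true").lower() == "true"

# Constructed sample event (fields follow the CloudWatch Events envelope for GuardDuty findings).
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "ap-southeast-2",
    "account": "111122223333",
    "detail": {
        "id": "8ab1234567890abcdef1234567890abc",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "title": "Instance i-0abc123def4567890 is querying a domain associated with a known C&C server.",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0abc123def4567890"},
        },
        "service": {"archived": False, "count": 3},
    },
}


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to its documented Low/Medium/High buckets."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage(event: dict) -> dict:
    """Pure decision step: what happened, how bad it is, and what (if anything) to do."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    score = float(finding.get("severity", 0))
    instance_id = finding.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    label = severity_label(score)
    # Auto-contain only HIGH findings that point at an EC2 instance; everything else is
    # logged for an analyst, so a noisy low-severity finding type cannot take down a fleet.
    action = "quarantine_instance" if label == "HIGH" and instance_id else "notify_only"
    return {
        "finding_id": finding.get("id"),
        "type": finding.get("type"),
        "account": event.get("account"),
        "region": event.get("region"),
        "severity": score,
        "severity_label": label,
        "instance_id": instance_id,
        "action": action,
    }


def quarantine_instance(instance_id: str, region: str, dry_run: bool = DRY_RUN) -> bool:
    """Replace the instance's security groups with the quarantine group. True if applied."""
    if dry_run:
        return False
    import boto3  # deferred so triage() stays testable without AWS credentials

    ec2 = boto3.client("ec2", region_name=region)
    # Replaces the group set on the primary network interface; multi-ENI instances
    # need modify_network_interface_attribute per interface as well.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    return True


def handler(event: dict, context=None) -> dict:
    """Lambda entry point."""
    decision = triage(event)
    if decision["action"] == "quarantine_instance":
        decision["applied"] = quarantine_instance(decision["instance_id"], decision["region"])
    # One JSON line per finding; CloudWatch Logs forwards it to the central logging solution.
    print(json.dumps(decision))
    return decision


if __name__ == "__main__":
    handler(SAMPLE_EVENT)
```

The split between `triage()` and `quarantine_instance()` is deliberate: the decision is pure and unit-testable, and the only side effect sits behind a dry-run flag, so the function can be deployed in observe-only mode first and switched to enforcement once the finding types that trigger it have been reviewed.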
26. Resources
AWS and Essential 8: https://aws.amazon.com/blogs/publicsector/aws-and-the-australian-signals-directorate-essential-eight/
AWS and ASD Cloud Security for Tenants: https://d1.awsstatic.com/whitepapers/compliance/Understanding_the_ASDs_Cloud_Computing_Security_for_Tenants_in_the_Context_of_AWS.pdf
Services in Scope: https://aws.amazon.com/compliance/services-in-scope/
AWS Compliance IRAP page: https://aws.amazon.com/compliance/irap/
AWS Security and Compliance pages: https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/
27. Summary
ACSC awarded PROTECTED certification to AWS.
Now listed on the CCSL (Certified Cloud Services List) at PROTECTED and UNCLASSIFIED DLM levels.
Broad range of services now in scope at PROTECTED.
All available at standard public pricing.
Leverage the established AWS Sydney region with 3 Availability Zones.
Reference Architecture and ACSC Consumer Guidance immediately available.
28. Call to action
Provide feedback on services in scope.
Provide feedback on the Consumer Guidance and Reference Architecture.
Go build!
Leverage other resources:
• Security Best Practices and Whitepapers
• Compliance Quick Starts
• Provide feedback on what you need.