© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
John Hildebrandt, Solutions Architect
PROTECTED on AWS
May 2019
Amazon Web Services now PROTECTED certified
Australian Government agencies can use Amazon Web Services' PROTECTED services to innovate faster while they manage risk and compliance in a more efficient and cost-effective way.
Voice of our customers
“Innovation and cloud help form the basis on which we will make the Australian government more secure. Innovation is good. Cloud is good – because it helps us move off from legacy systems. Our biggest risk is indeed legacy systems.”
Benefits of PROTECTED on AWS
Guidance Available
3 Availability Zones
Standard Public Pricing
AWS Global Infrastructure
https://aws.amazon.com/about-aws/global-infrastructure/
21 Regions – 64 Availability Zones – 180 Network PoPs
AWS Availability Zones
The Sydney Region (ap-southeast-2) has three Availability Zones: ap-southeast-2a, ap-southeast-2b and ap-southeast-2c. Each Availability Zone is made up of one or more physical sites.
Quick acronym glossary
ACSC Australian Cyber Security Centre
https://www.acsc.gov.au/
ASD Australian Signals Directorate
https://asd.gov.au/
ISM Australian Government Information Security Manual
IRAP Information Security Registered Assessors Program
CCSL Certified Cloud Services List
The process AWS took with the ACSC
Documentation Review (Phase 1) & Assess the System (Phase 2), followed by the ACSC Deep Dive (Certification).
No shortcuts to PROTECTED
PROTECTED services in scope
Analytics: Amazon EMR, Amazon Kinesis Data Firehose, Amazon Kinesis Data Streams
Desktop: Amazon WorkSpaces, Amazon WorkDocs
Mobile: Amazon API Gateway
Storage: Amazon S3, Amazon S3 Glacier, Amazon EBS
Databases: Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift, Amazon RDS
Management: Amazon CloudWatch, AWS CloudFormation, AWS CloudTrail, AWS Config, AWS Systems Manager
Compute: Amazon EC2, Amazon ECS, ELB, AWS Lambda
Networking & Content Delivery: Amazon CloudFront, Amazon VPC, AWS Direct Connect
Application Integration: AWS Step Functions, Amazon Simple Notification Service, Amazon Simple Queue Service, Amazon Simple Workflow Service
Security: Amazon Cognito, Amazon GuardDuty, Amazon Inspector, AWS CloudHSM, AWS Directory Service, IAM, AWS KMS
https://aws.amazon.com/compliance/services-in-scope/
What’s the difference?
Is there a checkbox? How do I order PROTECTED services?
… there is no difference!
Additional Unclassified DLM services
All PROTECTED services can be used at Unclassified DLM. Unclassified DLM services can be leveraged in PROTECTED solutions.
Trusted Advisor
Amazon Route 53
AWS Organizations
AWS Shield
AWS Shared Responsibility Model
Customers control their own security policies.
Security OF the Cloud: managed by AWS.
Security IN the Cloud: managed by customers.
Figure labels on the slide: 5 Pages, 13 Pages, 67 Pages, 57 Pages.
Consumer Guide
ACSC developed guidance specifies the required mitigations and additional security controls for using AWS in PROTECTED systems.
Available now on AWS Artifact.
May need to adapt for your design and business requirements. Talk to ACSC and AWS.
Services that are certified UNCLASSIFIED DLM are not excluded from use in PROTECTED systems, but must not contain or process PROTECTED information themselves.
Consumer Guidance (cont)
Data-in-transit protection: Direct Connect + link encryption + application encryption.
Data-at-rest protection: enable where possible; preference for KMS.
Data Sovereignty: Commonwealth entities must deploy their PROTECTED workloads within the Asia Pacific (Sydney) region, unless the specific service is not available in this region.
Consumer Guidance (cont)
Incident response
Enable Amazon GuardDuty in all regions and all accounts.
Watch the AWS security bulletin page and leverage AWS Support.
Commonwealth entities must also provide monitoring and incident response services for the PROTECTED and UNCLASSIFIED DLM systems within their area of responsibility.
Logging, Monitoring, Audit
Implement the ACSC government logging solution (contact ACSC*). This is in addition to your own logging, monitoring and audit.
Enable CloudTrail in Sydney (ap-southeast-2) with global service events enabled, so that IAM, STS and other global-service API calls are captured alongside regional activity.
* email: asd.assist@defence.gov.au
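The two settings above (GuardDuty in every region, a CloudTrail trail homed in Sydney that captures global service events) are easy to drift from as accounts multiply. The following is an added example, not code from the slide deck or from AWS, that checks an account's inventory against them offline. The dictionaries follow the field names of `cloudtrail describe-trails` / `get-trail-status` and `guardduty list-detectors` / `get-detector`, but the values, the region list and the account ID are constructed for this example; in practice you would feed the functions the output of those API calls from each account and region.

```python
"""Offline check of CloudTrail and GuardDuty posture against the consumer guidance.

Added example; the inventory below is constructed and the region list and account
ID are assumptions.
"""

SYDNEY = "ap-southeast-2"

# Assumption: every region the agency wants monitored. GuardDuty must be enabled
# in all regions, including ones you never use, so activity an attacker starts
# elsewhere is still detected.
MONITORED_REGIONS = ["ap-southeast-2", "us-east-1", "us-west-2", "eu-west-1"]

# Constructed describe-trails output: one compliant trail and one legacy trail.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "TrailARN": "arn:aws:cloudtrail:ap-southeast-2:111122223333:trail/org-trail",
        "HomeRegion": SYDNEY,
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:ap-southeast-2:111122223333:key/00000000-0000-0000-0000-000000000000",
        "S3BucketName": "agency-central-logs",
    },
    {
        "Name": "legacy-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail",
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": False,
        "LogFileValidationEnabled": False,
        "S3BucketName": "legacy-logs",
    },
]

# Constructed get-trail-status output, keyed by trail ARN.
SAMPLE_TRAIL_STATUS = {
    SAMPLE_TRAILS[0]["TrailARN"]: {"IsLogging": True},
    SAMPLE_TRAILS[1]["TrailARN"]: {"IsLogging": False},
}

# Constructed GuardDuty inventory: region -> detectors (list-detectors + get-detector).
SAMPLE_DETECTORS = {
    "ap-southeast-2": [{"DetectorId": "12abc34d567e8fa901bc2d34e56789f0", "Status": "ENABLED"}],
    "us-east-1": [{"DetectorId": "98fed76c543b2a109fe8d76c5b43a210", "Status": "ENABLED"}],
    "us-west-2": [{"DetectorId": "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "Status": "DISABLED"}],
    # eu-west-1 deliberately absent: no detector has ever been created there
}


def check_trails(trails, statuses):
    """Return findings (strings) for a set of trails; an empty list means compliant."""
    findings = []
    sydney_global = [
        t for t in trails
        if t.get("HomeRegion") == SYDNEY
        and t.get("IsMultiRegionTrail")
        and t.get("IncludeGlobalServiceEvents")
        and statuses.get(t["TrailARN"], {}).get("IsLogging")
    ]
    if not sydney_global:
        findings.append("no active multi-region trail homed in ap-southeast-2 with global service events")
    for t in trails:
        name = t["Name"]
        if not statuses.get(t["TrailARN"], {}).get("IsLogging"):
            findings.append(f"{name}: logging is stopped")
        if not t.get("LogFileValidationEnabled"):
            # Without digest files, tampering with delivered log objects is undetectable.
            findings.append(f"{name}: log file validation disabled")
        if not t.get("KmsKeyId"):
            findings.append(f"{name}: log files are not encrypted with a KMS key")
    return findings


def check_guardduty(detectors_by_region, regions):
    """Return findings for regions that lack an ENABLED GuardDuty detector."""
    findings = []
    for region in regions:
        detectors = detectors_by_region.get(region, [])
        if not detectors:
            findings.append(f"{region}: no GuardDuty detector")
        elif not any(d["Status"] == "ENABLED" for d in detectors):
            findings.append(f"{region}: GuardDuty detector present but not ENABLED")
    return findings


if __name__ == "__main__":
    for f in check_trails(SAMPLE_TRAILS, SAMPLE_TRAIL_STATUS) + check_guardduty(SAMPLE_DETECTORS, MONITORED_REGIONS):
        print("FINDING:", f)
```

Run against the constructed inventory, the legacy trail produces three findings (logging stopped, validation off, no KMS key) and GuardDuty is flagged in us-west-2 and eu-west-1. The same functions can be driven from a scheduled Lambda or an AWS Config custom rule across every account in the organisation.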
Consumer Guidance (cont)
Segmentation and Segregation
Amazon Virtual Private Cloud Security Groups (stateful) and Network ACLs (stateless) provide layer 3/4 packet-filtering firewall capabilities, which have been IRAP assessed and certified by ASD at PROTECTED.
Leverage AWS Organizations Service Control Policies (SCPs).
DNS configuration
Consumer Guidance (cont)
Service Hardening
Use the latest EC2 instance generations (Nitro).
Lock down the root account and enable MFA on it.
Lock down IAM accounts, including MFA and source IP controls.
Other documentation
ACSC Essential Eight Maturity Model
ACSC Cloud Security for Tenants
AWS Security and Compliance guidance
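The data sovereignty rule (PROTECTED workloads stay in ap-southeast-2), the SCP recommendation and the MFA and source IP controls above all come down to explicit Deny statements. The following added example, not from the slide deck or from AWS or ACSC, writes the two policies such guidance typically produces and evaluates them with a small model of the IAM condition operators they rely on. The policy documents are illustrative, the corporate CIDR and the list of exempted global services are assumptions, and only Deny statements are modelled, which is enough because an explicit Deny always wins in IAM evaluation.

```python
"""Explicit-Deny subset of the IAM/SCP policy language, evaluated offline.

Added example. The SCP pins regional services to ap-southeast-2 while exempting
global services, and the IAM policy refuses anything but MFA enrolment when no
MFA is present and refuses all calls from outside the corporate range.
"""
import fnmatch
import ipaddress

CORPORATE_CIDR = "203.0.113.0/24"   # assumption: agency egress range (TEST-NET-3)

# SCP attached at the organisation root. Global services sign their requests for
# us-east-1, so they must be exempted or IAM, STS and Route 53 stop working.
REGION_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideSydney",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                      "cloudfront:*", "route53:*", "shield:*", "waf:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": "ap-southeast-2"}},
    }],
}

# IAM policy for human users.
MFA_AND_SOURCE_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWithoutMFA",
            "Effect": "Deny",
            "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                          "iam:GetUser", "iam:ListMFADevices",
                          "iam:ListVirtualMFADevices", "sts:GetSessionToken"],
            "Resource": "*",
            # BoolIfExists, not Bool: calls signed with long-term access keys carry
            # no aws:MultiFactorAuthPresent key at all, and a plain Bool would not fire.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
        {
            "Sid": "DenyOutsideCorporateNetwork",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": CORPORATE_CIDR}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    """Action/NotAction patterns use '*' wildcards, e.g. 'iam:*'."""
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["NotAction"]))


def _condition_matches(condition, ctx):
    """Every key in every operator block must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            if operator == "StringNotEquals":
                ok = actual not in expected          # negated operators match when the key is absent
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == expected[0].lower()
            elif operator == "BoolIfExists":
                ok = actual is None or str(actual).lower() == expected[0].lower()
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in expected)
                ok = in_range if operator == "IpAddress" else not in_range
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def is_denied(policy, action, ctx):
    """True if any Deny statement in `policy` applies to `action` under request context `ctx`."""
    return any(
        st["Effect"] == "Deny"
        and _action_matches(st, action)
        and _condition_matches(st.get("Condition", {}), ctx)
        for st in policy["Statement"]
    )


if __name__ == "__main__":
    print(is_denied(REGION_RESTRICTION_SCP, "ec2:RunInstances", {"aws:RequestedRegion": "us-east-1"}))
    print(is_denied(MFA_AND_SOURCE_IP_POLICY, "s3:ListBucket", {"aws:SourceIp": "203.0.113.10"}))
```

Two behaviours worth noticing in the evaluator: `BoolIfExists` treats a missing `aws:MultiFactorAuthPresent` as a match, which is what makes the MFA deny cover access-key users and not just console sessions; and `NotIpAddress` also matches when `aws:SourceIp` is absent, so requests arriving through a VPC endpoint (which present `aws:VpcSourceIp` instead) are denied by the second statement unless you add an exemption for them.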
Additional certification guidance
All PROTECTED certified services can be used at UNCLASSIFIED DLM
UNCLASSIFIED DLM certified services can be leveraged in PROTECTED
solutions
Specific global UNCLASSIFIED DLM certified services can leverage AWS
Regions outside of Australia, subject to ACSC Guidance.
(Please refer to the ACSC Certification Report and Consumer Guide for more
details.)
Reference Architecture
Developed by AWS Solutions Architects in conjunction with, and reviewed by, ACSC technical staff.
Now available on AWS Artifact
An example application (Intranet Web application) to help get customers
started.
Leverages concepts from AWS Shared Responsibility Model, AWS Cloud
Adoption Framework, and AWS Well Architected framework.
You can leverage and adapt as starting point for your workloads.
Please provide feedback to guide future development.
Reference Architecture (architecture diagram, not reproduced here)
Reference Architecture – CAF alignment
Identity: AWS Identity & Access Management (IAM) - min priv. + MFA; AWS Organizations - SCPs; AWS Directory Service - federated ID.
Detective control: AWS CloudTrail - all accounts and regions; AWS Config; Amazon CloudWatch, CloudWatch Logs, CloudWatch Events; Amazon GuardDuty - all accounts and regions; VPC Flow Logs; ACSC Logging solution.
Infrastructure security: Amazon EC2 Systems Manager - patching, automation, session, parameters; AWS Shield; AWS Web Application Firewall (WAF); Amazon Inspector; Amazon Virtual Private Cloud (VPC); AWS CloudFormation.
Data protection: AWS Key Management Service (KMS) - recommended on all supported services; server side encryption; encryption in transit - VPN and application.
Incident response: AWS Config Rules - e.g. KMS enforcement, continuous compliance; AWS Lambda.
Reference Architecture
Amazon S3 buckets for logging receipt in separate logging and security accounts.
AWS Lambda functions for security event processing and automation, for example responding to selected Amazon CloudWatch Events.
Business level or greater support enabled on all accounts to access AWS Trusted Advisor security reports.
Logs from this solution will be sent to the Department's central logging solution. Departments should have a centralised logging solution in place.
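The "Lambda functions for security event processing" pattern above is concrete enough to show. What follows is an added example and not the reference architecture's own code: a handler that receives a GuardDuty finding through a CloudWatch Events rule and turns it into a response plan. `SAMPLE_EVENT` is constructed; its field names follow the documented GuardDuty finding format inside the CloudWatch Events envelope, but every value is made up. The severity thresholds, the quarantine security group ID and the `actions` vocabulary are assumptions; a real responder would execute the plan with the EC2, WAF or SNS APIs rather than returning it.

```python
"""GuardDuty finding triage in the shape of a Lambda handler behind CloudWatch Events.

Added example; SAMPLE_EVENT is constructed and thresholds/IDs are assumptions.
"""
import json

SEVERITY_NOTIFY = 4.0        # assumption: Medium (4.0-6.9) and above page the on-call
SEVERITY_ISOLATE = 7.0       # assumption: High (7.0-8.9) findings on EC2 get network isolation
QUARANTINE_SG = "sg-0quarantine00000000"   # assumption: a security group with no rules

SAMPLE_EVENT = {  # constructed finding, laid out like the real CloudWatch Events envelope
    "version": "0",
    "id": "8b1e4f3c-0000-4000-8000-000000000001",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "region": "ap-southeast-2",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8,
        "accountId": "111122223333",
        "region": "ap-southeast-2",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
        "service": {
            "action": {
                "actionType": "NETWORK_CONNECTION",
                "networkConnectionAction": {
                    "connectionDirection": "INBOUND",
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                },
            }
        },
    },
}


def triage(event):
    """Return a response plan for one GuardDuty finding event; reject anything else."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    severity = float(d["severity"])
    plan = {"finding_type": d["type"], "severity": severity, "actions": []}

    if severity >= SEVERITY_NOTIFY:
        plan["actions"].append({"action": "notify", "topic": "security-oncall"})

    # Isolate by swapping the instance's security groups for an empty one: the
    # instance keeps running, so memory and EBS snapshot capture remain possible.
    resource = d.get("resource", {})
    if severity >= SEVERITY_ISOLATE and resource.get("resourceType") == "Instance":
        plan["actions"].append({
            "action": "isolate_instance",
            "instance_id": resource["instanceDetails"]["instanceId"],
            "security_group": QUARANTINE_SG,
        })

    # Block the remote peer of inbound network findings (e.g. via a WAF IP set or NACL).
    net = d.get("service", {}).get("action", {}).get("networkConnectionAction", {})
    remote_ip = net.get("remoteIpDetails", {}).get("ipAddressV4")
    if remote_ip and net.get("connectionDirection") == "INBOUND":
        plan["actions"].append({"action": "block_ip", "ip": remote_ip})
    return plan


def lambda_handler(event, context):
    """Entry point when wired to a CloudWatch Events rule matching source aws.guardduty."""
    plan = triage(event)
    print(json.dumps(plan))   # goes to CloudWatch Logs, which feeds the central logging solution
    return plan


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Keeping the decision (`triage`) separate from the side effects is what makes the function testable without an AWS account and makes the plan itself a loggable artefact for the audit trail the guidance asks for.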
Resources
AWS and Essential 8: https://aws.amazon.com/blogs/publicsector/aws-and-the-australian-signals-directorate-essential-eight/
AWS and ASD Cloud Security for Tenants: https://d1.awsstatic.com/whitepapers/compliance/Understanding_the_ASDs_Cloud_Computing_Security_for_Tenants_in_the_Context_of_AWS.pdf
Services in Scope https://aws.amazon.com/compliance/services-in-scope/
AWS Compliance IRAP page: https://aws.amazon.com/compliance/irap/
AWS Security and Compliance pages:
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
Summary
ACSC awarded PROTECTED certification to AWS.
Now listed on CCSL at PROTECTED and UNCLASSIFIED DLM levels.
Broad range of services now in scope at PROTECTED.
All available at standard public pricing.
Leverage established AWS Sydney region with 3 Availability zones.
Reference Architecture and ACSC Consumer guidance immediately available.
Call to action
Provide feedback on services in scope.
Provide feedback on the Consumer Guidance and Reference Architecture.
Go build!
Leverage other resources:
• Security Best Practices and Whitepapers
• Compliance Quick Starts
• Provide feedback on what you need.

AWS PROTECTED Certification - Lunch & Learn

  • 1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark John Hildebrandt, Solutions Architect PROTECTED on AWS May 2019
  • 2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Amazon Web Services now PROTECTED certified Australian Government agencies can use Amazon Web Service’s PROTECTED services to innovate faster while they manage risk and compliance in a more efficient and cost effective way.
  • 3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark “Innovation and cloud help form the basis on which we will make the Australian government more secure. Innovation is good. Cloud is good – because it helps us move off from legacy systems. Our biggest risk is indeed legacy systems.” Voice of our customers
  • 4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Guidance Available3 Availability Zones Standard Public Pricing Benefits of PROTECTED on AWS
  • 5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark AWS Global Infrastructure https://aws.amazon.com/about-aws/global-infrastructure/ 21 Regions – 64 Availability Zones – 180 Network PoPs
  • 6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark AWS Availability Zones AWS Region Availability Zone Physical Sites Availability Zone Physical Sites Availability Zone Physical Sites ap-southeast-2a ap-southeast-2b ap-southeast-2c Sydney Region ap-southeast-2
  • 7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Quick acronym glossary ACSC Australian Cyber Security Centre https://www.acsc.gov.au/ ASD Australian Signals Directorate https://asd.gov.au/ ISM Australian Government Information Security Manual IRAP Information Security Registered Assessors Program
  • 8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark The process AWS took with the ACSC Documentation Review (Phase 1) Assess the System (Phase 2) ACSC Deep Dive (Certification) & No shortcuts to PROTECTED
  • 9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark PROTECTED services in scope Analytics Amazon EMR Amazon Kinesis Data Firehose Amazon Kinesis Data Streams Amazon WorkSpaces Desktop Amazon WorkDocs Amazon API Gateway Mobile Storage S3 Amazon S3 Glacier Amazon EBS Amazon DynamoDB Databases Amazon ElastiCache Amazon Redshift Amazon RDS Management Amazon CloudWatch AWS CloudFormation AWS CloudTrail AWS Config AWS Systems Manager Compute Amazon EC2 Amazon ECS ELB AWS Lambda Networking & Content Delivery Amazon CloudFront Amazon VPC AWS Direct Connect Security Application Integration AWS Step Functions Amazon Simple Notification Service Amazon Simple Queue Service Amazon Simple Workflow Service Amazon Cognito Amazon GuardDuty Amazon Inspector AWS CloudHSM AWS Directory Service IAM AWS KMS https://aws.amazon.com/compliance/services-in-scope/
  • 10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark What’s the difference? Is there a checkbox? How do I order PROTECTED services? … there is no difference!
  • 11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Additional Unclassified DLM services All Protected services can be used at Unclassified DLM Unclassified DLM services can be leveraged in Protected solutions. Trusted Advisor Amazon Route 53 AWS Organisations AWS Shield
  • 12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark AWS Shared Responsibility Model Customers control their own security policies Security IN the Cloud Managed by customers Security OF the Cloud Managed by AWS
  • 13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Security IN the Cloud Managed by customers Security OF the Cloud Managed by AWS AWS Shared Responsibility Model
  • 14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Security IN the Cloud Managed by customers Security OF the Cloud Managed by AWS AWS Shared Responsibility Model 5 Pages 13 Pages 67 Pages 57 Pages
• 15. Consumer Guide
  ACSC-developed guidance specifies the required mitigations and additional security controls for using AWS in PROTECTED systems.
  Available now on AWS Artifact.
  May need to adapt for your design and business requirements. Talk to ACSC and AWS.
  Services that are certified UNCLASSIFIED DLM are not excluded from use in PROTECTED systems, but must not contain or process PROTECTED information themselves.
• 16. Consumer Guidance (cont)
  Data-in-transit protection: Direct Connect + link encryption + application encryption.
  Data-at-rest protection: enable where possible; preference for KMS.
  Data Sovereignty: Commonwealth entities must deploy their PROTECTED workloads within the Asia Pacific (Sydney) region, unless the specific service is not available in this region.
• 17. Consumer Guidance (cont)
  Incident response: Enable Amazon GuardDuty (all regions, all accounts). AWS security bulletin page. Leverage AWS Support. Commonwealth entities need to be aware that they must also provide monitoring and incident response services for their PROTECTED and UDLM systems within their area of responsibility.
  Logging, Monitoring, Audit: Implement the ACSC government logging solution (contact ACSC*). This is in addition to your own logging, monitoring and audit. Enable CloudTrail in Sydney (SYD) with global events enabled.
  * email: asd.assist@defence.gov.au
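The two checks a practitioner would script for this slide, as an added example that is not part of the deck: is there a logging CloudTrail trail homed in Sydney with global service events on, and does every region have an enabled GuardDuty detector (slide 24 extends both to all accounts and regions). The sample records are constructed to mirror the shape of boto3 `describe_trails`, `get_trail_status` and `get_detector` responses; the account id, trail names and region list are placeholders, not values from the page.

```python
"""Offline check of the slide-17 logging guidance: a CloudTrail trail homed in
Sydney that is logging with global service events on, and a GuardDuty detector
enabled in every region. Added example; the sample data is constructed to mirror
boto3 response shapes rather than fetched from an account."""
from typing import Dict, Iterable, List, Optional

SYDNEY = "ap-southeast-2"
ACCOUNT = "111111111111"  # constructed placeholder account id

# Constructed, shaped like cloudtrail.describe_trails()["trailList"]
TRAILS = [
    {"Name": "org-trail", "HomeRegion": SYDNEY, "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": True,
     "TrailARN": f"arn:aws:cloudtrail:{SYDNEY}:{ACCOUNT}:trail/org-trail"},
    {"Name": "legacy-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": False,
     "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/legacy-trail"},
]
# Constructed, keyed by TrailARN, shaped like cloudtrail.get_trail_status()
TRAIL_STATUS = {
    TRAILS[0]["TrailARN"]: {"IsLogging": True},
    TRAILS[1]["TrailARN"]: {"IsLogging": False},
}
# Constructed: region -> guardduty.get_detector()["Status"], or None when
# list_detectors() returned no detector in that region
DETECTOR_STATUS: Dict[str, Optional[str]] = {
    SYDNEY: "ENABLED", "us-east-1": None, "eu-west-1": "DISABLED",
}


def check_cloudtrail(trails, status, home_region: str = SYDNEY) -> List[str]:
    """Return human-readable findings; an empty list means the guidance is met."""
    findings = []
    ok = [t for t in trails if t["HomeRegion"] == home_region
          and t["IncludeGlobalServiceEvents"]
          and status.get(t["TrailARN"], {}).get("IsLogging")]
    if not ok:
        findings.append(f"no logging trail homed in {home_region} with global service events")
    for t in trails:
        if not t["IncludeGlobalServiceEvents"]:
            # IAM, STS and CloudFront calls are global events; without this flag they are missed
            findings.append(f"{t['Name']}: global service events excluded")
        if not t["IsMultiRegionTrail"]:
            findings.append(f"{t['Name']}: single-region trail, activity in other regions is unlogged")
        if not status.get(t["TrailARN"], {}).get("IsLogging"):
            findings.append(f"{t['Name']}: trail exists but is not logging")
    return findings


def check_guardduty(detector_status, required_regions: Iterable[str]) -> List[str]:
    """Regions without an ENABLED detector, sorted for stable reporting."""
    return sorted(r for r in required_regions if detector_status.get(r) != "ENABLED")


if __name__ == "__main__":
    for finding in check_cloudtrail(TRAILS, TRAIL_STATUS):
        print("CloudTrail:", finding)
    for region in check_guardduty(DETECTOR_STATUS, DETECTOR_STATUS):
        print("GuardDuty not enabled in", region)
```

In a live account the same functions would be fed the output of the boto3 calls named in the comments, run once per region (and per account when a central security account assumes a role into each member account).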
• 18. Consumer Guidance (cont)
  Segmentation and Segregation: Amazon Virtual Private Cloud Security Groups and Network ACLs provide layer 3 firewall capabilities which have been IRAP assessed and certified by ASD at PROTECTED. Leverage AWS Organisations Service Control Policies (SCP).
  DNS configuration
• 19. Consumer Guidance (cont)
  Service Hardening: Use latest EC2 instance generations (Nitro). Lock down root account; enable MFA. Lock down IAM accounts including MFA and source IP controls.
  Other documentation: ACSC Essential Eight Maturity Model; ACSC Cloud Security for Tenants; AWS Security and Compliance guidance.
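The data-sovereignty rule from slide 16 and the SCP recommendation from slide 18 fit naturally into one Service Control Policy, and the MFA plus source-IP controls from this slide into one IAM policy. The example below is added here and is not from the deck or from AWS: it writes both policies as Python dicts and adds a small evaluator so the interaction of the conditions can be checked offline. Assumptions: the `203.0.113.0/24` egress range and the request contexts are constructed; `sts:*` and `support:*` are added to the list of global-service exemptions (the deck itself only names Route 53, Shield, Trusted Advisor, Organisations, IAM and CloudFront as usable outside Sydney); and the evaluator models only the condition operators used here, not full IAM semantics.

```python
"""Region-restriction SCP and an MFA + source-IP IAM policy, with a minimal
evaluator for the condition operators they use. Added example; policies and
request contexts are constructed, and SCP semantics are simplified to the Deny
statement (SCPs never grant access on their own)."""
import fnmatch
import ipaddress
from typing import Any, Dict, List

# Global services that may run outside Sydney. sts and support are assumptions
# added so sign-in (STS) and Trusted Advisor (Support API) keep working.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "route53:*",
                          "cloudfront:*", "shield:*", "support:*", "trustedadvisor:*"]

REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideSydney",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": "ap-southeast-2"}},
    }],
}

# Constructed: 203.0.113.0/24 (TEST-NET-3) stands in for the agency's egress range.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AdminFromOfficeWithMFA",
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:*", "iam:*"],
        "Resource": "*",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        },
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(patterns, action: str) -> bool:
    # Action names are case-insensitive and support '*' wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _ip_in(addr, nets) -> bool:
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in _as_list(nets))


def _conditions_hold(cond: Dict[str, Dict[str, Any]], ctx: Dict[str, Any]) -> bool:
    """Every operator/key pair must hold (AND). A key absent from the request
    fails Bool and IpAddress and satisfies StringNotEquals, mirroring IAM."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                ok = actual in _as_list(expected)
            elif op == "StringNotEquals":
                ok = actual not in _as_list(expected)
            elif op == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            elif op == "IpAddress":
                ok = _ip_in(actual, expected)
            elif op == "NotIpAddress":
                ok = not _ip_in(actual, expected)
            else:
                raise ValueError(f"operator {op} not modelled")
            if not ok:
                return False
    return True


def _statement_applies(stmt: dict, ctx: Dict[str, Any]) -> bool:
    action = ctx["action"]
    if "Action" in stmt:
        hit = _action_matches(stmt["Action"], action)
    else:  # NotAction: statement applies to every action NOT listed
        hit = not _action_matches(stmt["NotAction"], action)
    return hit and _conditions_hold(stmt.get("Condition", {}), ctx)


def evaluate(policies: List[dict], ctx: Dict[str, Any]) -> str:
    """Explicit Deny wins; otherwise an Allow is required; default is Deny."""
    decision = "Deny"
    for pol in policies:
        for stmt in pol["Statement"]:
            if _statement_applies(stmt, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def request(action: str, region: str, mfa: str, ip: str) -> Dict[str, Any]:
    """Build the subset of the IAM request context these policies look at."""
    return {"action": action, "aws:RequestedRegion": region,
            "aws:MultiFactorAuthPresent": mfa, "aws:SourceIp": ip}


POLICIES = [REGION_SCP, ADMIN_POLICY]
```

Global services such as IAM record `us-east-1` as their region, which is why the SCP must exempt them with `NotAction` rather than deny everything outside Sydney; the evaluator shows an `iam:ListUsers` call from the office with MFA still being allowed while `ec2:RunInstances` in `us-east-1` is denied.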
• 20. Additional certification guidance
  All PROTECTED certified services can be used at UNCLASSIFIED DLM.
  UNCLASSIFIED DLM certified services can be leveraged in PROTECTED solutions.
  Specific global UNCLASSIFIED DLM certified services can leverage AWS Regions outside of Australia, subject to ACSC Guidance.
  (Please refer to the ACSC Certification Report and Consumer Guide for more details.)
• 21. Reference Architecture
  Developed by AWS Solutions Architects in conjunction with, and reviewed by, ACSC technical staff. Now available on AWS Artifact.
  An example application (Intranet Web application) to help get customers started.
  Leverages concepts from the AWS Shared Responsibility Model, AWS Cloud Adoption Framework, and AWS Well-Architected Framework.
  You can leverage and adapt it as a starting point for your workloads. Please provide feedback to guide future development.
• 22. Reference Architecture
• 23.
• 24. Reference Architecture – CAF alignment
  Identity: AWS Identity & Access Management (IAM) - min priv. + MFA; AWS Organizations - SCPs; AWS Directory Service - federated ID
  Detective control: AWS CloudTrail - all accounts and regions; AWS Config; Amazon CloudWatch, CloudWatch Logs, CloudWatch Events; Amazon GuardDuty - all accounts and regions; VPC Flow Logs; ACSC Logging solution
  Infrastructure security: Amazon EC2 Systems Manager - patching, automation, session, parameters; AWS Shield; AWS Web Application Firewall (WAF); Amazon Inspector; Amazon Virtual Private Cloud (VPC); AWS CloudFormation
  Data protection: AWS Key Management Service (KMS) - recommended on all supported services; Server Side Encryption; Encryption in transit - VPN and Application
  Incident response: AWS Config Rules - e.g. KMS enforcement; continuous compliance; AWS Lambda
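What "AWS Config Rules - e.g. KMS enforcement" looks like as a custom rule, as an added example that is not the reference architecture's own code: a Lambda-style handler that receives a Config configuration item for an EBS volume or RDS instance and reports it NON_COMPLIANT unless the storage is encrypted with an approved KMS key. Assumptions: the events are constructed to the shape Config sends a custom rule function, the key ARN and resource ids are placeholders, and the evaluations are returned instead of being sent with `config.put_evaluations()` so the code runs offline.

```python
"""Custom AWS Config rule enforcing KMS encryption on EBS volumes and RDS
instances. Added example; events are constructed and evaluations are returned
rather than submitted with put_evaluations(resultToken=...)."""
import json
from typing import List

# Configuration attribute that carries the encryption flag, per resource type
ENCRYPTION_FIELDS = {
    "AWS::EC2::Volume": "encrypted",
    "AWS::RDS::DBInstance": "storageEncrypted",
}


def evaluate_item(item: dict, params: dict) -> dict:
    """Return one Config evaluation for a configuration item."""
    rtype = item["resourceType"]
    field = ENCRYPTION_FIELDS.get(rtype)
    conf = item.get("configuration") or {}
    if field is None:
        compliance, note = "NOT_APPLICABLE", "resource type not covered by this rule"
    elif not conf.get(field):
        compliance, note = "NON_COMPLIANT", "storage is not encrypted"
    else:
        required = params.get("requiredKeyArns", [])
        key = conf.get("kmsKeyId")
        if required and key not in required:
            # Encrypted, but not with one of the agency's approved customer managed keys
            compliance, note = "NON_COMPLIANT", f"encrypted with {key}, not an approved key"
        else:
            compliance, note = "COMPLIANT", "encrypted with KMS"
    return {
        "ComplianceResourceType": rtype,
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: dict, context=None) -> List[dict]:
    """Config invokes the rule with invokingEvent/ruleParameters as JSON strings."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    # Rule parameters are strings; requiredKeyArns is taken as a comma-separated list
    if isinstance(params.get("requiredKeyArns"), str):
        params["requiredKeyArns"] = [k.strip() for k in params["requiredKeyArns"].split(",") if k.strip()]
    item = invoking["configurationItem"]
    return [evaluate_item(item, params)]


# ---- constructed sample events (placeholders, not values from the deck) ----
ACCOUNT = "111111111111"
APPROVED_CMK = f"arn:aws:kms:ap-southeast-2:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"


def _config_event(resource_type: str, resource_id: str, configuration: dict,
                  required_keys: str = APPROVED_CMK) -> dict:
    item = {"resourceType": resource_type, "resourceId": resource_id,
            "configuration": configuration,
            "configurationItemCaptureTime": "2019-05-20T01:02:03.000Z"}
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps({"requiredKeyArns": required_keys}),
            "resultToken": "constructed-token"}


PLAINTEXT_VOLUME = _config_event("AWS::EC2::Volume", "vol-0aaaa",
                                 {"encrypted": False, "kmsKeyId": None})
CMK_VOLUME = _config_event("AWS::EC2::Volume", "vol-0bbbb",
                           {"encrypted": True, "kmsKeyId": APPROVED_CMK})
OTHER_KEY_RDS = _config_event("AWS::RDS::DBInstance", "db-1",
                              {"storageEncrypted": True,
                               "kmsKeyId": f"arn:aws:kms:ap-southeast-2:{ACCOUNT}:key/other-key"})
BUCKET = _config_event("AWS::S3::Bucket", "bucket-1", {})
```

Deploying it for real means pointing the rule at the resource types above and calling `put_evaluations` with the returned list and the event's `resultToken`; the `requiredKeyArns` parameter is what turns "encrypted somehow" into "encrypted with the keys the agency controls", which is the difference the deck's "preference for KMS" is pointing at.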
• 25. Reference Architecture
  Amazon S3 buckets for log receipt in separate logging and security accounts.
  AWS Lambda functions for security event processing and automation, for example to respond to selected Amazon CloudWatch Events.
  Business-level or greater support enabled on all accounts to access AWS Trusted Advisor security reports.
  Logs from this solution will be sent to the Department's central logging solution. Departments should have a centralized logging solution in place.
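One shape the "security event processing" Lambda can take, as an added example that is not the reference architecture's code: a handler that classifies selected CloudWatch Events, namely root credential use reported through CloudTrail and high-severity GuardDuty findings, into a normalised alert and hands it to a publisher. Assumptions: the event payloads are constructed to the CloudWatch Events envelope, the GuardDuty finding types are real type names used here with made-up details, and the publisher is a stand-in for an SNS publish call so the code runs offline.

```python
"""Lambda-style responder for selected CloudWatch Events. Added example; events
are constructed and the publisher defaults to print() instead of SNS."""
from typing import Callable, Optional

GUARDDUTY_ALERT_SEVERITY = 7.0  # GuardDuty's 'high' severity band starts at 7
ACCOUNT = "111111111111"        # constructed placeholder account id


def _mfa_used(detail: dict) -> bool:
    # Console sign-ins carry additionalEventData.MFAUsed; API calls carry
    # sessionContext.attributes.mfaAuthenticated
    if detail.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return True
    attrs = detail.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict for events worth acting on, else None."""
    detail = event.get("detail", {})
    detail_type = event.get("detail-type", "")
    base = {"account": event.get("account"), "region": event.get("region"),
            "time": event.get("time"), "source_event": detail_type}
    if detail_type.endswith("via CloudTrail"):
        if detail.get("userIdentity", {}).get("type") != "Root":
            return None  # ordinary IAM principal activity is left to the logging solution
        mfa = _mfa_used(detail)
        return {**base, "priority": "high" if mfa else "critical",
                "reason": f"root credentials used for {detail.get('eventName')} (mfa={mfa})",
                "source_ip": detail.get("sourceIPAddress")}
    if detail_type == "GuardDuty Finding":
        severity = float(detail.get("severity", 0))
        if severity < GUARDDUTY_ALERT_SEVERITY:
            return None
        return {**base, "priority": "high",
                "reason": f"GuardDuty {detail.get('type')} severity {severity}",
                "source_ip": None}
    return None


def lambda_handler(event: dict, context=None,
                   publish: Callable[[dict], None] = print) -> dict:
    alert = classify(event)
    if alert is None:
        return {"alerted": False}
    publish(alert)  # production: boto3 sns.publish(TopicArn=..., Message=json.dumps(alert))
    return {"alerted": True, "priority": alert["priority"]}


# ---- constructed sample events ----
ROOT_SIGNIN = {
    "version": "0", "id": "constructed-0001",
    "detail-type": "AWS Console Sign In via CloudTrail", "source": "aws.signin",
    "account": ACCOUNT, "time": "2019-05-20T01:02:03Z", "region": "us-east-1",
    "detail": {
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": ACCOUNT,
                         "arn": f"arn:aws:iam::{ACCOUNT}:root"},
        "sourceIPAddress": "198.51.100.7",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
}
IAM_USER_CALL = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2",
    "account": ACCOUNT, "time": "2019-05-20T01:05:00Z", "region": "ap-southeast-2",
    "detail": {"eventName": "DescribeInstances",
               "userIdentity": {"type": "IAMUser", "userName": "analyst"},
               "sourceIPAddress": "203.0.113.10"},
}
GD_HIGH = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": ACCOUNT, "time": "2019-05-20T01:10:00Z", "region": "ap-southeast-2",
    "detail": {"severity": 8, "type": "UnauthorizedAccess:EC2/SSHBruteForce"},
}
GD_LOW = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": ACCOUNT, "time": "2019-05-20T01:11:00Z", "region": "ap-southeast-2",
    "detail": {"severity": 2, "type": "Recon:EC2/PortProbeUnprotectedPort"},
}
```

The CloudWatch Events rule that triggers this function would select on `source` (`aws.signin`, `aws.guardduty`) and `detail-type`, so the handler only sees the event classes it knows; anything else falls through to `None` rather than being silently treated as benign.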
• 26. Resources
  AWS and Essential 8: https://aws.amazon.com/blogs/publicsector/aws-and-the-australian-signals-directorate-essential-eight/
  AWS and ASD Cloud Security for Tenants: https://d1.awsstatic.com/whitepapers/compliance/Understanding_the_ASDs_Cloud_Computing_Security_for_Tenants_in_the_Context_of_AWS.pdf
  Services in Scope: https://aws.amazon.com/compliance/services-in-scope/
  AWS Compliance IRAP page: https://aws.amazon.com/compliance/irap/
  AWS Security and Compliance pages: https://aws.amazon.com/security/ https://aws.amazon.com/compliance/
• 27. Summary
  ACSC awarded PROTECTED certification to AWS. Now listed on CCSL at PROTECTED and UNCLASSIFIED DLM levels.
  Broad range of services now in scope at PROTECTED. All available at standard public pricing.
  Leverage established AWS Sydney region with 3 Availability Zones.
  Reference Architecture and ACSC Consumer guidance immediately available.
• 28. CALL FOR ACTION
  Provide feedback on services in scope.
  Provide feedback on Consumer Guidance and Reference Architecture.
  Go Build! Leverage other resources:
  • Security Best Practices and Whitepapers
  • Compliance Quickstarts
  • Provide feedback on what you need.