2. Agenda
• "Everything Starts with a Threat Model"
• The End Product
• How AWS Gets There
• What AWS Means by "Compliance"
• Getting Copy of Audit Reports: The Artifact Service
• Workbooks and White Papers
• Verifying Your AWS Security
• Geographical Considerations
3. “Everything starts with a threat model”
• STRIDE, DREAD, others
• Identify:
• Actors
• Vectors
• “Bad stuff that could happen when bad people get creative”
• Probabilities and consequences of bad stuff happening
• Apply technical and procedural mitigations
• All the way up the OSI stack, from network to application
11. AWS Foundation Services
[Diagram: AWS foundation services (Compute, Storage, Database, Networking) run on the AWS global infrastructure (Regions, Availability Zones, Edge Locations). Customers build their own external audits, accreditation and certifications on top of AWS's consistent baseline controls, so customer scope and effort is reduced and focused efforts give better results.]
What AWS Means by "Compliance"
18. • PCI-DSS
• standards for merchants which process credit card payments and have strict security requirements to protect cardholder data. A point-in-time certification.
• SOC 1-3
• designed by the "big 4" auditors as an evolution of SSAE16, SAS70 etc., and to address perceived shortcomings in ISO 27001. A continuous-assessment certification, covering process and implementation.
• ISO 27001
• outlines the requirements for Information Security Management Systems. A point-in-time certification, but one which requires mature processes.
Verifying Your AWS Security
19. • Controls overlap between standards
• see e.g. https://www.unifiedcompliance.com
• AWS master control list and mappings
• 2670(ish) internal controls
• Mappings to external standards
• Engage auditors, and…
20. • “The magic’s in the Scoping”
• If a Service isn’t in scope, that doesn’t necessarily mean it can’t be used in a compliant deployment
• …but it won’t be usable for a purpose which touches sensitive data
• See re:Invent sessions, especially "Navigating PCI Compliance in the Cloud", https://www.youtube.com/watch?v=LUGe0lofYa0&index=13&list=PLhr1KZpdzukcJvl0e65MqqwycgpkCENmg
• Remember the Shared Responsibility Model
• “we do our bit at AWS, but you must also do your bit in what you build using our services”
• Our audit reports make it easier for our customers to get approval from their auditors, against the same standards
• Liability can’t be outsourced…
• "Security is 70% people, policy and procedure, and 30% what you do to the computers" – and so is Compliance
21. • Time-based Subtleties:
• PCI, ISO: point-in-time assessments
• SOC: assessment spread over time, therefore more rigorous assessment of procedures and operations
• (AWS Config allows you to make a path between these, for your own auditors)
• FedRAMP: Continuous Monitoring and Reporting – important proof
• If a service for defined sensitive data isn’t in scope of an audit report, can this be designed around?
• E.g. standing up a queue system on EC2 as a substitute for SQS…
• Be careful of what elements of a Service are in scope, too…
• Metadata is typically “out”
22. SOC 1
• Availability:
• Audit report available to any customer with an NDA
• Scope:
• AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
• Sensitive data:
• N/A
• Particularly good for:
• Datacentre management, talks about KMS for key management and encryption at rest, discusses Engineering bastions
• Downsides:
• None
31. “Familiar Functions, made Cloud Scale”
• IAM: “RBAC writ large”
• Fine-grained privilege
• Further access controls
• Source IP
• Time of day
• Use of MFA
• Region affected (a work in progress; works for EC2, RDS)
• Data Pipeline: “Cron writ large”
• (…and now, CloudWatch Events = “cron for Lambda”)
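As an added example (not part of the slides), the four "further access controls" listed above expressed as IAM policy conditions, together with a small offline evaluator so the effect of each condition can be seen without calling AWS. The condition keys aws:SourceIp, aws:CurrentTime, aws:MultiFactorAuthPresent and aws:RequestedRegion are documented IAM global condition keys; the CIDR, dates, region and request contexts are constructed sample values, and the evaluator is a teaching simplification of the real IAM engine (no explicit Deny, no ...IfExists operators).

```python
# Added example: policy with Source IP / time window / MFA / region conditions,
# plus a simplified evaluator. Values are constructed; keys are documented IAM keys.
import ipaddress
from datetime import datetime, timezone


def build_policy() -> dict:
    """Allow ec2:StopInstances only from the office range, inside a time window,
    with MFA present, and only for requests against eu-west-1."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "StopInstancesFromOfficeWithMfaInRegion",
            "Effect": "Allow",
            "Action": ["ec2:StopInstances"],
            "Resource": "*",
            "Condition": {
                # Source IP: constructed office range (TEST-NET-3)
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                # Time of day: IAM has no recurring time-of-day key, so the window
                # is an absolute start and end on aws:CurrentTime (constructed dates)
                "DateGreaterThan": {"aws:CurrentTime": "2024-06-01T08:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2024-06-01T18:00:00Z"},
                # Use of MFA: the key is absent for plain long-term access keys,
                # so the condition (and therefore the Allow) fails for them
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                # Region affected
                "StringEquals": {"aws:RequestedRegion": ["eu-west-1"]},
            },
        }],
    }


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(operator: str, key: str, expected, ctx: dict) -> bool:
    """Evaluate one (operator, key) pair; a missing key makes the condition false."""
    actual = ctx.get(key)
    if actual is None:
        return False
    expected = expected if isinstance(expected, list) else [expected]
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in expected)
    if operator == "StringEquals":
        return actual in expected
    if operator == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if operator == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(expected[0])
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(expected[0])
    raise ValueError(f"operator {operator} not handled by this simplified evaluator")


def is_allowed(policy: dict, action: str, ctx: dict) -> bool:
    """Implicit deny unless an Allow statement names the action and every condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, key, val, ctx)
               for op, pairs in conditions.items() for key, val in pairs.items()):
            return True
    return False


# Constructed request context: the values IAM fills in for a real call.
BASELINE_CONTEXT = {
    "aws:SourceIp": "203.0.113.10",
    "aws:CurrentTime": "2024-06-01T09:30:00Z",
    "aws:MultiFactorAuthPresent": "true",
    "aws:RequestedRegion": "eu-west-1",
}


def check_variants() -> dict:
    """Flip one condition at a time; only the baseline should be allowed."""
    policy = build_policy()
    variants = {
        "baseline": {},
        "outside_office": {"aws:SourceIp": "198.51.100.7"},
        "after_hours": {"aws:CurrentTime": "2024-06-01T19:00:00Z"},
        "no_mfa": {"aws:MultiFactorAuthPresent": "false"},
        "long_term_key": None,  # MFA key absent entirely, as for a plain access key
        "wrong_region": {"aws:RequestedRegion": "us-east-1"},
    }
    results = {}
    for name, override in variants.items():
        ctx = dict(BASELINE_CONTEXT)
        if override is None:
            ctx.pop("aws:MultiFactorAuthPresent")
        else:
            ctx.update(override)
        results[name] = is_allowed(policy, "ec2:StopInstances", ctx)
    return results


if __name__ == "__main__":
    for name, allowed in check_variants().items():
        print(f"{name:16s} {'ALLOW' if allowed else 'DENY'}")
```

The `long_term_key` case is the one worth remembering: a Bool condition on aws:MultiFactorAuthPresent fails when the key is absent, which is exactly why it blocks long-term access keys rather than only sessions that answered "false".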
32. Asset Management, Logging and Analysis
• “What the API returns, is true”
• CloudTrail, Config, CloudWatch Logs
• “Checks and balances”
• S3 append-only, MFA delete
• SNS for alerting
• Easy building blocks for Continuous Protective Monitoring
[Diagram: AWS Config, AWS CloudTrail and CloudWatch as the building blocks]
39. Configuration Item
Component | Description | Contains
Metadata | Information about this configuration item | Version ID, Configuration item ID, Time when the configuration item was captured, State ID indicating the ordering of the configuration items of a resource, MD5Hash, etc.
Common Attributes | Resource attributes | Resource ID, tags, Resource type, Amazon Resource Name (ARN), Availability Zone, etc.
Relationships | How the resource is related to other resources associated with the account | EBS volume vol-1234567 is attached to an EC2 instance i-a1b2c3d4
Current Configuration | Information returned through a call to the Describe or List API of the resource | e.g. for EBS Volume: state of DeleteOnTermination flag; type of volume, for example gp2, io1, or standard
Related Events | The AWS CloudTrail events that are related to the current configuration of the resource | AWS CloudTrail event ID
43. Config Rule
A rule that checks the validity of configurations recorded
• AWS managed rules
• Defined by AWS
• Require minimal (or no) configuration
• Rules are managed by AWS
• Customer managed rules
• Authored by you using AWS Lambda
• Rules execute in your account
• You maintain the rule
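As an added example (not code from the slides or from AWS), the evaluation half of a customer-managed Config rule written for AWS Lambda. It consumes a configuration item of the shape described in the Configuration Item table (resourceType, resourceId, configuration, relationships) and flags EBS volumes that are unencrypted or whose volume type is outside an allow-list passed as a rule parameter. The sample item is constructed, reusing the table's own placeholder ids vol-1234567 and i-a1b2c3d4; the boto3 call to PutEvaluations runs only inside Lambda, so the decision logic can be exercised offline.

```python
# Added example: decision logic of a custom Config rule for EBS volumes.
# Configuration item and rule parameters are constructed sample data.
import json

DEFAULT_ALLOWED_TYPES = "gp2,io1"


def evaluate_compliance(item: dict, params: dict):
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "volume no longer exists"
    cfg = item.get("configuration") or {}
    allowed = {t.strip() for t in params.get("allowedVolumeTypes", DEFAULT_ALLOWED_TYPES).split(",")}
    problems = []
    if not cfg.get("encrypted", False):
        problems.append("volume is not encrypted")
    if cfg.get("volumeType") not in allowed:
        problems.append(f"volume type {cfg.get('volumeType')!r} not in {sorted(allowed)}")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "encrypted and of an approved volume type"


def lambda_handler(event, context):
    """Lambda entry point: Config passes the item as a JSON string in invokingEvent."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_compliance(item, params)
    import boto3  # imported here so evaluate_compliance stays importable offline
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed configuration item for the volume named in the table.
SAMPLE_VOLUME_ITEM = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-1234567",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-06-01T10:00:00.000Z",
    "configuration": {
        "volumeType": "standard",
        "encrypted": False,
        "attachments": [{"instanceId": "i-a1b2c3d4", "deleteOnTermination": True}],
    },
    "relationships": [
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-a1b2c3d4",
         "name": "Is attached to Instance"}
    ],
}


def run_samples() -> dict:
    """Evaluate the constructed volume as recorded, after remediation, and a non-volume item."""
    remediated = json.loads(json.dumps(SAMPLE_VOLUME_ITEM))  # deep copy
    remediated["configuration"].update({"volumeType": "gp2", "encrypted": True})
    instance = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-a1b2c3d4"}
    return {
        "as_recorded": evaluate_compliance(SAMPLE_VOLUME_ITEM, {})[0],
        "remediated": evaluate_compliance(remediated, {})[0],
        "instance": evaluate_compliance(instance, {})[0],
        "gp3_only": evaluate_compliance(remediated, {"allowedVolumeTypes": "gp3"})[0],
    }


if __name__ == "__main__":
    print(run_samples())
```

Keeping the decision in `evaluate_compliance` and the service call in `lambda_handler` is the pattern that makes customer-managed rules testable: the rule can be unit-tested against recorded configuration items before it is wired to Config.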
48. Logs→metrics→alerts→actions
[Diagram: log and monitoring sources (AWS Config, AWS CloudTrail, Amazon EC2 OS logs, Amazon VPC Flow Logs, API calls from most services, monitoring data from AWS services, custom metrics) feed CloudWatch / CloudWatch Logs; CloudWatch alarms raise Amazon SNS notifications by email, HTTP/S, SMS and mobile push.]
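As an added example (not from the slides), the logs→metrics→alerts→actions chain in miniature, run over constructed CloudTrail records. The "metric filter" counts records whose errorCode is AccessDenied or UnauthorizedOperation per 5-minute period, the "alarm" fires when a period reaches a threshold, and the "action" is the payload an SNS publish would carry. The account id is the AWS documentation placeholder 111122223333, the topic ARN is a placeholder, and the IP addresses are from documentation ranges.

```python
# Added example: metric filter -> alarm -> SNS action over constructed CloudTrail lines.
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail records, one JSON object per line (not real log data).
SAMPLE_CLOUDTRAIL = """
{"eventTime":"2024-06-01T10:01:10Z","eventName":"DescribeInstances","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-06-01T10:02:30Z","eventName":"GetBucketPolicy","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-06-01T10:03:45Z","eventName":"ListUsers","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-06-01T10:04:59Z","eventName":"RunInstances","errorCode":"UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-06-01T10:05:30Z","eventName":"DescribeVolumes","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"203.0.113.11"}
{"eventTime":"2024-06-01T10:07:00Z","eventName":"GetObject","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"203.0.113.11"}
"""

UNAUTHORIZED_CODES = {"AccessDenied", "UnauthorizedOperation"}


def matches_filter(event: dict) -> bool:
    """Local equivalent of a CloudWatch Logs metric filter on errorCode."""
    return event.get("errorCode") in UNAUTHORIZED_CODES


def period_start(event_time: str, minutes: int = 5) -> str:
    """Floor an eventTime to the start of its metric period."""
    t = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    t = t.replace(minute=t.minute - t.minute % minutes, second=0)
    return t.strftime("%Y-%m-%dT%H:%MZ")


def metric_from_logs(lines) -> dict:
    """Metric datapoints: period -> Counter of matching events per caller ARN."""
    datapoints = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if matches_filter(event):
            datapoints[period_start(event["eventTime"])][event["userIdentity"]["arn"]] += 1
    return datapoints


def evaluate_alarm(datapoints: dict, threshold: int = 3) -> list:
    """Periods in ALARM state: total matching events at or above the threshold."""
    return [
        {"period": period, "total": sum(by_arn.values()), "by_arn": dict(by_arn)}
        for period, by_arn in sorted(datapoints.items())
        if sum(by_arn.values()) >= threshold
    ]


def sns_publish_payload(alarm: dict,
                        topic_arn: str = "arn:aws:sns:REGION:ACCOUNT_ID:security-alerts") -> dict:
    """Keyword arguments for sns.publish(): the action taken when the alarm fires."""
    return {
        "TopicArn": topic_arn,
        "Subject": f"ALARM unauthorized-api-calls {alarm['period']}",
        "Message": json.dumps(alarm),
    }


def run_pipeline(log_text: str = SAMPLE_CLOUDTRAIL, threshold: int = 3) -> list:
    """Logs -> metric -> alarm -> action, returning one publish payload per alarm."""
    datapoints = metric_from_logs(log_text.splitlines())
    return [sns_publish_payload(a) for a in evaluate_alarm(datapoints, threshold)]


if __name__ == "__main__":
    for payload in run_pipeline():
        print(payload["Subject"], payload["Message"])
```

Breaking the count down by caller ARN inside the alarm message is what turns a bare threshold into something an on-call engineer can act on: the period that fires here is dominated by one principal, which is the first thing the responder needs to know.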
50. Recommendations
• Consider separation mechanisms for in-scope vs out-of-scope environments (which will be clear for your auditor)
• VPC
• AWS account
• Both!
• "If it moves, log it. If it doesn't move, watch it 'til it moves, then log it."
• CloudTrail, Config (especially), VPC Flow Logs, ELB Logs, RDS logs, EC2 Systems Manager Inventory and EC2 Systems Manager State Manager are your friends
• Look at our Config Rules repo at https://github.com/awslabs/aws-config-rules
• Look at commercial (AWS Marketplace) and open source (e.g. https://github.com/capitalone/cloud-custodian ) tools for continuous monitoring and automated response
• Don't forget your EC2 instance security!
61. Inventory
What we heard:
• Accurate software inventory is critical for understanding fleet
configuration and license usage
• Legacy solutions not optimised for cloud
• Self-hosting requires additional overhead
62. Inventory
Introducing Inventory
• End-to-end inventory collection (EC2/on-premises/Workspaces)
• Linux / Windows
• Powerful query syntax
• Extensible inventory schema
• Integrated with AWS services
65. Inventory – Configuration
• Create an Inventory association
1. Select instances (by instance ID or tag)
2. Select scan frequency (hours, minutes, days, NOW)
3. Select Inventory Types to gather
• Instance information
• Applications
• AWS Components
• Network configuration
• Windows Updates
• Custom Inventory
66. Inventory – Custom Inventory Type
• Custom Inventory Collection
• Extensible: record any attribute for a given instance
• On-premises examples: rack location, BIOS version, firewall settings
• Two ways to record custom inventory types
1. Agent/on-instance: Write a cron job to record custom inventory files
to a predefined path
2. API: Use PutInventory API
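As an added example (not from the slides or from the SSM Agent), the agent/on-instance path above: a script a cron job would run to write a custom inventory file. The file follows the documented custom inventory format (SchemaVersion "1.0", a TypeName beginning "Custom:", and Content rows of string attributes). The default Linux directory is the one the Systems Manager documentation gives for the agent's custom inventory folder and should be confirmed for your agent version; the rack, BIOS and firewall values are constructed stand-ins for real collectors.

```python
# Added example: write a custom inventory type for the SSM Agent to pick up.
# Directory and values are assumptions/constructed, as noted in the comments.
import json
import os
import re
import tempfile

# Local sanity check on the name only; it is not the service's full schema.
TYPE_NAME_RE = re.compile(r"^Custom:[A-Za-z0-9_.-]+$")
# Linux SSM Agent custom inventory directory per the documentation (verify for your agent).
DEFAULT_CUSTOM_DIR = "/var/lib/amazon/ssm/{instance_id}/inventory/custom"


def build_custom_inventory(type_name: str, rows: list) -> dict:
    """Build the JSON document the agent expects for one custom type."""
    if not TYPE_NAME_RE.match(type_name):
        raise ValueError(f"custom inventory type names must start with 'Custom:': {type_name!r}")
    if not rows:
        raise ValueError("Content must contain at least one row")
    # Inventory attribute values are strings, so coerce numbers and booleans up front.
    content = [{key: str(value) for key, value in row.items()} for row in rows]
    return {"SchemaVersion": "1.0", "TypeName": type_name, "Content": content}


def write_custom_inventory(instance_id: str, type_name: str, rows: list, base_dir: str = None) -> str:
    """Write <type>.json into the agent's custom inventory directory and return its path."""
    target_dir = (base_dir or DEFAULT_CUSTOM_DIR).format(instance_id=instance_id)
    os.makedirs(target_dir, exist_ok=True)
    document = build_custom_inventory(type_name, rows)
    path = os.path.join(target_dir, type_name.split(":", 1)[1] + ".json")
    tmp_path = path + ".tmp"
    with open(tmp_path, "w") as fh:
        json.dump(document, fh, indent=2)
    os.replace(tmp_path, path)  # atomic rename so the agent never reads a half-written file
    return path


def collect_rack_info() -> list:
    """Stand-in for real collectors (dmidecode, firewall config, ...); values are constructed."""
    return [{"RackLocation": "DC1-Row4-Rack12", "BiosVersion": "2.17.1", "FirewallEnabled": True}]


def demo() -> dict:
    """Write into a temporary directory and read the file back, for an offline check."""
    with tempfile.TemporaryDirectory() as tmpdir:
        base = os.path.join(tmpdir, "{instance_id}", "inventory", "custom")
        path = write_custom_inventory("i-0123456789abcdef0", "Custom:RackInfo",
                                      collect_rack_info(), base_dir=base)
        with open(path) as fh:
            return json.load(fh)


if __name__ == "__main__":
    # On a real instance, drop base_dir so the agent's own directory is used.
    print(json.dumps(demo(), indent=2))
```

The temporary-file-then-rename step matters on a scheduled job: the agent scans the directory on its own timer, and a plain open/write can leave it reading a truncated file if the two overlap.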
67. Inventory Manager
• Query
• Search by inventory attribute
• Partial and inverse searches
• eg "Windows 2012 r2 instances running SQL Server 2016 where Windows
Update KB112342 is not installed"
• Integration with AWS Config
• Record inventory changes over time
• Use AWS Config Rules to monitor changes, notify
70. State Manager – Getting started
• Document: Author your intent
• Target: Instances or tag queries
• Association: Binding between a document and a target
• Schedule: When to apply your association
• Status: Check the state of your association at an aggregate or instance level
71. Creating an Association
aws ssm create-association \
  --document-name WebServerDocument \
  --document-version '$DEFAULT' \
  --schedule-expression "cron(0 */30 * * * ? *)" \
  --targets "Key=tag:Name,Values=WebServer" \
  --output-location '{"S3Location": {"OutputS3Region": "us-east-1", "OutputS3BucketName": "MyBucket", "OutputS3KeyPrefix": "MyPrefix"}}'
• Configures all instances that match the tag query and reapplies every 30 minutes
73. Parameter Store
• Centrally store and find config data
• Repeatable, automatable management (e.g. SQL connection strings)
• Granular access control – view, use and edit values
• Encrypt sensitive data using your own AWS KMS keys
74. Parameter Store – Getting started
• Parameter: Key-value pair
• Secure Strings: Encrypt sensitive parameters with your own KMS or default account encryption key
• Reuse: In Documents and easily reference at runtime across EC2 Systems Manager using {{ssm:parameter-name}}
• Access Control: Create an IAM policy to control access to specific parameters
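As an added example (not from the slides or from AWS), two pieces of the Parameter Store workflow above: `parameter_policy()` builds the IAM policy that scopes read access to one parameter path and, because Secure Strings are decrypted with KMS, also grants kms:Decrypt on that key; `render_document()` resolves parameter references in a document the way Systems Manager does at run time, using a constructed in-memory store in place of the service. Region, account id, path and key ARN are placeholders. One assumption beyond the slide: current Systems Manager documentation references Secure Strings as {{ssm-secure:name}} rather than {{ssm:name}}, and the renderer enforces that distinction.

```python
# Added example: least-privilege parameter policy and a run-time reference resolver.
# Store contents, ARNs and names are constructed placeholders.
import re


def parameter_policy(region: str, account_id: str, path_prefix: str, kms_key_arn: str) -> dict:
    """Read parameters under one path; decrypt SecureStrings with one named key only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadParametersUnderPath", "Effect": "Allow",
             "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
             "Resource": f"arn:aws:ssm:{region}:{account_id}:parameter{path_prefix}/*"},
            {"Sid": "DecryptSecureStrings", "Effect": "Allow",
             "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }


# {{ssm:name}} for String parameters, {{ssm-secure:name}} for SecureStrings (assumed from current docs)
PLACEHOLDER = re.compile(r"\{\{\s*(ssm|ssm-secure):([A-Za-z0-9_./-]+)\s*\}\}")

# Constructed store: name -> (Type, Value)
SAMPLE_STORE = {
    "/prod/db/host": ("String", "db.internal.example"),
    "/prod/db/password": ("SecureString", "example-password-value"),
}


def referenced_parameters(text: str) -> list:
    """Names a document references, so the policy above can be scoped before first run."""
    return sorted({name for _prefix, name in PLACEHOLDER.findall(text)})


def render_document(text: str, store: dict, can_decrypt: bool) -> str:
    """Replace each reference; SecureStrings need the secure prefix and decrypt rights."""
    def resolve(match):
        prefix, name = match.group(1), match.group(2)
        if name not in store:
            raise KeyError(f"parameter {name} not found")
        ptype, value = store[name]
        if ptype == "SecureString" and prefix != "ssm-secure":
            raise ValueError(f"{name} is a SecureString; reference it as {{{{ssm-secure:{name}}}}}")
        if ptype == "SecureString" and not can_decrypt:
            raise PermissionError(f"{name} is a SecureString and the caller lacks kms:Decrypt")
        return value
    return PLACEHOLDER.sub(resolve, text)


if __name__ == "__main__":
    template = "host={{ssm:/prod/db/host}} password={{ssm-secure:/prod/db/password}}"
    print(referenced_parameters(template))
    print(render_document(template, SAMPLE_STORE, can_decrypt=True))
```

The point of the second statement in the policy is the one that trips people up in practice: a principal can be allowed ssm:GetParameter on a Secure String and still fail to read it with decryption, because the decrypt happens under the caller's KMS permissions.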
79. Helpful Videos
The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M
IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
Encryption on AWS: https://youtu.be/DXqDStJ4epE
Securing Serverless Architectures: https://www.youtube.com/watch?v=8mpTpOXmws8