Check for required tags Rule R2: Security Group

1. Compliance with AWS:
Verifying AWS Security
Dave Walker, Specialist Solutions
Architect, Security and Compliance

2. Agenda
• "Everything Starts with a Threat Model"
• The End Product
• How AWS Gets There
• What AWS Means by "Compliance"
• Getting Copy of Audit Reports: The Artifact Service
• Workbooks and White Papers
• Verifying Your AWS Security
• Geographical Considerations

3. “Everything starts with a threat model”
• STRIDE, DREAD, others
• Identify:
• Actors
• Vectors
• “Bad stuff that could happen when bad people get creative”
• Probabilities and consequences of bad stuff happening
• Apply technical and procedural mitigations
• All the way up the OSI stack, from network to application

4. The End Product

5. How We Get There
70+
services
7,710 Audit
Artifacts
3,030 Audit
Requirements
2,670
Controls

6. AWS Security Team
Operations
Application Security
Engineering
Compliance
Aligned for agility
How We Get There

7. • Promotes culture of “everyone is an owner” for security
• Makes security stakeholder in business success
• Enables easier and smoother communication
Distributed Embedded
How We Get There

8. Separation of duties
Different personnel across service lines
Least privilege
How We Get There

9. Visibility through log analytics
Shrinking the protection boundaries
Ubiquitous encryption
How We Get There

10. What AWS Means by "Compliance"
SecurityRisk ComplianceGovernance

11. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Customer scope and
effort is reduced
Better results through
focused efforts
Built on AWS consistent
baseline controls
Your own
external audits
Customers
Your own
accreditation
Your own
certifications
What AWS Means by "Compliance"

12. The Artifact Service

13. The Artifact Service
{
"Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow",
"Action": [
"artifact:Get"
],
"Resource": [
"arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
"arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
"arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
]
}
]
}

14. The Artifact Service
• C5 (Germany)
• FedRAMP Partner package
• Global Financial Services Regulatory Principles
• IRAP Package (Australia)
• ISO 27001 Certification, Statement of Applicability
• ISO 27017 Certification, Statement of Applicability
• ISO 27018 Certification, Statement of Applicability
• ISO 9001 Certification
• MAS TRM Guidelines Workbook (Singapore)
• PCI DSS Attestation of Compliance and Responsibility Summary - Current and Previous
• PSN Connection Compliance Certificate (UK)
• PSN Service Provision Compliance Certificate (UK)
• Quality Management System Overview
• SOC 1 Reports (Current and Previous)
• SOC 2 Reports (Current and Previous)
• SOC 2 Report for Confidentiality
• SOC 3
• SOC Continued Operations Letter

15. Workbooks and White Papers
• Overview of Security Processes:
https://d1.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf
• UK G-Cloud / NCSC Security Principles, gov.uk:
https://d0.awsstatic.com/whitepapers/compliance/AWS_CESG_UK_Cloud_Security_Princi
ples.pdf
• IT-Grundschutz: Workbook at
https://d0.awsstatic.com/whitepapers/compliance/AWS_IT_Grundschutz_TUV_Certification
_Workbook.pdf
• FFIEC Compliance Workbook:
https://d0.awsstatic.com/whitepapers/compliance/AWS_Coalfire_FFIEC_Audit_Compliance
_Workbook.pdf
• EU Data Protection Guidance:
https://d0.awsstatic.com/whitepapers/compliance/AWS_EU_Data_Protection_Whitepaper.p
df

16. Compliance Resources
https://aws.amazon.com/compliance/resources/

17. Verifying Your AWS Security
Encryption &
Key Mgmt
Server &
Endpoint
Protection
Application
Security
Vulnerability
& Pen Testing
Advanced
Threat
Analytics
Identity and
Access Mgmt
Network
Security

18. • PCI-DSS
• standards for merchants which process credit card payments and
have strict security requirements to protect cardholder data. A point-
in-time certification.
• SOC 1-3
• designed by the “big 4” auditors as an evolution of SSAE16, SAS70
etc, and to address perceived shortcomings in ISO27001. A
continuous-assessment certification, covering process and
implementation.
• ISO 27001
• outlines the requirements for Information Security Management
Systems. A point-in-time certification, but one which requires
mature processes.
Verifying Your AWS Security

19. • Controls overlap between standards
• see eg https://www.unifiedcompliance.com
• AWS master control list and mappings
• 2670(ish) internal controls
• Mappings to external standards
• Engage auditors, and…
Verifying Your AWS Security

20. • “The magic’s in the Scoping”
• If a Service isn’t in scope, that doesn’t necessarily mean it can’t be used in a
compliant deployment
• …but it won’t be usable for a purpose which touches sensitive data
• See Re:Invent sessions, especially "Navigating PCI Compliance in the Cloud”,
https://www.youtube.com/watch?v=LUGe0lofYa0&index=13&list=PLhr1KZp
dzukcJvl0e65MqqwycgpkCENmg
• Remember the Shared Responsibility Model
• “we do our bit at AWS, but you must also do your bit in what you build using our
services”
• Our audit reports make it easier for our customers to get approval from
their auditors, against the same standards
• Liability can’t be outsourced…
• "Security is 70% people, policy and procedure, and 30% what you do to the
computers" – and so is Compliance
Verifying Your AWS Security

21. • Time-based Subtleties:
• PCI, ISO: point-in-time assessments
• SOC: assessment spread over time, therefore more rigorous assessment of
procedures and operations
• (AWS Config allows you to make a path between these, for your own auditors)
• FedRAMP: Continuous Monitoring and Reporting – important proof
• If a service for defined sensitive data isn’t in scope of an audit report,
can this be designed around?
• Eg standing up a queue system on EC2 as a substitute for SQS…
• Be careful of what elements of a Service are in scope, too…
• Metadata is typically “out”
Verifying Your AWS Security

22. SOC 1
• Availability:
• Audit report available to any customer with an NDA
• Scope:
• AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon
DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon
ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon
Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage
Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
• Sensitive data:
• N/A
• Particularly good for:
• Datacentre management, talks about KMS for key management and encryption
at rest, discusses Engineering bastions
• Downsides:
• None

23. SOC 2
• Availability:
• Audit report available to any customer with an NDA
• Scope:
• AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB,
Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon
Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES,
Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export,
Amazon VPC, Amazon Workspaces
• Sensitive data:
• N/A
• Particularly good for:
• Risk assessment considerations, management visibility and process,
organisational structure
• Downsides:
• None

24. PCI-DSS
• Availability:
• Audit report available to any customer with an NDA
• Scope:
• Amazon EC2, Application Auto Scaling, ELB, Amazon VPC, Amazon Route 53, AWS Direct Connect,
Amazon S3, Amazon Glacier, Amazon EBS, Amazon RDS, Amazon DynamoDB, Amazon SimpleDB,
Amazon Redshift, Amazon EMR, Amazon SWF, IAM, AWS CloudTrail, AWS CloudHSM, Amazon SQS,
Amazon CloudFront, AWS CloudFormation, AWS Elastic Beanstalk, AWS KMS, Amazon ECS, AWS WAF
• Sensitive data:
• CVV, PAN
• Particularly good for:
• Forensics cooperation, breach disclosure, explaining Shared Responsibility in
depth; also Hypervisor-based instance separation assurance
• Downsides:
• None (since the August 2015 update, when KMS was added)

25. ISO 27001
• Availability:
• Certificate is public at
http://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf, Statement of
Applicability via Artifact, full audit report available under NDA with a workshop
• Scope:
• AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory
Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon
EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon
S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export,
Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
• Sensitive data:
• N/A
• Particularly good for:
• A broad-ranging “backstop” and important “tick box item” – ISMS considerations
• Downsides:
• None (we now have a detailed audit report available, but it needs a workshop)

26. ISO 27017
• Availability:
• Certificate available at
https://d0.awsstatic.com/certifications/iso_27017_certification.pdf
• Scope:
• AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory
Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon
EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon
S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export,
Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
• Sensitive data:
• PII
• Particularly good for:
• Cloud Security Recommended Practices
• Downsides:
• No detailed audit report available

27. ISO 27018
• Availability:
• Certificate available at
https://d0.awsstatic.com/certifications/iso_27018_certification.pdf
• Scope:
• AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory
Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon
EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon
S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export,
Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
• Sensitive data:
• PII
• Particularly good for:
• Assurance of protection of PII in AWS environments
• Downsides:
• No detailed audit report available

28. Industry Best Practices for
Securing AWS Resources
CIS Amazon Web Services Foundations
Architecture agnostic set of security configuration
best practices
provides set-by-step implementation and assessment
procedures

29. CIS AWS Foundation Automation is mostly there...

30. AWS Enterprise Accelerator:
Compliance Architectures
Sample Architecture –
Security Controls Matrix
Cloudformation Templates
5 x templates
User Guide
http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html

31. “Familiar Functions, made Cloud Scale"
• IAM: “RBAC writ large”
• Fine-grained privilege
• Further access controls
• Source IP
• Time of day
• Use of MFA
• Region affected (a work in progress; works for EC2, RDS)
• Data Pipeline: “Cron writ large”
• (…and now, CloudWatch Events =
• “cron for Lambda”)

32. Asset Management, Logging and Analysis
• “What the API returns, is true”
• CloudTrail, Config, CloudWatch Logs
• “Checks and balances”
• S3 append-only, MFA delete
• SNS for alerting
• Easy building blocks for Continuous Protective Monitoring
AWS
Config
AWS CloudTrail CloudWatch

33. Config Rules
• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending
changes

34. Key Capabilities
• Normalized representation of your AWS resources
• Understand how different resources are connected and how a
configuration change to one affects others
• Continuous compliance with rules that you create!
• Continuous stream of configuration changes for resources you care
about
• Records configurations continuously, but only when they change

35. NormalizeRecordChanging
Resources
AWS Config & Config Rules
Deliver
Stream
Snapshot (ex. 2014-11-05)
AWS Config
APIs
Store
History
Rules

36. NormalizeRecordChanging
Resources
AWS Config & Config Rules
Deliver
Stream
Snapshot (ex. 2014-11-05)
AWS Config
APIs
Store
History
Rules
Rule R1: TaggedEC2
Rule R3: CloudTrail enabled
Rule R2: ProductionVolumesEncrypted

37. Multi-region aggregation of delivered data
Region 1
Region 2
Region 3
Common S3 bucket
Amazon S3 policies should permit accounts to write Config data
SNS Topic: Region 1
SNS Topic: Region 2
SNS Topic: Region 3
Common SQS queue
Amazon SQS/Amazon SNS publish/subscribe permissions should be set

38. AWS CloudTrail logs can be delivered cross-
account
CloudTrail can help achieve many tasks
Accounts can send their trails to a central
account
Central account can then do analytics
Central account can:
‣ Redistribute the trails
‣ Grant access to the trails
‣ Filter and reformat Trails (to meet privacy
requirements)

39. Component Description Contains
Metadata Information about this
configuration item
Version ID, Configuration item ID,
Time when the configuration item
was captured, State ID indicating
the ordering of the configuration
items of a resource, MD5Hash, etc.
Common Attributes Resource attributes Resource ID, tags, Resource type.
Amazon Resource Name (ARN)
Availability Zone, etc.
Relationships How the resource is related to
other resources associated with the
account
EBS volume vol-1234567 is
attached to an EC2 instance i-
a1b2c3d4
Current Configuration Information returned through a call
to the Describe or List API of the
resource
e.g. for EBS Volume
State of DeleteOnTermination flag
Type of volume. For example, gp2,
io1, or standard
Related Events The AWS CloudTrail events that are
related to the current configuration
of the resource
AWS CloudTrail event ID
Configuration Item

40. Sample Configuration Item
"configurationItemVersion": "1.0",
"configurationItemCaptureTime": "2014…",
"configurationStateID": “….",
"configurationItemStatus": "OK",
"resourceId": "vol-ce676ccc",
"arn": "arn:aws:us-west-………",
"accountId": "12345678910",
"availibilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Volume",
"resourceCreationTime": "2014-02..",
"tags": {},
"relationships": [
{
"resourceId": "i-344c463d",
"resourceType": "AWS::EC2::Instance",
"name": "Attached to Instance"
}
],
"relatedEvents": [
"06c12a39-eb35-11de-ae07-db69edbb1e4",
],
Metadata
Common Attributes
Relationships
Related Events

41. Sample Configuration Item
"configuration": {
"volumeId": "vol-ce676ccc",
"size": 1,
"snapshotId": "",
"availabilityZone": "us-west-2b",
"state": "in-use",
"createTime": "2014-02-……",
"attachments": [
{
"volumeId": "vol-ce676ccc",
"instanceId": "i-344c463d",
"device": "/dev/sdf",
"state": "attached",
"attachTime": "2014-03-",
"deleteOnTermination": false
}
],
"tags": [
{
"tagName": "environment",
"tagValue": "PROD"
Configuration

42. Relationships
• Bi-directional map of
dependencies automatically
assigned
• Change to a resource propagates
to create Configuration Items for
related resources
EC2 Instance Elastic IP

43. Config Rule
• AWS managed rules
• Defined by AWS
• Require minimal (or no) configuration
• Rules are managed by AWS
• Customer managed rules
• Authored by you using AWS Lambda
• Rules execute in your account
• You maintain the rule
A rule that checks the validity of configurations recorded

44. Config Rules - Triggers
• Triggered by changes: Rules invoked when relevant resources change
Scoped by changes to:
• Tag key/value
• Resource types
• Specific resource ID
• e.g. EBS volumes tagged “Production” should be attached to EC2 instances
• Triggered periodically: Rules invoked at specified frequency
• e.g. Account should have no more than 3 “PCI v3” EC2 instances; every 3 hrs

45. Evaluations
The result of evaluating a Config rule against a resource
• Report evaluation of {Rule, ResourceType, ResourceID} directly from
the rule itself

46. How do I know what happened

47. Config Rules - Example
function evaluateCompliance(configurationItem, ruleParameters) {
if((configurationItem.configuration.imageId === ruleParameters.approvedImage1) ||
(configurationItem.configuration.imageId === ruleParameters.approvedImage2))
return 'COMPLIANT';
else return 'NON_COMPLIANT';
}
exports.handler = function(event, context) {
var invokingEvent = JSON.parse(event.invokingEvent);
var ruleParameters = JSON.parse(event.ruleParameters);
...
compliance = evaluateCompliance(invokingEvent.configurationItem, ruleParameters, context);
ComplianceResourceType: invokingEvent.configurationItem.resourceType,
ComplianceResourceId: invokingEvent.configurationItem.resourceId,
ComplianceType: compliance,
..,
config.putEvaluations(putEvaluationsRequest, function (err, data)

48. Logs→metrics→alerts→actions
AWS Config
CloudWatch /
CloudWatch Logs
CloudWatch
alarms
AWS CloudTrail
Amazon EC2 OS logs
Amazon VPC
Flow Logs
Amazon SNS
email notification
HTTP/S
notification
SMS
notifications
Mobile push
notifications
API calls
from most
services
Monitoring data
from AWS
services
Custom
metrics

50. Recommendations
• Consider separation mechanisms for in-scope vs out-of-scope
environments (which will be clear for your auditor)
• VPC
• AWS account
• Both!
• "If it moves, log it. If it doesn't move, watch it 'til it moves, then log it."
• CloudTrail, Config (especially), VPC Flow Logs, ELB Logs, RDS logs, EC2 System
Manager Inventory and EC2 System Manager State Manager are your friends
• Look at our Config Rules repo at https://github.com/awslabs/aws-config-
rules
• Look at commercial (AWS Marketplace) and open source (eg
https://github.com/capitalone/cloud-custodian ) tools for continuous
monitoring and automated response
• Don't forget your EC2 instance security!

51. AWS security tools: What to use?
AWS Security and Compliance
Security of the cloud
Services and tools to aid
security in the cloud
Service Type Use cases
On-demand evaluations
Security insights into your
application deployments running
inside your EC2 instance
Continuous evaluations
Codified internal best practices,
misconfigurations, security
vulnerabilities, or actions on
changes
Periodic evaluations
Cost, performance, reliability,
and security checks that apply
broadly
Inspector
Config
Rules
Trusted
Advisor

52. Configuration Monitoring:
Inside EC2 Instances
(With new enhancements from Re:Invent 2016!)

53. What is Inspector?
• Application security assessment
• Selectable built-in rules
• Security findings
• Guidance and management
• Automatable via APIs

54. Getting started

55. Rule packages
• CVE (common vulnerabilities and exposures)
• CIS OS-level Benchmarks
• AWS network security best practices
• AWS authentication best practices
• AWS OS security best practices
• AWS application security best practices

56. Prioritised findings

57. Detailed remediation recommendations

58. Amazon EC2 Systems Manager
• Announced at Re:Invent 2016
• See sessions WIN401
(https://www.youtube.com/watch?v=Eal9K0aGLYI ) and WIN402
(https://www.youtube.com/watch?v=L5TglwWI5Yo )

59. Systems Manager Capabilities
Run Command Maintenance
Windows
Inventory
State Manager Parameter Store
Patch Manager
Automation
Configuration,
Administration
Update and
Track
Shared
Capabilities

60. Inventory

61. Inventory
What we heard:
• Accurate software inventory is critical for understanding fleet
configuration and license usage
• Legacy solutions not optimised for cloud
• Self-hosting requires additional overhead

62. Inventory
Introducing Inventory
• End-to-end inventory collection (EC2/on-premises/Workspaces)
• Linux / Windows
• Powerful query syntax
• Extensible inventory schema
• Integrated with AWS services

63. Inventory – System Diagram
SSMAgent
EC2 Windows
Instance
SSMAgent
EC2 Linux
Instance
SSMAgent
On-
Premises
Instance
AWS SSM Service
State Manager
EC2 Inventory SSM
document
Inventory
Store
EC2 Console,
SSM CLI/APIs
AWS Config
AWS Config
Console + CLI/APIs

64. Inventory – Getting Started
1. Configure Inventory
policy
2. Apply Inventory
policy
3. Query inventory

65. Inventory – Configuration
• Create an Inventory association
1. Select instances (by instance ID or tag)
2. Select scan frequency (hours, minutes, days, NOW)
3. Select Inventory Types to gather
• Instance information
• Applications
• AWS Components
• Network configuration
• Windows Updates
• Custom Inventory

66. Inventory – Custom Inventory Type
• Custom Inventory Collection
• Extensible: record any attribute for a given instance
• On-premise Examples: rack location, BIOS version, firewall settings
• Two ways to record custom inventory types
1. Agent/on-instance: Write a cron job to record custom inventory files
to a predefined path
2. API: Use PutInventory API

67. Inventory Manager
• Query
• Search by inventory attribute
• Partial and inverse searches
• eg "Windows 2012 r2 instances running SQL Server 2016 where Windows
Update KB112342 is not installed"
• Integration with AWS Config
• Record inventory changes over time
• Use AWS Config Rules to monitor changes, notify

68. State Manager

69. State Manager • Maintain consistent state of instances
• Reapply to keep instances from drifting
• Easily view status of configuration changes
• Define schedule – ad hoc, periodic
• Track aggregate status for your fleet

70. State Manager – Getting started
• Document: Author your intent
• Target: Instances or tag queries
• Association: Binding between a document and a
target
• Schedule: When to apply your association
• Status: Check the state of your association at an
aggregate or instance level

71. Creating an Association
• aws ssm create-association
• --document-name WebServerDocument
• --document-version $DEFAULT
• --schedule-expression cron(0 */30 * * * ? *)
• --targets “Key=tag:Name;Values=WebServer”
• --output-location "{ "S3Location": { "OutputS3Region": “us-east-1",
"OutputS3BucketName": “MyBucket", "OutputS3KeyPrefix": “MyPrefix" }
}“
• Configures all instances that match the tag query and reapplies every 30
minutes

72. Parameter Store

73. Parameter Store
• Centrally store and find config data
• Repeatable, automatable management (e.g. SQL connection
strings)
• Granular access control – view, use and edit values
• Encrypt sensitive data using your own AWS KMS keys

74. Parameter Store – Getting started
• Parameter: Key-value pair
• Secure Strings: Encrypt sensitive parameters with your own KMS or
default account encryption key
• Reuse: In Documents and easily reference at runtime across EC2
Systems Manager using {{ssm:parameter-name}}
• Access Control: Create an IAM policy to control access to specific
parameter

75. Creating and using a parameter
• aws ssm put-parameter
• --name mycommand
• --type string
• --value “dir C:Users”
• aws ssm send-command
• --name AWS-RunPowerShellScript
• --parameters commands=[“echo {{ssm:mycommand}}”]
• --target Key=tag:Name,Values=WebServer

76. Geographical Considerations

77. Geographical Considerations

78. Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Centre Website: https://aws.amazon.com/compliance
Security Centre: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/
AWS Audit Training: awsaudittraining@amazon.com
Helpful Resources

79. The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M
IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
Encryption on AWS: https://youtu.be/DXqDStJ4epE
Securing Serverless Architectures: https://www.youtube.com/watch?v=8mpTpOXmws8
Helpful Videos

80. Thank you!