© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automating Compliance:
Architecting for NIST Workloads in AWS GovCloud
Today’s Mission
• Achieve an ATO for an Information System in AWS
• This Mission is of Critical Importance to the future of your organization
• We are entrusting you to carry out this Critical Mission because you
are the best of the best of the best…(you get the idea)
• Yes, it may seem daunting – but you are not alone …
• Your AWS Mission Support Team:
• Michael Alpaugh – Solution Architect, AWS WWPS
• Priyanka Mahankali – Solution Architect, AWS WWPS
• Shaked Rotlevi – Solution Architect, AWS WWPS
This is your safety briefing …
• Warning: Information Overload May Occur
• Many cloud concepts will be new
• Keep your harness strapped and your helmet on
• Cut in extra cooling water to your laptops
• Please ask questions!
• This event is for you
• We are always available for a deep dive
• Email Us
Objectives for Today
• Gain confidence to build systems in the AWS cloud that meet
Security/Compliance requirements
• Understand the components of the AWS FedRAMP Package
• Learn how compliance automation can help an ATO
• See how AWS Compliance Quick Starts can help make your
job easier while improving your system security posture
• Have fun. Security and compliance don’t have to be boring,
tedious, and/or difficult
YOUR MISSION
Should you Choose to Accept It
AWS GovCloud (US)
YOUR MISSION… (Should you choose to accept it)
Move a 2 Tier Web App to the AWS Cloud & Attain an ATO
• Can you do this? … Yes, YOU CAN!
✓ AWS makes it easier for you to move your workload to the Cloud.
• Should you do this? … Yes, YOU SHOULD!
✓ AWS lowers cost, improves performance & allows agility
• Am I authorized to do this? … Yes, YOU ARE!
✓ FedRAMP guidance provides the roadmap to move to the Cloud
• Are other people doing this? … Yes, THEY ARE!
✓ Examples include the DISA IASE web site or NASA JPL
Mission Scope:
1. Move a 2 tier non-cloud web application to the Commercial Cloud
2. Attain an ATO to support production operations
[Diagram: Production data center and COOP data center, each with a FW, LB, two APP servers and a DB, plus supporting SERVICES (AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up); asynchronous replication between the two data centers]
What is Cloud Computing?
The on-demand delivery of:
• rapidly elastic, pooled IT resources
• over public or private networks
• no long-term contracts
• pay-as-you-go pricing
• easily managed with self service tools
• provides appropriate security
[Diagram: Traditional Infrastructure (equipment, resources and administration, contracts, cost) vs. AWS Cloud (no up-front expense, pay for what you use, improve agility, scale up and down, self-service infrastructure)]
Using Cloud for DoD: Why now?
• Federal, DoD & Agency Cloud Strategy
• Lower Cost
• New funding model
• Large & growing feature set
• Performance & Reliability
• Security
• SPEED & AGILITY
[Graphics: CAP EX to OP EX; DevSecOps, CI/CD, micro-services; AUTOMATE, INNOVATE, EXPERIMENT]
AWS New Services & Features per year: 2011: 80; 2012: 160; 2013: 280; 2014: 516; 2015: 722; 2016: 1017; 2017: 1430; 2018: 1957
How does Cloud Computing work in AWS?
“Isn’t it just someone else’s computer? No, it is much more than that!”
Managed Large Scale Infrastructure
• Data Centers / Security / Facilities
• Networks / Compute / Storage / Databases
• Integrated Management Tools & Services
Remotely accessible & manageable by the customer
Elastic & Scalable (automated, dynamic, responsive)
Extensive visibility and transparency capabilities
Security & Compliance built-in
AWS Global Infrastructure … it’s really really BIG
• 22 Regions
• 66 Availability Zones
• 176 Edge Locations
• Millions of Active Customers
• 190+ Countries
• 5000+ Government Agencies
• 10,000+ Educational Institutions
[Map: Regions with number of Availability Zones and New Regions (coming soon); AWS GovCloud (US): 3; Amazon Secret Region: 3; Announced Regions: Bahrain, Cape Town, Milan, Jakarta]
Amazon Global Network
• Redundant 100 GbE network
• Private network capacity between all AWS Regions, except China
AWS Region and Availability Zone View
[Diagram: an AWS Region comprised of multiple Availability Zones, each made up of several data centers, interconnected through redundant Transit Centers; sample US Region with Availability Zones A, B and C]
- Regions = metropolitan area
- Fully Isolated (security boundary)
- Customer chooses Region.
- Data Stays within Region.
- Regions comprised of multiple Availability Zones
- AZs connected through redundant low-latency links
- Discrete UPS & Onsite backup
- Redundant connections to multiple tier-1 ISPs
- Built for Continuous Availability
- PBs of Logs daily
Architected for Government Security Requirements
[Slide of compliance program logos] And many more…
https://aws.amazon.com/compliance/
US AWS Regions
[Map with the number of Availability Zones per Region]
• Commercial Regions (US East (VA), US East (OH), US West (OR), US West (CA)): FedRAMP MOD; DoD IL 2
• GovCloud Regions (GovCloud West (OR), GovCloud East (OH)): FedRAMP HIGH / MOD; DoD IL 2/4/5
• Classified Regions: Amazon Secret Region: ICD 503 SECRET; DoD IL 6. ICD 503 TS/SCI Region
AWS Service Breadth
[Service categories: storage, security, analytics, application integration, compute, customer engagement, database, developer tools, machine learning, IoT, mgmt/monitoring, media, migration, desktop, network]
Mission Defined & Mission Accepted
We accept our Mission: “ATO our system in the Cloud”
Let’s see where we can get guidance on:
1. How to get an ATO
2. How to get an ATO in the Cloud
Next STOP – Mission Guidance – we are movin’ out!
MISSION GUIDANCE:
The Path to an ATO in the Cloud
AWS GovCloud (US)
Let’s review how to get an ATO in general…
Then how to get an ATO in the Cloud!
Where Do We Get Compliance/ATO Guidance?
NIST SP 800-53 (Security & Privacy Controls for Fed Info Systems & Orgs)
NIST SP 800-37 (Guide for Applying the Risk Management Framework)
FIPS 199 (Standard for Security Categorization of Federal Info. & Info. Systems)
CNSSI 1253 (Categorization & Control Selection for National Security Systems)
☞ Let’s look at the RMF process flow …
NIST Risk Management Framework (Security Life-Cycle)
1. CATEGORIZE Information System: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
2. SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
3. IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
5. AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR Security State: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
NIST Risk Management Framework
[NIST RMF diagram repeated from the previous slide, with the following activities overlaid on its six steps]
✓ Create a security authorization package (Agency or GRC tool - e.g. Xacta, Archer, Allgress, etc.)
✓ Categorize System (Low – Mod – High)
✓ Select security controls
✓ Develop initial architecture for your system/application
✓ Develop System Security Plan
✓ Document Security Controls Implementation
✓ Complete architecture build out and integrations with supporting services
✓ Lockdown system for testing
✓ Submit ATO package to AO
✓ Conduct regular security/vulnerability scans
✓ Update vulnerability & malware definitions
✓ Conduct patching (IAVM process)
✓ Perform periodic assessment & re-authorization
✓ Update SSP
✓ Track & report significant changes to AO
✓ Assess system
• Pen tests & Vulnerability scans
• Compliance reviews
✓ Document findings
✓ Create Plans of Action and Milestones
✓ Remediate
How do we get approval to use Cloud?
We know the basics of how to get an ATO
But what about an ATO in the Cloud?
We can look at these sources for guidance:
• FedRAMP
• Agency-specific Guidance
• (e.g. DoD CC SRG)
☞ First let’s look at FedRAMP
[NIST RMF diagram repeated from the earlier slide]
What is FedRAMP?
Federal Risk & Authorization Management Program (FedRAMP) is government-wide
• Standardized approach for Cloud Products & Services for:
– Security assessment
– Authorization
– Continuous monitoring
• Developed in collaboration with:
– GSA
– NIST
– DHS
– DoD
– NSA
– OMB
– Federal CIO Council
Why do we need FedRAMP?
• Mandatory per OMB for cloud services that hold federal data
• “Do once, use many times” framework
– Saves government cost – work smarter, not harder
– Reduces redundant reviews
• Provides tailored set of NIST SP 800-53 security controls
– Selected to provide protection in cloud environments.
– Subsets defined for FIPS 199 Low, Moderate, and High categorizations.
• Established a Joint Authorization Board (JAB)
– CIOs from DoD, DHS & GSA
• Establishes accreditation standards for 3rd party assessors of cloud solutions.
This is how we get assurance about Security OF the Cloud!
Agency-Specific Guidance Example: DoD
DoD has its own specific implementation
DoD Cloud Computing (CC)
Security Requirements Guide (SRG)
v1r3
6 MAR 2017
☞ Let’s look at the DoD CC SRG
What is the DoD CC SRG?
• Applies to Cloud Service Providers and is for DoD Mission Owners
• Aligns with FedRAMP
• Describes functional aspects of a security architecture in the Cloud
• Selects controls from the NIST SP 800-53 catalog using CNSSI 1253
guidance
Think of the CC SRG as the DoD’s version of FedRAMP with extra functional
security requirements to protect the DoDIN against perceived threats introduced
by connecting to commercial Cloud Service Providers
What is IN the DoD CC SRG?
• Cloud Service Providers (CSP) definition
• Cloud Service Offerings (CSO) definition
• DoD RMF application to Commercial Cloud
• Use of FedRAMP & FedRAMP + controls
• DoD Provisional Authorization definition
• How to Classify and Categorize a system
• And more…
What is a Provisional Authorization?
• Pre-acquisition type of RMF authorization
• Pre-qualifies Commercial Cloud Service Offerings (CSO)
• Supports “do once, use many” framework of FedRAMP
• Used by DoD and Federal Cloud Mission Owners for:
– Source Selection
– Subsequent authorization under RMF
• Used by Mission Owners the same as “Control Inheritance”
• Leveraged by Mission Owner AO in overall risk assessment
What is a CSP?
• Cloud Service Provider
• Organization that offers/provides Cloud Services
• Commercial or Private
• DoD and non-DoD
• Commercial CSP Examples: AWS and Azure
• DoD CSP Examples: milCloud
What is a CSO?
• Cloud Service Offering
• A CSP’s Discrete Product or Service Offering
• Individually Assessed for Provisional Authorizations
• Well Defined Standardized Offerings
• Customer Level of Control Varies by Service Model
– IaaS or PaaS or SaaS
• Shared Security Model Applies
RMF Process: Federal/DoD Datacenter vs. In-Cloud
[Diagram: the same stack (Datacenter Facility, Power, HVAC, Network, Server / Storage, Operating System, Application) shown twice. Federal/DoD Datacenter: the Mission Owner’s RMF ATO Package combines Controls Inherited from the DoD datacenter ATO (under RMF) with Mission Owner Controls (under RMF). In-Cloud: the Mission Owner inherits Controls from the CSP Provisional Authorization (PA) and adds Mission Owner Controls under RMF.]
Cloud-related Initial Activities for RMF
Do Once per Enterprise Organization IAW FedRAMP
✓ Check FedRAMP catalog of Authorized Cloud Service Providers
✓ Select a CSP (Pick AWS!!)
✓ Review AWS compliance documentation
✓ Review security control inheritance & shared responsibility
✓ Grant an Organizational ATO for AWS as a General Support System (GSS)
✓ Load AWS into your GRC Tool as a GSS / Control provider
Cloud-related Activities - RMF “Implement” Step
✓ “Inherit” Common/Shared Controls from AWS
✓ Build out base system using AWS Services and Features
✓ Ensure you employ AWS security-related services (AWS CloudTrail, Amazon CloudWatch, AWS Config, encryption, etc.)
Let’s review where we stand on our Mission
Mission Scope Outlined ✔
Mission Accepted ✔
Mission Guidance Identified ✔
Now let’s take a look at the details of what we have to meet to get an ATO in the Cloud
☞ Next STOP ➤ MISSION REQUIREMENTS
Questions?
MISSION REQUIREMENTS:
System Categorization & Compliance Requirements
Why Do We Categorize our Systems?
System category allows us to determine applicable requirements & security controls
Categorization done IAW:
• FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems”
• CNSSI 1253 “Security Categorization and Control Selection for National Security Systems”
• DoDI 8510.01 “Risk Management Framework (RMF) for DoD Information Technology”
[NIST RMF diagram repeated from the earlier slide]
Impact Levels
• FIPS 199 defines process to determine Impact Levels
• Consider both:
– Sensitivity of Information &
– Impact of Events
• Sensitivity of information stored or processed
– For example: Public / Controlled Unclassified / Classified
• Impact of Event that results in loss of:
– Confidentiality (Low / Moderate / High)
– Integrity (Low / Moderate / High)
– Availability (Low / Moderate / High)
[Examples of sensitive data types: PII, PHI, Export Controlled, Critical Infrastructure, Sensitive Security]
Categorization Example:
For DoD, CC SRG also has its Information Impact Levels (SRG v1r3)
Impact Level | Maximum Data Type | Information Characterization
2 | Non-Controlled Unclassified Information | Unclassified information approved for public release; Unclassified, not designated as controlled unclassified information (CUI) or critical mission data, but requires some minimal level of access control
4 | Controlled Unclassified Information | Requires protection from unauthorized disclosure as established by Executive Order 13556 (Nov 2010); Education, Training, SSN, Recruiting (if medical is not included), Credit card information for individuals (i.e., PX or MWR events); PII, PHI, SSN, Credit card information for individuals, Export Control, FOUO, Law Enforcement Sensitive, Email
5 | Controlled Unclassified Information + NSS | National Security Systems and other information requiring a higher level of protection as deemed necessary by the information owner, public law, or other government regulations
6 | Classified up to SECRET | Pursuant to EO 12958 as amended by EO 13292; classified national security information or pursuant to the Atomic Energy Act of 1954, as amended to be Restricted Data (RD)
Source: DoD Cloud Computing Security Requirements Guide (SRG): http://iase.disa.mil/cloud_security/Pages/index.aspx
Updated DoD Policy on PII
“Impact Level 2 cloud services may be used to host low confidentiality impact level PII”
Updated DoD Policy on PII (continued)
“Reducing the minimum cloud requirement from Impact Level 4 to Impact Level 2 specifically for low confidentiality PII is consistent with requirements outside of cloud environments”
DoD CC SRG Update “replaces 5.1.5 and 5.1.5.1”
PII and PHI “are categorized as CUI”
“PHI and most PII in the cloud must be minimally protected in a Level 4 CSO”
“PII impact level determination will be performed”
DoD CC SRG Update
“… there is a need for some low confidentiality impact (low sensitivity) PII to be published and collected in commercial CSOs having a Level 2 PA.”
DoD CC SRG Update (continued)
“Prior to authorizing the system, the AO is accountable to review the PIA ...”
Let’s Categorize our 2 Tier Web Application
[Diagram: Production data center and COOP data center (FW, LB, two APP servers, DB, supporting SERVICES: AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up), with asynchronous replication between them]
Example 3 Tier Web Application Components
Web Tier – NGINX Proxy Server
Application Tier – WordPress/Apache/PHP
Database Tier – MySQL DB
All Servers Running Linux
Data Elements – PII & other CUI data
For our sample 3 tier app - example classification:
• Moderate/Moderate/Moderate (C/I/A) ✓
• For DoD, Cloud Impact Level 4 (IL4) ✓
Let’s Find this Application a Home…
• So many Cloud Service Providers…
• So little time …
• What is a Mission Owner to do?
• Perhaps FedRAMP can help… let’s take a look
Where can we find approved CSPs?
• Thanks to FedRAMP reciprocity you don’t have to check out each CSP yourself
• “Authorize Once & Use Many” approach
• FedRAMP Authorized Services
– https://marketplace.fedramp.gov/index.html#/products?sort=productName
• Agency-specific Approved GSS/Providers
– Example: DoD Authorized Cloud Service Catalog
http://www.disa.mil/~/media/Files/DISA/Services/Cloud-Broker/AuthorizedCloudServicesCatalog.pdf
• AWS Services in Scope Listing
– https://aws.amazon.com/compliance/services-in-scope/
FedRAMP Cloud Services Marketplace
https://marketplace.fedramp.gov/index.html#/products?sort=productName&productNameSearch=aws
[Screenshots of the FedRAMP Marketplace listing AWS offerings …and more]
DoD Cloud Services Catalog
https://storefront.disa.mil/kinetic/disa/service-catalog#/forms/cloud-service-support
[Catalog entries: AWS IaaS / PaaS IL4; AWS IaaS IL5; AWS IaaS IL6]
AWS Services in Scope
https://aws.amazon.com/compliance/services-in-scope/
Legend:
• ✓ = This service is currently in scope and is reflected in current reports
• Joint Authorization Board (JAB) Review = This service is currently undergoing a JAB review
• Third-Party Assessment Organization (3PAO) Assessment = This service is currently undergoing an assessment by our third-party assessor
• Defense Information Systems Agency (DISA) Review = This service is currently undergoing a DISA review
US AWS Regions
[US AWS Regions map repeated from the earlier slide: Commercial Regions FedRAMP MOD / DoD IL 2; GovCloud Regions FedRAMP HIGH / MOD / DoD IL 2/4/5; Amazon Secret Region ICD 503 SECRET / DoD IL 6; ICD 503 TS/SCI Region]
Cloud Infrastructure to Meet Federal Needs
• US Regions* (reached via Internet): Public/Private; Unrestricted/(U); FedRAMP Mod; DoD IL2
• AWS GovCloud* (reached via Customer Network, e.g. NIPR for DoD): CUI, FOUO, SBU, PII, PHI; FedRAMP High; DoD IL2, IL4 & IL5
• AWS Secret Region (reached via SIPRNET): SECRET; IC M/M/M (CNSSI 1253); DoD IL 6 PATO
• C2S Region (reached via JWICS): TS/SCI; IC M/M/M (CNSSI 1253)
• CAP / DX
* US Regions – CONUS (US-East/West); GovCloud (GovCloud East/GovCloud West)
• GovCloud designed to handle ITAR (International Traffic in Arms Regulation)
– JAB Provisional Authorization at the FedRAMP High Impact level
– Community Cloud: access controlled, US Persons for physical and logical access to the AWS infrastructure
• Physically Isolated Regions East/West (Oregon & Ohio)
• 3 Availability Zones
• Logical Network Isolation – all users run in VPCs
• FIPS 140-2 Validated Hardware & Cryptographic Services for VPNs and AWS Service API Endpoints
• Service(s) are only deployed into the Region based on customer demand
• Separate Isolated Credential Database
Offers the same high level of security as the other AWS Regions. Access is restricted to customers who are US Persons, not subject to export restrictions, and who comply with US export control laws and regulations, including the International Traffic in Arms Regulations (ITAR).
For Our Example, We will pick AWS US GovCloud
AWS GovCloud: Credentials (How they differ)
[Diagram: an AWS GovCloud Account (IAM Group, IAM User 1, IAM User 2) serves GovCloud (OR) and GovCloud (OH); a separate AWS Public Account (IAM Group, IAM User 1, IAM User 2) serves all other AWS Regions (excluding China): US East (VA), US West (CA), US West (OR), EU (Ireland), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), South America (Sao Paulo). Billing is linked between the two accounts.]
Mine, Yours and Ours – Control Ownership
• Mission Owners inherit controls from AWS
– Consistent with the reciprocity model used for years
• AWS is responsible for some controls completely
• Mission Owners are responsible for some controls completely
• Some controls are shared, in that services provided by AWS must be properly configured and implemented when used by Mission Owners
• AWS calls this approach the Shared Responsibility Model
Cloud Security is a Shared Responsibility
Compliance OF the Cloud – Cloud Service Provider Controls (cross-service controls, service-specific controls)
AWS obtains industry certifications & third-party attestations:
• SAS-70 Type II / SOC 1 / SOC 2
• ISO 27001/2 Certification
• Payment Card Industry (PCI) Data Security Standard (DSS)
• DoD PA
• FedRAMP JAB P-ATO & Agency ATOs
• HIPAA
• ITAR
Compliance IN the Cloud – Customers and Partners implement their own Application and Service controls (optimized Network/OS/App controls)
Multiple customers with:
• FISMA/ICD-503 ATOs
• DIACAP/RMF ATOs
https://aws.amazon.com/compliance
awscompliance@amazon.com
Security Control Ownership
• Customer Specific: Sole responsibility of the customer
• Hybrid: AWS provides partial implementation
• Shared: AWS & customer provide their implementation
• Inherited: Fully inherited from AWS
Division of Responsibility Depends on AWS Service: moving from Infrastructure Services to Container Services to Abstracted Services, the customer has less responsibility and AWS has more responsibility
Delegation of Security Control Responsibilities
• AWS: Responsible for Control Requirements for the CSO (AWS Global Infrastructure: Regions, Availability Zones, Edge Locations; Compute, Storage, Database, Networking)
• Cloud Manager: Governance and controls at Infrastructure / Platform Level (Enterprise Services)
• Application Owners: Responsible at the Application Level / Platform
“But Where Can I Find the Controls AWS meets?”
• In the AWS FedRAMP Package!
• Available for both AWS Partners & Customer Agencies
• AWS FedRAMP package covers:
– AWS infrastructure
– Underlying management of services
– Inherited controls
– Shared controls
• Assists in documenting security of workloads built on AWS
This is how we see evidence about Security OF the Cloud!
What You Get in the AWS FedRAMP Security Package
[Table also marks which documents are available to Federal Agencies, State/Local/Education, and Vendors & Contractors]
# FedRAMP Security Package Document
1 System Security Plan (SSP)
2 Security Assessment Plan (SAP)
3 Control Implementation Summary (CIS)
4 FIPS-199 Categorization
5 Control Tailoring Workbook (CTW)
6 Security Assessment Report (SAR)
7 Authority to Operate (ATO)
8 User Guide
9 Customer Responsibility Matrix (CRM)
10 Configuration Management Plan (CM Plan)
11 Contingency Management Plan (CMP)
12 E-Authentication Plan
13 PTA/PIA
14 Rules of Behavior
15 Incident Response Plan (IRP)
16 Policies
17 Security Controls Summary
18 SSP Template
FedRAMP Control Implementation Summary (CIS)
• Quick reference spreadsheet
• Categorizes & allocates FedRAMP controls between AWS & customer:
– Inherited Controls
– Customer Specific Controls
– Shared Controls
– Indications of where a control comes from
– Categorizes FedRAMP controls as Moderate & High (applicable to GovCloud)
[Chart: share of Shared, Customer Specific and Inherited controls]
FedRAMP Control Implementation Summary (CIS)
Eye Chart! [Screenshot of the CIS spreadsheet]
CIS – Customer Specific: Configured by Customer
• Controls for which AWS provides services that may be used to meet a requirement, but the customer needs to properly select the service and apply a configuration
• Examples of these controls include:
– User profiles, policy/audit configurations, enabling/disabling key switches (e.g., enable/disable HTTP or HTTPS), entering an IP range specific to their organization
– Account Management (AC-2): AWS IAM enables customers to securely control access to AWS services and resources, but the customer must apply the correct access policies
CIS – Customer Specific: Provided by Customer
• Controls which are solely the responsibility of the customer, met either by providing additional hardware or software, or by implementing an organizational policy
• Examples of these controls include:
– Organizational/Management controls that involve business processes within your organization
– Security Assessment and Authorization (CA-3): the customer must still complete a formal authorization for any workloads they build on top of AWS
– The customer provides a SAML solution to implement SSO with two-factor authentication
CIS “Inherited” Controls
• Controls that a customer fully inherits from AWS
• Filter the spreadsheet by:
– BLANK in the “Customer” and “Shared” columns
– “X” in either Service Provider Corporate, Service Provider System-Specific, or Service Provider Shared
• Examples of these controls include:
– Media Protection (MP)
– Maintenance (MA)
– Physical and Environmental Protection (PE)
CIS – Shared Controls
• Controls that apply to both the Cloud Service Provider and the Customer, but in completely separate contexts
• AWS addresses the requirements for the infrastructure (“...of the cloud”)
• Customer must address the requirements for their workload/application (“...in the cloud”)
• Examples of these controls include:
– Flaw Remediation (SI-2): AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications
– Awareness & Training (AT-3): AWS trains AWS employees, but a customer must train their own employees
– Configuration Management (CM-2): AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuration management of their own guest operating systems, databases, and applications
FedRAMP Customer Responsibility Matrix
• Also a quick reference spreadsheet
• Basic guidance for customers meeting FedRAMP controls:
– Provides mapping of controls to impact levels
– Describes customer responsibilities within the scope of AWS services
FedRAMP: Customer Responsibility Matrix
FedRAMP: System Security Plan (SSP) Template
• 400+ page document template
• Implementation details for 300+ security controls must be described
• LOTS of writing to be done by the customer
• Documentation and implementation must then be assessed
• “Acceptance of Risk” and “Authority to Operate” are only granted if the system “passes”
• Many Federal Agencies/Organizations already have their own templates or tools for this
FedRAMP: System Security Plan (SSP) Template
Page 357
Requesting the AWS FedRAMP package
• Request the package from your FedRAMP PMO
• Request the package from your AWS Account Rep
• Send an email to:
– awscompliance@amazon.com
– Requesting access to the FedRAMP Security Package
– For the purposes of building a system security plan using the AWS Agency FedRAMP authorization
Requesting the AWS FedRAMP package
• Request the full package from the FedRAMP PMO or your AWS Account Manager
• The Partner Package is available via AWS Artifact (AWS console)
• Send an email to: awscompliance@amazon.com
Determine Risk Acceptance of AWS FedRAMP SSP
• Evaluate the AWS P-ATO against internal risk posture
• Your agency’s Authorizing Official (AO) can authorize the AWS package for use by multiple applications/SSPs
• Your agency’s AO should authorize individual systems/SSPs for workloads built on AWS
• Your agency’s AO may also authorize individual AWS services that are not already in scope within FedRAMP
Questions?
MISSION PLAN:
Map Out the Architecture in the Cloud
AWS GovCloud (US)
Mission Scope:
1. Move a 2 tier non-cloud web application to the Commercial Cloud
2. Attain an ATO to support production operations
[Diagram: Production data center and COOP data center, each with FW, LB, two APP servers, a DB, and shared SERVICES (AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up); Asynchronous Replication between the two data centers]
First let’s find it a home in the cloud
“But isn’t the cloud just some amorphous collection of network and servers where data and applications are always moving?” NOPE …
Your data and applications go into the AWS Region you choose and they stay there until you move them
☞ Let’s see what an AWS Region is…
AWS Region and Availability Zone View
- Regions: metropolitan area with an independent “cloud”
- Fully isolated from other Regions (security boundary)
- 50 mile (approx.) radius “clustered” data center architecture
- Customer chooses Region. Data stays within Region.
- Regions comprised of multiple Availability Zones
- AZ = 1 or more “data centers”
- AZs connected through redundant low-latency links
- Physically separated; separate low-risk flood plains
- Discrete UPS and onsite backup
- Redundant connections to multiple tier-1 ISPs
- Built for continuous availability
[Diagram: Sample US Region with Availability Zone A, B and C, each made up of one or more data centers]
Cloud Infrastructure to Meet Federal Needs
- US Regions: Public/Private, Unrestricted/(U); FedRAMP Mod; DoD IL2; reached via the Internet
- AWS GovCloud: CUI, FOUO, SBU, PII, PHI; FedRAMP High; DoD IL2, IL4 & IL5; reached via the customer network (e.g. NIPR for DoD) over CAP / DX
- AWS Secret Region: SECRET; IC M/M/M (CNSSI 1253); DoD IL 6 PATO; reached via SIPRNET
- C2S Region: TS/SCI; IC M/M/M (CNSSI 1253); reached via JWICS
US AWS Regions
[Map: Commercial Regions, AWS GovCloud (US) Regions and the Amazon Secret Region, each labelled with its number of Availability Zones (3 to 6 per Region) and accreditation: commercial Regions FedRAMP MOD, DoD IL 2; GovCloud (US) FedRAMP HIGH/MOD, DoD IL 2/4/5; Amazon Secret Region ICD 503, SECRET, DoD IL 6; a TS/SCI Region under ICD 503]
Inheritance
[Diagram: the control stack, from bottom to top: Data Center; Virtualization; Networking; Compute & Storage; Log Management & Monitoring; System Mgmt. & Monitoring; High Availability Architecture; Configuration Management; Disaster Recovery; Identity & Access Control; Boundary Protection; Incident Response; Personnel. Mission Owner on Prem: every layer is a Mission Owner Control. Mission Owner on AWS: the layers split into Controls fully inherited, Hybrid Controls, and Specific Mission Owner Controls. ATO Package = Mission Owner Controls + the inherited AWS controls]
Let’s Categorize our 2 Tier Web Application
[Diagram: Production and COOP data centers with FW, LB, APP, DB and shared services, Asynchronous Replication between them (as in the Mission Scope diagram)]
Example 2 Tier Web Application Components
App/Web Tier – NGINX / WordPress / Apache / PHP
Database Tier – MySQL DB
All servers running Linux
Data Elements – PII & other CUI data
For our sample 2 tier app - example classification:
• Moderate/Moderate/Moderate (C/I/A) ✓
• Cloud Impact Level 4 (IL4) ✓
Step 1: Find a Home in AWS Cloud
[Diagram: the Production data center (APP, DB, LB, FW) mapped to an AWS Region with Availability Zone A and Availability Zone B]
Select an AWS Region:
• Independent geographic areas
• Customer chooses Region
• Data stays within Region
• Federal & DoD options include:
– US East (VA and OH) – FR Mod, DoD IL2
– US West (CA and OR) – FR Mod, DoD IL2
– US GovCloud (OR) – FR Mod/High, DoD IL2/4/5
– US GovCloud (OH) – FR Mod/High, DoD IL2/4/5
Select AWS Availability Zones (AZs):
• 2 or more AZs for customer use per Region
• Physically isolated from each other
• Each AZ designed as an independent failure zone
• Connected with low latency links (< 2 msec)
Step 2: Define Your Network in AWS
[Diagram: a VPC spanning Availability Zone A and B, each holding private subnets, hosting the APP, DB, LB and FW components of the Production data center]
AWS Virtual Private Cloud (VPC):
• Your private, isolated virtual network within the AWS Cloud
• You have complete control over your virtual network
• You can assign an IP address space as large as a /16 CIDR block (65,536 addresses)
• VPC CIDR block spans AZs
• Example CIDR block 10.0.0.0/16
VPC Subnets:
• Defines a range of IP addresses in your VPC
• Can be used to create separate network zones
• Subnets are AZ specific (they don’t span AZs)
• Example CIDR block 10.10.10.0/24
Network Access Control Lists (NACLs):
• Stateless network filters applied to inter-subnet traffic
Route Tables:
• Define rules to determine where traffic is directed
Step 3: Add in Servers
[Diagram: EC2 instances for APP and DB placed in the private subnets of the VPC across Availability Zone A and B]
Amazon Elastic Compute Cloud (EC2)
• Virtual servers (instances) in the cloud
• Launch EC2 instances into specific subnets
• Quickly launch or reboot servers
• Pay for what you use
EC2 Instance Types
• Various Windows & Linux O/S versions available
• Over 40 instance types to choose from
• Instance types are optimized for different use cases
• CPU, Memory, Networking, Storage & Graphics
Flexible Utilization & Pricing
• Various pricing models available
• Easily scale up or scale out
• Add instances when you need them
• Terminate instances when you don’t need them
Compute: EC2 Instance Families
- Burstable performance: T2
- General purpose: M3, M4, M5
- Compute optimized: C3, C4, C5
- Memory optimized: R3 / R4, X1 / X1e
- Dense-storage & High-I/O optimized: D2, H1, I2 / I3
- GPU enabled: F1, G2 / G3, P2 / P3
World Record for Concurrent Processors
Clemson University: Professor Alexander Herzog, graduate students Christopher Gropp and Brandon Posey, and Professor Amy Apon
At just after 21:40 (GMT-1) on Aug. 26, 2017, the number of vCPUs utilized was 1,119,196.
All processors were Spot Instances – “Excess AWS Capacity”
Step 4: Add Storage for your Servers
[Diagram: EBS volumes attached to the APP and DB instances in the VPC across Availability Zone A and B]
Amazon Elastic Block Store (EBS)
• Create individual storage volumes
• Attach them to an EC2 instance
• Volume is automatically replicated within its AZ
EBS uses include:
• Boot volumes and storage for EC2 instances
• Data storage with a file system
• Storage for databases & enterprise applications
• Can be used to create RAID configurations
EBS specifications:
• Persistent storage from 1 GB to 16 TiB
• Magnetic, SSD & Provisioned IOPS SSD
• Performance options to fit application needs
• Optional seamless 256-bit encryption
Simple Storage Service (S3) - Object Storage
• A “Bucket” is functionally equivalent to a “folder”
• Able to store an unlimited number of objects in a bucket
• Objects from 1 B to 5 TB; no bucket size limit; bucket names must be globally unique
• Highly available storage for the Internet (object store)
• HTTP/S endpoint to store and retrieve any amount of data, at any time, from anywhere on the web
• Highly scalable, reliable, fast, and inexpensive
• Annual durability of 99.999999999%; designed for 99.99% availability
• Over 2 trillion objects stored
• Peak requests 1,100,000+ per second
Archival Storage: Amazon Glacier
Snowball (Import/Export)
• 80 TB capacity, 10 GE network
• E-ink shipping label
• Ruggedized case (“8.5G impact”), rain and dust resistant
• Tamper-resistant case and electronics
• All data encrypted end-to-end
Step 5: Add Scalability, Redundancy & Failover
[Diagram: Production and COOP data centers (FW, LB, APP, DB) mapped onto a VPC across Availability Zone A and B]
Multiple Availability Zone (AZ) Architecture
• Supports High Availability and Fail Over
• Supports COOP and DR requirements
Step 5: Add Scalability, Redundancy & Failover
AWS Elastic Load Balancer (ELB)
• Distributes inbound traffic across EC2 instances
• Enables fault tolerance
• Fully managed service
Database Replication and Failover
• Synchronous data replication
• Failover using DNS that is transparent to the application
Elastic Load Balancing
• Supports the routing and load balancing of HTTP, HTTPS and generic TCP traffic to EC2 instances
• Supports SSL termination and Proxy protocol
• Supports health checks to detect and remove failing instances
• Dynamically grows and shrinks required resources based on traffic
• Seamlessly integrates with Auto Scaling to add and remove instances based on scaling activities
• Single CNAME provides a stable entry point for DNS configuration
• Supports internal load balancing within a VPC
• Supports connection draining
Step 5: Add Scalability, Redundancy & Failover
[Diagram: an AWS Region with the VPC across Availability Zone A and B; the APP instances sit in an Auto Scaling Group behind the ELB, with the DB replicated across AZs]
AWS Auto Scaling Group (ASG)
• Scales EC2 instances automatically
• Adds or removes instances according to load and traffic
Auto Scaling
• Well suited for applications that experience variability in usage
• Client defined business rules
• Scale your Amazon EC2 capacity automatically once you define the conditions (may be 1,000’s of servers)
• Can scale up just a little…doesn’t need to be a massive number of servers (may be simply 2 servers)
• Set minimum and maximum scaling policies
• Alternate use is for fault tolerance
Step 6: Add Network Traffic Filtering at Servers
[Diagram: Security Groups applied to the LB, APP and DB instances within the VPC across Availability Zone A and B]
AWS Security Groups (SG)
• Stateful firewall applied to an instance
• Filters on source & destination IP, port and protocol
• Inbound and outbound rules
• By default all inbound access is blocked
Create Defense in Depth Architectures
• Allow web servers to talk to app servers
• Allow app servers to talk to DB servers
SGs Support Dynamic Scaling
• As servers scale in an ASG, SGs continue filtering
• SGs can reference other SGs
How should you Secure Your VPC?
Best Practice: Build security at every layer using routing rules, network ACLs, and security groups.
Inbound traffic passes through these layers in order:
• Subnet level Network Access Control Lists (ACLs):
- Layer of security that acts as a stateless firewall for controlling traffic in and out of a subnet
- Port/Protocol defined with an Action (Allow/Deny)
• Security Groups:
- Stateful virtual firewall applied to an instance (e.g. EC2, ELB)
- Traffic must be explicitly specified by protocol, port, and security group
- Can reference other Security Group(s) in Inbound Source and/or Outbound Destination
• OS Firewall (e.g., iptables) may be implemented:
- Completely user controlled security layer
- Granular access control of discrete hosts
- Logging network events
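The tiered filtering described above, as an added example that is not part of the original deck: Python that emits the LB -> web -> app -> DB security-group chain as CloudFormation resources, where each tier's ingress source is the previous tier's security group rather than an IP range (so the rules keep working as an ASG scales), and then audits the result for rules that bypass a tier. The logical ids (LoadBalancerSG, WebSG, AppSG, DbSG), ports and the VpcId parameter are assumptions.

```python
"""Added example (not from the AWS deck): build the LB -> web -> app -> DB
security-group chain from Step 6 as CloudFormation resources and audit it.
Logical ids such as WebSG and the VpcId parameter are assumed names."""
import json
from typing import Dict, List, Tuple

# (source SG, destination SG, TCP port) pairs the tier design permits.
TIER_EDGES: List[Tuple[str, str, int]] = [
    ("LoadBalancerSG", "WebSG", 443),
    ("WebSG", "AppSG", 8080),
    ("AppSG", "DbSG", 3306),
]


def cidr_rule(protocol: str, port: int, cidr: str) -> dict:
    """Ingress rule whose source is an IP range (only the internet-facing tier gets these)."""
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port, "CidrIp": cidr}


def sg_rule(protocol: str, port: int, source_sg: str) -> dict:
    """Ingress rule whose source is another security group: instances keep access
    as they scale in and out of an Auto Scaling group, with no IP bookkeeping."""
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
            "SourceSecurityGroupId": {"Ref": source_sg}}


def security_group(description: str, ingress: List[dict]) -> dict:
    # No SecurityGroupIngress entries means nothing inbound is allowed (the default).
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": description,
                           "VpcId": {"Ref": "VpcId"},
                           "SecurityGroupIngress": ingress}}


def build_tiered_security_groups() -> Dict[str, dict]:
    resources = {
        "LoadBalancerSG": security_group("Internet-facing load balancer",
                                         [cidr_rule("tcp", 443, "0.0.0.0/0")]),
        "WebSG": security_group("Web tier", []),
        "AppSG": security_group("App tier", []),
        "DbSG": security_group("Database tier", []),
    }
    for src, dst, port in TIER_EDGES:
        resources[dst]["Properties"]["SecurityGroupIngress"].append(sg_rule("tcp", port, src))
    return resources


def audit_security_groups(resources: Dict[str, dict],
                          internet_facing=frozenset({"LoadBalancerSG"}),
                          public_ports=frozenset({443})) -> List[str]:
    """Return one finding per ingress rule that breaks the tier design."""
    allowed = {(src, dst): port for src, dst, port in TIER_EDGES}
    findings = []
    for name, res in resources.items():
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            port = rule["FromPort"]
            if "CidrIp" in rule:
                if name not in internet_facing:
                    findings.append(f"{name}: CIDR source {rule['CidrIp']} on port {port}; "
                                    "internal tiers must use security-group sources")
                elif rule["CidrIp"] == "0.0.0.0/0" and port not in public_ports:
                    findings.append(f"{name}: port {port} is open to the internet")
            else:
                src = rule["SourceSecurityGroupId"]["Ref"]
                if allowed.get((src, name)) != port:
                    findings.append(f"{name}: ingress from {src} on port {port} "
                                    "is not an approved tier edge")
    return findings


def to_template(resources: Dict[str, dict]) -> str:
    """Wrap the resources in a deployable CloudFormation template body."""
    return json.dumps({"AWSTemplateFormatVersion": "2010-09-09",
                       "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
                       "Resources": resources}, indent=2)


if __name__ == "__main__":
    groups = build_tiered_security_groups()
    print(to_template(groups))
    # A "temporary" SSH rule on the database tier is exactly what the audit should catch.
    groups["DbSG"]["Properties"]["SecurityGroupIngress"].append(cidr_rule("tcp", 22, "0.0.0.0/0"))
    print(audit_security_groups(groups))
```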
Recap: Moving 2 Tier Web App to AWS
Review your existing infrastructure components and their AWS equivalents:
- Data Center → AZ
- VLAN → Subnet
- Server/VM → EC2 instance
- FW → Security Group
- Load Balancer → ELB
[Diagram: Production and COOP data centers with their shared SERVICES (AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up) and Asynchronous Replication between them]
In addition to application & networking requirements, we need to address these services!
How do we address these Infrastructure Needs?
[Diagram: DoDIN, IAP and CND connected via a CAP at a Co-Location, over Direct Connect and a VPG, to the VPC across Availability Zone A and B]
• Web Application Firewall
• Network Firewall / Full Packet Capture
• Network Intrusion Detection/Prevention
• ACAS – Vulnerability Scanning
• HBSS – Endpoint Protection
• AD / SSO / LDAP / OCSP
• DNS / NTP / DHCP
• Log Management / SIEM
• Patching Services
DoD SCCA Component Functional Requirements
Virtual Datacenter Security Stack (VDSS)
Provides network and application security capabilities such as an application-aware firewall and/or intrusion prevention system.
Virtual Datacenter Management Stack (VDMS)
Provides system support services for mission owner environments (AD/LDAP, DNS, Patch Repos). Potentially CSSP offerings as well.
Trusted Cloud Credential Manager (TCCM)
An individual or entity appointed by the Authorizing Official to establish policies for controlling privileged user access to connect Virtual Private Clouds to DISN and for administering cloud services.
Cloud Access Point (CAP)
Provides network access to the cloud and boundary protection of DISN from the cloud.
DoD SCCA Architecture Approach in AWS
[Diagram: DoDIN, IAP and CND reach the GovCloud Region through a CAP, Co-Location and Direct Connect, with Internet connectivity alongside; the GovCloud Region hosts the VDSS and VDMS (each across Availability Zone A and B) in front of the mission owner VPC with private subnets across Availability Zone A and B]
Virtual Datacenter Security Stack (VDSS), across Availability Zone A and B:
• Network Firewall Services
• Full Packet Capture Services
• Network Intrusion Detection/Prevention Services
• Web Application Firewall Services
Virtual Datacenter Management Stack (VDMS), across Availability Zone A and B:
• ACAS / Vulnerability Scanning Services
• HBSS / Endpoint Protection Services
• AD / DNS / SSO / OCSP / DHCP Services
• Other Shared Services
NIST HIGH Quick Start Architecture
[Diagram (NOTIONAL): a Mission Owner VPC in the Region with Management Services (Vulnerability Scanning, Endpoint Protection, NAT / Bastion Host Services) across Availability Zone A and B, PEERED to the Application Owner A and Application Owner B application stack VPCs; each application VPC has, in AZ A and AZ B, a DMZ Subnet (Web Server), an App Subnet (App Server) and a Database Subnet (DB Server, primary); Internet connectivity is shown at the edge]
Questions?
AWS Security Concepts and Services
Why is security traditionally so hard?
• Lack of visibility
• Low degree of automation
• Limited resources & scale constraints inhibit tooling build out to address challenges
AWS Security Focus
• Designed for Security
• Constantly Monitored
• Highly Automated
• Highly Available
• Highly Accredited
Security is our #1 priority
Elevate your security with the AWS Cloud
AWS Security Assurance frameworks
US AWS Regions approved for DoD use
[Map: commercial Regions US East (VA), US East (OH), US West (OR) and US West (CA): FedRAMP MOD, DoD IL 2; GovCloud West (OR) and GovCloud East (OH): FedRAMP HIGH/MOD, DoD IL 2/4/5; Amazon Secret Region: ICD 503, SECRET, DoD IL 6; each Region labelled with its number of Availability Zones (3 to 6)]
All customers benefit from the same security
60+ assurance programs, including:
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001
• ISO 9001
• PCI DSS Level 1 - Service Provider
• ISO 27017 (security of the cloud)
• ISO 27018 (personal data)
• BSI C5 (Germany) – ESCloud (EU)
• CISPE - GDPR
Scale with visibility and control
• Control where your data is stored and who can access it
• Fine-grain identity & access control so resources have the right access
• Reduce risk via security automation and continuous monitoring
• Integrate AWS services with your solutions to support existing workflows, streamline ops, and simplify compliance reporting
Highest standards for privacy
• Encryption at scale
• Meet data residency requirements
• Build compliant infrastructure
• Comply with local data privacy laws
Automate with integrated services
• Threat remediation and response
• Securely deploy business critical applications
• Operational efficiencies to focus on critical issues
• Continuous monitoring and protection
• Comprehensive set of APIs and security tools
AWS security solutions
• Identity & access management
• Detective controls
• Infrastructure protection
• Incident response
• Data protection
Largest ecosystem of security partners and solutions
• Infrastructure security
• Logging & monitoring
• Identity & access control
• Configuration & vulnerability analysis
• Data protection
Consulting competency partners with demonstrated expertise
• Security engineering
• Governance, risk, & compliance
• Security operations & automation
Identity & access management
AWS Identity and Access Management (IAM): securely control access to AWS services and resources
• IAM enables customers to create and manage users in AWS’s identity system
• Identity federation with a local directory is an option for enterprises
• Very familiar security model
– Users, groups, roles, permissions
– Supports SAML 2.0
• Allows customers to
– Create users & organize users in groups
– Assign individual passwords, access keys, multi-factor authentication devices
– Grant fine-grained permissions
– Optionally grant them access to the AWS Console
• Building blocks: Users, Groups, Roles, Policies, Resources
AWS CloudTrail
Track user activity and API usage to enable governance, compliance, and operational/risk auditing of your AWS account
• Records AWS API calls for your account and delivers log files to an S3 bucket that you specify
– Who made the API call?
– When was the API call made?
– What was the API call?
– What were the resources that were acted upon in the API call?
– Where was the API call made from?
• Log files are delivered approximately every 3-5 minutes
• Multiple partners offer integrated solutions to analyze log files
Uses of CloudTrail
• Security Analysis
– Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
• Track Changes to AWS Resources
– Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
• Troubleshoot Operational Issues
– Quickly identify the most recent changes made to resources in your environment.
• Compliance Aid
– Easier to demonstrate compliance with internal policies and regulatory standards.
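The five CloudTrail questions and the security-analysis use above, as an added example that is not part of the original deck: Python that reads CloudTrail records, answers who/when/what/which/where for each call, and flags root-account activity, calls that tamper with the trail, and security-group ingress opened to 0.0.0.0/0. The records are constructed (the field names follow the CloudTrail log file format, but the account id, group ids, IP addresses, user names and trail name are made up).

```python
"""Added example (not from the AWS deck): answer the who/when/what/which/where
questions from CloudTrail records and run three simple detections over them.
The records below are constructed; ids, IPs and names are not real."""
import json
from typing import Dict, List

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-05-01T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
     "requestParameters": {"groupId": "sg-0000example0",
                           "ipPermissions": {"items": [
                               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2019-05-01T14:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2019-05-01T14:06:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "10.10.10.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111122223333"},
     "requestParameters": {"groupId": "sg-0000example1",
                           "ipPermissions": {"items": [
                               {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
                                "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}}},
    {"eventTime": "2019-05-01T14:07:15Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "10.10.10.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111122223333"},
     "requestParameters": None},
]})

# Calls that switch off or weaken the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(log_text: str) -> List[dict]:
    return json.loads(log_text)["Records"]


def acted_on(record: dict) -> str:
    """Best-effort name of the resource a call touched, from its request parameters."""
    params = record.get("requestParameters") or {}
    for key in ("groupId", "name", "instanceId", "volumeId"):
        if key in params:
            return str(params[key])
    return "-"


def summarize(record: dict) -> Dict[str, str]:
    """The five questions CloudTrail answers for one API call."""
    ident = record["userIdentity"]
    return {"who": ident.get("userName", ident.get("type", "unknown")),
            "when": record["eventTime"],
            "what": f"{record['eventSource']}:{record['eventName']}",
            "which": acted_on(record),
            "where": record["sourceIPAddress"]}


def world_open_ports(record: dict) -> List[int]:
    """Ports an AuthorizeSecurityGroupIngress call opened to 0.0.0.0/0."""
    params = record.get("requestParameters") or {}
    ports = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        for ip_range in perm.get("ipRanges", {}).get("items", []):
            if ip_range.get("cidrIp") == "0.0.0.0/0":
                ports.append(perm.get("fromPort"))
    return ports


def detect(records: List[dict]) -> List[str]:
    """One finding line per suspicious record, in record order."""
    findings = []
    for record in records:
        s = summarize(record)
        context = f"{s['who']} at {s['when']} from {s['where']} on {s['which']}"
        if record["userIdentity"].get("type") == "Root":
            findings.append(f"ROOT_ACTIVITY: {s['what']} by {context}")
        if record["eventName"] in TRAIL_TAMPERING:
            findings.append(f"TRAIL_TAMPERING: {s['what']} by {context}")
        if record["eventName"] == "AuthorizeSecurityGroupIngress":
            ports = world_open_ports(record)
            if ports:
                findings.append(f"WORLD_OPEN_INGRESS: ports {ports} by {context}")
    return findings


if __name__ == "__main__":
    for line in detect(load_records(SAMPLE_LOG)):
        print(line)
```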
Amazon CloudWatch
Complete visibility of your cloud resources and applications to collect metrics, monitor log files, set alarms, and automatically react to changes
• Visibility into resource utilization, operational performance, and overall demand patterns
• Metrics such as CPU utilization, disk reads and writes, and network traffic
• Accessible via the AWS Management Console, web service APIs or command line tools
• Add custom metrics of your own
• Alarms (which tie into Auto Scaling, SNS, SQS, etc.)
• Billing alerts to help manage charges on your AWS bill
Dashboard Example
[Screenshot: CloudWatch dashboard showing the instance being monitored and its selected attributes]
AWS Config
Record and evaluate configurations of your AWS resources to enable compliance auditing, resource change tracking, & security analysis
• Get an inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
• Know resource relationships and dependencies
AWS Key Management Service (KMS)
AWS Key Management Service Hierarchy
• Two-tiered key hierarchy using envelope encryption
• Unique data key encrypts customer data
• KMS master keys encrypt data keys
• KMS master keys never leave the KMS HSM unencrypted
Benefits
• Limits risk of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master keys than millions of data keys
• Centralized access and audit of key activity
[Diagram: a Customer Master Key (CMK) wraps a separate Data Key for each of an S3 Object, an EBS Volume, a Redshift Cluster, and a Custom Application]
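The two-tier hierarchy above, as an added example that is not part of the original deck: a Python model in which master keys exist only inside a stand-in KMS object, every object gets its own data key, only the wrapped data key is stored next to the ciphertext, and every key operation lands in one audit log. The HMAC-based stream cipher with a MAC tag is a stand-in for a real AEAD such as AES-GCM so the block runs on the standard library alone; the ToyKms class, the key id format and the audit-log wording are assumptions, not the KMS API.

```python
"""Added example (not from the AWS deck): envelope encryption with a two-tier
key hierarchy. ToyKms stands in for KMS; seal/unseal stand in for an AEAD
cipher such as AES-GCM (do not use this toy cipher for real data)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream; XOR is its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification is rejected."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ciphertext)


class ToyKms:
    """Master keys never leave this object; callers only ever see data keys."""

    def __init__(self) -> None:
        self._master_keys: Dict[str, bytes] = {}
        self.audit_log: List[str] = []   # centralized record of every key operation

    def create_key(self, alias: str) -> str:
        key_id = "cmk-" + os.urandom(4).hex()   # constructed id format
        self._master_keys[key_id] = os.urandom(32)
        self.audit_log.append(f"CreateKey {key_id} alias={alias}")
        return key_id

    def generate_data_key(self, key_id: str, caller: str) -> Tuple[bytes, bytes]:
        """Return (plaintext data key, the same key wrapped under the master key)."""
        data_key = os.urandom(32)
        wrapped = key_id.encode() + b":" + seal(self._master_keys[key_id], data_key)
        self.audit_log.append(f"GenerateDataKey {key_id} caller={caller}")
        return data_key, wrapped

    def decrypt_data_key(self, wrapped: bytes, caller: str) -> bytes:
        key_id, blob = wrapped.split(b":", 1)
        self.audit_log.append(f"Decrypt {key_id.decode()} caller={caller}")
        return unseal(self._master_keys[key_id.decode()], blob)


@dataclass
class Envelope:
    """What gets stored: the ciphertext plus the wrapped data key, never the master key."""
    wrapped_data_key: bytes
    ciphertext: bytes


def encrypt_object(kms: ToyKms, key_id: str, plaintext: bytes, caller: str = "app") -> Envelope:
    data_key, wrapped = kms.generate_data_key(key_id, caller)
    ciphertext = seal(data_key, plaintext)
    del data_key   # the plaintext data key is not retained after use
    return Envelope(wrapped, ciphertext)


def decrypt_object(kms: ToyKms, envelope: Envelope, caller: str = "app") -> bytes:
    data_key = kms.decrypt_data_key(envelope.wrapped_data_key, caller)
    return unseal(data_key, envelope.ciphertext)


if __name__ == "__main__":
    kms = ToyKms()
    cmk = kms.create_key("alias/govcloud-app")
    env = encrypt_object(kms, cmk, b"constructed PII record")
    print(decrypt_object(kms, env))
    print("\n".join(kms.audit_log))
```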
Ubiquitous Encryption
• Encryption at rest: EBS, S3, Glacier, DynamoDB, RDS, EMR, Redshift
• Encryption in process / in transit: EC2, ELB
• Certificate management: Amazon Certificate Manager (ACM)
• Fully managed keys: KMS
• Restrict access: AWS IAM
• Full auditability: AWS CloudTrail
• Encrypted secrets management: Secrets Manager
Questions?
MISSION EXECUTION:
Reference Architectures and Automation to Build and Assess
AWS GovCloud (US)
Addressing Compliance Challenges w/ Standardized Reference Architectures
Challenge
• Meeting compliance requirements, e.g., NIST
• Making many critical decisions to ensure a secure application when using the AWS Shared Responsibility Model
• Mapping security controls to numerous AWS services
Solution
☞ Incorporate compliance requirements which can be pre-approved by customer assessment organizations
☞ Incorporate AWS functional and security best practices in the baseline
☞ Pre-document the alignment of AWS best practices with security/compliance requirements
Addressing Compliance Challenges w/ Standardized Reference Architectures
Challenge
• Error prone and time-consuming manual configuration of AWS resources
• Enforcing configuration management of AWS infrastructure over time
• Authorization process is time consuming, labor intensive, and delays mission deployments
Solution
☞ Create fully automated infrastructure-as-code CloudFormation templates to reduce human error
☞ Keep AWS CloudFormation templates under version control and only deploy from the approved repository using approved processes
☞ Reduce the time necessary to engineer, build, and document security compliance controls
How Does AWS Make This Easier?
The Enterprise Accelerator Compliance Quick Start
https://aws.amazon.com/quickstart
AWS Enterprise Accelerator Quick Start Web Site
Enterprise Accelerator Quick Start Packages: What’s in the Box?
• Architecture Diagram
• Security Controls Matrix (SCM)
• AWS CloudFormation Templates
• Deployment Guide
Customizable Reference Architecture
Example Reference Architecture
− Customizable
− Employs AWS architecture best practices
[Diagram: an AWS Account with a Production VPC spanning us-east-1b and us-east-1c; each AZ holds a DMZ Subnet (Proxies, NAT) and Private Subnets (RDS DB); CloudTrail, AWS Config and CloudWatch Alarms feed an Archive Logs Bucket with S3 Lifecycle Policies to Glacier]
Security Controls Matrix
• Security Controls/Requirements Matrix
− Maps security controls to architectural components
− Describes security control implementation details
Use the AWS Enterprise Accelerator as a Validation Tool
Are they similar? Compare your SCM with the AWS Enterprise Accelerator SCM.
AWS Quick Start CloudFormation Templates
• CloudFormation Templates
− Customize and deploy through automation
• Templates deliver infrastructure as code
– Each template deploys a resource stack
– Templates can be managed and version controlled in a source code repository (e.g., GitHub)
AWS Quick Start CloudFormation Stacks
• The Quick Start package is a set of nested templates that deploy “stacks” which:
− Are modular and customizable
− Build specific portions of the architecture
− Can be deployed for different types of workloads
AWS Quick Start Nested CloudFormation Stacks
• Main Stack: launches all other stacks
• Management VPC Stack: VPCs, Subnets, Gateways, Route Tables, NACLs
• Production VPC Stack: VPCs, Subnets, Gateways, Route Tables, NACLs
• NAT Instance Stack: NAT EC2 Instance; Network Interfaces; Elastic IP Address
• Logging Stack: CloudTrail, CloudWatch; S3 Buckets and Policies for log data; SNS Topics
• IAM Stack: Users; Groups; Roles; Policies; Authentication
• Config Rules Stack: Config Rules; Lambda Functions
• Web Application Stack: Elastic Load Balancers; AutoScaling Groups; AutoScaling Launch Configurations; S3 Buckets/Bucket Policies for static web data; RDS Databases; Additional CloudWatch Alarms; EC2 Instances; Security Groups
Deployment Guide
Contents:
• Overview of Compliance Framework(s) supported
• AWS Account Prerequisites
• Deployment steps
• Best practices
• How to customize and manage the CloudFormation templates
Incorporates Security Features via AWS Best Practices
[Diagram: a Production/Development VPC and a Management VPC, each spanning Availability Zone #1 and #2, joined by VPC Peering. Production VPC: Web and App tiers, RDS with RDS Snapshots, Fixed Content, CloudWatch, and a route to JWICS for End Users. Management VPC: RDP and AD hosts on the Management Network, reached through the Customer Gateway. CloudTrail Logs and IAM sit at the account level.]
• Users accessing the AWS console can be required to use multi-factor authentication (MFA) with a physical or virtual token
• CloudTrail logs API activity and delivers this logging to an S3 bucket, where it can be analyzed with a number of tools
• Users who access or manage AWS resources can be restricted by roles and permissions
• Elastic Load Balancer supports HTTPS and high availability
• S3 supports both SSL/TLS in transit and encryption at rest
• ACLs and IAM policies applied to any S3 bucket restrict access to S3 data
• The route table for each web subnet routes traffic to/from the JWICS gateway
• A Network ACL associated with multiple subnets can specify allow/deny ingress and egress rules
• A separate Management VPC isolates all management applications and access, reachable only via the Virtual Private Gateway
• Logging can be enabled on S3 buckets to track access and operations
• Private subnets (subnets with no route through an Internet gateway) are not accessible from the Internet
• Each EC2 instance type (web, app) can have a standard security group specified in its Auto Scaling launch configuration
• DB security groups specify that only app instances have access to RDS
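The callouts above map controls to properties of the CloudFormation resources that implement them, which means they can be checked before a stack is ever launched. The script below is an added example written for this page, not the Quick Start's own templates or a tool it ships: it audits a constructed JSON template for four of the callouts (the DB security group admits only the app-tier security group, nothing but the public HTTPS port is open to 0.0.0.0/0, every load balancer listener terminates TLS, and each S3 bucket has default encryption and server access logging). The template and its logical IDs (`WebSG`, `AppSG`, `DBSG`, `WebELB`, `StaticContentBucket`) are hypothetical and deliberately contain three defects so the audit has something to report.

```python
"""Static audit of a CloudFormation template against the security callouts above.
Added example: constructed template and hypothetical logical IDs, not the Quick
Start's templates.  Runs offline on the JSON form of a template."""
import json

# Constructed web-application stack, trimmed to the resources the checks read.
# It deliberately contains three defects so the audit has something to report.
TEMPLATE = json.loads(r"""
{
  "Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web tier", "VpcId": {"Ref": "ProductionVPC"},
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "AppSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "app tier", "VpcId": {"Ref": "ProductionVPC"},
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "SourceSecurityGroupId": {"Ref": "WebSG"}}]}},
    "DBSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "rds", "VpcId": {"Ref": "ProductionVPC"},
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "SourceSecurityGroupId": {"Ref": "AppSG"}},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIp": "10.0.0.0/8"}]}},
    "WebELB": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {
      "Listeners": [
        {"LoadBalancerPort": "443", "InstancePort": "443", "Protocol": "HTTPS",
         "SSLCertificateId": {"Ref": "CertificateArn"}},
        {"LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP"}]}},
    "StaticContentBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}}
  }
}
""")


def resources_of(template, rtype):
    """Logical ID -> resource for every resource of the given CloudFormation type."""
    return {lid: r for lid, r in template["Resources"].items() if r["Type"] == rtype}


def ingress_rules(sg):
    return sg["Properties"].get("SecurityGroupIngress", [])


def source_group(rule):
    """Logical ID referenced by SourceSecurityGroupId, or None for CIDR/literal rules."""
    src = rule.get("SourceSecurityGroupId")
    return src.get("Ref") if isinstance(src, dict) else None


def check_db_sg_sources(template, db_sg_id, allowed_source_ids):
    """DB tier may admit traffic only from the app-tier security group(s); no CIDR rules."""
    findings = []
    for rule in ingress_rules(template["Resources"][db_sg_id]):
        if "CidrIp" in rule or source_group(rule) not in allowed_source_ids:
            who = rule.get("CidrIp", source_group(rule))
            findings.append(f"{db_sg_id}: port {rule.get('FromPort')} open to {who}")
    return findings


def check_world_open_ports(template, allowed_ports=(443,)):
    """Only the public web listener port may be reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for lid, sg in resources_of(template, "AWS::EC2::SecurityGroup").items():
        for rule in ingress_rules(sg):
            if rule.get("CidrIp") != "0.0.0.0/0" and rule.get("CidrIpv6") != "::/0":
                continue
            all_protocols = str(rule.get("IpProtocol")) == "-1"
            ports = range(int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535)) + 1)
            if all_protocols or any(p not in allowed_ports for p in ports):
                findings.append(f"{lid}: {rule.get('FromPort')}-{rule.get('ToPort')} open to the world")
    return findings


def check_elb_https_only(template):
    """Every classic ELB listener must terminate TLS (HTTPS or SSL) on the public side."""
    findings = []
    for lid, elb in resources_of(template, "AWS::ElasticLoadBalancing::LoadBalancer").items():
        for listener in elb["Properties"].get("Listeners", []):
            if str(listener.get("Protocol", "")).upper() not in ("HTTPS", "SSL"):
                findings.append(f"{lid}: listener on port {listener.get('LoadBalancerPort')} "
                                f"is {listener.get('Protocol')}, not TLS")
    return findings


def check_s3_encryption_and_logging(template):
    """Buckets need default encryption at rest and server access logging."""
    findings = []
    for lid, bucket in resources_of(template, "AWS::S3::Bucket").items():
        props = bucket.get("Properties", {})
        if "BucketEncryption" not in props:
            findings.append(f"{lid}: no default encryption at rest")
        if "LoggingConfiguration" not in props:
            findings.append(f"{lid}: server access logging not configured")
    return findings


def audit(template):
    """All findings for a template; an empty list means the four controls hold."""
    return (check_db_sg_sources(template, "DBSG", {"AppSG"})
            + check_world_open_ports(template)
            + check_elb_https_only(template)
            + check_s3_encryption_and_logging(template))


if __name__ == "__main__":
    for finding in audit(TEMPLATE):
        print("FAIL", finding)
```

Run against the constructed template it reports three findings: the CIDR rule on `DBSG`, the plain HTTP listener on `WebELB`, and the missing access logging on `StaticContentBucket`. A check like this belongs in the pipeline that commits the customized templates to source control, so a control regression is caught at review rather than at the next assessment; it complements, rather than replaces, the Config rules that catch drift after deployment.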
CloudFormation as Part of the Governance Model
Application Owner Stack(s): Elastic Load Balancers; AutoScaling Groups; AutoScaling Launch Configurations; S3 Buckets/Bucket Policies for static web data; RDS Databases; Additional CloudWatch Alarms; EC2 Instances; Security Groups
Config Rules Stack: Config Rules; Lambda Functions
IAM Stack: Users; Groups; Roles; Policies; Authentication
Provisioning Team Main Stack: launches the repeatable baseline stacks
• Logging Stack: CloudTrail, CloudWatch; S3 Buckets and Policies for log data; SNS Topics
• Production VPC Stack: VPCs, Subnets, Gateways, Route Tables, NACLs
• NAT Instance Stack: NAT EC2 Instance; Network Interfaces; Elastic IP Address
Hand-off from Provisioning Team to Application Team: baseline VPC/networks are now ready for application deployment. DONE!
Teams: Enterprise Provisioning Team; Application Development/Deployment Team (Mission Owner, etc.)
CJIS Quick Start Preview (we want your feedback)
GovCloud URL
https://s3-us-gov-west-1.amazonaws.com/quickstart-reference/enterprise-accelerator/cjis/latest/templates/main.template
Commercial Region URL
https://s3.amazonaws.com/quickstart-reference/enterprise-accelerator/cjis/latest/templates/main.template
Deployment Guide
https://tinyurl.com/y9u65xvm
Security Controls Matrix
https://tinyurl.com/y9r5q4bl
Questions?
GOVERNANCE@SCALE:
Scalable oversight and control of
multiple AWS accounts through automation
AWS GovCloud (US)
Growing Cloud Adoption
What does “enterprise cloud governance” really mean?
Common governance questions
• How do I determine the current state of all cloud users and control their access across my enterprise?
• How do I ensure adherence to IT budgets in a pay-per-use model?
• How do I ensure deployments and operations are compliant with relevant legal, regulatory, and/or contractual policies?
The typical AWS adoption reality
• Stage 1: Specific Systems, Limited Accounts, Minimal Services (e.g., a Project 1 AWS Account with Amazon S3 and EC2; a Project 2 AWS Account with Amazon S3, EC2, and RDS)
• Stage 2: Numerous Systems, Multiple Accounts, Many Services (Project 1 through Project 6 AWS Accounts spanning Amazon S3, EC2, VPC, EMR, Kinesis, Redshift, API Gateway, SQS, WorkSpaces, ECS, AWS Lambda, and AWS Elastic Beanstalk)
Three principles of governance@scale
• Account management: align AWS accounts with the organization through a common interface. Standardize and streamline provisioning, maintenance, and access control policies for many AWS accounts and workloads
• Cost enforcement: ensure AWS accounts and workloads do not exceed budget
• Compliance automation: accelerate security authorizations, provide continuous monitoring and configuration management, and enforce security controls
So…what does this look like?
[Diagram: an org chart from the Executive CXO through Senior Leadership (VPs), Upper Management (Directors), and Management (Managers) down to Projects 1 through 8, each project annotated with its relative spend ($ to $$$).]
Account management @scale
Use AWS Organizations, SSO, CloudFormation, IAM, etc.
Use a consolidated admin AWS account
• AWS Identity and Access Management (IAM) users live in this account
• IAM users assume roles to access other AWS accounts
• Enforce MFA for role assumptions
Automate AWS account provisioning
• Eliminate slow, error-prone manual provisioning
• Ensure AWS accounts are actively managed
• Removes the incentive for users to experiment with AWS through other accounts (personal, school, and others)
Implement “single sign-on” through federation
Use Compliance Quick Starts and Landing Zones as a starting point
• Policy assignment to IAM users/groups/roles
• Consolidated admin baseline
• Target account baseline
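"Enforce MFA for role assumptions" is implemented in the trust policy of the role in each target account, not in the admin account. The following is an added example written for this page (not a Quick Start artifact): the trust policy for a target-account role that only principals from the consolidated admin account may assume, and only with MFA used within the last hour, plus a small evaluator that shows which AssumeRole requests the two conditions admit. The account IDs `111111111111` and `222222222222` are hypothetical, the GovCloud partition `aws-us-gov` is used in the ARNs, and the evaluator illustrates the policy's logic only; it is not the IAM policy engine (explicit Deny and the caller's identity policy are not modelled).

```python
"""Trust policy for a target-account admin role that only the consolidated admin
account may assume, and only with fresh MFA, plus a small evaluator showing which
AssumeRole requests it admits.  Added example: the account IDs are hypothetical and
the evaluator illustrates the policy's logic; it is not the IAM policy engine."""
import json

ADMIN_ACCOUNT = "111111111111"  # assumed consolidated admin account where IAM users live

# Attached to the role in each target account (arn:aws-us-gov partition for GovCloud).
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws-us-gov:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "Bool": {"aws:MultiFactorAuthPresent": "true"},
      "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}
    }
  }]
}
""")


def account_of(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def condition_matches(condition, ctx):
    """Evaluate the two operators this policy uses.  A key missing from the request
    context fails the test, which is why a session without MFA never matches."""
    for key, want in condition.get("Bool", {}).items():
        if key not in ctx or str(ctx[key]).lower() != str(want).lower():
            return False
    for key, limit in condition.get("NumericLessThan", {}).items():
        if key not in ctx or not float(ctx[key]) < float(limit):
            return False
    return True


def assume_role_allowed(policy, ctx):
    """True if an Allow statement admits the request (explicit Deny not modelled)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt["Principal"].get("AWS", [])
        principals = principals if isinstance(principals, list) else [principals]
        # An account ":root" principal delegates to that whole account; the caller's
        # own identity policy in the admin account must also grant sts:AssumeRole.
        if account_of(ctx["principal_arn"]) not in {account_of(p) for p in principals}:
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


def sample_requests():
    """Constructed request contexts.  The two aws:MultiFactorAuth* keys are what STS
    sets when an IAM user passes SerialNumber/TokenCode to AssumeRole."""
    alice = f"arn:aws-us-gov:iam::{ADMIN_ACCOUNT}:user/alice"
    return {
        "no_mfa": {"principal_arn": alice},
        "fresh_mfa": {"principal_arn": alice, "aws:MultiFactorAuthPresent": True,
                      "aws:MultiFactorAuthAge": 120},
        "stale_mfa": {"principal_arn": alice, "aws:MultiFactorAuthPresent": True,
                      "aws:MultiFactorAuthAge": 7200},
        "other_account": {"principal_arn": "arn:aws-us-gov:iam::222222222222:user/mallory",
                          "aws:MultiFactorAuthPresent": True, "aws:MultiFactorAuthAge": 120},
    }


def decisions():
    """Name -> allowed? for every sample request."""
    return {name: assume_role_allowed(TRUST_POLICY, ctx) for name, ctx in sample_requests().items()}


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name:14s} {'ALLOW' if allowed else 'DENY'}")
```

Only `fresh_mfa` is allowed: the request without MFA fails the `Bool` test because the key is absent, the stale one fails `NumericLessThan`, and the foreign account never matches the principal. One caveat for the "single sign-on through federation" bullet: sessions obtained through `AssumeRoleWithSAML` do not carry `aws:MultiFactorAuthPresent`, so a trust policy like this one would reject them; for federated users the MFA requirement has to be enforced at the identity provider instead.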
Cost enforcement @scale
Use automation to map AWS accounts to the org. structure
• Aligns with the current budget process and cost alignments
Use automation for cost management/enforcement
• Show decision makers actual spend versus budget projections
• Allow management to increase budgets
• Turn off resources to preserve budget
• Use dynamic IAM policies to throttle usage when budget thresholds are met
Provide near real-time budget projections so stakeholders are aware of current AWS spend
Compliance automation @scale
• Pre-approve standard security configurations to decrease RMF efforts up to 50% and achieve faster ATOs (days versus months/years)
• Automate deployment of accounts consistent with security policies (NIST/HIPAA)
• Pre-populate GRC tools with inherited and system-specific controls
• Perform continuous monitoring with GRC tools and alert security staff of configuration drift and/or vulnerabilities
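The Config Rules Stack listed with the nested stacks earlier pairs Config rules with Lambda functions, and the last bullet above describes the continuous monitoring that alerts on configuration drift. Below is an added example of what one such custom rule looks like, written for this page and not taken from the Quick Start: a Lambda handler that evaluates an `AWS::CloudTrail::Trail` configuration item against the Logging Stack's intent (multi-region trail, log file validation on, delivery to the archive logs bucket). The bucket name `archive-logs-bucket`, the trail name and the sample event are constructed; the configuration field names follow the Config schema for trails. `evaluate()` is pure so it runs offline, and `lambda_handler()` is the only place that talks to AWS.

```python
"""Custom AWS Config rule, as a Lambda handler, for the Logging Stack's CloudTrail
control: the trail must be multi-region, keep log-file validation on, and deliver to
the archive-logs bucket named in the rule parameters.  Added example, not the Quick
Start's own Config rule; the bucket name is hypothetical."""
import json


def evaluate_trail(configuration, params):
    """Return (compliance_type, annotation) for one trail's recorded configuration."""
    problems = []
    if not configuration.get("isMultiRegionTrail"):
        problems.append("not multi-region")
    if not configuration.get("logFileValidationEnabled"):
        problems.append("log file validation off")
    expected = params.get("ArchiveLogsBucket")
    if expected and configuration.get("s3BucketName") != expected:
        problems.append(f"delivers to {configuration.get('s3BucketName')!r}, expected {expected!r}")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "trail meets the logging baseline"


def evaluate(event):
    """Parse a Config invocation into one evaluation dict.  Pure: no AWS calls."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking.get("configurationItem")
    if item is None:  # ScheduledNotification carries no configuration item
        return None
    deleted = item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded")
    if deleted or event.get("eventLeftScope"):
        ctype, note = "NOT_APPLICABLE", "resource deleted or out of scope"
    elif item["resourceType"] != "AWS::CloudTrail::Trail":
        ctype, note = "NOT_APPLICABLE", "rule only evaluates CloudTrail trails"
    else:
        ctype, note = evaluate_trail(item.get("configuration") or {}, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": ctype,
        "Annotation": note[:256],  # Config rejects annotations longer than 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point invoked by AWS Config; reports the verdict with the result token."""
    evaluation = evaluate(event)
    if evaluation is None:
        return None
    import boto3  # imported here so the module loads (and tests run) without the SDK
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def build_event(status="OK", multi_region=False, bucket="scratch-bucket"):
    """Constructed Config invocation (not a real captured event) for local runs."""
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": "AWS::CloudTrail::Trail",
                "resourceId": "mission-trail",
                "configurationItemStatus": status,
                "configurationItemCaptureTime": "2019-06-01T12:00:00.000Z",
                "configuration": {
                    "name": "mission-trail",
                    "s3BucketName": bucket,
                    "isMultiRegionTrail": multi_region,
                    "logFileValidationEnabled": True,
                },
            },
        }),
        "ruleParameters": json.dumps({"ArchiveLogsBucket": "archive-logs-bucket"}),
        "resultToken": "TESTMODE",
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(build_event()), indent=2))
```

Register the function as the source of a custom Config rule scoped to `AWS::CloudTrail::Trail` with `ArchiveLogsBucket` as a rule parameter. The `ResourceDeleted` and `eventLeftScope` branch matters in practice: without it a trail that has been deleted stays NON_COMPLIANT forever instead of dropping out of the dashboard. Drift alerting is then a matter of routing the rule's compliance-change notifications to the SNS topic the Logging Stack creates.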
Where do I go from here?
• Build or buy a Governance@Scale solution that can grow with you.
• AWS Professional Services can help facilitate the design and help you build a solution based on your requirements.
• Partner Solutions are available
• AWS Solutions Architects can help with designing a solution that fits your needs
Questions?
Mission Wrap-Up:
Putting it all together
AWS GovCloud (US)
Where do I go from here?
• AWS Account Manager / Solutions Architect team
• AWS Professional Services
• AWS Training and Self-Help
AWS Stages of Adoption
[Chart: value over time across the stages Project, Foundation, Migration, and Reinvention, with Discovery before them and Cloud Native / Retire Tech Debt as the end state.]
• Discovery: “Envisioning your cloud journey”
• Project: “Starting your cloud journey”
• Foundation: “Building your cloud journey muscle memory”
• Migration: “Migration @ scale”
• Reinvention: “Continually optimise what and how you use AWS”
AWS Cloud Adoption Framework Overview
• Provides supportive guidance for six key organizational perspectives
• Helps stakeholders understand how to update skills, adapt existing processes, and introduce new processes
• Takes maximum advantage of the services provided by cloud computing
The Cloud Adoption Framework is based on six groups of stakeholder perspectives common to the organizational structures of contemporary businesses
AWS Training and Self-Help
• AWS Free Tier
• Explore our training options
• Whitepapers
– Security
– Risk & Compliance
• Reference Architecture
• AWS Marketplace
• Expect answers to follow-up questions shortly
AWS Training and Self-Help
• (Mostly) Free Training
– AWS Service Videos and Solution Webinars
– AWS CBTs: Security Fundamentals https://aws.amazon.com/training/course-descriptions/security-fundamentals/
– Public Sector Technical Essentials (Herndon and DC)
– Qwiklabs (advanced labs with codes) https://qwiklabs.com
– A Cloud Guru https://acloud.guru/
– Veterans: AWS Educate https://aws.amazon.com/education/awseducate/veterans/
• Formal AWS Training & Certification
– AWS: Virtual and Instructor-led (Architecting, Developing, Operations)
• “DOD-modified Architecting on AWS” Classroom in a Box Training
– 3rd Party: Global Knowledge
Learning Events
AWS Automating Compliance Workshops for DOD / Federal
AWS Worldwide Public Sector Summit – videos on YouTube
AWS re:Inforce – Cloud Security conference – videos on YouTube
AWS re:Invent – Annual User conference & training – 2-6 December (Las Vegas, NV)
What Training Does AWS Offer?
• Digital Training: free, self-paced online courses built by AWS experts
• Classroom Training: classes taught by accredited AWS instructors
• AWS Certification: exams to validate expertise with an industry-recognized credential
AWS Certifications Validate Knowledge
• AWS Certified Security Specialty
• AWS Certified Machine Learning Specialty
• AWS Certified Alexa Builder Specialty
We Can Help – Training Plan for Your Organization
AWS Training and Certification can help your organization build cloud skills to make your transition to the AWS Cloud easier, so you can get the most out of your investment, faster
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Mais de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

NIST Compliance, AWS Federal Pop-Up Loft

  • 1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automating Compliance: Architecting for NIST Workloads in AWS GovCloud
  • 2. Today’s Mission
    • Achieve an ATO for an Information System in AWS
    • This Mission is of Critical Importance to the future of your organization
    • We are entrusting you to carry out this Critical Mission because you are the best of the best of the best… (you get the idea)
    • Yes, it may seem daunting – but you are not alone …
    • Your AWS Mission Support Team:
      • Michael Alpaugh – Solution Architect, AWS WWPS
      • Priyanka Mahankali – Solution Architect, AWS WWPS
      • Shaked Rotlevi – Solution Architect, AWS WWPS
  • 3. This is your safety briefing …
    • Warning: Information Overload May Occur
    • Many cloud concepts will be new
    • Keep your harness strapped and your helmet on
    • Cut in extra cooling water to your laptops
    • Please ask questions!
    • This event is for you
    • We are always available for a deep dive
    • Email Us
  • 4. Objectives for Today
    • Gain confidence to build systems in the AWS cloud that meet Security/Compliance requirements
    • Understand the components of the AWS FedRAMP Package
    • Learn how compliance automation can help an ATO
    • See how AWS Compliance Quick Starts can help make your job easier while improving your system security posture
    • Have fun. Security and compliance don’t have to be boring, tedious, and/or difficult
  • 5. YOUR MISSION: Should you Choose to Accept It (AWS GovCloud (US))
  • 6. YOUR MISSION… (Should you choose to accept it): Move a 2 Tier Web App to the AWS Cloud & Attain an ATO
    • Can you do this? … Yes, YOU CAN! ✓ AWS makes it easier for you to move your workload to the Cloud.
    • Should you do this? … Yes, YOU SHOULD! ✓ AWS lowers cost, improves performance & allows agility
    • Am I authorized to do this? … Yes, YOU ARE! ✓ FedRAMP Guidance provides the roadmap to move to the Cloud
    • Are other people doing this? … Yes, THEY ARE! ✓ Examples include the DISA IASE web site or NASA JPL
  • 7. Mission Scope:
    1. Move a 2 tier non-cloud web application to the Commercial Cloud
    2. Attain an ATO to support production operations
    (Diagram: a Production data center and a COOP data center, each with FW, LB, two APP servers and a DB, plus supporting SERVICES: AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up; the two sites are linked by Asynchronous Replication.)
  • 8. What is Cloud Computing? The on-demand delivery of:
    • rapidly elastic, pooled IT resources
    • over public or private networks
    • no long-term contracts
    • pay-as-you-go pricing
    • easily managed with self-service tools
    • provides appropriate security
  • 9. Traditional Infrastructure vs. AWS Cloud
    • Traditional Infrastructure: Equipment; Resources and Administration; Contracts; Cost
    • AWS Cloud: No Up Front Expense; Pay for what you Use; Improve Agility; Scale Up and Down; Self-Service Infrastructure
  • 10. Using Cloud for DoD: Why now?
    • Federal, DoD & Agency Cloud Strategy
    • Lower Cost (CAPEX to OPEX)
    • New funding model
    • Large & growing feature set
    • Performance & Reliability
    • Security
    • SPEED & AGILITY (DevSecOps, CI/CD, microservices; AUTOMATE, INNOVATE, EXPERIMENT)
    (Chart, AWS New Services & Features per year: 2011: 80; 2012: 160; 2013: 280; 2014: 516; 2015: 722; 2016: 1017; 2017: 1430; 2018: 1957)
  • 11. How does Cloud Computing work in AWS? “Isn’t it just someone else’s computer? No, it is much more than that!”
    • Managed Large Scale Infrastructure: Data Centers / Security / Facilities; Networks / Compute / Storage / Databases; Integrated Management Tools & Services
    • Remotely accessible & manageable by the customer
    • Elastic & Scalable (automated, dynamic, responsive)
    • Extensive visibility and transparency capabilities
    • Security & Compliance built-in
  • 12. AWS Global Infrastructure … it’s really, really BIG
    • 22 Regions, 66 Availability Zones, 176 Edge Locations
    • Millions of Active Customers in 190+ Countries; 5000+ Government Agencies; 10,000+ Educational Institutions
    • AWS GovCloud (US): 3 Availability Zones (map legend: number = Region and number of Availability Zones)
    • New Regions announced (coming soon): Bahrain, Cape Town, Milan, Jakarta
    • Amazon Secret Region: 3 Availability Zones
  • 13. Amazon Global Network
    • Redundant 100 GbE network
    • Private network capacity between all AWS Regions, except China
  • 14. AWS Region and Availability Zone structure (diagram): an AWS Region contains multiple Availability Zones, each made up of several datacenters, with two Transit Centers (Transit Center 1 and Transit Center 2) connecting the Region.
  • 15. AWS Region and Availability Zone View
    - Regions = metropolitan area
    - Fully Isolated (security boundary)
    - Customer chooses Region.
    - Data Stays within Region.
    - Regions comprised of multiple Availability Zones
    - AZs connected through redundant low-latency links
    - Discrete UPS & Onsite backup
    - Redundant connections to multiple tier-1 ISPs
    - Built for Continuous Availability
    - PBs of Logs daily
    (Sample US Region: Availability Zone A, Availability Zone B, Availability Zone C; each AZ ~ Data Center)
  • 16. Architected for Government Security Requirements … and many more: https://aws.amazon.com/compliance/
  • 17. US AWS Regions (map legend: number = Availability Zones per Commercial, GovCloud or Classified Region; most Regions shown with 3 Availability Zones, one with 6)
    • Commercial Regions: US East (VA), US East (OH), US West (OR), US West (CA); marked FedRAMP MOD, DoD IL 2
    • GovCloud Regions: GovCloud West (OR), GovCloud East (OH); marked FedRAMP HIGH/MOD, DoD IL 2/4/5
    • Classified Regions: Amazon Secret Region (3 Availability Zones; ICD 503 SECRET, DoD IL 6); ICD 503 TS/SCI
  • 18. AWS Service Breadth: storage, security, analytics, application integration, compute, customer engagement, database, developer tools, machine learning, IoT, mgmt/monitoring, media, migration, desktop, network
  • 19. Mission Defined & Mission Accepted. We accept our Mission: “ATO our system in the Cloud”. Let’s see where we can get guidance on:
    1. How to get an ATO
    2. How to get an ATO in the Cloud
    Next STOP – Mission Guidance – we are movin’ out!
  • 20. MISSION GUIDANCE: The Path to an ATO in the Cloud (AWS GovCloud (US))
  • 21. Let’s review how to get an ATO in general… then how to get an ATO in the Cloud!
  • 22. Where Do We Get Compliance/ATO Guidance?
    • NIST SP 800-53 (Security & Privacy Controls for Fed Info Systems & Orgs)
    • NIST SP 800-37 (Guide for Applying the Risk Management Framework)
    • FIPS 199 (Standard for Security Categorization of Federal Info. & Info. Systems)
    • CNSSI 1253 (Categorization & Control Selection for National Security Systems)
    ☞ Let’s look at the RMF process flow …
  • 23. NIST Risk Management Framework (Security Life-Cycle)
    1. CATEGORIZE Information System: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
    2. SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
    3. IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
    4. ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
    5. AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
    6. MONITOR Security State: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
  • 24. NIST Risk Management Framework (same six-step Security Life-Cycle diagram as slide 23) with the activities performed along the cycle:
    ✓ Create a security authorization package (Agency or GRC tool - e.g. Xacta, Archer, Allgress, etc.)
    ✓ Categorize System (Low – Mod – High)
    ✓ Select security controls
    ✓ Develop initial architecture for your system/application
    ✓ Develop System Security Plan
    ✓ Document Security Controls Implementation
    ✓ Complete architecture build out and integrations with supporting services
    ✓ Lockdown system for testing
    ✓ Submit ATO package to AO
    ✓ Conduct regular security/vulnerability scans
    ✓ Update vulnerability & malware definitions
    ✓ Conduct patching (IAVM process)
    ✓ Perform periodic assessment & re-authorization
    ✓ Update SSP
    ✓ Track & report significant changes to AO
    ✓ Assess system
      • Pen tests & Vulnerability scans
      • Compliance reviews
    ✓ Document findings
    ✓ Create Plans of Action and Milestones
    ✓ Remediate
  • 25. How do we get approval to use Cloud? We know the basics of how to get an ATO. But what about an ATO in the Cloud? We can look at these sources for guidance:
    • FedRAMP
    • Agency-specific Guidance (e.g. DoD CC SRG)
    ☞ First let’s look at FedRAMP
    (Six-step RMF Security Life-Cycle diagram as on slide 23)
  • 26. What is FedRAMP? The Federal Risk & Authorization Management Program (FedRAMP) is government-wide
    • Standardized approach for Cloud Products & Services for: Security assessment; Authorization; Continuous monitoring
    • Developed in collaboration with: GSA, NIST, DHS, DoD, NSA, OMB, Federal CIO Council
  • 27. Why do we need FedRAMP?
    • Mandatory per OMB for cloud services that hold federal data
    • “Do once, use many times” framework: saves government cost – work smarter, not harder; reduces redundant reviews
    • Provides a tailored set of NIST SP 800-53 security controls, selected to provide protection in cloud environments, with subsets defined for FIPS 199 Low, Moderate, and High categorizations.
    • Established a Joint Authorization Board (JAB): CIOs from DoD, DHS & GSA
    • Established accreditation standards for 3rd party assessors of cloud solutions.
    This is how we get assurance about Security OF the Cloud!
  • 28. Agency-Specific Guidance Example: DoD. DoD has its own specific implementation: DoD Cloud Computing (CC) Security Requirements Guide (SRG) v1r3, 6 MAR 2017. ☞ Let’s look at the DoD CC SRG
  • 29. What is the DoD CC SRG?
    • Applies to Cloud Service Providers and is for DoD Mission Owners
    • Aligns with FedRAMP
    • Describes functional aspects of a security architecture in the Cloud
    • Selects controls from the NIST SP 800-53 catalog using CNSSI 1253 guidance
    Think of the CC SRG as the DoD’s version of FedRAMP with extra functional security requirements to protect the DoDIN against perceived threats introduced by connecting to commercial Cloud Service Providers
  • 30. What is IN the DoD CC SRG?
    • Cloud Service Providers (CSP) definition
    • Cloud Service Offerings (CSO) definition
    • DoD RMF application to Commercial Cloud
    • Use of FedRAMP & FedRAMP+ controls
    • DoD Provisional Authorization definition
    • How to Classify and Categorize a system
    • And more…
  • 31. What is a Provisional Authorization?
    • Pre-acquisition type of RMF authorization
    • Pre-qualifies Commercial Cloud Service Offerings (CSO)
    • Supports the “do once, use many” framework of FedRAMP
    • Used by DoD and Federal Cloud Mission Owners for: Source Selection; Subsequent authorization under RMF
    • Used by Mission Owners the same as “Control Inheritance”
    • Leveraged by Mission Owner AO in overall risk assessment
  • 32. What is a CSP?
    • Cloud Service Provider
    • Organization that offers/provides Cloud Services
    • Commercial or Private
    • DoD and non-DoD
    • Commercial CSP Examples: AWS and Azure
    • DoD CSP Examples: milCloud
  • 33. What is a CSO?
    • Cloud Service Offering
    • A CSP’s Discrete Product or Service Offering
    • Individually Assessed for Provisional Authorizations
    • Well Defined Standardized Offerings
    • Customer Level of Control Varies by Service Model: IaaS or PaaS or SaaS
    • Shared Security Model Applies
  • 34. RMF Process: Federal/DoD Datacenter vs. In-Cloud (diagram). Both stacks consist of Datacenter Facility, Power, HVAC, Network, Server / Storage, Operating System and Application. In the Federal/DoD Datacenter the stack is split between Inherited Controls from the DoD ATO (RMF) and Mission Owner Controls (RMF); In-Cloud it is split between Inherited Controls from the CSP PA and Mission Owner Controls (RMF), which together make up the RMF Mission Owner ATO Package.
  • 35. Cloud-related Initial Activities for RMF: Do Once per Enterprise Organization IAW FedRAMP
    ✓ Check FedRAMP catalog of Authorized Cloud Service Providers
    ✓ Select a CSP (Pick AWS!!)
    ✓ Review AWS compliance documentation
    ✓ Review security control inheritance & shared responsibility
    ✓ Grant an Organizational ATO for AWS as a General Support System (GSS)
    ✓ Load AWS into your GRC Tool as a GSS / Control provider
  • 36. Cloud-related Activities - RMF “Implement” Step
    ✓ “Inherit” Common/Shared Controls from AWS
    ✓ Build out base system using AWS Services and Features
    ✓ Ensure you employ AWS security-related services (AWS CloudTrail, Amazon CloudWatch, AWS Config, encryption, etc.)
  • 37. Let’s review where we stand on our Mission
    • Mission Scope Outlined ✔
    • Mission Accepted ✔
    • Mission Guidance Identified ✔
    Now let’s take a look at the details of what we have to meet to get an ATO in the Cloud ☞ Next STOP ➤ MISSION REQUIREMENTS
  • 38. Questions?
  • 39. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. MISSION REQUIREMENTS: System Categoration & Compliance Requirements
  • 40. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why Do We Categorize our Systems? System category allows us to determine applicable requirements & security controls Categorization done IAW: • FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems” • CNSSI 1253 “Security Categorization and Control Selection for National Security Systems” • DoDI 8510.01 ”Risk Management Framework (RMF) for DoD Information Technology” Define criticality/sensitivity of information system according to potential worst-case,adverse impactto mission/business. CATEGORIZE InformationSystem 1 Security Life-Cycle Selectbaseline security controls; apply tailoring guidance and supplementcontrols as needed based on risk assessment. SELECT Security Controls 2 Implementsecurity controls within enterprise architecture using sound systems engineering practices;apply security configuration settings. IMPLEMENT Security Controls 3 Continuously track changes to the information system thatmay affectsecurity controls and reassess control effectiveness. MONITOR Security State 6 Determine risk to organizational operations and assets, individuals,other organizations, and the Nation; if acceptable, authorize operation. AUTHORIZE InformationSystem 5 Determine security control effectiveness (i.e., controls implemented correctly,operating as intended, meeting security requirements for information system). ASSESS Security Controls 4
  • 41. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Impact Levels • FIPS 199 defines process to determine Impact Levels • Consider both: – Sensitivity of Information & – Impact of Events • Sensitivity of information stored or processed – For example: Public / Controlled Unclassified / Classified • Impact of Event that results in loss of: – Confidentiality (Low / Moderate / High) – Integrity (Low / Moderate / High) – Availability (Low / Moderate / High) PII PHI Export Controlled Critical Infrastructure Sensitive Security
  • 42. Categorization Example: For DoD, the Cloud Computing SRG also has its own Information Impact Levels (SRG v1r3):
    – Impact Level 2 – Non-Controlled Unclassified Information: unclassified information approved for public release; unclassified, not designated as controlled unclassified information (CUI) or critical mission data, but requiring some minimal level of access control
    – Impact Level 4 – Controlled Unclassified Information: requires protection from unauthorized disclosure as established by Executive Order 13556 (Nov 2010), e.g., Education, Training, SSN, Recruiting (if medical is not included), credit card information for individuals (i.e., PX or MWR events); PII, PHI, SSN, credit card information for individuals, Export Control, FOUO, Law Enforcement Sensitive, Email
    – Impact Level 5 – Controlled Unclassified Information + NSS: National Security Systems and other information requiring a higher level of protection as deemed necessary by the information owner, public law, or other government regulations
    – Impact Level 6 – Classified up to SECRET: classified national security information pursuant to EO 12958 as amended by EO 13292, or Restricted Data (RD) pursuant to the Atomic Energy Act of 1954, as amended
    DoD Cloud Computing Security Requirements Guide (SRG): http://iase.disa.mil/cloud_security/Pages/index.aspx
  • 43. Updated DoD Policy on PII: “Impact Level 2 cloud services may be used to host low confidentiality impact level PII”
  • 44. Updated DoD Policy on PII (continued): “Reducing the minimum cloud requirement from Impact Level 4 to Impact Level 2 specifically for low confidentiality PII is consistent with requirements outside of cloud environments”
  • 45. DoD CC SRG Update: “replaces 5.1.5 and 5.1.5.1”; PII and PHI “are categorized as CUI”; “PHI and most PII in the cloud must be minimally protected in a Level 4 CSO”; “PII impact level determination will be performed”
  • 46. DoD CC SRG Update: “… there is a need for some low confidentiality impact (low sensitivity) PII to be published and collected in commercial CSOs having a Level 2 PA.”
  • 47. DoD CC SRG Update (continued): “Prior to authorizing the system, the AO is accountable to review the PIA ...”
  • 48. Let’s Categorize our 2 Tier Web Application (diagram: a Production data center and a COOP data center, each with FW, LB, APP servers and DB plus supporting SERVICES – AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up – with asynchronous replication between them)
  • 49. Example 3 Tier Web Application Components: Web Tier – NGINX Proxy Server; Application Tier – WordPress/Apache/PHP; Database Tier – MySQL DB; all servers running Linux; Data Elements – PII & other CUI data. For our sample 3 tier app, example classification: • Moderate/Moderate/Moderate (C/I/A) ✓ • For DoD, Cloud Impact Level 4 (IL4) ✓
  • 50. Let’s Find this Application a Home… • So many Cloud Service Providers… • So little time … • What is a Mission Owner to do? • Perhaps FedRAMP can help... let’s take a look
  • 51. Where can we find approved CSPs? • Thanks to FedRAMP reciprocity you don’t have to check out each CSP yourself • “Authorize Once & Use Many” approach • FedRAMP Authorized Services – https://marketplace.fedramp.gov/index.html#/products?sort=productName • Agency-specific Approved GSS/Providers – Example: DoD Authorized Cloud Service Catalog http://www.disa.mil/~/media/Files/DISA/Services/Cloud-Broker/AuthorizedCloudServicesCatalog.pdf • AWS Services in Scope Listing – https://aws.amazon.com/compliance/services-in-scope/
  • 52. FedRAMP Cloud Services Marketplace (screenshot of the AWS entries): https://marketplace.fedramp.gov/index.html#/products?sort=productName&productNameSearch=aws
  • 53. FedRAMP Cloud Services Marketplace …and more
  • 54. DoD Cloud Services Catalog (https://storefront.disa.mil/kinetic/disa/service-catalog#/forms/cloud-service-support) lists AWS IaaS / PaaS at IL4, AWS IaaS at IL5 and AWS IaaS at IL6
  • 55. AWS Services in Scope (https://aws.amazon.com/compliance/services-in-scope/) legend: ✓ = This service is currently in scope and is reflected in current reports; Joint Authorization Board (JAB) Review = This service is currently undergoing a JAB Review; Third Party Assessment Organization (3PAO) = This service is currently undergoing an assessment by our third party assessor
  • 56. AWS Services in Scope (https://aws.amazon.com/compliance/services-in-scope/) legend: ✓ = This service is currently in scope and is reflected in current reports; Joint Authorization Board (JAB) Review = This service is currently undergoing a JAB review; Third-Party Assessment Organization (3PAO) Assessment = This service is currently undergoing an assessment by our third-party assessor; Defense Information Systems Agency (DISA) Review = This service is currently undergoing a DISA review
  • 57. US AWS Regions (map): Commercial Regions – US East (VA), US East (OH), US West (OR), US West (CA): FedRAMP Moderate, DoD IL 2; GovCloud Regions – GovCloud West (OR), GovCloud East (OH): FedRAMP High/Moderate, DoD IL 2/4/5; Classified Regions – Amazon Secret Region: ICD 503 SECRET, DoD IL 6, and an ICD 503 TS/SCI Region. The map also shows the number of Availability Zones in each Region.
  • 58. Cloud Infrastructure to Meet Federal Needs (diagram): Public/Private, Unrestricted/(U) data – FedRAMP Mod, DoD IL2 – in the US Regions*, reached from the Internet; CUI, FOUO, SBU, PII, PHI – FedRAMP High, DoD IL2, IL4 & IL5 – in AWS GovCloud*, reached from the Customer Network (e.g. NIPR for DoD) via CAP / DX; SECRET – IC M/M/M (CNSSI 1253), DoD IL 6 PATO – in the AWS Secret Region, reached from SIPRNET; TS/SCI – IC M/M/M (CNSSI 1253) – in the C2S Region, reached from JWICS. * US Regions – CONUS (US-East/West); GovCloud (GovCloud East/GovCloud West)
  • 59. For Our Example, We will pick AWS US GovCloud • GovCloud designed to handle ITAR (International Traffic in Arms Regulations) – JAB Provisional Authorization at the FedRAMP High Impact level – Community Cloud: access controlled, US Persons for physical and logical access to the AWS infrastructure • Physically Isolated Regions East/West (Oregon & Ohio) • 3 Availability Zones • Logical Network Isolation – all users run in VPCs • FIPS 140-2 Validated Hardware & Cryptographic Services for VPNs and AWS Service API End Points • Service(s) are only deployed into the Region based on customer demand • Separate Isolated Credential Database. GovCloud offers the same high level of security as the other AWS Regions. Access is restricted to customers who are US Persons, not subject to export restrictions, and who comply with US export control laws and regulations, including the International Traffic in Arms Regulations (ITAR).
  • 60. AWS GovCloud: Credentials (How they differ) (diagram): GovCloud (OR) and GovCloud (OH) are accessed through a separate AWS GovCloud Account with its own IAM Groups and IAM Users; all other AWS Regions (excluding China) – US East (VA), US West (CA), US West (OR), EU (Ireland), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), South America (Sao Paulo) – are accessed through the AWS Public Account with its own IAM Groups and IAM Users. Billing is linked between the two accounts.
  • 61. Mine, Yours and Ours – Control Ownership • Mission Owners inherit controls from AWS – Consistent with the reciprocity model used for years • AWS is responsible for some controls completely • Mission Owners are responsible for some controls completely • Some controls are shared, in that services provided by AWS must be properly configured, implemented and used by Mission Owners • AWS calls this approach the Shared Responsibility Model
  • 62. Cloud Security is a Shared Responsibility (diagram): Compliance OF the Cloud – Cloud Service Provider Controls (cross-service controls and service-specific controls); Compliance IN the Cloud – Optimized Network/OS/App Controls, where customers and partners implement their own application and service controls. AWS obtains industry certifications & third party attestations: • SAS-70 Type II / SOC 1 / SOC 2 • ISO 27001/2 Certification • Payment Card Industry (PCI) Data Security Standard (DSS) • DoD PA • FedRAMP JAB P-ATO & Agency ATOs • HIPAA • ITAR. Multiple customers with: • FISMA/ICD-503 ATOs • DIACAP/RMF ATOs. https://aws.amazon.com/compliance awscompliance@amazon.com
  • 63. Security Control Ownership: Customer Specific – sole responsibility of the customer; Hybrid – AWS provides partial implementation; Shared – AWS & customer each provide their own implementation; Inherited – fully inherited from AWS. Division of Responsibility depends on the AWS Service: moving from Infrastructure Services through Container Services to Abstracted Services, the customer has less responsibility and AWS has more.
  • 64. Delegation of Security Control Responsibilities (diagram): AWS is responsible for control requirements for the CSO – the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) and the Compute, Storage, Database and Networking services; the Enterprise Services Cloud Manager is responsible for governance and controls at the Infrastructure / Platform level; Application Owners are responsible at the Application Level / Platform.
  • 65. “But Where Can I Find the Controls AWS meets?” • In the AWS FedRAMP Package! • Available for both AWS Partners & Customer Agencies • AWS FedRAMP package covers: – AWS infrastructure – Underlying management of services – Inherited controls – Shared controls • Assists in documenting security of workloads built on AWS. This is how we see evidence about Security OF the Cloud!
  • 66. What You Get in the AWS FedRAMP Security Package: 1 System Security Plan (SSP); 2 Security Assessment Plan (SAP); 3 Control Implementation Summary (CIS); 4 FIPS-199 Categorization; 5 Control Tailoring Workbook (CTW); 6 Security Assessment Report (SAR); 7 Authority to Operate (ATO); 8 User Guide; 9 Customer Responsibility Matrix (CRM); 10 Configuration Management Plan (CM Plan); 11 Contingency Management Plan (CMP); 12 E-Authentication Plan; 13 PTA/PIA; 14 Rules of Behavior; 15 Incident Response Plan (IRP); 16 Policies; 17 Security Controls Summary; 18 SSP Template. The original table also marks which documents are available to Federal Agencies, to State, Local and Education customers, and to Vendors & Contractors.
  • 67. FedRAMP Control Implementation Summary (CIS) • Quick reference spreadsheet • Categorizes and allocates FedRAMP controls between AWS & customer: – Inherited Controls – Customer Specific Controls – Shared Controls – Indications of where a control comes from – Categorizes FedRAMP controls as Moderate & High (applicable to GovCloud) (legend: Shared, Customer Specific, Inherited)
  • 68. FedRAMP Control Implementation Summary (CIS) – Eye Chart! (screenshot of the spreadsheet)
  • 69. CIS – Customer Specific: Configured by Customer • Controls for which AWS provides services that may be used to meet a requirement, but the customer needs to properly select the service and apply a configuration • Examples of these controls include: – User profiles, policy/audit configurations, enabling/disabling key switches (e.g., enable/disable http or https, etc.), entering an IP range specific to their organization – Account Management (AC-2): the AWS IAM service enables customers to securely control access to AWS services and resources, but the customer must apply the correct access policies
  • 70. CIS – Customer Specific: Provided by Customer • Controls which are solely the responsibility of the customer, either by providing additional hardware or software, or by implementing an organizational policy in order to meet the control requirement • Examples of these controls include: – Organizational/Management controls that involve business processes within your organization – Security Assessment and Authorization (CA-3) – the customer must still complete a formal authorization for any workloads they build on top of AWS – The customer provides a SAML solution to implement SSO with two-factor authentication
  • 71. CIS “Inherited” Controls • Controls that a customer fully inherits from AWS • Filter the spreadsheet by: – BLANK in the “Customer” and “Shared” columns – “X” in either Service Provider Corporate, Service Provider System-Specific, or Service Provider Shared • Examples of these controls include: – Media Protection (MP) – Maintenance (MA) – Physical and Environmental (PE)
  • 72. CIS – Shared Controls • Controls that apply to both the Cloud Service Provider & the Customer, but in completely separate contexts • AWS addresses the requirements for the infrastructure (“...of the cloud”) • Customer must address the requirements for their workload/application (“…in the cloud”) • Examples of these controls include: – Flaw Remediation (SI-2) – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications – Awareness & Training (AT-3) – AWS trains AWS employees, but a customer must train their own employees – Configuration Management (CM-2) – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuration management of their own guest operating systems, databases, and applications
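The filtering rules on slides 69 through 72 can be applied mechanically to a CIS export. The Python below is an added example, not AWS or FedRAMP tooling; the column headers follow the deck's wording and the rows are constructed, so a real workbook may need the header names adjusted.

```python
"""Classify FedRAMP CIS rows as Inherited, Shared or Customer-Specific.

Added example, not AWS's or FedRAMP's own tooling. Column names are taken
from the deck's description of the CIS filter; the rows are constructed.
"""
import csv
import io

# Constructed CIS-style extract (assumed headers; real workbooks may differ):
#   Service Provider Corporate / System-Specific / Shared -> AWS implements
#   Configured by Customer / Provided by Customer          -> customer implements
#   Shared                                                 -> both, in separate contexts
SAMPLE_CIS = """\
Control ID,Control Name,Service Provider Corporate,Service Provider System-Specific,Service Provider Shared,Configured by Customer,Provided by Customer,Shared
AC-2,Account Management,,,,X,,
AT-3,Role-Based Security Training,X,,,,,X
CA-3,System Interconnections,,,,,X,
CM-2,Baseline Configuration,,X,,,,X
MA-2,Controlled Maintenance,,X,,,,
MP-2,Media Access,,X,,,,
PE-3,Physical Access Control,X,,,,,
SI-2,Flaw Remediation,,X,,,,X
"""

SP_COLS = ("Service Provider Corporate", "Service Provider System-Specific",
           "Service Provider Shared")
CUSTOMER_COLS = ("Configured by Customer", "Provided by Customer")


def is_marked(value):
    """A cell counts as marked only if it holds an X (case-insensitive)."""
    return value.strip().upper() == "X"


def classify_row(row):
    """Return 'Inherited', 'Shared', 'Customer-Specific' or 'Unallocated'.

    Order follows the deck: a Shared mark wins, then any customer column;
    only a row with blank customer and shared columns and an X in a
    Service Provider column is fully inherited (slide 71's filter).
    """
    if is_marked(row["Shared"]):
        return "Shared"
    if any(is_marked(row[c]) for c in CUSTOMER_COLS):
        return "Customer-Specific"
    if any(is_marked(row[c]) for c in SP_COLS):
        return "Inherited"
    return "Unallocated"   # worth flagging: nobody owns the control


def classify_cis(csv_text):
    """Map control ID -> ownership class for every row of a CIS extract."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Control ID"]: classify_row(row) for row in reader}


def customer_workload(csv_text):
    """Control IDs the mission owner must write up in their own SSP:
    everything that is not fully inherited, sorted for a stable checklist."""
    return sorted(cid for cid, cls in classify_cis(csv_text).items()
                  if cls != "Inherited")


def families(control_ids):
    """Collapse control IDs to their NIST SP 800-53 family prefixes."""
    return sorted({cid.split("-")[0] for cid in control_ids})


if __name__ == "__main__":
    for cid, cls in classify_cis(SAMPLE_CIS).items():
        print(f"{cid:6} {cls}")
    todo = customer_workload(SAMPLE_CIS)
    print("Customer must document:", todo, "families:", families(todo))
```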
  • 73. FedRAMP Customer Responsibility Matrix • Also a quick reference spreadsheet • Basic guidance for customers meeting FedRAMP controls: – Provides mapping of controls to impact levels – Describes customer responsibilities within the scope of AWS Services
  • 74. FedRAMP: Customer Responsibility Matrix (screenshot)
  • 75. FedRAMP: System Security Plan (SSP) Template • 400+ page document template • 300+ security controls whose implementation details must be described • LOTS of writing to be done by the customer • Documentation and implementation must then be assessed • “Acceptance of Risk” and “Authority to Operate” are only granted if the system “passes” • Many Federal Agencies/Organizations already have their own templates or tools for this
  • 76. FedRAMP: System Security Plan (SSP) Template – Page 357
  • 77. Requesting the AWS FedRAMP package • Request Package from your FedRAMP PMO • Request Package from your AWS Account Rep • Send an Email to: – awscompliance@amazon.com – Requesting access to the FedRAMP Security Package – For the purposes of building a system security plan using the AWS Agency FedRAMP authorization
  • 78. Requesting the AWS FedRAMP package • Request Full Package from FedRAMP PMO or your AWS Account manager • Partner Package is available via AWS Artifact (AWS console) • Send an Email to: awscompliance@amazon.com
  • 79. Determine Risk Acceptance of AWS FedRAMP SSP • Evaluate the AWS P-ATO against internal risk posture • Your agency’s Authorizing Official (AO) can authorize the AWS package for use by multiple applications/SSPs • Your agency’s AO should authorize individual systems/SSPs for workloads built on AWS • Your agency’s AO may also authorize individual AWS Services that are not already in scope within FedRAMP
  • 80. Questions?
  • 81. MISSION PLAN: Map Out the Architecture in the Cloud – AWS GovCloud (US)
  • 82. Mission Scope: 1. Move a 2 tier non-cloud web application to the Commercial Cloud 2. Attain an ATO to support production operations (diagram: a Production data center and a COOP data center, each with FW, LB, APP servers and DB plus SERVICES – AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up – with asynchronous replication between them)
  • 83. First let’s find it a home in the cloud. “But isn’t the cloud just some amorphous collection of network and servers where data and applications are always moving?” NOPE … Your data and applications go into the AWS Region you choose and they stay there until you move them. Let’s see what an AWS Region is…
  • 84. AWS Region and Availability Zone View (diagram: a sample US Region with Availability Zones A, B and C, each made up of data centers) – Regions: metropolitan area with an independent “cloud”; fully isolated from other Regions (security boundary); 50 mile (approx.) radius “clustered” data center architecture – Customer chooses Region; data stays within Region – Regions are comprised of multiple Availability Zones; AZ = 1 or more “data centers” – AZs connected through redundant low-latency links – Physically separated; separate low risk flood plains – Discrete UPS & onsite backup – Redundant connections to multiple tier-1 ISPs – Built for Continuous Availability
  • 85. Cloud Infrastructure to Meet Federal Needs (diagram): Public/Private, Unrestricted/(U) data – FedRAMP Mod, DoD IL2 – in the US Regions, reached from the Internet; CUI, FOUO, SBU, PII, PHI – FedRAMP High, DoD IL2, IL4 & IL5 – in AWS GovCloud, reached from the Customer Network (e.g. NIPR for DoD) via CAP / DX; SECRET – IC M/M/M (CNSSI 1253), DoD IL 6 PATO – in the AWS Secret Region, reached from SIPRNET; TS/SCI – IC M/M/M (CNSSI 1253) – in the C2S Region, reached from JWICS
  • 86. US AWS Regions (map): Commercial Regions: FedRAMP Moderate, DoD IL 2; AWS GovCloud (US) Regions: FedRAMP High/Moderate, DoD IL 2/4/5; Classified Regions – Amazon Secret Region: ICD 503 SECRET, DoD IL 6, and an ICD 503 TS/SCI Region. The map also shows the number of Availability Zones in each Region.
  • 87. Inheritance (diagram): control areas – Personnel, Incident Response, Boundary Protection, Identity & Access Control, Disaster Recovery, Configuration Management, High Availability Architecture, System Mgmt. & Monitoring, Log Management & Monitoring, Compute & Storage, Networking, Virtualization, Data Center. With the Mission Owner on prem, every area is a Mission Owner Control; with the Mission Owner on AWS, the areas split into controls fully inherited from AWS, Hybrid Controls (AWS + Mission Owner) and Mission Owner Controls, which together make up the ATO Package.
  • 88. Let’s Categorize our 2 Tier Web Application (diagram: a Production data center and a COOP data center, each with FW, LB, APP servers and DB plus SERVICES – AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up – with asynchronous replication between them)
  • 89. Example 2 Tier Web Application Components: App/Web Tier – NGINX App / WordPress / Apache / PHP; Database Tier – MySQL DB; all servers running Linux; Data Elements – PII & other CUI data. For our sample 2 tier app, example classification: • Moderate/Moderate/Moderate (C/I/A) ✓ • Cloud Impact Level 4 (IL4) ✓
  • 90. Step 1: Find a Home in AWS Cloud. Select an AWS Region: • Independent geographic areas • Customer chooses Region • Data stays within Region • Federal & DoD options include: US East (VA and OH) – FR Mod, DoD IL2; US West (CA and OR) – FR Mod, DoD IL2; US GovCloud (OR) – FR Mod/High, DoD IL2/4/5; US GovCloud (OH) – FR Mod/High, DoD IL2/4/5. Select AWS Availability Zones (AZs): • 2 or more AZs for customer use per region • Physically isolated from each other • Each AZ designed as an independent failure zone • Connected with low latency links (< 2 msec) (diagram: the Production data center’s FW, LB, APP and DB placed into a Region with Availability Zones A and B)
  • 91. Step 2: Define Your Network in AWS. AWS Virtual Private Cloud (VPC): • Your private, isolated virtual network within the AWS Cloud • You have complete control over your virtual network • You can assign an IP address space as large as a /16 CIDR block (65,536 addresses) • VPC CIDR block spans AZs • Example CIDR block 10.0.0.0/16. Subnets: • Define a range of IP addresses in your VPC • Can be used to create separate network zones • Subnets are AZ specific (they don’t span AZs) • Example CIDR block 10.10.10.0/24. Network Access Control Lists (NACLs): • Stateless network filters applied to inter-subnet traffic. Route Tables: • Define rules to determine where traffic is directed (diagram: a VPC spanning Availability Zones A and B with two private subnets in each)
  • 92. Step 3: Add in Servers. Amazon Elastic Compute Cloud (EC2): • Virtual servers (instances) in the cloud • Launch EC2 instances into specific subnets • Quickly launch or reboot servers • Pay for what you use. EC2 Instance Types: • Various Windows & Linux O/S versions available • Over 40 instance types to choose from • Instance types are optimized for different use cases – CPU, Memory, Networking, Storage & Graphics. Flexible Utilization & Pricing: • Various pricing models available • Easily scale up or scale out • Add instances when you need them • Terminate instances when you don’t need them
  • 93. Compute: EC2 Instance Families (diagram): T2 – burstable performance; M3, M4, M5 – general purpose; C3, C4, C5 – compute optimized; R3, R4, X1, X1e – memory optimized; D2, H1, I2, I3 – dense-storage & high-I/O optimized; F1, G2/G3, P2/P3 – GPU enabled
  • 94. World Record for Concurrent Processors: Clemson University Professor Alexander Herzog, graduate students Christopher Gropp and Brandon Posey, and Professor Amy Apon. At just after 21:40 (GMT-1) on Aug. 26, 2017, the number of vCPUs utilized was 1,119,196. All processors were Spot Instances – “excess AWS capacity”
  • 95. Step 4: Add Storage for your Servers. Amazon Elastic Block Store (EBS): • Create individual storage volumes • Attach them to an EC2 instance • Volume is automatically replicated within its AZ. EBS uses include: • Boot volumes and storage for EC2 instances • Data storage with a file system • Storage for databases & enterprise applications • Can be used to create RAID configurations. EBS specifications: • Persistent storage from 1 GB to 16 TiB • Magnetic, SSD & Provisioned IOPS SSD • Performance options to fit application needs • Optional seamless 256-bit encryption
  • 96. Simple Storage Service (S3) – Object storage (storage tiers shown: EBS, S3, Glacier) • A “Bucket” is functionally equivalent to a “folder” • Able to store an unlimited number of Objects in a Bucket • Objects from 1 B to 5 TB; no bucket size limit; bucket names must be globally unique • Highly available storage for the Internet (object store) • HTTP/S endpoint to store and retrieve any amount of data, at any time, from anywhere on the web • Highly scalable, reliable, fast, and inexpensive • Annual durability of 99.999999999%; designed for 99.99% availability • Over 2 trillion objects stored • Peak requests 1,100,000+ per second
  • 97. Archival Storage – Glacier (storage tiers shown: EBS, S3, Glacier) • A “Bucket” is functionally equivalent to a “folder” • Able to store an unlimited number of Objects in a Bucket • Objects from 1 B to 5 TB; no bucket size limit; bucket names must be globally unique • Highly available storage for the Internet (object store) • HTTP/S endpoint to store and retrieve any amount of data, at any time, from anywhere on the web • Highly scalable, reliable, fast, and inexpensive • Annual durability of 99.999999999%; designed for 99.99% availability
  • 98. Snowball (Import/Export): • E-ink shipping label • Ruggedized case (“8.5G impact”) • All data encrypted end-to-end • Rain and dust resistant • Tamper-resistant case and electronics • 80 TB • 10 GE network
  • 99. Step 5: Add Scalability, Redundancy & Failover. Multiple Availability Zone (AZ) Architecture: • Supports High Availability and Fail Over • Supports COOP and DR requirements (diagram: the VPC with private subnets in Availability Zones A and B)
  • 100. Step 5: Add Scalability, Redundancy & Failover (continued). AWS Elastic Load Balancer (ELB): • Distributes inbound traffic across EC2 instances • Enables fault tolerance • Fully managed service. Database Replication and Failover: • Synchronous data replication • Failover using DNS that is transparent to the application (diagram: the Production and COOP data centers mapped onto a VPC with APP instances and a DB in each Availability Zone)
  • 101. Elastic Load Balancing • Supports the routing and load balancing of HTTP, HTTPS and generic TCP traffic to EC2 instances • Supports SSL termination and Proxy protocol • Supports health checks to detect and remove failing instances • Dynamically grows and shrinks required resources based on traffic • Seamlessly integrates with Auto Scaling to add and remove instances based on scaling activities • Single CNAME provides a stable entry point for DNS configuration • Supports internal load balancing within a VPC • Supports connection draining
  • 102. Step 5: Add Scalability, Redundancy & Failover (continued). AWS Auto Scaling Group (ASG): • Scales EC2 instances automatically • Adds or removes instances according to load and traffic (diagram: an ASG spanning the private subnets in Availability Zones A and B, with a DB in each AZ)
  • 103. Auto Scaling • Well suited for applications that experience variability in usage • Client-defined business rules • Scale your Amazon EC2 capacity automatically once you define the conditions (may be 1,000s of servers) • Can scale up just a little…doesn’t need to be a massive number of servers (may be simply 2 servers) • Set minimum and maximum scaling policies • Alternate use is for Fault Tolerance
  • 104. Step 6: Add network traffic filtering at servers. AWS Security Groups (SG): • Stateful firewall applied to an instance • Filters source & destination IP, port and protocol • Inbound and outbound rules • By default all inbound access is blocked. Create Defense in Depth Architectures: • Allow web servers to talk to app servers • Allow app servers to talk to DB servers. SGs Support Dynamic Scaling: • As servers scale in an ASG, SGs continue filtering • SGs can reference other SGs
  • 105. How should you Secure Your VPC? Best Practice: Build security at every layer using routing rules, network ACLs, and security groups. Inbound traffic passes the Network Subnet ACL, then the AWS Security Group, then the OS Firewall on the EC2 instance: • Subnet level Network Access Control Lists (ACLs): – Layer of security that acts as a stateless firewall for controlling traffic in and out of a subnet – Port/Protocol defined with Action (Allow/Deny) • Security Groups: – Stateful virtual firewall applied to an instance (e.g. EC2, ELB) – Traffic must be explicitly specified by protocol, port, and security group – Can reference other Security Group(s) in Inbound Source and/or Outbound Destination • OS Firewall (e.g., iptables) may be implemented: – Completely user controlled security layer – Granular access control of discrete hosts – Logging network events
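As an added example (not AWS code) for Steps 2 and 6 and the layered model above, the Python below validates a constructed VPC subnet layout and then evaluates whether a request and its reply pass a stateless subnet ACL and a stateful security group that references another security group; the CIDRs, instance names and sg-* names are assumptions.

```python
"""Model VPC security group and network ACL decisions for the two-tier app.

Added example, not AWS code. It encodes the semantics the deck states:
security groups are stateful, block all inbound by default and may name
another security group as a source; network ACLs are stateless, ordered by
rule number, and must allow the reply path explicitly. All CIDRs, instance
names and sg-* names below are constructed.
"""
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.0.0.0/16")          # the deck's example VPC block
SUBNETS = {                                    # one /24 per tier per AZ (constructed)
    "dmz-a": "10.0.1.0/24", "app-a": "10.0.2.0/24", "db-a": "10.0.3.0/24",
    "dmz-b": "10.0.11.0/24", "app-b": "10.0.12.0/24", "db-b": "10.0.13.0/24",
}
INSTANCES = {                                  # name -> (private IP, security group)
    "lb-a": ("10.0.1.10", "sg-lb"),
    "app-a": ("10.0.2.10", "sg-app"),
    "app-b": ("10.0.12.10", "sg-app"),         # same SG, other AZ (scaled out)
    "db-a": ("10.0.3.10", "sg-db"),
}
# Inbound SG rules: (protocol, port, source); source is a CIDR or another SG.
# No matching rule means deny: inbound is blocked by default.
SG_INBOUND = {
    "sg-lb": [("tcp", 443, "0.0.0.0/0")],
    "sg-app": [("tcp", 8080, "sg-lb")],        # only the load balancer tier
    "sg-db": [("tcp", 3306, "sg-app")],        # only the app tier
}
# NACL on the DB subnet: (rule number, direction, protocol, (low, high), cidr, action).
# The ephemeral-port rules are what a stateless ACL needs for replies.
DB_SUBNET_NACL = [
    (100, "inbound", "tcp", (3306, 3306), "10.0.0.0/16", "allow"),
    (110, "inbound", "tcp", (1024, 65535), "10.0.0.0/16", "allow"),
    (100, "outbound", "tcp", (1024, 65535), "10.0.0.0/16", "allow"),
]


def validate_subnets(vpc_cidr, subnets):
    """Return problems: subnets outside the VPC block, or overlapping pairs
    (a subnet lives in exactly one AZ, so the CIDRs must be disjoint)."""
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}
    problems = [n for n, net in nets.items() if not net.subnet_of(vpc_cidr)]
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a}/{b} overlap")
    return problems


def sg_allows_inbound(dst_sg, src_ip, src_sg, proto, port):
    """Stateful: only the request direction is evaluated; the reply to an
    admitted connection is tracked and needs no outbound rule."""
    for rule_proto, rule_port, source in SG_INBOUND.get(dst_sg, []):
        if rule_proto != proto or rule_port != port:
            continue
        if source in SG_INBOUND:               # rule references another SG
            if source == src_sg:
                return True
        elif ip_address(src_ip) in ip_network(source):
            return True
    return False


def nacl_allows(nacl, direction, proto, port, remote_ip):
    """Stateless: the lowest-numbered matching rule wins; no match is a deny."""
    for _, d, p, (low, high), cidr, action in sorted(nacl, key=lambda r: r[0]):
        if (d == direction and p == proto and low <= port <= high
                and ip_address(remote_ip) in ip_network(cidr)):
            return action == "allow"
    return False


def flow_allowed(src, dst, proto, port, nacl=DB_SUBNET_NACL, ephemeral=49152):
    """The request src->dst:port must pass the destination subnet's inbound
    ACL and the destination SG; the reply must pass the outbound ACL on the
    client's ephemeral port, because the ACL keeps no connection state."""
    src_ip, src_sg = INSTANCES[src]
    _, dst_sg = INSTANCES[dst]
    request_ok = (nacl_allows(nacl, "inbound", proto, port, src_ip)
                  and sg_allows_inbound(dst_sg, src_ip, src_sg, proto, port))
    reply_ok = nacl_allows(nacl, "outbound", proto, ephemeral, src_ip)
    return request_ok and reply_ok


if __name__ == "__main__":
    print("subnet problems:", validate_subnets(VPC_CIDR, SUBNETS))
    for src in ("app-a", "app-b", "lb-a"):
        print(f"{src} -> db-a:3306 allowed:", flow_allowed(src, "db-a", "tcp", 3306))
    no_reply = [r for r in DB_SUBNET_NACL if r[1] != "outbound"]
    print("app-a -> db-a with no outbound ephemeral rule:",
          flow_allowed("app-a", "db-a", "tcp", 3306, nacl=no_reply))
```

The scaled-out app-b instance is admitted by sg-db purely through the sg-app reference, which is the property that lets the ASG grow without touching firewall rules.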
  • 106. Recap: Moving 2 Tier Web App to AWS – each on-prem component has an AWS counterpart: Data Center becomes an AZ; VLAN becomes a Subnet; Server/VM becomes an EC2 instance; FW becomes a Security Group; Load Balancer becomes an ELB (diagram: the Production and COOP data centers beside a VPC with private subnets in Availability Zones A and B)
  • 107. Review Your Existing Infrastructure Components: In addition to Application & Networking requirements, we need to address these services! (diagram: the Production and COOP data centers with SERVICES – AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up – plus FW, LB, APP, DB and asynchronous replication)
  • 108. How do we address these Infrastructure Needs? (diagram: the DoDIN connects through the IAP, CAP and CND via Co-Location / Direct Connect / VPG into the VPC’s Region and Availability Zones A and B) Services to provide: Web Application Firewall; Network Firewall / Full Packet Capture; Network Intrusion Detection/Prevention; ACAS – Vulnerability Scanning; HBSS – Endpoint Protection; AD / SSO / LDAP / OCSP; DNS / NTP / DHCP; Log Management / SIEM; Patching Services
  • 109. DoD SCCA Component Functional Requirements: • Virtual Datacenter Security Stack (VDSS) – Provides network and application security capabilities such as an application-aware firewall and/or intrusion prevention system • Virtual Datacenter Management Stack (VDMS) – Provides system support services for mission owner environments (AD/LDAP, DNS, Patch Repos); potentially CSSP offerings as well • Trusted Cloud Credential Manager (TCCM) – An individual or entity appointed by the Authorizing Official to establish policies for controlling privileged user access to connect Virtual Private Clouds to DISN and for administrating cloud services • Cloud Access Point (CAP) – Provides network access to the cloud and boundary protection of DISN from the cloud
  • 110. DoD SCCA Architecture Approach in AWS (diagram): the DoDIN connects through the IAP, CAP and CND via Co-Location / Direct Connect into the GovCloud Region; a Virtual Datacenter Security Stack (VDSS) across Availability Zones A and B provides Network Firewall Services, Full Packet Capture Services, Network Intrusion Detection/Prevention Services and Web Application Firewall Services, with the Internet entering through it; a Virtual Datacenter Management Stack (VDMS) across Availability Zones A and B provides ACAS / Vulnerability Scanning Services, HBSS / Endpoint Protection Services, AD / DNS / SSO / OCSP / DHCP Services and Other Shared Services; the mission VPC has private subnets in both AZs
  • 111. NIST HIGH Quick Start Architecture (NOTIONAL diagram): a Mission Owner Virtual Private Cloud (VPC) across Availability Zones A and B hosts Management Services – Vulnerability Scanning Services, Endpoint Protection Services, NAT / Bastion Host Services – with Internet access, and is peered to the Application Owner A and Application Owner B application stacks; each of those is its own VPC with, in each AZ, a DMZ Subnet (Web Server), an App Subnet (App Server) and a Database Subnet (DB Server primary)
  • 112. Questions?
  • 113. AWS Security Concepts and Services
  • 116. Why is security traditionally so hard?
    – Lack of visibility
    – Low degree of automation
    – Limited resources and scale constraints inhibit the tooling build-out needed to address these challenges
  • 117. AWS Security Focus: security is our #1 priority
    – Designed for security
    – Constantly monitored
    – Highly automated
    – Highly available
    – Highly accredited
  • 118. Elevate your security with the AWS Cloud
  • 119. AWS Security Assurance frameworks
  • 120. US AWS Regions approved for DoD use (map; each region is labelled with its number of Availability Zones: 3, 3, 3, 6, 3, 3, 3)
    – Commercial Regions, US East (VA), US East (OH), US West (OR), US West (CA): MOD, DoD IL 2
    – GovCloud Regions, GovCloud West (OR), GovCloud East (OH): HIGH, DoD IL 2/4/5
    – Classified Region, Amazon Secret Region: ICD 503 SECRET, DoD IL 6
  • 121. All customers benefit from the same security: 60+ assurance programs, including
    – SOC 1 (SSAE 16 & ISAE 3402) Type II
    – SOC 2 Type II and public SOC 3 report
    – ISO 27001
    – ISO 9001
    – PCI DSS Level 1 - Service Provider
    – ISO 27017 (security of the cloud)
    – ISO 27018 (personal data)
    – BSI C5 (Germany), ESCloud (EU)
    – CISPE - GDPR
  • 122. Scale with visibility and control
    – Control where your data is stored and who can access it
    – Fine-grained identity & access control so resources have the right access
    – Reduce risk via security automation and continuous monitoring
    – Integrate AWS services with your solutions to support existing workflows, streamline ops, and simplify compliance reporting
  • 123. Highest standards for privacy
    – Encryption at scale
    – Meet data residency requirements and build compliant infrastructure
    – Comply with local data privacy laws
  • 124. Automate with integrated services
    – Threat remediation and response
    – Securely deploy business-critical applications
    – Operational efficiencies to focus on critical issues
    – Continuous monitoring and protection
    – Comprehensive set of APIs and security tools
  • 125. AWS security solutions
    – Identity & access management
    – Detective controls
    – Infrastructure protection
    – Incident response
    – Data protection
  • 126. Largest ecosystem of security partners and solutions
    – Infrastructure security
    – Logging & monitoring
    – Identity & access control
    – Configuration & vulnerability analysis
    – Data protection
  • 127. Consulting competency partners with demonstrated expertise
    – Security engineering
    – Governance, risk, & compliance
    – Security operations & automation
  • 128. Identity & access management
  • 129. AWS Identity and Access Management (IAM): securely control access to AWS services and resources
    – IAM enables customers to create and manage users in AWS's identity system
    – Identity federation with a local directory is an option for enterprises
    – Very familiar security model: users, groups, roles, permissions
    – Supports SAML 2.0
    – Allows customers to create users and organize them in groups; assign individual passwords, access keys, and multi-factor authentication devices; grant fine-grained permissions; and optionally grant them access to the AWS Console
    – Building blocks: users, groups, roles, policies, resources
  • 131. AWS CloudTrail: track user activity and API usage to enable governance, compliance, and operational/risk auditing of your AWS account
    – Records AWS API calls for your account and delivers log files to an S3 bucket that you specify
    – Each record answers: Who made the API call? When was it made? What was the API call? What resources were acted upon? Where was the call made from?
    – Log files are delivered approximately every 3-5 minutes
    – Multiple partners offer integrated solutions to analyze log files
  • 132. Uses of CloudTrail
    – Security analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
    – Track changes to AWS resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
    – Troubleshoot operational issues: quickly identify the most recent changes made to resources in your environment.
    – Compliance aid: easier to demonstrate compliance with internal policies and regulatory standards.
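An added example, not code from the deck, that walks the five CloudTrail questions from slide 131 and the change-tracking and security-analysis uses from slide 132 over a constructed log file. The record fields are the public CloudTrail schema; the function names, finding codes and all sample values (account id, ARNs, security-group id, addresses) are my own placeholders.

```python
"""Added example (not code from the AWS deck): read a CloudTrail log file,
answer the slide's five questions for each record, and flag the resource
changes an analyst wants to see (open security-group rules, console logins
without MFA). Record fields follow the public CloudTrail schema."""
import json

# Constructed sample log file, not a real capture. The account id, ARNs,
# security-group id and IP addresses are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-10-01T14:02:11Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws-us-gov:iam::123456789012:user/alice"},
     "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-gov-west-1", "sourceIPAddress": "198.51.100.7",
     "requestParameters": {
         "groupId": "sg-0123456789abcdef0",
         "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2019-10-01T14:05:40Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws-us-gov:iam::123456789012:user/bob"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-gov-west-1", "sourceIPAddress": "203.0.113.9",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-10-01T14:06:02Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws-us-gov:sts::123456789012:assumed-role/ReadOnly/carol"},
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-gov-west-1", "sourceIPAddress": "198.51.100.7",
     "requestParameters": {}},
]})

# API calls with these prefixes only read state; everything else may change it.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head")


def load_records(log_text):
    """A CloudTrail log file is one JSON object holding a 'Records' array."""
    return json.loads(log_text)["Records"]


def summarize(rec):
    """The slide's five questions: who, when, what, which resources, from where."""
    params = rec.get("requestParameters") or {}
    # Resource identifiers arrive as '...Id' request parameters (groupId, instanceId, ...).
    resources = [v for k, v in params.items() if k.endswith("Id") and isinstance(v, str)]
    return {"who": rec["userIdentity"].get("arn", "unknown"),
            "when": rec["eventTime"],
            "what": rec["eventSource"] + ":" + rec["eventName"],
            "resources": resources,
            "where": rec.get("sourceIPAddress", "unknown")}


def is_change(rec):
    """True for calls that create, modify or delete resources (change tracking)."""
    return not rec["eventName"].startswith(READ_ONLY_PREFIXES)


def findings(records):
    """Security analysis pass; returns (code, who, detail) tuples for review."""
    out = []
    for rec in records:
        s = summarize(rec)
        if rec["eventName"] in ("AuthorizeSecurityGroupIngress",
                                "AuthorizeSecurityGroupEgress"):
            for perm in rec["requestParameters"]["ipPermissions"]["items"]:
                for rng in perm.get("ipRanges", {}).get("items", []):
                    if rng.get("cidrIp") == "0.0.0.0/0":
                        detail = "%s %s/%s" % (s["resources"][0], perm["ipProtocol"], perm["toPort"])
                        out.append(("SG_OPEN_TO_WORLD", s["who"], detail))
        if rec["eventName"] == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            out.append(("CONSOLE_LOGIN_NO_MFA", s["who"], s["where"]))
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for r in recs:
        print("CHANGE" if is_change(r) else "READ  ", summarize(r))
    for f in findings(recs):
        print("FINDING", *f)
```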
  • 133. Amazon CloudWatch: complete visibility of your cloud resources and applications to collect metrics, monitor log files, set alarms, and automatically react to changes
    – Visibility into resource utilization, operational performance, and overall demand patterns
    – Metrics such as CPU utilization, disk reads and writes, and network traffic
    – Accessible via the AWS Management Console, web service APIs or command line tools
    – Add custom metrics of your own
    – Alarms (which tie into Auto Scaling, SNS, SQS, etc.)
    – Billing alerts to help manage charges on your AWS bill
  • 134. Dashboard example (CloudWatch screenshot: the instance being monitored and its selected attributes)
  • 135. AWS Config: record and evaluate configurations of your AWS resources to enable compliance auditing, resource change tracking, & security analysis
    – Get an inventory of AWS resources
    – Discover new and deleted resources
    – Record configuration changes continuously
    – Get notified when configurations change
    – Know resource relationships and dependencies
  • 138. AWS Key Management Service (KMS) hierarchy
    – Two-tiered key hierarchy using envelope encryption
    – A unique data key encrypts customer data
    – KMS master keys encrypt the data keys
    – KMS master keys never leave the KMS HSM unencrypted
    – Benefits: limits the risk of a compromised data key; better performance for encrypting large data; easier to manage a small number of master keys than millions of data keys; centralized access and audit of key activity
    – Diagram: a Customer Master Key (CMK) in KMS wraps a data key for each S3 object, EBS volume, Redshift cluster and custom application
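An added example, not AWS code, of the two-tier hierarchy the slide describes: a hypothetical StandInKms class plays the part of the service (master keys stay inside it, every use is logged), and an HMAC-based stand-in cipher replaces the AES-GCM a real client would use. The envelope pattern itself, one data key per object, the wrapped data key stored beside the ciphertext, and the limited blast radius of a leaked data key, is what the block demonstrates.

```python
"""Added example (not AWS code): the two-tier envelope-encryption hierarchy from
the slide, with a hypothetical in-process stand-in for the KMS service. The
master key never leaves StandInKms; callers only ever hold a per-object data
key and store its wrapped form next to the ciphertext."""
import hashlib
import hmac
import os


def _subkey(key, label):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key, nonce, data):
    """Stand-in symmetric cipher (HMAC-SHA256 in counter mode) so the example
    needs only the standard library; real KMS and SDK clients use AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    """Authenticated encryption: fresh nonce, encrypt-then-MAC; returns nonce|ct|tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    """Verify the tag before decrypting; a wrong key fails here, never silently."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class StandInKms:
    """Hypothetical stand-in for the KMS control plane (not the real API)."""

    def __init__(self):
        self._masters = {}   # CMK id -> master key bytes; never returned to callers
        self.audit = []      # every use of a master key is logged centrally

    def create_key(self):
        key_id = "cmk-" + os.urandom(4).hex()
        self._masters[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id):
        """Return a fresh data key in plaintext and wrapped under the CMK."""
        data_key = os.urandom(32)
        self.audit.append(("GenerateDataKey", key_id))
        return data_key, key_id.encode() + b":" + seal(self._masters[key_id], data_key)

    def decrypt(self, wrapped):
        """Unwrap a data key; the CMK id travels inside the wrapped blob."""
        key_id, blob = wrapped.split(b":", 1)
        self.audit.append(("Decrypt", key_id.decode()))
        return open_sealed(self._masters[key_id.decode()], blob)


def encrypt_object(kms, key_id, plaintext):
    """Client side: one data key per object, discarded after use."""
    data_key, wrapped = kms.generate_data_key(key_id)
    return {"wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext)}

def decrypt_object(kms, obj):
    return open_sealed(kms.decrypt(obj["wrapped_key"]), obj["ciphertext"])

def blast_radius_demo():
    """Show why a leaked data key only exposes its own object."""
    kms = StandInKms()
    cmk = kms.create_key()
    obj_a = encrypt_object(kms, cmk, b"object A: sensitive")
    obj_b = encrypt_object(kms, cmk, b"object B: also sensitive")
    leaked = kms.decrypt(obj_a["wrapped_key"])   # suppose A's data key leaked
    try:
        open_sealed(leaked, obj_b["ciphertext"])
        b_exposed = True
    except ValueError:
        b_exposed = False
    return decrypt_object(kms, obj_b), b_exposed, len(kms.audit)
```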
  • 139. Ubiquitous encryption
    – Encryption at rest and in process across services: EBS, S3, Glacier, DynamoDB, RDS, EMR, Redshift, EC2, ELB
    – Amazon Certificate Manager (ACM): certificate management and encryption in transit
    – KMS: fully managed keys
    – AWS IAM: restrict access
    – AWS CloudTrail: full auditability
    – Secrets Manager: encrypted secrets management
  • 141. Questions?
  • 142. MISSION EXECUTION: Reference Architectures and Automation to Build and Assess (AWS GovCloud (US))
  • 143. Addressing compliance challenges with standardized reference architectures
    – Challenge: meeting compliance requirements such as NIST; making many critical decisions to ensure a secure application when using the AWS Shared Responsibility Model; mapping security controls to numerous AWS services
    – Solution: incorporate compliance requirements which can be pre-approved by customer assessment organizations; incorporate AWS functional and security best practices in the baseline; pre-document the alignment of AWS best practices with security/compliance requirements
  • 144. Addressing compliance challenges with standardized reference architectures
    – Challenge: error-prone and time-consuming manual configuration of AWS resources; enforcing configuration management of AWS infrastructure over time; an authorization process that is time consuming, labor intensive, and delays mission deployments
    – Solution: create fully automated infrastructure-as-code CloudFormation templates to reduce human error; keep AWS CloudFormation templates under version control and only deploy from the approved repository using approved processes; this reduces the time necessary to engineer, build, and document security compliance controls
  • 145. How does AWS make this easier? The Enterprise Accelerator Compliance Quick Start: https://aws.amazon.com/quickstart
  • 146-147. AWS Enterprise Accelerator Quick Start web site (screenshots)
  • 148. Enterprise Accelerator Quick Start packages: what's in the box?
    – Architecture diagram
    – Security Controls Matrix (SCM)
    – AWS CloudFormation templates
    – Deployment guide
  • 149. Customizable reference architecture: example reference architecture
    – Customizable
    – Employs AWS architecture best practices
  • 150. Customizable reference architecture (diagram)
  • 151. Customizable reference architecture (diagram): an AWS account in which CloudTrail, AWS Config and CloudWatch alarms feed an archive logs bucket with S3 lifecycle policies to Glacier; a Production VPC spanning us-east-1b and us-east-1c with a DMZ subnet (proxies, NAT) and private subnets (RDS DB) in each Availability Zone
  • 152. Security Controls Matrix: security controls/requirements matrix
    – Maps security controls to architectural components
    – Describes security control implementation details
  • 153. Security Controls Matrix (screenshot)
  • 154. Are they similar? Use the AWS Enterprise Accelerator as a validation tool: compare your SCM side by side with the AWS Enterprise Accelerator SCM
  • 155. AWS Quick Start CloudFormation templates
    – CloudFormation templates: customize and deploy through automation
    – Templates deliver infrastructure as code: each template deploys a resource stack; templates can be managed and version controlled using source code repositories (e.g., GitHub)
  • 156. AWS Quick Start CloudFormation stacks
    – The Quick Start package is a set of nested templates that deploy "stacks" which are modular and customizable, build specific portions of the architecture, and can be deployed for different types of workloads
  • 157. AWS Quick Start nested CloudFormation stacks
    – Main Stack: launches all other stacks
    – IAM Stack: users; groups; roles; policies; authentication
    – Logging Stack: CloudTrail, CloudWatch; S3 buckets and policies for log data; SNS topics
    – Production VPC Stack: VPCs, subnets, gateways, route tables, NACLs
    – Management VPC Stack: VPCs, subnets, gateways, route tables, NACLs
    – NAT Instance Stack: NAT EC2 instance; network interfaces; Elastic IP address
    – Config Rules Stack: Config rules; Lambda functions
    – Web Application Stack: Elastic Load Balancers; Auto Scaling groups; Auto Scaling launch configurations; S3 buckets/bucket policies for static web data; RDS databases; additional CloudWatch alarms; EC2 instances; security groups
  • 158. Deployment guide contents
    – Overview of compliance framework(s) supported
    – AWS account prerequisites
    – Deployment steps
    – Best practices
    – How to customize and manage the CloudFormation templates
  • 159. Incorporates security features via AWS best practices (diagram: a Production/Development VPC and a Management VPC, each spanning Availability Zones #1 and #2, connected by VPC peering; the production VPC holds web, app and RDS tiers with RDS snapshots, fixed content, CloudWatch, CloudTrail logs and IAM; end users reach it over JWICS; the management VPC holds RDP and AD hosts reached from the management network through a customer gateway). Callouts:
    – Users accessing the AWS console can be required to use multi-factor authentication (MFA) with a physical or virtual token
    – CloudTrail logs API activity and outputs this logging to an S3 bucket where it can be analyzed with a number of tools
    – Users who access or manage AWS resources can be restricted by roles and permissions
    – Elastic Load Balancer supports HTTPS and high availability
    – S3 supports both SSL and encryption at rest
    – ACLs and IAM policies applied to any S3 bucket restrict access to S3 data
    – The route table for each web subnet routes traffic to/from the JWICS gateway
    – A network ACL associated with multiple subnets can specify allow/deny ingress and egress rules
    – A separate Management VPC isolates all management applications and access, accessible only via the Virtual Private Gateway
    – Logging can be enabled on S3 buckets to track access and operations
    – Private subnets (subnets not routing through a gateway) are not accessible from the Internet
    – Each EC2 instance type (web, app) can have a standard security group specified in the Auto Scaling launch configuration
    – DB security groups specify that only app instances have access to RDS
  • 160. CloudFormation as part of a governance model
    – Enterprise Provisioning Team deploys the repeatable baseline: Main Stack (launches the repeatable baseline stacks); IAM Stack (users; groups; roles; policies; authentication); Logging Stack (CloudTrail, CloudWatch; S3 buckets and policies for log data; SNS topics); Production VPC Stack (VPCs, subnets, gateways, route tables, NACLs); NAT Instance Stack (NAT EC2 instance; network interfaces; Elastic IP address); Config Rules Stack (Config rules; Lambda functions)
    – Hand-off from the Provisioning Team to the Application Team: the baseline VPC/networks are now ready for application deployment. DONE!
    – Application Development/Deployment Team (Mission Owner, etc.) deploys the Application Owner Stack(s): Elastic Load Balancers; Auto Scaling groups; Auto Scaling launch configurations; S3 buckets/bucket policies for static web data; RDS databases; additional CloudWatch alarms; EC2 instances; security groups
  • 161. CJIS Quick Start preview (we want your feedback)
    – GovCloud URL: https://s3-us-gov-west-1.amazonaws.com/quickstart-reference/enterprise-accelerator/cjis/latest/templates/main.template
    – Commercial Region URL: https://s3.amazonaws.com/quickstart-reference/enterprise-accelerator/cjis/latest/templates/main.template
    – Deployment Guide: https://tinyurl.com/y9u65xvm
    – Security Controls Matrix: https://tinyurl.com/y9r5q4bl
  • 162. Questions?
  • 163. GOVERNANCE@SCALE: scalable oversight and control of multiple AWS accounts through automation (AWS GovCloud (US))
  • 164. Growing cloud adoption
  • 165. What does "enterprise cloud governance" really mean?
  • 166. Common governance questions
    – How to determine the current state of all cloud users and control their access across my enterprise?
    – How to ensure adherence to IT budgets in a pay-per-use model?
    – How to ensure deployments and operations are compliant with relevant legal, regulatory, and/or contractual policies?
  • 167. The typical AWS adoption reality (diagram)
    – Stage 1, specific systems, limited accounts, minimal services: a Project 1 AWS account (Amazon S3, Amazon EC2) and a Project 2 AWS account (Amazon S3, Amazon EC2, Amazon RDS)
    – Stage 2, numerous systems, multiple accounts, many services: Project 1 through Project 6 AWS accounts using Amazon S3, Amazon EC2, Amazon VPC, Amazon EMR, Amazon Kinesis, Amazon Redshift, Amazon API Gateway, Amazon SQS, Amazon WorkSpaces, Amazon ECS, AWS Lambda and AWS Elastic Beanstalk
  • 168. Three principles of governance@scale
    – Account management: align AWS accounts with the organization through a common interface; standardize and streamline provisioning, maintenance, and access control policies for many AWS accounts and workloads
    – Cost enforcement: ensure AWS accounts and workloads do not exceed budget
    – Compliance automation: accelerate security authorizations, provide continuous monitoring and configuration management, and enforce security controls
  • 169. So... what does this look like? (org chart: Executive/CXO, VPs, Directors and Managers across the senior leadership, upper management and management tiers, with Projects 1 through 8 underneath, each annotated with its relative spend from $ to $$$)
  • 170. Account management @scale: use AWS Organizations, SSO, CloudFormation, IAM, etc.
    – Use a consolidated admin AWS account: AWS Identity and Access Management (IAM) users live in this account; IAM users assume roles to access other AWS accounts; enforce MFA for role assumptions
    – Automate AWS account provisioning: eliminate slow, error-prone manual provisioning; ensure AWS accounts are actively managed; removes the incentive for users to use other methods (personal, school, and others) for AWS experimentation
    – Implement "single sign-on" through federation
    – Use Compliance Quick Starts and Landing Zones as a starting point: policy assignment to IAM users/groups/roles; consolidated admin baseline; target account baseline
  • 171. Cost enforcement @scale
    – Use automation to map AWS accounts to the org. structure: aligns with the current budget process and cost alignments
    – Use automation for cost management/enforcement: give decision makers actual spend versus budget projections; allow management to increase budgets; turn off resources to preserve budget; use dynamic IAM policies to throttle usage when budget thresholds are met
    – Provide near-real-time budget projections so stakeholders are aware of current AWS spend
  • 172. Compliance automation @scale
    – Pre-approve standard security configurations to decrease RMF efforts up to 50% and achieve faster ATOs (days versus months/years)
    – Automate deployment of accounts consistent with security policies (NIST/HIPAA)
    – Pre-populate GRC tools with inherited and system-specific controls
    – Perform continuous monitoring with GRC tools and alert security staff of configuration drift and/or vulnerabilities
  • 173. Where do I go from here?
    – Build or buy a Governance@Scale solution that can grow with you
    – AWS Professional Services can help facilitate the design and help you build a solution based on your requirements
    – Partner solutions are available
    – AWS Solutions Architects can help with designing a solution that fits your needs
  • 174. Questions?
  • 175. Mission Wrap-Up: putting it all together (AWS GovCloud (US))
  • 176. Where do I go from here?
    – AWS Account Manager / Solutions Architect team
    – AWS Professional Services
    – AWS Training and Self-Help
  • 177. AWS stages of adoption (chart of value over time): Discovery ("Envisioning your cloud journey"), Project ("Starting your cloud journey"), Foundation ("Building your cloud journey muscle memory"), Migration ("Migration @ scale"), Reinvention ("Continually optimise what and how you use AWS"); the chart also marks Cloud Native and Retire Tech Debt
  • 178. AWS Cloud Adoption Framework overview
    – Provides supportive guidance for six key organizational perspectives
    – Helps stakeholders understand how to update skills, adapt existing processes, and introduce new processes
    – Takes maximum advantage of the services provided by cloud computing
    – The Cloud Adoption Framework is based on six groups of stakeholder perspectives common to the organizational structures of contemporary businesses
  • 179. AWS Training and Self-Help
    – AWS Free Tier
    – Explore our training options
    – Whitepapers: Security; Risk & Compliance
    – Reference architecture
    – AWS Marketplace
    – Expect answers to follow-up questions shortly
  • 180. AWS Training and Self-Help
    – (Mostly) free training: AWS service videos and solution webinars; AWS CBTs: Security Fundamentals, https://aws.amazon.com/training/course-descriptions/security-fundamentals/; Public Sector Technical Essentials (Herndon and DC); Qwiklabs (advanced labs with codes), https://qwiklabs.com; A Cloud Guru, https://acloud.guru/; Veterans: AWS Educate, https://aws.amazon.com/education/awseducate/veterans/
    – Formal AWS Training & Certification: AWS virtual and instructor-led (Architecting, Developing, Operations); "DOD-modified Architecting on AWS" Classroom in a Box training; 3rd party: Global Knowledge
  • 181. Learning events
    – AWS Automating Compliance Workshops for DOD / Federal
    – AWS Worldwide Public Sector Summit (videos on YouTube)
    – AWS re:Inforce, cloud security conference (videos on YouTube)
    – AWS re:Invent, annual user conference & training, 2-6 December (Las Vegas, NV)
  • 182. What training does AWS offer?
    – Digital training: free, self-paced online courses built by AWS experts
    – Classroom training: classes taught by accredited AWS instructors
    – AWS Certification: exams to validate expertise with an industry-recognized credential
  • 183. AWS Certifications validate knowledge
    – AWS Certified Security Specialty
    – AWS Certified Machine Learning Specialty
    – AWS Certified Alexa Builder Specialty
  • 184. We can help: a training plan for your organization. AWS Training and Certification can help your organization build cloud skills to make your transition to the AWS Cloud easier, so you can get the most out of your investment, faster.