Introduction to AWS GoldBase
A Solution to Automate Security, Compliance, and Governance in AWS

September 2015


© 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.


Contents

Abstract
Architecting for Compliance in AWS
  Compliance in the Enterprise
  Compliance Standards
AWS GoldBase in AWS
  Benefits
  AWS GoldBase Package
  AWS GoldBase Delivery
Automating Compliance with AWS GoldBase
Example Use Case: Tiered Web Application
Conclusion
Contributors
Notes

Abstract

This document describes the AWS GoldBase offering from Amazon Web Services (AWS) and the benefits it can provide to customers. AWS GoldBase is a joint offering from AWS Risk & Compliance and AWS Professional Services to provide customers with pre-validated, deployable AWS configurations which adhere to specific customer compliance requirements. This solution can streamline and simplify application deployment in AWS. It allows you to automate standardized reference architectures that meet AWS best practices and customer compliance requirements. This approach allows for a repeatable process that you can use to ensure compliant configuration of AWS resources in the cloud while reducing the time needed to approve applications for production use.


Architecting for Compliance in AWS

Compliance in the Enterprise

Compliance is a broad term used within technology and business. The simplest definition of comply is to “meet specified standards.”[1] Ensuring compliance in the enterprise includes adhering to the following standards:

- Third Party Assurance Frameworks
- Standards established within the customer organization
- AWS best practices

Within the context of deploying applications on AWS, compliance will incorporate the concepts of secure, available, and scalable technology.

Compliance Standards

The AWS Shared Responsibility Model[2] puts the final responsibility for system security on the customer. AWS provides many different options and controls for building a highly secure application in the cloud. Customers must be able to ensure their architectures meet the compliance requirements of their organization.

Examples of compliance standards that have unique requirements include the following:

- NIST SP 800-53[3] – The Special Publication (SP) published by the National Institute of Standards and Technology (NIST) is a catalog of security controls that most U.S. federal agencies must comply with and that are widely used within private-sector enterprises.
- ICD 503 – The security requirements and accreditation of this Intelligence Community Directive (ICD) apply to the intelligence community; it’s based on NIST SP 800-53 security controls.
- FedRAMP[4] – The Federal Risk and Authorization Program (FedRAMP) is a U.S. Government program for ensuring standards in security assessment, authorization, and continuous monitoring.
- DoD Cloud Security Model (CSM)[5] – Standards for cloud computing issued by the Defense Information Systems Agency (DISA) and documented in the U.S. Department of Defense (DoD) Security Requirements Guide (SRG).
- HIPAA[6] – The Health Insurance Portability and Accountability Act (HIPAA) standards must be followed by any organization processing or storing Protected Health Information (PHI).
- ISO 27001[7] – International Organization for Standardization (ISO) 27001 is a widely adopted global security standard that outlines the requirements for information security management systems.
- CJIS Security Policy[8] – Criminal Justice Information Services (CJIS) security policies are guidelines for state, local, and federal law enforcement agencies that follow the NIST SP 800-53 standards.
- PCI DSS[9] – Payment Card Industry (PCI) Data Security Standard (DSS) are standards for merchants who process credit card payments that require strict security standards to protect cardholder data.

AWS GoldBase in AWS

In AWS, AWS GoldBase is a packaged solution to help customers streamline, automate, and implement the entire process of application deployment on AWS, from initial design to operational readiness. AWS GoldBase incorporates the expertise of AWS solutions architects that is required to build a secure and reliable architecture in an easy-to-implement package that automates the process.

Benefits

- Security controls compliance
- Reduced time to production deployment
- Transparency and support for continuous monitoring
- Ease of deployment through automation
- Decreased level of effort in architectural decisions
- Standardization based on best practices

AWS GoldBase Package

The AWS GoldBase package includes the following four items for customer use:

- Security Controls Implementation Matrix
- Architecture diagrams
- AWS CloudFormation templates
- User Guide with deployment instructions

Security Controls Implementation Matrix

The AWS GoldBase package includes an Excel formatted security controls implementation matrix that maps features and resources to specific controls based on the required compliance standard of a customer. Security and risk evaluators use this document as a reference that makes accrediting a system easier when it is deployed in AWS. The matrix describes which controls a reference architecture meets and reduces the number of total security controls for which the application owner is ultimately responsible.

Figure 1: Snippet of a section of the matrix that describes how a reference architecture applies to sections of the NIST SP 800-53 controls


Architectural Diagrams

Architectural diagrams in PowerPoint or Visio are included with the package. These diagrams illustrate and document the design of the use case. They provide a visual reference that demonstrates the components deployed by the AWS CloudFormation templates. This accompanies the description of security features implemented by the AWS GoldBase templates.

Figure 2: Sample architectural diagrams showing base AWS components deployed by the templates

AWS CloudFormation Templates

The AWS GoldBase AWS CloudFormation templates allow for a fully automated deployment of a compliant architecture. The default AWS CloudFormation package consists of four JSON template files (AWS CloudFormation stacks):


Figure 3: AWS CloudFormation stacks

An additional template file, main.json, is the entry point from which the set of stacks are launched. This design provides modularity, which enables the ability to deploy a subset of resources if needed. The design facilitates reusability of templates for multiple use cases. An AWS GoldBase use case package consists of a main.json along with all required nested stacks.

User Guide with Deployment Instructions

The AWS GoldBase package includes a user guide that provides step-by-step instructions on how to deploy an application in AWS using the AWS CloudFormation templates. The user guide also contains information on how to customize the package to meet customer requirements.

AWS GoldBase Delivery

Existing AWS GoldBase packages can be provided directly to customers and used as a starting point. The AWS GoldBase packages can be customized to meet the deployment needs of specific applications. The existing AWS CloudFormation templates and related documentation can be updated to match specific use cases within the customer organization.

Custom Built Packages

The AWS GoldBase package can be offered as a customized deliverable to customers working with AWS Professional Services or a qualified Amazon Partner Network (APN) partner. AWS or partner resources can work with the customers to accomplish all the following necessary steps for providing a complete working solution:

1. Identifying common use cases along with security and compliance requirements.
2. Designing a base architecture based on one or more common use cases.
3. Building an automated solution using AWS CloudFormation templates, documentation, security controls matrix, and related artifacts.
4. Validating and testing the AWS GoldBase package.

Automating Compliance with AWS GoldBase

AWS provides customers with the capability to develop and manage “infrastructure as code.” The AWS GoldBase solution automates the deployment of compliant architectures. It can be used in conjunction with other services and solutions to deliver a truly automated infrastructure that meets the compliance and governance requirements of the customer organization.

Multiple Layers of Compliance

The AWS GoldBase package provides for the ability to customize levels of automation beyond AWS resources. The following additional layers of compliance can be integrated with AWS GoldBase:

Custom AMIs – The AWS GoldBase package provides the capability to enforce the use of pre-built “golden” baseline AMIs when deploying applications. Custom Amazon Machine Images (AMIs) can be centrally managed and updated based on compliance requirements related to Configuration Management (CM).

Configuration Management – EC2 instances deployed by the Trusted Architect templates can be bootstrapped to automatically integrate with centrally managed Configuration Management (CM) solutions such as Chef, Puppet, or Ansible, which can apply hardening scripts upon deployment and ensure a consistent instance-level configuration that meets compliance requirements.

Containerization – Containers allow one or more applications to run independently on a single instance within an isolated user space. Security-hardened containers used by the Amazon EC2 Container Service (Amazon ECS) or Docker can be deployed using the Trusted Architect template package through additional customization at the instance level.

Continuous Monitoring – Trusted Architect can automate and enforce the use of features such as AWS CloudTrail, Amazon CloudWatch, and centralized logging of applications to Amazon S3 buckets. It can also ensure that instances are using the Host Based Security System (HBSS) and that application VPCs are accessible via peering to centrally managed security VPCs for additional monitoring capabilities.
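The golden-AMI layer above amounts to a check that can run on a template before anything is launched. The following Python is an added example, not code from the AWS GoldBase package: it expands each instance's or launch configuration's ImageId (a literal, a Ref to a parameter, or an Fn::FindInMap lookup) into the set of AMI IDs it could resolve to at launch and reports any that fall outside an approved list. The approved AMI IDs, the parameter names GoldenAmiId and AnyAmiId, the RegionAmi mapping and the template are all constructed for the example.

```python
"""Static check that a CloudFormation template only boots approved golden AMIs
(added example; the allow-list and template below are constructed)."""

# Constructed allow-list, as the team maintaining the hardened baseline images
# might publish it.
APPROVED_AMIS = {"ami-0123456789abcdef0", "ami-0fedcba9876543210"}

# Resource types whose ImageId decides which image an instance boots from.
IMAGE_BEARING_TYPES = ("AWS::EC2::Instance", "AWS::AutoScaling::LaunchConfiguration")


def possible_image_ids(image_id, template):
    """Expand an ImageId property into every literal AMI ID it can take.

    A literal yields itself; a Ref to a parameter yields that parameter's
    AllowedValues (a free-form parameter can take any value, so it is reported
    as unconstrained); an Fn::FindInMap yields every value in the named map,
    since the region key is normally resolved only at launch."""
    if isinstance(image_id, str):
        return {image_id}
    if isinstance(image_id, dict) and "Ref" in image_id:
        name = image_id["Ref"]
        allowed = template.get("Parameters", {}).get(name, {}).get("AllowedValues")
        return set(allowed) if allowed else {"<unconstrained parameter %s>" % name}
    if isinstance(image_id, dict) and "Fn::FindInMap" in image_id:
        table = template.get("Mappings", {}).get(image_id["Fn::FindInMap"][0], {})
        return {value for row in table.values() for value in row.values()}
    return {"<unsupported ImageId expression %r>" % (image_id,)}


def check_golden_amis(template, approved=APPROVED_AMIS):
    """Return one finding per resource that may launch from an unapproved image;
    an empty list means every image-bearing resource is pinned to the baseline."""
    findings = []
    for logical_id, resource in template["Resources"].items():
        if resource["Type"] not in IMAGE_BEARING_TYPES:
            continue
        candidates = possible_image_ids(resource["Properties"].get("ImageId"), template)
        unapproved = sorted(candidates - approved)
        if unapproved:
            findings.append("%s may launch from unapproved image(s): %s"
                            % (logical_id, ", ".join(unapproved)))
    return findings


# Constructed template: one instance pinned by a constrained parameter, one
# using a free-form parameter, and a launch configuration whose region map
# contains an image that is not on the allow-list.
TEMPLATE = {
    "Parameters": {
        "GoldenAmiId": {"Type": "AWS::EC2::Image::Id",
                        "AllowedValues": ["ami-0123456789abcdef0"]},
        "AnyAmiId": {"Type": "AWS::EC2::Image::Id"},
    },
    "Mappings": {"RegionAmi": {"us-east-1": {"Golden": "ami-0fedcba9876543210"},
                               "us-west-2": {"Golden": "ami-00000000000000000"}}},
    "Resources": {
        "ec2Web": {"Type": "AWS::EC2::Instance",
                   "Properties": {"ImageId": {"Ref": "GoldenAmiId"}}},
        "ec2App": {"Type": "AWS::EC2::Instance",
                   "Properties": {"ImageId": {"Ref": "AnyAmiId"}}},
        "lcWorker": {"Type": "AWS::AutoScaling::LaunchConfiguration", "Properties": {
            "ImageId": {"Fn::FindInMap": ["RegionAmi", {"Ref": "AWS::Region"}, "Golden"]}}},
        "rdsDb": {"Type": "AWS::RDS::DBInstance", "Properties": {}},
    },
}

if __name__ == "__main__":
    for finding in check_golden_amis(TEMPLATE):
        print(finding)
```

The check is deliberately conservative: a parameter without AllowedValues is reported even though the caller might pass an approved ID, because the template itself no longer enforces the baseline. Pinning the image through AllowedValues (or a mapping whose every entry is approved) is what makes the control hold for every launch rather than for one careful operator.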

AWS GoldBase and AWS Service Catalog

The AWS Service Catalog allows administrators to create and manage approved catalogs of resources that end users can access via a personalized portal.[10] AWS Service Catalog allows the creation of portfolios of one or more products that AWS end users and workload owners can launch. The AWS GoldBase template package can be delivered to workload owners and application developers as an AWS Service Catalog product.

Product – Each template package, based on a use case, can be a product in the form of a single AWS CloudFormation template which can include additional nested templates to deploy and automate the configuration of an AWS architecture or application.

Portfolios – A portfolio consists of one or more products, which can have common tags and constraints applied. Portfolios can include products for different types of use cases and can be organized by compliance type.

Permissions – End users and workload owners specified in the AWS Identity and Access Management (IAM) service can be given permission to access portfolios based on the level of access that they need and what they need to deploy.

Constraints – Constraints are granular controls applied at a portfolio or product level that restrict the ways that resources can be deployed. Constraints can be used to allow templates to deploy all resources at an administrator level of access while limiting permissions to certain resources for workload owners.

Tags – Tagging can be enforced at the portfolio or product level, by providing custom tags for controlling access to resources or for cost allocation.

Benefits of using AWS GoldBase with AWS Service Catalog include the following:

- A complete storefront capability for delivering applications to end users and workload owners
- Ease of use in deployment and management of AWS Service Catalog products
- Enforcement of existing separation of duties and access controls which adhere to the customer’s governance model
- Standardization in design of AWS Service Catalog products
- Simplification of developing and updating AWS Service Catalog products
- Continuous Integration/Continuous Delivery (CI/CD) capabilities of AWS Service Catalog products that meet compliance and best practices

AWS GoldBase and DevOps

DevOps incorporates principles, practices, and methods that allow integration between software development and IT operations.[11] Tools and methods for automation, continuous delivery, monitoring, and security are key to developing DevOps practices. AWS GoldBase provides a use case package for both infrastructure and application components that can be developed, deployed, and managed with the same DevOps principles as any software application.

Example: AWS GoldBase Lifecycle Using AWS Service Catalog

The example in Figure 4 illustrates the concept of CI/CD in a centralized governance model using AWS Service Catalog and AWS GoldBase. The workload owners use the AWS Service Catalog portal as a storefront to deploy complete workloads. AWS Service Catalog products are AWS GoldBase template packages that are managed by a central provisioning team.

Figure 4: CI/CD using AWS Service Catalog and AWS GoldBase

AWS GoldBase is managed using a source code repository such as Git or AWS CodeCommit while integration is handled by a continuous integration (CI) server, such as Jenkins. A new commit triggers an automated build of the architecture and/or application in a test account that can be fully validated for compliance and security before being pushed as an update to the AWS Service Catalog product.

Example Use Case: Tiered Web Application

In the example in Figure 5, an AWS GoldBase package has been designed for the reusable deployment of a three-tier web application. In this simple use case, the application consists of Amazon Virtual Private Cloud VPCs for both production and management use. Instances are placed in separate private and public subnets depending on where they will be accessed. An Internet gateway allows application end users access to the web instances from the Internet. The management VPC is strictly for developer and administrator use and is accessed through the customer network via a virtual private network (VPN) gateway.

Figure 5: Example three-tier web application

Deployment

AWS CloudFormation templates provide automation. For configuration at the Amazon Elastic Compute Cloud (EC2) level, specify user data in the templates to bootstrap additional application configuration. In this example, Amazon EC2 configuration takes place by simply using user data scripts. Alternatively, instances can be bootstrapped to pull configuration from another source, such as a Chef server.

Deployment of the entire package follows an organized sequence automatically by how the CloudFormation templates are structured. Deployment of this sample package follows these steps:

1. IAM users, roles, groups, and policies are created; CloudTrail and logging to an Amazon S3 bucket are enabled.
2. Amazon VPC architecture is deployed complete with subnets, gateways, NACLs, route tables, and NAT instances.
3. Security groups, Amazon S3 buckets, and Elastic Load Balancing (ELB) load balancers are created.
4. EC2 instances and an Amazon Relational Database Service (RDS) database are deployed.
   a. EC2 instances are launched using user-specified Amazon Machine Images (AMIs).
   b. An Amazon RDS database is created with user-specified size, type, and capacity.
   c. User data scripts install the latest version and configuration of software on EC2 instances.
   d. App instances are configured to connect to the Amazon RDS database.

Deployment Options

Workload owners can use parameters to customize the architecture on deployment based on their specific application requirements. The templates are designed so that different applications with similar architectures can be deployed using the same package.

Parameter            | Description                                                | Conditional
---------------------|------------------------------------------------------------|---------------------------------------------------------
createVPCManagement  | Option to specify whether or not to create Management VPC  | If true, creates Management VPC.
createVPCDevelopment | Option to specify whether or not to create Development VPC | If true, creates Development VPC.
Stack1URL            | S3 URL of Stack1 template                                  | If blank, existing IAM/security config already deployed.
Stack2URL            | S3 URL of Stack2 template                                  | If blank, VPC networking already deployed.
Stack3URL            | S3 URL of Stack3 template                                  | If blank, does not deploy Stack3 resources.
Stack4URL            | S3 URL of Stack4 template                                  | If blank, does not deploy any instance-level resources.

Example of parameter-specified deployment options
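The entry-point design described under AWS CloudFormation Templates (a main.json that launches nested stacks) and the parameter table above can be combined into a small launch-time resolver. The following Python is an added example, not the GoldBase package's own main.json: it holds a constructed main.json-style template whose Conditions implement the "if blank, skip" rule from the table, validates supplied parameters against their AllowedValues the way the CloudFormation service would, and returns the nested stacks that would actually be created, in template order. The parameter names and the Stack1 to Stack4 ordering follow the table and the deployment sequence in this paper; the template body, the example S3 URLs and the assumption that the VPC flags are passed down to the networking stack are the example's own.

```python
"""Resolve which nested stacks a main.json-style entry point would launch
(added example; the template below is constructed, not the package's own)."""

# Constructed main.json.  Parameter names and the "blank URL means skip" rule
# follow the paper's parameter table; the order Stack1 -> Stack4 follows the
# deployment sequence the paper lists (IAM/logging, VPC networking, security
# groups/S3/ELB, instances and RDS).  Passing the VPC flags down to Stack2 is an
# assumption made for the example.
MAIN_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "createVPCManagement": {"Type": "String", "Default": "true",
                                "AllowedValues": ["true", "false"]},
        "createVPCDevelopment": {"Type": "String", "Default": "false",
                                 "AllowedValues": ["true", "false"]},
        "Stack1URL": {"Type": "String", "Default": ""},
        "Stack2URL": {"Type": "String", "Default": ""},
        "Stack3URL": {"Type": "String", "Default": ""},
        "Stack4URL": {"Type": "String", "Default": ""},
    },
    "Conditions": {
        # A nested stack is launched only when its S3 URL is non-blank.
        "DeployStack1": {"Fn::Not": [{"Fn::Equals": [{"Ref": "Stack1URL"}, ""]}]},
        "DeployStack2": {"Fn::Not": [{"Fn::Equals": [{"Ref": "Stack2URL"}, ""]}]},
        "DeployStack3": {"Fn::Not": [{"Fn::Equals": [{"Ref": "Stack3URL"}, ""]}]},
        "DeployStack4": {"Fn::Not": [{"Fn::Equals": [{"Ref": "Stack4URL"}, ""]}]},
    },
    "Resources": {
        "Stack1": {"Type": "AWS::CloudFormation::Stack", "Condition": "DeployStack1",
                   "Properties": {"TemplateURL": {"Ref": "Stack1URL"}}},
        "Stack2": {"Type": "AWS::CloudFormation::Stack", "Condition": "DeployStack2",
                   "Properties": {"TemplateURL": {"Ref": "Stack2URL"},
                                  "Parameters": {
                                      "createVPCManagement": {"Ref": "createVPCManagement"},
                                      "createVPCDevelopment": {"Ref": "createVPCDevelopment"}}}},
        "Stack3": {"Type": "AWS::CloudFormation::Stack", "Condition": "DeployStack3",
                   "Properties": {"TemplateURL": {"Ref": "Stack3URL"}}},
        "Stack4": {"Type": "AWS::CloudFormation::Stack", "Condition": "DeployStack4",
                   "Properties": {"TemplateURL": {"Ref": "Stack4URL"}}},
    },
}


def resolve_parameters(template, supplied):
    """Apply defaults and reject unknown parameters or values outside
    AllowedValues, as the CloudFormation service does at launch time."""
    unknown = set(supplied) - set(template["Parameters"])
    if unknown:
        raise ValueError("unknown parameters: %s" % sorted(unknown))
    resolved = {}
    for name, spec in template["Parameters"].items():
        if name in supplied:
            value = supplied[name]
        elif "Default" in spec:
            value = spec["Default"]
        else:
            raise ValueError("parameter %s has no value and no default" % name)
        allowed = spec.get("AllowedValues")
        if allowed is not None and value not in allowed:
            raise ValueError("parameter %s=%r not in %r" % (name, value, allowed))
        resolved[name] = value
    return resolved


def evaluate(expr, params):
    """Evaluate the subset of intrinsic functions that Conditions use."""
    if isinstance(expr, dict) and len(expr) == 1:
        (fn, arg), = expr.items()
        if fn == "Ref":
            return params[arg]
        if fn == "Fn::Equals":
            return evaluate(arg[0], params) == evaluate(arg[1], params)
        if fn == "Fn::Not":
            return not evaluate(arg[0], params)
        if fn == "Fn::And":
            return all(evaluate(a, params) for a in arg)
        if fn == "Fn::Or":
            return any(evaluate(a, params) for a in arg)
        raise ValueError("unsupported intrinsic %s" % fn)
    return expr  # literal string or boolean


def plan_deployment(template, supplied):
    """Return the logical IDs of the nested stacks that would be created for
    the supplied parameters, in the order the template lists them."""
    params = resolve_parameters(template, supplied)
    conditions = {name: evaluate(expr, params)
                  for name, expr in template.get("Conditions", {}).items()}
    return [logical_id for logical_id, resource in template["Resources"].items()
            if conditions.get(resource.get("Condition"), True)]


if __name__ == "__main__":
    # A workload owner reusing an account where IAM and networking already
    # exist leaves Stack1URL and Stack2URL blank, so only Stack3 and Stack4 run.
    print(plan_deployment(MAIN_TEMPLATE, {
        "Stack3URL": "https://s3.amazonaws.com/example-bucket/stack3.json",
        "Stack4URL": "https://s3.amazonaws.com/example-bucket/stack4.json"}))
```

The resolver is also a useful pre-launch review step: a package that skips Stack1 is relying on IAM, CloudTrail and S3 logging that are already in the account, so a reviewer can see from the plan alone which controls the launch inherits rather than creates.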

Compliance with Third Party Assurance Frameworks

In this example, the customer must comply with the NIST SP 800-53 control set. The 800-53 controls provide requirements that must be met from the system (application) level or from the use of common services.

The following is an example control from the Boundary Protection NIST control family:

    SC-07(2) BOUNDARY PROTECTION
    (2) The information system prevents public access into the organization’s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.

The documentation included with this automation package provides the following description, including the names of AWS CloudFormation resources, of how this control works at the AWS architecture level:

    ROUTE TABLES (rtbProductionPublic, rtbManagement) and security groups limit public traffic to the public subnet and private traffic to the private subnet.
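The SC-7(2) description above can be turned into a check that a continuous integration server runs on a package before it is published to AWS Service Catalog, as in the lifecycle described earlier. The following Python is an added example, not the package's own documentation or code: it builds a constructed template fragment of the three-tier design, then verifies that no subnet the package declares private is routed to an Internet gateway and that no instance in a private subnet carries a security group admitting 0.0.0.0/0 or ::/0. Only the logical ID rtbProductionPublic comes from the paper; the other resource names, the template and the deliberately broken copy used to show the check firing are constructed.

```python
"""Static SC-7(2) boundary-protection check over a CloudFormation template
(added example; the template fragment below is constructed)."""
import copy

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def build_template():
    """Constructed fragment of the tiered web application: a public subnet
    routed to the Internet gateway, a private subnet routed through a NAT
    instance, and a web-tier group that is the only one open to the Internet."""
    return {"Resources": {
        "igwProduction": {"Type": "AWS::EC2::InternetGateway"},
        "subProductionPublic": {"Type": "AWS::EC2::Subnet"},
        "subProductionPrivate": {"Type": "AWS::EC2::Subnet"},
        "rtbProductionPublic": {"Type": "AWS::EC2::RouteTable"},
        "rtbProductionPrivate": {"Type": "AWS::EC2::RouteTable"},
        "routePublicDefault": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": {"Ref": "rtbProductionPublic"},
            "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "igwProduction"}}},
        "routePrivateDefault": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": {"Ref": "rtbProductionPrivate"},
            "DestinationCidrBlock": "0.0.0.0/0", "InstanceId": {"Ref": "ec2Nat"}}},
        "assocPublic": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
            "SubnetId": {"Ref": "subProductionPublic"},
            "RouteTableId": {"Ref": "rtbProductionPublic"}}},
        "assocPrivate": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
            "SubnetId": {"Ref": "subProductionPrivate"},
            "RouteTableId": {"Ref": "rtbProductionPrivate"}}},
        "sgWeb": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
        "sgApp": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "SourceSecurityGroupId": {"Ref": "sgWeb"}}]}},
        "ec2Nat": {"Type": "AWS::EC2::Instance", "Properties": {
            "SubnetId": {"Ref": "subProductionPublic"}}},
        "ec2Web": {"Type": "AWS::EC2::Instance", "Properties": {
            "SubnetId": {"Ref": "subProductionPublic"}, "SecurityGroupIds": [{"Ref": "sgWeb"}]}},
        "ec2App": {"Type": "AWS::EC2::Instance", "Properties": {
            "SubnetId": {"Ref": "subProductionPrivate"}, "SecurityGroupIds": [{"Ref": "sgApp"}]}},
    }}


def _ref(value):
    """Logical ID that a {"Ref": ...} points at, or None for anything else."""
    return value.get("Ref") if isinstance(value, dict) else None


def _of_type(resources, rtype):
    return {lid: r for lid, r in resources.items() if r["Type"] == rtype}


def check_sc7_2(template, private_subnets):
    """Return findings for the two ways a template can let public traffic into
    subnets it declares private; an empty list means the control holds."""
    res = template["Resources"]
    private = set(private_subnets)
    findings = []
    igws = set(_of_type(res, "AWS::EC2::InternetGateway"))
    # Map each route table to the subnets associated with it.
    table_subnets = {}
    for assoc in _of_type(res, "AWS::EC2::SubnetRouteTableAssociation").values():
        p = assoc["Properties"]
        table_subnets.setdefault(_ref(p["RouteTableId"]), set()).add(_ref(p["SubnetId"]))
    # 1. A private subnet must not be routed straight to an Internet gateway.
    for lid, route in _of_type(res, "AWS::EC2::Route").items():
        p = route["Properties"]
        if _ref(p.get("GatewayId")) in igws:
            for subnet in sorted(table_subnets.get(_ref(p["RouteTableId"]), set()) & private):
                findings.append("%s routes private subnet %s to an Internet gateway" % (lid, subnet))
    # 2. An instance in a private subnet must not carry a group open to the Internet.
    groups = _of_type(res, "AWS::EC2::SecurityGroup")
    for lid, inst in _of_type(res, "AWS::EC2::Instance").items():
        p = inst["Properties"]
        if _ref(p.get("SubnetId")) not in private:
            continue
        for sg_ref in p.get("SecurityGroupIds", []):
            sg = groups.get(_ref(sg_ref), {})
            for rule in sg.get("Properties", {}).get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr in PUBLIC_CIDRS:
                    findings.append("%s in private subnet uses %s, which admits %s from port %s"
                                    % (lid, _ref(sg_ref), cidr, rule.get("FromPort")))
    return findings


def break_template(template):
    """Constructed misconfiguration used to show the check firing: a second
    default route from the private table to the IGW, and the app tier opened
    to every source address instead of only the web tier's group."""
    bad = copy.deepcopy(template)
    bad["Resources"]["routePrivateLeak"] = {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": {"Ref": "rtbProductionPrivate"},
        "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "igwProduction"}}}
    bad["Resources"]["sgApp"]["Properties"]["SecurityGroupIngress"][0] = {
        "IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": "0.0.0.0/0"}
    return bad


if __name__ == "__main__":
    print(check_sc7_2(build_template(), ["subProductionPrivate"]))          # []
    print(check_sc7_2(break_template(build_template()), ["subProductionPrivate"]))
```

The list of private subnets is an input rather than something inferred from the template, because the control is about the package's stated design: the check confirms that what the documentation calls private is in fact only reachable through the mediated path, which is the evidence a security evaluator reading the controls matrix wants to see.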

Conclusion

Developing an automated solution for compliance can reduce the cost, time, and effort to deploy applications in AWS while minimizing risk and simplifying architectural design. AWS GoldBase provides enterprise customers with an easy-to-use, customized solution that alleviates the challenges of architecting for the cloud while reducing the level of effort normally required to build such a solution from scratch.


Contributors

The following individuals contributed to this document:

- Mike Dixon, Consultant, AWS Public Sector
- Lou Vecchioni, Senior Consultant, AWS Public Sector, Pro Serve
- Brett Miller, Senior Consultant, AWS Public Sector, Pro Serve

Notes

[1] http://www.merriam-webster.com/dictionary/comply
[2] http://aws.amazon.com/compliance/shared-responsibility-model/
[3] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
[4] http://d0.awsstatic.com/whitepapers/compliance/aws-architecture-and-security-recommendations-for-fedramp-compliance.pdf
[5] http://iase.disa.mil/cloud_security/Documents/u-cloud_computing_srg_v1r1_final.pdf
[6] http://aws.amazon.com/compliance/hipaa-compliance/
[7] http://www.27000.org/iso-27001.htm
[8] http://www.fbi.gov/about-us/cjis/csp-v5_3-to-nist-sp800-53r4-mapping_20150527.pdf
[9] http://aws.amazon.com/compliance/pci-dss-level-1-faqs/
[10] http://aws.amazon.com/servicecatalog/
[11] https://d0.awsstatic.com/whitepapers/AWS_DevOps.pdf