© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ian Massingham, Dave Walker

16/03/16

What’s (nearly) New?Manchester

Cloud Security Principles Complianceo Issued 1 Apr 2014 by the CESGo They replace the Business Impact Levels model (BIL: IL1-IL5+)o Distributed certification modelo Risk-based approach: suitability for purposeo New protective marking mechanismso AWS Whitepaper Available

Cyber Essentials Plus Compliance in DublinCyber Essentials Plus is a UK Government-backed, industry-supported certification scheme that helps organisations demonstrate security against common cyber attacks.

The ‘Plus’ scheme benefits from independent testing and validation compared to the baseline ‘Cyber Essentials’ scheme that is self-attested.

ISO 27018

o Customers control their content.o Customers' content will not be used for any

unauthorized purposes.o Physical media is destroyed prior to leaving

AWS data centers.o AWS provides customers the means to

delete their content.o AWS doesn’t disclose customers' content

ISO 27017

o Newest ISO code of practiceo Builds on top of ISO 27002o Information security controls specific to

Cloud serviceso Scope includes all AWS Regions and edge

locations

AWS Security Tools

AWS Trusted Advisor

AWS Config Rules

Amazon Inspector

Periodic evaluation of alignment with AWS Best Practices. Not just Security-related.

Create rules that govern configuration of your AWS resources. Continuous evaluation.

Security insights into your applications.Runs on EC2 instances; on-demand scans

AWS Compliance AWS: Security of the cloud

Customer: Security in the cloud

Cloud Config Rules

AWS Config Rules features

Flexible rules evaluated continuously and retroactively

Dashboard and reports for common goals

Customizable remediation

API automation

AWS Config Rules

Broad ecosystem of solutions

AWS Config Rules benefits

Continuous monitoring for unexpected changes

Shared compliance across your organization

Simplified management of configuration changes

Security by Design - SbD

• Systematic approach to ensure security

• Formalizes AWS account design• Automates security controls• Streamlines auditing

• Provides control insights throughout the IT management process

AWS CloudTrailAWS

CloudHSM

AWS IAMAWS KMS

AWS Config

GoldBase - Scripting your governance policy

Set of CloudFormation Templates & Reference Arhcitectures that accelerate compliance with PCI, EU Personal Data Protection, HIPAA, FFIEC, FISMA, CJISResult: Reliable technical implementation of administrative controls

What is Inspector?

• Application security assessment• Selectable built-in rules• Security findings

• Guidance and management• Automatable via APIs

Rule packages

• CVE (common vulnerabilities and exposures)• Network security best practices• Authentication best practices• Operating system security best practices• Application security best practices• PCI DSS 3.0 readiness

Getting started

Prioritized findings

Detailed remediation recommendations

What is AWS WAF?

Application DDoS

Good users

Bad guys

Web server Database

AWSWAF

AWS WAF rules:1: BLOCK requests from bad guys.2: ALLOW requests from good guys.

Types of conditions in rules:1: Source IP/range2: String Match3: SQL Injection

Why AWS WAF?

Application DDoS, Vulnerabilities, Abuse

Good users

Bad guys

Web server Database

AWS WAF Partner integrations

• Alert Logic, Trend Micro, and Imperva integrating with AWS WAF• Offer additional detection and threat intelligence• Dynamically modify rulesets of AWS WAF for increased protection

S2N – AWS Implementation of TLS

• Small: • ~6,000 lines of code, all audited• ~80% less memory consumed

• Fast: • 12% faster

• Simple: • Avoid rarely used options/extensions

VPC Flow Logs

Flow Log Record Structure

Event-Version

Account Number

ENI-ID

Source-IP

Destination-IP

SourcePort

Destination-Port

Protocol Number

Number of Packets

Number of Bytes

Start-Time Window

End-Time Window

Action

State

2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589

ACCEPT OK

AWS Certificate Manager (ACM) makes it easy to provision, manage, deploy, and renew SSL/TLS certificates on the AWS platform.

Introducing AWS Certificate Manager

AWS Certificate Manager

• Provision trusted SSL/TLS certificates from AWS for use with AWS resources:• Elastic Load Balancing • Amazon CloudFront distributions

• AWS handles the “maths and maintenance” • Key pair and CSR generation• Managed renewal and deployment

• Domain validation (DV) through email• Available through AWS Management console, CLI, or API

AWS Certificate Manager (ACM) Benefits

• Protect and secure websites and applications • Provision certificates quickly and easily • Free• Managed certificate renewal• Secure key management• Centrally manage certificates on the AWS Cloud• Integrated with other AWS Cloud Services

ACM Use Cases

• Help meet regulatory compliance requirements for encryption of data in transit

• PCI, FedRAMP and HIPAA

• Minimize downtime and outages

• Improve search rankings by using SSL/TLS

ACM-Provided Certificates

Domain names• Single domain name: www.example.com• Wildcard domain names: *.example.com• Combination of wildcard and non-wildcard names• Multiple domain names in the same certificate (up to 10)

ACM-provided certificates are managed• Private keys are generated, protected, and managed• ACM-provided certificates cannot be used on EC2 instances or on-premises servers• Can be used with AWS services, such as ELB and CloudFront

Algorithms• RSA 2048 and SHA-256

What is available at launch?

• SSL/TLS certificates for use with AWS services (ELB and CloudFront)

• Availability in US-East (N. Virginia)• Domain validation via email • Console, API, CLI• Integration with ELB and CloudFront• Managed renewal and deployment

What is NOT available at launch?

• Availability in additional regions• Certificates for use on EC2 • “Take home” certificates that can be used anywhere• Cross-region certificates• Cross-account access to certificates• CloudTrail logging of ACM API calls• Tagging• Certificates for email, code signing, or any other purpose except

SSL/TLS termination

Certification & Education

• Security Fundamentals on AWS• free, online course for security auditors and

analysts• Security Operations on AWS

• 3-day class for Security engineers, architects, analysts, and auditors

• AWS Certification• Security is part of all AWS exams

Rich Security Capabilities in the Cloud

Prepare

Prevent

Detect

Respond

o AWS Security Solutions Architectso AWS Professional Serviceso AWS Secure by Design & GoldBaseo AWS Security Best Practiceso Partner Professional Serviceso AWS Training and Certificationo Understand Compliance Requirements

Prepare

o Use IAM – consider MFA, roles, federation, SSOo Implement Amazon WAFo Leverage S2N for secure TLS connectionso Implement Config Rules to enforce complianceo Implement Amazon Inspector to identify

vulnerabilities early on

Prevent

o CloudTrail enabled across all accounts and serviceso Consider Config & Config Rules logso Inspector can be used as a detective toolo Trusted Advisor goes beyond just securityo Use CloudWatch logso VPC Flow Logs give insight into intended and

unintended communication taking place into your VPCo Look at partner log management and security

monitoring solutions

Detect

o Be Prepared: o Develop, acquire or hire Security Incident Response

capabilitieso Test preparedness via game days

o Automated response and containment is always better than manual response

o AWS supports forensic investigationso Leverage AWS Support for best resultso Talk to our security partners

Respond

Be Secure & Compliant in the Cloud!

Thank you!