Modern Security and Compliance Through Automation | AWS Public Sector Summit 2016

Date post: 11-Apr-2017
Transcript
Page 1: Modern Security and Compliance Through Automation | AWS Public Sector Summit 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Modern Security and Compliance Through Automation

Brett Miller, Senior Consultant, Amazon Web Services
Mike Dixon, Senior Consultant, Amazon Web Services

June 21, 2016

Page 2

Compliance & Accreditation

How do I architect for compliance in AWS?

How can I make architecting for compliance repeatable?

How can I validate that my architecture is compliant before deployment?

How can I ensure continuous compliance in production?

How can I simplify my accreditation process and get to ATO faster?

Page 3

Compliance Frameworks
− NIST SP 800-53
− DoD CSM Levels 1-2
− DIACAP/FISMA
− FedRAMP
− PCI DSS
− HIPAA
− MPAA
− CJIS

Page 4

Shared Responsibility Model

Customers are responsible for how they use AWS components in AWS

Customer: responsible for security in the Cloud
− Customer Data
− Platform, Applications, Identity & Access Management
− Operating System, Network & Firewall Configuration
− Client-side Data Encryption & Data Integrity Authentication
− Server-side Encryption (File System and/or Data)
− Network Traffic Protection (Encryption/Integrity/Identity)

AWS: responsible for security of the Cloud
− AWS Global Infrastructure: Compute, Storage, Database, Networking
− Regions, Availability Zones, Edge Locations

Page 5

Common Challenges in Compliance

Customer Challenges
− Meeting compliance requirements (NIST, PCI, HIPAA, CJIS, etc.)
− Taking advantage of new services and features when designing for the Cloud
− Making many critical decisions to ensure a secure application when using the AWS Shared Responsibility Model
− Mapping security controls to numerous AWS services
  − Example: 400 NIST 800-53 Security Controls to 42 AWS services

Page 6

Compliance in the Cloud: Examples

Framework | Control | Description | Implementation in AWS Architecture (Example)
NIST 800-53 | AU-9 | The information system protects audit information and audit tools from unauthorized access, modification, and deletion | AWS CloudTrail and/or log files in S3 buckets which have S3 bucket policies to prevent modification or deletion (write once read many)
PCI DSS | Requirement 4 | Encrypt transmission of cardholder data | Elastic load balancers must enforce HTTPS encryption using strong security policies enforcing TLS
HIPAA | - | Tenancy requirement | Requirement to use “dedicated” tenancy for EC2 instances storing or processing PHI data
CJIS | Policy Area 7 | Configuration management | Enforce use of hardened EC2 instance operating systems and/or pre-approved Amazon Machine Images (AMIs)
DoD CSM | Levels 4-5 | No direct access from VPC to the Internet | Amazon VPCs for Impact Levels 4-5 data require VPN connection, no Internet gateway (IGW)

Page 7

Simplifying Compliance: Key Concepts

Know your compliance framework(s)
− Translate compliance controls to technical implementation
− Create and manage a pre-approved common security controls mapping (SCTM, CRM, etc.) to use when architecting for security and compliance

Distinguish between inherited controls vs. customer controls
− Establish (in advance) which controls are inherited by the global infrastructure

Take advantage of capabilities the Cloud provides
− Infrastructure as Code
− AWS services (CloudTrail, AWS Config, Amazon Inspector, etc.)
− Partner solutions

Automate standard implementations

Page 8

Automation

Why automate compliance?
− Reduced time to ATO
− Lower cost
− Fewer resources required
− Less human error
− Consistency
− Reproducible

Page 9

Automating Compliance in AWS

Infrastructure As Code
− Managed and controlled like software
− Validate pre-deployment
− Test-driven development (TDD) for security and compliance

Standardization
− Predefined guidelines, mapped to security controls
− Consistent, reusable architecture and configuration

Compliance at scale
− Enforce policies across accounts, workloads, systems
− Shared services for security, logging, monitoring, access control

Transparency
− Everything is an API call!
− Auditability, logging
− Continuous monitoring (CM) for both applications and infrastructure

Page 10

Demo

Page 11

Accelerating the Journey to ATO

[Lifecycle diagram: the four phases with their activities, tools and control-mapping steps are listed below]

Pre-Development
− Activities: Architect for Compliance, Provide Baselines
− Tools: Enterprise Accelerator for Compliance, AWS Service Catalog
− Control lifecycle: Compliance Control Mapped to Implementation Method

Development
− Activities: Architect for Compliance, Develop Applications, Submit SSP; IATT
− Tools: Enterprise Accelerator for Compliance, AWS OpsWorks, AWS Elastic Beanstalk, AWS CodePipeline
− Control lifecycle: Developing with a predefined baseline implementing control

Testing
− Activities: Validate Architecture for Compliance, Integration Testing for Compliance, Submit for ATO
− Tools: AWS Config
− Control lifecycle: Validation & Testing for Requirement

Production
− Activities: ATO; Continuous Monitoring, Manage Security-Relevant Changes, Vulnerability Scanning
− Tools: Amazon Inspector, AWS Config
− Control lifecycle: Continuous Monitoring for Control Implementation

Page 12

Pre-Development

Understand your compliance requirements
− Compliance type(s): NIST 800-53, ICD 503, DoD CSM, PCI, HIPAA, etc.
− Workload-specific: DoD CSM Levels 1-2, FedRAMP High, etc.

Architect for compliance
− Map security controls to technical implementation

Predefine baselines
− Examples: VPC configuration, connectivity, AWS Identity and Access Management (IAM) configuration, logging/monitoring
− Baselines align with governance model

[Diagram: Pre-Development phase of the ATO journey (Architect for Compliance, Provide Baselines; Enterprise Accelerator for Compliance, AWS Service Catalog; Compliance Control Mapped to Implementation Method)]

Page 13

Development

Deploy predefined baseline environment
− Service Catalog

Manage all AWS components as code
− Version Control (AWS CodeCommit, Git, SVN)

Take advantage of AWS services
− AWS CodeDeploy/AWS CodePipeline
− Elastic Beanstalk
− OpsWorks

Submit for IATT (prepare for ATO)
− Simplify the process of security controls mapping

[Diagram: Development phase of the ATO journey (Architect for Compliance, Develop Applications, Submit SSP; Enterprise Accelerator for Compliance, AWS OpsWorks, AWS Elastic Beanstalk; Developing with a predefined baseline implementing control)]

Page 14

Testing

Unit testing
− Validate before deployment
− Check AWS CloudFormation templates for non-compliant configurations

Integration testing
− Deploy infrastructure code into AWS account
− Run tests for validation (Config, Inspector, HBSS, partner products, etc.)

Prepare for ATO
− Submit predefined security controls mapping for simplified ISSO/ISSM approval

[Diagram: Testing phase of the ATO journey (Validate Architecture for Compliance, Integration Testing for Compliance, Submit for ATO; Validation & Testing for Requirement)]

Page 15

Testing Infrastructure Code

Identify resource configurations in code that violate compliance
− Example tools: https://github.com/stelligent/cfn_nag

Common points of compliance validation
− Security group rules
− Network Access Control List (network ACL) rules
− IAM policies
− S3 bucket policies
− Elastic Load Balancing security policies

Example: AWS CloudFormation template contains a security group allowing unrestricted access to SSH (tcp/22 from 0.0.0.0/0). The fragment on the slide, completed into a well-formed template so it can be fed to a scanner:

{
  "Resources": {
    "sg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Example security group: SSH open to the world (non-compliant)",
        "SecurityGroupIngress": [
          {
            "CidrIp": "0.0.0.0/0",
            "FromPort": 22,
            "ToPort": 22,
            "IpProtocol": "tcp"
          }
        ],
        "VpcId": "vpc-12345678"
      }
    }
  }
}

Page 16

Production

Authority to Operate (ATO)
− …but compliance doesn’t end with ATO

Continuous monitoring
− Security-relevant changes to configuration

Non-compliance
− Continuously monitor for changes that violate compliance
− Immediate notifications
− Event-driven, automated remediation

[Diagram: Production phase of the ATO journey (Continuous Monitoring, Manage Security-Relevant Changes, Vulnerability Scanning; Amazon Inspector, AWS Config; Continuous Monitoring for Control Implementation)]

Page 17

Automated Response to Noncompliant Changes with Config

Page 18

Lifecycle of a Compliance Control: Example

Control: SC-7(5) Boundary Protection - DENY BY DEFAULT/ALLOW BY EXCEPTION: The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (that is, deny all, permit by exception).

Requirement: Rules with “ALL TRAFFIC” not permitted in security groups

Pre-Development
− Enterprise Accelerator defines required NIST 800-53 compliance control and maps predefined to implementation in CloudFormation template
− Base templates by default deny all ports except those required to be open

Development
− Enterprise Accelerator as starting point for CloudFormation template development
− Starting point in development with templates which

Testing
− Automated unit testing with cfn-nag tool validates that control is not being violated in a template
− Integration testing with Config verifies
− Testing for security groups where all ports are open

Production
− Config rule continuously monitors for violations of this control and takes corrective action if a violation is detected
− If security group changes, Config rule immediately evaluates and determines if rule changes violate control
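The pre-deployment template check from page 15 and the production Config-rule evaluation from this page can share one rule predicate; the following is an added Python example, not the deck's code and not cfn_nag (a Ruby tool). The template and Config configuration item are constructed samples, and the ipPermissions/ipRanges shape of the configuration item is an assumption about how AWS Config records a security group.

```python
import json

# Constructed sample inputs (not from the deck): a template with a world-open SSH
# rule and an "ALL TRAFFIC" rule, plus a Config item (ipPermissions shape assumed).
SAMPLE_TEMPLATE = json.dumps({"Resources": {"sg": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {"VpcId": "vpc-12345678", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "-1", "CidrIp": "10.0.0.0/8"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}}}})
SAMPLE_CONFIG_ITEM = {"resourceType": "AWS::EC2::SecurityGroup", "configuration": {
    "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                       "ipRanges": ["0.0.0.0/0"]}]}}


def rule_violation(ip_protocol, from_port, to_port, cidr):
    """Return a finding for one ingress rule, or None if it is acceptable.
    Two checks from the deck: "ALL TRAFFIC" rules (IpProtocol -1, the page 18
    requirement) and SSH open to 0.0.0.0/0 (the page 15 template)."""
    if str(ip_protocol) == "-1":
        return f"ALL TRAFFIC rule from {cidr} (violates SC-7(5) deny by default)"
    if (cidr == "0.0.0.0/0" and None not in (from_port, to_port)
            and int(from_port) <= 22 <= int(to_port)):
        return "SSH (tcp/22) open to 0.0.0.0/0"
    return None


def check_template(template_json):
    """Pre-deployment unit test: scan every AWS::EC2::SecurityGroup resource."""
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        ingress = res.get("Properties", {}).get("SecurityGroupIngress", [])
        for rule in ([ingress] if isinstance(ingress, dict) else ingress):
            finding = rule_violation(rule.get("IpProtocol"), rule.get("FromPort"),
                                     rule.get("ToPort"), rule.get("CidrIp"))
            if finding:
                findings.append(f"{name}: {finding}")
    return findings


def evaluate_config_item(item):
    """Production: evaluation half of a custom Config rule (remediation not shown)."""
    for perm in item["configuration"].get("ipPermissions", []):
        for cidr in perm.get("ipRanges", []):
            if rule_violation(perm.get("ipProtocol"), perm.get("fromPort"),
                              perm.get("toPort"), cidr):
                return "NON_COMPLIANT"
    return "COMPLIANT"
```

The same predicate therefore fails the build on the page 15 template and flags the live group the moment its rules change, which is the "unit test, then continuously monitor" pairing the lifecycle table describes.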

Page 19

Automating Compliance: Tools & Services
− AWS Compliance Enterprise Accelerator
− Telos Xacta (partner solution)
− Config/Config rules
− Inspector
− AWS Trusted Advisor

Page 20

AWS Compliance Enterprise Accelerator
− Address security/compliance requirements and AWS best practices
− Knowledge transfer on AWS security model
− Standardized for specific use cases
− Ready to be pre-approved by customer assessment organizations
− Ready to deploy “out of the box”
− Customizable

AWS Compliance Packages Include:
− Managed Automation – CloudFormation templates, automation scripts
− Detailed Documentation – User Guide, setup, customization
− Security Controls Matrix – Mapping of controls to implementation

Page 21

AWS Enterprise Accelerator for Compliance

Currently Available Quick Starts
− NIST High baseline (Featuring Trend Micro Deep Security)
− NIST SP 800-53 (version 2.0)
− DoD SRG (GovCloud)
− Trusted Internet Connection
− 800-171
− PCI DSS
− Secure Commercial Cloud Architecture (SCCA)

Late July preview

http://aws.amazon.com/quickstart

Page 22

Telos Xacta
− Xacta IT Governance, Risk, Compliance (GRC) product suite
− Automatically map inherited security controls
− Generate documentation
− Expedite approvals
− Automate risk assessment, remediation, and compliance reporting

Page 23

Simplifying Security Controls with Telos Xacta

Page 24

Additional Resources

AWS Risk & Compliance Whitepaper
https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf

AWS Quick Start Reference Deployments
https://aws.amazon.com/quickstart/

AWS Compliance
https://aws.amazon.com/compliance/

Telos Corporation Expedites Secure and Compliant Cloud Deployments on AWS Cloud
http://bit.ly/1PoQA8O

Continuous Security: Security in the Continuous Delivery Pipeline (Stelligent)
http://bit.ly/1sCaQPq

Page 25
