AWS re:Invent 2016: How AWS Automates Internal Compliance at Massive Scale using AWS Services (SAC305)

Page 1

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

SAC 305: How AWS Automates Internal Compliance at Massive Scale using AWS Services

Chad Woolf, Director, Risk & Compliance
Sara Duffer, Director, Security Assurance Automation

11/30/2016

Page 2

What to Expect from the Session

Four examples of how we deal with massive scale in compliance:

1. Automated Control Mapping
2. Access Management
3. Change Management
4. Vulnerability Management

For each example:

• AWS services that we utilize for operationalizing compliance
• Lessons learned

(Services shown: Amazon CloudWatch, AWS CloudTrail, AWS Lambda, Amazon API Gateway, Amazon Redshift)

Page 3

Scale, Complexity, Security

Page 4

AWS: Huge Scale

Page 5

AWS Security: A Very High Bar

Page 6

AWS: Complex System?

Page 7

Gall’s Law:

A complex system that works is invariably found to have evolved from a simple system that worked. A complex system designed from scratch never works and cannot be patched to make it work. You have to start over with a working simple system.

Page 8

Advice:

1. Start over, and start simple.
2. Implement Agile methodology. And do it forever.

Page 9

Huge scale
+ Complex Systems
+ Highest Security Bar
= Impossible Task (in a manual world)

Page 10

Customized, Customer-centric Approach

40+ services
7,710 Audit Artifacts
2,670 Controls
3,030 Audit Requirements

Page 11

Advice:

3. Objectively look at your requirements, and build to that.

Page 12

Advice:

4. Hire Compliance Automation Engineers

Investments in Automation Pay for Themselves

Page 13

Using AWS to Automate Compliance

We'll walk you through 4 examples today:

1. Automated Control Mapping
2. Access Management
3. Change Management
4. Vulnerability Management

+ Lessons learned

Page 14

Example 1: Automated Control Mapping

Page 15

Example 1: Automated Control Mapping

• Problem: Control mapping – everyone does it and it takes a really long time
• Our response: We developed intelligent correlation mapping automation
• How we use it: For use with questionnaires, control mappings, general search
• Benefit: Authoritative source of control mapping and implementation.

Page 16

Example 1: Under the hood

(Architecture diagram, numbered steps 1–6. Components shown: Internal Website; Amazon API Gateway; AWS Lambda; Amazon Elasticsearch Service; questions, responses, & control statements.)

Page 17

Example 1: Under the hood

Page 18

Example 1: Under the hood

Page 19

Example 1: Lessons Learned

• Mapping is a heavy lift
• Granularity and specificity matter
• Higher return than expected

Page 20

Example 2: Access Management

Page 21

Example 2: Access Monitoring of Critical Systems

• Problem: monitoring access to a large number of hosts
• Our response: remediation controls that evaluate who AND what
• How we use it: monitor, validate, remediate access controls at AWS scale quickly
• Benefit: ensure principle of least privilege access

Page 22

Example 2: Access Management layered controls

Step 1: Principle of Least Privilege

(Layers shown around Critical Assets: rules based permission management; baseline rule review; near real time validation.)

Page 23

Example 2: Step 1 Under the hood

(Architecture diagram, numbered steps 1–13, with three labeled regions: A – “On prem like” environment; B – ETL Solution; C – Continuous Monitoring & Notification Solution. Components shown: HR; Permission store; On-prem hosts; Amazon Redshift; S3; AWS Data Pipeline; Job Management service; EC2 Worker fleet; AWS Lambda; Group owners; Notifications; Amazon Kinesis Firehose; Amazon SQS.)

Page 24

Example 2: Step 2 Under the hood

Step 2: Principle of Least Privilege

(Pipeline diagram, stages 1–5 as shown: Amazon S3 Log Repository; Apache Spark cluster (Amazon EMR); ETL using Lambda; S3 bucket to store extracted SSH logins; Amazon Redshift.)

Page 25

Example 2: Lessons Learned

• Revoke access of users who haven’t used their access to critical AWS resources/systems
• AWS CloudTrail + Credential Usage Report + Service Access Report
• Logins to your EC2 fleet vs. SSH keys access list
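One way to act on the last two bullets, as an added example that is not from the talk: parse sshd "Accepted" lines from the fleet's auth logs into a last-login-per-(user, host) map, reconcile it against the SSH access list, and report every grant with no successful login inside the idle window as a revocation candidate. The log lines, the access list, the report date and the 90-day window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd auth.log sample; only "Accepted" lines count as usage.
SAMPLE_AUTH_LOG = """\
Nov 10 08:12:01 host-a sshd[2231]: Accepted publickey for alice from 10.0.1.5 port 51022 ssh2: RSA SHA256:k1
Nov 12 17:45:09 host-b sshd[9031]: Accepted publickey for bob from 10.0.2.9 port 40010 ssh2: ED25519 SHA256:k2
Nov 13 09:01:44 host-a sshd[2300]: Failed publickey for carol from 10.0.3.3 port 50001 ssh2: RSA SHA256:k3
Nov 28 22:03:17 host-c sshd[7710]: Accepted publickey for alice from 10.0.1.5 port 51101 ssh2: RSA SHA256:k1
"""

# Constructed access list: which users hold an authorized key on which hosts.
ACCESS_LIST = {
    "alice": {"host-a", "host-c"},
    "bob": {"host-b"},
    "carol": {"host-a"},   # holds a key but only failed attempts appear in the log
    "dave": {"host-c"},    # holds a key and never logged in
}
AS_OF = datetime(2016, 11, 30)  # constructed report date for the sample above

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from \S+"
)

def last_logins(log_text, year):
    """Map (user, host) -> latest successful login; syslog lines carry no year."""
    seen = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # failed attempts and unrelated lines are not usage
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["user"], m["host"])
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen

def revocation_candidates(access_list, logins, now, max_idle_days=90):
    """Grants (user, host) with no successful login within max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for user, hosts in access_list.items():
        for host in hosts:
            last = logins.get((user, host))
            if last is None or last < cutoff:
                stale.append((user, host))
    return sorted(stale)
```

The same reconciliation applies to IAM credentials by substituting CloudTrail events and the credential usage report for the sshd lines and the key list.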

Page 26

Example 3: Change Management

Page 27

Example 3: Change Management

• Problem: controlled automated deployment and validation of daily deployments
• Our response: automated auditable deployment and validation environment
• How we use it: auditor validation of our preventative and detective change management controls
• Benefit: all changes to the environment are controlled and documented

Page 28

Example 3: Under the hood

(Diagram, steps 1–5.)

Page 29

Example 3: Under the hood

QA & Code Review

(Diagram, steps 1–6.)

Page 30

Example 3: Under the hood

Flagged Deployment
ID: 47365690
Deployer: johndoe@
Deployment Time: 09:56:23 11/15/2016
Flag reason: Approval was not documented in the change ticket
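The flagged-deployment record above is the output of a detective control. As an added example that is not the speakers' code, here is a small Python check in that spirit: each deployment must reference a change ticket, the ticket must carry a documented approver and approval time, the approver must not be the deployer, and the approval must predate the deployment. The field names and the sample records other than the flagged case on the slide are constructed assumptions.

```python
from datetime import datetime

# Constructed sample records; field names are assumptions, not a real schema.
# Deployment 47365690 / johndoe@ reproduces the flagged case on the slide.
DEPLOYMENTS = [
    {"id": "47365689", "deployer": "janedoe", "time": datetime(2016, 11, 15, 9, 40, 2), "ticket": "CM-1001"},
    {"id": "47365690", "deployer": "johndoe", "time": datetime(2016, 11, 15, 9, 56, 23), "ticket": "CM-1002"},
    {"id": "47365691", "deployer": "janedoe", "time": datetime(2016, 11, 16, 10, 5), "ticket": "CM-1003"},
    {"id": "47365692", "deployer": "janedoe", "time": datetime(2016, 11, 16, 11, 0), "ticket": None},
]
TICKETS = {
    "CM-1001": {"approver": "reviewer1", "approved_at": datetime(2016, 11, 15, 8, 30)},
    "CM-1002": {"approver": None, "approved_at": None},  # never approved
    "CM-1003": {"approver": "reviewer1", "approved_at": datetime(2016, 11, 16, 12, 0)},  # approved late
}

def flag_reason(dep, tickets):
    """Return why a deployment fails the approval control, or None if it passes."""
    if dep["ticket"] is None:
        return "No change ticket linked to the deployment"
    ticket = tickets.get(dep["ticket"])
    if ticket is None:
        return "Linked change ticket does not exist"
    if ticket["approver"] is None or ticket["approved_at"] is None:
        return "Approval was not documented in the change ticket"
    if ticket["approver"] == dep["deployer"]:
        return "Deployer approved their own change"
    if ticket["approved_at"] > dep["time"]:
        return "Approval was recorded after the deployment"
    return None

def audit(deployments, tickets):
    """Emit flagged-deployment records in the layout the slide shows."""
    flagged = []
    for dep in deployments:
        reason = flag_reason(dep, tickets)
        if reason is None:
            continue  # passes the approval checks; nothing to report
        flagged.append({
            "ID": dep["id"],
            "Deployer": dep["deployer"] + "@",
            "Deployment Time": dep["time"].strftime("%H:%M:%S %m/%d/%Y"),
            "Flag reason": reason,
        })
    return flagged
```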

Page 31

Example 3: Lessons Learned

• AWS CodeCommit – authoritative source code repository
• AWS CodeDeploy – controlled deployments to instances
• AWS CodePipeline – continuous delivery of software releases

Page 32

Example 4: Vulnerability Management

Page 33

Example 4: Vulnerability Management

• Problem: analyzing large data set of fleet information and identifying ‘actionable’ patching data for our large fleet of hosts
• Our response: utilize active and passive assessments to accurately capture and identify opportunities for updates
• How we use it: utilizing 3rd-party scanners and on-host agents to reduce false positives and increase accurate ‘actionable actions’ for remediation
• Benefit: Our hosts are patched, preventing security issues
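To illustrate the "active scanner plus on-host agent" point, an added Python example (not AWS's tooling): each scanner finding is confirmed against the package version the host agent reports, so only hosts really running a version below the fix are actionable, hosts already updated are treated as likely false positives, and hosts without agent data are set aside for an active check. The finding and inventory schemas, the finding IDs and the sample versions are constructed.

```python
import re

# Constructed sample data; field names are assumptions, not a scanner's schema.
# "fixed_in" is the first package version the scanner treats as not vulnerable.
SCANNER_FINDINGS = [
    {"host": "i-0001", "package": "openssl", "fixed_in": "1.0.2j", "finding": "FINDING-A"},
    {"host": "i-0002", "package": "openssl", "fixed_in": "1.0.2j", "finding": "FINDING-A"},
    {"host": "i-0003", "package": "bash", "fixed_in": "4.3.48", "finding": "FINDING-B"},
]
# What the on-host agents report as installed (the passive assessment).
AGENT_INVENTORY = {
    "i-0001": {"openssl": "1.0.2h", "bash": "4.3.48"},
    "i-0002": {"openssl": "1.0.2k"},   # already updated; the scan result is stale
    # i-0003 has no agent data, so its finding cannot be confirmed either way
}

def version_key(v):
    """Turn '1.0.2j' into ((1,''),(0,''),(2,'j')) so versions compare in order."""
    key = []
    for part in v.split("."):
        m = re.match(r"(\d+)(.*)$", part)
        key.append((int(m.group(1)), m.group(2)) if m else (-1, part))
    return tuple(key)

def triage(findings, inventory):
    """Split scanner findings into actionable, likely false positive, unverified."""
    actionable, false_positive, unverified = [], [], []
    for f in findings:
        pkgs = inventory.get(f["host"])
        if pkgs is None or f["package"] not in pkgs:
            unverified.append(f)  # needs agent coverage or an active check
            continue
        installed = pkgs[f["package"]]
        record = dict(f, installed=installed)
        if version_key(installed) < version_key(f["fixed_in"]):
            actionable.append(record)
        else:
            false_positive.append(record)
    return actionable, false_positive, unverified
```

Distribution backports that fix a bug without bumping the upstream version are the classic false-positive source here, which is why the agent's view of the installed version, not the scanner's banner grab, decides.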

Page 34

Example 4: Under the hood

(Architecture diagram. Components shown: Amazon RDS; Amazon Elasticsearch Service; distributed sensors; Amazon EC2; dashboard.)

Page 35

Example 4: Lessons Learned

• Active Scans are costly in time and resources
• False positives are hard to deal with
• Datatype definitions matter

Pipeline stages: ASSESS → STORE → PROCESS → VISUALIZE
Services shown: Amazon Inspector; Amazon RDS; Amazon Redshift; AWS Lambda; Amazon Elasticsearch Service; Amazon QuickSight

Page 36

Recap

• Our lesson learned: we had to automate to survive. We did this using AWS services – to address Cloud + on-prem compliance monitoring.
• You have the same opportunity for these examples and others.
• AWS can be used to automate Cloud and on-prem environments.

Page 37

Thank you!

Page 38

Related Sessions

• ARC312 - Compliance Architecture: How Capital One Automates the Guard Rails for 6,000 Developers (Thursday, 11am, Venetian, Level 2, Venetian H)
• SAC311 - Evolving an Enterprise-Level Compliance Framework with Amazon CloudWatch Events and AWS Lambda (Friday, 9am, Venetian, Level 4, Lando 4205)
• SAC315 - Scaling Security Operations and Automating Governance: Which AWS Services Should I Use? (Friday, 11am, Venetian, Level 3, Lido 3005)
• SAC316 - Security Automation: Spend Less Time Securing Your Applications (Thursday, 4pm, Venetian, Level 2, Venetian A)

Page 39

Remember to complete your evaluations!