© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SAC 305
How AWS Automates Internal Compliance
at Massive Scale using AWS Services
Chad Woolf, Director, Risk & Compliance
Sara Duffer, Director, Security Assurance Automation
11/30/2016
What to Expect from the Session
Four examples of how we deal with massive scale in compliance
1. Automated Control Mapping
2. Access Management
3. Change management
4. Vulnerability management
For each example:
• AWS Services that we utilize for operationalizing compliance
• Lessons learned
Services featured: Amazon CloudWatch, AWS CloudTrail, AWS Lambda, Amazon API Gateway, Amazon Redshift
Scale, Complexity, Security
AWS: Huge Scale
AWS Security: A Very High Bar
AWS: Complex System?
Gall’s Law:
A complex system that works is invariably
found to have evolved from a simple
system that worked.
A complex system designed from scratch
never works and cannot be patched to
make it work. You have to start over with a
working simple system.
Advice:
1. Start over, and start simple.
2. Implement Agile methodology. And do it forever.
+ Complex Systems
+ Highest Security Bar
= Impossible Task
(in a manual world)
Huge scale
Customized, Customer-centric Approach
40+ services
7,710 Audit Artifacts
2,670 Controls
3,030 Audit Requirements
Advice:
3. Objectively look at your requirements,
and build to that.
Advice:
4. Hire Compliance Automation Engineers
Investments in Automation
Pay for Themselves
Using AWS to Automate Compliance
We'll walk you through 4 examples today
1. Automated Control Mapping
2. Access Management
3. Change management
4. Vulnerability management
+ Lessons learned
Example 1: Automated Control Mapping
Example 1: Automated Control Mapping
• Problem: Control mapping – everyone does it, and it takes a really long time
• Our response: We developed intelligent correlation mapping automation
• How we use it: For questionnaires, control mappings, and general search
• Benefit: An authoritative source of control mapping and control implementation
Services used: Amazon API Gateway, Amazon Elasticsearch Service, AWS Lambda
Example 1: Under the hood [architecture diagram; the extracted text preserves only these labels: an internal website submits questions, responses, and control statements, which flow through numbered steps 1 to 6]
Example 1: Lessons Learned
• Mapping is a heavy lift
• Granularity and specificity matter
• Higher return than expected
Example 2: Access Management
Example 2: Access Monitoring of Critical Systems
• Problem: monitoring access to a large number of hosts
• Our response: remediation controls that evaluate who AND what
• How we use it: monitor, validate, and remediate access controls at AWS scale, quickly
• Benefit: ensure least-privilege access
Example 2: Access Management layered controls [diagram: critical assets at the center, surrounded by rules-based permission management, baseline rule review, and near-real-time validation]
Step 1: Principle of Least Privilege
Example 2: Step 1 Under the hood [architecture diagram; the extracted text preserves only the labels below, not the numbered flow]
Components: HR, permission store, on-prem hosts, Amazon Redshift, Amazon S3, AWS Data Pipeline, job management service, EC2 worker fleet, AWS Lambda, Amazon Kinesis Firehose, Amazon SQS, notifications to group owners
Regions: (A) "on prem like" environment; (B) ETL solution; (C) continuous monitoring & notification solution; steps numbered 1 to 13
Example 2: Step 2 Under the hood (Step 2: Principle of Least Privilege) [pipeline diagram, steps 1 to 5]: Amazon S3 log repository → Apache Spark cluster (Amazon EMR) → ETL using Lambda → S3 bucket storing the extracted SSH logins → Amazon Redshift
Example 2: Lessons Learned
• Revoke access of users who haven’t used their access to critical AWS resources/systems
• AWS CloudTrail + Credential Usage Report + Service Access Report
• Logins to your EC2 fleet vs. SSH keys access list
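The last bullet, reconciling logins seen on the EC2 fleet against the SSH key access list, as an added example (this is not AWS's code): it parses constructed sshd auth log lines, keeps the last successful login per (host, user), and reports grants that went unused inside the review window as revocation candidates and logins by users missing from the list as items to investigate. Host names, users, log lines, the access list, the review date and the 30-day window are all constructed assumptions.

```python
"""Reconcile SSH logins observed on the fleet with the SSH key access list.

Added example, not AWS's own code. The log lines, the access list and the
review date are constructed for illustration. Two outputs, following the
slide's "who AND what" point:
  - revoke: (host, user) grants not exercised inside the review window
  - unauthorized: (host, user) logins by someone not on the access list
"""
import re
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth.log lines (syslog timestamps carry no
# year, so the year is supplied at parse time). Only "Accepted" lines count
# as use of a grant; the failed attempt is deliberately ignored.
AUTH_LOG = """\
Sep 15 07:45:12 db-01 sshd[988]: Accepted publickey for carol from 10.0.2.8 port 50110 ssh2: RSA SHA256:c0nstructedFp1
Nov 20 09:12:01 web-01 sshd[1234]: Accepted publickey for alice from 10.0.1.5 port 51234 ssh2: RSA SHA256:c0nstructedFp2
Nov 28 14:03:44 web-01 sshd[2345]: Accepted publickey for bob from 10.0.1.9 port 51235 ssh2: RSA SHA256:c0nstructedFp3
Nov 29 08:00:10 db-01 sshd[3456]: Accepted publickey for mallory from 10.0.2.7 port 51236 ssh2: RSA SHA256:c0nstructedFp4
Nov 29 08:00:12 db-01 sshd[3457]: Failed publickey for carol from 10.0.2.8 port 51237 ssh2: RSA SHA256:c0nstructedFp1
"""

# Constructed access list: host -> users whose keys are authorized there.
ACCESS_LIST = {
    "web-01": {"alice", "bob", "dave"},
    "db-01": {"carol"},
}

LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_logins(log_text, year):
    """Return a list of (host, user, timestamp) for each successful login."""
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins.append((m["host"], m["user"], ts))
    return logins


def reconcile(access_list, logins, now, window_days=30):
    """Compare grants against observed use.

    A grant is a revocation candidate if its last successful login is older
    than the window (or there never was one). A login is unauthorized if the
    user is not on that host's access list.
    """
    cutoff = now - timedelta(days=window_days)
    last_seen = {}
    for host, user, ts in logins:
        key = (host, user)
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts

    revoke = sorted(
        (host, user)
        for host, users in access_list.items()
        for user in users
        if last_seen.get((host, user), datetime.min) < cutoff
    )
    unauthorized = sorted(
        (host, user)
        for (host, user) in last_seen
        if user not in access_list.get(host, set())
    )
    return {"revoke": revoke, "unauthorized": unauthorized}


def review(log_text=AUTH_LOG, access_list=ACCESS_LIST, year=2016,
           review_date="2016-11-30", window_days=30):
    """Parse the log, reconcile against the list, return the report."""
    now = datetime.strptime(review_date, "%Y-%m-%d")
    return reconcile(access_list, parse_logins(log_text, year), now, window_days)


if __name__ == "__main__":
    report = review()
    for host, user in report["revoke"]:
        print(f"revoke      {user}@{host}: no successful login inside the window")
    for host, user in report["unauthorized"]:
        print(f"INVESTIGATE {user}@{host}: login without an access-list entry")
```

In production the log text would come from the S3 login store fed by the Step 2 pipeline rather than a string, and the access list from the permission store; the reconciliation logic is the same.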
Example 3: Change Management
Example 3: Change Management
• Problem: controlled, automated deployment and validation of daily deployments
• Our response: an automated, auditable deployment and validation environment
• How we use it: auditor validation of our preventative and detective change management controls
• Benefit: all changes to the environment are controlled and documented
Example 3: Under the hood [pipeline diagram: numbered stages 1 to 6, including QA & code review]
Example 3: Under the hood
Flagged Deployment
ID: 47365690
Deployer: johndoe@
Deployment Time: 09:56:23 11/15/2016
Flag reason: Approval was not documented in the change ticket
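The detective check behind a flag like the one above, as an added example (not AWS's own code): each deployment record is joined to its change ticket and flagged when no approval is documented. The deployment ID and deployer are the ones on the slide; the ticket IDs, the other deployment records and all timestamps are constructed. The two further checks (approval recorded before the deployment, approver distinct from the deployer) are this example's assumptions about what an auditor would also expect, not something the slides describe.

```python
"""Detective change-management control: flag deployments whose change ticket
does not carry a documented approval.

Added example, not AWS's own code. Ticket and deployment records are
constructed; the first flag reason matches the slide, the other checks are
this example's additions.
"""
from datetime import datetime

# Constructed change tickets: ticket id -> approval record (None = not approved).
TICKETS = {
    "CM-1001": {"approved_by": "janedoe", "approved_at": datetime(2016, 11, 15, 9, 30)},
    "CM-1002": {"approved_by": None, "approved_at": None},
    "CM-1003": {"approved_by": "johndoe", "approved_at": datetime(2016, 11, 15, 9, 40)},
    "CM-1004": {"approved_by": "janedoe", "approved_at": datetime(2016, 11, 15, 11, 0)},
}

# Constructed deployment log, as a CI/CD system would record it.
DEPLOYMENTS = [
    {"id": "47365689", "deployer": "johndoe", "time": datetime(2016, 11, 15, 9, 50, 2), "ticket": "CM-1001"},
    {"id": "47365690", "deployer": "johndoe", "time": datetime(2016, 11, 15, 9, 56, 23), "ticket": "CM-1002"},
    {"id": "47365691", "deployer": "johndoe", "time": datetime(2016, 11, 15, 10, 5, 0), "ticket": "CM-1003"},
    {"id": "47365692", "deployer": "johndoe", "time": datetime(2016, 11, 15, 10, 30, 0), "ticket": "CM-1004"},
    {"id": "47365693", "deployer": "johndoe", "time": datetime(2016, 11, 15, 10, 45, 0), "ticket": "CM-9999"},
]

NOT_DOCUMENTED = "Approval was not documented in the change ticket"


def evaluate(deployment, tickets):
    """Return a flag reason, or None if the deployment passes every check."""
    ticket = tickets.get(deployment["ticket"])
    if ticket is None:
        return "Change ticket not found"
    if not ticket["approved_by"]:
        return NOT_DOCUMENTED                       # the case shown on the slide
    if ticket["approved_at"] > deployment["time"]:
        return "Approval was recorded after the deployment"   # added check
    if ticket["approved_by"] == deployment["deployer"]:
        return "Deployer approved their own change"           # added check
    return None


def flagged_deployments(deployments, tickets):
    """Run every deployment through evaluate() and collect the flags."""
    flags = []
    for d in deployments:
        reason = evaluate(d, tickets)
        if reason:
            flags.append({"id": d["id"], "deployer": d["deployer"],
                          "time": d["time"], "reason": reason})
    return flags


def format_flag(flag):
    """Render a flag in the layout shown on the slide."""
    return (f"Flagged Deployment\nID: {flag['id']}\nDeployer: {flag['deployer']}@\n"
            f"Deployment Time: {flag['time']:%H:%M:%S %m/%d/%Y}\nFlag reason: {flag['reason']}")


if __name__ == "__main__":
    for flag in flagged_deployments(DEPLOYMENTS, TICKETS):
        print(format_flag(flag), end="\n\n")
```

Run as a scheduled job over the deployment records, this is a detective control; wired in as a gate before the deploy step, the same evaluate() becomes a preventative one.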
Example 3: Lessons Learned
• AWS CodeCommit – authoritative source code
repository
• AWS CodeDeploy – controlled deployments to
instances
• AWS CodePipeline – continuous delivery of software
releases
Example 4: Vulnerability Management
Example 4: Vulnerability Management
• Problem: analyzing a large data set of fleet information and identifying ‘actionable’ patching data for our large fleet of hosts
• Our response: utilize active and passive assessments to accurately capture and identify opportunities for updates
• How we use it: combine 3rd-party scanners with on-host agents to reduce false positives and increase the share of findings that are accurately actionable for remediation
• Benefit: Our hosts are patched, preventing security issues
Example 4: Under the hood [architecture diagram; labels recovered from the extracted text: distributed sensors, Amazon EC2, Amazon RDS, Amazon Elasticsearch Service, dashboard]
Example 4: Lessons Learned
• Active Scans are costly in time and resources
• False positives are hard to deal with
• Datatype definitions matter
Pipeline: ASSESS (Amazon Inspector) → STORE (Amazon RDS, Amazon Redshift) → PROCESS (AWS Lambda, Amazon Elasticsearch Service) → VISUALIZE (Amazon QuickSight)
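The active-plus-passive correlation described in Example 4, as an added example (not AWS's code): scanner findings are joined with the on-host agent's installed-package inventory and a fixed-in table, so a finding is marked actionable only when the installed version is still below the fixing version. This is one way to remove the banner-based false positives named in the lessons learned, where a scanner sees the upstream version string but the distro has backported the fix. Hosts, package versions, the CVE placeholders (CVE-0000-000x) and the fixed-in table are constructed, and the version comparison is a simplified dpkg-style compare rather than dpkg's own.

```python
"""Correlate active scanner findings with on-host agent inventory so that only
findings still present on the host are marked actionable.

Added example, not AWS's own code. Hosts, package versions, CVE placeholders
and the fixed-in table are constructed. Version comparison is a simplified
dpkg-style compare (epoch, then upstream, then revision; digit runs numeric,
other runs lexical, no '~' handling) and is not a drop-in for dpkg's.
"""
import re
from itertools import zip_longest

# Constructed active-scan output: the scanner infers a CVE from a banner.
SCANNER_FINDINGS = [
    {"host": "web-01", "package": "openssl", "cve": "CVE-0000-0001"},
    {"host": "web-02", "package": "openssl", "cve": "CVE-0000-0001"},
    {"host": "db-01", "package": "openssl", "cve": "CVE-0000-0001"},   # no agent here
    {"host": "web-01", "package": "nginx", "cve": "CVE-0000-0002"},    # no fixed-in data
]

# Constructed on-host agent inventory: host -> package -> installed version.
AGENT_INVENTORY = {
    "web-01": {"openssl": "1.0.2g-1ubuntu4.15", "nginx": "1.10.3-0ubuntu0.16.04.2"},
    "web-02": {"openssl": "1.0.2g-1ubuntu4.8", "nginx": "1.10.3-0ubuntu0.16.04.2"},
}

# Constructed "fixed in" data, as a distro security tracker would publish it.
FIXED_IN = {
    ("openssl", "CVE-0000-0001"): "1.0.2g-1ubuntu4.10",
}


def _segments(s):
    """Split into alternating non-digit / digit runs, always starting with a
    (possibly empty) non-digit run so positions line up between two strings."""
    parts = re.findall(r"\D+|\d+", s)
    if not parts or parts[0].isdigit():
        parts.insert(0, "")
    return parts


def _cmp_run(a, b):
    """Compare one upstream or revision string; returns -1, 0 or 1."""
    for i, (x, y) in enumerate(zip_longest(_segments(a), _segments(b), fillvalue="")):
        if i % 2:                       # odd positions are digit runs
            xi, yi = int(x or 0), int(y or 0)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x != y:                    # even positions are non-digit runs
            return -1 if x < y else 1   # simplification: plain lexical order
    return 0


def compare_versions(a, b):
    """Simplified dpkg-style comparison of '[epoch:]upstream[-revision]'."""
    def split(v):
        epoch = 0
        if ":" in v:
            e, v = v.split(":", 1)
            epoch = int(e)
        upstream, _, revision = v.rpartition("-")
        if not upstream:                # no '-' present
            upstream, revision = revision, ""
        return epoch, upstream, revision

    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_run(ua, ub) or _cmp_run(ra, rb)


def triage(findings, inventory, fixed_in):
    """Sort scanner findings into actionable / false_positive / unverified.

    Findings without agent data or without fixed-in data are kept as
    'unverified' rather than dropped, so they still get a human look.
    """
    result = {"actionable": [], "false_positive": [], "unverified": []}
    for f in findings:
        installed = inventory.get(f["host"], {}).get(f["package"])
        fixed = fixed_in.get((f["package"], f["cve"]))
        if installed is None or fixed is None:
            reason = "no agent inventory" if installed is None else "no fixed-in data"
            result["unverified"].append({**f, "reason": reason})
        elif compare_versions(installed, fixed) < 0:
            result["actionable"].append({**f, "installed": installed, "fixed_in": fixed})
        else:
            result["false_positive"].append({**f, "installed": installed, "fixed_in": fixed})
    return result


if __name__ == "__main__":
    for bucket, items in triage(SCANNER_FINDINGS, AGENT_INVENTORY, FIXED_IN).items():
        print(bucket, [f"{f['host']}:{f['package']}:{f['cve']}" for f in items])
```

The "unverified" bucket is the important design choice: a host with no agent reporting is not a clean host, and a finding with no fixed-in mapping is exactly the "datatype definitions matter" problem from the lessons, so neither is silently discarded.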
Recap
• Our lesson learned: we had to automate to survive. We did this
using AWS services – to address Cloud + on-prem compliance
monitoring.
• You have the same opportunity for these examples and others.
• AWS can be used to automate Cloud and on-prem environments.
Thank you!
Related Sessions
• ARC312 - Compliance Architecture: How Capital One Automates the Guard Rails for 6,000 Developers
- Thursday, 11am, Venetian, Level 2, Venetian H
• SAC311 - Evolving an Enterprise-Level Compliance Framework with Amazon CloudWatch Events and AWS Lambda
- Friday, 9am, Venetian, Level 4, Lando 4205
• SAC315 - Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?
- Friday, 11am, Venetian, Level 3, Lido 3005
• SAC316 - Security Automation: Spend Less Time Securing Your Applications
- Thursday, 4pm, Venetian, Level 2, Venetian A
Remember to complete your evaluations!