Navigating the AWS Compliance Framework Ronan Guilfoyle Solutions Architect Amazon Web Services Ireland

Navigating the AWS Compliance Framework | AWS Security Roadshow Dublin


Agenda:

• Overview

• ISO

• SOC

• Documents

Certifications/Audits: Overview

Shared Responsibility

Managed by AWS ("Security of the Cloud"):

• Cloud Service Provider Controls

• Cross-service Controls

• Service-specific Controls

Managed by Customer ("Security in the Cloud"):

• Optimized Network/OS/App Controls

Request reports at:

aws.amazon.com/compliance/#contact

The main AWS Compliance Frameworks of today

Certificates:

• ISO 9001

• ISO 27000 family: ISO 27001/27017, ISO 27018

Programmes:

• MPAA

Point-in-time, or continuous compliance assessments?

• ISO 27001/27017

• ISO 27018

• ISO 9001

Certifications/Audits: Scope

Scope

• By Service (not only Datacenter)

• By Region

• By Certification

• Global

• Scalable

Certifications/Audits: Demo Scope

Compliance Mapping: How to do that

Mapping

Compliance Mapping: Demo

Agenda:

• Overview

• CloudTrail

– Source

– Structure

– Analytics options

• VPC FlowLogs

– What for

– Where from

– How structured

– How to access them

– Some analytics

CloudTrail: An Intro

What can you answer using a CloudTrail event?

Who made the API call?

When was the API call made?

What was the API call?

Which resources were acted upon in the API call?

Where was the API call made from and made to?

AWS CloudTrail

CloudTrail can help you achieve many tasks

• Security analysis

• Track changes to AWS resources, for example VPC security groups and NACLs

• Compliance – log and understand AWS API call history

• Prove that you did not:

– Use the wrong region

– Use services you don't want

• Troubleshoot operational issues – quickly identify the most recent changes to your environment

AWS CloudTrail logs can be delivered cross-account

• Accounts can send their trails to a central account

• Central account can then do analytics

• Central account can:

– Redistribute the trails

– Grant access to the trails

– Filter and reformat trails (to meet privacy requirements)
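The cross-account delivery above only works if the central bucket's policy lets the CloudTrail service in each member account write under its own AWSLogs/<account-id>/ prefix and hand the objects to the bucket owner. The following is an added example (not code from the talk or from AWS) that builds that bucket policy and checks which accounts it admits; the bucket name and account IDs are constructed.

```python
"""Bucket policy for a central CloudTrail collection bucket.

Added example, not from the talk. Bucket name and account IDs below are
constructed; the two statements are the standard ones CloudTrail requires:
GetBucketAcl on the bucket and PutObject under AWSLogs/<account-id>/ with
bucket-owner-full-control, so the central account owns every object."""
import re
from typing import Dict, Iterable, List

ACCOUNT_ID = re.compile(r"^\d{12}$")


def cloudtrail_bucket_policy(bucket: str, sender_accounts: Iterable[str]) -> Dict:
    """Policy that lets CloudTrail in each listed account deliver to `bucket`."""
    accounts = sorted(set(sender_accounts))
    bad = [a for a in accounts if not ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail reads the bucket ACL before it starts delivering
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            {   # one prefix per sending account, nothing else in the bucket
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": [f"{bucket_arn}/AWSLogs/{a}/*" for a in accounts],
                # objects are handed to the bucket owner, so the central account
                # can read, redistribute and filter them without extra grants
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def allowed_prefixes(policy: Dict) -> List[str]:
    """Object prefixes this policy lets CloudTrail write to."""
    out: List[str] = []
    for st in policy["Statement"]:
        if st["Effect"] == "Allow" and st["Action"] == "s3:PutObject":
            res = st["Resource"]
            out.extend([res] if isinstance(res, str) else res)
    return out


def can_deliver(policy: Dict, account_id: str) -> bool:
    """Check: is account_id's CloudTrail granted its AWSLogs prefix?
    This compares prefixes only; it is not a full IAM policy evaluation."""
    bucket_arn = policy["Statement"][0]["Resource"]
    return f"{bucket_arn}/AWSLogs/{account_id}/*" in allowed_prefixes(policy)


if __name__ == "__main__":
    import json
    policy = cloudtrail_bucket_policy("central-trail-logs",
                                      ["111111111111", "222222222222"])
    print(json.dumps(policy, indent=2))
    print("222222222222 can deliver:", can_deliver(policy, "222222222222"))
    print("333333333333 can deliver:", can_deliver(policy, "333333333333"))
```

Each member account then creates its trail with `--s3-bucket-name central-trail-logs`; an account that is not in the list gets an InsufficientS3BucketPolicyException at trail creation rather than silently delivering nowhere.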

Turn on CloudTrail

Turn on CloudTrail using AWS CLI

• Step 1: Create a trail (the S3 bucket must already exist and carry a bucket policy that allows CloudTrail to write to it)

    $ aws cloudtrail create-trail --region=eu-central-1 \
        --name ITAuditandOpsTrail --s3-bucket-name mybucket

• Step 2: Start logging on the trail

    $ aws cloudtrail start-logging --region=eu-central-1 \
        --name ITAuditandOpsTrail

What does an event look like?

    {
        "eventVersion": "1.01",
        "userIdentity": {
            "type": "IAMUser",                                // Who?
            "principalId": "AIDAJDPLRKLG7UEXAMPLE",
            "arn": "arn:aws:iam::123456789012:user/Alice",    // Who?
            "accountId": "123456789012",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "userName": "Alice",
            "sessionContext": {
                "attributes": {
                    "mfaAuthenticated": "false",
                    "creationDate": "2014-03-18T14:29:23Z"
                }
            }
        },
        "eventTime": "2014-03-18T14:30:07Z",                  // When?
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StartLogging",                          // What?
        "awsRegion": "us-west-2",                             // Where to?
        "sourceIPAddress": "72.21.198.64",                    // Where from?
        "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
        "requestParameters": {
            "name": "Default"                                 // Which resource?
        }
        // more event details
    }

Receive email notifications of specific API activity (diagram: Lambda)
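The event layout above and the "prove that you did not use the wrong region or unwanted services" goal come together in a small triage routine. The following is an added example, not code from the talk: it answers the five who/when/what/which/where questions for each record of a CloudTrail log file and flags calls outside an approved region or service list, calls that change the trail itself when made without MFA, and failed calls. The allow-lists, the helper `make_record` and all sample records are constructed assumptions; the first sample record mirrors the slide's StartLogging event.

```python
"""Triage CloudTrail records.

Added example, not from the talk. APPROVED_REGIONS / APPROVED_SERVICES are
assumed allow-lists; make_record builds constructed sample events in the
shape shown on the slide."""
import json
from typing import Dict, List

APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}                 # assumption
APPROVED_SERVICES = {"ec2.amazonaws.com", "s3.amazonaws.com",      # assumption
                     "iam.amazonaws.com", "cloudtrail.amazonaws.com"}
# Calls that stop or alter the audit trail; alert when made without MFA.
SENSITIVE_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def describe(event: Dict) -> Dict:
    """The five questions from the slide, answered from one record."""
    ident = event.get("userIdentity", {})
    return {
        "who": ident.get("arn") or ident.get("principalId"),
        "when": event.get("eventTime"),
        "what": f'{event.get("eventSource")}:{event.get("eventName")}',
        "which": event.get("requestParameters"),
        "where_from": event.get("sourceIPAddress"),
        "where_to": event.get("awsRegion"),
    }


def mfa_used(event: Dict) -> bool:
    """CloudTrail stores mfaAuthenticated as the string "true"/"false"."""
    attrs = (event.get("userIdentity", {})
                  .get("sessionContext", {})
                  .get("attributes", {}))
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def findings(event: Dict) -> List[str]:
    """Policy checks for one record; empty list means nothing to report."""
    out: List[str] = []
    region, service, name = (event.get("awsRegion"), event.get("eventSource"),
                             event.get("eventName"))
    if region not in APPROVED_REGIONS:
        out.append(f"unapproved region {region}")
    if service not in APPROVED_SERVICES:
        out.append(f"unapproved service {service}")
    if name in SENSITIVE_EVENTS and not mfa_used(event):
        out.append(f"sensitive call {name} without MFA")
    if event.get("errorCode"):          # denied attempts are worth seeing too
        out.append(f"failed call: {event['errorCode']}")
    return out


def triage(log_file_text: str) -> List[Dict]:
    """Take the body of one CloudTrail log file ({"Records": [...]}) and
    return summary plus findings for every record that raised any."""
    records = json.loads(log_file_text)["Records"]
    hits = []
    for rec in records:
        f = findings(rec)
        if f:
            hits.append({"summary": describe(rec), "findings": f})
    return hits


def make_record(name: str, source: str, region: str, user: str = "Alice",
                mfa: str = "false", ip: str = "72.21.198.64", **extra) -> Dict:
    """Constructed record in the shape of the slide's example event."""
    rec = {
        "eventVersion": "1.01",
        "userIdentity": {
            "type": "IAMUser",
            "arn": f"arn:aws:iam::123456789012:user/{user}",
            "accountId": "123456789012",
            "userName": user,
            "sessionContext": {"attributes": {"mfaAuthenticated": mfa}},
        },
        "eventTime": "2014-03-18T14:30:07Z",
        "eventSource": source,
        "eventName": name,
        "awsRegion": region,
        "sourceIPAddress": ip,
        "requestParameters": {"name": "Default"},
    }
    rec.update(extra)
    return rec


# Constructed sample log file: the slide's StartLogging event plus four more.
SAMPLE_LOG = json.dumps({"Records": [
    make_record("StartLogging", "cloudtrail.amazonaws.com", "us-west-2"),
    make_record("StopLogging", "cloudtrail.amazonaws.com", "us-west-2", user="Mallory"),
    make_record("DescribeInstances", "ec2.amazonaws.com", "eu-west-1", mfa="true"),
    make_record("CreateFunction20150331", "lambda.amazonaws.com", "eu-west-1", mfa="true"),
    make_record("DeleteTrail", "cloudtrail.amazonaws.com", "eu-central-1", mfa="true",
                errorCode="AccessDenied"),
]})

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["summary"]["who"], hit["summary"]["what"], hit["findings"])
```

`triage` takes exactly what CloudTrail writes to S3 (after gunzip), so the same function can run inside a Lambda invoked from the trail's S3 notification and publish its findings to an SNS topic for e-mail; that wiring is assumed here, not shown.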

CloudTrail: Demo

VPC FlowLogs: Detailed

Firewall Requirements

• Based on the NIST 800 series, BSI IT-Grundschutz and others

– Anti-Spoofing

– Packet-Filtering (minimum) stateful/stateless

– Segregation of Duties at the management side

– Logging/Audit capabilities on the management side

– Event-Logging on processed traffic

AWS building blocks shown against these requirements: Security Group, IAM, AWS Config, CloudTrail, FlowLogs

The Source I

(Diagram: Flow Logs are delivered to CloudWatch Logs as one LogGroup containing one ENI-LogStream per elastic network interface.)

The Source II

(Diagram: flows through a VPC spanning Availability Zone A and Availability Zone B. Each subnet (10.0.0.0/24, 10.0.1.0/24) has its own Routing Table and Network ACL; instances sit behind Security Groups; a Router connects the subnets to a Virtual Private Gateway and an Internet Gateway.)

• Lockdown at instance level (Security Group)

• Lockdown at network level (Network ACL)

• Route restrictively (Routing Table)

• Isolate network functions (Virtual Private Gateway / Internet Gateway)

Structure I

Fields of a flow log record, with the example record

    2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK

broken out field by field:

Event-Version: 2

Account Number: 123456789

ENI-ID: eni-31607853

Source-IP: 172.16.0.10

Destination-IP: 172.16.0.172

Source-Port: 80

Destination-Port: 41707

Proto-Number: 6

Number of Packets: 1

Number of Bytes: 40

Start-Time Window: 1440402534

End-Time Window: 1440402589

Action: ACCEPT

State: OK

Structure II

Flow Logs are STATISTICAL: a record does not describe a single packet but summarises one flow's activity within a window of time. The fields that carry that summary are Start-Time Window, End-Time Window, Number of Packets, Number of Bytes and Action.

Structure III

(Diagram: TIME on one axis against the S/D IP/Port tuple on the other, one record per window, followed by an Example.)

How To Access

(Diagram: in CloudWatch Logs, pick the LogGroup, then the ENI-LogStream of interest, then a Start/End TIME range.)

Some Analytics

Time -> 1 Month, 2 Public IPs

Demo output:

    ('Number of Source IPs: ', 48604)
    ('Number of Destination IPs: ', 5373)
    ('Number of Source Ports: ', 64363)
    ('Number of Destination Ports: ', 64348)
    ('Number of Bytes IPs: ', 887551682.0)
    ('Number of Packets IPs: ', 8400707.0)
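To reproduce the kind of summary shown above from raw records in the Structure I layout, here is an added example (not the demo's own code): a parser for version 2 flow log records that skips NODATA/SKIPDATA records, the same six counters as the demo output, and one detection the counters alone do not give you, a source whose REJECTed flows touched several distinct destination ports on one ENI. The sample records are constructed; the first is the slide's example record.

```python
"""Parse VPC Flow Log records (version 2, default field order) and run the
demo-style summary plus a REJECT-based scan heuristic.

Added example, not from the talk. SAMPLE is constructed; its first line is
the record shown on the Structure I slide."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Default field order of a version 2 record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass
class Flow:
    version: int
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int          # window start, epoch seconds
    end: int            # window end, epoch seconds
    action: str         # ACCEPT or REJECT
    log_status: str     # OK, NODATA or SKIPDATA


def parse_record(line: str) -> Optional[Flow]:
    """Return a Flow for an OK record; None for NODATA/SKIPDATA records,
    whose traffic fields are '-' and must not be counted as activity."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return Flow(
        version=int(rec["version"]), account_id=rec["account_id"],
        interface_id=rec["interface_id"], srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"], srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]), protocol=int(rec["protocol"]),
        packets=int(rec["packets"]), bytes=int(rec["bytes"]),
        start=int(rec["start"]), end=int(rec["end"]),
        action=rec["action"], log_status=rec["log_status"],
    )


def parse_records(lines: Iterable[str]) -> List[Flow]:
    return [f for f in (parse_record(l) for l in lines if l.strip()) if f]


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """The same six counters the demo printed."""
    return {
        "source_ips": len({f.srcaddr for f in flows}),
        "destination_ips": len({f.dstaddr for f in flows}),
        "source_ports": len({f.srcport for f in flows}),
        "destination_ports": len({f.dstport for f in flows}),
        "bytes": sum(f.bytes for f in flows),
        "packets": sum(f.packets for f in flows),
    }


def rejected_port_scanners(flows: List[Flow], min_ports: int = 3) -> Dict[Tuple[str, str], List[int]]:
    """(ENI, source IP) pairs whose REJECTed flows hit >= min_ports distinct
    destination ports: crude, but records are per-window aggregates, so a
    few REJECT lines to different ports already mean repeated probing."""
    ports = defaultdict(set)
    for f in flows:
        if f.action == "REJECT":
            ports[(f.interface_id, f.srcaddr)].add(f.dstport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


# Constructed sample: slide record, its reply, three rejected probes, one NODATA.
SAMPLE = """\
2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
2 123456789 eni-31607853 172.16.0.172 172.16.0.10 41707 80 6 5 2000 1440402534 1440402589 ACCEPT OK
2 123456789 eni-31607853 198.51.100.7 172.16.0.10 55000 22 6 1 60 1440402534 1440402589 REJECT OK
2 123456789 eni-31607853 198.51.100.7 172.16.0.10 55001 23 6 1 60 1440402534 1440402589 REJECT OK
2 123456789 eni-31607853 198.51.100.7 172.16.0.10 55002 3389 6 1 60 1440402534 1440402589 REJECT OK
2 123456789 eni-31607853 - - - - - - - 1440402534 1440402589 - NODATA
"""

if __name__ == "__main__":
    flows = parse_records(SAMPLE.splitlines())
    for k, v in summarize(flows).items():
        print(f"Number of {k}: {v}")
    print("rejected scanners:", rejected_port_scanners(flows))
```

Point `parse_records` at the lines pulled from a CloudWatch Logs stream (for example via `aws logs get-log-events`) and the counters match the demo's style; the NODATA/SKIPDATA skip matters because those records carry no addresses and would otherwise raise on the int() conversions or skew the unique-IP counts.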


FlowLogs: Demo

Thank You