This document discusses how to automate compliance when using AWS cloud services. It recommends five steps: 1) Partner cloud technology and security experts; 2) Integrate industry standards and regulatory requirements; 3) Create a master design that meets requirements; 4) Enforce deployment according to the design; and 5) Mechanize scalable governance and auditing programs. Following best practices like leveraging CIS benchmarks, creating a "golden environment" configuration, and using AWS Service Catalog can help automate controls and achieve continuous compliance defense in the cloud.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Getting Started with
Automating Compliance
Defense in the Cloud

2. What are you going to take-away
 AWS Shared Responsibility
 Know the cloud governance steps
 How to use cloud services to create a persistent state of compliance
 Best practices for a strong compliance defense

3. Poll Question
To understand the make up of
today’s audience, please select the
option that best describes your role.

4. https://aws.amazon.com/solutions/#industry
https://aws.amazon.com/financial-services
Regulated, audited, and sensitive
data will be better fit to be stored
and processed in the cloud.

5. Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & AccessManagement
Operating System, Network & Firewall Configuration
Customer content
AWS Shared Responsibility
You get to define
your controls IN
the cloud
AWS takes care
of security OF the
cloud
aws.amazon.com/compliance/shared-responsibility-model
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones Edge
Locations

6. Tao of Cloud Compliance
1. Partner the cloud tech SMEs and the security/ compliance SMEs
2. Integrate industry standards, independent benchmarking,
regulatory requirements
3. Design and Package: Create a master design that meets internal
and external requirements
4. Constrain: Enforce deployment to that design
5. Deploy: Mechanize a scalable governance and auditing program

7. Step 1: Partner the cloud tech SMEs
and the security/ compliance SMEs

8. Customer Governance Model: Permanent Supervision
 AWS Best Practices
 Industry Standards
 AWS Architecture for Standards
 Internal & Regulatory Requirements
 Service Documentation
 AWS Workbooks
 AWS Technology Resources
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & AccessManagement
Operating System, Network & Firewall Configuration
Customer content
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones Edge
Locations

9. Poll Question
Within your organization, how
closely does your compliance
department work with your
information technology team?

10. Step 2: Integrate industry standards,
independent benchmarking,
regulatory requirements

11. Industry Standards and Benchmarking
CIS Amazon Web Services Foundations
Benchmark v1.0.0
Description
This document provides prescriptive guidance
for configuring security options for a subset of
Amazon Web Services with an emphasis on
foundational, testable, and architecture agnostic
settings.

12. FFIEC Assessment Guide for AWS

13. Poll Question
Has your organization leveraged
CIS benchmarks to implement
industry-standard best practices?

14. Step 3: Create a master design that
meets internal and external
requirements

15. Create a golden environment
 Using baseline requirements to create a gold OS image
 Configure use of AWS services, for example:
Amazon S3 Amazon EBS Amazon Redshift
 Force SSE
 Turn on logging
 Specify retention
 Set Amazon Glacier
archiving
 Prevent external access
 Specify overriding
permissions
 Set event notifications
 Define volume type
 Volume size limits
 IOPS performance
(input/output)
 Data location – regions
 Snapshot (backup) ID
 Encryption requirements
 Cluster type (single or multi)
 Encryption (KMS or HSM)
 VPC location
 External access (yes/no)
 Security groups applied
 Create SNS topic
 Enforce Amazon
CloudWatch alarms

16. Poll Question
What are your greatest challenges
prohibiting the automation of
controls throughout your
organization?

17. Step 4: Enforce deployment to that
design

18. Enforce AWS Service Catalog
Allows administrators to create and manage catalogs of approved resources
(products) that users can access via a personalized portal.
 Control which IT services and versions are available
 Control the configuration of the available services
 Control permission access by individual, group, department, or cost center.
Provisioning Team creates
and manages Service Catalog
Products built from
CloudFormation Templates
An AWS Service Catalog
product is a deployable AWS
CloudFormation template.

19. Step 5: Mechanize a scalable
governance and auditing program

20. Governance & Auditing Program

21. Best Practices for a Strong Compliance Defense
1. How is the entity using the cloud?
2. Is the entity leveraging credible, third-party assessments?
3. Has the entity benchmarked their use of the cloud against CIS or another
independent body?
4. How do they monitor use of the cloud?
5. How has application, logical access, resiliency, governance changed?

22. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jodi Scrofani, Financial Services Compliance Strategist at AWS
Thank You!