This document discusses how to automate compliance when using AWS cloud services. It recommends five steps: 1) Partner cloud technology and security experts; 2) Integrate industry standards and regulatory requirements; 3) Create a master design that meets requirements; 4) Enforce deployment according to the design; and 5) Mechanize scalable governance and auditing programs. Following best practices like leveraging CIS benchmarks, creating a "golden environment" configuration, and using AWS Service Catalog can help automate controls and achieve continuous compliance defense in the cloud.
2. What are you going to take away
AWS Shared Responsibility
Know the cloud governance steps
How to use cloud services to create a persistent state of compliance
Best practices for a strong compliance defense
3. Poll Question
To understand the makeup of today's audience, please select the option that best describes your role.
5. AWS Shared Responsibility
You get to define your controls IN the cloud; AWS takes care of security OF the cloud.
Customer responsibility (security IN the cloud): customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption, network traffic protection.
AWS responsibility (security OF the cloud): AWS Foundation Services (compute, storage, database, networking) and AWS Global Infrastructure (regions, availability zones, edge locations).
aws.amazon.com/compliance/shared-responsibility-model
6. Tao of Cloud Compliance
1. Partner the cloud tech SMEs and the security/compliance SMEs
2. Integrate industry standards, independent benchmarking, regulatory requirements
3. Design and Package: Create a master design that meets internal and external requirements
4. Constrain: Enforce deployment to that design
5. Deploy: Mechanize a scalable governance and auditing program
7. Step 1: Partner the cloud tech SMEs and the security/compliance SMEs
8. Customer Governance Model: Permanent Supervision
AWS Best Practices
Industry Standards
AWS Architecture for Standards
Internal & Regulatory Requirements
Service Documentation
AWS Workbooks
AWS Technology Resources
(Diagram: the AWS shared responsibility layers from slide 5, repeated here with the items above laid over them.)
9. Poll Question
Within your organization, how closely does your compliance department work with your information technology team?
10. Step 2: Integrate industry standards, independent benchmarking, regulatory requirements
11. Industry Standards and Benchmarking
CIS Amazon Web Services Foundations Benchmark v1.0.0
Description: This document provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
18. Enforce AWS Service Catalog
Allows administrators to create and manage catalogs of approved resources (products) that users can access via a personalized portal.
Control which IT services and versions are available
Control the configuration of the available services
Control permission access by individual, group, department, or cost center.
Provisioning Team creates and manages Service Catalog Products built from CloudFormation Templates.
An AWS Service Catalog product is a deployable AWS CloudFormation template.
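As an added example (not from the deck, and not AWS or CIS code), the following check applies step 4, Constrain, at the point where a product enters the catalog: since a Service Catalog product is a CloudFormation template, the template is validated against a small set of golden-design rules before it is published. The rule table and the sample template are constructed for illustration; the security-group rule follows the spirit of the CIS Foundations Benchmark's check against SSH ingress from 0.0.0.0/0.

```python
# Golden-design rules (constructed for this example): type -> property path -> required value (None = present).
GOLDEN_RULES = {"AWS::S3::Bucket": {
    ("PublicAccessBlockConfiguration", "BlockPublicAcls"): True,
    ("PublicAccessBlockConfiguration", "RestrictPublicBuckets"): True,
    ("BucketEncryption",): None,
}}

def _lookup(props, path):
    """Walk a nested property path; None if any key is missing."""
    for key in path:
        if not isinstance(props, dict) or key not in props:
            return None
        props = props[key]
    return props

def open_ssh_ingress(props):
    """True if an ingress rule exposes TCP/22 (or all traffic) to 0.0.0.0/0."""
    for rule in props.get("SecurityGroupIngress", []):
        proto = str(rule.get("IpProtocol", ""))
        low, high = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
        if rule.get("CidrIp") == "0.0.0.0/0" and (proto == "-1" or (proto == "tcp" and low <= 22 <= high)):
            return True
    return False

def check_template(template):
    """Return (logical_id, message) findings; an empty list means the template may be published."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        for path, expected in GOLDEN_RULES.get(rtype, {}).items():
            actual = _lookup(props, path)
            if actual is None:
                findings.append((logical_id, "/".join(path) + " is missing"))
            elif expected is not None and actual != expected:
                findings.append((logical_id, f"{'/'.join(path)} must be {expected}"))
        if rtype == "AWS::EC2::SecurityGroup" and open_ssh_ingress(props):
            findings.append((logical_id, "allows SSH ingress from 0.0.0.0/0"))
    return findings

# Constructed sample template (CloudFormation JSON as a Python dict): a compliant bucket, a bare bucket, an open SG.
SAMPLE_TEMPLATE = {"Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "RestrictPublicBuckets": True}}},
    "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "constructed sample",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}}}}
```

Running check_template(SAMPLE_TEMPLATE) reports three missing settings on ScratchBucket and the open SSH rule on AdminSG, while LogBucket passes.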
21. Best Practices for a Strong Compliance Defense
1. How is the entity using the cloud?
2. Is the entity leveraging credible, third-party assessments?
3. Has the entity benchmarked their use of the cloud against CIS or another independent body?
4. How do they monitor use of the cloud?
5. How has application, logical access, resiliency, governance changed?