Speaker: Alejandra Artiguez, FSI Compliance Program Manager, APAC, AWS Customer Speaker: Clara Lee Hui Theng, Head Technology & Operations, RHB Bank Berhad (Singapore) Security and Compliance is a shared responsibility between AWS and the customer. In this session we will examine the AWS Shared responsibility model, and AWS compliance programs customers can use to gain assurance of security controls in the cloud. We will dive-deep into a number of cloud native security services that customers can use to protect their critical systems when migrating to AWS. Finally we will review a next-generation approach to audit and continuous compliance leveraging automation to identify mis-configurations and perform automatic remediatation to protect your AWS workloads.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Next Generation Audit & Compliance
Alejandra Artiguez
FSI Compliance and Audit Program Manager
Amazon Web Services (AWS)
John Painter
Managing Director - ASEAN
Sourced Group
Clara Lee Hui Theng
Head of Technology & Operations
RHB Bank

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Shared Responsibility Model

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Compliance Programs

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Security, Identity & Compliance Services
• AWS Identity & Access
Management (IAM)
• AWS Single Sign-On
(SSO)
• AWS Directory Service
• Amazon Cloud Directory
• AWS Secrets Manager
• Amazon Cognito
• AWS Organizations
• AWS Resource Access
Manager (RAM)
• AWS Security Hub
• Amazon GuardDuty
• AWS CloudTrail
• AWS Config
• Amazon
CloudWatch
• VPC Flow Logs
• AWS Systems
Manager
• AWS Shield
• AWS Web Application
Firewall (AWS WAF)
• Amazon Inspector
• Amazon Virtual
Private Cloud (VPC)
• AWS Key
Management Service
(KMS)
• AWS CloudHSM
• Amazon Macie
• AWS Certificate
Manager
• Server-Side
Encryption
• AWS Config Rules
• AWS Lambda
Identity Detective
Control
Infrastructure
Security
Incident
Response
Data
Protection

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Your Compliance Requirements
Financial Institution
Internal Policies, Standards,
Procedures & Controls
Security Standards
NIST, CIS, ISO27001
Outsourcing Regulation,
Technology Risk Management

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Current Approach to Compliance and Audit
Sampling
Approach
Point in Time
Assessments
Spreadsheet /
Checklist
Driven
Inaccurate
Evidence
Collection
Manual
Validation

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS & Continuous Compliance
Unprecedented Visibility Near Real-Time Automation Continuous Compliance
Having the visibility into WHO made WHAT change from WHERE in near real-time allows
Financial Institutions to DETECT mis-configurations and non-compliance and RESPOND quickly to
PREVENT risks from materializing.

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Service Level Overview
AWS Management
Console; AWS SDKs;
CLI; AWS services
AWS Config Rules
AWS Config AWS Security Hub
Amazon SNS
AWS Lambda
CloudWatch Events
Third-Party
Integrations
AWS Lambda
AWS
CloudTrail

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Config
Predefined &
Customizable
Rules
Near Real-Time
Visibility
Ability to
Automatically
Respond

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Config Compliance History
AWS Config allows you to record and retrieve the compliance
status of a resource over time. This allows your risk, compliance
and audit teams to determine if a resource always has been
compliant or has drifted in and out of compliance with on-going
changes.

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
How does it work?
screenshot samples

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Validation in AWS - APIs

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Validation in AWS - Continuous compliance

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Config Automated remediation

15. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
About Us
RHBSingaporewasfirstestablishedin1961throughaseriesofrapidexpansionandstrategicmergers.For
morethanhalfacenturyinSingapore,RHBhasgarneredinvaluablefinancialexperienceandtransferred
thoseinsightsofserviceexcellenceontoclients,helpingindividualsandcorporationsfulfiltheirfinancial
goals. RHBSingapore’scorebusinessesarestreamlinedintoninepillars,namelyPersonalFinancialServices
andWealthManagement,CommercialBanking,CorporateBanking,BusinessCentres,Treasury,Structured
FinanceaswellasInvestmentBanking,BrokerageandAssetManagementbusinesses. TheGroup’s
regionalpresencespanstencountriesinASEANincludingHongKong.RHBBankingGroupaspiresto
deliversuperiorcustomerexperienceandshareholdervalue;andtoberecognisedasaLeading
MultinationalFinancialServicesGroup.
The Journey started in 2018
RHB Singapore is embarking on an enterprise-wide digital transformation journey to enable
innovation, deliver, exceptional customer experiences and enhance its competitive
advantage within the region.
We Launched our First AWS Production workload in 2018
A Digital product comprising of a Multi-currency e-wallet, self service on-boarding, VISA
card, and a Mobile App to manage it all.
RHB Bank Singapore’s Journey to the
Cloud
Clara Lee Hui
Theng
Head Technology &
Operations

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
RHB – The start of the cloud journey
• > 12 Month internal journey of due diligence to obtain go ahead as Outsourcing
• 2 Regulatory bodies consulted during the journey
• 3 Months to build out the Landing Zone consisting of core foundations
• 8 Months (5 months after Landing Zone) to build and deploy first production
workload
• 1 Core principle adopted with AWS – Cloud First
• 2nd production workload – SG Corporate Web-site
• 1 Current focus - Migration of on premise workloads to AWS

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Overall Cloud Journey
Build out Secure
Foundations
First
Production
Workload
Non Material
Applications
Core Banking
and Material
Applications
All In

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
RHB TravelFX

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
TravelFX
• RHB first production workload in AWS
• Micro-services based architecture.
Mobile App functionality delivered
through orchestration of backend API
calls
• Architected using AWS native services
such as API Gateway, Lambda, and
RDS
• Auto-scaling applied to ec2 resources
to enable demand based scale-up
• All data encrypted in transit and at
rest using AWS KMS service.

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS
TravelFX Compliance Landscape
AWS Compliance
AWS
AWS
AWS Production
AWS ConfigAWS Cloudtrail VPC Flowlogs
• Invest in and build out a strong
foundational base as the first
step
• Accounts, Networks, Compliance Services
• Avoid the “account sprawl” and
enforce the foundations
• Build the central compliance
framework
• Invest in cloud native services
and tools to operationalize
compliance

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Using “Infrastructure as code” for approval workflows
All elements are
defined
exclusively via
CloudFormation
Changes to
platform and
applications are
approved via a git
“Pull Request”
Automation
deploys the
changes. No
human interaction
is allowed
Pull Requests
1. Requester, Approver(s), datestamps, comments, and changes that are being applied
2. Fully auditable changelog
3. Forced multi-actor approval chain can be applied

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Control Options

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Control Options

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Directive Control Plane
Central Library of
Certified Patterns
Development
teams are free to
self service Applications are
compliant and
certified by
default

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multi Layered Compliance
Certified Patterns Detective
Validation
Canary Engine

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Compliance resources
AWS Whitepapers AWS Compliance Center
(www.atlas.aws)
AWS Workbooks

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Compliance Center

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Next steps
1. Understand your
requirements
2. Identify responsibility
for each control
3. Use AWS Compliance Reports
and Workbooks
4. Define the control 5. Enable AWS services for
real time visibility
6. Use AWS services for
near real-time automation
7. Iterate!

30. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Alejandra Artiguez
aartigue@amazon.com

31. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.