The document discusses several audit findings related to IT compliance and provides recommendations and AWS services to address them. It describes findings such as insufficient permissions management, developers having privileged access to production systems, and internal systems lacking user authentication. It then outlines strategies like using a multi-account structure, AWS SSO, immutable infrastructure, and zero-trust architectures to remedy these issues. The document is intended to help organizations design their environments for IT compliance.

1. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Design for compliance:Practical
patterns for meeting your IT
compliancerequirements
Kurt Gray
Principal Solutions Architect
AWS Global Financial Services
Amazon Web Services
G R C 2 0 1

2. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Compliance on AWS
aws.amazon.com/compliance
AWS Artifact

3. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
AWS shared responsibility model
Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer
(Amazon EC2)
Hardened service endpoints
Rich AWS Identity and
Access Management (IAM)
capabilities
Network configuration
Security groups
OS firewalls
Operating systems
Applications
Proper service configuration
AuthN & acct management
Authorization policies
+ =
Customer

4. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Start with your risk-control mappings
Risk Requirement ControlReference Environment Tech Control Evidence EvidenceOwner
Exceptions
Owner
Risk Requirement Control Reference Environment Tech Control Evidence Evidence Owner
Exceptions
Owner
Unauthorized access Disable inactive employee logins PCI 8.1.4 Ent Corp Tech (ETC) ADFS Password Expiration AD-user-audit Report ETC DevSec ETC IT
Unauthorized access Disable inactive employee logins HIPAA 164.308(a)(3)(ii)(B) Ent Corp Tech (ETC) ADFS Password Expiration AD-user-audit Report ETC DevSec ETC IT
Unauthorized access Disable inactive employee logins ISO 27001 A.9.2.5 Ent Corp Tech (ETC) ADFS Password Expiration AD-user-audit Report ETC DevSec ETC IT
Unauthorized access Disable inactive employee logins PCI 8.1.4 AWS IAM Password Expiration AWS-IAM-user-audit Report ETC Cloud DevSec ETC Cloud
Unauthorized access Disable inactive employee logins HIPAA 164.308(a)(3)(ii)(B) AWS IAM Password Expiration AWS-IAM-user-audit Report ETC Cloud DevSec ETC Cloud
Unauthorized access Disable inactive employee logins ISO 27001 A.9.2.5 AWS IAM Password Expiration AWS-IAM-user-audit Report ETC Cloud DevSec ETC Cloud
Unauthorized access Role-based Access Control (RBAC) PCI 8.1.4 AWS IAM user audit AWS-IAM-user-audit Report ETC Cloud DevSec ETC Cloud

5. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.

6. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Example audit findings
1. Insufficient understanding of permissions
2. Developers have privileged access to production
3. Internal systems lacking user authentication

7. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Audit finding 1: Permissions management
“Entitlement owners have insufficient understanding of permissions resulting
in inappropriate access and incomplete access reviews”
Underlying causes:

8. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Example cause: Dev became production
Deploy
TestDesign
Code
MVP
Dev
POC work zone
+ Live Customers =
Deploy
TestDesign
Code
Production!

9. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Disposable POC dev environments
Deploy
TestDesign
Code
Proto
Dev
Least-Privileged PrototypeTemp POC work zone
* No customer data here
Working Prototype Artifacts
Test
DiagnoseTeardown
Deploy
Staging
Phase 1: POC Phase 2: POC Teardown Phase 3: MVP Beta
MVP Template

10. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Database Team 7
Personalization
Team
User Profiles Ops
Team
Capital Markets UX
Team
New App Dev Team
DevSecOpsTeam
Random Developer
Random Contractor
Privileged Admin
BU Architect
Example root cause: Shared AWS environments
AWS Cloud
VPC
VPC
VPC
VPC
VPC

11. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Multi-account strategy: Departmental AWS accounts
Analytics Team 1 Database Team 7
DevOpsTeam
Capital Markets
UX Team
New App Dev
Team
DevOpsTeam
Random
Contractor
SecOps Auditor
BU Architect
VPC VPC
VPC VPC
VPC
VPC
AWS Cloud AWS Cloud AWS Cloud
AWS Cloud

12. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Example: Thomson Reuters multi-account strategy

13. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
… also AWS Control Tower

14. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
AWS SSO: Centralized access management

15. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
AWS Organizations, centralized access policies

16. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Organizations, new policy elements
Policy Element Definition Supported StatementEffect
Statement
Main element for a policy. Each policy can have
multiple statements.
Allow, Deny
Sid (Optional) Friendly name for the statement. Allow, Deny
Effect
Define whether an SCP statement allows or
denies actions in an account.
Allow, Deny
Action List the AWS actions the SCP applies to. Allow, Deny
NotAction (New)
(Optional) List the AWS actions exempt from the
SCP. Used in place of the Action element.
Deny
Resource (New) List the AWS resources the SCP applies to. Deny
Condition (New)
(Optional) Specify conditions for when the
statement is in effect.
Deny

17. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Example audit findings
1. Insufficient understanding of permissions
2. Developers have privileged access to production
3. Internal systems lacking user authentication

18. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Audit finding 2: Devs have production access
“Developers have been granted access that allows for migrating changes to
production”
Underlying causes:

19. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Design for compliance: immutable production
Deploy
RunMonitor
Change
Production
No humans allowed

20. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Tools (not humans) change production
Deliver
ImportTest
TeardownCommit
TestDesign
Code Run
MonitorMask
Deploy
Dev Staging Production
No humans allowedHuman work zone Automated test zone

21. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Change approval: Separation of duties meets CI/CD
Development QA
Operations
UI
Tests
Security
Tests
Code Review
Integration Tests
Unit Tests, Static Analysis
Automated
Delivery
Automated Tests
Code Review
Automated
Deployment
Automated
Monitoring
Change
Request
Develop
DevSecOps
Test results
Deployment logs
Deployment notifications
Audit Trails and Artifacts

22. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Just-in-time break-glass access approvals
AssumeRole
Audit Trail
Temp Access
Requested
Temp Access
Approved Diagnose
Logout
Access
Logs
Temp
Access
Ticket Production
Read-Only ZoneAccess Control Portal

23. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
PAM example: ServiceNow + Centrify

24. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Auditable terminal access without jump boxes
AWS Systems Manager
Session Manager
• Doesn’t use SSH
• No SSH inbound port needed
• Auditable interactive shell access
• IAM centralized access controls
ssh

25. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Weekly KRI tracking to hit compliance goals
0
5
10
15
20
25
30
Interactive Server Logins on Production (less is better)
BBQ DX Cluster
Acme Billing Prod
Acme API Prod
Server Pools

26. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
AWS privileged access management partners
aws.amazon.com/security/partner-solutions/

27. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Example audit findings
1. Insufficient understanding of permissions
2. Developers have privileged access to production
3. Internal systems lacking user authentication

28. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Audit finding 3: Lack of user authentication
“Internal systems lacking access restrictions based on user identity and job
role“
Underlying causes:

29. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Example cause: IP-based access controls
HTTP (80) ALLOW 88.44.21.148
HTTP (80) ALLOW 64.23.0.0/16
HTTP (80) ALLOW 204.172.63.12
HTTP (80) ALLOW 183.62.242.71
Backend network
DMZ network
Backend Core Services
VPN 1

30. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Zero Trust redesign using AWS services with RBAC
External users
VPC
AWS Cloud
VPC
AWS Cloud
Amazon API Gateway
IAM Auth
AWS Shield
Amazon CloudFront
AWS WAF
API Gateway
IAM Auth
Amazon RDS
Database
AWS Lambda functions
Amazon EC2 instances

31. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Service roles and avoiding static credentials
$ cat ~/.aws/credentials
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS Secrets Manager
AWS Service Roles
HashiCorp Vault

32. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Auditing for static credentials in IAM
user arn user_creation_time password_enabled password_last_used password_last_changed
<root_account>
arn:aws:iam::11111111111
1:root
2014-09-23T20:01:38+00:00 not_supported 2018-01-29T00:01:05+00:00 not_supported
demobuilder01
arn:aws:iam::11111111111
1:user/demobuilder01
2018-11-09T22:02:06+00:00 TRUE 2018-11-09T22:02:47+00:00 2018-11-09T22:02:07+00:00
User-1234
arn:aws:iam::11111111111
1:user/kuser-1234rt
2014-09-23T20:33:19+00:00 TRUE 2019-03-06T19:44:28+00:00 2018-09-25T12:57:07+00:00
Devuser-2313
arn:aws:iam::11111111111
1:user/Devuser-2313
2016-01-13T18:39:26+00:00 FALSE N/A N/A
dir-finance
arn:aws:iam::11111111111
1:user/dir-finance
2015-12-18T16:25:24+00:00 TRUE 2016-09-22T21:53:17+00:00 2016-09-22T21:53:09+00:00
Contractor-9557
arn:aws:iam::11111111111
1:user/Contractor-9557
2018-11-05T17:50:40+00:00 TRUE no_information 2018-11-05T17:50:41+00:00

33. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Addressing the audit findings
Insufficient understanding of permissions
Multi-accountstrategy, AWS SSO, Organizations, Control Tower
Developers have privileged access to production
Immutable production, integratechange approvals with CI/CD, just-in-time access, AWS PAM
partners
Internal systems lacking user authentication
Zero Trust architecture, API Gateway, Amazon RDS IAM Auth, Secrets Manager, IAM credential
auditing

34. Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Kurt Gray
Principal Solutions Architect
AWS Global Financial Services