
NIST Compliance, AWS Federal Pop-Up Loft



Attend this day-long workshop for U.S. Federal government and Department of Defense IT professionals, architects, and administrators to learn how to architect for DoD workloads in the cloud. Join this session to map DoD requirements for cloud architecture and get hands-on experience with AWS NIST Quick Start tools, which can help fast track the FedRAMP/DoD ATO process.



  1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automating Compliance: Architecting for NIST Workloads in AWS GovCloud
  2. Today’s Mission
     • Achieve an ATO for an Information System in AWS
     • This Mission is of Critical Importance to the future of your organization
     • We are entrusting you to carry out this Critical Mission because you are the best of the best of the best… (you get the idea)
     • Yes, it may seem daunting – but you are not alone…
     • Your AWS Mission Support Team:
       • Michael Alpaugh – Solution Architect, AWS WWPS
       • Priyanka Mahankali – Solution Architect, AWS WWPS
       • Shaked Rotlevi – Solution Architect, AWS WWPS
  3. This is your safety briefing…
     • Warning: Information Overload May Occur
     • Many cloud concepts will be new
     • Keep your harness strapped and your helmet on
     • Cut in extra cooling water to your laptops
     • Please ask questions!
     • This event is for you
     • We are always available for a deep dive
     • Email Us
  4. Objectives for Today
     • Gain confidence to build systems in the AWS cloud that meet Security/Compliance requirements
     • Understand the components of the AWS FedRAMP Package
     • Learn how compliance automation can help an ATO
     • See how AWS Compliance Quick Starts can help make your job easier while improving your system security posture
     • Have fun. Security and compliance don’t have to be boring, tedious, and/or difficult
  5. YOUR MISSION, Should you Choose to Accept It (AWS GovCloud (US))
  6. YOUR MISSION… (Should you choose to accept it): Move a 2 Tier Web App to the AWS Cloud & Attain an ATO
     • Can you do this? … Yes, YOU CAN! ✓ AWS makes it easier for you to move your workload to the Cloud.
     • Should you do this? … Yes, YOU SHOULD! ✓ AWS lowers cost, improves performance & allows agility
     • Am I authorized to do this? … Yes, YOU ARE! ✓ FedRAMP Guidance provides the roadmap to move to the Cloud
     • Are other people doing this? … Yes, THEY ARE! ✓ Examples include the DISA IASE web site or NASA JPL
  7. Mission Scope
     1. Move a 2 tier non-cloud web application to the Commercial Cloud
     2. Attain an ATO to support production operations
     (Diagram: a Production data center and a COOP data center, each with FW, LB, APP servers and a DB plus supporting SERVICES: AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up; the two sites are linked by Asynchronous Replication.)
  8. What is Cloud Computing? The on-demand delivery of:
     • rapidly elastic, pooled IT resources
     • over public or private networks
     • no long-term contracts
     • pay-as-you-go pricing
     • easily managed with self service tools
     • provides appropriate security
  9. Traditional Infrastructure vs. AWS Cloud (diagram)
     • Traditional Infrastructure: cost of Equipment, Resources and Administration, Contracts
     • AWS Cloud: No Up Front Expense, Pay for what you Use, Improve Agility, Scale Up and Down, Self-Service Infrastructure
  10. Using Cloud for DoD: Why now?
     • Federal, DoD & Agency Cloud Strategy
     • Lower Cost (CAP EX to OP EX)
     • New funding model
     • Large & growing feature set (chart of AWS New Services & Features per year: 2011: 80, 2012: 160, 2013: 280, 2014: 516, 2015: 722, 2016: 1017, 2017: 1430, 2018: 1957)
     • Performance & Reliability
     • Security
     • SPEED & AGILITY (DevSecOps, CI/CD, micro-services: AUTOMATE, INNOVATE, EXPERIMENT)
  11. How does Cloud Computing work in AWS? “Isn’t it just someone else’s computer? No, it is much more than that!”
     • Managed Large Scale Infrastructure
       • Data Centers / Security / Facilities
       • Networks / Compute / Storage / Databases
       • Integrated Management Tools & Services
     • Remotely accessible & manageable by the customer
     • Elastic & Scalable (automated, dynamic, responsive)
     • Extensive visibility and transparency capabilities
     • Security & Compliance built-in
  12. AWS Global Infrastructure… it’s really really BIG
     • 22 Regions, 66 Availability Zones, 176 Edge Locations
     • Millions of Active Customers, 190+ Countries, 5000+ Government Agencies, 10,000+ Educational Institutions
     (Map: each Region with its number of Availability Zones; AWS GovCloud (US): 3; Amazon Secret Region: 3; new Regions coming soon; announced Regions: Bahrain, Cape Town, Milan, Jakarta.)
  13. Amazon Global Network
     • Redundant 100 GbE network
     • Private network capacity between all AWS Regions, except China
  14. AWS Region (diagram): a Region contains multiple Availability Zones, each made up of several datacenters, interconnected through Transit Center 1 and Transit Center 2.
  15. AWS Region and Availability Zone View (sample US Region with Availability Zones A, B and C, each roughly a data center)
     - Regions = metropolitan area
     - Fully Isolated (security boundary)
     - Customer chooses Region
     - Data Stays within Region
     - Regions comprised of multiple Availability Zones
     - AZs connected through redundant low-latency links
     - Discrete UPS & Onsite backup
     - Redundant connections to multiple tier-1 ISPs
     - Built for Continuous Availability
     - PBs of Logs daily
  16. Architected for Government Security Requirements (graphic of compliance programs) And many more… https://aws.amazon.com/compliance/
  17. US AWS Regions (map; legend: Commercial, GovCloud and Classified Regions, each with its number of Availability Zones)
     • Commercial Regions: US East (VA), US East (OH), US West (OR), US West (CA) – FedRAMP MOD, DoD IL 2
     • GovCloud Regions: GovCloud West (OR), GovCloud East (OH) – FedRAMP HIGH/MOD, DoD IL 2/4/5
     • Classified Regions: Amazon Secret Region (ICD 503 SECRET, DoD IL 6) and a Region at ICD 503 TS/SCI
  18. AWS Service Breadth: storage, security, analytics, application integration, compute, customer engagement, database, developer tools, machine learning, IoT, mgmt/monitoring, media, migration, desktop, network
  19. Mission Defined & Mission Accepted – We accept our Mission: “ATO our system in the Cloud”. Let’s see where we can get guidance on:
     1. How to get an ATO
     2. How to get an ATO in the Cloud
     Next STOP – Mission Guidance – we are movin’ out!
  20. MISSION GUIDANCE: The Path to an ATO in the Cloud (AWS GovCloud (US))
  21. Let’s review how to get an ATO in general… then how to get an ATO in the Cloud!
  22. Where Do We Get Compliance/ATO Guidance?
     • NIST SP 800-53 (Security & Privacy Controls for Fed Info Systems & Orgs)
     • NIST SP 800-37 (Guide for Applying the Risk Management Framework)
     • FIPS 199 (Standard for Security Categorization of Federal Info. & Info. Systems)
     • CNSSI 1253 (Categorization & Control Selection for National Security Systems)
     ☞ Let’s look at the RMF process flow…
  23. NIST Risk Management Framework (Security Life-Cycle)
     1. CATEGORIZE Information System – Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
     2. SELECT Security Controls – Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
     3. IMPLEMENT Security Controls – Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
     4. ASSESS Security Controls – Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
     5. AUTHORIZE Information System – Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
     6. MONITOR Security State – Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
  24. NIST Risk Management Framework – activities around the six-step cycle (same diagram as the previous slide)
     ✓ Create a security authorization package (Agency or GRC tool – e.g. Xacta, Archer, Allgress, etc.)
     ✓ Categorize System (Low – Mod – High)
     ✓ Select security controls
     ✓ Develop initial architecture for your system/application
     ✓ Develop System Security Plan
     ✓ Document Security Controls Implementation
     ✓ Complete architecture build out and integrations with supporting services
     ✓ Lockdown system for testing
     ✓ Submit ATO package to AO
     ✓ Conduct regular security/vulnerability scans
     ✓ Update vulnerability & malware definitions
     ✓ Conduct patching (IAVM process)
     ✓ Perform periodic assessment & re-authorization
     ✓ Update SSP
     ✓ Track & report significant changes to AO
     ✓ Assess system
       • Pen tests & Vulnerability scans
       • Compliance reviews
     ✓ Document findings
     ✓ Create Plans of Action and Milestones
     ✓ Remediate
  25. How do we get approval to use Cloud? We know the basics of how to get an ATO. But what about an ATO in the Cloud? We can look at these sources for guidance:
     • FedRAMP
     • Agency-specific Guidance (e.g. DoD CC SRG)
     ☞ First let’s look at FedRAMP (RMF six-step diagram repeated)
  26. What is FedRAMP? Federal Risk & Authorization Management Program (FedRAMP) is government-wide
     • Standardized approach for Cloud Products & Services for: Security assessment, Authorization, Continuous monitoring
     • Developed in collaboration with: GSA, NIST, DHS, DoD, NSA, OMB, Federal CIO Council
  27. Why do we need FedRAMP?
     • Mandatory per OMB for cloud services that hold federal data
     • ”Do once, use many times” framework: saves government cost (work smarter, not harder); reduces redundant reviews
     • Provides tailored set of NIST SP 800-53 security controls, selected to provide protection in cloud environments; subsets defined for FIPS 199 Low, Moderate, and High categorizations
     • Established a Joint Authorization Board (JAB): CIOs from DoD, DHS & GSA
     • Establishes accreditation standards for 3rd party assessors of cloud solutions
     This is how we get assurance about Security OF the Cloud!
  28. Agency-Specific Guidance Example: DoD – DoD has its own specific implementation: DoD Cloud Computing (CC) Security Requirements Guide (SRG) v1r3, 6 MAR 2017 ☞ Let’s look at the DoD CC SRG
  29. What is the DoD CC SRG?
     • Applies to Cloud Service Providers and is for DoD Mission Owners
     • Aligns with FedRAMP
     • Describes functional aspects of a security architecture in the Cloud
     • Selects controls from the NIST SP 800-53 catalog using CNSSI 1253 guidance
     Think of the CC SRG as the DoD’s version of FedRAMP with extra functional security requirements to protect the DoDIN against perceived threats introduced by connecting to commercial Cloud Service Providers
  30. What is IN the DoD CC SRG?
     • Cloud Service Providers (CSP) definition
     • Cloud Service Offerings (CSO) definition
     • DoD RMF application to Commercial Cloud
     • Use of FedRAMP & FedRAMP+ controls
     • DoD Provisional Authorization definition
     • How to Classify and Categorize a system
     • And more…
  31. What is a Provisional Authorization?
     • Pre-acquisition type of RMF authorization
     • Pre-qualifies Commercial Cloud Service Offerings (CSO)
     • Supports “do once, use many” framework of FedRAMP
     • Used by DoD and Federal Cloud Mission Owners for Source Selection and for subsequent authorization under RMF
     • Used by Mission Owners the same as “Control Inheritance”
     • Leveraged by Mission Owner AO in overall risk assessment
  32. What is a CSP?
     • Cloud Service Provider
     • Organization that offers/provides Cloud Services
     • Commercial or Private
     • DoD and non-DoD
     • Commercial CSP Examples: AWS and Azure
     • DoD CSP Examples: milCloud
  33. What is a CSO?
     • Cloud Service Offering
     • A CSP’s Discrete Product or Service Offering
     • Individually Assessed for Provisional Authorizations
     • Well Defined Standardized Offerings
     • Customer Level of Control Varies by Service Model: IaaS or PaaS or SaaS
     • Shared Security Model Applies
  34. RMF Process: Federal/DoD Datacenter vs. In-Cloud (diagram). Both stacks span Datacenter Facility, Power, HVAC, Network, Server / Storage, Operating System and Application. In the Federal/DoD Datacenter, Inherited Controls from the DoD ATO plus Mission Owner Controls under RMF form the RMF Mission Owner ATO Package; In-Cloud, Inherited Controls from the CSP PA plus Mission Owner Controls under RMF form the same package.
  35. Cloud-related Initial Activities for RMF – Do Once per Enterprise Organization IAW FedRAMP
     ✓ Check FedRAMP catalog of Authorized Cloud Service Providers
     ✓ Select a CSP (Pick AWS!!)
     ✓ Review AWS compliance documentation
     ✓ Review security control inheritance & shared responsibility
     ✓ Grant an Organizational ATO for AWS as a General Support System (GSS)
     ✓ Load AWS into your GRC Tool as a GSS / Control provider
  36. Cloud-related Activities – RMF “Implement” Step
     ✓ “Inherit” Common/Shared Controls from AWS
     ✓ Build out base system using AWS Services and Features
     ✓ Ensure you employ AWS security-related services (AWS CloudTrail, Amazon CloudWatch, AWS Config, encryption, etc.)
  37. Let’s review where we stand on our Mission
     Mission Scope Outlined ✔
     Mission Accepted ✔
     Mission Guidance Identified ✔
     Now let’s take a look at the details of what we have to meet to get an ATO in the Cloud ☞ Next STOP ➤ MISSION REQUIREMENTS
  38. Questions?
  39. MISSION REQUIREMENTS: System Categorization & Compliance Requirements
  40. Why Do We Categorize our Systems? System category allows us to determine applicable requirements & security controls. Categorization done IAW:
     • FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems”
     • CNSSI 1253 “Security Categorization and Control Selection for National Security Systems”
     • DoDI 8510.01 ”Risk Management Framework (RMF) for DoD Information Technology”
     (RMF six-step diagram repeated)
  41. Impact Levels
     • FIPS 199 defines process to determine Impact Levels
     • Consider both: Sensitivity of Information & Impact of Events
     • Sensitivity of information stored or processed – for example: Public / Controlled Unclassified / Classified
     • Impact of Event that results in loss of:
       – Confidentiality (Low / Moderate / High)
       – Integrity (Low / Moderate / High)
       – Availability (Low / Moderate / High)
     (Examples of sensitive information: PII, PHI, Export Controlled, Critical Infrastructure, Sensitive Security)
  42. Categorization Example: For DoD, CC SRG also has its Information Impact Levels (SRG v1r3)
     • Impact Level 2 – Maximum Data Type: Non-Controlled Unclassified Information. Unclassified information approved for public release; unclassified, not designated as controlled unclassified information (CUI) or critical mission data, but requires some minimal level of access control.
     • Impact Level 4 – Maximum Data Type: Controlled Unclassified Information. Requires protection from unauthorized disclosure as established by Executive Order 13556 (Nov 2010); Education, Training, SSN, Recruiting (if medical is not included), Credit card information for individuals (i.e., PX or MWR events); PII, PHI, SSN, Credit card information for individuals, Export Control, FOUO, Law Enforcement Sensitive, Email.
     • Impact Level 5 – Maximum Data Type: Controlled Unclassified Information + NSS. National Security Systems and other information requiring a higher level of protection as deemed necessary by the information owner, public law, or other government regulations.
     • Impact Level 6 – Maximum Data Type: Classified up to SECRET. Pursuant to EO 12958 as amended by EO 13292; classified national security information or pursuant to the Atomic Energy Act of 1954, as amended to be Restricted Data (RD).
     Source: DoD Cloud Computing Security Requirements Guide (SRG): http://iase.disa.mil/cloud_security/Pages/index.aspx
  43. Updated DoD Policy on PII: “Impact Level 2 cloud services may be used to host low confidentiality impact level PII”
  44. Updated DoD Policy on PII (continued): “Reducing the minimum cloud requirement from Impact Level 4 to Impact Level 2 specifically for low confidentiality PII is consistent with requirements outside of cloud environments”
  45. DoD CC SRG Update (”replaces 5.1.5 and 5.1.5.1"): PII and PHI “are categorized as CUI”; “PHI and most PII in the cloud must be minimally protected in a Level 4 CSO”; “PII impact level determination will be performed”
  46. DoD CC SRG Update: “… there is a need for some low confidentiality impact (low sensitivity) PII to be published and collected in commercial CSOs having a Level 2 PA.”
  47. DoD CC SRG Update (continued): ”Prior to authorizing the system, the AO is accountable to review the PIA ...”
  48. Let’s Categorize our 2 Tier Web Application (same Production / COOP data center diagram as slide 7)
  49. Example 3 Tier Web Application Components
     • Web Tier – NGINX Proxy Server
     • Application Tier – WordPress/Apache/PHP
     • Database Tier – MySQL DB
     • All Servers Running Linux
     • Data Elements – PII & other CUI data
     For our sample 3 tier app, example classification:
     • Moderate/Moderate/Moderate (C/I/A) ✓
     • For DoD, Cloud Impact Level 4 (IL4) ✓
  50. Let’s Find this Application a Home…
     • So many Cloud Service Providers…
     • So little time…
     • What is a Mission Owner to do?
     • Perhaps FedRAMP can help… let’s take a look
  51. Where can we find approved CSPs?
     • Thanks to FedRAMP reciprocity you don’t have to check out each CSP yourself
     • ”Authorize Once & Use Many” approach
     • FedRAMP Authorized Services – https://marketplace.fedramp.gov/index.html#/products?sort=productName
     • Agency-specific Approved GSS/Providers – Example: DoD Authorized Cloud Service Catalog http://www.disa.mil/~/media/Files/DISA/Services/Cloud-Broker/AuthorizedCloudServicesCatalog.pdf
     • AWS Services in Scope Listing – https://aws.amazon.com/compliance/services-in-scope/
  52. FedRAMP Cloud Services Marketplace (screenshot of the AWS entries): https://marketplace.fedramp.gov/index.html#/products?sort=productName&productNameSearch=aws
  53. FedRAMP Cloud Services Marketplace …and more
  54. DoD Cloud Services Catalog (https://storefront.disa.mil/kinetic/disa/service-catalog#/forms/cloud-service-support): AWS IaaS / PaaS IL4, AWS IaaS IL5, AWS IaaS IL6
  55. AWS Services in Scope (https://aws.amazon.com/compliance/services-in-scope/) – legend:
     • ✓ = This service is currently in scope and is reflected in current reports
     • Joint Authorization Board (JAB) Review = This service is currently undergoing a JAB Review
     • Third Party Assessment Organization (3PAO) = This service is currently undergoing an assessment by our third party assessor
  56. AWS Services in Scope (https://aws.amazon.com/compliance/services-in-scope/) – legend, continued:
     • ✓ = This service is currently in scope and is reflected in current reports
     • Joint Authorization Board (JAB) Review = This service is currently undergoing a JAB review
     • Third-Party Assessment Organization (3PAO) Assessment = This service is currently undergoing an assessment by our third-party assessor
     • Defense Information Systems Agency (DISA) Review = This service is currently undergoing a DISA review
  57. US AWS Regions (same map as slide 17)
  58. Cloud Infrastructure to Meet Federal Needs (diagram)
     • US Regions* (CONUS: US-East/West), reached via the Internet: Public/Private, Unrestricted/(U); FedRAMP Mod; DoD IL2
     • AWS GovCloud* (GovCloud East/GovCloud West), reached from the Customer Network (e.g. NIPR for DoD) via CAP / DX: CUI, FOUO, SBU, PII, PHI; FedRAMP High; DoD IL2, IL4 & IL5
     • AWS Secret Region, reached via SIPRNET: SECRET; IC M/M/M (CNSSI 1253); DoD IL 6 PATO
     • C2S Region, reached via JWICS: TS/SCI; IC M/M/M (CNSSI 1253)
  59. For Our Example, We will pick AWS US GovCloud
     • GovCloud designed to handle ITAR (International Traffic in Arms Regulation)
       – JAB Provisional Authorization at the FedRAMP High Impact level
       – Community Cloud: access controlled, US Persons for physical and logical access to the AWS infrastructure
     • Physically Isolated Regions East/West (Oregon & Ohio)
     • 3 Availability Zones
     • Logical Network Isolation – all users run in VPCs
     • FIPS 140-2 Validated Hardware & Cryptographic Services for VPNs and AWS Service API End Points
     • Service(s) are only deployed into the Region based on customer demand
     • Separate Isolated Credential Database
     Offers the same high level of security as the other AWS Regions. Access is restricted to customers who are US Persons, not subject to export restrictions, and who comply with US export control laws and regulations, including the International Traffic in Arms Regulations (ITAR).
  60. AWS GovCloud: Credentials (How they differ) (diagram): the AWS GovCloud Account (GovCloud (OR), GovCloud (OH)) has its own IAM Group / IAM User 1 / IAM User 2, separate from the AWS Public Account (IAM Group / IAM User 1 / IAM User 2) that covers all other AWS Regions (excluding China): US East (VA), US West (CA), US West (OR), EU (Ireland), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), South America (Sao Paulo). Billing is linked between the two accounts.
  61. 61. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mine, Yours and Ours – Control Ownership • Mission Owners inherit controls from AWS – Consistent with the reciprocity model used for years • AWS is responsible for some controls completely • Mission Owners are responsible for some controls completely • Some controls are shared in that services provided by AWS must be properly configured and implemented used by Mission Owners • AWS calls this approach the Shared Responsibility Model
  62. 62. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cloud Security is a Shared Responsibility Cross-service Controls Service-specific Controls Compliance of the Cloud Compliance in the Cloud Cloud Service Provider Controls Optimized Network/OS/App Controls https://aws.amazon.com/compliance awscompliance@amazon.com Customers and Partners implement their own Application and Service controls Multiple customers with: • FISMA/ICD-503 ATOs • DIACAP/RMF ATOs AWS obtains industry certifications & third party attestations: • SAS-70 Type II / SOC 1 / SOC 2 • ISO 27001/ 2 Certification • Payment Card Industry (PCI) • Data Security Standard (DSS) • DoD PA • FedRAMP JAB P-ATO & Agency ATOs • HIPAA • ITAR
  63. 63. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security Control Ownership Customer Specific Hybrid Shared Inherited Sole Responsibility of the customer AWS provides partial implementation AWS & customer provide their implementation Fully inherited from AWS Division of Responsibility Depends on AWS Service Container Services Customer has less responsibility AWS has more responsibility Infrastructure Services Abstracted Services
  64. 64. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Delegation of Security Control Responsibilities DatabaseStorageCompute Networking Edge LocationsRegions Availability Zones AWS Global Infrastructure AWS Responsible for Control Requirements for CSO Application Owners Responsible for at the Application Level / Platform Enterprise Services Cloud Manager Governance and controls at Infrastructure / Platform Level
  65. 65. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “But Where Can I Find the Controls AWS meets?” • In the AWS FedRAMP Package! • Available for both AWS Partners & Customer Agencies • AWS FedRAMP package covers: – AWS infrastructure – Underlying management of services – Inherited controls – Shared controls • Assists in documenting security of workloads built on AWS This is how we see evidence about Security OF the Cloud!
  66. 66. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What You Get in the AWS FedRAMP Security Package # FedRAMP Security Package Document Federal Agency State, Local, Education Vendors & Contractors 1 System Security Plan (SSP) 2 Security Assessment Plan (SAP) 3 Control Implementation Summary (CIS) 4 FIPS-199 Categorization 5 Control Tailoring Workbook (CTW) 6 Security Assessment Report (SAR) 7 Authority to Operate (ATO) 8 User Guide 9 Customer Responsibility Matrix (CRM) 10 Configuration Management Plan (CM Plan) 11 Contingency Management Plan (CMP) 12 E-Authentication Plan 13 PTA/PIA 14 Rules of Behavior 15 Incident Response Plan (IRP) 16 Policies 17 Security Controls Summary 18 SSP Template
67. FedRAMP Control Implementation Summary (CIS)
• Quick reference spreadsheet
• Categorizes and allocates FedRAMP controls between AWS and the customer:
 – Inherited Controls
 – Customer Specific Controls
 – Shared Controls
 – Indicates where a control comes from
 – Categorizes FedRAMP controls as Moderate and High (applicable to GovCloud)
[Figure: CIS worksheet with the Shared, Customer Specific and Inherited columns highlighted]
68. FedRAMP Control Implementation Summary (CIS) – Eye Chart! [screenshot of the spreadsheet]
69. CIS – Customer Specific: Configured by Customer
• Controls for which AWS provides services that may be used to meet a requirement, but the customer must select the service and apply the configuration properly
• Examples of these controls include:
 – User profiles, policy/audit configurations, enabling/disabling key switches (e.g., enable/disable HTTP or HTTPS), entering an IP range specific to their organization
 – Account Management (AC-2): the AWS IAM service enables customers to securely control access to AWS services and resources, but the customer must apply the correct access policies
70. CIS – Customer Specific: Provided by Customer
• Controls which are solely the responsibility of the customer, met either by providing additional hardware or software or by implementing an organizational policy
• Examples of these controls include:
 – Organizational/management controls that involve business processes within your organization
 – Security Assessment and Authorization (CA-3) – the customer must still complete a formal authorization for any workloads they build on top of AWS
 – The customer provides a SAML solution to implement SSO with two-factor authentication
71. CIS – “Inherited” Controls
• Controls that a customer fully inherits from AWS
• Filter the spreadsheet by:
 – BLANK in the “Customer” and “Shared” columns
 – “X” in any of Service Provider Corporate, Service Provider System-Specific, or Service Provider Shared
• Examples of these controls include:
 – Media Protection (MP)
 – Maintenance (MA)
 – Physical and Environmental Protection (PE)
72. CIS – Shared Controls
• Controls that apply to both the Cloud Service Provider and the Customer, but in completely separate contexts
• AWS addresses the requirements for the infrastructure (“…of the cloud”)
• The customer must address the requirements for their workload/application (“…in the cloud”)
• Examples of these controls include:
 – Flaw Remediation (SI-2) – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications
 – Awareness & Training (AT-3) – AWS trains AWS employees, but a customer must train their own employees
 – Configuration Management (CM-2) – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuration management of their own guest operating systems, databases, and applications
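The filters on the three CIS slides above can be applied mechanically to a CIS export. This is an added example, not part of the deck or the AWS package: the rows and column headings are constructed to mirror the spreadsheet as the slides describe it, and the code sorts each control into Inherited, Customer Specific or Shared.

```python
"""Classify FedRAMP CIS rows into Inherited / Customer Specific / Shared.

Added example. The rows below are constructed to mirror the columns the
slides describe (Customer, Shared and the three Service Provider columns);
an 'X' marks the party responsible for the control.
"""
import csv
import io

# Constructed sample in the shape of the CIS worksheet described on the slides.
SAMPLE_CIS = """\
Control,Control Name,Customer,Shared,Service Provider Corporate,Service Provider System-Specific,Service Provider Shared
AC-2,Account Management,X,,,,
CA-3,System Interconnections,X,,,,
MP-2,Media Access,,,X,,
MA-2,Controlled Maintenance,,,,X,
PE-3,Physical Access Control,,,X,,
SI-2,Flaw Remediation,,X,,,X
AT-3,Role-Based Security Training,,X,X,,
CM-2,Baseline Configuration,,X,,,X
"""

SP_COLUMNS = (
    "Service Provider Corporate",
    "Service Provider System-Specific",
    "Service Provider Shared",
)


def classify_row(row):
    """Return 'Inherited', 'Customer Specific' or 'Shared' for one CIS row.

    Inherited: blank in Customer and Shared, X in any Service Provider
    column (the filter the slide gives). Shared: X in the Shared column.
    Customer Specific: X in Customer with nothing marked as shared.
    """
    def marked(col):
        return row.get(col, "").strip().upper() == "X"

    if marked("Shared"):
        return "Shared"
    if marked("Customer"):
        return "Customer Specific"
    if any(marked(c) for c in SP_COLUMNS):
        return "Inherited"
    return "Unclassified"  # nothing marked: needs a human look


def classify_cis(csv_text):
    """Group control IDs by classification; input is the CIS as CSV text."""
    groups = {"Inherited": [], "Customer Specific": [], "Shared": [], "Unclassified": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[classify_row(row)].append(row["Control"])
    return groups


def inherited_families(csv_text):
    """Control families (e.g. MP, MA, PE) in which every listed control is inherited."""
    fams = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        fam = row["Control"].split("-")[0]
        fams.setdefault(fam, set()).add(classify_row(row))
    return sorted(f for f, kinds in fams.items() if kinds == {"Inherited"})


if __name__ == "__main__":
    for kind, ids in classify_cis(SAMPLE_CIS).items():
        print(f"{kind:18s} {', '.join(ids) or '-'}")
    print("Fully inherited families:", inherited_families(SAMPLE_CIS))
```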
73. FedRAMP Customer Responsibility Matrix
• Also a quick reference spreadsheet
• Basic guidance for customers meeting FedRAMP controls:
 – Provides a mapping of controls to impact levels
 – Describes customer responsibilities within the scope of AWS services
74. FedRAMP: Customer Responsibility Matrix [screenshot]
75. FedRAMP: System Security Plan (SSP) Template
• 400+ page document template
• Implementation details for 300+ security controls must be described
• LOTS of writing to be done by the customer
• Documentation and implementation must then be assessed
• “Acceptance of Risk” and “Authority to Operate” are only granted if the system “passes”
• Many Federal agencies/organizations already have their own templates or tools for this
76. FedRAMP: System Security Plan (SSP) Template – Page 357 [screenshot]
77. Requesting the AWS FedRAMP Package
• Request the package from your FedRAMP PMO
• Request the package from your AWS account rep
• Send an email to awscompliance@amazon.com:
 – requesting access to the FedRAMP Security Package
 – for the purpose of building a system security plan using the AWS Agency FedRAMP authorization
78. Requesting the AWS FedRAMP Package
• Request the full package from the FedRAMP PMO or your AWS account manager
• The Partner Package is available via AWS Artifact (AWS console)
• Send an email to: awscompliance@amazon.com
79. Determine Risk Acceptance of the AWS FedRAMP SSP
• Evaluate the AWS P-ATO against your internal risk posture
• Your agency's Authorizing Official (AO) can authorize the AWS package for use by multiple applications/SSPs
• Your agency's AO should authorize individual systems/SSPs for workloads built on AWS
• Your agency's AO may also authorize individual AWS services that are not already in scope within FedRAMP
80. Questions?
81. MISSION PLAN: Map Out the Architecture in the Cloud – AWS GovCloud (US)
82. Mission Scope:
1. Move a 2-tier non-cloud web application to the Commercial Cloud
2. Attain an ATO to support production operations
[Figure: production data center and COOP data center, each with FW, LB, APP servers, DB and supporting services (AD or LDAP, NTP & DNS, bastion host, HBSS (AV), ACAS (VS), log mgmt, SIEM, backup); asynchronous replication between the two sites]
83. First let's find it a home in the cloud
“But isn't the cloud just some amorphous collection of networks and servers where data and applications are always moving?”
NOPE … Your data and applications go into the AWS Region you choose and they stay there until you move them.
☞ Let's see what an AWS Region is…
84. AWS Region and Availability Zone View
- Regions: a metropolitan area with an independent “cloud”
 - Fully isolated from other Regions (security boundary)
 - 50-mile (approx.) radius “clustered” data center architecture
 - Customer chooses the Region; data stays within the Region
 - Regions are comprised of multiple Availability Zones
- Availability Zone (AZ) = 1 or more “data centers”
 - AZs are connected through redundant low-latency links
 - Physically separated; in separate low-risk flood plains
 - Discrete UPS and onsite backup
 - Redundant connections to multiple tier-1 ISPs
 - Built for continuous availability
[Figure: sample US Region with Availability Zones A, B and C, each made up of data centers]
85. Cloud Infrastructure to Meet Federal Needs
• US Regions – Public/Private, Unrestricted/(U); FedRAMP Moderate; DoD IL2; reached over the Internet
• AWS GovCloud – CUI, FOUO, SBU, PII, PHI; FedRAMP High; DoD IL2, IL4 & IL5; reached from the customer network (e.g., NIPR for DoD) via CAP / DX
• AWS Secret Region – SECRET; IC M/M/M (CNSSI 1253); DoD IL6 PATO; SIPRNET
• C2S Region – TS/SCI; IC M/M/M (CNSSI 1253); JWICS
86. US AWS Regions
[Map: commercial Regions (FedRAMP Moderate, DoD IL2), AWS GovCloud (US) Regions (FedRAMP High, DoD IL2/4/5), the Amazon Secret Region (ICD 503 SECRET, DoD IL6) and the ICD 503 TS/SCI Region, each labelled with its number of Availability Zones (3 to 6)]
87. Inheritance
[Figure: control layers – Personnel, Incident Response, Boundary Protection, Identity & Access Control, Disaster Recovery, Configuration Management, High Availability Architecture, System Mgmt. & Monitoring, Log Management & Monitoring, Compute & Storage, Networking, Virtualization, Data Center. Mission Owner on prem: every layer is a Mission Owner control. Mission Owner on AWS: Data Center, Virtualization, Networking and Compute & Storage are controls fully inherited from AWS; the layers above are hybrid controls (AWS + Mission Owner) or Mission Owner controls, documented in the ATO Package]
88. Let's Categorize our 2-Tier Web Application
[Figure: the production / COOP data center diagram from slide 82]
89. Example 2-Tier Web Application Components
• App/Web Tier – NGINX App / WordPress / Apache / PHP
• Database Tier – MySQL DB
• All servers running Linux
• Data elements – PII & other CUI data
For our sample 2-tier app, example classification:
• Moderate/Moderate/Moderate (C/I/A) ✓
• Cloud Impact Level 4 (IL4) ✓
90. Step 1: Find a Home in the AWS Cloud
Select an AWS Region:
• Independent geographic areas
• Customer chooses the Region
• Data stays within the Region
• Federal & DoD options include:
 – US East (VA and OH) – FR Mod, DoD IL2
 – US West (CA and OR) – FR Mod, DoD IL2
 – US GovCloud (OR) – FR Mod/High, DoD IL2/4/5
 – US GovCloud (OH) – FR Mod/High, DoD IL2/4/5
Select AWS Availability Zones (AZs):
• 2 or more AZs for customer use per Region
• Physically isolated from each other
• Each AZ is designed as an independent failure zone
• Connected with low-latency links (< 2 msec)
[Figure: Region with Availability Zones A and B; the production data center's FW, LB, APP and DB are being mapped in]
91. Step 2: Define Your Network in AWS
AWS Virtual Private Cloud (VPC):
• Your private, isolated virtual network within the AWS Cloud
• You have complete control over your virtual network
• You can assign an IP address space as large as a /16 CIDR block (65,536 addresses)
• The VPC CIDR block spans AZs
• Example CIDR block: 10.0.0.0/16
VPC Subnets:
• Define a range of IP addresses in your VPC
• Can be used to create separate network zones
• Subnets are AZ-specific (they don't span AZs)
• Example CIDR block: 10.10.10.0/24
Network Access Control Lists (NACLs):
• Stateless network filters applied to inter-subnet traffic
Route Tables:
• Define rules that determine where traffic is directed
[Figure: VPC in the Region with two private subnets in each Availability Zone]
92. Step 3: Add in Servers
Amazon Elastic Compute Cloud (EC2):
• Virtual servers (instances) in the cloud
• Launch EC2 instances into specific subnets
• Quickly launch or reboot servers
• Pay for what you use
EC2 Instance Types:
• Various Windows & Linux OS versions available
• Over 40 instance types to choose from
• Instance types are optimized for different use cases: CPU, memory, networking, storage & graphics
Flexible Utilization & Pricing:
• Various pricing models available
• Easily scale up or scale out
• Add instances when you need them; terminate instances when you don't
93. Compute: EC2 Instance Families
[Figure: T2 – burstable performance; M3 / M4 / M5 – general purpose; C3 / C4 / C5 – compute optimized; R3 / R4, X1 / X1e – memory optimized; D2, H1, I2 / I3 – dense-storage & high-I/O optimized; F1, G2 / G3, P2 / P3 – GPU enabled]
94. World Record for Concurrent Processors
Clemson University: Professor Alexander Herzog, graduate students Christopher Gropp and Brandon Posey, and Professor Amy Apon. At just after 21:40 (GMT-1) on Aug. 26, 2017, the number of vCPUs utilized was 1,119,196. All processors were Spot Instances – “excess AWS capacity”.
95. Step 4: Add Storage for your Servers
Amazon Elastic Block Store (EBS):
• Create individual storage volumes
• Attach them to an EC2 instance
• A volume is automatically replicated within its AZ
EBS uses include:
• Boot volumes and storage for EC2 instances
• Data storage with a file system
• Storage for databases & enterprise applications
• Can be used to create RAID configurations
EBS specifications:
• Persistent storage from 1 GB to 16 TiB
• Magnetic, SSD & Provisioned IOPS SSD
• Performance options to fit application needs
• Optional seamless 256-bit encryption
96. Simple Storage Service (S3) – Object Storage
• A “bucket” is functionally equivalent to a “folder”
• Able to store an unlimited number of objects in a bucket
• Objects from 1 B to 5 TB; no bucket size limit; bucket names must be globally unique
• Highly available storage for the Internet (object store)
• HTTP/S endpoint to store and retrieve any amount of data, at any time, from anywhere on the web
• Highly scalable, reliable, fast, and inexpensive
• Annual durability of 99.999999999%; designed for 99.99% availability
• Over 2 trillion objects stored
• Peak requests 1,100,000+ per second
[Figure: storage services – EBS, S3, Glacier]
97. Archival Storage – Glacier
[Figure: storage services – EBS, S3, Glacier, with Glacier highlighted]
98. Snowball (Import/Export)
• E-ink shipping label
• Ruggedized case (“8.5G impact”), rain and dust resistant
• All data encrypted end-to-end
• Tamper-resistant case and electronics
• 80 TB capacity
• 10 GE network
99. Step 5: Add Scalability, Redundancy & Failover
Multiple Availability Zone (AZ) architecture:
• Supports high availability and failover
• Supports COOP and DR requirements
[Figure: VPC with private subnets in Availability Zones A and B]
100. Step 5: Add Scalability, Redundancy & Failover
AWS Elastic Load Balancer (ELB):
• Distributes inbound traffic across EC2 instances
• Enables fault tolerance
• Fully managed service
Database replication and failover:
• Synchronous data replication
• Failover using DNS that is transparent to the application
[Figure: production and COOP data centers (FW, LB, APP, DB) mapped onto the VPC's two Availability Zones]
101. Elastic Load Balancing
• Supports routing and load balancing of HTTP, HTTPS and generic TCP traffic to EC2 instances
• Supports SSL termination and Proxy protocol
• Supports health checks to detect and remove failing instances
• Dynamically grows and shrinks required resources based on traffic
• Seamlessly integrates with Auto Scaling to add and remove instances based on scaling activities
• A single CNAME provides a stable entry point for DNS configuration
• Supports internal load balancing within a VPC
• Supports connection draining
102. Step 5: Add Scalability, Redundancy & Failover
AWS Auto Scaling Group (ASG):
• Scales EC2 instances automatically
• Adds or removes instances according to load and traffic
103. Auto Scaling
• Well suited for applications that experience variability in usage
• Client-defined business rules
• Scale your Amazon EC2 capacity automatically once you define the conditions (may be 1,000s of servers)
• Can scale up just a little … doesn't need to be a massive number of servers (may be simply 2 servers)
• Set minimum and maximum scaling policies
• An alternate use is fault tolerance
104. Step 6: Add Network Traffic Filtering at Servers
AWS Security Groups (SG):
• Stateful firewall applied to the instance
• Filters source & destination IP, port and protocol
• Inbound and outbound rules
• By default all inbound access is blocked
Create defense-in-depth architectures:
• Allow web servers to talk to app servers
• Allow app servers to talk to DB servers
SGs support dynamic scaling:
• As servers scale in an ASG, SGs continue filtering
• SGs can reference other SGs
105. How Should You Secure Your VPC?
Best practice: build security at every layer using routing rules, network ACLs, and security groups.
• Subnet-level Network Access Control Lists (ACLs):
 - A layer of security that acts as a stateless firewall controlling traffic in and out of a subnet
 - Port/protocol defined with an action (Allow/Deny)
• AWS Security Groups:
 - Stateful virtual firewall applied to an instance (e.g., EC2, ELB)
 - Traffic must be explicitly specified by protocol, port, and security group
 - Can reference other security group(s) as the inbound source and/or outbound destination
• OS firewall (e.g., iptables) may be implemented:
 - Completely user-controlled security layer
 - Granular access control of discrete hosts
 - Logging of network events
[Figure: inbound traffic passes the network subnet ACLs, then the AWS security group, then the OS firewall on the EC2 instance]
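Steps 2 and 6 above describe the network as a /16 VPC, AZ-specific subnets and security groups that reference one another. The following is an added example and not the Quick Start's own template: it emits those resources as a CloudFormation document built in Python, chains the security groups so each tier only admits its upstream tier, and validates the subnet plan; the AZ names and tier ports are placeholders.

```python
"""Generate CloudFormation resources for the two-AZ, tiered VPC design.

Added example (not the Quick Start's templates). It expresses the network
as infrastructure as code: a /16 VPC, one AZ-specific subnet per tier and
AZ, and security groups chained so each tier admits traffic only from the
tier in front of it (defense in depth via SG-to-SG references).
"""
import ipaddress
import json

# Constructed inputs: tier order is front-to-back; the port is what each
# tier listens on. AZ names are placeholders.
TIERS = [("Lb", 443), ("App", 8080), ("Db", 3306)]
AZS = ["us-gov-west-1a", "us-gov-west-1b"]


def plan_subnets(vpc_cidr, tiers, azs, new_prefix=24):
    """Carve one /24 per (tier, AZ) out of the VPC CIDR; subnets never span AZs."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {f"{tier}Subnet{az[-1].upper()}": (str(next(blocks)), az)
            for tier, _ in tiers for az in azs}


def build_template(vpc_cidr="10.0.0.0/16", tiers=TIERS, azs=AZS):
    """Return a CloudFormation template (as a dict) for the VPC, subnets and SGs."""
    res = {"Vpc": {"Type": "AWS::EC2::VPC",
                   "Properties": {"CidrBlock": vpc_cidr, "EnableDnsSupport": True,
                                  "EnableDnsHostnames": True}}}
    for name, (cidr, az) in plan_subnets(vpc_cidr, tiers, azs).items():
        res[name] = {"Type": "AWS::EC2::Subnet",
                     "Properties": {"VpcId": {"Ref": "Vpc"}, "CidrBlock": cidr,
                                    "AvailabilityZone": az,
                                    "MapPublicIpOnLaunch": False}}
    prev_sg = None
    for tier, port in tiers:
        sg = f"{tier}Sg"
        ingress = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
        if prev_sg is None:
            ingress["CidrIp"] = "0.0.0.0/0"  # only the front tier faces the outside
        else:
            ingress["SourceSecurityGroupId"] = {"Ref": prev_sg}  # SG references SG
        res[sg] = {"Type": "AWS::EC2::SecurityGroup",
                   "Properties": {"GroupDescription": f"{tier} tier",
                                  "VpcId": {"Ref": "Vpc"},
                                  "SecurityGroupIngress": [ingress]}}
        prev_sg = sg
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": res}


def validate(template):
    """Check the invariants the design relies on; return a list of problems."""
    res = template["Resources"]
    vpc = ipaddress.ip_network(res["Vpc"]["Properties"]["CidrBlock"])
    subnets = [(n, ipaddress.ip_network(r["Properties"]["CidrBlock"]))
               for n, r in res.items() if r["Type"] == "AWS::EC2::Subnet"]
    problems = []
    for n, net in subnets:
        if not net.subnet_of(vpc):
            problems.append(f"{n} {net} outside VPC {vpc}")
    for i, (n1, a) in enumerate(subnets):
        for n2, b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{n1} overlaps {n2}")
    # Only one SG may accept traffic from anywhere: the load-balancer tier.
    open_sgs = [n for n, r in res.items() if r["Type"] == "AWS::EC2::SecurityGroup"
                and any(rule.get("CidrIp") == "0.0.0.0/0"
                        for rule in r["Properties"]["SecurityGroupIngress"])]
    if len(open_sgs) > 1:
        problems.append(f"more than one internet-facing SG: {open_sgs}")
    return problems


def subnet_cidrs(template):
    """Sorted CIDR blocks of every subnet in the template."""
    return sorted(r["Properties"]["CidrBlock"]
                  for r in template["Resources"].values()
                  if r["Type"] == "AWS::EC2::Subnet")


if __name__ == "__main__":
    t = build_template()
    print(json.dumps(t, indent=2))
    print("problems:", validate(t) or "none")
```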
106. Recap: Moving a 2-Tier Web App to AWS
• Data Center → AZ
• VLAN → Subnet
• Server/VM → EC2 instance
• FW → Security Group
• Load Balancer → ELB
[Figure: production and COOP data centers mapped onto a VPC with private subnets in Availability Zones A and B]
107. Review Your Existing Infrastructure Components
In addition to application & networking requirements, we need to address these services!
[Figure: production and COOP data centers, each with FW, LB, APP, DB and supporting services (AD or LDAP, NTP & DNS, bastion host, HBSS (AV), ACAS (VS), log mgmt, SIEM, backup); asynchronous replication between the two sites]
108. How do we address these Infrastructure Needs?
• Web Application Firewall
• Network Firewall / Full Packet Capture
• Network Intrusion Detection/Prevention
• ACAS – Vulnerability Scanning
• HBSS – Endpoint Protection
• AD / SSO / LDAP / OCSP
• DNS / NTP / DHCP
• Log Management / SIEM
• Patching Services
[Figure: connection path from the DoDIN (IAP, CND, CAP) through a co-location facility and AWS Direct Connect to a VPG on the VPC, with CND on the cloud side as well; the VPC has private subnets in Availability Zones A and B]
109. DoD SCCA Component Functional Requirements
• Virtual Datacenter Security Stack (VDSS) – provides network and application security capabilities such as an application-aware firewall and/or intrusion prevention system.
• Virtual Datacenter Management Stack (VDMS) – provides system support services for mission owner environments (AD/LDAP, DNS, patch repos); potentially CSSP offerings as well.
• Trusted Cloud Credential Manager (TCCM) – an individual or entity appointed by the Authorizing Official to establish policies for controlling privileged user access to connect Virtual Private Clouds to the DISN and for administering cloud services.
• Cloud Access Point (CAP) – provides network access to the cloud and boundary protection of the DISN from the cloud.
110. DoD SCCA Architecture Approach in AWS
[Figure: GovCloud Region reached from the DoDIN (IAP, CND, CAP) through co-location and Direct Connect, and from the Internet. VDSS VPC across Availability Zones A and B: network firewall, full packet capture, network intrusion detection/prevention and web application firewall services. VDMS VPC across Availability Zones A and B: ACAS / vulnerability scanning, HBSS / endpoint protection, AD / DNS / SSO / OCSP / DHCP and other shared services. Mission VPC with private subnets in Availability Zones A and B]
111. NIST High Quick Start Architecture (NOTIONAL)
[Figure: a Mission Owner Management Services VPC (vulnerability scanning, endpoint protection and NAT / bastion host services across Availability Zones A and B) peered with Application Owner A and Application Owner B application-stack VPCs, each with DMZ, App and Database subnets in AZ A and AZ B holding a web server, an app server and a primary DB server; Internet ingress]
112. Questions?
113. AWS Security Concepts and Services
116. Why is security traditionally so hard?
• Lack of visibility
• Low degree of automation
• Limited resources & scale constraints inhibit tooling build-out to address challenges
117. AWS Security Focus
• Designed for security
• Constantly monitored
• Highly automated
• Highly available
• Highly accredited
Security is our #1 priority
118. Elevate your security with the AWS Cloud
119. AWS Security Assurance Frameworks
120. US AWS Regions approved for DoD use
[Map: US East (VA), US East (OH), US West (OR), US West (CA) – FedRAMP Moderate, DoD IL2; GovCloud West (OR), GovCloud East (OH) – FedRAMP High, DoD IL2/4/5; Amazon Secret Region – ICD 503 SECRET, DoD IL6; each labelled with its number of Availability Zones (3 to 6)]
121. All customers benefit from the same security
60+ assurance programs, including:
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001
• ISO 9001
• PCI DSS Level 1 – Service Provider
• ISO 27017 (security of the cloud)
• ISO 27018 (personal data)
• BSI C5 (Germany) – ESCloud (EU)
• CISPE – GDPR
122. Scale with visibility and control
• Control where your data is stored and who can access it
• Fine-grained identity & access control so resources have the right access
• Reduce risk via security automation and continuous monitoring
• Integrate AWS services with your solutions to support existing workflows, streamline ops, and simplify compliance reporting
123. Highest standards for privacy
• Encryption at scale
• Meet data residency requirements
• Build compliant infrastructure
• Comply with local data privacy laws
124. Automate with integrated services
• Threat remediation and response
• Securely deploy business-critical applications
• Operational efficiencies to focus on critical issues
• Continuous monitoring and protection
• Comprehensive set of APIs and security tools
125. AWS security solutions
• Identity & access management
• Detective controls
• Infrastructure protection
• Incident response
• Data protection
126. Largest ecosystem of security partners and solutions
• Infrastructure security
• Logging & monitoring
• Identity & access control
• Configuration & vulnerability analysis
• Data protection
127. Consulting competency partners with demonstrated expertise
• Security engineering
• Governance, risk, & compliance
• Security operations & automation
128. Identity & Access Management
129. Securely control access to AWS services and resources
• IAM enables customers to create and manage users in AWS's identity system
• Identity federation with a local directory is an option for enterprises
• Very familiar security model: users, groups, roles, permissions
• Supports SAML 2.0
• Allows customers to:
 – Create users & organize users in groups
 – Assign individual passwords, access keys, multi-factor authentication devices
 – Grant fine-grained permissions
 – Optionally grant them access to the AWS Console
[Figure: IAM concepts – Users, Groups, Roles, Policies, Resources]
131. AWS CloudTrail: Track user activity and API usage to enable governance, compliance, and operational/risk auditing of your AWS account
• Records AWS API calls for your account and delivers log files to an S3 bucket that you specify:
 – Who made the API call?
 – When was the API call made?
 – What was the API call?
 – What resources were acted upon in the API call?
 – Where was the API call made from?
• Log files are delivered approximately every 3-5 minutes
• Multiple partners offer integrated solutions to analyze log files
132. Uses of CloudTrail
• Security analysis – use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
• Track changes to AWS resources – track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
• Troubleshoot operational issues – quickly identify the most recent changes made to resources in your environment.
• Compliance aid – easier to demonstrate compliance with internal policies and regulatory standards.
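The who/when/what/where questions above and the “track changes” use case can be answered from the delivered log files directly. This is an added example, not AWS code: it reads constructed CloudTrail records (placeholder account, ARNs and IPs), separates resource-changing calls from read-only ones, and flags calls that stop or alter the trail itself.

```python
"""Answer who / when / what / where from CloudTrail records and flag changes.

Added example. The records below are constructed in the shape of a
CloudTrail log file (a JSON object with a "Records" list); the account ID,
ARNs, group/volume IDs and IP addresses are placeholders.
"""
import json
from datetime import datetime

# Constructed sample log file; field names follow the CloudTrail record format.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-03-04T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2019-03-04T14:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None},
    {"eventTime": "2019-03-04T15:17:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws-us-gov:sts::123456789012:assumed-role/Admin/bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2019-03-04T15:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVolume", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws-us-gov:sts::123456789012:assumed-role/Admin/bob"},
     "requestParameters": {"volumeId": "vol-0abc"}},
]})

# Read-only API name prefixes; anything else is treated as a resource change.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")
# Calls that weaken the audit trail itself and deserve an alert of their own.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(record):
    """Who: the IAM user name, or the session name of an assumed role."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        return ident.get("userName", "unknown")
    arn = ident.get("arn", "")
    return arn.rsplit("/", 1)[-1] if arn else ident.get("type", "unknown")


def summarize(record):
    """Who / when / what / where for one record, as a flat dict."""
    return {"who": actor(record),
            "when": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "what": f'{record["eventSource"].split(".")[0]}:{record["eventName"]}',
            "where": record.get("sourceIPAddress", "unknown"),
            "region": record.get("awsRegion", "unknown")}


def resource_changes(log_text):
    """Records that changed a resource (the deck's 'track changes' use case)."""
    records = json.loads(log_text)["Records"]
    return [summarize(r) for r in records
            if not r["eventName"].startswith(READ_ONLY_PREFIXES)]


def trail_tampering(log_text):
    """Records that stopped or altered CloudTrail logging."""
    records = json.loads(log_text)["Records"]
    return [summarize(r) for r in records if r["eventName"] in TRAIL_TAMPERING]


if __name__ == "__main__":
    for c in resource_changes(SAMPLE_LOG):
        print(f'{c["when"]:%Y-%m-%d %H:%M} {c["who"]:8s} {c["what"]:36s} from {c["where"]}')
    for t in trail_tampering(SAMPLE_LOG):
        print("ALERT trail tampering:", t["who"], t["what"], "from", t["where"])
```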
133. Amazon CloudWatch: Complete visibility of your cloud resources and applications to collect metrics, monitor log files, set alarms, and automatically react to changes
• Visibility into resource utilization, operational performance, and overall demand patterns
• Metrics such as CPU utilization, disk reads and writes, and network traffic
• Accessible via the AWS Management Console, web service APIs or command line tools
• Add custom metrics of your own
• Alarms (which tie into Auto Scaling, SNS, SQS, etc.)
• Billing alerts to help manage charges on your AWS bill
134. Dashboard Example [screenshot: the instance being monitored and its selected attributes]
135. AWS Config: Record and evaluate configurations of your AWS resources to enable compliance auditing, resource change tracking, & security analysis
• Get an inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
• Know resource relationships and dependencies
138. AWS Key Management Service (KMS)
Hierarchy:
• Two-tiered key hierarchy using envelope encryption
• A unique data key encrypts customer data
• KMS master keys encrypt data keys
• KMS master keys never leave the KMS HSM unencrypted
Benefits:
• Limits the risk of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master keys than millions of data keys
• Centralized access and audit of key activity
[Figure: a Customer Master Key (CMK) wraps a data key for each of an S3 object, an EBS volume, a Redshift cluster and a custom application]
139. Ubiquitous Encryption
[Figure: encryption at rest (EBS, S3, Glacier, DynamoDB, RDS, EMR, Redshift); encryption in process (EC2); encryption in transit and certificate management (ELB, AWS Certificate Manager (ACM)); fully managed keys (KMS); restrict access (AWS IAM); full auditability (AWS CloudTrail); encrypted secrets management (Secrets Manager)]
  141. 141. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Questions?
  142. 142. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. MISSION EXECUTION: Reference Architectures and Automation to Build and Assess AWS GovCloud (US)
  143. 143. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Addressing Compliance Challenges w/ Standardized Reference Architectures Challenge • Meeting compliance requirements i.e., NIST • Making many critical decisions to ensure a secure application when using the AWS Shared Responsibility Model • Mapping security controls to numerous AWS services Solution Incorporate compliance requirements which can be pre-approved by customer assessment organizations Incorporate AWS functional and security best practices in the baseline Pre-document the alignment of AWS best practices with security/compliance requirements
  144. 144. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Addressing Compliance Challenges w/ Standardized Reference Architectures Challenge • Error prone and time-consuming manual configuration of AWS resources • Enforcing configuration management of AWS infrastructure over time • Authorization process is time consuming, labor intensive, and delays mission deployments Solution ☞Create fully automated infrastructure as code CloudFormation templates to reduce human error ☞Keep AWS CloudFormation Templates under version control and only deploy from the approved repository using approved processes ☞Reduces time necessary to engineer, build, and document security compliance controls
145. How Does AWS Make This Easier? The Enterprise Accelerator Compliance Quick Start
   https://aws.amazon.com/quickstart
146. AWS Enterprise Accelerator Quick Start Web Site (screenshot)
148. Enterprise Accelerator Quick Start Packages: What's in the Box?
   • Architecture Diagram
   • Security Controls Matrix (SCM)
   • AWS CloudFormation Templates
   • Deployment Guide
149. Customizable Reference Architecture
   Example Reference Architecture
   − Customizable
   − Employs AWS architecture best practices
150. Customizable Reference Architecture (architecture diagram)
151. Customizable Reference Architecture (architecture diagram)
   AWS Account with a Production VPC spanning us-east-1b and us-east-1c; each Availability Zone has a DMZ subnet (proxies, NAT) and private subnets (RDS DB)
   CloudTrail, AWS Config and CloudWatch Alarms write to an Archive Logs bucket; S3 lifecycle policies move logs to Glacier
152. Security Controls Matrix
   • Security Controls/Requirements Matrix
   − Maps security controls to architectural components
   − Describes security control implementation details
153. Security Controls Matrix (screenshot)
154. Are they Similar? Use the AWS Enterprise Accelerator as a Validation Tool
   (diagram: your SCM compared side by side with the AWS Enterprise Accelerator SCM)
155. AWS Quick Start CloudFormation Templates
   • CloudFormation Templates
   − Customize and deploy through automation
   • Templates deliver infrastructure as code
   – Each template deploys a resource stack
   – Templates can be managed and version controlled using source code repositories (e.g., GitHub)
156. AWS Quick Start CloudFormation Stacks
   • The Quick Start package is a set of nested templates that deploy "stacks" which:
   − Are modular and customizable
   − Build specific portions of the architecture
   − Can be deployed for different types of workloads
   (diagram: templates and the stacks they deploy)
157. AWS Quick Start Nested CloudFormation Stacks (templates and the stacks they deploy)
   • Main Stack: launches all other stacks
   • Management VPC Stack: VPCs, subnets, gateways, route tables, NACLs
   • Production VPC Stack: VPCs, subnets, gateways, route tables, NACLs
   • NAT Instance Stack: NAT EC2 instance; network interfaces; Elastic IP address
   • Logging Stack: CloudTrail, CloudWatch; S3 buckets and policies for log data; SNS topics
   • IAM Stack: users; groups; roles; policies; authentication
   • Config Rules Stack: Config rules; Lambda functions
   • Web Application Stack: Elastic Load Balancers; Auto Scaling groups; Auto Scaling launch configurations; S3 buckets/bucket policies for static web data; RDS databases; additional CloudWatch alarms; EC2 instances; security groups
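Slide 144 says to deploy only from the approved repository, and the main stack above pulls every other stack in by TemplateURL. The check below is an added example (not Quick Start code) that walks a constructed main template, resolves each nested stack's TemplateURL (plain string or Fn::Sub, using parameter defaults) and flags any stack whose template is not under an approved prefix; bucket, prefix and file names are placeholders.

```python
import re

# Constructed main template modelled on the nested-stack layout above; bucket, prefix
# and file names are placeholders, not the real Quick Start paths.
MAIN_TEMPLATE = {
    "Parameters": {
        "QSS3BucketName": {"Type": "String", "Default": "approved-templates"},
        "QSS3KeyPrefix": {"Type": "String", "Default": "enterprise-accelerator/"},
    },
    "Resources": {
        "LoggingStack": {"Type": "AWS::CloudFormation::Stack", "Properties": {
            "TemplateURL": {"Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/"
                                       "${QSS3KeyPrefix}logging.template"}}},
        "IamStack": {"Type": "AWS::CloudFormation::Stack", "Properties": {
            "TemplateURL": {"Fn::Sub": ["https://${Bucket}.s3.amazonaws.com/"
                                        "${QSS3KeyPrefix}iam.template",
                                        {"Bucket": "approved-templates"}]}}},
        # Someone pointed this stack at an unreviewed location: it must be flagged.
        "NatStack": {"Type": "AWS::CloudFormation::Stack", "Properties": {
            "TemplateURL": "https://scratch-bucket.s3.amazonaws.com/nat.template"}},
        "ProductionVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    },
}
APPROVED_PREFIXES = ["https://approved-templates.s3.amazonaws.com/enterprise-accelerator/"]

def resolve_url(value, params):
    """Resolve a TemplateURL given as a plain string or an Fn::Sub (string or
    [string, {var: value}] form) from the Sub map or parameter Defaults; reject the rest."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Fn::Sub" in value:
        sub = value["Fn::Sub"]
        text, overrides = (sub, {}) if isinstance(sub, str) else (sub[0], sub[1])
        def lookup(match):
            name = match.group(1)
            if name in overrides:
                return str(overrides[name])
            if name in params and "Default" in params[name]:
                return str(params[name]["Default"])
            raise ValueError(f"cannot resolve ${{{name}}} statically")
        return re.sub(r"\$\{([^}]+)\}", lookup, text)
    raise ValueError(f"unsupported TemplateURL form: {value!r}")

def nested_stack_urls(template):
    """Map each AWS::CloudFormation::Stack resource to its resolved TemplateURL."""
    params = template.get("Parameters", {})
    return {name: resolve_url(res["Properties"]["TemplateURL"], params)
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::CloudFormation::Stack"}

def unapproved_stacks(template, approved_prefixes=APPROVED_PREFIXES):
    """Names of nested stacks whose template is not under an approved prefix."""
    return sorted(name for name, url in nested_stack_urls(template).items()
                  if not any(url.startswith(p) for p in approved_prefixes))
```

Run it as a pre-deployment gate in the pipeline that promotes templates from the version-controlled repository; a non-empty result means the main template references a stack outside the approved source.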
158. Deployment Guide
   Contents:
   • Overview of the compliance framework(s) supported
   • AWS account prerequisites
   • Deployment steps
   • Best practices
   • How to customize and manage the CloudFormation templates
159. Incorporates Security Features via AWS Best Practices (architecture diagram)
   Diagram: a Production/Development VPC (web, app and RDS tiers across Availability Zones #1 and #2, RDS snapshots, fixed content, CloudWatch, CloudTrail logs, IAM) peered with a Management VPC (RDP and AD across both AZs); end users reach the VPC via JWICS, and the management network connects through a customer gateway
   • Users accessing the AWS console can be required to use multi-factor authentication (MFA) with a physical or virtual token
   • CloudTrail logs API activity and outputs this logging to an S3 bucket where it can be analyzed with a number of tools
   • Users who access or manage AWS resources can be restricted by roles and permissions
   • Elastic Load Balancer supports HTTPS and high availability
   • S3 supports both SSL and encryption at rest
   • ACLs and IAM policies applied to any S3 bucket restrict access to S3 data
   • The route table for each web subnet routes traffic to/from the JWICS gateway
   • A network ACL associated with multiple subnets can specify allow/deny ingress and egress rules
   • A separate Management VPC isolates all management applications and access, accessible only via Virtual Private Gateway
   • Logging can be enabled on S3 buckets to track access and operations
   • Private subnets (subnets not routing through a gateway) are not accessible from the Internet
   • Each EC2 instance type (web, app) can have a standard security group specified in the Auto Scaling launch configuration
   • DB security groups specify that only app instances have access to RDS
160. CloudFormation as Part of Governance Model
   Application Development/Deployment Team (Mission Owner, etc.)
   • Application Owner Stack(s): Elastic Load Balancers; Auto Scaling groups; Auto Scaling launch configurations; S3 buckets/bucket policies for static web data; RDS databases; additional CloudWatch alarms; EC2 instances; security groups
   • Config Rules Stack: Config rules; Lambda functions
   • IAM Stack: users; groups; roles; policies; authentication
   Enterprise Provisioning Team
   • Main Stack: launches repeatable baseline stacks
   • Logging Stack: CloudTrail, CloudWatch; S3 buckets and policies for log data; SNS topics
   • Production VPC Stack: VPCs, subnets, gateways, route tables, NACLs
   • NAT Instance Stack: NAT EC2 instance; network interfaces; Elastic IP address
   Hand-off from Provisioning Team to Application Team: the baseline VPC/networks are now ready for application deployment. DONE!
161. CJIS Quick Start Preview (we want your feedback)
   GovCloud URL: https://s3-us-gov-west-1.amazonaws.com/quickstart-reference/enterprise-accelerator/cjis/latest/templates/main.template
   Commercial Region URL: https://s3.amazonaws.com/quickstart-reference/enterprise-accelerator/cjis/latest/templates/main.template
   Deployment Guide: https://tinyurl.com/y9u65xvm
   Security Controls Matrix: https://tinyurl.com/y9r5q4bl
162. Questions?
163. GOVERNANCE@SCALE: Scalable oversight and control of multiple AWS accounts through automation (AWS GovCloud (US))
164. Growing Cloud Adoption
165. What does "enterprise cloud governance" really mean?
166. Common governance questions
   • How to determine the current state of all cloud users and control their access across my enterprise?
   • How to ensure adherence to IT budgets in a pay-per-use model?
   • How to ensure deployments and operations are compliant with relevant legal, regulatory, and/or contractual policies?
167. The typical AWS adoption reality (diagram)
   Stage 1: specific systems, limited accounts, minimal services (e.g., a Project 1 account with S3 and EC2; a Project 2 account with S3, EC2 and RDS)
   Stage 2: numerous systems, multiple accounts, many services (Projects 1 through 6, each in its own AWS account, using S3, EC2, VPC, EMR, Kinesis, Redshift, API Gateway, SQS, WorkSpaces, ECS, Lambda and Elastic Beanstalk)
168. Three principles of governance@scale
   • Account management: align AWS accounts with the organization through a common interface. Standardize and streamline provisioning, maintenance, and access control policies for many AWS accounts and workloads
   • Cost enforcement: ensure AWS accounts and workloads do not exceed budget
   • Compliance automation: accelerate security authorizations, provide continuous monitoring and configuration management, and enforce security controls
169. So...what does this look like? (org chart diagram)
   Executive (CXO), then Senior Leadership (VPs), then Upper Management (Directors), then Management (Managers), down to Projects 1 through 8, each with its own AWS spend ($ to $$$)
170. Account management @scale
   Use AWS Organizations, SSO, CloudFormation, IAM, etc.
   Use a consolidated admin AWS account
   • AWS Identity and Access Management (IAM) users live in this account
   • IAM users assume roles to access other AWS accounts
   • Enforce MFA for role assumptions
   Automate AWS account provisioning
   • Eliminate slow, error-prone manual provisioning
   • Ensure AWS accounts are actively managed
   • Discourage users from using other methods (personal, school, and others) for AWS experimentation
   Implement "single sign-on" through federation
   Use Compliance Quick Starts and Landing Zones as a starting point
   • Policy assignment to IAM users/groups/roles
   • Consolidated admin baseline
   • Target account baseline
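"Enforce MFA for role assumptions" is a property of each target role's trust policy, so it can be verified mechanically. The check below is an added example (not AWS or Quick Start code) over constructed trust-policy documents with a placeholder admin account ID: it flags any role with an Allow sts:AssumeRole statement for an AWS principal that lacks a strict Bool aws:MultiFactorAuthPresent condition, and it shows why BoolIfExists does not count. In practice the documents would come from iam:GetRole, for instance inside a Config rule Lambda (an assumption, not something the deck specifies).

```python
# Constructed trust policies in the shape of get_role()["Role"]["AssumeRolePolicyDocument"];
# the account ID is a placeholder for the consolidated admin account.
ADMIN_ACCOUNT = "arn:aws:iam::111111111111:root"
TRUST_POLICIES = {
    "AuditorRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": ADMIN_ACCOUNT},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
    # No MFA condition at all: any credential from the admin account can assume it.
    "LegacyAdminRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": [ADMIN_ACCOUNT]},
        "Action": ["sts:AssumeRole", "sts:TagSession"]}]},
    # BoolIfExists passes when the key is absent (long-term access keys), so it is
    # not an MFA requirement.
    "WeakConditionRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": ADMIN_ACCOUNT},
        "Action": "sts:AssumeRole",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}}]},
    # Service principals cannot present MFA, so this statement is out of scope.
    "Ec2InstanceRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_requires_mfa(stmt):
    """True only for a strict Bool aws:MultiFactorAuthPresent = true condition."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "Bool":
            continue
        for key, val in pairs.items():
            if key.lower() == "aws:multifactorauthpresent" and any(
                    str(v).lower() == "true" for v in _as_list(val)):
                return True
    return False

def allows_account_assume(stmt):
    """Allow statement granting sts:AssumeRole to an AWS (account/user/role) or * principal."""
    principal = stmt.get("Principal", {})
    is_aws = principal == "*" or (isinstance(principal, dict) and "AWS" in principal)
    if stmt.get("Effect") != "Allow" or not is_aws:
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return bool(actions & {"sts:assumerole", "sts:*", "*"})

def roles_missing_mfa(trust_policies):
    """Roles with at least one account-assumable statement lacking the MFA condition."""
    return sorted(role for role, doc in trust_policies.items()
                  if any(allows_account_assume(s) and not statement_requires_mfa(s)
                         for s in _as_list(doc.get("Statement", []))))
```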
171. Cost enforcement @scale
   Use automation to map AWS accounts to the org. structure
   • Aligns with the current budget process and cost alignments
   Use automation for cost management/enforcement
   • Give decision makers actual spend versus budget projections
   • Allow management to increase budgets
   • Turn off resources to preserve budget
   • Use dynamic IAM policies to throttle usage when budget thresholds are met
   Provide near real-time budget projections so stakeholders are aware of current AWS spend
172. Compliance automation @scale
   • Pre-approve standard security configurations to decrease RMF efforts up to 50% and achieve faster ATOs (days versus months/years)
   • Automate deployment of accounts consistent with security policies (NIST/HIPAA)
   • Pre-populate GRC tools with inherited and system-specific controls
   • Perform continuous monitoring with GRC tools and alert security staff of configuration drift and/or vulnerabilities
173. Where do I go from here?
   • Build or buy a Governance@Scale solution that can grow with you
   • AWS Professional Services can help facilitate the design and help you build a solution based on your requirements
   • Partner solutions are available
   • AWS Solutions Architects can help with designing a solution that fits your needs
174. Questions?
175. Mission Wrap-Up: Putting it all together (AWS GovCloud (US))
176. Where do I go from here?
   • AWS Account Manager / Solutions Architect team
   • AWS Professional Services
   • AWS Training and Self-Help
177. AWS Stages of Adoption (chart of value over time)
   Discovery: "Envisioning your cloud journey"
   Project: "Starting your cloud journey"
   Foundation: "Building your cloud journey muscle memory"
   Migration: "Migration @ scale"
   Reinvention: "Continually optimise what and how you use AWS" (cloud native, retire tech debt)
178. AWS Cloud Adoption Framework Overview
   • Provides supportive guidance for six key organizational perspectives
   • Helps stakeholders understand how to update skills, adapt existing processes, and introduce new processes
   • Takes maximum advantage of the services provided by cloud computing
   The Cloud Adoption Framework is based on six groups of stakeholder perspectives common to the organizational structures of contemporary businesses
179. AWS Training and Self-Help
   • AWS Free Tier
   • Explore our training options
   • Whitepapers
   – Security
   – Risk & Compliance
   • Reference Architecture
   • AWS Marketplace
   • Expect answers to follow-up questions shortly
180. AWS Training and Self-Help
   • (Mostly) Free Training
   – AWS Service Videos and Solution Webinars
   – AWS CBTs: Security Fundamentals https://aws.amazon.com/training/course-descriptions/security-fundamentals/
   – Public Sector Technical Essentials (Herndon and DC)
   – Qwiklabs (advanced labs with codes) https://qwiklabs.com
   – A Cloud Guru https://acloud.guru/
   – Veterans: AWS Educate https://aws.amazon.com/education/awseducate/veterans/
   • Formal AWS Training & Certification
   – AWS: Virtual and Instructor-led (Architecting, Developing, Operations)
     • "DOD-modified Architecting on AWS" Classroom in a Box Training
   – 3rd Party: Global Knowledge
181. Learning Events
   • AWS Automating Compliance Workshops for DOD / Federal
   • AWS Worldwide Public Sector Summit (videos on YouTube)
   • AWS re:Inforce, cloud security conference (videos on YouTube)
   • AWS re:Invent, annual user conference & training, 2-6 December (Las Vegas, NV)
182. What Training Does AWS Offer?
   • Digital Training: free, self-paced online courses built by AWS experts
   • Classroom Training: classes taught by accredited AWS instructors
   • AWS Certification: exams to validate expertise with an industry-recognized credential
183. AWS Certifications Validate Knowledge
   • AWS Certified Security Specialty
   • AWS Certified Machine Learning Specialty
   • AWS Certified Alexa Builder Specialty
184. We Can Help: Training Plan for Your Organization
   AWS Training and Certification can help your organization build cloud skills to make your transition to the AWS Cloud easier, so you can get the most out of your investment, faster