In this session we cover running PROTECTED workloads described by the Australian Cyber Security Centre, answer cloud security questions that we hear from customers, and impart best practices distilled from our experience working with organizations around the world. This session is for everyone who is curious about the cloud, cautious about the cloud, or excited about the cloud.

1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Michael Stringer – AWS Solutions Architect
Cloud Security fundamentals and
PROTECTED workloads on AWS
3rd July 2019

2. “Innovation and cloud help
form the basis on which we will
make the Australian
government more secure.
Innovation is good. Cloud is
good – because it helps us
move off from legacy
systems. Our biggest risk is
indeed legacy systems.”
Voice of our customers

3. Agenda
AWS Security
PROTECTED on AWS
Shared Responsibility Model
Consumer Guide
Reference Architecture

4. Why is security traditionally so hard?
Lack of
visibility
Low degree
of automation

5. ORMove fast Stay secure
Before…

6. ORANDMove fast Stay secure
Now…

7. The most sensitive workloads run on AWS
“With AWS, DNAnexus enables enterprises worldwide to perform
genomic analysis and clinical studies in a secure and compliant
environment at a scale not previously possible.”
— Richard Daly, CEO DNAnexus
“The fact that we can rely on the AWS security posture to
boost our own security is really important for our business.
AWS does a much better job at security than we could ever
do running a cage in a data center.”
— Richard Crowley, Director of Operations, Slack
“We determined that security in AWS is superior to our on-premises
data center across several dimensions, including patching,
encryption, auditing and logging, entitlements, and compliance.”
—John Brady, CISO, FINRA (Financial Industry Regulatory Authority)

8. “CIOs and CISOs need to stop obsessing over
unsubstantiated cloud security worries, and instead
apply their imagination and energy to developing new
approaches to cloud control, allowing them to securely,
compliantly, and reliably leverage the benefits of this
increasingly ubiquitous computing model.”
Source: Clouds Are Secure: Are You Using Them Securely?

9. Automate
with deeply
integrated
security services
Inherit
global
security and
compliance
controls
Highest
standards
for privacy
and data
security
Largest
network
of security
partners and
solutions
Scale with
superior visibility
and control
Move to AWS
Strengthen your security posture

10. Inherit global security and compliance control

11. Quick acronym glossary
ACSC Australian Cyber Security Centre
https://www.acsc.gov.au/
ASD Australian Signals Directorate
https://asd.gov.au/
ISM Australian Government Information Security Manual
IRAP Information Security Registered Assessors Program

12. AWS services assessed at PROTECTED
42 services across a broad range of categories
Standard services, standard pricing
Leverage familiar and established AWS Sydney region
Access to 3 availability zones
Consumer guide and reference architecture immediately
available

13. PROTECTED Classification
www.protectivesecurity.gov.au
Sensitive
information
Security classified information
UNOFFICIAL OFFICIAL
OFFICIAL:
Sensitive
PROTECTED SECRET TOP SECRET
Compromise
of information
confidentiality
would be
expected to
cause →
No business
impact
1 Low business
impact
2 Low to
medium
business
impact
3 High
business
impact
4 Extreme
business
impact
5 Catastrophic
business
impact
Not applicable.
This
information
does not form
part of official
duty.
Not applicable.
This is the
majority of
routine
information
created or
processed by
the public
sector.
Limited
damage to an
individual,
organisation or
government
generally if
compromised.
Damage to the
national
interest,
organisations
or individuals.
Serious
damage to the
national
interest,
organisations
or individuals.
Exceptionally
grave damage
to the national
interest,
organisations
or individuals.

14. AWS Availability Zones
AWS Region
Availability Zone
Physical Sites
Availability Zone
Physical Sites
Availability Zone
Physical Sites
ap-southeast-2a ap-southeast-2b
ap-southeast-2c
Sydney Region
ap-southeast-2

15. The process AWS took with the ACSC
Documentation
Review
(Phase 1)
Assess the
System
(Phase 2)
ACSC
Deep Dive
(Certification)
&
No shortcuts to PROTECTED

16. PROTECTED services in scope
Analytics
Amazon EMR
Amazon Kinesis Data
Firehose
Amazon Kinesis Data
Streams
Amazon WorkSpaces
Desktop
Amazon WorkDocs
Amazon API
Gateway
Mobile
Storage
S3
Amazon S3 Glacier
Amazon EBS
Amazon
DynamoDB
Databases
Amazon
ElastiCache
Amazon Redshift
Amazon RDS
Management
Amazon CloudWatch
AWS CloudFormation
AWS CloudTrail
AWS Config
AWS Systems
Manager
Compute
Amazon EC2
Amazon ECS
ELB
AWS Lambda
Networking & Content
Delivery
Amazon CloudFront
Amazon VPC
AWS Direct Connect
Security
Application Integration
AWS Step Functions
Amazon Simple
Notification Service
Amazon Simple
Queue Service
Amazon Simple
Workflow Service
Amazon Cognito
Amazon
GuardDuty
Amazon
Inspector
AWS CloudHSM
AWS
Directory Service
IAM
AWS KMS
https://aws.amazon.com/compliance/services-in-scope/

17. What’s the difference?
Is there a checkbox? How do I order PROTECTED services?
… there is no difference!

18. Additional Unclassified DLM services
All Protected services can be
used at Unclassified DLM
Unclassified DLM services
can be leveraged in
Protected solutions.
Trusted Advisor
Amazon Route 53
AWS Organisations
AWS Shield

19. AWS shared responsibility model
Security IN
the Cloud
Managed by
customers
Security OF
the Cloud
Managed by
AWS

20. Security IN
the Cloud
Managed by
customers
Security OF
the Cloud
Managed by
AWS
AWS Shared Responsibility Model

21. Security IN
the Cloud
Managed by
customers
Security OF
the Cloud
Managed by
AWS
AWS Shared Responsibility Model
5 Pages
13 Pages
67 Pages
57 Pages

22. Consumer Guide
ACSC developed guidance specifies the required mitigations and additional
security controls for using AWS in PROTECTED systems.
Available now on AWS Artifact.
May need to adapt for your design and business requirements. Talk to ACSC
and AWS.
Services that are certified UNCLASSIFIED DLM are not excluded from use in
PROTECTED systems, but must not contain or process PROTECTED
information themselves.

23. Consumer Guide
• Data in transit
• Data at rest protection
• Data Sovereignty
• Incident response
• Logging, Monitoring, Audit
• Segmentation and Segregation
• Service Hardening
• Other guidance

24. Reference Architecture

26. AWS Identity & Access
Management (IAM)
- Min priv. + MFA
AWS Organizations
- SCP’s
AWS Directory Service
- Federated ID
AWS CloudTrail
- All accounts and regions
AWS Config
Amazon
CloudWatch, CloudWatch
Logs, CloudWatch Events
Amazon GuardDuty
- All account and regions
VPC Flow Logs
ACSC Logging solution
Amazon EC2
Systems Manager
- Patching, automation,
session, parameters
AWS Shield
AWS Web Application
Firewall (WAF)
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
AWS CloudFormation
AWS Key Management
Service (KMS)
- Recommended on all
supported services
Server Side Encryption
Encryption in transit
- VPN and Application
AWS Config Rules
- e.g. KMS enforcement;
continuous compliance
AWS Lambda
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
Reference Architecture – CAF alignment

27. Resources
AWS and Essential 8 https://aws.amazon.com/blogs/publicsector/aws-and-the-
australian-signals-directorate-essential-eight/
AWS and ASD Cloud Security for Tenants
https://d1.awsstatic.com/whitepapers/compliance/Understanding_the_ASDs_Cl
oud_Computing_Security_for_Tenants_in_the_Context_of_AWS.pdf
Services in Scope https://aws.amazon.com/compliance/services-in-scope/
AWS Compliance IRAP page: https://aws.amazon.com/compliance/irap/
AWS Security and Compliance pages:
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/

28. Summary
ACSC awarded PROTECTED certification to AWS.
Now listed on CCSL at PROTECTED and UNCLASSIFIED
DLM levels.
Broad range of 42 services now in scope at PROTECTED.
All available at standard public pricing.
Leverage established AWS Sydney region with 3
Availability zones.
Reference Architecture and ACSC Consumer guidance
immediately available.