In this session you will learn how to align your AWS environment to industry standard best practices for security. This session covers AWS' prescriptive recommendations for securing cloud workloads, including the the Well-Architected Framework for Security. In addition, see how AWS Security Hub simplifies the task of measuring the security of your workloads.

1. S U M M I T
SYDNEY

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Security at scale: AWS Security Hub
and the Well-Architected Framework
Tyson Garrett
Principal Security Architect APJC
AWS Professional Services
Amazon Web Services
Phil Wait
Senior DevOps Engineer
Transurban Group

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Agenda
Security challenges
Findings into insights demo
Introduction to AWS Security Hub
Transurban Group use of AWS Security Hub
Compliance with AWS Security Hub

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Common security challenges we are facing
Large volume of
alerts and the need
to prioritise
Prioritising
Lack of single pane
of glass across
security and
compliance tools
Visibility
Dozens of security
tools with different
data formats
Multiple formats
Ensure your AWS
infrastructure
meets compliance
requirements
Compliance

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS security services overview
Identify Protect Detect RecoverRespond

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
https://aws.amazon.com/well-architected/
AWS Well-Architected

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
How to be secure: AWS Well-Architected Tool
• It is in the console
• If its not in your region, use us-east-1 (Nth Virginia)
• Use it as a training/learning tool
• Create a dummy workload & start

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Where to start
• Identity and access management
• Use automation
• Enable detection
• Prepare for an incident

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
How do you detect and investigate security events?
• Define requirements for logs
• Define requirements for metrics
• Define requirements for alerts
• Configure service and application logging
• Analyze logs centrally
• Automate alerting on key indicators
• Develop investigation processes

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Well-Architected Resources
Document of all five areas of the framework:
https://wa.aws.amazon.com/
Hands on labs and code to help you learn, measure,
and build using architectural best practices:
https://github.com/awslabs/aws-well-architected-labs

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Identifying potential data exfil with AWS Security Hub
Amazon S3 Amazon
CloudWatch
Amazon SNS AWS Lambda
AWS Security Hub
Amazon GuardDuty
Amazon Inspector
Finding
Finding
Security Hub
Insight
Software Without Data
Execution Prevention (DEP) –
Medium Severity Alert
Recon:EC2/Portscan
(Medium Severity Alert)
Finding

12. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Security Hub insights
Security findings that are correlated and grouped for prioritisation
• More than 100 pre-built insights provided by AWS and AWS partners
• Ability to create your own insights
• Dashboard provides visibility into the top security findings
• Additional details for each finding is available for review
Prioritisation allows you to respond to what's important more quickly
EC2 instances that have
missing security patches
S3 buckets with stored
credentials
S3 buckets with public read
and write permissions

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Insights help identify resources that require attention

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Security Hub workflow
Take action
based on
findings
Enable AWS
Security Hub for all
your accounts
Account 1
Account 2
Account 3
Conduct
automated
compliance scans
and checks
Continuously
aggregate and
prioritise findings

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Partner integrations

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Security Finding Format syntax highlights
Network Process Resource Threat

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Security Finding Format normalised severity
Informational Low Medium CriticalHigh
AWS Security Hub automatically translates the native severity into the normalised severity
based on the guidance below. For findings generated by the supported third-party partner
products, partners can also use this guidance.

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Customisable response and remediation actions
Event (event-
based)
2. Findings are sent
to CloudWatch
decorated with a
custom action ID
AWS Lambda
or
AWS Step Functions
4. The rule defines
a target – typically
a Lambda or Step
Function
3. The custom action
ID is used to match
up with a CloudWatch
Event rule
Amazon
CloudWatch
Rule
5. The target could be
things like a chat, ticketing,
incident management or
remediation system
AWS
AERO
1. AWS Security Hub use
selects findings in the
console and takes a
custom action on them
AWS Security Hub

20. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
TRANSURBAN GROUP
We plan, build and
operate premium roads
ASX 13
8.5M customers globally
PHIL WAIT
Senior DevOps Engineer
AWS Cloud Warrior
Quote Misrememberer

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Config with CIS baseline
AWS Config
Severity Company Product Title
Informational AWS AWS Security Hub
1.22 Ensure IAM policies that allow full “*.*”
administrative privileges are not created.
Low AWS AWS Security Hub
1.2 Ensure multi-factor authentication (MFA) is
enabled for all IAM users that have a console
password
[digital-nonprod] Resource DBInstance db-IN3MC3ZIBLHMMXHMJYDENFYCHI
has no Name tag.
has no Role tag.
AWS Tag Compliance
2.2 Ensure CloudTrail log file validation is enabled
X Non-compliant
1 CloudTrail trail failed
1 CloudTrail trail passed

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Amazon GuardDuty and security notifications
Amazon
GuardDuty
“service”:
“servicename”: “guardduty”,
“detectorID”: ”ecb3850758225598ecbb4458db21ecc3”,
“action”: {
“actionType”: “DNS_REQUEST”,
“dnsRequestAction”: {
“domain”: “cxwbbhqdmxea.com.au”,
”protocol”: “0”
”blocked”: “false
}
},
“resourceRole”: “TARGET”,
”additionalInfo”: {},
“eventFirstSeen”: 2018-11-16T03:52:18Z”
“eventLastSeen”: 2019-04-07T32:03:19Z”
“archived”: false,
”count”: 55
},
“severity”: 8,
“createdAt”: “2018-11-16T04:37:44.321Z”,
”updatedAt”: “2019-04-08T01:01:58.454Z”,
“title”: “DGA domain name queried by EC2 instance i-0e2f09fd29aecf26b
”description”: “EC2 instance i-0e2f09fd29aecf26b is querying algorithmically generated domains. Such domains
are commonly used by malware and could be an indication of a compromised EC2 instance.”

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Democratising data for users
SecOps
Engineers
DevOps
Engineers Amazon GuardDuty
AWS Security Hub
VPC Flow
logs
IOC’s

25. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Compliance standards
• Based on CIS AWS Foundations
Benchmark
• Findings are displayed on main
dashboard for quick access
• Best practices information is
provided to help mitigate issues
Compliance
Standards
AWS Security
Hub

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Automated
compliance checks

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Security Hub benefits
Managed regional AWS service in minutes that aggregates findings
across AWS accounts
Manage security and compliance findings in a single location, increasing
efficiency of locating relevant data
Create custom insights to track issues unique to your environment

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Related breakouts
Automated forensics and incident response on AWS
Barry Conway
Automate security event management using trust-based decision models
Deena and Vinod
So You Want to be a Well-Architected?
Ben Hunter

31. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tyson Garrett Phil Wait