In order to ensure security best practices in your AWS accounts, you must establish a security baseline and then enforce it across all of these accounts. In this session, you will learn how to use AWS CloudFormation and AWS Organizations to execute security best practices (AWS CloudTrail, AWS Config, Flow Logs, S3 Access logs, etc...) in scenarios where you are managing many AWS accounts across an organization. You will see how to leverage Service Catalog across multiple accounts. Learn how to store all of these logs in a centralized logging system such as Amazon ElasticSearch Service, set up alerts, and drift detection on anomalous or high-risk activity.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Will St. Clair
Sr. Solutions Architect, Amazon Web Services
194360
Security Automation using AWS
Management Tools

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Classify workloads and define controls
Provision and baseline your environments
Secure and monitor AWS configuration
Secure and monitor your workloads
Respond and remediate

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Classify workloads and define controls
Provision and baseline your environments
Secure and monitor AWS configuration
Secure and monitor your workloads
Respond and remediate

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Confidentiality
Availability
Workloads
Classify workloads based on impact

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Availability
Confidentiality
Individual dev/test
Web/digital Critical external apps
Sensitive internal apps
Team dev/test
Low-risk apps
Exploratory research/analytics
Data science dev/test
Classify workloads based on impact

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Availability
Confidentiality
Classify workloads based on impact

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Confidentiality
Risk of
change
Classify workloads based on impact

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Impact levelLESS IMPACT MORE IMPACT
Controls
Low
Medium
Medium
Medium-High
High
Controls are additive

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use AWS accounts as impact and workload
boundaries

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Classify workloads and define controls
Provision and baseline your environments
Secure and monitor AWS configuration
Secure and monitor your workloads
Respond and remediate

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Organizations
• Policy-based management for multiple AWS accounts
• Create new AWS accounts using the organization’s API
• Organize accounts into groups and then apply policies to those
groups
• Consolidate bills for all accounts in your organization and use a
single payment method

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Account Lifecycle
Identify need Determine
classification
Provision
AWS account
Apply security
baseline
Monitor and
respond
Periodically
review

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatchAWS ConfigAWS CloudTrail
CloudWatch
Events
AWS Config
Rules
IAM
Managed
Policies
Roles
Amazon VPC
Flow logs
What’s in a baseline?

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudFormation
AWS CloudFormation is a service that provides a common language for you to
describe and provision all your infrastructure resources for your AWS
environment.
Template
JSON or YAML document
Infrastructure as code
Comprehensive service
support
Change Sets
Computes changes to the
environment
Allows for review and
approval
Stack
Configured AWS services
Nested stacks
Cross-stack references

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Distributing standardized configurations
AWS Service Catalog
Create self-service portfolios of
IT products and services
Define products using
CloudFormation templates
AWS CloudFormation
Stack Sets
Easily manage common
stacks across accounts
and regions

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo: Baseline account configurations
using AWS CloudFormation StackSets

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Classify workloads and define controls
Provision and baseline your environments
Secure and monitor AWS configuration
Secure and monitor your workloads
Respond and remediate

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudTrail
AWS CloudTrail provides a history of your AWS account activity, including actions
taken through the AWS Management Console, AWS SDKs, command-line tools,
and other AWS services.

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudTrail use cases
• Meet compliance controls by having durable and auditable
activity logs
• Gain visibility into IAM user activity
• Detect access to sensitive data from unauthorized
networks or IP addresses
• Troubleshoot misconfigured permissions for applications

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Best Practices for Amazon CloudTrail
• As part of your security baseline, create a trail within all
accounts which aggregates events from all regions
• Log to a single S3 bucket in a central account
• Use AWS KMS encryption
• Has log file validation enabled
• Logs both management and data events for all resources
• Integrate with CloudWatch Logs to create derived metrics
• Use CloudWatch Events to report high-value events to
ticketing or chat systems

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Config
• Continuous recording and continuous assessment
service
• Tracks configuration changes to AWS resources
• Records snapshots of resource configuration state
• See and alert on whether an environment is in or out of
compliance

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Config
Resource state
changes
AWS Config Configuration
snapshots
AWS Config Rules Compliance
state
Amazon S3 Aggregation and
analysis

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Config Rules
Create rules which reflect your desired state for the environment and alert when
the environment is non-compliant. Choose from built-in rules or write your own
using AWS Lambda.
Are my EBS volumes encrypted?
Do I have S3 buckets open to the public?
Is there outdated software running on my instances?
Are my RDS instances being backed up?

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Config Dashboard
Aggregate rule compliance information across accounts and regions

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Best Practices for AWS Config
• Deliver configuration snapshots to a single central S3
bucket
• Parse out key information, such as resource IP
addresses, hostnames, and AMI IDs for analysis
alongside your logs
• Use AWS CloudFormation and StackSets to deploy rules
into AWS accounts

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo: Monitoring compliance
using AWS Config

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Classify workloads and define controls
Provision and baseline your environments
Secure and monitor AWS configuration
Secure and monitor your workloads
Respond and remediate

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Systems Manager
AWS Systems Manager allows you to centralize operational data from multiple
AWS services and automate tasks across your AWS resources.
State Manager
Define and maintain
consistent configuration of
operating systems and
resources running in your
data center or in AWS
Inventory
Collect system and
application configuration
information from your
instances
Patch Manager
Select and deploy operating
system and software
patches automatically
across your instances

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Systems Manager Demo

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Secrets Manager
AWS Secrets Manager helps you manage, rotate, and retrieve database
credentials, API keys, and other secrets throughout their lifecycle. Applications
securely retrieve credentials on-demand, eliminating hardcoded or plaintext
storage of sensitive information.
Fine-grained
access controls
Managed credential
rotation
Integration with
Amazon RDS

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Secrets Manager Demo

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Classify workloads and define controls
Provision and baseline your environments
Secure and monitor AWS configuration
Secure and monitor your workloads
Respond and remediate

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatch Events
Amazon
CloudWatch
Service Events
Scheduled Events
{
"source": ...,
"detail-type": ...,
"detail": ...
}
Event Pattern Event Target

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatch Events Targets
EC2
(Snapshot, stop,
reboot, terminate)
AWS Batch
Amazon Elastic
Container Service
AWS CodeBuild
AWS CodePipeline
AWS Systems Manager Amazon Inspector
Amazon KinesisAmazon SQS
Amazon SNS AWS Lambda
AWS Step
Functions

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatch Events Sources
API Calls
Scheduled events
Amazon EBS
Amazon EC2
Amazon ECS
Amazon EMR
Amazon GameLift
Amazon GuardDuty
Amazon Macie
EC2 Auto Scaling
AWS Batch
AWS CodeBuild
AWS CodeCommit
AWS CodeDeploy
AWS CodePipeline
AWS Glue
Service events
AWS Health
AWS Key Management Service
AWS OpsWorks Stacks
AWS Server Migration Service
AWS Systems Manager
AWS Trusted Advisor

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo: Automatically remediate using
CloudWatch Events

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!