Automating Compliance for Financial Institutions - AWS Summit SG 2017

This session demonstrates how to architect for continuous compliance and security using CloudWatch Events and AWS Config rules. This session focuses on the actual code for the various controls, actions, and remediation features, and how to use various AWS services and features to build them. The demos in this session include CIS Amazon Web Services Foundations validation; examples of custom rules for regulatory compliance and how to automate aspects of incident response.

  1. Automating Compliance for Financial Institutions. Myles Hosford, Security Solutions Architect, Amazon Web Services, APAC. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. What to expect from this session: how to enforce compliance, how to assess compliance, and how to remediate non-compliance. Services covered: AWS Config Rules, AWS CloudFormation, AWS Service Catalog.
  3. Compliance: 'a state of being in accordance with established guidelines, industry regulations and government legislation'.
  4. The Compliance Cycle: Enforce, Assess, Remediate. Services used across the cycle: IAM, AWS CloudFormation, AWS Service Catalog, AWS Config, Config Rules, AWS CloudTrail, AWS Lambda.
  5. How do you enforce compliance?
  6. AWS Identity & Access Management: IAM users, IAM groups, IAM roles, IAM policies.
  7. AWS CloudFormation – Everything as Code. A template (a JSON/YAML text file describing infrastructure) is turned into a stack by AWS CloudFormation; resources are created from the template and can be updated later. Use it to orchestrate changes across AWS services, as the foundation for Service Catalog products, and together with source code repositories to manage infrastructure changes.
  8. Reference architecture diagram (image not recoverable): a corporate data center connected over Direct Connect or VPN; a DMZ zone (web tier) and an app zone, each an Auto Scaling group of EC2 instances with its own security group, root and data volumes, encrypted EBS snapshots and an AES256-encrypted S3 bucket for logs; a DB zone using AWS KMS and AWS CloudHSM; Internet traffic allowed over HTTP/HTTPS only to the web tier.
  9. Everything is Code: firewall rules, network ACLs, internal and external subnets, gold OS images, encryption, compliance checks, logging & monitoring, all translated into AWS JSON (gold image, NTP and NAT; network ACLs, subnets, firewall rules).
  10. CloudFormation. An example: firewall rule.
  11. CloudFormation firewall rule example: the template opens Telnet, an insecure clear-text protocol, to any IP on the Internet. The mis-configuration is detected BEFORE the environment is even built. It fails MAS TRM 9.1.1: FIs should identify important data and adopt adequate measures to detect and prevent unauthorised access, copying or transmission of confidential information.
  12. AWS Service Catalog. Organizations want control, standardization and governance; developers want agility, self-service and time to market. AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy the approved IT services they need in a self-service manner.
  13. How do you enforce compliance?
  14. How do you assess compliance?
  15. IT Security Policy & Controls.
  16. IT Security Policy & Controls: nobody reads them, they are difficult to enforce, and they are rarely updated.
  17. AWS Config Rules: set up rules to check recorded configuration changes; use pre-built rules provided by AWS; author custom rules using AWS Lambda; rules are invoked automatically for continuous assessment; use the dashboard to visualize compliance and identify offending changes.
  18. AWS Config Rules can encode internal controls, MAS Guidelines and industry best practice. Bake these compliance checks into your CloudFormation templates.
  19. AWS Config Rules – managed rules (30+), for example: Encrypted Volumes, Restricted SSH, CloudTrail Enabled, Root MFA, Password Policy, Approved OS Image.
  20. Custom Rules.
  21. MAS TRM examples mapped to AWS Config rules: 9.1.6 "Confidential information stored on IT systems, servers and databases should be encrypted" → encryption must be used for EBS volumes (managed rule); 9.3.2 "The FI should conduct regular enforcement checks to ensure that the baseline standards are applied uniformly and non-compliances are detected and raised for investigation" → instances must be launched from a specific approved 'gold' AMI (managed rule); 9.6.2 "The FI should implement network surveillance and security monitoring procedures" → VPC Flow Logs must be enabled (custom rule).
  22. How do you assess compliance?
  23. How do you remediate non-compliance?
  24. Continuous remediation: users make changes; AWS Config rules (encryption, gold OS image, VPC Flow Logs) evaluate them and publish results to an Amazon SNS compliance topic, which invokes an AWS Lambda auto-remediate function that can 1. terminate, 2. encrypt, 3. alert ops, or 4. do nothing.
  25. Periodic remediation / reporting: an AWS Lambda periodic poll function queries AWS Config through the AWS API against the same rules, can take the same four actions, and produces a risk report.
  26. Create periodic risk & compliance reports.
  27. How do you remediate non-compliance?
  28. Conclusion. Prevent users from operating in a non-compliant environment. Perform continuous compliance: annual assessments do not meet the bar. Automate remediation to improve consistency and response time. Automate everything: prevention, detection, response.
  29. Thank you! Stay Secure!
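The "enforce" half of the deck (slides 10 and 11) shows a CloudFormation firewall rule that opens Telnet to the whole Internet and is caught before the stack is created. The following is an added example, not code from the talk or from AWS, of the kind of pre-deployment check that catches it: it walks the `Resources` section of a JSON template and flags any security-group ingress rule that exposes a forbidden port to 0.0.0.0/0 or ::/0. The forbidden-port list, the resource names and the sample template are constructed for the example; intrinsic functions such as `{"Ref": ...}` in a CIDR field cannot be resolved statically and are skipped.

```python
"""Pre-deployment check for CloudFormation security-group ingress rules.

Added example (not the talk's code): run it against a template before
'aws cloudformation create-stack' so a world-open clear-text or admin port
fails the pipeline instead of being built.
"""
import ipaddress
import json

# Assumed policy for the example: ports that must never be open to the Internet.
FORBIDDEN_PORTS = {23: "telnet", 21: "ftp", 3389: "rdp"}


def _rule_ports(rule):
    """Inclusive (from, to) port range a rule covers; protocol -1 means every port."""
    if str(rule.get("IpProtocol", "")) == "-1":
        return (0, 65535)
    lo = int(rule.get("FromPort", 0))
    hi = int(rule.get("ToPort", lo))
    return (lo, hi)


def _is_world_open(rule):
    """True when the rule's source is a CIDR with prefix length 0 (0.0.0.0/0 or ::/0)."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if not isinstance(cidr, str):
        return False  # source is a security group, or a Ref/intrinsic we cannot resolve statically
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_open_ports(template):
    """Return sorted (logical_id, port, name) findings for forbidden ports reachable from anywhere."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        else:
            continue
        for rule in rules:
            if not _is_world_open(rule):
                continue
            lo, hi = _rule_ports(rule)
            for port, name in FORBIDDEN_PORTS.items():
                if lo <= port <= hi:
                    findings.append((logical_id, port, name))
    return sorted(findings)


# Constructed template: a web tier that correctly allows 80/443 from anywhere
# but also opens Telnet to the world; the RDP rule is internal-only and passes.
TEMPLATE = json.loads("""
{
  "Resources": {
    "WebTierSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 80,  "ToPort": 80,  "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 23,  "ToPort": 23,  "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "AppTierAdmin": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {"Ref": "AppTierSG"},
        "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"
      }
    }
  }
}
""")

if __name__ == "__main__":
    for logical_id, port, name in find_open_ports(TEMPLATE):
        print(f"FAIL {logical_id}: {name}/{port} open to the Internet")
```

Running the check on the constructed template reports only `WebTierSG` for telnet/23; an `IpProtocol: -1` rule from `::/0` would be reported for every forbidden port, which is why the range check, not an exact port match, is used.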
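The "assess" half (slides 17 to 21) says custom Config rules are authored as AWS Lambda functions; slide 21 gives "instances must be launched from an approved gold AMI" as one such check. Below is an added example of that rule, not the presenter's code: the evaluation is kept in plain functions so it can be tested offline, and only `lambda_handler` talks to AWS (via `boto3`, imported inside the handler). The rule parameter name `approvedAmiIds`, the rule name and the sample invocation are assumptions; the event shape (`invokingEvent` and `ruleParameters` as JSON strings, `resultToken`) is what AWS Config passes to a custom rule on a configuration change.

```python
"""Custom AWS Config rule: EC2 instances must run an approved 'gold' AMI.

Added example, not the talk's code. Approved AMI IDs arrive in the rule's
input parameters as "approvedAmiIds", a comma-separated string (assumed name).
"""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def parse_approved_amis(rule_parameters):
    """rule_parameters is the JSON string Config passes in event['ruleParameters']."""
    params = json.loads(rule_parameters or "{}")
    return {a.strip() for a in params.get("approvedAmiIds", "").split(",") if a.strip()}


def evaluate(configuration_item, approved_amis):
    """Return (compliance_type, annotation) for one Config configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return NOT_APPLICABLE, "rule only applies to EC2 instances"
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "resource deleted"
    if not approved_amis:
        # Fail closed: an empty allow-list must not silently mark every instance compliant.
        return NON_COMPLIANT, "no approved AMIs configured for this rule"
    image_id = configuration_item.get("configuration", {}).get("imageId")
    if image_id in approved_amis:
        return COMPLIANT, f"{image_id} is an approved gold image"
    return NON_COMPLIANT, f"{image_id} is not an approved gold image"


def build_evaluation(event):
    """Turn a configuration-change invocation into the Evaluation dict Config expects."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, note = evaluate(item, parse_approved_amis(event.get("ruleParameters")))
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point in AWS: evaluates the item and reports the result back to Config."""
    import boto3  # imported here so the evaluation logic above stays importable offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed invocation, shaped like what AWS Config sends a custom rule;
# the instance runs an image that is not on the approved list.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2017-08-01T10:00:00.000Z",
            "configuration": {"imageId": "ami-deadbeef"},
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "ruleParameters": json.dumps({"approvedAmiIds": "ami-0a1b2c3d, ami-gold1234"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Two details matter in practice: a deleted resource must be reported as NOT_APPLICABLE rather than NON_COMPLIANT, or the dashboard fills with findings for instances that no longer exist, and an empty allow-list fails closed so a mis-typed rule parameter cannot turn the check off.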
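The "remediate" half (slides 24 and 25) has a Lambda function choose between terminate, encrypt, alert ops, and do nothing when a rule turns non-compliant. The following is an added example of that dispatcher, not the talk's code. It assumes the function is triggered by a CloudWatch Events rule on the `Config Rules Compliance Change` detail type (the session description mentions CloudWatch Events; the slide shows an SNS topic, whose payload would wrap the same detail). The rule names in the playbook, the production allow-list and the sample event are constructed; the function returns the planned API call rather than executing it, so the plan can be logged and reviewed before the `boto3` call is wired in.

```python
"""Auto-remediation dispatcher for AWS Config compliance-change events.

Added example, not the talk's code. Maps a rule that just became NON_COMPLIANT
to one of four responses and returns the API call it would make.
"""
import json

TERMINATE, ENCRYPT, ALERT, NOTHING = "terminate", "encrypt", "alert", "nothing"

# Assumed playbook: response per Config rule name (names are invented for the example).
PLAYBOOK = {
    "gold-ami-only": TERMINATE,       # custom rule: instance not from an approved AMI
    "encrypted-volumes": ENCRYPT,     # managed rule: unencrypted EBS volume
    "vpc-flow-logs-enabled": ALERT,   # custom rule: flow logs missing on a VPC
}


def decide(detail, production_ids=frozenset()):
    """Return (action, reason) for one compliance-change event 'detail' object.

    Only a transition *into* NON_COMPLIANT triggers action; a re-evaluation that
    stays NON_COMPLIANT is left to the periodic report, so a flapping rule cannot
    terminate the same instance twice. Destructive actions are downgraded to an
    alert for resource IDs the caller marks as production.
    """
    new = detail.get("newEvaluationResult", {}).get("complianceType")
    old = detail.get("oldEvaluationResult", {}).get("complianceType")
    if new != "NON_COMPLIANT":
        return NOTHING, f"new state is {new}"
    if old == "NON_COMPLIANT":
        return NOTHING, "already non-compliant; left to the periodic report"
    rule = detail.get("configRuleName")
    action = PLAYBOOK.get(rule, ALERT)  # unknown rule: never act blindly, alert instead
    if action == TERMINATE and detail.get("resourceId") in production_ids:
        return ALERT, "production resource; refusing to auto-terminate"
    return action, f"playbook entry for {rule}"


def plan(event, production_ids=frozenset()):
    """Translate the decision into the AWS API call the handler would make."""
    if event.get("detail-type") != "Config Rules Compliance Change":
        return None
    d = event["detail"]
    action, reason = decide(d, production_ids)
    calls = {
        TERMINATE: ("ec2.terminate_instances", {"InstanceIds": [d.get("resourceId")]}),
        # An existing EBS volume cannot be encrypted in place: snapshot it, copy the
        # snapshot with Encrypted=True, then swap the volume. The plan records step one.
        ENCRYPT: ("ec2.create_snapshot", {"VolumeId": d.get("resourceId"), "Description": "pre-encryption copy"}),
        ALERT: ("sns.publish", {"TopicArn": "<compliance-topic-arn>", "Message": json.dumps(d)}),
        NOTHING: (None, {}),
    }
    api, args = calls[action]
    return {"action": action, "reason": reason, "api": api, "args": args}


# Constructed event in the shape CloudWatch Events delivers for a Config compliance change.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "configRuleName": "gold-ami-only",
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",
        "awsRegion": "ap-southeast-1",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}

if __name__ == "__main__":
    print(json.dumps(plan(SAMPLE_EVENT), indent=2))
    print(json.dumps(plan(SAMPLE_EVENT, production_ids={"i-0123456789abcdef0"}), indent=2))
```

The transition check and the production guard are the two pieces a practitioner should not skip: the slide's "terminate" option is only safe when the function cannot be re-triggered into the same action and when the blast radius is bounded by something other than the rule author's good intentions.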