As organizations move their workloads to the cloud, companies must take steps to protect and audit their private and confidential information. This session focuses on Amazon S3 best practices and using AWS CloudTrail Data Events to help better protect data residing within Amazon S3. The session includes a demonstration to show how CloudTrail, in combination with other AWS services, can help with Amazon S3 governance and compliance requirements.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Using AWS CloudTrail
to Enhance Governance and
Compliance of Amazon S3
B o b O ’ D e l l , S r . P r o d u c t M a n a g e r , A W S C l o u d T r a i l
T a k e C o n t r o l o v e r Y o u r C l o u d E n v i r o n m e n t
N o v e m b e r 3 0 , 2 0 1 7
D E V 3 1 1
AWS re:INVENT

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect from the session
• Overview of:
• Governance and compliance
• Amazon S3 features
• AWS Config and Config rules
• AWS CloudTrail
• AWS CloudTrail S3 data events
• Use cases and examples
• S3 data events demo
• Amazon Macie

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is governance and compliance?
Governance is the oversight role and the process by which
companies manage and mitigate business risks
Compliance ensures that an organization has the process and
internal controls to meet the requirements imposed by the
governance body

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
So what does this mean?
To effectively use IT in enabling an organization to achieve its governance
and compliance goals, you need to:
• Define—what IT is supposed to do
• Discover—what IT resources exist
• Monitor—what IT is doing
• Manage, report, and respond—to “changes to” and “non-compliance of”
IT resources

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The challenge
- Define
- Discover
- Monitor
- Manage
- Report
- Respond
- Agility
- Innovation
Governance
Developmentspeed

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS enables you to do both
- Define
- Discover
- Monitor
- Manage
- Report
- Respond
- Agility
- Innovation
Governance
Developmentspeed
With AWS, you can programmatically:
• Define provisioning and configuration of
resources
• Continuously discover new resources and
changes to existing resources
• Monitor resources and operations for
compliance
• Manage, report on, and respond to
changes to your resources

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS shared responsibility model

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understand customer data in Amazon S3
What do you have in your S3 buckets?
• Static website content
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• Logs
• Sensitive data
• Password files

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon S3 Features

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon S3 features to help you
with governance and compliance
• S3 bucket policies
• S3 VPC endpoints
• S3 access logs
• Encryption options (now including default encryption)
• MFA delete
• Versioning and lifecycle policies

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon S3 features to help you
with governance and compliance
• Default encryption
• Permission checks
• Cross-region replication ACL overwrite
• Cross-region replication with KMS
• Detailed inventory report with encryption status

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bucket Permissions Check

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
S3 Inventory
Save time Daily or weekly delivery Delivery to S3 bucket
• Same set of metadata as the LIST API
• Can add size, last modified date, storage class, etag, or replication status
Trigger business workflows and applications such as secondary index,
garbage collection, data auditing, and offline analytics
Event notification for
log delivery

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
S3 Inventory
Object level
Encryption Status
CSV or ORC
output format
Query with Amazon
Athena, Redshift
Spectrum or any Hive
tools
Encrypt inventory
with SSE or KMS

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
S3 Inventory
Bucket name
Key name
Version ID
IsLatest
Size
Last modified date
ETag
Storage class
Multipart upload flag
Delete marker
Replication status
Encryption status

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS services that can further enhance
your efforts
AWS Config AWS CloudTrail Amazon Macie

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
• AWS Config is a service that enables you to assess, audit, and evaluate the
configurations of your AWS resources. Config continuously monitors and
records your AWS resource configurations and allows you to automate the
evaluation of recorded configurations against desired configurations.
AWS Config
- Discover
- Monitor
Changing resources AWS Config Config Rules
History
Notifications
API Access

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Configurable and customizable rules:
• Check whether logging is enabled for your S3 buckets
• Check whether S3 buckets have policies that require requests to use
Secure Socket Layer (SSL)
• Check whether versioning is enabled for your S3 buckets; optionally,
you can check if MFA delete is enabled for your S3 buckets
AWS Config rules
Check out the aws-security-benchmark
https://github.com/awslabs/aws-security-benchmark/blob/master/architecture/create-benchmark-rules.yaml

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
New AWS Config rules
• AWS Config supports two new managed rules to detect overly
permissive Amazon S3 bucket policies

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Continuous monitoring
Change management
Continuous assessment
Operational troubleshooting
AWS Config key benefits

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Examples:
• Detecting S3 buckets with public read or write access
• Tracking configuration changes over time
• Verifying compliance (internal and regulatory) with defined business
policies and controls
AWS Config common use cases
- Discover
- Monitor

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Let’s enable AWS Config S3 rules and investigate any buckets that have
public read permissions
AWS Config Demo

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail
• AWS CloudTrail provides a history of your AWS account activity, including
actions taken through the AWS Management Console, AWS SDKs,
command line tools, and other AWS services
- Discover
- Monitor

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Examples:
• Meet compliance controls by having durable and auditable activity logs
• Gain visibility into IAM user activity
• Detect access to sensitive data from unauthorized networks or
IP addresses
• Troubleshoot misconfigured permissions for applications
AWS CloudTrail common use cases
- Discover
- Monitor

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
• Create 1 “audit” trail that applies to all regions within each account that:
• Logs to a centralized Amazon S3 bucket with S3 bucket permissions
restricted to select personnel
• Uses AWS KMS encryption
• Has log file validation enabled
• Logs both management events and data events for all resources
• Create additional trails as needed within the AWS account for operations, support,
and development needs
• Create Amazon CloudWatch Events rules and workflow for high-value activities
• Leverage integration with Amazon CloudWatch Logs, Amazon Athena, Amazon
Kinesis Analytics, Amazon QuickSight, Amazon Elasticsearch Service, or AWS
Partner solution for deeper analysis, anomaly detection, and alerting
AWS CloudTrail best practices
- Discover
- Monitor

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail features
• S3 log delivery
• Log file encryption
• Integrity validation
• SNS notification
• Cross-account S3 delivery
• CloudWatch Logs integration
• CloudWatch Events integration
• Personal Health Dashboard integration
• Support for multi-region configurations
• Event filters for read/write event actions

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail S3 support
• By default, CloudTrail records Amazon S3 bucket-level
actions as part of management events
• Last year, CloudTrail introduced S3 data events

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail S3 Data Events
S3 Data events are object-level API operations that access S3
objects, such as GetObject, DeleteObject, and PutObject. By default,
trails don't log data events, but you can configure trails to log data
events for S3 buckets and objects that you specify.
• S3 bucket-level operations are still captured by default as part
of CloudTrail Management Events
How it works:
• Enable at the bucket or bucket/prefix level
• Captures S3 object-level API activities
• Event logs delivered to your S3 bucket designated in your trail
• $0.10 per 100,000 data events

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail S3 Data Events
S3 data events differ from S3 access logs in the following ways:
• Delivered to CloudWatch Events within seconds of the activity
occurring, and to S3 log storage and CloudWatch Logs within
minutes
• Include additional information, such as additional user identity
details, error messages, request parameters, and regional
information
• JSON format, consistent with all other CloudTrail event logs
• Inherit all the CloudTrail features, including log file integrity
validation

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Use case: Detect data exfiltration
Example: Detect access to sensitive data from unauthorized networks or
IP addresses.
• You can detect data exfiltration by collecting activity data on S3
objects through object-level API events recorded in CloudTrail. After
the activity data is collected, you can use other AWS services, such as
Macie, CloudWatch Events, and AWS Lambda, to trigger response
procedures.
AWS CloudTrail S3 Data Events

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Use case: Perform security analysis
Example: Identify who changed the permissions on a private file
to public.
• You can quickly detect misconfiguration and perform security
analysis by ingesting AWS CloudTrail S3 Data Events into your
log management and analytics solutions such as Macie,
CloudWatch Logs, CloudWatch Events, Athena, Elasticsearch
Service, or a third-party solution
AWS CloudTrail S3 Data Events

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail Demo
Demo: Enable S3 data events using the AWS CloudTrail console

36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail Demo—Scenario
(S3 Data Event—ACL Change)
Detect if an S3 object becomes public, auto-remediate the issue by
removing the public read/write permissions, and notify the security team
with full details of the event

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo scenario (S3 Data Event—ACL Change)
Step 1. Create your Lambda function
Step 2. Create a CloudWatch Event rule
Step 3. Change the file “Jan2017-profit-loss.xlsx” from private to
publically accessible
AWS Security Blog
How to Detect and Automatically Remediate Unintended Permissions in
Amazon S3 Object ACLs with CloudWatch Events

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

41. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

42. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

43. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

44. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

45. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Macie

46. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is it?
• Amazon Macie is a security service that uses
machine learning to automatically discover, classify,
and protect sensitive data in AWS
• What data do I have in the cloud?
• Where is it located?
• How is data being shared and stored?
• How can I classify data in near-real time?
• What PII/PHI is possibly exposed?
• What possible risks are present?
Macie helps answer questions such as:
Amazon Macie

47. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Summary
Amazon S3, AWS Config, AWS CloudTrail, and Amazon Macie provide:
• Broad and deep visibility for S3 compliance and governance
• Automation capabilities for governance and compliance of your data
Find out more here:
https://aws.amazon.com/config/
https://aws.amazon.com/cloudtrail/
https://aws.amazon.com/macie/

48. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
b o b o d e l l @ a m a z o n . c o m