Reading the AWS Compliance Framework

Reading the AWS Compliance FrameworkBertram DornSpecialized Solutions Architect EMEAFor Security and Compliance

Agenda:• Overview• ISO• SOC• Documents• A Demo

Certifications/Audits: Overview

Shared Responsibility

Cross-service Controls

Service-specific Controls

Managed by AWS

Managed by Customer

Security of the Cloud

Security in the Cloud

Cloud Service Provider Controls

Optimized Network/OS/App Controls

Request reports at:aws.amazon.com/compliance/#contact

ISO27000

ISO9001

The main AWS Compliance Frameworks of todayCertificates: Programmes:

ISO9001

ISO27000

MPAA

Point-in-time, or continuous compliance assessments?

ISO27001/27017

270189001

Certifications/Audits: Scope

Scope

• By Service (not only Datacenter)

• By Region• By Certification• Global• Scalable

Certifications/Audits: Demo Scope

Compliance Mapping: How to do that

Mapping

Compliance Mapping: Demo

Agenda:• Overview• CloudTrail

• Source• Structure• Analytics options

• VPC FlowLogs• What for• Where from• How structured• How to access them• Some analytics

CloudTrail: A Intro

What can you answer using a CloudTrail event?

v Who made the API call?

v When was the API call made?

v What was the API call?

v Which resources were acted up on in the API call?

v Where was the API call made from and made to?

AWSCloudTrail

CloudTrailcanhelpyouachievemanytasks• Securityanalysis

• TrackchangestoAWSresources,forexampleVPCsecuritygroupsandNACLs

• Compliance– logandunderstandAWSAPIcallhistory

• Provethatyoudidnot:• Usethewrongregion

• Useservicesyoudon’twant

• Troubleshoot operationalissues– quicklyidentifythemostrecentchangestoyourenvironment

AWSCloudTraillogscanbedeliveredcross-account

CloudTrailcanhelpyouachievemanytasks• Accountscansendtheirtrailstoacentral

account

• Centralaccountcanthendoanalytics

• Centralaccountcan:• Redistributethetrails

• Grantaccesstothetrails

• FilterandreformatTrails(tomeetprivacyrequirements)

Turn on CloudTrail

Turn on CloudTrail using AWS CLI• Step 1: Create a trail•

$ aws cloudtrail create-trail --region=eu-central-1 \

• --name ITAuditandOpsTrail --s3-bucket mybucket

• Step 2: Start logging on the trail

• $ aws cloudtrail start-logging --region=eu-central-1 \

• --name ITAuditandOpsTrail

What does an event look like?•

{

• "eventVersion": "1.01",

• "userIdentity": {

• "type": "IAMUser", // Who?• "principalId": "AIDAJDPLRKLG7UEXAMPLE",

• "arn": "arn:aws:iam::123456789012:user/Alice", //Who? • "accountId": "123456789012",

• "accessKeyId": "AKIAIOSFODNN7EXAMPLE",

• "userName": "Alice",

• "sessionContext": {

• "attributes": {

• "mfaAuthenticated": "false",

• "creationDate": "2014-03-18T14:29:23Z"

• }

• }

• },

• "eventTime": "2014-03-18T14:30:07Z", //When?• "eventSource": "cloudtrail.amazonaws.com",

• "eventName": "StartLogging", //What?

• "awsRegion": "us-west-2",//Where to?

• "sourceIPAddress": "72.21.198.64", // Where from?• "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",

• "requestParameters": {

• "name": "Default“ // Which resource?• },

// more event details

• }

Receive email notifications of specific API activity

Lambda

CloudTrail: Demo

VPC FlowLogs: Detailed

Firewall-Requirements• Based on NIST800, BSI-IT Grundschutz and others

– Anti-Spoofing

– Packet-Filtering (minimum) stateful/stateless

– Segregation of Duties at the management side

– Logging/Audit capabilities on the management side

– Event-Logging on processed traffic

Security Group

IAM

AWS Config CloudTrail

FlowLogs

The Source I

CloudWatchLogs

LogGroupENI-LogStream

ENI-LogStream

ENI-LogStream

ENI-LogStream

ENI-LogStream

ENI-LogStream

ENI-LogStream

The Source II

Flows

Security Group

Subnet 10.0.0.0/24

Routing Table

Network ACL

Subnet 10.0.1.0/24

Routing Table

Network ACL

Virtual Private Gateway Internet Gateway

Lockdown at instance level

Isolate network functions

Lockdown at network level

Route restrictively

Router

Availability Zone A Availability Zone B

Security Group

Security Group

Structure I

Event-Version

AccoutNumber

ENI-ID

Source-IP

Destionation-IP

SourcePort

Destination-Port

Proto-Number

Number of PacketsNumber of Bytes

Start-Time Window

End-Time Window

Action

State

2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589

ACCEPT OK

Structure II

Flow Logs is STATISTICAL about activity in a window of time

Start-Time Window

End-Time Window

Number of Packets

Number of Bytes Action

Structure III

TIME

S/D IP/Port Tupel

?

Example

How To Access

CloudWatchLogs

LogGroupENI-LogStream

ENI-LogStream

ENI-LogStream

ENI-LogStream

ENI-LogStream

ENI-LogStream

ENI-LogStream

Start

End

TIME

Some Analytics

Time -> 1 Month2 Public IPs

('Number of Source IPs: ', 48604)('Number of Destionation IPs: ', 5373)('Number of Source Ports: ', 64363)('Number of Destionation Ports: ', 64348)('Number of Bytes IPs: ', 887551682.0)('Number of Packets IPs: ', 8400707.0)

Some Analytics

Some Analytics

FlowLogs: Demo

Thank You