Introduction to Security-Focused Standardized Architecture

Transcript of Introduction to Security-Focused Standardized Architecture

Page 1: Introduction to Security-Focused Standardized Architecture

Brett Miller, AWS Professional Services, December 2015

Introduction to Security-Focused Standardized Architectures (SFSA)

Page 2: Introduction to Security-Focused Standardized Architecture

Welcome & Objectives

Understand the purpose and benefits of SFSA

Review contents of the SFSA package

Review common use case scenarios and implementations

Know how to get started using SFSA in your organization

Page 3: Introduction to Security-Focused Standardized Architecture

Customer Challenges

Meeting compliance requirements (NIST, PCI, HIPAA, CJIS, etc.)

Choosing from a myriad of options when designing for the cloud

Making many critical decisions to ensure a secure application when using the AWS Shared Responsibility Model

Mapping security controls to numerous AWS services

− Example: 400 NIST 800-53 Security Controls to 42 AWS Services

Error-prone and time-consuming manual configuration of AWS resources

AWS developed SFSA to address major customer challenges when moving to the cloud

Page 4: Introduction to Security-Focused Standardized Architecture

AWS Solution: SFSA

Standardized for specific use cases

Address security/compliance requirements and AWS best practices

Ready to be pre-approved by customer assessment organizations

Ready to deploy “out of the box”

Customizable

Page 5: Introduction to Security-Focused Standardized Architecture

Shared Responsibility Model

Customers are responsible for how they use AWS components in AWS

Customer: responsible for security ‘in’ the Cloud

− Customer Data
− Platform, Applications, Identity & Access Management
− Operating System, Network & Firewall Configuration
− Client-side Data Encryption & Data Integrity Authentication
− Server-side Encryption (File System and/or Data)
− Network Traffic Protection (Encryption / Integrity / Identity)

AWS: responsible for security ‘of’ the Cloud

− Compute, Storage, Database, Networking
− AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 6: Introduction to Security-Focused Standardized Architecture

Security Controls by service type: Infrastructure Services, Container Services, Abstracted Services

Inherited − Fully inherited by AWS

Hybrid − AWS provides partial implementation

Shared − AWS and the customer each provide their implementation

Customer Specific − Sole responsibility of the customer

Division of Responsibility changes depending on the AWS service

Page 7: Introduction to Security-Focused Standardized Architecture

SFSA helps simplify and accelerate your AWS migrations

Benefits

Automate system deployments

Address security/compliance requirements

Follow best practices

Decrease deployment time

Provide reusable documentation

Page 8: Introduction to Security-Focused Standardized Architecture

Package Overview

AWS built the SFSA Package to include several key artifacts to meet customer needs

CloudFormation Templates

Guidance Documentation

Security Controls/Requirements Matrix

− NIST SP 800-53 available now
− Coming Soon: PCI DSS, CJIS, HIPAA, ISO 27001

Customizable Reference Architecture Diagram

Page 9: Introduction to Security-Focused Standardized Architecture

AWS SFSA CloudFormation Stacks

Multiple nested stacks

− For different types of workloads
− Modular and customizable
− Each stack builds a portion of the architecture

Each package consists of multiple CloudFormation templates reusable across different use cases

Page 10: Introduction to Security-Focused Standardized Architecture

SFSA CloudFormation Stack

2,500 lines of JSON code = 126 AWS Resources, 200+ API Actions

Page 11: Introduction to Security-Focused Standardized Architecture

Documentation

Included with every package is a User Guide along with an inventory of resources deployed by the templates

Resource Inventory

User Guide

Page 12: Introduction to Security-Focused Standardized Architecture

Security Controls / Compliance Mapping

Pre-documents how security controls/requirements are addressed by the SFSA within the VPC/infrastructure layer

− Can be included in a customer’s compliance documentation/SSP
− Can be ingested into customer security/compliance databases/workflow tools

Contains additional guidance for each control/requirement

Identifies which CloudFormation stack implements the control/requirement

Identifies related AWS resources within each stack

NIST SP 800-53 controls matrix will be followed by CJIS, SOC, PCI, and other third-party compliance frameworks

Page 13: Introduction to Security-Focused Standardized Architecture

Security Controls / Compliance Mapping: Example Matrix
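The matrix described on the previous slide maps each control to the nested stack and resources that implement it. As an added illustration of how such a matrix can be consumed (not the SFSA package's own matrix or tooling), the following checks a customized set of nested templates against constructed matrix rows and reports any control whose implementing resources were removed; the control ids and titles are from NIST SP 800-53 Rev. 4, everything else is made up for the example.

```python
# Constructed matrix rows in the shape the slides describe (control id,
# implementing nested stack, related resources); not the SFSA package's own
# matrix. Control titles as in SP 800-53 Rev. 4.
CONTROLS_MATRIX = [
    {"control": "AU-2", "title": "Audit Events",
     "stack": "LoggingStack", "resources": ["CloudTrail", "CloudTrailBucket"]},
    {"control": "SC-7", "title": "Boundary Protection",
     "stack": "VpcStack", "resources": ["PrivateNACL", "WebSecurityGroup"]},
    {"control": "AC-2", "title": "Account Management",
     "stack": "IamStack", "resources": ["AdminGroup", "ReadOnlyGroup"]},
]

# Constructed, minimal nested templates as they might look after a customer
# customization: CloudTrailBucket has been dropped from LoggingStack.
DEPLOYED_TEMPLATES = {
    "LoggingStack": {"Resources": {"CloudTrail": {"Type": "AWS::CloudTrail::Trail"}}},
    "VpcStack": {"Resources": {"PrivateNACL": {"Type": "AWS::EC2::NetworkAcl"},
                               "WebSecurityGroup": {"Type": "AWS::EC2::SecurityGroup"}}},
    "IamStack": {"Resources": {"AdminGroup": {"Type": "AWS::IAM::Group"},
                               "ReadOnlyGroup": {"Type": "AWS::IAM::Group"}}},
}


def check_controls(matrix, templates):
    """Map each control whose implementing resources are missing to the list
    of what is missing; an empty dict means every row is still covered."""
    gaps = {}
    for row in matrix:
        stack = templates.get(row["stack"])
        if stack is None:
            gaps[row["control"]] = [f"stack {row['stack']} not deployed"]
            continue
        present = stack.get("Resources", {})
        missing = [f"{row['stack']}/{r}" for r in row["resources"] if r not in present]
        if missing:
            gaps[row["control"]] = missing
    return gaps


def coverage_report(matrix, templates):
    """One line per control, in matrix order, for an SSP appendix or ticket."""
    gaps = check_controls(matrix, templates)
    lines = []
    for row in matrix:
        status = "GAP" if row["control"] in gaps else "OK"
        detail = ", ".join(gaps.get(row["control"], [])) or row["stack"]
        lines.append(f"{row['control']} {row['title']}: {status} ({detail})")
    return lines
```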

Page 14: Introduction to Security-Focused Standardized Architecture

Customizable Reference Architecture

Page 15: Introduction to Security-Focused Standardized Architecture

SFSA Use Cases

Base Architectures Examples:

− Base IAM Configuration
− Base VPC Architecture for Internal VPC

Full Applications Examples:

− 3 Tier Linux Web Application
− Shared Services VPC with Active Directory

Page 16: Introduction to Security-Focused Standardized Architecture

Before you get started…

Understand use cases and workload types

Have a basic understanding of your governance model

Have a basic cloud strategy and roadmap

Identify relevant security standards or compliance requirements

− Have an organizational appetite to comply with them

Page 17: Introduction to Security-Focused Standardized Architecture

How can SFSA be used?

Two ways: as a Baseline for your architectures, or as a Full Application Deployment. In both, the phases are:

Plan and design the Cloud-based infrastructure

Build the infrastructure using AWS components

Application Deployment: Deploy applications using EC2 instances and other services within the cloud infrastructure

Page 18: Introduction to Security-Focused Standardized Architecture

Security Focused Standardized Architectures (SFSA): CloudFormation Intro and Tools

Page 19: Introduction to Security-Focused Standardized Architecture

AWS CloudFormation

Basic standard in AWS for automating deployment of resources

CloudFormation Template

− JSON-formatted document which describes a configuration to be deployed in an AWS account
− When deployed, refers to a “stack” of resources

Page 20: Introduction to Security-Focused Standardized Architecture

CloudFormation Template Structure

Page 21: Introduction to Security-Focused Standardized Architecture

SFSA CloudFormation Resources

Describe the detailed configuration of a resource in AWS

Include, but are not limited to:

− IAM Policies, Users, Groups, Roles
− VPCs, Subnets, NACLs, Security Groups
− EC2 instances, Auto Scaling Groups
− RDS Databases, S3 Buckets
− Elastic Load Balancers
− CloudWatch Alarms
− Lambda Functions
− Logging (CloudTrail, CW Logs)

Page 22: Introduction to Security-Focused Standardized Architecture

SFSA CloudFormation Parameters

20+ selectable variables to customize the AWS infrastructure

Variables can be immutable based on organizational requirements
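The template structure, resources and parameters on the last three slides come together in a pre-deployment check. The following is an added example, not code from the SFSA package: a constructed, minimal template with a Parameters section (using CloudFormation's AllowedValues, AllowedPattern, MinLength/MaxLength and Default keys) and a nested stack resource, plus a function that validates a parameter set against it and against values the organization has locked, so a bad or policy-violating value is caught before create-stack is called.

```python
import re

# Constructed stand-in for an SFSA-style template (not the package's own):
# a Parameters section with CloudFormation's constraint keys and one
# nested stack resource that passes a parameter through.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "Environment": {"Type": "String", "AllowedValues": ["dev", "prod"]},
        "VpcCidr": {"Type": "String", "Default": "10.0.0.0/16",
                    "AllowedPattern": r"^10\.\d{1,3}\.0\.0/16$"},
        "AdminCidr": {"Type": "String", "MinLength": 9, "MaxLength": 18,
                      "AllowedPattern": r"^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$"},
    },
    "Resources": {
        "VpcStack": {
            "Type": "AWS::CloudFormation::Stack",
            "Properties": {"TemplateURL": "https://example.invalid/vpc.json",
                           "Parameters": {"VpcCidr": {"Ref": "VpcCidr"}}},
        },
    },
}

# Values the organization has declared immutable for this deployment.
LOCKED = {"Environment": "prod"}


def validate_parameters(template, values, locked=LOCKED):
    """Return a list of problems; empty means the values may be deployed."""
    declared = template["Parameters"]
    problems = [f"{n}: not declared in template" for n in values if n not in declared]
    for name, spec in declared.items():
        if name in locked and values.get(name) != locked[name]:
            problems.append(f"{name}: locked to {locked[name]!r}")
        if name not in values:
            if "Default" not in spec:
                problems.append(f"{name}: missing and has no Default")
            continue  # CloudFormation would use the Default
        val = str(values[name])
        if "AllowedValues" in spec and val not in spec["AllowedValues"]:
            problems.append(f"{name}: {val!r} not in AllowedValues")
        # AllowedPattern is matched against the whole value, hence fullmatch
        if "AllowedPattern" in spec and not re.fullmatch(spec["AllowedPattern"], val):
            problems.append(f"{name}: {val!r} violates AllowedPattern")
        if not spec.get("MinLength", 0) <= len(val) <= spec.get("MaxLength", len(val)):
            problems.append(f"{name}: length {len(val)} outside MinLength/MaxLength")
    return problems
```

The same check applies to a YAML parameter file of the kind the cfdeploy tool on a later slide reads; load it into a dict and pass it as `values`.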

Page 23: Introduction to Security-Focused Standardized Architecture

SFSA + Customer Governance Model

Page 24: Introduction to Security-Focused Standardized Architecture

Managing SFSA Packages

Templates can be kept under version control

Establishes baselines for standard AWS configurations

Organizationally approved architectures can be stored centrally

Mandatory for many third-party security frameworks

Page 25: Introduction to Security-Focused Standardized Architecture

Deployment Options

AWS Console

CLI Deployment

− Deployment scripts included with package

AWS Service Catalog

− As a Service Catalog “Product”

Page 26: Introduction to Security-Focused Standardized Architecture

AWS Management Console

Page 27: Introduction to Security-Focused Standardized Architecture

CLI Deployment Scripts

“cfdeploy”

− Optional tool included with package to make deployment from CLI easier
− Simpler management of standard parameters

cfdeploy --deploy SFSA --yaml-parameters templates/parameters/example_useast1.yaml --template templates/main-webapp-linux.json --region us-east-1

Launched Stack ID: arn:aws:cloudformation:us-east-1:979676883363:stack/ASFA/e1442430-78f8-11e5-b55e-50d5018a129a

Page 28: Introduction to Security-Focused Standardized Architecture

SFSA Deployment with AWS Service Catalog

Standardize deployment

Allow push-button build of common architectures based on compliance and use case

Provide a self-service model for workload owners

Page 29: Introduction to Security-Focused Standardized Architecture

AWS Service Catalog

Allows administrators to create and manage approved catalogs of resources (products) that end users can access via a personalized portal

A Service Catalog Product is a deployable CloudFormation template

Managed compliance with Service Catalog

− Provide a catalog of pre-built, compliant architectures ready to deploy
− Enforce resource tagging
− Allow workload owners to deploy resources which normally require higher levels of IAM permissions than they are given
− Separate Portfolios of Products can be used to segment products by compliance type

Page 30: Introduction to Security-Focused Standardized Architecture

AWS SFSA & Service Catalog

Page 31: Introduction to Security-Focused Standardized Architecture

Get started with SFSA

Contact your sales representative/SA

AWS Quickstart Deployments (coming soon)

Getting Help:

− Whitepapers/User Guides/SA: included with the package
− FREE 1 day workshop provided by Solutions Architects or Professional Services
− SOW-based 2-5 day ProServe customization workshop: Professional Services or APN Partner

Email: [email protected]

Page 32: Introduction to Security-Focused Standardized Architecture

Additional Resources

AWS SFSA Quick Start Test Drive

− https://s3.amazonaws.com/quickstart-reference/security-compliance/latest/doc/Standard_NIST_800-53_Architecture_on_the_AWS_Cloud.pdf

AWS re:Invent 2015 Videos

(SEC312) Reliable Design and Deployment of Security and Compliance: https://youtu.be/KtMANvC7_n8

(ISM206) Modern IT Governance Through Transparency and Automation: https://youtu.be/YYiV_z9D2CE

Page 33: Introduction to Security-Focused Standardized Architecture

Questions?