Architecting Security and Governance Across Multi Accounts
Architecting Security and Governance Across a Multi-Account Strategy
Dave Walker, Specialist Solutions Architect, Security and Compliance
What to expect from the session
• "Everything Starts with a Threat Model"
• Control Mapping
• Existing Multi-Account Strategies, and Multi-Account Planning
• Organizations
• Baselining Individual Accounts
• Putting it Together
“Start Here”
“Everything starts with a threat model”
• STRIDE, DREAD, others
• Identify:
  • Actors
  • Vectors
  • “Bad stuff that could happen when bad people get creative”
  • Probabilities and consequences of bad stuff happening
• Apply technical and procedural mitigations
  • All the way up the OSI stack, from network to application
• Dan Ionita's "Gazetteer of threat/risk modelling frameworks": http://eprints.eemcs.utwente.nl/23767/
“Everything starts with a threat model”
• Constrain scope of potential threats to individual accounts
• Plan for incident response and forensics
• Protect your log records from tampering and unauthorised reads
What AWS Means by "Governance"
(diagram: Security, Risk, Compliance, Governance)
Attack vectors
• Application-level and API-level attacks
  • “If it takes input, it likely has an in-band attack vector”
  • “If it has a control point, it likely has an out-of-band attack vector”
  • “Even if it doesn’t itself have a useful compromise, it might be a useful propagation vector”
• A successful attack = disruption or corruption of service output, or reduction in responsiveness to future service calls, or being a conduit of “bad content” to vulnerable consumers of the service
• Consider the OWASP Top 10 and other application-level attacks
Control Mapping
Why a Mapping of Security Controls?
• PCI-DSS
  • standards for merchants which process credit card payments and have strict security requirements to protect cardholder data. A point-in-time certification.
• SOC 1-3
  • designed by the “big 4” auditors as an evolution of SSAE16, SAS70 etc, and to address perceived shortcomings in ISO27001. A continuous-assessment certification, covering process and implementation.
• ISO 27001
  • outlines the requirements for Information Security Management Systems. A point-in-time certification, but one which requires mature processes.
General Headings:
• Infrastructure meta-security
• Host security
• Network security
• Logging and Auditing
• Resilience
• User Access Control and Management
• Cryptography and Key Management
• Incident Response and Forensics
• “Anti-Malware”
• Separation of Duty
• Data Lifecycle Management
• Geolocation
• Anti-DDoS
“Can our current Security Functions be mapped onto AWS?”
AWS Environment Management
• Logging and Auditing → AWS CloudTrail
• Asset Management → AWS Config, API
• Management Access Control → AWS IAM, Organizations
• Configuration Management → Web Console, AWS CloudFormation, AWS OpsWorks, CLI, API, SDKs
• Monitoring → Amazon CloudWatch
“Can our current Security Functions be mapped onto AWS?”
Network
• AWS to Customer Networks → Internet and/or Direct Connect
• Layer 2 Network Segregation → Amazon VPC
• Stateless Traffic Management → Network Access Control Lists
• IPsec VPN → VPC VGW, Marketplace
• Firewall / Layer 3 Packet Filter → Security Groups
• IDS/IPS → AWS CloudTrail, CloudWatch Logs, SNS, VPC Flow Logging
• Managed DDoS Prevention → Included in Amazon CloudFront
“Can our current Security Functions be mapped onto AWS?”
Encryption, Key Management
• Data-In-Flight → IPsec or TLS or your own
• Volume Encryption → Amazon EBS Encryption
• Object Encryption → Amazon S3 Encryption (Server and Client Side)
• Key Management → AWS Key Management Service
• Dedicated HSMs → AWS CloudHSM
• Database Encryption → TDE (RDS / Oracle EE), Encrypted Amazon EBS (with KMS), Encrypted Amazon Redshift
“Can our Current Security Functions be mapped onto AWS?”
Data Management
• Hierarchical Storage → Amazon S3 Lifecycle
• Deletion Protection → Amazon S3 MFA Delete
• Versioning → Amazon S3 Versioning
• Archiving → Amazon Glacier (optionally, with Vault Lock)
“Can our Current Security Functions be mapped onto AWS?”
Host / Instance Security
• Traditional Controls → Traditional Controls (mostly)
• Instance Management → Delete-and-promote
• Incident Management → More alternatives!
• Asset Management → “What the API returns, is true”
• Instance Separation → PCI Level 1 Hypervisor, Dedicated Instances
“Can our Current Security Functions be mapped onto AWS?”
Logging, Analysis, Alerting
• Traditional OS Sources → Traditional OS Sources, CloudWatch Logs, EC2 Systems Manager Inventory
• Database Logs → RDS / Redshift Logs
Logs → metrics → alerts → actions
• Sources: AWS Config, AWS CloudTrail, Amazon EC2 OS logs, Amazon VPC Flow Logs, API calls from most services, monitoring data from AWS services, custom metrics
• Collection: CloudWatch / CloudWatch Logs
• Alerting: CloudWatch alarms → Amazon SNS
• Actions: email notification, HTTP/S notification, SMS notifications, mobile push notifications
Existing Multi-Account Strategies, and Multi-Account Planning
The Story So Far
• MASCOT
  • fully role- and identity-managed implementation from ProServe
  • Presented at re:Invent 2016: SAC319 (https://www.youtube.com/watch?v=pqq39mZKQXU), SAC320 (https://www.youtube.com/watch?v=xjtSWd8z_bE)
• Bertram Dorn's work from 2014
  • similar structure, but a number of differences
  • https://youtu.be/CNSaJs7pWjA
• Neither covers Organizations (quite yet)
• MASCOT has coverage for KMS
What Needs Segregating from What?
• Obvious cases first:
  • Read access to Billing and Log records from everyone, except Auditors and Security
    • ...and even then, access should be limited to appropriate cases
    • consider evidential weight
  • Prod from Dev, Test and Staging
    • remember Knight Capital?
    • also "bug ringfencing"
  • Compliance in-scope from out-of-scope
    • auditors need to see a hard scope boundary
    • you will want to keep in-scope environments as small as possible
    • use both AWS Accounts and VPCs for this
• Less obvious cases:
  • Look at your own org chart and body of policies
  • Consider how Separation of Duty and Need to Know operate
    • both within and between departments
• Within org charts, policy, compliance scoping, and the need to ringfence dev accounts where bugs could impact API access, lie the answers to "how many:
  • AWS Organizations
  • KMS CMKs
  • AWS accounts
  ...do I need?"
Organizations
In the beginning… Your AWS Account (You)
Today: You → Jump Account (Your Cloud Team) → Dev Account, Prod Account, Data Science Account, Audit Account, connected by Cross Account Trusts and Cross Account Resource Access
What do customers want to do?
• Use AWS account boundaries for isolation.
• Centrally manage policies across many accounts.
• Delegate permissions, but maintain guardrails.
• See combined view of all charges.
Introducing AWS Organizations
• Control AWS service use across accounts
• Policy-based management for multiple AWS accounts.
• Consolidate billing
• Automate AWS account creation
Typical Use Cases
• Control the use of AWS services to help comply with corporate security and compliance policies.
  • Service Control Policies (SCPs) help you centrally control AWS service use across multiple AWS accounts.
  • Ensure that entities in your accounts can use only the services that meet your corporate security and compliance policy requirements.
• Automate the creation of AWS accounts for different resources.
  • API-driven AWS account creation.
  • Use APIs to add the new account to a group and attach service control policies.
  • Use API response to trigger additional automation (eg deploy CloudFormation template)
Typical Use Cases
• Create different groups of accounts for development and production resources.
  • Organise groups into a hierarchy.
  • Apply different policies to each group.
  • Alternatively, group according to lines-of-business or other desired dimensions.
Key Features
• Policy framework for multiple AWS accounts.
• Group-based account management.
• Account creation and management APIs.
• Consolidated billing for all AWS accounts in your organization.
• Enable Consolidated Billing Only or All Features.
How is Organizations different from IAM?
• Create groups of AWS accounts with AWS Organizations.
• Use Organizations to attach SCPs to those groups to centrally control AWS service use.
• Entities in the AWS accounts can only use the AWS services allowed by both the SCP and the AWS IAM policy for the account.
How to get started?
• Revisit or create your account segmentation strategy.
• Decide which type of organization is right for you.
• Organize your AWS accounts according to it.
• Test & begin to apply SCPs slowly.
• Iterate on SCPs to achieve your desired state.
Pricing & Availability
• Available at no additional charge.
• Global service.
• Accessed through endpoint in N. Virginia region.
Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are accessible
  - Define the list of APIs that are allowed – whitelisting
  - Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by local administrator
• Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions
• Necessary but not sufficient
• IAM policy simulator is SCP aware
Blacklisting example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": "redshift:*",
          "Resource": "*"
        }
      ]
    }

Whitelisting example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:RunInstances",
            "ec2:DescribeInstances",
            "ec2:DescribeImages",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeSecurityGroups"
          ],
          "Resource": "*"
        }
      ]
    }
Best practices – AWS Organizations
1. Monitor activity in the master account using CloudTrail
2. Do not manage resources in the master account
3. Manage your organization using the principle of “Least privilege”
4. Use OUs to assign controls
5. Test controls on a single AWS account first
6. Only assign controls to the root of the organization if necessary
7. Avoid mixing “whitelisting” and “blacklisting” SCPs in an organization
8. Create new AWS accounts for the right reasons
More on SCPs
• Service Control Policies
  • ...which look like IAM policies
  • (but without support for Conditions, in v1.0)
• Imposed by Master account on child accounts
  • essentially concatenate with per-child-account IAM policies
• Allows/Denies access to specific per-service API calls, or whole services
  • as with IAM policies, a single explicit Deny overrides any number of explicit Allows
• But: they are also applied to the root user in the child account
  • Here's where we get into Mandatory Access Control!
More on SCPs
• Also:
  • you don't have to apply an SCP before you populate your account with assets...
  • this lends the idea of "immutable infrastructure" to other services, from the point of view of the child accounts
    • (including Serverless)
  • eg:
    • S3 websites which can't have their contents changed
    • Lambda functions which are invoke-only "black boxes"
    • ACM cert/key pairs which can't be deleted
    • Prevent CloudTrail, Config ever being turned off
    • ...
More on SCPs
• In Practice:
  • the imposer of the SCP in the Master account gets no privilege in the child account's service, as a function of this capability
  • this makes SCPs a neat 2-person rule mechanism, too
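To make the evaluation rules above concrete, here is an added example (not part of the deck) that models how the two SCP shapes shown earlier combine with a child account's IAM policy: every SCP on the path must Allow, the IAM policy must Allow, one explicit Deny wins, and the root user is bound by the SCPs alone. The policies and action names are constructed for illustration.

```python
import fnmatch

# Constructed SCPs mirroring the two shapes on the slides (blacklist / whitelist).
BLACKLIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"},
    ],
}
WHITELIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "ec2:DescribeInstances"],
        "Resource": "*",
    }],
}
# Constructed IAM policy attached to a user/role inside the child account.
CHILD_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "redshift:*", "s3:GetObject"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action names are case-insensitive globs: "ec2:Describe*", "*", ...
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(patterns))


def evaluate(policy, action):
    """Decision of one policy document for one action: 'Deny', 'Allow' or
    'ImplicitDeny'.  A single explicit Deny overrides any number of Allows.
    Conditions are ignored, matching SCP v1.0 as described on the slide."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if _matches(stmt.get("Action", []), action):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def effective(scps, iam_policy, action):
    """Resultant permission for an IAM user/role: every SCP attached on the
    path from the organization root to the account must Allow, AND the IAM
    policy must Allow (the intersection the slide describes)."""
    scps_allow = all(evaluate(scp, action) == "Allow" for scp in scps)
    return scps_allow and evaluate(iam_policy, action) == "Allow"


def effective_for_root(scps, action):
    """The child account's root user has no IAM policy restricting it, yet the
    SCPs still apply: this is the Mandatory Access Control point on the slide."""
    return all(evaluate(scp, action) == "Allow" for scp in scps)
```

Passing both SCPs together shows why the best practice says not to mix styles: the whitelist wins and the blacklist adds nothing.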
Baselining Individual Accounts
Industry Best Practices for Securing AWS Resources
• CIS Amazon Web Services Foundations
  • Architecture-agnostic set of security configuration best practices
  • provides step-by-step implementation and assessment procedures
CIS AWS Foundation Automation is mostly there...
Now Add an Incident Response Baseline:
• Have a small NACLed subnet per AZ, per VPC for isolation of misbehaving instances
  • flip their ENIs to it, as needed
• Have a Forensics role like the Audit role, per-account
  • read-only access to (essentially) everything
• Have a runbook so a Forensic Investigator can work with the network admin team to:
  • provision a forensic workstation AMI onto the isolation subnet
  • open a hole in the NACL to the workstation from an appropriate bastion (or use Run Command to remotely operate forensic CLI tools)
Potential Further Extensions
• EC2 Systems Manager
  • Inventory: like OSQuery
  • State Manager: like OpenSCAP
• DMZs
• Bastions
• Management networks
AWS Enterprise Accelerator: Compliance Architectures
• Sample Architecture
• Security Controls Matrix
• CloudFormation Templates (5x templates)
• User Guide
• http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html
Putting it Together
Billing Records Handled by Organizations Master
Item Description | Usage Start Date | Usage End Date | Usage Quantity | Currency Code | Cost Before Tax | Credits | Tax Amount | Tax Type | Total Cost
$0.000 per GB - regional data transfer under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.00000675 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.05 per GB-month of provisioned storage - US West (Oregon) | 01.04.14 00:00 | 30.04.14 23:59 | 1.126.666.554 | USD | 0.56 | 0.0 | 0.000000 | None | 0.560000
First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 10.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
First 1,000,000 Amazon SQS Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 4153.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.00 per GB - EU (Ireland) data transfer from US West (Northern California) | 01.04.14 00:00 | 30.04.14 23:59 | 0.00003292 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.02311019 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 88.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 3.3E-7 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
AWS CloudTrail logs can be delivered cross-account
• CloudTrail can help achieve many tasks
• Accounts can send their trails to a central account
• Central account can then do analytics
• Central account can:
  ‣ Redistribute the trails
  ‣ Grant access to the trails
  ‣ Filter and reformat Trails (to meet privacy requirements)
S3 Subtleties
• S3 write-only cross-account sharing
  • Share write-only (no reading or listing of contents) from owner account via bucket policy
  • Writer accounts have IAM permissions to write
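The write-only sharing pattern above, as an added example (not the deck's own policy): the bucket policy the log-owning account sets for its writer accounts, plus a check that the policy really grants the writers no read or list action. The bucket name and account IDs are constructed placeholders; the writers' own IAM policies must separately allow s3:PutObject, as the slide notes.

```python
import fnmatch

LOG_BUCKET = "example-central-logs"                 # constructed bucket name
WRITER_ACCOUNTS = ["111111111111", "222222222222"]  # constructed member account IDs


def write_only_bucket_policy(bucket, writer_accounts):
    """Bucket policy set in the owning account: writer accounts may only
    PutObject, and must grant the bucket owner full control of each object
    they write, otherwise the owner could not read what the writers delivered."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountWriteOnly",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::%s:root" % a for a in writer_accounts]},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::%s/*" % bucket,
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        }],
    }


# Representative read/list actions: if a writer's Allow statement covers any of
# these, the share is no longer write-only.
READ_OR_LIST_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants_read_or_list(policy, account_id):
    """True if any Allow statement naming this account (or everyone, "*")
    would let it read objects or list the bucket.  Checks the bucket policy
    only; it says nothing about the writer's own IAM permissions."""
    principal = "arn:aws:iam::%s:root" % account_id
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        who = stmt.get("Principal", {})
        aws_principals = _as_list(who.get("AWS", []) if isinstance(who, dict) else who)
        if principal not in aws_principals and "*" not in aws_principals:
            continue
        for pattern in _as_list(stmt["Action"]):
            # The policy's action is the glob; test it against each read/list action.
            if any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in READ_OR_LIST_ACTIONS):
                return True
    return False
```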
Multi-Account Aggregation of Delivered Data
• Region 1, Region 2, Region 3 → Common S3 bucket
  • Amazon S3 policies should permit accounts to write Config data
• SNS Topic: Region 1, SNS Topic: Region 2, SNS Topic: Region 3 → Common SQS queue
  • Amazon SQS / Amazon SNS publish/subscribe permissions should be set
Staging and Masking Logs
• We can mask PII in CloudTrail logs
  • Bertram Dorn has a Lambda function for it
  • Originally intended as a proposal to address considerations in upcoming German privacy law
  • Can be generalised to other consistent AWS log formats
Staging and Masking Logs
• Extend it to mask relevant fields in:
  • CloudWatch logs
  • ELB, CloudFront, Amazon VPC flow log, etc. records
    • ...all of which use CloudWatch Logs
• If we use CloudWatch Events, we can use a Lambda function to land our logs in a local S3 bucket, then use a cross-account Lambda function to mask-and-forward
• Config records can be forwarded as-is
Staging and Masking Logs
(diagram) Flow Logs etc. in CW Logs → Local masking Lambda → Local S3 bucket → Cross-acct Lambda → Consolidated logs bucket
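An added illustration of the mask-and-forward step (this is not Bertram Dorn's Lambda function): identifying fields in a CloudTrail log file are replaced with keyed HMAC pseudonyms before the file is forwarded, so the consolidated account can still correlate events by caller without holding the identities. The field list, key and sample record are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key: a real masking Lambda would fetch this from KMS/Secrets Manager
# in the masking account, never hard-code it.
MASKING_KEY = b"constructed-example-key"

# CloudTrail record fields that identify a person or their network location.
PII_PATHS = [
    ("userIdentity", "arn"),
    ("userIdentity", "userName"),
    ("userIdentity", "principalId"),
    ("userIdentity", "sessionContext", "sessionIssuer", "userName"),
    ("sourceIPAddress",),
]


def pseudonym(value, key=MASKING_KEY):
    """Keyed, deterministic token: the same caller always maps to the same token,
    so the central account can correlate events without learning who it was."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "masked:" + digest[:16]


def mask_record(record, paths=PII_PATHS, key=MASKING_KEY):
    """Return a deep copy of one CloudTrail record with the PII paths replaced.
    Paths absent from this event type are skipped, so any event shape is safe."""
    masked = json.loads(json.dumps(record))
    for path in paths:
        node = masked
        for part in path[:-1]:
            node = node.get(part) if isinstance(node, dict) else None
        if isinstance(node, dict) and isinstance(node.get(path[-1]), str):
            node[path[-1]] = pseudonym(node[path[-1]], key)
    return masked


def mask_trail_file(trail_json, key=MASKING_KEY):
    """Mask a whole CloudTrail log file ({"Records": [...]}, the format delivered
    to S3) and return it re-serialised, ready for the consolidated logs bucket."""
    doc = json.loads(trail_json)
    doc["Records"] = [mask_record(rec, key=key) for rec in doc.get("Records", [])]
    return json.dumps(doc)


# Constructed sample record and log file in CloudTrail's delivered format.
SAMPLE_RECORD = {
    "eventVersion": "1.05",
    "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEPRINCIPAL",
                     "arn": "arn:aws:iam::111111111111:user/alice",
                     "accountId": "111111111111", "userName": "alice"},
    "eventTime": "2017-04-01T10:00:00Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "203.0.113.10",
}
SAMPLE_TRAIL = json.dumps({"Records": [SAMPLE_RECORD]})
```

Event name, source, region and account ID are left intact so detection and analytics over the masked trails still work.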
Log Analytics
• Splunk, Sumo Logic, other AWS Marketplace products
• ElasticSearch and Kibana
  • https://aws.amazon.com/blogs/security/how-to-optimize-and-visualize-your-security-groups/
• Athena
  • "Run SQL against S3"
• QuickSight
  • Intended for Business Intelligence, but bendable to purpose...?
(Diagram: the target multi-account architecture, built up one account at a time over the following slides. Text recovered from the diagram:)
• On-premise: IdP server
• AWS Account: IAM Federation (AWS IAM)
• AWS Organizations: Organization member accounts, Organization non-member accounts; API Endpoints
• AWS Account: Resources (AWS IAM, AWS KMS)
• AWS Account: SharedSvcs (LDAP, AWS CloudHSM, Internal DNS, Scanning tools)
• AWS Account: Security Team (AWS IAM, Scanning tools, Forensics tools)
• AWS Account: Bill Aggregation and Anonymisation (bucket, AWS Lambda, role) → AWS Account: Anonymised Bills (bucket, Amazon QuickSight)
• AWS Account: Log aggregation and anonymisation (bucket, AWS Lambda, role) → AWS Account: Anonymised Logs (bucket, Amazon Athena, Amazon Redshift*)
• AWS Account: Audit (Internal); AWS Account: Audit (External); AWS Account: Regulator
• AWS Account: Incident Response; AWS Account: Forensic Repo (bucket); AWS Account: Forensic Working Repo (bucket)
Legend: Read-only, read-all flow; API and IAM call flow; Logging traffic flow; Billing traffic flow
Helpful Resources
• Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
• Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
• Compliance Centre Website: https://aws.amazon.com/compliance
• Security Centre: https://aws.amazon.com/security
• Security Blog: https://blogs.aws.amazon.com/security/
• Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/
• AWS Audit Training: [email protected]
Helpful Videos
• The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M
• IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
• Encryption on AWS: https://youtu.be/DXqDStJ4epE
• Securing Serverless Architectures: https://www.youtube.com/watch?v=8mpTpOXmws8
Thank you!