© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jodi Scrofani, Financial Services Compliance Strategist at AWS
April 14, 2016
Defensive Cloud Compliance: Automating Compliance in the Cloud
Cloud Services
Governance Opportunities
• Evolution in third-party relationships
• Improved industry security baseline
• Codification of the three lines of defense
AWS Global Infrastructure
Today we have 12 AWS Regions
• North America (4)
• Europe (2)
• Asia Pacific (5)
• South America (1)
Each Region has at least 2 Availability Zones
• 33 Availability Zones (AZs)
(Diagram: US East (VA) Region with Availability Zones A to D)
54 AWS Edge Locations
• North America (21)
• Europe (16)
• Asia Pacific (15)
• South America (2)
A Region – U.S. East VA
(Diagram: Availability Zones A to D, each made up of multiple data centers)
Criteria for Choosing an AWS Region
• Data locality & compliance requirements
• Proximity to your existing on-premises data centers or to the majority of your customers
• Differences in the AWS services launched within a Region, or Region-specific costs
AWS Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS Foundation Services: Compute, Storage, Database, Networking
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
Compliance Enablers
Three Lines of Defense - Objective
Board of Directors / Audit Committee
Senior Management
1st Line of Defense - Operations
Objective:
• Risk Management Operations
• Owns and Manages Risks
2nd Line of Defense - Supervisory
Objective:
• Control (Compliance & Risk)
• Establishes supervisory framework to monitor and validate controls
3rd Line of Defense - Evaluation
Objective:
• Evaluates Program
• Tests effectiveness of controls and monitoring programs
Three Lines of Defense - Responsibilities
Board of Directors / Audit Committee
Senior Management
1st Line of Defense - Operations: Management Controls, Internal Control Measures
2nd Line of Defense - Supervisory: Financial Control, Security, Risk Management, Quality, Inspection, Compliance
3rd Line of Defense - Evaluation: Internal Audit
Three Lines of Defense – IT Services
Board of Directors / Audit Committee
Senior Management
1st Line of Defense - Operations 2nd Line of Defense - Supervisory 3rd Line of Defense - Evaluation
(Three control groups, one per line of defense; column boundaries were lost in extraction)
Controls
• Transparency
• Log Processing
• Policy Review
• Separation of Duties
• Account Governance
• Event Review
Controls
• Configuration Controls
• Authorization Controls
• Change Controls
• Logging & Integrity Controls
• Policy Controls
• Policy Violation Controls
Controls
• Network Controls
• Access Controls
• Traceability Controls
• Encryption Controls
• Awareness and Response Controls
Three Lines of Defense – AWS Services
Board of Directors / Audit Committee
Senior Management
1st Line of Defense - Operations 2nd Line of Defense - Supervisory 3rd Line of Defense - Evaluation
AWS Applicable Services (three columns, one per line of defense; column boundaries were lost in extraction)
• Amazon VPC
• AWS CloudTrail
• AWS IAM
• AWS KMS
• Amazon CloudWatch
• Amazon CloudWatch
• IAM Permissions
• AWS Config
• AWS CloudTrail
• IAM Role
• AWS CloudFormation
• AWS CloudTrail
• AWS Management Console
• IAM Policy
• Amazon CloudWatch
1st Line of Defense – Configuration Management
Configuration Management in AWS
(Diagram) Admin: Define CloudFormation template -> Publish to AWS Service Catalog -> Users: Browse and Launch -> Provisions CloudFormation stack -> Changes
2nd Line of Defense – Configuration Monitoring
Configuration Alarm
(Diagram) Admin: Define CloudFormation template -> Publish to AWS Service Catalog -> Users: Browse and Launch -> Provisions CloudFormation stack -> Changes; AWS Config tracks the changes, and AWS Config rules notify
AWS Config & Config Rules
(Diagram) Changing Resources -> Record -> Normalize -> Deliver (Stream; Snapshot, ex. 2014-11-05) -> Store (History) -> AWS Config APIs; Rules
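As an added example, not code from the deck or from AWS, a custom AWS Config rule in the spirit of the 2nd-line Configuration Alarm: it evaluates each changed resource and reports NON_COMPLIANT when the resource carries no CloudFormation stack tag, i.e. it was created outside the Service Catalog provisioning path. The aws:cloudformation:stack-name tag is the one CloudFormation applies to stack resources; the allowedStackPrefix rule parameter, the SC- prefix for catalog-launched stacks, and the sample event are assumptions.

```python
import json

STACK_TAG = "aws:cloudformation:stack-name"  # tag CloudFormation puts on stack resources

def evaluate_compliance(config_item, rule_params):
    """Return (compliance_type, annotation) for one configuration item.
    COMPLIANT only if the resource carries a CloudFormation stack tag (so it was
    provisioned by a stack launched from the catalog) and the stack name starts
    with the approved prefix, if the rule parameter allowedStackPrefix is set."""
    if config_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource has been deleted"
    stack = (config_item.get("tags") or {}).get(STACK_TAG)
    if not stack:
        return "NON_COMPLIANT", "no CloudFormation stack tag: created outside the catalog path"
    prefix = rule_params.get("allowedStackPrefix")
    if prefix and not stack.startswith(prefix):
        return "NON_COMPLIANT", "stack %s is not under approved prefix %s" % (stack, prefix)
    return "COMPLIANT", "provisioned by stack %s" % stack

def build_evaluation(event):
    """Turn a Config rule invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(item, json.loads(event.get("ruleParameters") or "{}"))
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Lambda entry point: report the evaluation back to AWS Config."""
    import boto3  # imported here so the evaluation logic above runs offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event (not a real capture): a security group added by hand,
# with no stack tag, so the rule reports it NON_COMPLIANT.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123example",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2016-04-14T10:00:00.000Z",
            "tags": {"Name": "adhoc-sg"}}}),
    "ruleParameters": json.dumps({"allowedStackPrefix": "SC-"}),
    "resultToken": "TESTMODE",
}
```

Wire the rule up by pointing a custom Config rule at this Lambda with a change-triggered scope; the notification then feeds the 2nd-line alarm path shown above.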
3rd Line of Defense – Configuration Testing
Configuration Log Testing
(Diagram) Admin: Define CloudFormation template -> Publish to AWS Service Catalog -> Users: Browse and Launch -> Provisions CloudFormation stack -> Changes; AWS Config captures resource changes and AWS Config rules notify; AWS CloudTrail captures all API interaction and delivers the logs to Amazon S3
Look up events in the CloudTrail console
Three Lines of Defense – AWS Support
Board of Directors / Audit Committee
Senior Management
1st Line of Defense - Operations 2nd Line of Defense - Supervisory 3rd Line of Defense - Evaluation
• Keep pace with the industry
• Infrastructure as code
• Only validated options
• Automate compliance
• Visibility whenever you want
• Total transparency
Thank you!
Jodi Scrofani, Financial Services Compliance Strategist at AWS