MASTERING SECURITY AND COMPLIANCE ON AWS_ JON TOPPER | @jtopper | he/him/his

Image: rupixen on Unsplash

Image: Mika Baumeister on Unsplash

Image: Irwan on Unsplash

Image: Joshua Mayo on Unsplash

Image: Ahmed Hindawi on Unsplash

“ SECURITY IS JOB ZERO WERNER VOGELS CTO, AMAZON.COM Photo: Vaughn Ridley/Web Summit via Sportsfile

COMPLIANCE_ Focuses on actually protecting your data and other assets. SECURITY_ Focuses on meeting documented standards and regulations.

Photo:Joanna Penn on Flickr

ENTERPRISE SAAS SALES ARE DIFFICULT TO WIN WITHOUT COMPLIANCE_

VENDOR QUESTIONNAIRES_

WITH COMPLIANCE_ Questionnaires are easier to answer …or avoided altogether Sales cycle is shorter Close bigger deals

AWS supports 143 security standards and compliance certifications

No content

YOUR AREAS_ Security Foundations Identity & access management Detection Infrastructure protection Data protection Incident response Application security

SECURITY FOUNDATIONS_ AWS account management Secure your root accounts Figure out what you need to secure Evaluate new security services regularly

IDENTITY & ACCESS MANAGEMENT_ Use central identity services Use temporary credentials where possible Store secrets securely, rotate them Least privilege access

DETECTION_ Service & application logging Make logs available to query Automate detection

INFRASTRUCTURE PROTECTION_ Secure VPC and network design Fine grained policies DDoS protection / WAF Vulnerability management

DATA PROTECTION_ Data classification Access controls Encryption at rest Encryption in transit

INCIDENT RESPONSE_ Build incident management plans Build forensic capabilities Simulate, rehearse, drill Learn from incidents

APPLICATION SECURITY_ Train your teams Automate security testing & deployments Pen test regularly Run code reviews for security Manage your BOM Encourage security ownership

AWS Well-Architected Framework Security Pillar Copyright © 2024 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. AWS WELL-ARCHITECTED FRAMEWORK_

Photo by Pascal Meier on Unsplash

LANDING ZONE_ A well-architected, self-service multi-account AWS environment providing: Account & network structure Identity & access services Security baseline and guardrails Cost guardrails Centralised management Logging and monitoring Account/application blueprints

AWS CONTROL TOWER MAKES IT EASIER TO BUILD A LANDING ZONE_

Workload OU Security OU Infrastructure OU Non-prod OU Prod OU Developer Sandbox OU logs flow network path Transitional OU Policy Staging OU Suspended OU Amazon Athena Backup vault Backup snapshots Management account Log Archive account Audit account Shared Services account Backups account Security Tooling account Bob's sandbox account Alice's sandbox account Test account Staging account Production account AWS Control Tower AWS Organizations AWS Config AWS IAM Identity Center Logs Baseline Baseline Baseline Baseline Baseline Baseline Baseline Baseline AWS Chatbot AWS Backup Amazon GuardDuty Admin AWS Budgets AWS Budgets VPC VPC Baseline VPC Baseline VPC

SECURITY CONTROLS_ Preventive (e.g. Service Control Policies) Detective (e.g. AWS Config Rules) Proactive (e.g. AWS CloudFormation Hooks)

COMPLIANCE APPROACH_ Perform a security risk assessment Score and prioritise those risks Identify controls from the standard that you wish to adopt. Map these controls to those available in AWS Control Tower Roll these out

No content

No content

WRAPPING UP_ Everything is software these days, security is important Security & compliance are related, and both may be important to your business. On AWS, you’re responsible for a lot of your security position. The AWS Well-Architected framework provides detailed guidance. You should be using AWS Control Tower for some of your security approach.

AWS PARTNER SINCE 2014 We work exclusively with AWS, no other cloud vendors. AWARD WINNING AWS SaaS SI Global Partner of the Year 2023 ISO/IEC 27001 CERTIFIED Robust approach to information security.