Mastering Security and Compliance on AWS

MASTERING SECURITY AND COMPLIANCE ON AWS_ JON TOPPER | @jtopper
| he/him/his

Image: rupixen on Unsplash

Image: Mika Baumeister on Unsplash

Image: Irwan on Unsplash

Image: Joshua Mayo on Unsplash

Image: Ahmed Hindawi on Unsplash

“ SECURITY IS JOB ZERO WERNER VOGELS CTO, AMAZON.COM Photo:
Vaughn Ridley/Web Summit via Sportsﬁle

COMPLIANCE_ Focuses on actually protecting your data and other assets.
SECURITY_ Focuses on meeting documented standards and regulations.

Photo:Joanna Penn on Flickr

ENTERPRISE SAAS SALES ARE DIFFICULT TO WIN WITHOUT COMPLIANCE_

VENDOR QUESTIONNAIRES_

WITH COMPLIANCE_ Questionnaires are easier to answer …or avoided altogether
Sales cycle is shorter Close bigger deals

AWS supports 143 security standards and compliance certifications

YOUR AREAS_ Security Foundations Identity & access management Detection Infrastructure
protection Data protection Incident response Application security

SECURITY FOUNDATIONS_ AWS account management Secure your root accounts Figure
out what you need to secure Evaluate new security services regularly

IDENTITY & ACCESS MANAGEMENT_ Use central identity services Use temporary
credentials where possible Store secrets securely, rotate them Least privilege access

DETECTION_ Service & application logging Make logs available to query
Automate detection

INFRASTRUCTURE PROTECTION_ Secure VPC and network design Fine grained policies
DDoS protection / WAF Vulnerability management

DATA PROTECTION_ Data classification Access controls Encryption at rest Encryption
in transit

INCIDENT RESPONSE_ Build incident management plans Build forensic capabilities Simulate,
rehearse, drill Learn from incidents

APPLICATION SECURITY_ Train your teams Automate security testing & deployments
Pen test regularly Run code reviews for security Manage your BOM Encourage security ownership

Photo by Pascal Meier on Unsplash

LANDING ZONE_ A well-architected, self-service multi-account AWS environment providing: Account
& network structure Identity & access services Security baseline and guardrails Cost guardrails Centralised management Logging and monitoring Account/application blueprints

AWS CONTROL TOWER MAKES IT EASIER TO BUILD A LANDING
ZONE_

Workload OU Security OU Infrastructure OU Non-prod OU Prod OU
Developer Sandbox OU logs ﬂow network path Transitional OU Policy Staging OU Suspended OU Amazon Athena Backup vault Backup snapshots Management account Log Archive account Audit account Shared Services account Backups account Security Tooling account Bob's sandbox account Alice's sandbox account Test account Staging account Production account AWS Control Tower AWS Organizations AWS Conﬁg AWS IAM Identity Center Logs Baseline Baseline Baseline Baseline Baseline Baseline Baseline Baseline AWS Chatbot AWS Backup Amazon GuardDuty Admin AWS Budgets AWS Budgets VPC VPC Baseline VPC Baseline VPC

SECURITY CONTROLS_ Preventive (e.g. Service Control Policies) Detective (e.g. AWS
Config Rules) Proactive (e.g. AWS CloudFormation Hooks)

COMPLIANCE APPROACH_ Perform a security risk assessment Score and prioritise
those risks Identify controls from the standard that you wish to adopt. Map these controls to those available in AWS Control Tower Roll these out

WRAPPING UP_ Everything is software these days, security is important
Security & compliance are related, and both may be important to your business. On AWS, you’re responsible for a lot of your security position. The AWS Well-Architected framework provides detailed guidance. You should be using AWS Control Tower for some of your security approach.

AWS PARTNER SINCE 2014 We work exclusively with AWS, no
other cloud vendors. AWARD WINNING AWS SaaS SI Global Partner of the Year 2023 ISO/IEC 27001 CERTIFIED Robust approach to information security.

Mastering Security and Compliance on AWS

Mastering Security and Compliance on AWS

The Scale Factory

More Decks by The Scale Factory

Other Decks in Technology

Featured

Transcript