Automating Compliance in the Cloud
1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jodi Scrofani, Financial Services Compliance Strategist at AWS
April 14, 2016
Defensive Cloud Compliance
Automating Compliance in the Cloud
2. Cloud Services: Governance Opportunities
• Evolution in third-party relationships
• Improved industry security baseline
• Codification of the three lines of defense
3. AWS Global Infrastructure
Today (April 2016) we have 12 AWS Regions
• North America (4)
• Europe (2)
• Asia Pacific (5)
• South America (1)
Each Region has at least 2 Availability Zones
• 33 Availability Zones (AZs)
[Diagram: the US East (VA) Region with Availability Zones A, B, C and D]
54 AWS Edge Locations
• North America (21)
• Europe (16)
• Asia Pacific (15)
• South America (2)
4. A Region – U.S. East VA
[Diagram: one Region containing Availability Zones A, B, C and D]
5. A Region – U.S. East VA
[Diagram: the same Region; each Availability Zone is made up of one or more data centers]
6. Criteria for Choosing an AWS Region
• Data locality and compliance requirements
• Proximity to your existing on-premises data centers or to the majority of your customers
• Differences in the AWS services launched in a region, and region-specific costs
7. AWS Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
9. Three Lines of Defense – Objective
Oversight: Board of Directors / Audit Committee; Senior Management
1st Line of Defense – Operations. Objective:
• Risk Management Operations
• Owns and Manages Risks
2nd Line of Defense – Supervisory. Objective:
• Control (Compliance & Risk)
• Establishes supervisory framework to monitor and validate controls
3rd Line of Defense – Evaluation. Objective:
• Evaluates Program
• Tests effectiveness of controls and monitoring programs
10. Three Lines of Defense – Responsibilities
Oversight: Board of Directors / Audit Committee; Senior Management
1st Line of Defense – Operations:
• Management Controls
• Internal Control Measures
2nd Line of Defense – Supervisory:
• Financial Control
• Security
• Risk Management
• Quality
• Inspection
• Compliance
3rd Line of Defense – Evaluation:
• Internal Audit
11. Three Lines of Defense – IT Services
Oversight: Board of Directors / Audit Committee; Senior Management
1st Line of Defense – Operations. Controls:
• Network Controls
• Access Controls
• Traceability Controls
• Encryption Controls
• Awareness and Response Controls
2nd Line of Defense – Supervisory. Controls:
• Configuration Controls
• Authorization Controls
• Change Controls
• Logging & Integrity Controls
• Policy Controls
• Policy Violation Controls
3rd Line of Defense – Evaluation. Controls:
• Transparency
• Log Processing
• Policy Review
• Separation of Duties
• Account Governance
• Event Review
12. Three Lines of Defense – AWS Services
Oversight: Board of Directors / Audit Committee; Senior Management
1st Line of Defense – Operations. AWS applicable services:
• Amazon VPC
• AWS CloudTrail
• AWS IAM
• AWS KMS
• Amazon CloudWatch
2nd Line of Defense – Supervisory. AWS applicable services:
• Amazon CloudWatch
• IAM Permissions
• AWS Config
• AWS CloudTrail
• IAM Role
• AWS CloudFormation
3rd Line of Defense – Evaluation. AWS applicable services:
• AWS CloudTrail
• AWS Management Console
• IAM Policy
• Amazon CloudWatch
13. 1st Line of Defense – Configuration Management
14. Configuration Management in AWS
• Admin: defines a CloudFormation template.
• Admin: publishes the template to AWS Service Catalog.
• Users: browse AWS Service Catalog and launch the product.
• The resulting CloudFormation stack provisions the resources and applies subsequent changes to them.
15. 2nd Line of Defense – Configuration Monitoring
16. Configuration Alarm
The same pipeline as slide 14 (Admin defines a CloudFormation template and publishes it to AWS Service Catalog; Users browse and launch; the CloudFormation stack provisions and changes the resources), with monitoring added:
• AWS Config tracks changes to the provisioned resources.
• AWS Config rules evaluate each change and notify when a resource falls out of compliance.
17. AWS Config & Config Rules
Changing Resources → Record → Normalize → Store → Deliver
• Delivery forms: Stream, Snapshot (ex. 2014-11-05), History
• Consumers: AWS Config APIs, Rules
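The evaluation step of a Config rule, as an added example that is not part of the original deck and not AWS-provided code: a hypothetical custom rule, "no security group may allow SSH (TCP/22) from 0.0.0.0/0 or ::/0", written the way a Lambda-backed rule is structured. The event layout (an invokingEvent JSON string carrying the configurationItem) is the one AWS Config passes to custom rules; the security-group items are constructed, and the field names used inside "configuration" (ipPermissions, ipRanges, ipv4Ranges, ipv6Ranges) are assumed to match what Config records. The put_evaluations call that would report the result back to Config is shown in a comment only, so the block runs offline.

```python
import json
from typing import Any, Dict, List

# Hypothetical custom AWS Config rule: no security group may allow SSH (TCP/22)
# from the whole Internet. Sample configuration items below are constructed,
# not captured from a real account.

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _cidrs(entries: List[Any]) -> List[str]:
    """Accept both the string form ("0.0.0.0/0") and the object form
    ({"cidrIp": ...} / {"cidrIpv6": ...}) assumed to appear in configuration items."""
    out = []
    for e in entries:
        if isinstance(e, str):
            out.append(e)
        elif isinstance(e, dict):
            out.append(e.get("cidrIp") or e.get("cidrIpv6"))
    return [c for c in out if c]


def permission_opens_ssh_to_world(perm: Dict[str, Any]) -> bool:
    """True if one ipPermissions entry exposes TCP/22 to 0.0.0.0/0 or ::/0."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                      # all traffic; no ports are present
        covers_22 = True
    elif proto == "tcp":
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        covers_22 = lo is not None and hi is not None and lo <= 22 <= hi
    else:
        return False
    if not covers_22:
        return False
    ranges = (_cidrs(perm.get("ipRanges", [])) + _cidrs(perm.get("ipv4Ranges", []))
              + _cidrs(perm.get("ipv6Ranges", [])))
    return any(c in WORLD_CIDRS for c in ranges)


def evaluate_compliance(ci: Dict[str, Any]) -> str:
    """Return the ComplianceType for one configuration item."""
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if str(ci.get("configurationItemStatus", "")).startswith("ResourceDeleted"):
        return "NOT_APPLICABLE"          # nothing left to evaluate
    perms = ci.get("configuration", {}).get("ipPermissions", [])
    return "NON_COMPLIANT" if any(permission_opens_ssh_to_world(p) for p in perms) else "COMPLIANT"


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Entry point as AWS Config would invoke it. Builds the evaluation record;
    in Lambda it would be reported with
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    which is left out here so the example runs offline."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_compliance(ci),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def make_event(ci: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap a configuration item the way AWS Config does for a custom rule."""
    return {"invokingEvent": json.dumps({"configurationItem": ci,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": "{}", "resultToken": "constructed-token"}


def _sg(resource_id: str, permissions: List[Dict[str, Any]]) -> Dict[str, Any]:
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": resource_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2016-04-14T15:00:00.000Z",
            "configuration": {"groupId": resource_id, "ipPermissions": permissions}}


# Constructed samples: one group open to the world on 22, one restricted to an internal range.
OPEN_SG = _sg("sg-open0001", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                               "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": []}])
RESTRICTED_SG = _sg("sg-tight001", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                     "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
                                    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                     "ipRanges": ["0.0.0.0/0"]}])

if __name__ == "__main__":
    for sg in (OPEN_SG, RESTRICTED_SG):
        print(json.dumps(lambda_handler(make_event(sg))))
```

The rule returns NOT_APPLICABLE for deleted items and for other resource types rather than COMPLIANT, so a missing evaluation is never mistaken for a passing one; a 443-only exposure is deliberately left compliant, since this rule is about SSH and a second rule should carry its own scope.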
18. 3rd Line of Defense – Configuration Testing
19. Configuration Log Testing
The same pipeline as slides 14 and 16 (Admin defines a CloudFormation template and publishes it to AWS Service Catalog; Users browse and launch; the CloudFormation stack provisions and changes the resources), with the audit trail added:
• AWS Config captures resource changes; AWS Config rules notify on non-compliance.
• AWS CloudTrail captures all API interaction and delivers the logs to Amazon S3.
20. Look up events in the CloudTrail console
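What a third-line reviewer would look for in those events, as an added example that is not part of the original deck and not AWS code: a small review over one CloudTrail log file of the form delivered to S3 ({"Records": [...]}). The records are constructed; field names (eventSource, eventName, userIdentity.type, additionalEventData.MFAUsed, errorCode) follow the CloudTrail record format, while the account ID, user names and IP addresses are placeholders. The set of event names treated as control-plane changes is this example's own choice.

```python
import json
from typing import Any, Dict, List

# Constructed sample of a CloudTrail log file as delivered to S3. Account IDs,
# names and addresses are placeholders, not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2016-04-14T15:01:12Z", "awsRegion": "us-east-1",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventVersion": "1.05", "eventTime": "2016-04-14T15:03:40Z", "awsRegion": "us-east-1",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"name": "management-events"}},
    {"eventVersion": "1.05", "eventTime": "2016-04-14T15:02:05Z", "awsRegion": "us-east-1",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2016-04-14T15:04:10Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ReadOnly/audit"},
     "sourceIPAddress": "203.0.113.22"},
    {"eventVersion": "1.05", "eventTime": "2016-04-14T15:05:33Z", "awsRegion": "us-east-1",
     "eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "arn": "arn:aws:iam::111111111111:user/carol"},
     "sourceIPAddress": "203.0.113.31", "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: config:StopConfigurationRecorder"},
]})

# Calls that weaken the control environment itself (logging or recording switched
# off, privilege grants). This selection is the example's own, not an AWS list.
CONTROL_PLANE_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
                             "DeleteDeliveryChannel", "DeleteConfigRule"},
    "iam.amazonaws.com": {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                          "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                          "CreatePolicyVersion", "CreateAccessKey"},
}


def classify(record: Dict[str, Any]) -> List[str]:
    """Return the review findings for one record (empty list if routine)."""
    findings = []
    name = record.get("eventName")
    identity = record.get("userIdentity", {})
    if name in CONTROL_PLANE_EVENTS.get(record.get("eventSource"), ()):
        findings.append(f"control-plane change: {name}")
    if identity.get("type") == "Root":
        findings.append("root credentials used")
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        findings.append("console login without MFA")
    # A denied attempt is still evidence for the reviewer, but label it as such.
    if findings and record.get("errorCode"):
        findings = [f"{f} (attempt failed: {record['errorCode']})" for f in findings]
    return findings


def review(log_text: str) -> List[Dict[str, Any]]:
    """Parse one CloudTrail log file and return findings in time order."""
    out = []
    for r in json.loads(log_text)["Records"]:
        for finding in classify(r):
            out.append({"eventTime": r.get("eventTime"), "eventName": r.get("eventName"),
                        "actor": r.get("userIdentity", {}).get("arn"),
                        "sourceIPAddress": r.get("sourceIPAddress"), "finding": finding})
    return sorted(out, key=lambda f: f["eventTime"])


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['eventTime']} {f['actor']} {f['eventName']}: {f['finding']}")
```

Records are sorted by eventTime rather than file order because CloudTrail delivers events in batches and the sequence "grant admin, then stop logging" from one actor and address is what the reviewer wants to see as a sequence; failed attempts stay in the output, marked, since a denied StopConfigurationRecorder is itself something the second line should hear about.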
21. Three Lines of Defense – AWS Support
Oversight: Board of Directors / Audit Committee; Senior Management
Across the three lines (1st – Operations, 2nd – Supervisory, 3rd – Evaluation):
• Keep pace with the industry
• Infrastructure as code
• Only validated options
• Automate compliance
• Visibility whenever you want
• Total transparency
22. Thank you!
Jodi Scrofani, Financial Services Compliance Strategist at AWS
jscrofan@amazon.com