Automating nist 800 171 compliance in AWS Govcloud (US)

Brett Miller
AWS Envision Engineering Center
brettmi@amazon.com
April 2017
Automating NIST 800-171 Compliance in AWS
GovCloud (US) with the NIST Quick Start tool

What is NIST SP 800-171?
Per Executive Order 13556, Controlled Unclassified Information, the National Archives and
Records Administration (NARA) issued a Federal regulation, “Controlled Unclassified
Information (CUI),” establishing consistent practices and procedures for safeguarding,
disseminating, controlling, and marking CUI across Executive Branch departments and
agencies. This regulation went into effect November 14, 2016.
In October, the U.S. Department of Defense (DoD) issued two final rules that changed the
DoD Federal Acquisition Regulations Supplement ("DFARS") which require DoD contractors
to provide adequate security to safeguard CUI on their information systems that support the
performance of work under a DoD contract, in accordance with NIST SP 800-171.
NIST SP 800-171 basically selects the Confidentiality security controls at the Moderate impact
level from NIST SP 800-53 to achieve that objective.
NIST SP 800-171 requirements are the security controls levied upon contractors and other
non-federal orgs that store/process federal CUI on their own systems, which can be enforced
contractually as part of the new acquisition regulations.

• Genomics professor reviewing U.S. population health
data for federally-funded research program at a U.S.
university
• Systems Integrator serving a government agency by
updating their employee management system housing
government employee PII including tax information
• Design engineer working for an aviation manufacturing
government contractor updating hardware designs in
CAD
• Veterans hospital administrator managing blood type
information housed by the hospital’s electronic health
records platform
CUI example use cases:

Shared Responsibility Model
Customers are responsible for how they use AWS components in AWS
Customer Data
Platform, Applications,
Identity & Access Management
Operating System, Network &
Firewall Configuration
Client-side Data
Encryption & Data
Integrity
Authentication
Server-side Encryption
(File System and/or
Data)
Network Traffic
Protection (Encryption /
Integrity / Identity)
DatabaseStorageCompute Networking
Edge
Locations
Regions
Avail. Zones
AWS Global
Infrastructure
Customer
Responsible for
security ‘in’ the Cloud
Responsible for
security ‘of’ the Cloud
AWS

Delegation of Security Control Responsibilities
DatabaseStorageCompute Networking
Edge LocationsRegions
Avail. Zones
AWS Global
Infrastructure
AWS Responsible for ~10%
of Control Requirements
Application Owners
Responsible
for ~70-80% of Control
Requirements at the
Application Level
Enterprise Services
Responsible
for ~ 10-20% of Control
Requirements
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Addressing Customer Compliance Challenges with
Standardized Reference Architectures
Meeting compliance requirements i.e., NIST
Challenge
Incorporate compliance requirements which can be pre-approved by
customer assessment organizations
Solution

Making many critical decisions to ensure a secure application when
using the AWS Shared Responsibility Model
Challenge
Incorporate AWS functional and security best practices in the baseline
Solution

Mapping security controls to numerous AWS services
Challenge
Pre-document the alignment of AWS best practices with
security/compliance requirements
Solution

Error prone and time-consuming manual configuration of AWS
resources
Challenge
Create fully automated infrastructure as code CloudFormation
templates to reduce human error
Solution

Enforcing configuration management of AWS infrastructure over time
Challenge
Keep AWS CloudFormation Templates under version control and only
deploy from the approved repository using approved processes
Solution

Authorization process is time consuming, labor intensive, and delays
mission deployments
Challenge
Reduces time necessary to engineer, build, and document security
compliance controls
Solution

How Does AWS Make This Easy?
The Enterprise Accelerator Compliance Quick Start
https://aws.amazon.com/quickstart

AWS Enterprise Accelerator Quick Start Web Site

Enterprise Accelerator Quick Start Packages:
What’s in the Box?
Architecture Diagram
Security Controls Matrix (SCM)
AWS CloudFormation
Templates
Deployment Guide

Customizable Reference Architecture

AvailabilityZone#2
App server
CloudWatch
RDS Snapshots
Fixed Content
App
App
Web
Web
RDS
RDS
Availability Zone #1
Internet
AvailabilityZone#2
Availability Zone #1
RDP
RDP
AD
AD
Management Network
Customer
Gateway
Production/Development VPC Management VPC
End Users
VPC Peering
CloudTrail LogsIAM
Incorporates Security Features via AWS Best Practices (200+ APIs)
Users accessing AWS
console can be required
to use multi-factor
authentication (MFA)
with physical or virtual
token
CloudTrail logs API
activity and outputs
this logging to an S3
bucket where it can be
analyzed with a
number of tools
CloudTrail
Users who access or manage
AWS resources can be
restricted by roles and
permissions
Elastic Load Balancer
supports HTTPS and
high availability
S3 supports both
SSL and encryption
at rest
ACLs and IAM
policies applied to
any S3 bucket
restricts access to
S3 data
Network ACL associated
with multiple subnets can
specify allow/deny ingress
and egress rules
Separate Management
VPC isolates all
management
applications and access,
accessible only via
Virtual Private Gateway
Logging can be
enabled on S3
buckets to track
access and
operations
Private subnets
(subnets not
routing through
a gateway) are
not accessible
to Internet
Each EC2 instance type (web, app)
can have standard security group
specified in the autoscaling launch
configuration
DB security
groups
specify only
app
instances
have access
to RDS

Security Controls Matrix
• Security Controls/Requirements Matrix
− Maps Security Controls to architectural
components
− Describes security control implementation
Details

Are they
Similar?
Use the AWS Enterprise Accelerator as a Validation Tool
Your SCMAWS Enterprise Accelerator SCM

AWS Quick Start CloudFormation Stacks
• The Quick Start package is a set of
nested templates that deploy
‘stacks” which:
− Are modular and customizable
− Build specific portions of architecture
− Can be deployed for different types of
workloads
Templates Stacks

How Does AWS CloudFormation Work?
• By setting up Infrastructure through code
Main Stack
IAM Stack Logging Stack
Production VPC Stack
Management VPC
Stack
Config Rule Stack NAT Instance Stack
Application Stack
main.template
Iam. logging.template
vpc-
production.template
vpc-
management.templ
ate
config-
rules.template
nat-
instance.template
application.template

Deployment Guide
Contents:
• Overview of Compliance
Framework(s) supported
• AWS Account Prerequisites
• Deployment steps
• Best practices
• How to customize and manage
the CloudFormation templates

• NIST 800-53 controls expand to 1711 granular
requirements
– ~736 = Moderate Confidentiality Controls
– AWS provides:
• ~84 Inherited by AWS Fedramp ATO
• ~51 addressed by AWS Quick Start architecture (infrastructure layer).
– You provide:
• ~415/525 – Organizational controls (~80%)
• ~110 Application level technical controls
• Some may be addressed with other AWS services not covered by AWS
Quick Start (ex. MFA, Marketplace partners).
Approximate Control Breakdown based on
Enterprise Accelerator NIST SCM

Enterprise Accelerator + Customer Governance Model

DEMO:
AWS Enterprise Accelerator – Compliance
Quick Start Deployment

Where do I go from here:
AWS Compliance Jumpstart Program
Accelerate cloud adoption and save staff time by enabling a NIST compliant cloud
architecture with post-workshop Technical Discovery services provided by AWS ProServe
Contact your AWS Account Manager to learn more and get started!
v1.0
Activity
Day
1
Day
2
Day
3
Day
4
Day
5
Day
6
Day
7
Day
8
Day
9
Day
10
Day
11
Day
12
Day
13
Day
14
Day
15
Day
16
Day
17
Day
18
Day
19
Day
20
Kick-Off & Introductions
Discovery of Customer Objectives
Introduction to AWS
AWS Security Deep-Dive
AWS DevOps Deep-Dive
Compliance Package Deep-Dive
AWS CloudFormation Deep-Dive
Technical Discovery
AWS QuickStart Deployment
Assist Customer in deploying one Customer provided 3 tier web app
Security Controls Matrix Deep-Dive
Compliance Package deployment to AWS Service Catalog
(Optional) Telos xActa Deep Dive
Project Plan
AWS Compliance Jumpstart

Samples Roles & Responsibilities:
• AWS provides:
– Consulting: high-level analysis, design, planning
– Remote and on site implementation services as agreed upon (Time & Materials)
– AWS is not required to perform any business application development for implementation
• Customer provides:
– Giving AWS access to Personnel (e.g.) at prescheduled times. Other resources needed by phase are:
• Workshop: Key Stakeholders like ATO Decision Makers, CISO, CIO and Client SPOC for the entire duration of
engagement.
• Technical Discovery: SPOC and ATO representative
• QuickStart/Deployment: Application Owner and SPOC
• Security Control: Security, Application, Infrastructure, Operations resources and SPOC
– Staffing for deploying, testing, and supporting any AWS Content (including but not limited to sample code)
provided by AWS
– Granting AWS access to Test Environment, Application Code and Database
– All third party software required
– Documentation (e.g. application dependencies, compliance requirements) during discovery phase
Program Details
*See SOW for details and legal limitations and disclaimers. Items listed above are not contractual terms.

Automating nist 800 171 compliance in AWS Govcloud (US)

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Automating nist 800 171 compliance in AWS Govcloud (US)

Similar a Automating nist 800 171 compliance in AWS Govcloud (US) (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

Último

Último (20)

Automating nist 800 171 compliance in AWS Govcloud (US)