The AWS Security Focused Standardized Architecture solution is designed to enable customers create secure and compliant workloads in AWS, as well as reduce the complexity of maintaining secure baselines at scale as customer environments transform over time. This solution provides many benefits, including the ability to securely deploy recommended, reliable, and secure resources in AWS. AWS Security Focused Standardized Architecture is an automated reference architecture, following security-leading practices and supporting multiple customer compliance requirements (e.g. FISMA, PCI, CJIS, FFIEC, HIPAA, etc.). The webinar will dive deep into the four core aspects of this tool: Security Control Responsibility Matrix (CRM), Architecture diagrams, AWS CloudFormation templates, and User Guides and deployment instructions; and will also include an actual demonstration of an automated deployment of a secure and compliant baseline architectures using one of the CloudFormation templates.

1. Brett Miller
AWS Professional Services
December 2015
Introduction to Security-Focused
Standardized Architectures (SFSA)

2. Welcome & Objectives
 Understand the purpose and benefits of SFSA
 Review contents of the SFSA package
 Review common use case scenarios and implementations
 Know how to get started using SFSA in your organization

3. Customer Challenges
 Meeting compliance requirements (NIST, PCI, HIPAA, CJIS, etc.)
 Choosing from a myriad of options when designing for the cloud
 Making many critical decisions to ensure a secure application when
using the AWS Shared Responsibility Model
 Mapping security controls to numerous AWS services
− Example: 400 NIST 800-53 Security Controls to 42 AWS Services
 Error prone and time-consuming manual configuration of AWS
resources
AWS developed SFSA to address major customer
challenges when moving to the cloud

4. Customer Challenges
 Meeting compliance requirements (NIST,
PCI, HIPAA, CJIS, etc.)
 Choosing from a myriad of options when
designing for the cloud
 Making many critical decisions to ensure a
secure application when using the AWS
Shared Responsibility Model
 Mapping security controls to numerous
AWS services
− Example: 400 NIST 800-53 Security
Controls to 42 AWS Services
 Error prone and time-consuming manual
configuration of AWS resources
AWS developed SFSA to address major customer
challenges when moving to the cloud
AWS Solution: SFSA
 Standardized for specific use cases
 Address security/compliance
requirements and AWS best
practices
 Ready to be pre-approved by
customer assessment organizations
 Ready to deploy “out of the box”
 Customizable

5. Shared Responsibility Model
Customers are responsible for how they use AWS components in AWS
Customer Data
Platform, Applications,
Identity & Access Management
Operating System, Network &
Firewall Configuration
Client-side Data
Encryption & Data
Integrity
Authentication
Server-side Encryption
(File System and/or
Data)
Network Traffic
Protection (Encryption /
Integrity / Identity)
DatabaseStorageCompute Networking
Edge
Locations
Regions
Avail. Zones
AWS Global
Infrastructure
Customer
Responsible for
security ‘in’ the Cloud
Responsible for
security ‘of’ the Cloud
AWS

6. Infrastructure Services Container Services
Abstracted ServicesSecurity Controls
Inherited
Hybrid
Shared
Customer
Specific
Fully inherited by AWS
AWS provides partial implementation
AWS and customer provides their implementation
Sole Responsibility of the customer
Division of Responsibility changes depending on AWS
service

7. SFSA helps simplify and accelerate your AWS
migrations
Benefits
 Automate system deployments
 Address security/compliance requirements
 Follow best practices
 Decrease deployment time
 Provide Reusable Documentation

8. AWS built the SFSA Package to include several key
artifacts to meet customer needs
Package Overview
 CloudFormation Templates
 Guidance Documentation
 Security Controls/Requirements Matrix
− NIST SP 800-53 available now
− Coming Soon: PCI DSS, CJIS, HIPAA, ISO
27001
 Customizable Reference Architecture Diagram

9. AWS SFSA CloudFormation Stacks
 Multiple nested stacks
− For different types of workloads
− Modular and customizable
− Each stack builds a portion of architecture
Each package consists of multiple CloudFormation templates
reusable across different use cases

10. SFSA CloudFormation Stack
2,500 lines of JSON code = 126 AWS Resources, 200+ API Actions

11. Documentation
Included with every package is a User Guide along with an inventory
of resources deployed by the templates
Resource Inventory
User Guide

12. Security Controls / Compliance Mapping
 Pre-documents how security controls/requirements are addressed by the
SFSA within the VPC/infrastructure layer
− Can be included in a customer’s compliance documentation/SSP
− Can be ingested into customer security/compliance databases/workflow tools
 Contains additional guidance for each control/requirement
 Identifies which CloudFormation stack implements the control/requirement
 Identifies related AWS resources within each stack
 NIST SP 800-53 controls matrix will be followed by CJIS, SOC, PCI, and
other third-party compliance frameworks

13. Security Controls / Compliance Mapping: Example
Matrix

14. Customizable Reference Architecture

15. SFSA Use Cases
 Base Architectures
Examples:
− Base IAM Configuration
− Base VPC Architecture for Internal VPC
 Full Applications
Examples:
− 3 Tier Linux Web Application
− Shared Services VPC with Active
Directory

16. Before you get started…
 Understand use cases and workload types
 Have a basic understanding of your governance model
 Have a basic cloud strategy and roadmap
 Identify relevant security standards or compliance
requirements
− Have an organizational appetite to comply with them

17. As a Baseline for your architectures
Plan and design the Cloud-
based infrastructure
Build the infrastructure
using AWS components
Application Deployment
Deploy applications using EC2
instances and other services
within the cloud infrastructure
SFSA
Plan and design the Cloud-based
infrastructure
Build the infrastructure using
AWS components
Application Deployment
Deploy applications using EC2
instances and other services
within the cloud infrastructure
SFSA
As a Full Application Deployment
How can SFSA be used?

18. Security Focused Standardized
Architectures (SFSA)
CloudFormation Intro and Tools

19. AWS CloudFormation
 Basic standard in AWS for automating
deployment of resources
 CloudFormation Template
− JSON-formatted document which describes
a configuration to be deployed in an AWS
account
− When deployed, refers to a “stack” of
resources
AWS
CloudFormation

20. CloudFormation Template Structure

21.  Describe detailed configuration of
a resource in AWS
 Include, but not limited to:
− IAM Policies, Users, Groups, Roles
− VPCs, Subnets, NACLs, Security
Groups
− EC2 instances, Auto Scaling Groups
− RDS Databases, S3 Buckets
− Elastic Load Balancers
− CloudWatch Alarms
− Lambda Functions
− Logging (CloudTrail, CW Logs)
SFSA CloudFormation Resources

22.  20+ selectable variables to
customize the AWS
infrastructure
 Variables can be immutable
based on organizational
requirements
SFSA CloudFormation Parameters

23. SFSA + Customer Governance Model

24. Managing SFSA Packages
 Templates can be kept under version control
 Establishes baselines for standard AWS
configurations
 Organizationally approved architectures can be
stored centrally
 Mandatory for many third-party security
frameworks

25. Deployment Options
 AWS Console
 CLI Deployment
− Deployment scripts included with package
 AWS Service Catalog
− As a Service Catalog “Product”

26. AWS Management Console

27. CLI Deployment Scripts
 “cfdeploy”
− Optional tool included with package to make deployment from CLI easier
− Simpler management of standard parameters
cfdeploy --deploy SFSA --yaml-parameters templates/parameters/example_useast1.yaml --template templates/main-webapp-linux.json --
region us-east-1
Launched Stack ID: arn:aws:cloudformation:us-east-1:979676883363:stack/ASFA/e1442430-78f8-11e5-b55e-50d5018a129a

28. SFSA Deployment with AWS Service Catalog
 Standardize deployment
 Allow push-button build of common architectures based on compliance and
use case
 Provide a self-service model for workload owners

29.  Allows administrators to create and manage approved catalogs of
resources (products) that end users can access via a personalized
portal
 A Service Catalog Product is a deployable CloudFormation template
 Managed compliance with Service Catalog
− Provide a catalog of pre-built, compliant architectures ready to deploy
− Enforce resource tagging
− Allow workload owners to deploy resources which normally require higher
levels of IAM permissions than they are given
− Separate Portfolios of Products can be used to segment products by
compliance type
AWS Service Catalog

30. AWS SFSA & Service Catalog

31. Get started with SFSA
 Contact your sales representative/SA
 AWS Quickstart Deployments (coming soon)
 Getting Help:
− Whitepapers/User Guides/SA
Included with the package
− FREE 1 day workshop provided by Solutions
Architects or Professional Services
− SOW-based 2-5 day ProServe customization
workshop
Professional Services or APN Partner
 Email: brettmi@amazon.com

32. Additional Resources
 AWS SFSA Quick Start Test Drive
− https://s3.amazonaws.com/quickstart-reference/security-compliance/latest/doc/Standard_NIST_800-
53_Architecture_on_the_AWS_Cloud.pdf
 AWS re:Invent 2015 Videos
(SEC312) Reliable Design and Deployment of Security and Compliance
https://youtu.be/KtMANvC7_n8
(ISM206) Modern IT Governance Through Transparency and Automation
https://youtu.be/YYiV_z9D2CE

33. Questions?