The AWS Security Focused Standardized Architecture solution is designed to enable customers create secure and compliant workloads in AWS, as well as reduce the complexity of maintaining secure baselines at scale as customer environments transform over time. This solution provides many benefits, including the ability to securely deploy recommended, reliable, and secure resources in AWS. AWS Security Focused Standardized Architecture is an automated reference architecture, following security-leading practices and supporting multiple customer compliance requirements (e.g. FISMA, PCI, CJIS, FFIEC, HIPAA, etc.). The webinar will dive deep into the four core aspects of this tool: Security Control Responsibility Matrix (CRM), Architecture diagrams, AWS CloudFormation templates, and User Guides and deployment instructions; and will also include an actual demonstration of an automated deployment of a secure and compliant baseline architectures using one of the CloudFormation templates.
Gen AI in Business - Global Trends Report 2024.pdf
Introduction to Security-Focused Standardized Architecture
1. Brett Miller
AWS Professional Services
December 2015
Introduction to Security-Focused
Standardized Architectures (SFSA)
2. Welcome & Objectives
Understand the purpose and benefits of SFSA
Review contents of the SFSA package
Review common use case scenarios and implementations
Know how to get started using SFSA in your organization
3. Customer Challenges
Meeting compliance requirements (NIST, PCI, HIPAA, CJIS, etc.)
Choosing from a myriad of options when designing for the cloud
Making many critical decisions to ensure a secure application when
using the AWS Shared Responsibility Model
Mapping security controls to numerous AWS services
− Example: 400 NIST 800-53 Security Controls to 42 AWS Services
Error prone and time-consuming manual configuration of AWS
resources
AWS developed SFSA to address major customer
challenges when moving to the cloud
4. Customer Challenges
Meeting compliance requirements (NIST,
PCI, HIPAA, CJIS, etc.)
Choosing from a myriad of options when
designing for the cloud
Making many critical decisions to ensure a
secure application when using the AWS
Shared Responsibility Model
Mapping security controls to numerous
AWS services
− Example: 400 NIST 800-53 Security
Controls to 42 AWS Services
Error prone and time-consuming manual
configuration of AWS resources
AWS developed SFSA to address major customer
challenges when moving to the cloud
AWS Solution: SFSA
Standardized for specific use cases
Address security/compliance
requirements and AWS best
practices
Ready to be pre-approved by
customer assessment organizations
Ready to deploy “out of the box”
Customizable
5. Shared Responsibility Model
Customers are responsible for how they use AWS components in AWS
Customer Data
Platform, Applications,
Identity & Access Management
Operating System, Network &
Firewall Configuration
Client-side Data
Encryption & Data
Integrity
Authentication
Server-side Encryption
(File System and/or
Data)
Network Traffic
Protection (Encryption /
Integrity / Identity)
DatabaseStorageCompute Networking
Edge
Locations
Regions
Avail. Zones
AWS Global
Infrastructure
Customer
Responsible for
security ‘in’ the Cloud
Responsible for
security ‘of’ the Cloud
AWS
6. Infrastructure Services Container Services
Abstracted ServicesSecurity Controls
Inherited
Hybrid
Shared
Customer
Specific
Fully inherited by AWS
AWS provides partial implementation
AWS and customer provides their implementation
Sole Responsibility of the customer
Division of Responsibility changes depending on AWS
service
7. SFSA helps simplify and accelerate your AWS
migrations
Benefits
Automate system deployments
Address security/compliance requirements
Follow best practices
Decrease deployment time
Provide Reusable Documentation
8. AWS built the SFSA Package to include several key
artifacts to meet customer needs
Package Overview
CloudFormation Templates
Guidance Documentation
Security Controls/Requirements Matrix
− NIST SP 800-53 available now
− Coming Soon: PCI DSS, CJIS, HIPAA, ISO
27001
Customizable Reference Architecture Diagram
9. AWS SFSA CloudFormation Stacks
Multiple nested stacks
− For different types of workloads
− Modular and customizable
− Each stack builds a portion of architecture
Each package consists of multiple CloudFormation templates
reusable across different use cases
11. Documentation
Included with every package is a User Guide along with an inventory
of resources deployed by the templates
Resource Inventory
User Guide
12. Security Controls / Compliance Mapping
Pre-documents how security controls/requirements are addressed by the
SFSA within the VPC/infrastructure layer
− Can be included in a customer’s compliance documentation/SSP
− Can be ingested into customer security/compliance databases/workflow tools
Contains additional guidance for each control/requirement
Identifies which CloudFormation stack implements the control/requirement
Identifies related AWS resources within each stack
NIST SP 800-53 controls matrix will be followed by CJIS, SOC, PCI, and
other third-party compliance frameworks
15. SFSA Use Cases
Base Architectures
Examples:
− Base IAM Configuration
− Base VPC Architecture for Internal VPC
Full Applications
Examples:
− 3 Tier Linux Web Application
− Shared Services VPC with Active
Directory
16. Before you get started…
Understand use cases and workload types
Have a basic understanding of your governance model
Have a basic cloud strategy and roadmap
Identify relevant security standards or compliance
requirements
− Have an organizational appetite to comply with them
17. As a Baseline for your architectures
Plan and design the Cloud-
based infrastructure
Build the infrastructure
using AWS components
Application Deployment
Deploy applications using EC2
instances and other services
within the cloud infrastructure
SFSA
Plan and design the Cloud-based
infrastructure
Build the infrastructure using
AWS components
Application Deployment
Deploy applications using EC2
instances and other services
within the cloud infrastructure
SFSA
As a Full Application Deployment
How can SFSA be used?
19. AWS CloudFormation
Basic standard in AWS for automating
deployment of resources
CloudFormation Template
− JSON-formatted document which describes
a configuration to be deployed in an AWS
account
− When deployed, refers to a “stack” of
resources
AWS
CloudFormation
21. Describe detailed configuration of
a resource in AWS
Include, but not limited to:
− IAM Policies, Users, Groups, Roles
− VPCs, Subnets, NACLs, Security
Groups
− EC2 instances, Auto Scaling Groups
− RDS Databases, S3 Buckets
− Elastic Load Balancers
− CloudWatch Alarms
− Lambda Functions
− Logging (CloudTrail, CW Logs)
SFSA CloudFormation Resources
22. 20+ selectable variables to
customize the AWS
infrastructure
Variables can be immutable
based on organizational
requirements
SFSA CloudFormation Parameters
24. Managing SFSA Packages
Templates can be kept under version control
Establishes baselines for standard AWS
configurations
Organizationally approved architectures can be
stored centrally
Mandatory for many third-party security
frameworks
25. Deployment Options
AWS Console
CLI Deployment
− Deployment scripts included with package
AWS Service Catalog
− As a Service Catalog “Product”
27. CLI Deployment Scripts
“cfdeploy”
− Optional tool included with package to make deployment from CLI easier
− Simpler management of standard parameters
cfdeploy --deploy SFSA --yaml-parameters templates/parameters/example_useast1.yaml --template templates/main-webapp-linux.json --
region us-east-1
Launched Stack ID: arn:aws:cloudformation:us-east-1:979676883363:stack/ASFA/e1442430-78f8-11e5-b55e-50d5018a129a
28. SFSA Deployment with AWS Service Catalog
Standardize deployment
Allow push-button build of common architectures based on compliance and
use case
Provide a self-service model for workload owners
29. Allows administrators to create and manage approved catalogs of
resources (products) that end users can access via a personalized
portal
A Service Catalog Product is a deployable CloudFormation template
Managed compliance with Service Catalog
− Provide a catalog of pre-built, compliant architectures ready to deploy
− Enforce resource tagging
− Allow workload owners to deploy resources which normally require higher
levels of IAM permissions than they are given
− Separate Portfolios of Products can be used to segment products by
compliance type
AWS Service Catalog
31. Get started with SFSA
Contact your sales representative/SA
AWS Quickstart Deployments (coming soon)
Getting Help:
− Whitepapers/User Guides/SA
Included with the package
− FREE 1 day workshop provided by Solutions
Architects or Professional Services
− SOW-based 2-5 day ProServe customization
workshop
Professional Services or APN Partner
Email: brettmi@amazon.com
32. Additional Resources
AWS SFSA Quick Start Test Drive
− https://s3.amazonaws.com/quickstart-reference/security-compliance/latest/doc/Standard_NIST_800-
53_Architecture_on_the_AWS_Cloud.pdf
AWS re:Invent 2015 Videos
(SEC312) Reliable Design and Deployment of Security and Compliance
https://youtu.be/KtMANvC7_n8
(ISM206) Modern IT Governance Through Transparency and Automation
https://youtu.be/YYiV_z9D2CE
SFSA provides AWS customers with pre-built “golden” reference architectures. These are deployable architectures for applications and use cases that have been pre-vetted by AWS and in addition a 3PAO (third party assessment) to be compliant and secure and help ensure customers have a proper starting point for deploying their applications.
How many heard of shared responsibility model?
Reality for customers
What customers ask/need
A way to easily automate architectures and configurations on AWS
While ensuring compliance and best practices
Decreasing deployment time – also making it easier to validate what is being deployed is compliant
Ultimately – drive adoption and accelerate customers transition to AWS
The fundamental part of the SFSA package is a set of structured, reusable CloudFormation templates which have been validated for the specific compliance of the package and are built for the use case. In addition included is user documentation, reference architectures, as well as a security controls mapping to help speed up accreditation as proof for auditors that the architecture deployed is compliant.
Modular, reusable template design
Use cases take advantage of nested templates
Documentation to make the package easier for customers to get started with
The SFSA packages include automated templates which can be used for either base architectures – starting points which can be built upon. Or can be used in some cases to deploy configurations for entire applications.
AWS SFSA, formerly Trusted Architect
Resources is only required section
In this example you can optionally just use different base layers of a SFSA deployment. Very often you might have a provisioning team which simply provisions accounts for workload owners or developers and wants to keep the standards and guardrails in place from which the application can be deployed into. This means that at a minimum each workload will meet a certain number of controls and have a baseline level of compliance.