AWS re:Invent 2022 - Automating and evidencing key compliance security controls (STP207-R)

Whether you’re in the healthcare industry and subject to HIPAA regulations or in FinTech and subject to SOC 2 compliance, this session discusses a few common controls required for multiple compliance standards. An AWS security solutions architect and a compliance specialist walk you through automating, monitoring, and evidencing key controls and how to talk about them with your auditor or regulated customer.



Content

0.63 -> - So I'm really excited to talk with you today
2.85 -> about automating and evidencing
4.38 -> key compliance security controls on AWS.
8.31 -> So I'm Dani Traphagen.
9.84 -> I am a Senior Startup Solutions Architect.
11.82 -> I specialize in healthcare and life sciences here at AWS.
15.45 -> And so I work with highly regulated customers
18.33 -> who have highly regulated data.
21.21 -> My background is in both science and technology.
25.35 -> I have wet lab experience
27.63 -> doing tissue engineering at UCSF.
30.69 -> And then I also have worked in a series of startups,
33.6 -> one of which just recently IPOed in 2021.
36.21 -> So I have a little bit of that experience as well,
38.28 -> and some experience in distributed systems.
40.74 -> And each of those companies defined and created
43.29 -> a cloud product and a cloud offering.
44.85 -> So that's how I have experience with AWS as well.
47.49 -> I've been at AWS for about two years now,
49.53 -> and I've learned a lot about
50.7 -> how we do governance and compliance,
53.13 -> and we have a lot of really good tooling out there,
55.77 -> and that's the part that's overwhelming.
57.24 -> So we're gonna unpack that.
58.92 -> Debunk maybe some common ideas
61.74 -> that you might have about compliance.
63.718 -> And yeah, so I hope you enjoy our talk today.
67.89 -> So let's talk about what we're gonna talk about in detail.
70.86 -> So first, I'm gonna address
72.57 -> compliance and why it's important.
74.28 -> I'm gonna start with a fun analogy.
76.17 -> Why?
77.003 -> Because you should make
77.836 -> compliance discussions fun, right?
79.71 -> Since they normally can be kind of painful, right?
82.56 -> Emotionally and mentally.
84.36 -> Speaking of mentally, I'm going to talk about
86.31 -> three different mental models, okay?
88.59 -> And these mental models are really important
90.87 -> to lay a foundation to your compliance house.
93.27 -> It will really help you kind of shift your mindset
95.52 -> towards the cloud journey with compliance entirely.
98.4 -> So I think it's really important to have that
100.53 -> before we move on to some of the meatier parts.
103.65 -> Speaking of the meatier parts of the talk today,
105.39 -> we're gonna be talking about tooling.
106.83 -> So what are the different tools on AWS?
108.96 -> How do I use them?
109.793 -> How do I use them together to really show evidence,
112.71 -> automate, and monitor my compliance posture on AWS?
116.31 -> Those are the three things
117.24 -> that we're gonna discuss in detail:
118.68 -> that automation process, the monitoring process,
122.88 -> and the evidencing process to the auditor, okay?
126.69 -> All right, next, where does that leave you?
128.55 -> Okay, now you have a funky little analogy
132.57 -> with cute little drawings.
133.77 -> You have three mental models, you understand the tooling,
136.41 -> but where do you go from there?
137.58 -> Well, then I'm gonna offer some getting started guidance
140.16 -> and show you some of the solutions that we publish
143.43 -> that might be helpful for you,
145.26 -> especially getting into things like conformance packs,
147.6 -> which are really handy and dandy,
149.25 -> and talking a lot about how to implement continuous
151.71 -> compliance from an architecture principles perspective.
156.93 -> Next, I'll do some customer examples.
159.45 -> So I find that it's nice to kind of build
162.21 -> to a point where you can see what other customers
164.4 -> are doing as well on AWS and what good looks like.
168.03 -> So we'll talk a little bit about those as well.
171.27 -> And then, like I said earlier,
172.8 -> I would appreciate if we could take Q&A in the hall.
174.93 -> That way, I can get to know you.
176.58 -> And we'll chat in a little bit more detail that way.
179.55 -> All right.
181.14 -> So let's unpack this whole compliance thing, right?
185.01 -> Ensuring that you have proper data governance controls
188.04 -> to meet your compliance requirements.
189.51 -> It's not too dissimilar from taking a hike, right?
192.06 -> It is a journey, it is ongoing.
194.76 -> And hikes can be risky, right?
196.98 -> But they're often worth that risk
198.48 -> if you've planned for them appropriately.
203.52 -> Now, when you plan for a hike,
204.84 -> you're probably thinking about the inventory
206.7 -> of the resources that you need, right?
207.807 -> And like, "Ah, I need to pack some food.
209.67 -> I need to make a good lunch at that beautiful vista
212.01 -> that I'm gonna have at the end of this hike."
214.05 -> And then you wanna pack them securely for your journey.
219.03 -> But when you have valuable resources,
221.85 -> this also means that you have something
223.14 -> that others might want, right?
225.27 -> And that's the rub.
227.49 -> That can put you at risk if you haven't planned
229.86 -> for things appropriately.
232.35 -> And when you don't plan,
235.83 -> bad things happen, okay?
237.93 -> And so this is what we wanna avoid.
240.69 -> And when we plan ahead for these threats,
243.48 -> we can develop controls that we can use
245.1 -> in an automated fashion to protect our resources.
248.87 -> In this example, we plan to have bear spray
251.25 -> in the event we come across a bear on our lovely hike.
254.37 -> These drawings were all done by me, by the way,
256.02 -> so if you need any artists in your life, right?
259.68 -> I will be taking that at a premium.
262.35 -> So you can also talk to me about that in the hallway.
266.49 -> Okay, so what if we don't know
269.82 -> how to use our tools properly?
271.56 -> And this is something I see a lot
272.73 -> with my customers on AWS.
275.55 -> Don't tell them that I said that.
276.87 -> There might be one of them in the room right now.
279.42 -> Just kidding, Lance.
280.92 -> You're great.
281.753 -> But what if we don't know
283.83 -> how to use our tooling properly, right?
285.93 -> That's where things go wrong,
288.63 -> with our lovely friend here, as you can see.
291.36 -> And if you think that this is silly,
294.09 -> well, bad things can happen on a hike.
296.37 -> But what about when we actually encounter
301.35 -> a situation in the real world with an auditor, right?
304.86 -> What is the cost point there that we might see?
307.56 -> Well, it's not gonna be a pretty picture
309.78 -> when the auditor says, "Hey, you have not implemented
313.74 -> the proper governance and compliance controls,
315.9 -> and here's some issues."
317.07 -> Because what happens?
318.9 -> Fines, big ones.
321.09 -> And they're not fun, right?
322.86 -> And if you think this analogy is silly,
324.9 -> just ask the Oklahoma Department
326.82 -> of Wildlife Conservation where they say,
328.537 -> "Listen, bear spray does not work like bug spray.
331.2 -> We would like to not have to repeat that again."
334.47 -> So in the case of tool misuse on a hike,
337.62 -> at least where bears are involved, you could get mauled.
340.17 -> And that's not a great outlook.
341.25 -> But what about getting mauled financially by an auditor?
343.98 -> Let's take into specific example, right?
345.72 -> Where the stakes are similarly high
348.75 -> within the context of GDPR.
350.37 -> And for those of you who don't know,
351.72 -> I'm pretty sure everybody in the room
353.07 -> based upon chatting with you all does.
354.96 -> But GDPR is the global data protection regulation.
359.13 -> And this is an EU regulation.
362.49 -> Defined in its body is a level of violation.
369.87 -> So there'll be severe violation,
371.58 -> egregious violation, and so on.
373.11 -> An egregious violation could be 4%
375.96 -> of your global annual turnover, right?
378.93 -> Or 2 million euros, whichever might be higher.
382.89 -> That is a pretty significant risk, right?
385.86 -> Especially if you're caught in violation of that.
388.14 -> And that's what we really want to avoid here
390.06 -> are those types of issues for you in the cloud.
392.49 -> And that's what I advise my customers on.
395.13 -> Okay, so let's figure out how we can really develop
397.71 -> automated controls using the right tools
400.23 -> that everybody can use appropriately
402.69 -> in the event of a threat,
404.1 -> either internally or externally caused, right?
409.11 -> Okay.
411.63 -> And ultimately, when we are successful
413.58 -> in keeping our resources and our data secure,
416.58 -> well, we're happy and good things happen, right?
421.53 -> And that's what we want for our organization.
423.63 -> So next, we're gonna talk about common challenges
426.39 -> with cloud compliance, because there are quite a few, right?
429.78 -> So first data is an ever evolving landscape.
433.11 -> How many of you are familiar
434.19 -> with the concept of the three Vs?
437.01 -> Okay, just a few, so we'll do a quick recap on that.
439.59 -> This is volume, variety, and velocity of your data.
442.83 -> And those increase over time, especially in the cloud,
445.77 -> where you continually onboard new use cases, right?
450.21 -> And you're constantly growing your data volumes.
452.28 -> You're constantly getting a shift
453.9 -> of the variety of data based upon those new use cases.
456.54 -> And it's coming in an ever faster pace
458.97 -> because of what, right?
461.28 -> The presence of mobile technology as well.
465.3 -> So this is a challenge for us with compliance
468.24 -> because the landscape shifts for us in flight.
474.06 -> Second, everyone who uses our cloud computing resources
477.75 -> at our organization has differing cloud skillsets.
480.21 -> I was talking with some of you in the audience,
482.31 -> some of you are just getting started
483.36 -> with your compliance journey.
484.59 -> Some of you are cybersecurity experts,
486.84 -> some of you, this is your bread and butter,
488.88 -> this is what you do every day.
490.35 -> And so how do you make sure that you are standing
493.26 -> on the shoulders of giants and that is the focus
495.48 -> for everybody within your organization?
497.28 -> Well, the answer is to automate.
500.37 -> That's how you can ensure it entirely, right?
502.8 -> So we're gonna talk a lot about that.
506.04 -> Next is global distribution.
507.87 -> I was talking with some of you also
509.64 -> about you going into new markets
511.44 -> and entering different places where regulation standards
514.38 -> are totally different than you have today.
516.24 -> So global distribution is another key challenge
518.88 -> when it comes to compliance.
521.25 -> The rate of innovation.
522.84 -> That's another place where things can get a little tricky,
526.14 -> especially when you're developing new use cases.
528.45 -> And you have to be able to manage those as they come along.
533.22 -> And then there's dynamic compliance needs, right?
536.49 -> So things change over time and we end up developing
540.27 -> new strategies or innovating around different solutions.
543.57 -> And we need to be able to have dynamic compliance needs
547.17 -> that we can change over time, too.
550.56 -> And then choosing the right tools.
551.85 -> This is the last one that I'm gonna unpack
553.32 -> a lot during our session today.
554.97 -> That's what I'm gonna be talking about with you
557.19 -> is which tools should you use on AWS for compliance?
562.2 -> Because there's a lot, right?
564 -> This is a lot of tooling to have for security,
566.73 -> governance, and compliance, right?
569.31 -> Just the sheer list of this,
571.62 -> I can see why it's challenging
572.88 -> for people that are just getting started.
574.2 -> And so I wanna kind of streamline through some of that
576.99 -> and really bring up with you what can create
580.17 -> an effective strategy on AWS and what that consists of
583.35 -> based upon our own learnings here
585.24 -> as we've created these services.
588.81 -> Okay.
590.46 -> Let me have a sip of water,
591.63 -> and then we're gonna talk about mental models.
600.45 -> Okay, so this is a foundation
603.21 -> that I talked about before for our house, right?
605.16 -> So let's dig in and talk about our needs
607.92 -> when thinking about compliance and governance controls.
611.28 -> To be successful in reaching these types of goals
614.37 -> and avoiding those egregious fines I talked about earlier,
617.07 -> we must first have an overall understanding
619.08 -> of what's in scope for us to demonstrate versus AWS.
622.2 -> So we need mental models, right?
623.79 -> To understand that.
625.14 -> We also need to make sure
627.57 -> that we have a plan for risk management.
629.04 -> How are we doing that?
630.09 -> That's another mental model right there.
631.89 -> We'll talk about what that is.
633.06 -> And lastly, we need the support of tooling
635.88 -> to really break out automation,
638.25 -> monitoring, and evidencing on AWS, right?
641.13 -> Those are the three things that are really key
643.11 -> to understand for governance and compliance.
645.81 -> So I know a lot of you are familiar
649.8 -> with some of the AWS tooling concepts
652.41 -> and some of these mental models,
653.43 -> but for those of you who aren't,
654.63 -> I'm gonna quickly go through what this is.
656.82 -> What you're looking at right here
658.2 -> is the shared responsibility model on AWS.
661.26 -> And so in the olden days,
664.8 -> when we had bare metal servers in rooms,
668.46 -> we were in charge of everything that you see on this slide.
671.82 -> There was no orange and blue distinction.
674.61 -> There was no above the line and below the line.
676.98 -> With AWS now and the emergence of cloud computing,
679.95 -> now all of a sudden, AWS has to maintain
682.86 -> its compliance posture of resources as well, right?
685.65 -> We have third party attestations,
687.93 -> we have certifications,
689.25 -> we have things that we can expose to you,
690.48 -> and I'll talk about what tooling
691.62 -> we expose that to you in just a moment.
693.93 -> But there's above the line and below the line.
696.09 -> And that really comes down to the types
697.83 -> of tools that you're using as well.
699.87 -> So there's also a distinction between serverless
702.36 -> or if you're running self-managed EC2,
705.39 -> where you have to do patch updates and things like that
709.47 -> versus something serverless,
710.85 -> where the service team is going to do that
712.56 -> for you on your behalf, right?
714.36 -> But that's all published as well.
715.89 -> And I'll talk a little bit about that,
717.18 -> where you can find those resources in AWS Artifact.
721.2 -> But ultimately, what you need to understand
723.21 -> is that you're responsible for the things in the blue,
725.46 -> and AWS is responsible for the things in the orange.
730.56 -> We also have a white paper on that too,
732.15 -> if you want further dirty detail on it.
734.64 -> We don't have time to go
735.69 -> into the depths of it for this talk.
738.84 -> Next, I'm gonna build this out in advance
741.33 -> so I can talk about it really quickly,
742.62 -> because we have some people
743.453 -> that are already familiar with this in the room.
745.53 -> But ultimately, what you need to understand
747.21 -> is that the Well-Architected Framework is how AWS
749.76 -> visualizes properly built architectures on AWS.
752.46 -> This is like what we have learned internally
754.71 -> watching customers over and over again
756.81 -> build software applications.
758.25 -> These key principles are what are essential
761.04 -> to build proper, healthy, functioning
764.01 -> software apps in the cloud, okay?
765.96 -> So the first of which is the operational excellence pillar.
769.44 -> This is focusing on running your systems and monitoring them
773.16 -> and continually evolving processes at your organization.
777.54 -> And that's something that we're gonna talk about
778.95 -> in terms of continuous compliance, right?
782.01 -> So operational excellence is definitely a key part
784.62 -> of how we think about compliance in the cloud.
787.11 -> Security.
788.28 -> I feel like I don't even need to explain that.
789.81 -> Obviously, that is a very important focus
792.03 -> when we're talking about
794.07 -> defining our cloud operations in general,
796.56 -> who has access to what resources, right?
799.8 -> That's something that we'll unpack a bit in a minute.
802.77 -> And then next would be reliability, right?
805.11 -> We want reliable architectures.
807.15 -> We want to make sure that we're meeting our SLAs.
809.34 -> And when you start encrypting things,
811.41 -> yeah, there's a little bit of an impact
812.76 -> right there to performance.
813.75 -> So it's something that we need to think about and plan out
815.7 -> ahead of time to understand how reliably
818.19 -> we've architected things.
819.87 -> And then performance efficiency, right?
821.52 -> So how efficient are we in our performance?
824.88 -> Are we getting the bang for our buck
826.26 -> on these cloud resources?
827.52 -> Which brings us to our next point, cost optimization.
830.22 -> And there's a healthy tension between those two pillars.
833.13 -> Lastly, sustainability is something AWS introduced
835.29 -> this past year to focus on our carbon footprint.
837.6 -> It's just something good to know about
838.77 -> that we're thinking more about this now as well,
841.38 -> because it is an important thing
845.54 -> to note during our climate crisis here.
848.25 -> Okay, so now that we've talked about
850.95 -> how AWS thinks about things, let's talk about,
853.17 -> and I was having a conversation
854.52 -> just in the beginning about this.
856.26 -> Let's talk about how the auditor thinks about things, right?
858.48 -> So this is the three lines model, okay?
860.79 -> And this is the standard that's presented
862.41 -> by the Institute of Internal Auditors.
864.36 -> And what this standard does is it establishes
868.77 -> three different lines of defense
870.21 -> for an organization to have strong governance.
873.18 -> So this is how the auditor sees you
875.13 -> if you have strong governance.
882.18 -> Okay, so the first line of defense
884.49 -> is where you are going to manage risk.
886.77 -> This is where you identify the controls
888.78 -> that will help you mitigate risk.
891.3 -> Services like AWS Config, which I'm gonna show you.
893.76 -> I'm gonna show you some screen grabs of it in console,
895.98 -> and you can see a lot of the nitty gritty about it.
899.07 -> But services like AWS Config, AWS Control Tower,
902.61 -> Backup, AWS Systems Manager, and AWS CloudTrail,
906.9 -> which is basically our audit log service.
910.11 -> These are going to help you
912 -> to ensure that you can manage risk, right?
914.43 -> Which is that first line of defense.
916.29 -> The second line of defense is going to talk about
918.72 -> having visibility into your risk.
919.98 -> So that's that monitoring piece, right?
922.59 -> And basically, what that line of defense imparts
926.13 -> is that you need to have a way of having this visibility.
929.67 -> And having a place where you can oversee this risk.
932.58 -> This is what's gonna inform your process
934.35 -> for mitigating any sort of non-compliant issues.
938.16 -> And services like Security Hub and AWS Config
940.86 -> have features that allow you to do that
942.3 -> in the second line of defense.
943.56 -> And what's really cool about them too is they also,
946.23 -> when things get flagged,
947.1 -> you can auto remediate non-compliant resources.
950.52 -> You can see that across multiple accounts,
952.98 -> and it's a really nice feature
955.13 -> of doing that automation step,
956.82 -> but also having that monitor piece as well.
960.12 -> And you'll see what that looks like in console today.
963.09 -> All right, the third line of defense
964.74 -> is where you provide assurance of your risk.
967.23 -> So this is where our auditor comes in.
970.53 -> This is the orange-ish box there
973.92 -> on the far right of the screen.
977.07 -> And so this is where you're going
978.78 -> to have that validation step
981.09 -> that you are HIPAA compliant, for example.
983.64 -> And for this, you need services like Audit Manager
986.52 -> and CloudTrail in order to help you with that.
991.788 -> Okay, so now that we understand the mental models,
993.99 -> we have the foundation to our compliance house,
996.42 -> we're gonna discuss AWS services that help you automate,
999.45 -> monitor, and evidence your compliance needs.
1003.71 -> So how many of you have heard of or used Control Tower?
1008.39 -> Great, this is a healthy show of hands.
1010.28 -> That makes me happy.
1011.3 -> For the recording, that was about 50% of the folks.
1014.24 -> So if you're just getting started,
1016.94 -> and some of you are, as I know,
1019.28 -> in building out your AWS multi-account strategy,
1022.16 -> I highly recommend the use of AWS Control Tower.
1024.56 -> This is a great tool for setting up governance
1026.27 -> in a dynamic multi-account cloud environment.
1029.72 -> What Control Tower provides is a way to set up
1033.62 -> landing zones that make use of AWS Organizations.
1036.26 -> And AWS Organizations is great
1037.91 -> in that they really pair nicely with the hierarchy
1040.52 -> that already exists within your company.
1042.77 -> So that way, you can start thinking about
1044.39 -> who does what where in terms of deploying resources
1048.02 -> and how do you do that.
1049.07 -> Well, with things called SCPs,
1050.42 -> which are service control policies.
1052.07 -> How many of you have set up an SCP before?
1055.34 -> Hey, this is great.
1056.69 -> That was about 40% of the hands.
1058.88 -> So automation is really key
1060.53 -> when you're growing your cloud usage, as you know.
1063.59 -> And so using tools like this allow you
1066.29 -> to really kind of do things
1068 -> in a less manual and painful sense.
1069.86 -> And so I highly recommend Control Tower,
1072.29 -> if you haven't given it a look before.
1074.84 -> You can also detect violations through AWS Config rules
1079.04 -> in addition to this piece on Control Tower.
1081.62 -> And so basically kind of starting
1084.95 -> to get towards that compliance-as-code mentality,
1087.74 -> where it's not just infrastructure as code,
1089.72 -> but now we're starting to enforce what resources
1091.91 -> that we're launching from a continuous mindset, right?
1096.23 -> With just some code snippets
1098.6 -> that can easily be version controlled
1100.01 -> and shared throughout our organization.
1102.076 -> So that's a really nice pattern
1105.17 -> to have in your architecture on AWS.
1108.89 -> Then there's two types of controls that we ultimately need.
1111.35 -> So we need to be able to prevent
1112.91 -> compliance issues from happening,
1114.65 -> and then we also need to be able to detect
1116.66 -> those issues once they occur.
1119.12 -> So this is preventative controls versus detective controls.
1122.54 -> And so let's talk a little bit
1124.64 -> about those types of controls now.
1129.59 -> Okay, ways to manage, ways to provision,
1133.34 -> and ways to assure to auditors
1135.56 -> that you are compliant, right?
1137.15 -> These are kind of the in-a-nutshell tools
1139.43 -> that I think map to those different causes.
1141.59 -> And I'm gonna go ahead and talk through each of those.
1147.95 -> So we already kind of chatted
1149.12 -> about AWS Organizations and Control Tower,
1152.75 -> but ultimately, on this management layer,
1155.54 -> what you want to do is control who's doing what
1158.42 -> and what happens in your environment.
1160.13 -> So an example of this that I talked about
1162.26 -> on the previous slide was SCPs
1164.3 -> for your organizations, right?
1165.8 -> And this lets you restrict a user from being able to perform
1168.5 -> actions that don't coincide with your compliance standards.
1171.5 -> So you can also extend that functionality.
1174.17 -> I talked with somebody who is interested
1175.37 -> in fine grain access controls.
1176.9 -> You can extend that functionality
1178.1 -> with tools like IAM, right?
1179.9 -> which is the AWS Identity and Access Management service.
1185.75 -> So this allows you to restrict a user
1187.73 -> from being able to perform actions
1189.17 -> that don't really coincide with your compliance standards.
1192.77 -> And you can also extend the functionality of IAM policies
1196.25 -> as well to set those controls at the individual
1199.55 -> permission level on your cloud infrastructure,
1202.85 -> which I find particularly handy
1204.77 -> and a good thing to know about
1206.39 -> if you're just getting started.
1208.85 -> In terms of provisioning,
1210.17 -> this is how things are gonna get created.
1212.06 -> So there's a number of different ways of going about this.
1214.13 -> I'm sure many of you are familiar with AWS CloudFormation.
1217.4 -> And some of you might come from a background
1220.94 -> where you use Terraform.
1221.773 -> How many Terraform users do we have?
1224.84 -> Okay, good.
1225.673 -> I'm glad I included a little discussion
1227.84 -> on OPA then as well.
1230.18 -> Wow, that was really healthy showing of hands.
1232.13 -> How many of you use CloudFormation?
1235.01 -> Okay, also a healthy showing of hands.
1236.93 -> How many of you use both?
1239.54 -> Yeah, and that's what I would expect.
1241.7 -> It seems like people kind of use one or the other,
1245.12 -> but a huge chunk of customers use both.
1248.84 -> So provisioning is how we're gonna create things, right?
1250.85 -> And there are good tools for this within the context
1253.4 -> of CloudFormation and Terraform,
1255.08 -> which support us to standardize an approach
1257.48 -> for provisioning our infrastructure
1259.49 -> throughout our organization.
1260.84 -> But with compliance, once you do all of that,
1264.56 -> once you get all of that set up,
1265.85 -> you've got those management tools,
1266.99 -> you've got the provisioning tools.
1268.49 -> Well, now, how do we evaluate our evidence
1271.34 -> that we have these in play?
1272.99 -> And that's where tooling like CloudFormation Guard
1277.1 -> and Open Policy Agent can really help us out.
1279.32 -> CloudFormation Guard, specifically,
1281.57 -> I'll show an architectural diagram
1283.49 -> as well as a code snippet here
1285.89 -> that I'm gonna talk through with you,
1287.72 -> but it can be really handy to implement rules.
1295.28 -> An example of a rule here that you see on the screen
1297.65 -> is for EBS volumes.
1299.33 -> So in this case, we need to see rules
1301.4 -> that ensure that our volumes are encrypted.
1303.53 -> Very common thing amongst a lot
1305.3 -> of different compliance postures and standards.
1308.24 -> And so we can ensure that they're encrypted,
1311.99 -> and we can also require them to be only GP2 or GP3.
1315.71 -> GP3 is more cost performant, by the way.
1318.11 -> So if you are still on GP2 instances,
1319.94 -> I urge you to shift to GP3,
1322.04 -> but this is not an EBS volume talk, so I will move on.
1325.55 -> And then that they're only launched
1326.93 -> in the two regions we have listed there.
1328.85 -> So for a volume to be defined in a CloudFormation script,
1333.59 -> it will have to meet these requirements
1335.84 -> to even take off, to pass, and to build.
1338.57 -> So let's take a look at what the architecture
1340.76 -> is all about for this.
1341.72 -> So how do you use AWS CloudFormation Guard,
1346.4 -> and what does it look like?
1347.96 -> So you start with that CloudFormation template
1350.06 -> or Terraform or whatever.
1352.37 -> And then you're gonna be using some CICD pipeline,
1356.39 -> whether that's Jenkins, or in the example here,
1359.06 -> I have code pipeline, but whatever that might be, okay?
1362.51 -> And so you're going to,
1365 -> once that merge is gonna be detected
1367.16 -> in a specific branch of your repo,
1369.08 -> what's gonna happen next is that it's gonna run CodeBuild.
1374.147 -> And CodeBuild runs the CloudFormation Guard tool
1377.54 -> against the template that you just tried to launch
1380.36 -> with the rules that you defined already for compliance.
1383.12 -> So once the run is completed,
1384.74 -> then it's gonna pass or fail as you see here.
1388.04 -> And so if it does pass,
1389.48 -> then it's gonna fail with an error.
1391.46 -> And then if it passes, it can pass it on to the next step
1394.79 -> for those desired resources in the infrastructure
1398.12 -> with the rules, conditions for compliance to be met.
1401.06 -> What I like about this is this is a really simple
1402.98 -> architecture that allows you to deploy
1405.08 -> a preventative control on AWS.
1407.6 -> So this is kind of one of the first architectures
1409.37 -> I'd like to point out as a way of doing
1411.29 -> preventative controls in a pretty easy and streamlined way.
1416.96 -> All right, more preventative control.
1418.52 -> So this AWS Config is really an amazing tool
1422.12 -> for governance and compliance.
1423.89 -> If you need to know about governance and compliance on AWS,
1426.65 -> I would highly recommend you dig into AWS Config.
1429.11 -> And I'm gonna be explaining a bit about it right now.
1431.99 -> It helps us to track changes to our configurations,
1435.05 -> evaluate the compliance of our resources,
1437.24 -> and visualize this across multiple accounts
1439.82 -> in multiple regions, in one single pane of glass view.
1443.06 -> You can also actually use SQL queries as well
1446.15 -> to get more insights on the data in AWS Config.
1449.27 -> And we're gonna talk about what that AWS Config data
1451.91 -> consists of right now and what AWS Config looks like
1455.6 -> really from the AWS mindset, right?
1457.73 -> Like how we see AWS Config.
1460.04 -> So the very core,
1461.33 -> which you see on the bottom of the screen here,
1463.04 -> you have an AWS Config recording, right?
1465.71 -> This is really the core primitive of not only AWS Config,
1470.09 -> but of many different services on AWS,
1472.37 -> including the ones that you see at the top of this diagram.
1474.59 -> So AWS Security Hub controls, AWS Backup policies,
1478.73 -> AWS Control Tower guardrails,
1480.14 -> all those things we talked about that you've already used.
1482.81 -> And then AWS Audit Manager resource assessments,
1485.33 -> conformance packs, which I will talk a little bit more about
1488.03 -> and actually give you a direct QR code, which you can scan
1491.9 -> to check out conformance packs, they're super handy.
1494.93 -> And then AWS Firewall Manager rules.
1497.63 -> So let's talk about how this is built.
1499.13 -> Well, a config recording is under the hood
1504.89 -> the way that we track changes to configuration items.
1507.56 -> Anytime you create or update a resource in your environment,
1510.62 -> we create a configuration item,
1512.447 -> and we deliver it to an S3 bucket.
1514.46 -> That's what a Config recording is, okay?
1516.5 -> And so then you can see how resources
1518.15 -> are gonna change over time.
1519.41 -> You can also use third party resources
1522.95 -> with custom configured recordings as well.
1524.99 -> So this is kind of nice too,
1527.12 -> because you can take those third party resources,
1529.79 -> and it allows you to track resources
1531.68 -> that might reside elsewhere, like on-premises, for example,
1535.19 -> because not everybody is 100%
1536.75 -> on the cloud or cloud native today.
1538.34 -> So this is a nice way of kind of having
1540.47 -> a hybrid solution to track those changes.
1548.18 -> And then config rules are the way that we're gonna evaluate
1551.27 -> every single resource for compliance.
1554.3 -> They're basically managed policies.
1556.28 -> From the compliance terminology perspective,
1558.5 -> this is just a managed policy,
1560.63 -> and these are rules that you want
1562.61 -> your resources to ultimately adhere to.
1564.56 -> Config rules are the way that we're gonna implement that.
1567.32 -> And there's different types, as you see on the screen here.
1569.36 -> There's managed, there's custom,
1571.49 -> there's change triggered, and there's periodic.
1573.62 -> So a managed config rule, right?
1576.47 -> Would be the example that I brought up earlier
1578.03 -> with CloudFormation Guard of those EBS volumes, right?
1580.58 -> So we detect a change,
1582.83 -> the resource is either encrypted or not encrypted.
1586.07 -> It needs to be encrypted based upon our rule set.
1588.44 -> That's a managed policy.
1590.3 -> A custom policy would be where you want to deploy
1593.18 -> something outside of that.
1595.7 -> An example of this would just be
1599.57 -> to generate a custom configuration item.
1603.08 -> And then another set of options
1607.34 -> is change triggered or periodic.
1609.08 -> So change triggered would be if a resource is changed,
1611.6 -> and periodic comes in from the auditor lens,
1613.67 -> where we are looking to show compliance
1616.94 -> within a certain time period within the epic,
1619.1 -> like 24 hours or what have you.
1622.16 -> What I really like at the end of the day about AWS Config
1624.5 -> is the ability to auto remediate non-compliant resources.
1629.48 -> That is where that automation step comes in.
1631.79 -> And I'm gonna show you what that looks like in console.
1634.1 -> How many of you have already played around with AWS Config?
1637.73 -> Okay, yeah, that was maybe 20% of hands.
1640.88 -> So not as many people.
1643.25 -> And I think this is really handy for you
1645.86 -> to be able to focus on compliance from a mindset
1653.27 -> of where you're trying to automate
1655.19 -> what really matters in your AWS accounts.
1657.56 -> And another thing to kind of mention about this
1661.13 -> is billing is also impacted with this core
1665.99 -> primitive of the AWS Config recording.
1667.85 -> So some of you who have already played around
1669.23 -> with AWS Config probably know that what shows up
1671.54 -> on your bill, if you're using these other services up here,
1674.24 -> is actually that config recording piece
1676.28 -> rather than the names of those services.
1679.13 -> And that's because that's where the magic actually is.
1682.73 -> Okay.
1687.47 -> So again, the big takeaway here
1689.15 -> is that AWS Config recordings really underpin
1691.19 -> a lot of the AWS tooling around governance and compliance.
1695.9 -> So you might be asking yourself,
1696.733 -> "Okay, well, then why do we need other tooling?
1698.78 -> Why are there so many logos on that page?"
1701.99 -> That I showed you earlier.
1702.86 -> Well, I will kind of unpack some of that.
1704.45 -> That's where the monitoring
1705.89 -> and evidencing pieces come in, right?
1707.63 -> And then different ways that we need to do that.
1710.96 -> And then I'll also talk a little bit
1712.22 -> about conformance packs as well as a really easy way
1715.22 -> to automate configuration in the cloud.
1719.39 -> Okay, so let's talk about
1720.47 -> what it looks like in your console.
1722.96 -> All right, so you can see here
1725.99 -> that when you need to set up,
1730.46 -> or when you need to detect a compliance issue,
1732.5 -> you'll see that your resources are indicated
1735.02 -> as either compliant or non-compliant.
1737.21 -> So that's just under the compliance pin over there.
1739.91 -> It's detected for S3 buckets public access, right?
1743.63 -> It's detected 11 non-compliant resources there.
1747.2 -> And you'll also note the remediation
1749.57 -> action panel on this screen, okay?
1752.66 -> So there's not one that's set,
1753.83 -> but you can set up a remediation action,
1755.81 -> so that you don't have to go to all 11 buckets
1758.48 -> in whatever accounts they might reside
1760.49 -> and fix that manually, which is nice.
1763.31 -> So you can kind of automate this.
1764.69 -> It's less error prone, it's less manual.
1767.51 -> This is the part that I really like about AWS Config.
1771.38 -> Also, just to note that where that hyphen is,
1775.04 -> those resources haven't been launched.
1777.26 -> The next thing we talked about
1778.16 -> was the conformance pack bit on the previous slide, right?
1780.29 -> And so what is that?
1781.82 -> Well, you can see on this screenshot here,
1783.89 -> it says conformance pack.
1785.06 -> So all of these rules were managed from a conformance pack.
1788.39 -> And what is a conformance pack?
1790.88 -> Well, it's just a collection of rules.
1793.37 -> That's all it is.
1794.75 -> So a use case example of this would be to deploy
1797.36 -> a hundred rules into multiple accounts.
1799.7 -> So you go to account one, and then you have to deploy
1804.17 -> all those hundred rules.
1805.43 -> Then you go to account two and you have to deploy
1807.8 -> all those hundred rules, and three, and so on.
1810.14 -> And this is tedious at best and error prone at worst.
1813.98 -> And so what a conformance pack does for you
1816.86 -> is really to help you have a single
1820.19 -> honorable entity that you can use, right?
1823.91 -> And then this makes it a lot easier
1825.65 -> to apply things for an entire organization,
1828.05 -> which is probably what you're doing
1829.28 -> in managing the governance and compliance posture
1831.68 -> on AWS for your company, right?
1833.657 -> And so this is just a simple one way,
1836.54 -> one click way to deploy this.
1839.09 -> Okay.
1841.01 -> Also important to note is that
1842.93 -> all of these rules are immutable.
1844.58 -> So once they're deployed, you can ensure that a user
1847.04 -> doesn't accidentally delete them,
1848.66 -> which is really important.
1849.5 -> We want these rules to be immutable.
1852.11 -> And there are many different types
1853.55 -> of conformance packs that we have.
1855.26 -> We even have them actually
1856.4 -> for operational best practices for S3.
1859.04 -> And this is an area where I see my customers
1861.2 -> get wrapped around the axle.
1862.16 -> They throw everything into S3 standard, right?
1864.424 -> They don't actually understand their access patterns.
1867.77 -> And so they don't use things like intelligent tiering
1870.26 -> to understand those access patterns
1871.43 -> and then write those S3 policies
1873.35 -> to transition them into archival types,
1875.75 -> which can save tons of money for you, right?
1877.847 -> And so that kind of goes back
1879.26 -> to those well-architected principles we talked about,
1881.51 -> where things sort of interrelate here, right?
1883.64 -> How do we do things from the mindset
1885.56 -> of also being cost optimized and efficient
1887.96 -> with the resources that we're utilizing?
1890.879 -> Okay, and then next,
1892.4 -> you can also simplify your reporting step,
1896.27 -> and you can do so by getting the status of an entire pack.
1898.94 -> So you can do this manually, but it would be really tedious.
1901.67 -> Conformance packs allow you to just get the status
1903.47 -> of everything around these resources just directly.
1907.28 -> And there's lots of sample conformance packs,
1909.29 -> which can give you an idea of how to map controls
1912.98 -> to AWS Config rules as we went over on the previous slides
1916.52 -> and guidance around each of those controls.
1918.38 -> So this is a really nice AWS declarative way to do things
1922.4 -> based upon our understanding of compliance posture,
1924.47 -> and how we're assuring it ourselves.
1926.15 -> So that's not to say, "Okay, now you go
1928.82 -> and you use this conformance pack and you're compliant."
1931.34 -> There's a lot more to compliance than that,
1933.47 -> but at least this makes the cloud journey
1935.6 -> of compliance a bit easier.
1937.52 -> So I like to bring it up for folks.
1940.7 -> And then the QR code on the screen,
1943.97 -> just to point that out to you, is for operational
1946.25 -> best practices for HIPAA security, for example,
1949.16 -> so already here is a conformance pack
1951.38 -> that applies directly to HIPAA as a compliance standard.
1955.07 -> And so you can see how these can be handy.
1956.81 -> We have them for several different industries.
1959.09 -> And so please check out conformance packs
1961.52 -> that it'll save you a lot of time and headache.
1964.1 -> I guess I should ask,
1965.03 -> how many people have used them already?
1968.69 -> Oh, okay.
1969.523 -> Like maybe less than 10 hands.
1971.12 -> All right, so glad we discussed that,
1972.71 -> and hopefully it's something you can check out.
1976.22 -> Okay.
1980.99 -> So we talked about config rules,
1983.24 -> and we talked about conformance packs
1984.95 -> and how they help us to implement detective controls.
1988.91 -> And so config rules, as you'll recall,
1991.46 -> after the resources are created in our environment,
1993.59 -> we are checking to ensure that they're provisioned
1995.63 -> against our desired rules.
1998.06 -> And with conformance packs,
1999.41 -> what we're seeing is that customers are deploying
2001.21 -> conformance packs that are being used against those
2003.85 -> operational best practices for compliance regimes,
2006.01 -> like I talked about.
2007.15 -> So just think of them as one step further
2008.83 -> than a service like Security Hub.
2011.2 -> They're a little bit more flexible and are meant to extend
2013.57 -> what was prescribed in Security Hub.
2016.54 -> They're a bit more hybrid.
2017.83 -> They're that declarative guidance for you from AWS.
2022.57 -> And AWS Config is the core to compliance.
2025.6 -> And again, that's just the big takeaway here.
2028.21 -> So hopefully, you're seeing that that slide
2030.13 -> in the beginning with all those tools
2031.45 -> has become a little bit more simplified and demystified.
2035.539 -> Okay, AWS Systems Manager.
2037.96 -> We call this Operations Hub.
2039.55 -> This allows you to group resources
2040.84 -> and visualize data on the resources, how they're running.
2043.42 -> And lastly, how to take action
2045.01 -> on the resources that are performing.
2047.32 -> One feature that I'd like to call out is Quick Setup.
2050.56 -> This is a great way to perform configuration actions.
2053.71 -> And one of those is through AWS Config.
2056.89 -> Has anybody done that?
2059.89 -> No?
2060.723 -> Okay, no hands.
2061.63 -> Well, you can do that.
2063.64 -> And if you have a large environment to deploy AWS Config in
2067.78 -> and you aren't already using Control Tower,
2069.43 -> then you could potentially use quick setup
2071.89 -> to apply a configuration recording.
2074.29 -> And you can also do quick setup
2077.14 -> for conformance packs too, like I said.
2080.92 -> So really, this is a good way for you to write out
2083.23 -> the remediation actions that you'd like to take place.
2085.57 -> For example, an S3 bucket that is unencrypted
2088.06 -> but should be encrypted.
2089.35 -> So with the automation feature of Systems Manager,
2091.75 -> you can write API actions that you want to use
2094.99 -> to fix those non-compliant resources.
2096.4 -> And I think that's kind of like the end point
2097.93 -> we all wanna get into is just being able
2099.97 -> to have an API action to manage this stuff,
2102.85 -> rather than deal with it all painfully and manually.
2106.57 -> So this is a good way of doing that.
2108.7 -> Another couple features worth mentioning
2110.23 -> would be run command and inventory patch manager.
2113.08 -> They do a lot of what they sound like,
2114.76 -> run command you'd use against large amounts of EC2 resources
2117.73 -> to ensure that you're setting them in a compliant way.
2121.39 -> You can write a document to automate this at scale as well.
2124.57 -> And then inventory and patch management,
2126.79 -> that sounds exactly like what it is.
2128.14 -> It can be used for patching
2129.16 -> and networking configurations as well.
2133.51 -> Okay, CloudTrail, a very, very important tool
2137.71 -> in managing risk because it is our managed
2140.92 -> audit trail platform, right?
2142.48 -> That's literally what it is.
2143.5 -> It's for audit trails.
2145.06 -> It creates a trail at every single action
2147.31 -> logging into the console,
2148.36 -> CLI actions, API actions, et cetera.
2151.69 -> And if I asked you how many of you were using Control Tower,
2155.23 -> I would expect 100% of the hands
2157.15 -> to go up into the air, why?
2158.98 -> Because it's enabled by default.
2160.3 -> That's how important AWS thinks it is.
2162.4 -> It's enabled by default for 90 days.
2164.95 -> So there's two types of trails you can configure.
2168.22 -> A management trail and a data events trail.
2170.8 -> Management is for the creation and updating of a resource.
2174.28 -> And then for data events,
2175.57 -> this is gonna be operations within that resource.
2177.88 -> So something like an S3 read or an S3 write.
2181.36 -> And many compliance frameworks require
2183.58 -> the ability to track operations on these files.
2186.52 -> And audit trail of data helps us do that.
2190 -> So that's why control, or pardon me,
2192.22 -> that is why CloudTrail can be really helpful.
2196.69 -> All right, let's talk a wee bit about Security Hub.
2201.91 -> So this is where you're gonna get a comprehensive view
2204.37 -> of security alerts and your security posture
2207.76 -> across all of your security accounts and regions.
2211.48 -> The state is gonna get collected from different AWS services
2214.51 -> like Amazon Macie, Amazon Inspector and GuardDuty,
2218.56 -> and you can also have partner solutions there as well
2221.86 -> that take actions on those findings.
2223.75 -> A lot of my customers in the highly regulated healthcare
2226.81 -> and life sciences industries do rely
2229.3 -> on those partner functions.
2231.34 -> And this allows you to have a clear overview
2232.56 -> of your security posture
2233.71 -> across your whole entire organization.
2238.57 -> Okay.
2240.46 -> All right, so we've talked about the tools.
2242.89 -> Where are we at in the journey?
2244.42 -> Now, we need to talk about
2245.253 -> how to get ready for an audit, right?
2250.15 -> So some tooling that can help you with the audit step,
2253.96 -> AWS Audit Manager.
2254.83 -> This is gonna help you evidence your needs.
2257.95 -> When an audit comes up,
2259.39 -> it allows you to collect necessary information for an audit.
2263.26 -> And there are frameworks which are control sets
2265.9 -> for different compliance regimes
2267.58 -> like HIPAA, HITRUST, et cetera.
2269.56 -> And these control sets are going to automatically collect
2272.47 -> information using Security Hub, CloudTrail and AWS Config.
2276.1 -> There might also be some manual components as well
2279.22 -> that you need to collect because not everything
2281.23 -> is gonna be in the cloud, right?
2282.61 -> You're gonna have physical security needs as well
2285.55 -> to document for the auditor.
2287.38 -> For example, do you have a security guard outside?
2290.83 -> Those types of things can be requirements
2292.45 -> for certain compliance standards.
2294.43 -> So just note that that's something that you can also
2297.13 -> ensure is in one single location through audit manager,
2300.7 -> which is nice.
2301.93 -> And this is kind of that push to auditor solution.
2305.83 -> So you can actually manage towards the audits
2309.34 -> by everything getting delivered as a PDF in S3.
2313.39 -> And so then that's what gets pushed to the auditor.
2315.82 -> Whether or not the auditor likes that
2317.86 -> is between you and the auditor.
2320.17 -> I understand that some auditors do not like
2322.69 -> any automated tooling being involved
2324.97 -> in the process whatsoever, but this is a really nice way
2327.46 -> for you to be able to post that
2330.07 -> for the auditor to observe and check off on.
2334.15 -> So this tool really helps you in the third line of defense,
2336.49 -> which is that assurance of risk management piece.
2340.3 -> And so now, we've kind of completed the whole bit
2343.48 -> of the three lines of defense model, right?
2345.31 -> We have all the tooling for each of those lines of defense,
2349.24 -> and this is how we see the important relevant tools in AWS
2353.68 -> to ensure that you are thinking
2354.91 -> about things the way an auditor
2356.29 -> really wants you to be thinking about them.
2360.31 -> Okay, now next is AWS Artifact.
2364.689 -> AWS Artifact is another tool that you can use,
2367.39 -> and this is our self-service compliance portal
2370.24 -> where you can obtain AWS reports.
2373.48 -> This is where you can find agreements such as the BAA.
2376.84 -> Are you familiar with BAAs in the crowd?
2379.54 -> Yes, only a couple of people, okay.
2381.61 -> So that's just the business associate addendum.
2384.01 -> You need to sign a BAA for certain compliance steps,
2387.7 -> and then NDA as well is hosted there.
2391.03 -> And so you can review and sign all of those agreements,
2393.82 -> but also, you can monitor,
2395.29 -> remember the shared responsibility model?
2397.63 -> There's a reason why I went over that.
2399.04 -> So you can actually monitor the security
2402.64 -> and compliance posture of AWS within this tool.
2405.28 -> You can download our Artifacts,
2407.02 -> our third party attestations,
2408.94 -> our certifications right there within the console,
2411.58 -> which I think is nice because everything is up to date.
2413.74 -> You don't have to go and like grab it
2415.03 -> or email your account manager and be like,
2416.987 -> "Hey dude, do you know where this is?
2420.52 -> Because I have a SOC2 report coming up,
2422.38 -> and it is in a very short while.
2424.63 -> So please get back to me quickly."
2427.03 -> No, you can just do that in the console.
2429.19 -> Okay, and then here on the screen,
2431.53 -> we have an example that I just pulled up from my console
2434.11 -> of the AWS HITRUST CSF certification letter.
2437.14 -> So this is just an example of some of the certifications
2439.51 -> that you can grab from us to be able to furnish
2442.21 -> those to your auditor and say,
2443.777 -> "Hey, AWS takes care of that part."
2450.34 -> Okay.
2451.173 -> Now we have made it to the crucial moment
2453.67 -> where we have Getting Started guidance to discuss.
2459.82 -> So we have a firm understanding of what tools
2463.36 -> are relevant for compliance and governance on AWS.
2466.27 -> Let's start about how do we build out
2467.95 -> these architectures, right?
2469.75 -> And we have a lot of resources for this
2472.09 -> to help you prepare for the next step after you've got
2474.76 -> kind of all these other preceding steps done.
2477.52 -> And so let's dig into this.
2480.94 -> First, and these are all QR codes,
2482.77 -> because whenever I attend a talk
2483.91 -> and then there's no way for me to get the links
2485.77 -> that they're talking about, I get really frustrated.
2487.21 -> So hopefully, this is helpful,
2488.277 -> 'cause you can just grab it
2489.55 -> and then you don't have to wait for the recording
2491.35 -> or the slides to get posted.
2493.36 -> So this one is actually for HIPAA.
2495.55 -> It is a quick start and reference architecture.
2497.89 -> And the quick start is for people
2499.42 -> in the healthcare industry or really life sciences industry
2504.22 -> where HIPAA is pertinent.
2507.25 -> And it includes a CloudFormation template,
2509.8 -> and that's automatically going to deploy
2511.39 -> the environment and configure AWS resources.
2514.24 -> Probably the most helpful element in this entire,
2517.99 -> once you go to the link in this entire thing,
2520.78 -> I find for my customers is the security controls matrix.
2523.81 -> And what that is it actually defines
2528.34 -> the architectural decisions, components,
2530.74 -> and configurations from a cloud perspective
2533.38 -> that map to the HIPAA security controls.
2536.23 -> So this is very useful so that you can actually see
2540.01 -> an entire grid of where AWS and where the compliance rules
2544.93 -> need to be set and how, right?
2546.67 -> So example would be like all S3 buckets are encrypted,
2551.47 -> no public read, things like that
2553.33 -> from an informed HIPAA perspective.
2555.94 -> So I often point customers to that,
2558.07 -> and it's especially helpful for folks
2559.84 -> that are just entering into a new compliance
2561.97 -> regulatory standard that they have to have
2563.98 -> so that they can get a sense
2564.97 -> and get their bearings on what that consists of.
2568.51 -> Okay.
2570.04 -> Also, just a quick note.
2571.33 -> I know I talked about this earlier.
2573.19 -> Just deploying a quick start
2574.33 -> is not going to ensure that you are compliant.
2576.28 -> You need to do the other steps
2577.27 -> that we discussed as well, right?
2578.86 -> To make sure that you are checking all of those boxes.
2584.47 -> HITRUST, okay,
2585.61 -> so this quick start deploys a model environment
2588.94 -> for AWS to have organizations that work
2594.64 -> with workloads that fall in the scope of HITRUST.
2597.79 -> And what HITRUST is is the health information
2600.25 -> trust alliance and common security framework.
2602.65 -> It's an architecture that maps out certain
2605.89 -> technical requirements to achieve HITRUST.
2608.2 -> And what I want to say too is that even though
2610.24 -> we have a lot of healthcare examples
2611.59 -> and life sciences examples,
2612.97 -> these exist also for other industries, right?
2615.07 -> So the really big takeaway here
2616.33 -> is that you can do quick starts,
2617.44 -> you can use conformance packs for other industries,
2619.9 -> and this fits really nicely into that continuous
2622.03 -> compliance goal that we're trying to achieve.
2624.37 -> So just know that these resources are available.
2627.04 -> But for those of you that are interested, right?
2630.25 -> This builds on core security principles, right?
2633.07 -> This builds on well-architected principles
2634.78 -> that we talked about.
2635.613 -> We want a highly available architecture.
2637.24 -> We want it to span two AZs.
2639.22 -> We want a management VPC.
2641.44 -> We want a production VPC.
2642.97 -> We want separate VPCs for important reasons, right?
2646.6 -> And we want to make sure that we have public and private
2649.21 -> subnets allocated accordingly in our own virtual network.
2652.57 -> So our networking is secure.
2654.34 -> We want also to ensure in the public segments
2659.05 -> that we have things like NAT gateways
2661.87 -> to manage the outbound internet access and traffic.
2665.8 -> In the management VPC, we want to have a Linux bastion host,
2669.13 -> an auto scaling group, an inbound SSH access
2672.94 -> to EC2, for example, in the private subnet.
2676.504 -> So these are all things that have mapped
2678.64 -> to various security controls.
2680.92 -> And so those are already able to be deployed
2684.25 -> within the quick start.
2685.083 -> So that's kind of the big takeaway here.
2688.18 -> And let's see, I wanna make sure
2690.1 -> that I kind of just summarize this
2691.84 -> based on the interest of time.
2695.62 -> You can see kind of a three tier web architecture here.
2698.53 -> Obviously, this is somewhat of a canned architecture,
2700.69 -> but for those of you who are just getting started,
2702.61 -> this can be really helpful because it gives you a sense
2705.01 -> of what good looks like and also how it maps
2707.05 -> to security controls.
2707.89 -> Like this is what you're going to build out
2709.96 -> to ensure that you're eligible
2712.12 -> for these various sorts of compliance regimes.
2716.74 -> Okay.
2720.61 -> Another thing to note too is AWS Config rules are here.
2723.94 -> No surprise there.
2724.84 -> And that's to monitor deployment configuration.
2728.5 -> Okay.
2734.05 -> GxP, this is definitely getting more public awareness,
2738.28 -> especially post pandemic.
2740.17 -> What is GxP?
2741.1 -> It is shorthand for good practice
2742.48 -> quality guidelines and regulations.
2744.22 -> This is a commonplace for production
2745.96 -> of biopharmaceutical products,
2748.15 -> which we had to do very quickly
2749.41 -> in the past couple of years and at scale.
2752.77 -> And so this is a standard that was recently published,
2756.16 -> or this is a blog post,
2757.75 -> the link here that was recently published to address this.
2761.68 -> The pace of product innovation in this industry
2764.26 -> is often really constrained by risk management, right?
2767.29 -> That's what really slows it down.
2768.7 -> And for a lot of industries, I'd say.
2770.35 -> So our goal here is really to enable innovation
2772.9 -> and streamline these processes to ensure that compliance
2775.66 -> is gonna be able to meet regulatory requirements.
2778.48 -> And so we have some best practices and recommendations,
2780.91 -> but ultimately, the goal here is really to minimize risks,
2784.21 -> reduce overall qualification timelines,
2787.24 -> provide point in time traceability,
2789.61 -> and ultimately get a faster product time to market.
2796.78 -> Okay, so customer story time.
2799.84 -> Now, you can put down your phones,
2801.34 -> 'cause there's no QR codes left in the presentation.
2805.48 -> Just kidding.
2806.53 -> There is still one more QR code.
2808.363 -> This is actually a customer example
2810.13 -> of threat detection at CrowdStrike.
2812.17 -> Did anybody see CrowdStrike's booth at the big expo hall?
2815.59 -> Yeah?
2816.423 -> And I'm sure based upon what you do in this room,
2819.19 -> and those of you who I talked to
2820.75 -> that you're familiar with what CrowdStrike builds,
2823.6 -> which is a threat detection platform, okay?
2825.64 -> So this is a pretty cool customer story
2827.62 -> about their Falcon product.
2829.96 -> And so what they did is they integrated
2831.94 -> an Amazon EventBridge and Falcon Horizon.
2835.48 -> And so CrowdStrike has developed a realtime
2838.33 -> cloud-based solution that allows you
2840.13 -> to detect threats in less than a second, okay?
2842.74 -> This solution uses CloudTrail,
2844.69 -> it uses EventBridge and CloudTrail,
2848.32 -> like we said before, right?
2849.49 -> That's our audit trail tool.
2852.4 -> And it's ultimately for the governance compliance
2855.73 -> and operational auditing piece
2857.44 -> and doing the risk auditing piece for CrowdStrike.
2861.359 -> EventBridge, how they use that is as a serverless event bus
2864.34 -> to make it easier to build
2865.3 -> event-driven applications at scale.
2867.25 -> And they maximize the advantage of the EDA,
2869.92 -> the event driven architecture by integrating
2872.2 -> with EventBridge as shown on this diagram here.
2876.82 -> And what EventBridge is doing is it's allowing
2878.95 -> observing CloudTrail logs and event streams.
2881.35 -> And so this also is gonna simplify
2882.82 -> log centralization as well in multiple accounts.
2887.74 -> So it's a direct source to target integration
2889.81 -> for all of those accounts.
2892.03 -> And within their customer accounts,
2894.19 -> EventBridge, what it's going to do
2895.45 -> is those rules are going to listen for the local CloudTrail
2899.05 -> and stream each activity as a centralized
2902.08 -> EventBridge that's hosted by CrowdStrike.
2905.59 -> So that's kind of how they thought about it.
2906.88 -> This is merging sort of event detection,
2909.55 -> real time event-driven architecture with compliance, right?
2913.03 -> With threat detection.
2914.8 -> And so that's something you can think about too
2916.18 -> and keep in your back pocket
2917.47 -> as a potential reference architecture.
2920.11 -> Their event-driven platform really detects
2922.66 -> adversarial behaviors in general
2924.55 -> from the event streams in real time.
2926.35 -> And this detection is performed against incoming events
2929.89 -> in conjunction with historical events as well.
2933.76 -> The context that comes from connecting new
2936.31 -> and historical events together minimizes
2938.95 -> the false positive chance that they might have
2941.98 -> and also improves their alert efficacy.
2944.29 -> So doing that kind of historical
2946.09 -> and fresh evaluation is really important.
2949.27 -> And then finally, the events are actually enriched
2951.61 -> with CrowdStrike's threat intelligence data
2953.86 -> to provide additional insight
2955.9 -> of the attack to SOC analysts and incident responders.
2960.07 -> So I think this is a really cool approach
2962.05 -> and nice architecture.
2963.64 -> And you can check out more there at that link.
2968.59 -> Okay, so next, we are going to look at some
2972.31 -> customer testimonials from highly regulated industries.
2975.55 -> First is DNAnexus.
2976.93 -> It's an American company that provides cloud-based
2979.39 -> data analysis and management platform for DNA sequence data.
2982.39 -> And second is Bristol Myers Squibb.
2984.07 -> It's a global biopharmaceutical company
2986.92 -> whose mission is to discover, develop, and deliver
2989.53 -> innovative medicines that help patients
2991.12 -> prevail over diseases overall.
2994.03 -> And so respectively, what Richard Daly says
2996.61 -> is basically that with AWS, they've been able to create
3001.29 -> clinical trials and genomic analyses
3002.97 -> in a secure and compliant way.
3004.62 -> And then the Executive Director of Cloud Computing
3008.31 -> at Bristol Myers Squibb says that their data residency
3011.4 -> and Control Tower a way of programmatically
3015.72 -> setting up guardrails and data controls.
3019.56 -> And as their data regulations evolve,
3021.66 -> which we see is a very common pattern,
3023.76 -> they say that it really helps them to assist with compliance
3027.06 -> and ease innovation to serve patients all around the world.
3030.54 -> So this is how customers are using
3032.31 -> some of this tooling today.
3035.4 -> And with that, we can do Q&A out in the hall.
3039.57 -> Thank you so much for your time and your participation.
3042.81 -> Really appreciate it.
3043.643 -> I hope that was helpful for you,
3045.21 -> and happy to chat with you outside.
3046.924 -> (audience applause)

Source: https://www.youtube.com/watch?v=1vfyhCdUT-0